Recently I had a client with a very tight budget for whom I had to set up a low-cost or no-cost off-site backup strategy. If you run or administer a business network, then you probably already know that off-site backups are not just luxury reserved for the Fortune 500 companies. Off-site backup is a crucial and indispensable tool for EVERY business, even one-man shops. The possibility of losing your customer files, accounting data, tax information and basically everything in your file server in the event of a fire, theft, flood or other disaster is not something most of us can live with, especially if we are in charge of safeguarding the IT department and asset.
OK, back to this client. She has a successful company housed in an office in Irvine with about 10 user. Email and website are hosted elsewhere so the regular backup strategy is pretty straightforward and simple to set up and monitor. Put in a local NAS drive, set up scheduled nightly backups with Windows task scheduler and you’re done. Easy enough.
Now what do you do about off-site backups? This same client got broken into a few months ago and thieves took a laptop and a few other goodies, but thankfully they left the file server, the NAS drive, the switches, and other network components alone. So the urgency of doing offsite backups became woefully apparent. I have a couple of other clients using Mozy.com and I am happy with the results, although it does cost about a $1-2 per GB. So for this client the cost would be over $1,000 per year, which would be nice if we could mitigate. Furthermore, last time I had to restore file from Mozy, I had to call them and have them “prepare” a restore CD and FedEx it to us and that took about 3 days. I’m not too thrilled about that, although I like Mozy as a company and their software is pretty much fire and forget. Once you set it up right, it just works and it has nice features like bandwidth throttling and time of day scheduling and most importantly it runs as a Windows service not an executable, so you don’t have to stay logged on to the server or whatever machine is doing the backup.
So to make this short, the owner of this business lived near Irvine also and if you work in or around Central or South Orange County, you know that most residences as well as businesses have access to high-speed broadband (several times faster than a T1 in fact) on either DSL or cable/fiber. This client had 7.5MB download/1.5MB upload speeds at the office and roughly the same at her home. So what we ended up doing was set up two low-cost NetGear FVS114 VPN routers (which are less than $45 each on Ebay) one at the office and one at the owner’s residence and connected them them with a a site-to-site VPN tunnel. Then we purchased a Buffalo Terastation NAS drive (about $600), identical to the one already at the office and installed it at the owner’s residence.
Fig. 1: Site-to-Site VPN Network Diagram
For this client all the company accounting and user files reside on the NAS drive, which is configured with RAID 5 to protect against disk failures. There is no tape drive or tape library. Instead nightly and weekend backups are done from the NAS to the file server’s internal disk which is configured as a RAID 1 (mirroring). This configuration provides the added benefit that if the server were to crash, the users would still be able to access their files and get to the internet, so it would be more of a nuisance than a disaster.
Fig. 2: Netgear FVS114 Configuration
Fig 3: The two Terastations can see and communicate with each other
OK, back to the offsite backup. Once the site-to-site was set up, both NAS drives could see (ping, access, etc.) each other and the server could see them both. The Terastations have a nice backup and synchronization utility that allows you to back up one NAS to another automatically and this is what I enabled initially. BTW, Terastations run an embedded version of Linux inside so it has much more features than just a plain, dumb network disk drive, but you don’t have access to the OS, so the features and applications are not user tweakable. However it became evident that this was not going to work. First of all, the backup routine has no bandwidth throttling capability, so once you set it and kick start the service, it will hog the entire upload bandwidth and you’re going to have a lot of unhappy users. Secondly, there really isn’t any easy way to monitor the backup process to see if/when it failed and why. And the death nail to this approach was that, as far as I could tell, the backup was more of a synchronization – i.e. if files/folders were deleted from the office NAS, the deletions would propagate to the home NAS. Not good. What if a malicious user or a disgruntled employee got into your network and started deleting stuff and you didn’t find out about it until the next day? No, no no no. Bad. Very bad.
So to get around this I installed AllWaySync on the server and set up a “copy” operation from NAS1 to NAS2. This will create a mirror image on the home NAS. I set it to go off at night, every night, after the regular backup completes. I selected every night instead of Mon-Fri because many users log in via VPN and create files and make change from home or remote sites. I also made sure to select the “1-Way Left to Right” method and unchecked “Propagate Deletions” because you don’t want files either accidentally or intentionally deleted to also be deleted from the target NAS. This strategy has the added benefit that, let’s say ALL of the IT equipment in your office was lost, say a burglar broke in and took EVERYTHING but the kitchen sink. All that it would take to get back up and running is to bring the home NAS to the office, plug it into the network and voilà. The only tweaks you need to make is change the IP address and share drive mappings and you’re back in business. In minutes, not days. Of course this assumes your switch and cable modem/router were left alone, but if not, those are very easy to replace and can be easily found at local computer supply stores.
Fig. 4: AllWaySync Configuration
While we are going through this scenario, I can over-emphasize the importance of have an updated network topology diagram and inventory chart (stored off-site of course). For example in the above scenario, let’s say your cable modem was taken in the burglary. Even if you could replace it quickly, do you remember your public IP, logon account and password, DMZ or service or firewall settings? My guess would be that you wouldn’t and in a disaster recovery situation, that last thing you want to do is scramble to get information. So I highly recommend have a continually updated network diagram with all the IPs, accounts/passwords, screen caps, etc., and save it to a location where you can access it if all heck breaks loose. An of course password protect that file since you will have a lot of sensitive info.
In configuring the site-to-site VPN, you may want to take some precaution in enabling the NetBIOS broadcasts since this will increase the volume of inter-site traffic, so if you have a relatively slow connection at either end, you may want to disable this in the VPN Policy screen. In the above example, bandwidth was not an issue and enabling NetBIOS allowed us to browse the remote network for drive mappings and other tasks.
Good luck with your disaster planning and offsite backups. Feel free to email me if you have questions about this setup.