Save to My DOJO
A great new feature found in vCenter Server Appliance 6.5, is the ability to back up a vCenter instance natively. Native backup takes a file-based backup approach where the resulting files are transferred to a remote repository using any of the following protocols; HTTP, HTTPS, FTP, FTPS and SCP.
In this post, I go over the details of setting up an FTPS repository using an IIS Web Server running on Windows Server 2012. Alternatively, you could use something like the FileZilla FTP server which is an equally valid solution. For the record, FTPS is an extension of the FTP protocol which includes TLS / SSL support making FTP transfers more secure by encrypting traffic during transit.
I’ve split the article into three sections namely,
- Setting up and configuring IIS on Windows Server.
- Setting up an FTPS site on IIS.
- Performing a backup via the vCSA Web Console (VAMI).
Installing and configuring IIS on Windows Server 2012
Assuming a Windows Server 2012 machine or VM is available and that you are somewhat familiar with IIS, let’s go ahead and add the Web Server (IIS) and FTP Server roles.
1] Click on the Server Manager icon on the task bar and select Add roles and features from the Quick Start section. Press Next twice and install the features as shown in Figure 1.
2] Once the install completes, you’ll need to set up two more items.
- Using Computer Manager (Server Manager -> Tools menu), go ahead and create a user account called VCSAUser.
- Finally, create a folder, let’s say c:\FTPSVCSA, where the appliance backup files will be transferred to.
Setting up FTPS on IIS
Creating a certificate
Now that the web server is up and running, it’s time to create the FTP site. But first things first. Since we’re using FTPS, we have to create an SSL certificate as is standard in all SSL/TLS implementations. To do this, follow the steps as listed:
1] Launch IIS Manager from Server Manager as shown in Figure 2.
2] Click on the IIS server name in the left pane. From the Home screen, locate Service Certificates and double click on it
3] Click on Create Self-Signed certificate and follow the wizard. Type in a friendly name for the new certificate and set the certificate store to Web Hosting. Pressing OK completes the procedure.
Creating and configuring an FTPS site
With the certificate ready and done with, we can now proceed to create the FTP site, the details of which will be used later on while setting up the backup job on vCSA. Here are the steps needed:
1] Using IIS Manager, right click on the server name and select Add FTP Site.
2] Specify a name for the FTP site and the corresponding folder, the one previously created. Press Next.
3] Next, select the IP address assigned to the server leaving port 21 selected as is. Under the SSL section, tick on the Require SSL option and select the certificate previously created from the SSL Certificate drop down box. Press Next.
4] Select the Basic Authentication option. Under Authorization, select Specified Users and type in the name of the user account previously created i.e. vcsauser. Tick on both the Read and Write options under Permissions.
5] Finally, right-click the FTPS site, select Edit Permissions and assign the vcsauser user account read and write access or, if you prefer, full control.
If required, you can always change any of the FTP site settings at a later stage by simply clicking on the FTP site name and selecting any from the grouped settings as shown in Fig. 10.
At this point, the FTPS site should be fully accessible. As mentioned earlier, one could use other FTP servers such as FileZilla. The software is open-source, free to use and easy to set up. I used FileZilla to test out the procedures in this post and I only needed to create a user and enable FTP over TLS to have vCSA natively backup to it using FTPS.
Using the Appliance Management tool to back up the vCSA
To perform a backup, we will use the Appliance Management tool (or VAMI) the URL for which is https://<appliance name or IP address>:5480. Log in as root using the password set during the vCSA installation process.
The following steps will take you through the procedure that backs up the vCSA and transfers the backup files to the IIS server using FTPS.
1] Once you log in, click on the Backup button on the Summary page.
2] Figure 13 shows at the which stage the transfer protocol is selected along with a number of parameters. Additionally, you will include the following:
- Set the protocol to FTPS
- Type in the IP address or FQDN of the FTP server. Make sure to add ‘/’ at the end.
- The default port is 21 but this may differ according to how you set it up.
- The ftp user account created earlier which in our case is vcsauser.
- The password for the ftp user account.
- To encrypt the backup files, just tick the Encrypt Backup Data option and specify a passphrase. The passphrase will be asked for when carrying out a restore job, so make it a point to remember it. Keep in mind that FTPS simply secures the channel over which the data is being transmitted. Data is only encrypted to disk when the Encrypt Backup Data option is selected (Fig. 13).
3] HTTPS, along with FTPS and SCP, is another protocol supported by native backup. Avoid using HTTP and FTP since data is sent in the clear. This holds especially true if the backup files are transmitted over unprotected WAN links. I will not be covering how to set up HTTPS and SCP in this post but the procedure should be very similar to setting up FTPS. In the end, it all depends on the OS and solution you are using.
In theory, HTTP is superior to FTP in terms of speed and reliability but I haven’t had the chance to test this out thoroughly. Here’s a good article comparing the two protocols.
4] Make sure that the folder created earlier to hold the backup files is empty. I’m not sure why this is a requirement but you will receive the following error message if it is not. The downside to this, of course, is that you have to empty the folder each time a backup has to be taken.
5] Here you can select which items you want backed up. You are also given the total amount of data that will be backed up and eventually transferred. Press Next to continue.
6] At this screen, just press Finish to start the backup.
7] You can follow the progress as shown. Press OK when the backup job completes.
If the backup completes successfully, you should see a number of files created under the backup folder. The enc file extension tells us that the encryption option was selected. The only exception to this is the JSON backup configuration file which needs to be in clear text, presumably to retrieve backup and server information during a restore job.
If the backup fails, you can refer to the backup logs on the appliance to troubleshoot what went wrong. Some of the issues I faced included an Error 413, request entity too large entry which I fixed as per the referenced instructions. To view the contents of the log file on the appliance, proceed as follows:
- Using putty or similar, SSH in as root on the appliance.
- Type Shell at the prompt.
- Type cd /var/log/vmware/applmgmt.
- Type more backup.log or tail backup.log.
And just in case the instructions weren’t clear enough, here’s a video showing how I set up FTPS on IIS and successfully backed up vCSA to it.
The ability to backup a vCSA natively is a welcome addition to any admin’s toolkit. Security wise, it is important that one is able to ensure the safe transit of data and storage, hence the importance of using secure protocols and data encryption. VMware went to great lengths in this respect, not only with native backup but in many other security related areas encompassing vSphere 6.5.
I haven’t touched on the subject of restoring from backup since I’ll be covering this topic in a future post. However for completeness sake, do know that to restore from backup you have to run the vCSA installer and select Restore from the list of options.
I hope you found this post useful and as always watch this space for more interesting stuff to come.
[the_ad id=”4738″][the_ad id=”4796″]
Not a DOJO Member yet?
Join thousands of other IT pros and receive a weekly roundup email with the latest content & updates!