Security
Domain or workgroup
Backup Proxy servers can be either domain-joined or sit in a workgroup. The best practice is to use a separate domain. However, when they are used in a workgroup, the following settings are required:
- The Remote Registry service must run on the target machine. The service startup type must be set to Automatic.
- Backup proxy server ports must be opened in Windows Firewall.
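The two workgroup requirements above can be audited on each proxy with a short script. This is an added example, not Veeam's own tooling: the `$RequiredPorts` parameter and the `Test-PortMatch` helper are hypothetical names, the port list is a placeholder because this page gives no port numbers, and TCP is assumed.

```powershell
# Added example: audit the two workgroup prerequisites on a backup proxy.
param(
    # Placeholder: this page lists no port numbers; supply them from the product's ports reference.
    [int[]]$RequiredPorts = @()
)

function Test-PortMatch {
    # Hypothetical helper. LocalPort entries can be 'Any', a single port,
    # a range ('5000-5010') or a keyword such as 'RPC'.
    param([string[]]$LocalPort, [int]$Port)
    foreach ($entry in $LocalPort) {
        if ($entry -eq 'Any') { return $true }
        if ($entry -match '^(\d+)-(\d+)$') {
            if ($Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
        elseif (($entry -match '^\d+$') -and ([int]$entry -eq $Port)) { return $true }
    }
    return $false
}

$results = @()

# Requirement 1: Remote Registry must be running with startup type Automatic.
$svc = Get-Service -Name RemoteRegistry
$results += [pscustomobject]@{
    Check  = 'Remote Registry service'
    Actual = "$($svc.Status) / $($svc.StartType)"
    Pass   = ($svc.Status -eq 'Running') -and ($svc.StartType -eq 'Automatic')
}

# Requirement 2: each required port needs an enabled inbound allow rule.
# Assumption: the ports are TCP; change -Protocol if the ports reference says otherwise.
$tcpFilters = Get-NetFirewallPortFilter -Protocol TCP
foreach ($port in $RequiredPorts) {
    $rules = $tcpFilters |
        Where-Object { Test-PortMatch -LocalPort $_.LocalPort -Port $port } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    $results += [pscustomobject]@{
        Check  = "Inbound TCP $port"
        Actual = if ($rules) { ($rules.DisplayName | Select-Object -Unique) -join '; ' } else { 'no matching rule' }
        Pass   = [bool]$rules
    }
}

$results | Format-Table -AutoSize -Wrap
if ($results.Pass -contains $false) { exit 1 }
```

The script only reports and exits non-zero on a failed check; it changes nothing. A matching rule may still be limited to a firewall profile or remote address scope, so review the listed rule names against the zones below.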
Security zones
The different components should be put within the following zones (networks):
Security zone | Component |
---|---|
DMZ | VB365 API/Portal |
DMZ | VSPC Web UI |
MGMT | VB365 Server |
MGMT | VSPC Server |
MGMT | Veeam ONE Server |
STORAGE | VB365 Backup Proxy/Repo server(s) |
STORAGE | On-premises (Object) Backup Storage |
WAN | Public Cloud Object Storage |
This deployment can be further enhanced by:
- Putting a Reverse Proxy Server in front of the API/Portal server. This can provide additional advantages, including but not limited to:
  - Protecting the API/Portal server from exposure by having clients pass through the Reverse Proxy Server before reaching the API/Portal server.
  - SSL/TLS certificate offloading (if applicable).
- Putting a Web Application Firewall (WAF) in front of the API/Portal server. This can provide additional advantages, including but not limited to:
  - A WAF is a type of reverse proxy that protects the API/Portal server from exposure by having clients pass through the WAF before reaching the API/Portal server.
  - Setting policies to protect against vulnerabilities in the application by filtering out malicious traffic.
  - DDoS attack protection (e.g. rate limiting).