Best way to use MS DPM to backup branch office

I currently have Microsoft Data Protection Manager set up at one location on domain A. I am looking to protect domain B (at another location). I have a VPN setup and DNS forwarding as well as a two-way Active Directory trust in place. I think I could have the DPM agent use the VPN to back up the data, but this seems like it may be inefficient. Is the VPN my best or only option, or is there a better way? My concern is to use my bandwidth efficiently, because each location only has a 2Mb internet connection.

1 Solution
A few things about backing up via a VPN tunnel:
You have to check the MTUs on the target and host machines to minimize data fragmentation and ensure data integrity.

You will have to monitor the VPN connections.
For deployments such as this I have used third-party solutions such as Peer-Sync, Double-Take or SteelEye, which have intelligent error-checking and syncing engines to ensure data integrity.

I have not used DPM, but if it has these characteristics to ensure data integrity, then it should be fine. You don't want corrupt data across the tunnel. Obviously, the VPN solution is the most cost effective, as there is no monthly fee for leased lines. External backups over the internet such as Iron Mountain are quite expensive, so budgetary considerations usually rule. If the data transfer rate over the VPN is acceptable, then you could use this method. You can use QoS to prioritize the packets from this application.
Check Point and Cisco ASA firewalls have QoS built in to accomplish this.
jdroger2 (Author) commented:
DPM will check the data integrity; I am just concerned about the overhead of the VPN connection. For example, when I download a file from one location to the other over HTTP, it seems to move A LOT faster than if I copy it over the VPN. How much overhead should a VPN cost me? Maybe the answer is that I need to tweak my VPN settings to maximize throughput. I am using pfSense firewalls on each endpoint and have created an IPsec VPN in pfSense.

For phase 1 I am using:
:: aggressive negotiation
:: 3DES (other choices are DES, Blowfish, CAST128, Rijndael-AES, and Rijndael-256)
:: SHA1 (other choice is MD5)
:: 1024-bit (could be 768 or 1536)

For phase 2 I am using:
:: ESP (other choice is AH) for protocol
:: 3DES (other choices are DES, Blowfish, CAST128, Rijndael-AES, and Rijndael-256)
:: SHA1 (could be MD5)
:: 1024-bit (other choices are OFF, 768, 1536)

Any suggestions for changing these settings to maximize performance? Also, I don't have too many great ways to measure my VPN speeds, other than copying large files.
Qlemo (C++ Developer) commented:
There are many things which can significantly slow down a VPN:
  • Excessive fragmentation, because the MTU limit is hit through adding IPsec headers. As a result, packets are split into a big and a small remainder fragment each. Reducing the MTU to 1400 (instead of 1536) on one or both sides can help here.
  • Excessive calculation power needed by the encryption algorithm. 3DES can eat more performance than AES (Rijndael). Rijndael 192 is sufficient here. Blowfish is comparable in security and slightly slower/more consuming.
  • Phase 1 encryption and DH group/bit length can be chosen longer than for Phase 2, as the data is encrypted with P2 settings, P1 is only for key exchange, which does not matter if it is harder to calculate.
  • DH-2 (1024) is ok.
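The fragmentation point made above can be quantified. The following Python script is an added example, not from the thread or from pfSense; it uses the standard ESP tunnel-mode field sizes (outer IPv4 header, SPI/sequence header, cipher IV, block padding, 2-byte trailer, 96-bit HMAC ICV, optional NAT-T UDP header) and a constructed 1500-byte link MTU. It shows how a full-size inner packet overflows the outer MTU and splits into one large and one small fragment, and computes the largest inner MTU that still fits in a single outer packet for each cipher, which is why a clamp of 1400 leaves headroom in every combination listed in the question.

```python
"""Estimate IPsec ESP tunnel-mode overhead and the resulting fragmentation.

Added example for the MTU discussion; header sizes are the standard ESP
(RFC 4303) values, the 1500-byte link MTU scenario is constructed.
"""
import math

IPV4_HEADER = 20   # outer tunnel IPv4 header
ESP_HEADER = 8     # SPI (4) + sequence number (4)
ESP_TRAILER = 2    # pad length (1) + next header (1), inside the padded area
HMAC96_ICV = 12    # truncated HMAC-SHA1-96 / HMAC-MD5-96 integrity check value
NAT_T_UDP = 8      # extra UDP header when NAT traversal encapsulation is used

# cipher name -> (IV length, cipher block size) for CBC-mode ESP
CIPHERS = {
    "3des": (8, 8),
    "aes": (16, 16),       # AES-128/192/256-CBC all use a 16-byte block and IV
    "blowfish": (8, 8),
    "cast128": (8, 8),
}


def esp_tunnel_size(inner_len, cipher="3des", nat_t=False):
    """Outer packet length for an inner IPv4 packet of inner_len bytes."""
    iv, block = CIPHERS[cipher]
    # Encrypted region = inner packet + padding + trailer, rounded up to a block
    encrypted = math.ceil((inner_len + ESP_TRAILER) / block) * block
    size = IPV4_HEADER + ESP_HEADER + iv + encrypted + HMAC96_ICV
    if nat_t:
        size += NAT_T_UDP
    return size


def fragments(total_len, link_mtu=1500):
    """Fragment sizes an IPv4 sender emits for a packet larger than the MTU.

    Fragment payloads (except the last) are multiples of 8 bytes because the
    fragment offset field counts 8-byte units.
    """
    if total_len <= link_mtu:
        return [total_len]
    payload = total_len - IPV4_HEADER
    chunk = (link_mtu - IPV4_HEADER) // 8 * 8
    frags = []
    while payload > 0:
        take = min(chunk, payload)
        frags.append(IPV4_HEADER + take)
        payload -= take
    return frags


def max_inner_mtu(link_mtu=1500, cipher="3des", nat_t=False):
    """Largest inner packet that still fits in one outer packet (no fragmentation)."""
    n = link_mtu
    while esp_tunnel_size(n, cipher, nat_t) > link_mtu:
        n -= 1
    return n


if __name__ == "__main__":
    link = 1500
    for cipher in ("3des", "aes"):
        for nat_t in (False, True):
            outer = esp_tunnel_size(link, cipher, nat_t)
            print(f"{cipher:8s} nat_t={nat_t!s:5s} inner 1500 -> outer {outer} "
                  f"fragments {fragments(outer, link)} "
                  f"max inner MTU {max_inner_mtu(link, cipher, nat_t)}")
    # A 1400-byte clamp, as suggested in the thread, fits in every case above.
    print("1400 with AES + NAT-T ->", esp_tunnel_size(1400, "aes", True))
```

Run it and the 3DES/SHA1 row shows a 1500-byte inner packet becoming a 1552-byte outer packet that fragments into 1500 + 72 bytes, so every full-size segment costs two packets and a reassembly on the far gateway; clamping the inner MTU at or below the reported maximum (1446 for 3DES, 1438 for AES or for 3DES with NAT-T) removes that.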
jdroger2 (Author) commented:
Thanks Qlemo! Is there a good way to measure/benchmark the VPN's performance so I can get a baseline before I try tweaking things? Also, when you say reduce the MTU, do you mean the MTU on the WAN connection, or is there usually an MTU just for the IPsec?
Qlemo (C++ Developer) commented:
Sorry, I seem to have lost track of this question ... But here I am again.

Well, VPN performance can be measured as any network layer performance. E.g. netio can be used for a client-to-client transfer. This will give you the payload throughput.
Additionally, the CPU burden of the VPN routers should be considered while you do a network performance test; this will show you which encryption is faster and less CPU stressing.

For measuring MTU, you can use mturoute (http://www.elifulkerson.com/projects/index.php) with -t option and the (public) VPN gateway address. If you see a reduction of the MTU, e.g. 1492 or 1024, you will have an issue.