Best way to use MS DPM to backup branch office

Posted on 2009-02-08
Last Modified: 2012-05-06
I currently have Microsoft Data Protection Manager set up at one location on domain A.  I am looking to protect domain B (at another location).  I have a VPN set up and DNS forwarding as well as a two-way Active Directory trust in place.  I think I could have the DPM agent use the VPN to back up the data, but this seems like it may be inefficient.  Is the VPN my best or only option or is there a better way?  My concern is to use my bandwidth efficiently because each location only has a 2Mb internet connection.

Question by:jdroger2
    LVL 15

    Expert Comment

    A few things about backing up via a VPN tunnel:
    You have to check the MTUs on the target and host machines to minimize data fragmentation and protect data integrity.

    You will have to monitor the VPN connections.
    For deployments such as this I have used third-party solutions such as Peer-Sync, Double-Take or SteelEye, which have intelligent error-checking and syncing engines to ensure data integrity.

    I have not used DPM, but if it has these characteristics to ensure data integrity, then it should be fine. You don't want corrupt data across the tunnel. Obviously, the VPN solution is the most cost effective, as there is no monthly fee for leased lines. External backups over the internet such as Iron Mountain are quite expensive, so budgetary considerations usually rule. If the data transfer rate over the VPN is acceptable, then you could use this method. You can use QoS to prioritize the packets from this application.
    Checkpoint and Cisco ASA firewalls have QoS built in to accomplish this.
    LVL 1

    Author Comment

    DPM will check the data integrity, I am just concerned about the overhead of the VPN connection.  For example, when I download a file from one location to the other over HTTP, it seems to move A LOT faster than if I copy it over the VPN.  How much overhead should a VPN cost me?  Maybe the answer is that I need to tweak my VPN settings to maximize throughput.  I am using pfSense firewalls on each endpoint and have created an IPsec VPN in pfSense.

    For phase 1 I am using
    :: aggressive negotiation
    :: 3DES (other choices are DES, Blowfish, CAST128, Rijndael-AES, and Rijndael-256)
    :: SHA1 (other choice is MD5)
    :: 1024 bit (could be 768 or 1536)

    For phase 2 I am using
    :: ESP (other choice is AH) for protocol
    :: 3DES (other choices are DES, Blowfish, CAST128, Rijndael-AES, and Rijndael-256)
    :: SHA1 (could be MD5)
    :: 1024 bit (other choices are OFF, 768, 1536)

    Any suggestions for changing these settings to maximize performance?  Also, I don't have too many great ways to measure my VPN speeds, other than copying large files.
    LVL 67

    Expert Comment

    There are many things which can significantly slow down a VPN:
    • Excessive fragmentation, because the MTU limit is hit through adding IPsec headers. As a result, packets are split into a big and a small remainder fragment each. Reducing MTU to 1400 (instead of 1536) on one or both sides can help here.
    • Overly needed calculation power of the encryption algorithm. 3DES can eat more performance than AES (Rijndael). Rijndael 192 is sufficient here. Blowfish is comparable in security and slightly slower/more consuming.
    • Phase 1 encryption and DH group/bit length can be chosen longer than for Phase 2, as the data is encrypted with P2 settings; P1 is only for key exchange, so it does not matter if it is harder to calculate.
    • DH-2 (1024) is ok.
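To make the fragmentation point above concrete, here is a small calculator, added as an example and not part of the thread or of pfSense. It models ESP tunnel-mode encapsulation using the standard sizes: a 20-byte outer IPv4 header, the 8-byte ESP header, a CBC IV of 8 bytes for 3DES or 16 bytes for AES, padding up to the cipher block size plus the 2-byte ESP trailer, and a 12-byte truncated ICV for HMAC-SHA1-96 or HMAC-MD5-96 (an optional 8-byte UDP header for NAT traversal is assumed off unless requested). It shows why a full 1500-byte inner packet on a 3DES/SHA1 tunnel turns into one full-size fragment plus a small remainder, why an inner MTU of 1400 avoids that, and what the largest unfragmented inner size is for each cipher. The scenario values are constructed from the thread's own settings.

```python
"""Estimate IPsec ESP tunnel-mode packet size and resulting IPv4 fragmentation.

Added example; sizes follow the standard ESP layout and are assumptions for
the thread's pfSense/IPsec setup, not measurements from it.
"""

OUTER_IP_HEADER = 20   # outer IPv4 header added by tunnel mode (no options)
ESP_HEADER = 8         # SPI (4 bytes) + sequence number (4 bytes)
NAT_T_UDP_HEADER = 8   # extra UDP header when NAT-traversal encapsulation is on
ESP_TRAILER = 2        # pad-length byte + next-header byte, inside the encrypted payload

# cipher -> (IV length, cipher block size), both in bytes, for CBC mode
CIPHERS = {
    "3des": (8, 8),
    "aes": (16, 16),
}
# integrity algorithm -> truncated ICV length in bytes (HMAC-SHA1-96 / HMAC-MD5-96)
ICV_LEN = {"sha1": 12, "md5": 12}


def esp_tunnel_size(inner_len, cipher="3des", auth="sha1", nat_t=False):
    """Bytes on the wire for one inner IPv4 packet after ESP tunnel-mode encapsulation."""
    iv_len, block = CIPHERS[cipher]
    # the inner packet plus the ESP trailer is padded up to a whole cipher block
    padded = -(-(inner_len + ESP_TRAILER) // block) * block
    size = OUTER_IP_HEADER + ESP_HEADER + iv_len + padded + ICV_LEN[auth]
    if nat_t:
        size += NAT_T_UDP_HEADER
    return size


def ipv4_fragments(packet_len, path_mtu):
    """Sizes of the IPv4 fragments produced when packet_len exceeds path_mtu."""
    if packet_len <= path_mtu:
        return [packet_len]
    # fragment offsets count 8-byte units, so each non-final fragment carries a multiple of 8
    payload_per_fragment = (path_mtu - OUTER_IP_HEADER) // 8 * 8
    remaining = packet_len - OUTER_IP_HEADER
    sizes = []
    while remaining > 0:
        chunk = min(payload_per_fragment, remaining)
        sizes.append(OUTER_IP_HEADER + chunk)
        remaining -= chunk
    return sizes


def largest_unfragmented_inner_mtu(cipher="3des", auth="sha1", path_mtu=1500, nat_t=False):
    """Largest inner packet size whose ESP encapsulation still fits in path_mtu."""
    inner = path_mtu
    while inner > 0 and esp_tunnel_size(inner, cipher, auth, nat_t) > path_mtu:
        inner -= 1
    return inner


def report(inner_mtu, cipher, auth, path_mtu=1500):
    """Print the encapsulated size and fragment layout for one inner packet size."""
    size = esp_tunnel_size(inner_mtu, cipher, auth)
    frags = ipv4_fragments(size, path_mtu)
    print(f"{cipher}/{auth}: inner {inner_mtu} -> {size} bytes on the wire -> fragments {frags}")


if __name__ == "__main__":
    # Constructed scenario: the thread's 3DES/SHA1 tunnel over a 1500-byte WAN path
    report(1500, "3des", "sha1")   # one full 1500-byte fragment plus a 72-byte remainder
    report(1400, "3des", "sha1")   # fits in a single packet once the inner MTU is 1400
    for cipher in CIPHERS:
        print(f"largest unfragmented inner MTU for {cipher}/sha1:",
              largest_unfragmented_inner_mtu(cipher, "sha1"))
```

The MTU that matters for the calculation is the one the hosts (or the tunnel interface) use for the inner packets; the outer WAN MTU stays at the path value, and the remainder fragment is the small packet that costs a second round of processing for every large packet.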
    LVL 1

    Author Comment

    Thanks Qlemo!  Is there a good way to measure/benchmark the VPN's performance so I can get a baseline before I try tweaking things?  Also, when you say reduce MTU, do you mean the MTU on the WAN connection or is there usually an MTU just for the IPSEC?
    LVL 67

    Accepted Solution

    Sorry, I seem to have lost track of this question ... But here I am again.

    Well, VPN performance can be measured like any network layer performance. E.g. netio can be used for a client-to-client transfer. This will give you the payload throughput.
    Additionally, the CPU burden of the VPN routers should be considered while you do a network performance test - this will show you which encryption is faster and less CPU stressing.

    For measuring MTU, you can use mturoute ( with the -t option and the (public) VPN gateway address. If you see a reduction of the MTU, e.g. 1492 or 1024, you will have an issue.
