Low Cost Disaster Recovery Options For VMware

For years now Corner Edge Solutions has been using VMware exclusively for all of our new server installs, and even for hardware upgrades, by virtualizing the original server install and configuration onto a new physical server with VMware.  This goes even for a small, one-server setup.  We feel this is a great way to increase reliability as well as improve disaster recovery times.

While having two complete setups of VMware is probably cost prohibitive, with the small footprint of VMware ESXi, you can use a simple workstation or even a laptop as a cold spare DR backup.  As you’ll see below, I have easily installed VMware on my laptop, and with a large enough hard drive, and enough memory, I could run a small to medium office server environment setup on my one laptop, or even a mid-range business desktop.  The cost of these is usually around $1500-2500, and when you consider the cost of a second server may come in at $5000 or more, this is a great low-budget way to have your office back up and working quickly in the event of a major disaster.

To do this simply, just power off the VMs on a schedule that fits your DR needs, copy the files from the main DataStore, and upload them to the DataStore on your backup setup.  You will want to make sure your backup processor is a 64-bit processor with VT enabled if you are running 64-bit VMs, that you have enough storage space for the foreseeable future, and definitely install as much memory as your budget and workstation will allow, and that should be it.

You clearly shouldn’t expect the same performance of this setup as you would get from a true server, but it would get people back online and running again while you work on the main server.
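The scheduled "power off, copy the VM folders, power back on" routine described above, written as an added example that is not from the original post. It runs in the ESXi shell of the primary host and assumes SSH key access to the backup host, VM names without spaces, and VM folders under /vmfs/volumes/<datastore>/<vm>/; the host and datastore names are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post): scheduled cold-spare copy, run from
# the ESXi shell of the primary host. Assumes SSH key access to the backup host,
# VM names without spaces, and VM folders under /vmfs/volumes/<datastore>/<vm>/.
# Host and datastore names are placeholders.
BACKUP_HOST="${BACKUP_HOST:-backup-esxi.example.local}"
BACKUP_DS="${BACKUP_DS:-datastore1}"

# Turn one line of 'vim-cmd vmsvc/getallvms' output into "vmid|datastore|vmdir".
# Example row: 12  fileserver  [datastore1] fileserver/fileserver.vmx  <guest>  <ver>
# The header line and anything else that is not a VM row produce no output.
parse_vm_line() {
  printf '%s\n' "$1" | awk '
    $1 ~ /^[0-9]+$/ && $3 ~ /^\[/ {
      ds = substr($3, 2, length($3) - 2)   # strip the surrounding [ ]
      split($4, p, "/")                    # first path element is the VM folder
      printf "%s|%s|%s\n", $1, ds, p[1]
    }'
}

# Power state as reported by ESXi: "Powered on" / "Powered off" / "Suspended".
power_state() { vim-cmd vmsvc/power.getstate "$1" | tail -n 1; }

# Ask the guest to shut down so the copied disks are consistent; hard power-off
# only if the guest has not finished within five minutes (needs VMware Tools).
quiesce_vm() {
  [ "$(power_state "$1")" = "Powered off" ] && return 0
  vim-cmd vmsvc/power.shutdown "$1" >/dev/null 2>&1 || vim-cmd vmsvc/power.off "$1"
  i=0
  while [ "$i" -lt 60 ]; do
    [ "$(power_state "$1")" = "Powered off" ] && return 0
    sleep 5; i=$((i + 1))
  done
  vim-cmd vmsvc/power.off "$1"
}

# Copy the whole VM folder (vmx, vmdk, nvram, ...) into the backup datastore.
copy_vm() {
  scp -r "/vmfs/volumes/$1/$2" "$BACKUP_HOST:/vmfs/volumes/$BACKUP_DS/"
}

# Shut down, copy and restart every registered VM; call this on the schedule
# the DR plan allows for.
sync_all_vms() {
  vim-cmd vmsvc/getallvms | while read -r line; do
    rec=$(parse_vm_line "$line"); [ -n "$rec" ] || continue
    vmid=${rec%%|*}; rest=${rec#*|}; ds=${rest%%|*}; vmdir=${rest#*|}
    quiesce_vm "$vmid" && copy_vm "$ds" "$vmdir"
    vim-cmd vmsvc/power.on "$vmid" >/dev/null
  done
}
```

On the backup host the copied folders still need to be registered (Browse Datastore, then Add to Inventory on the .vmx) before they can be powered on.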


Here is a quick picture I took of my laptop running VMware ESXi, just for fun.  I had installed ESXi on a USB stick and booted from it when I powered on my laptop.  This install was originally done on a PowerEdge 2950, and without any modifications to the install, it came up just fine on a Dell Latitude E6500.  Simply carry a USB flash drive and a large external storage drive and you can have a backup ESXi server wherever you go.

pfSense Firewall Settings to Allow Internal Access via Public Name and IP Address

OK, who hasn’t tried to get to a website on your internal network using the public name, or sometimes the public IP address, when troubleshooting?  Sure enough, “Page not Found” shows its head.  But I know it’s there and running; I can get to it using the internal IP or with a modified hosts file.  Well, a lot of firewalls by default don’t redirect outgoing traffic back into the network.  If you are using pfSense (a FreeBSD based OS focused on firewall and routing tasks), this is a very simple fix.

Assuming you already have the port forwarding set and the site is accessible from the internet, there is only one check mark you need to remove to get this working from the inside.  Start by hovering over the “System” in the menu bar, then click “Advanced”.

Home Page of pfSense firewall

From there, scroll almost all the way down to the “Network Address Translation” section, and uncheck the “Disable NAT Reflection” option.

pfSense System -> Advanced -> Network Address Translation

Now you will be able to type the public name or IP address into your browser and see the page being hosted on your internal LAN.  No more maintaining hosts files to keep things easy, which sounds even easier to me.

Reduce SPAM and increase security with SMTP Submission over Port 587

Exchange Server 2007 provides higher security and less SPAM potential by eliminating authenticated mail over SMTP port 25.  This leaves us without the ability to relay mail from other SMTP servers without the following tips.

Here are some setup tips on setting up SMTP relay over port 587 securely.

After setting up your network with a back-end Exchange 2007 Hub Transport/Client Access/Mailbox server and an isolated Exchange 2007 Edge Transport server in a DMZ or separate internal network, try setting up an IMAP connection to the Exchange Client Access server.  Since all incoming mail traffic is supposed to flow through the Edge Transport server, you set up that as the endpoint for your outgoing SMTP server in your mail client like Microsoft Outlook or Mozilla Thunderbird, but no matter what you do, it just won’t work without authentication.  The Edge Transport server is not (or at least it’s not supposed to be) a member of the domain, and therefore cannot authenticate the user.

One way to fix this is to set your firewall(s) to pass SMTP Submission traffic to the back-end Client Access server (CAS).  Mail will be sent first to the back-end Exchange Client Access server for authentication, and then be forwarded on to the front-end server for external delivery.

Also, don’t forget to check the TLS or SSL security option and change the outgoing SMTP port number to 587 for SMTP Submission, rather than port 25 for standard SMTP traffic.  And now you should be sending mail securely.
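A check for the setup described in this post, written as an added example (not part of the original post, and not Exchange's own tooling): from a workstation it confirms that the CAS submission port 587 offers STARTTLS and advertises AUTH once TLS is up, and that the Edge server's port 25 does not offer authenticated relay. It assumes openssl is on the PATH; the host names are placeholders.

```shell
#!/bin/sh
# Added example (not part of the original post): verify from a workstation that
# the CAS on port 587 offers STARTTLS and advertises AUTH inside TLS, while the
# Edge Transport server on port 25 does not offer AUTH at all.
# Host names are placeholders; openssl must be on the PATH.
CAS_HOST="${CAS_HOST:-cas.example.local}"
EDGE_HOST="${EDGE_HOST:-edge.example.local}"

# Open a STARTTLS session to $1:$2 and return the EHLO reply received inside TLS.
# openssl performs the initial EHLO/STARTTLS itself and exits non-zero when the
# server does not offer STARTTLS, which is the first thing we want to know.
ehlo_over_tls() {
  printf 'EHLO dr-check\r\nQUIT\r\n' |
    openssl s_client -quiet -starttls smtp -connect "$1:$2" 2>/dev/null
}

# Verdict for one endpoint: $1 = port, stdin = EHLO reply captured over TLS.
# Echoes an "ok: ..." or "fail: ..." line and returns 0 only when the endpoint
# matches the design (587 must advertise AUTH, 25 must not).
assess_endpoint() {
  mechs=$(tr -d '\r' | awk '$1 ~ /^250[- ]AUTH$/ { for (i = 2; i <= NF; i++) print $i }')
  case "$1" in
    587) [ -n "$mechs" ] && { echo "ok: 587 offers AUTH over TLS: $(echo "$mechs" | tr '\n' ' ')"; return 0; }
         echo "fail: port 587 advertises no AUTH inside TLS"; return 1 ;;
    25)  [ -z "$mechs" ] && { echo "ok: port 25 does not offer authenticated relay"; return 0; }
         echo "fail: port 25 still advertises AUTH: $(echo "$mechs" | tr '\n' ' ')"; return 1 ;;
    *)   echo "fail: unexpected port $1"; return 1 ;;
  esac
}

# Run both checks against the live servers.
check_all() {
  reply=$(ehlo_over_tls "$CAS_HOST" 587) || { echo "fail: $CAS_HOST:587 offers no STARTTLS"; return 1; }
  printf '%s\n' "$reply" | assess_endpoint 587 || return 1
  reply=$(ehlo_over_tls "$EDGE_HOST" 25) || { echo "fail: $EDGE_HOST:25 offers no STARTTLS"; return 1; }
  printf '%s\n' "$reply" | assess_endpoint 25
}
```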