Backup and Restore Exchange on VMware using NetBackup with GRT – Part1

Backup and Restore Exchange on VMware using NetBackup – Part1

In this blogging series we will explore how we can protect MS applications installed on VMware using NetBackup, this part will be the first and will explore how to configure NetBackup to protect Exchange 2013 installed on VMware ESXi 5.5

Although it might look straight forward, it is not that straight forward, you must understand some requirements and prerequisites in order to protect MS applications installed inside VMware VMs using Symantec NetBackup.

This lab will assume that you have:

  • 1 Domain Controller installed.
  • 1 Server running ESXi 5.5
  • 1 Server running Exchange 2013 installed on a VM on the ESXi host.
  • 1 Server running NetBackup Software for Windows (the configuration should be different on Linux installation).


So let us get started:


Symantec Netbackup 7.6.x can protect VMs and perform VM level backup using offloaded backups to VMware backup host, this backup method can accelerate backup and offload the backup load from the server.

Backups that are performed at the VM level are quiesced for VM consistent backup using VSS, additionally you can perform backup while the machine is running using VMware Snapshot technology.

Often times, MS gurus mix with using snapshots for VM protection and using Snapshots to perform backups, I believe that no one can explain it better than AbdulRasheed , he wrote a great article about it here

 So in summary, using snapshots for backups is not the same as using Snapshots to protect Exchange VM.

Now, although we can perform VM level backup at the host level without an agent installed on the ESXi or the VM by connecting vCenter directly, this backup method doesn’t support file level recovery for applications or GRT (you can perform regular file restore but not mailbox or database restore for SQL for example), so you will need to install Symantec NetBackup client on the Exchange or SQL VM in order to perform application aware backup.

Note: up to the date of publishing this article 13/4/2015, Symantec doesn’t support GRT for Exchange 2013, but GRT is supported for earlier versions either using VM policies or Exchange policies.

A word about SAN transport:

One element is to be aware of is the SAN transport option, traditionally if you backup a VM using the backup agent, you will transport the data over the IP network, but what if you have large data set…very large ones.

Then you can use the FC or SAN transport, where you can back up the data directly to the SAN over the SAN network (either to SAN storage or Tape Library).

In VMware, you can perform VM agentless or agent assisted backups and transport the data over FC which can give you increased speed up to 4 times, all what you need is to present the LUNs to the VMware backup host as offline LUNs and configure the policy to use SAN transport, nice haaa


  • Install the NetBackup Agent inside the VM
  • Install Symantec VSS provider
  • Install and configure NFS to browse backup images for GRT (for Exchange 2007/2010).

You can Refer to the documentation on how to perform the above steps.

NetBackup Configuration:

Assuming that you have everything configured including installing the Netbackup agent on the Exchange VM, you can start connecting to the vCenter:

08-04-2015 08-03-07
Add VMware Virtual Machine Server


Enter the FQDN of the vCenter server


Add the vCenter information and account with credentials to connect, and specify the backup host, in my case it is the master server:

08-04-2015 08-03-35

08-04-2015 08-04-05

one note: make sure to add the account using domain\username, because the GUI doesn’t accept


Now you can proceed with configuring a policy, so you can launch the policy configuration wizard:

08-04-2015 08-06-06

Specify a policy name

08-04-2015 08-06-18

In the Policy Storage select your storage destination, unless you have many of them and you want to load balance the backup jobs:

08-04-2015 08-06-38

In the virtual machine options, make sure to specify the VMware backup host, and enable the Exchange recovery.

08-04-2015 08-07-40

Note: in the primary VM identifier, you can select the VM host name, this requires the VM tools to be installed and DNS lookups (forward and reverse) are working, for the simplicity I like to choose VM Display name.

08-04-2015 08-18-38

In order to select a VM for application protection you must use query based to select the VM or you will get the error “Application Protection options for VMware policies are only valid when using the query option for virtual machine selection in the clients tab”, so you need to create a query in the VM selection to include the required VM

08-04-2015 09-25-31

In the backup selection, you must select full backups, you have to note that you can’t perform application level backups using incremental backups, backups of applications at the VM level must utilize full backups.

08-04-2015 09-24-46

Then specify the desired internal and retention and schedule.

08-04-2015 09-25-01


08-04-2015 09-25-13

If everything is configured correctly, you should start seeing the policy kicking in and snapshot is being taken and backups are being performed

08-04-2015 09-31-36

08-04-2015 09-32-33

08-04-2015 09-43-07

08-04-2015 09-43-35

Note regarding policy schedule:
if you right click on the policy and chose to run manual backup, the policy will kick in but the backup job will be equivalent to copy backups, meaning that no Exchange logs will be flushed, in order to perform application level backup, you will have to wait for the policy to kick in.

Policy Schedule and Policy Window

Another point that many NBU admins struggle with is the policy frequency, Window and retention, so let me elaborate on this:

Policy Frequency: is how often the policy will kick in, so in the above screenshot, the policy will start every week and this is equivalent to weekly backups.

Policy Window: is the window allowed for the policy to start, so depending on the configured policies, running policies and queued policies, a policy will start when the window comes, or wait until additional resources are freed if all the resources are not available (like a free tape for example).

If the window ended without available resources, the policy will not start and you will miss the backup window, once the policy start, it can exceed the policy window safely, policy window affects the policy start and will not end the policy.

In part 2 of this series we will see how we can perform a restore from the taken backup.


How to publish Exchange 2013 using VMware NSX load balancer/Firewall part2 – SSL Offloading

How to publish Exchange 2013 using VMware NSX load balancer/Firewall part2 – SSL Offloading

In part 1, we have have seen the very basic steps to load balance Exchange 2013 using VMware NSX.

in this part, we will take a look on how to configure SSL offloading on NSX, the major steps are:

– Export certificate to base64 format using openssl and import them into Edge server.

– Configure the application profile to listen on SSL requests.

– Modify the pool to listen on port 80.

– Configure SSL offloading on Exchange 2013.

– Test the configuration.


So let us start:

Export the certificate base64 format:

In order to install the certificate on NSX, you must have the certificate in base64 format, NSX doesn’t allow you to import .cer or PFX format, in order to do that you will need to use openssl to export the private key and the certificate contents.

This step will assume that you generated the SSL certificate on Exchange 2013 and used internal Microsoft CA (or commerical CA) and have the CA in pfx format (I used internal MS CA and used wild card certificate):

  1. Install Openssl from here you can use the light version.
  2. once installed download and configure the configuration file, use the steps here
  3. once installed, copy the PFX certificate and root CA certificate to a folder, and use the following command to export the certificate contents and private key  openssl pkcs12 -in certname.pfx -nocerts -out key.pem -nodes
  4. Run the following command to export the certificate: openssl pkcs12 -in certname.pfx -nokeys -out cert.pem
  5. Run the following command to remove the passphrase from the private key: openssl rsa -in key.pem -out server.key 

repeat only step 3 for the root CA certificate, now you will have 3 files, root CA pem, certificate content key and private key, now open the NSX edge and install the certificate, first root CA


then the Exchange certificate



Once installed, you can modify the application profile to use the imported certificate and offload the SSL from Exchange server:


confirm the CA is selected:


Modify the pool to use port 80 instead of port 443:


Enable acceleration on the virtual server and you are ready to go:



Now you are ready to enable SSL offloading on the Exchange server, you can follow the steps from this article:

Once enabled, you can test and verify the configuration:




In part 3, we will look into more advanced features like transparency and cookies based presistence…


How to publish Exchange 2013 using VMware NSX load balancer/Firewall Part1

How to publish Exchange 2013 using VMware NSX load balancer/Firewall Part1

In this article, I will show you the very basic steps to achieve the very basic step in load balancing Exchange 2013 using VMware NSX load balancing and edge firewall.

in this lab, I have 2 edge servers deployed, Internal Edge and External EDGE, the internal EDGE will publish the Exchange servers to the external edge, which acts as a perimeter firewall and external router.

The first step is to configure the load balancing functionality on the internal router:


Once enabled, we will create an application profile, which allows protocols to be defined and published through the load balancer, in this example I will configure the session to expire after 60 seconds, but you might want to adjust it based on your environment, a nice documentation for this topic can be found here



for the sake of this basic guide, we will create it with bypass and without any SSL acceleration, in part 2 we will take a look into this in details.

Once created, create a server pool that includes the servers, ports:



Then create a virtual server that includes all the setting (pool, application profile and IP):


One important this to know about the load balancing in NSX, that you can’t assign multiple IP address to edge interfaces, meaning that the virtual server’s IP address has to be assigned to the edge interface, and you can’t assign multiple IP address in the same range to the same interface, which is something not usual for the normal load balancers.


Once created, you can check the pool statistics to verify the pool health


And you can access the Exchange servers via the load balanced virtual server:



In part 2 we will take a look into SSL offloading option and later parts will cover firewall rules, OSPF routing and more.