Backup and Restore Exchange on VMware using NetBackup with GRT – Part1

Backup and Restore Exchange on VMware using NetBackup – Part1

In this blogging series we will explore how we can protect MS applications installed on VMware using NetBackup, this part will be the first and will explore how to configure NetBackup to protect Exchange 2013 installed on VMware ESXi 5.5

Although it might look straight forward, it is not that straight forward, you must understand some requirements and prerequisites in order to protect MS applications installed inside VMware VMs using Symantec NetBackup.

This lab will assume that you have:

  • 1 Domain Controller installed.
  • 1 Server running ESXi 5.5
  • 1 Server running Exchange 2013 installed on a VM on the ESXi host.
  • 1 Server running NetBackup Software for Windows (the configuration should be different on Linux installation).


So let us get started:


Symantec Netbackup 7.6.x can protect VMs and perform VM level backup using offloaded backups to VMware backup host, this backup method can accelerate backup and offload the backup load from the server.

Backups that are performed at the VM level are quiesced for VM consistent backup using VSS, additionally you can perform backup while the machine is running using VMware Snapshot technology.

Often times, MS gurus mix with using snapshots for VM protection and using Snapshots to perform backups, I believe that no one can explain it better than AbdulRasheed , he wrote a great article about it here

 So in summary, using snapshots for backups is not the same as using Snapshots to protect Exchange VM.

Now, although we can perform VM level backup at the host level without an agent installed on the ESXi or the VM by connecting vCenter directly, this backup method doesn’t support file level recovery for applications or GRT (you can perform regular file restore but not mailbox or database restore for SQL for example), so you will need to install Symantec NetBackup client on the Exchange or SQL VM in order to perform application aware backup.

Note: up to the date of publishing this article 13/4/2015, Symantec doesn’t support GRT for Exchange 2013, but GRT is supported for earlier versions either using VM policies or Exchange policies.

A word about SAN transport:

One element is to be aware of is the SAN transport option, traditionally if you backup a VM using the backup agent, you will transport the data over the IP network, but what if you have large data set…very large ones.

Then you can use the FC or SAN transport, where you can back up the data directly to the SAN over the SAN network (either to SAN storage or Tape Library).

In VMware, you can perform VM agentless or agent assisted backups and transport the data over FC which can give you increased speed up to 4 times, all what you need is to present the LUNs to the VMware backup host as offline LUNs and configure the policy to use SAN transport, nice haaa


  • Install the NetBackup Agent inside the VM
  • Install Symantec VSS provider
  • Install and configure NFS to browse backup images for GRT (for Exchange 2007/2010).

You can Refer to the documentation on how to perform the above steps.

NetBackup Configuration:

Assuming that you have everything configured including installing the Netbackup agent on the Exchange VM, you can start connecting to the vCenter:

08-04-2015 08-03-07
Add VMware Virtual Machine Server


Enter the FQDN of the vCenter server


Add the vCenter information and account with credentials to connect, and specify the backup host, in my case it is the master server:

08-04-2015 08-03-35

08-04-2015 08-04-05

one note: make sure to add the account using domain\username, because the GUI doesn’t accept


Now you can proceed with configuring a policy, so you can launch the policy configuration wizard:

08-04-2015 08-06-06

Specify a policy name

08-04-2015 08-06-18

In the Policy Storage select your storage destination, unless you have many of them and you want to load balance the backup jobs:

08-04-2015 08-06-38

In the virtual machine options, make sure to specify the VMware backup host, and enable the Exchange recovery.

08-04-2015 08-07-40

Note: in the primary VM identifier, you can select the VM host name, this requires the VM tools to be installed and DNS lookups (forward and reverse) are working, for the simplicity I like to choose VM Display name.

08-04-2015 08-18-38

In order to select a VM for application protection you must use query based to select the VM or you will get the error “Application Protection options for VMware policies are only valid when using the query option for virtual machine selection in the clients tab”, so you need to create a query in the VM selection to include the required VM

08-04-2015 09-25-31

In the backup selection, you must select full backups, you have to note that you can’t perform application level backups using incremental backups, backups of applications at the VM level must utilize full backups.

08-04-2015 09-24-46

Then specify the desired internal and retention and schedule.

08-04-2015 09-25-01


08-04-2015 09-25-13

If everything is configured correctly, you should start seeing the policy kicking in and snapshot is being taken and backups are being performed

08-04-2015 09-31-36

08-04-2015 09-32-33

08-04-2015 09-43-07

08-04-2015 09-43-35

Note regarding policy schedule:
if you right click on the policy and chose to run manual backup, the policy will kick in but the backup job will be equivalent to copy backups, meaning that no Exchange logs will be flushed, in order to perform application level backup, you will have to wait for the policy to kick in.

Policy Schedule and Policy Window

Another point that many NBU admins struggle with is the policy frequency, Window and retention, so let me elaborate on this:

Policy Frequency: is how often the policy will kick in, so in the above screenshot, the policy will start every week and this is equivalent to weekly backups.

Policy Window: is the window allowed for the policy to start, so depending on the configured policies, running policies and queued policies, a policy will start when the window comes, or wait until additional resources are freed if all the resources are not available (like a free tape for example).

If the window ended without available resources, the policy will not start and you will miss the backup window, once the policy start, it can exceed the policy window safely, policy window affects the policy start and will not end the policy.

In part 2 of this series we will see how we can perform a restore from the taken backup.


الكلاود كما لم تراها من قبل – الجزء الثامن – متحط انتي فايروس على الفي ام ؟!!! بلاش احسن

الكلاود كما لم تراها من قبل – الجزء الثامن – متحط انتي فايروس على الفي ام ؟!!! بلاش احسن

متابعة لباقي الاجزاء ، حنتكلم عن نقطة شريرة شوية في ناس كتير مش بتاخد بالها منها ؟! ازاي حنحمي الفي ام بالانتي فايروس ؟!

سهلة مش كده ، حنحط انتي فايروس عادي على الفي ام و كله السطة !!! صح مش كده ، زي ما قولنا و حفكرك ، اما بنتكلم في الاجزاء دي عن كلاود بنتكلم عن عشرات السيرفرات و مئات او الاف الفي امات ؟ و بالتالي اللي بتعمله على السيرفر بتاعك اللي عليه 3 او 4 في ام ، مش حينفع هنا …ليه يا كوتش ؟! حقولك يا نجم

الفكرة في اكتر من جزئية ححاول افصصهملك كالتالي:

  • ازاي حتدخل الفي امات الجديدة في البوليسي بتاعتك و تتحكم فيها
  • ازاي اما حتعمل سكان لفايل ، متخليش الفي امات التانية تعمله سكان لو عليه نفس ال Signature ممكن تقرا اكتر هنا
  • ما يعرف بال Realtime scan في كتير من الاحيان مش بيكون مناسب للاحمال الفيرتشوال ، هو بيكون شغل كويس في العالم الفيزيكال ، بس في كتير من الاحيان بيحمل على الفي ام و بياخد بروسيسنج باور
  • ال Weekly Scan لازم يتعمل ليه توزيع كويس ، لو بتستعمل بوليسي ، ازاي حتعمل توزيع للسكان الاسبوعي على الفي ام بحيث تضمن انه ميحصلشي تحميل مفاجئي على ال SAN storage
  • الابديت ، عمليه الابديت نفسها بتحمل على البروسيسور و على الستوريدج و بالتالي محتاج تعمل توزيع للابديت الاسبوعي او اليومي او الشهري ، و لو الابديت شغال ريل تايم مش حينفع و عليك انه تظبطها و الا انت بتحمل على الستوريدج بتاعتك
  • ازاي حتحمي الهيابرفايزور نفسه (شوفت حقيقة بام عيني فايروس متخصص جدا بيعيدي من الفي ام للهايبرفايزور من خلال بروسيسنج ليك) و بيقدر يعمل انفكشن للهايبرفايزور

قد يكون الكلام اللي فوق مش باين اوي في حال وجود عدد بسيط من الفي امات ، بس اول ما تبتدي تحمل بشكل جدي على السيرفرات بتاعتك ، حتبتدي تشوف العجب

طب و الحلول ؟! مفيش حلول مرضية و ناجعة ، يعني ما بين انه تقوم بتوزيع الويكلي سكان و الابديت باستعمال بوليسيز متعددة او استعمل

Hypervisor level AV

و ده غالي مش رخيص ، تقدر توصل لحلول منطقية شوية

يطلع ايه يا مرسي اللي بتقول عليه فوق ده ؟!

اااه الهايبرفايزور انتي فيروس ؟! دي تقنية جديدة بتنزل Appliance بتعمل Scanning للفي ام من على الهايبرفايزور بدون Agent ممكن تشوف الحاجات دي


ممكن تنضم لينا بايميلك و تسأل اسئلتك و حنرد عليك و تشترك في المناقشة مع الاخرين بارسال رسالة فاضية على

او ابعت سؤالك على


Installing Symantec Encryption Server & Exchange 2010 Configuration Part3–Sending Encrypted Emails

In part1 and part 2 we explored the basics of installing the SES and configuring and managing encryption Keys, in this part we will glue part1 and part2 and send encrypted emails.

Understanding Email Policies:

Email policies are the foundation block for handling email, they determine how emails from specific senders sent to specific recipients with specific contents will be handled.

There are set of defaults policies created by default:


they determine how outbound/inbound emails will be handled, the default policy has the following settings:


the outbound client has the following settings:


which tell the SES to encrypt the emails if the source client is SMTP/MAPI to send it to the outbound chain which does the encryption actions:


if we explore the outbound chain, we will find the following settings:


which instructs the SES how to handle specific emails with specific conditions, so I edited this rule and added the “confidential rule”, which encrypts emails sent internally or externally with the word “confidential” in the subject line. You can add your own set of rules to meet your business and enforce certail delivery types link web or protected PDF:


Once you set the rules, you can send encrypted emails, let us see how:

from outlook client, I will send normal email to (which is fictional domain), the client will detect the policy that is set on the server and will send the email out of message steam to the SES:


Because we can’t find a key for, we will send the email to the SES server and the SES will send the user an email notifying him that there is a message waiting him:


In the above email, I am opening the EML file via notepad (I do have only SMTP server at the recipient side), so the message contains the link to open the email (take a look to how the email flowed from the client to keys “the SES Server” to Exchange to the recipient server)

when opening the link, the client will be prompted with the registration (to register in the SES portal with a passphrase), Then the user can login:


Once user login, he can see the email through the portal; The user can reply and interact securely with the internal user or ask for email delivery via secure PDF:



We reached the end of this series, we can send and exchange emails securely with Symantec Encryption Server now. I hope that you liked this series.