Archive for the ‘Disaster Recovery’ Category

The Hybrid Cloud Storage Transformation

A frustrating reality for IT leaders is that their teams continue to struggle with the complications of data growth even though they spend more money on storage every year. It’s not surprising that IT leaders are looking for new storage architectures to help them solve their scalability problems and reduce their costs. A post to this blog in June briefly discussed the problems customers are having with data growth and mentioned how a StorSimple Cloud-integrated Storage system could be used to alleviate them. This post expands on that conversation and introduces the Microsoft hybrid cloud storage solution.  

Wanted: a technology model to match the business model

Information systems that enable business agility are an asset and those that inhibit it are a liability.  Unfortunately, traditional storage technologies lack the flexibility to quickly re-align with changing business strategies. The combination of compound data growth and inflexible storage means that the IT team spends too much time, money and energy maintaining the status quo, as opposed to facilitating change. The result is that the data assets of the business cannot be leveraged the way business leaders want them to be. 

IT organizations need new power tools to manage storage and data affordably in an environment of unyielding data growth. The situation demands continuous, automated data and storage management that frees the IT team from time-consuming and error-prone tasks.

Hybrid cloud storage, an unlikely looking power tool

A recent development in business storage is hybrid cloud storage that integrates a StorSimple on-premises Cloud-integrated Storage (CiS) system with Windows Azure Storage, as shown in the figure below. The StorSimple part of the solution is an enterprise iSCSI SAN storage system with internal SSDs and hard disks to store data, along with software for data deduplication, compression and tiering that reduces capacity consumption and places data on resources that are optimized to reduce cost or deliver performance. Above and beyond these features, the StorSimple system automatically accesses Windows Azure Storage to transparently extend usable capacity, and protect and archive data. 

[Figure: The Microsoft hybrid cloud storage solution]

Unlike traditional storage systems that require periodic, disruptive and expensive capacity upgrades, the Microsoft hybrid cloud storage solution provides uninterrupted, pay-as-you-grow capacity expansion in Windows Azure. In other words, customers only pay for the cloud storage capacity they use, as opposed to over-buying storage capacity in advance. In addition, data is protected automatically by copying it to the cloud, where it can be kept for virtually any amount of time without the high cost of replication or the complications of working with tape. 

The StorSimple Cloud-integrated Storage system manages capacity by relocating dormant, unused data to Windows Azure Storage. If applications or users ever need data that was relocated to the cloud, it is transparently accessed and reloaded back onto the StorSimple system. Storage administrators don’t need to worry about running out of capacity unexpectedly because Windows Azure Storage can be instantly allocated whenever a capacity “relief valve” is needed.

Customer-settable data retention policies are easily implemented to comply with government regulations and corporate legal requirements. Data stored in the cloud is immutable and is checked to ensure data integrity with every read. Windows Azure Storage makes three copies of data and puts them in three different fault domains to protect them in the cloud with an option for three additional copies in a remote Windows Azure data center. All data written to the cloud is encrypted prior to being uploaded using encryption keys that are created and managed by the customer. Data in the cloud supports multiple storage functions simultaneously, including backup, DR, archiving and capacity expansion. Disaster recovery operations are location-independent and the data downloaded during recovery is restricted to those applications and users that need it, saving a great deal of time when time savings are most valuable.

Best use cases for the Microsoft hybrid cloud storage solution

The Microsoft hybrid cloud storage solution is optimized to address the problems caused by the growth of unstructured data. The scenarios that will generate the best results include corporate file sharing, large SharePoint installations, document management applications, data archiving, virtual server storage or any other environment where there is a sizable amount of dormant, inactive data that is not regularly accessed. To find out more about the Microsoft hybrid cloud storage solution, visit: http://www.microsoft.com/storsimple

Supporting Business Continuity, Disaster Recovery and Multi-Site Scenarios with UAG 2010 RTM and UAG 2010 Service Pack 1

December 1st, 2010

With the upcoming release of Unified Access Gateway 2010 (UAG) Service Pack 1, we decided it was important to discuss a few scenarios that many of our customers have asked us about. These scenarios are:

  • Business Continuity
  • Disaster Recovery
  • Multi-Geo (Multi-site) deployment

We believe that support for each of these scenarios is important for an enterprise-ready solution. Business continuity and disaster recovery need to be part of any solution designed to provide your users seamless and transparent connectivity to the resources that give your firm a competitive advantage. In addition, support for multiple, geographically dispersed sites is also important in an era of international business travel, and we consider support for this scenario to be central to our near-term goals for UAG.

While UAG Service Pack 1 (UAG SP1) can provide you with basic support for business continuity, disaster recovery and multi-geo scenarios, we want you to know that we plan to address each of these scenarios with a post-UAG SP1 update, and that work is already underway.

However, until we are able to deliver this update to you, we want to provide you with some guidance on supported workarounds for these scenarios.

Business Continuity and Disaster Recovery

In the area of business continuity and disaster recovery we recommend that you create a “mirrored” installation of your UAG DirectAccess server or array. This can be a hot or cold standby that is configured with the same IP addresses as the production server or array. If the production array should fail, you can bring up the standby server or array and take advantage of ISP subnet redundancy so that traffic is routed to the backup deployment. When the primary UAG DirectAccess server or array comes back up, you take down the backup and route the traffic back through the original route.

Multiple Geographic Locations and Load Balancing Multiple Entry Points

There are two primary scenarios to consider when deploying UAG SP1 DirectAccess servers or arrays in multiple locations:

  • Your intranet resources are all IPv4
  • Your intranet resources are a mix of IPv4 and IPv6

Intranet Resources are all IPv4

If all your intranet resources are accessible only through IPv4 addresses (IPv4-only network), then you will take advantage of the UAG SP1 NAT64/DNS64 IPv6 to IPv4 protocol translator. In this scenario the source IP address of the incoming connections from DirectAccess clients is always an internal IP address on the UAG DirectAccess server or array. Your existing IPv4 routing infrastructure will be able to route these connections from the UAG DirectAccess server or array to the destination resource and responses back to the UAG DirectAccess server or array that the DirectAccess client is connected to. In this scenario you do not need to worry about IPv6 routing on the intranet.

You would install multiple UAG DirectAccess servers or arrays and apply the DirectAccess client and server settings by using different GPOs (each specific to a particular UAG DirectAccess server or array) and assigning those GPOs to different OUs or security groups. If you are using a pre-SP1 deployment of UAG, you can use the methods discussed in the blog post http://blogs.technet.com/b/edgeaccessblog/archive/2010/02/18/deep-dive-into-uag-directaccess-tweaking-the-gpos.aspx to deploy the settings to different OUs. If you plan to deploy this scenario with UAG SP1, you can take advantage of the new GPO deployment features included in UAG SP1, which make custom deployment of GPOs to OUs or security groups available in the UAG DirectAccess wizard.

This method enables you to assign a fixed number of clients (based on the fixed number of computer accounts that belong to an OU or security group that you configure) to each UAG DirectAccess server or array. While this method allows for a static level of load balancing (DirectAccess clients can be split relatively evenly between servers or arrays), this approach does not allow users to change which array they connect to. This change requires that an administrator move the computer account to a different security group or OU.
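The per-array client assignment described above, as an added example that is not from the original post or from UAG itself: each array's DirectAccess client GPO is security-filtered to one group, and a check flags any computer that is a member of more than one array group (such a client would receive two conflicting DirectAccess client GPOs). GPO names, group names and the OU are constructed placeholders; it assumes the GroupPolicy and ActiveDirectory modules available with Windows Server 2008 R2 RSAT.

```powershell
# Added example: scope one DirectAccess client GPO per UAG DirectAccess array by security group.
# All names below are constructed placeholders; substitute your own.
Import-Module GroupPolicy
Import-Module ActiveDirectory

# GPO name -> security group whose computer accounts should apply it (one pair per array)
$Assignments = @{
    "DirectAccess Clients - USA"  = "DA-Clients-USA"
    "DirectAccess Clients - Asia" = "DA-Clients-Asia"
}
# OU holding the computer accounts of all DirectAccess clients (placeholder DN)
$ClientOU = "OU=DirectAccess Clients,DC=corp,DC=example,DC=com"

foreach ($gpoName in $Assignments.Keys) {
    $group = $Assignments[$gpoName]

    # Link the array-specific GPO to the client OU (ignore "already linked" errors on re-run)
    New-GPLink -Name $gpoName -Target $ClientOU -LinkEnabled Yes -ErrorAction SilentlyContinue

    # Default filtering lets Authenticated Users apply the GPO; reduce that to Read only,
    # so that a client never gets settings for an array it is not assigned to
    Set-GPPermission -Name $gpoName -TargetName "Authenticated Users" -TargetType Group -PermissionLevel GpoRead -Replace

    # Grant Apply only to the computers assigned to this array
    Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group -PermissionLevel GpoApply
}

# Sanity check: a computer in two array groups would receive two DirectAccess client GPOs.
function Get-MultiArrayClients {
    param([string[]]$Groups)
    $seen = @{}
    foreach ($g in $Groups) {
        Get-ADGroupMember -Identity $g -Recursive |
            Where-Object { $_.objectClass -eq "computer" } |
            ForEach-Object { $seen[$_.distinguishedName] += 1 }
    }
    $seen.GetEnumerator() | Where-Object { $_.Value -gt 1 } | ForEach-Object { $_.Key }
}

$conflicts = Get-MultiArrayClients -Groups $Assignments.Values
if ($conflicts) {
    Write-Warning ("Computers assigned to more than one array: " + ($conflicts -join ", "))
}
```

Moving a client to another array is then an administrator moving its computer account between the two groups, exactly as the post describes.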

Intranet Resources are IPv4 and IPv6

In this scenario, you would take advantage of the same distribution of DirectAccess clients as you would with an IPv4-only intranet – by assigning clients to a specific UAG DirectAccess server or array through the use of different GPOs or security groups. What changes in this scenario is how you handle the IPv6 routing requirements in a geographically distributed environment.

In this scenario you can configure a single ISATAP cloud and deploy multiple ISATAP routers that are on-link with the UAG DirectAccess server or array at each location. To make this work, you need to do the following:

  • Prevent DirectAccess clients from connecting to the UAG DirectAccess server or array using the 6to4 protocol. You can accomplish this by blocking IP Protocol 41 inbound through your edge firewalls.
  • Install an ISATAP router on the same link as the internal interface of the UAG DirectAccess server or array (that is to say, on the same physical or virtual segment).
  • Generate an IPv6 address space and assign both the ISATAP and UAG server or array addresses from this address space. You can find detailed instructions on how to generate an internal IPv6 address space and how to assign and use these IPv6 addresses on a UAG DirectAccess server or array in the blog post http://blogs.technet.com/b/edgeaccessblog/archive/2010/05/17/configuring-an-external-load-balanced-uag-directaccess-array-for-an-ipv4-only-network.aspx
  • Allocate a /64 ISATAP prefix for your entire intranet and use the same prefix for all your ISATAP routers.
  • On each of the ISATAP routers, add a specific /64 Teredo route, based on the Teredo address space that is generated by the UAG for that server’s or array’s clients.
  • On each of the ISATAP routers, add a specific /64 IP-HTTPS route based on the IP-HTTPS address space that is generated by UAG for that server’s or array’s clients.
  • Add a resource record for ISATAP for each ISATAP router. ISATAP hosts will receive all ISATAP resource records from the DNS server and will send router solicitation requests to each ISATAP server so that the ISATAP hosts are aware of all routes back to DirectAccess clients.

One other thing worth highlighting is the fact that the ISATAP Router needs to be configured with two IPv6 addresses:

  • The ISATAP address is used by the entire organization to reach the ISATAP router
  • The native IPv6 address is used on the ISATAP router to communicate with the UAG server

Figure 1 provides a high level overview of what this configuration looks like.


Figure 1 Workaround for an intranet with IPv6 ISATAP resources

Figure 1 shows that the ISATAP router in Asia is configured with routes for the Asia UAG Teredo and IP-HTTPS address space to the Asia UAG DirectAccess server. It also shows that the ISATAP router in the USA is configured with routes for the USA UAG Teredo and IP-HTTPS address space to the USA UAG DirectAccess server.
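The USA-site ISATAP router from Figure 1, configured with netsh and dnscmd according to the steps above, as an added example that is not from the original post or from UAG itself. All prefixes, addresses and names are constructed placeholders from the IPv6/IPv4 documentation ranges; it assumes the UAG internal interface and this router share one link, and that the ISATAP tunnel interface on this Windows Server 2008 R2 host is named isatap.corp.example.com (check with netsh interface ipv6 show interfaces). Blocking IP protocol 41 inbound is done on the edge firewall and is not shown here.

```powershell
# Added example: configure the USA ISATAP router for the multi-site UAG DirectAccess workaround.
# Every value below is a constructed placeholder; substitute your own.
$NativeIf     = "LAN"                      # internal NIC on the same link as the USA UAG internal interface
$IsatapIf     = "isatap.corp.example.com"  # this host's ISATAP tunnel interface (assumed name, verify it)
$IsatapPrefix = "2001:db8:abcd:1::/64"     # ONE /64 ISATAP prefix shared by every ISATAP router in the org
$NativeAddr   = "2001:db8:abcd:100::2"     # this router's native IPv6 address on the UAG link
$UagInternal  = "2001:db8:abcd:100::1"     # USA UAG DirectAccess server/array internal IPv6 address
$TeredoUSA    = "2001:0:cb00:710a::/64"    # Teredo /64 the USA UAG generates: 2001:0:<hex of its public IPv4>::/64
$IpHttpsUSA   = "2001:db8:abcd:1000::/64"  # IP-HTTPS /64 the USA UAG generates for its clients
$RouterIPv4   = "10.1.0.2"                 # this router's IPv4 address (ISATAP hosts tunnel to it)
$DnsServer    = "dc1.corp.example.com"
$Zone         = "corp.example.com"

# Native IPv6 address used to talk to the UAG server (second of the router's two IPv6 addresses)
netsh interface ipv6 add address interface=$NativeIf address=$NativeAddr
netsh interface ipv6 set interface interface=$NativeIf forwarding=enabled

# Become an ISATAP router: enable ISATAP, forward between interfaces, advertise the shared /64
# on the ISATAP interface so every ISATAP host gets an address from the same prefix
netsh interface ipv6 isatap set state state=enabled
netsh interface ipv6 set interface interface=$IsatapIf forwarding=enabled advertise=enabled
netsh interface ipv6 add route prefix=$IsatapPrefix interface=$IsatapIf publish=yes

# Site-specific return routes: the USA UAG's Teredo and IP-HTTPS client prefixes go to the USA UAG.
# The Asia router carries the same two lines with the Asia UAG's prefixes and next hop instead.
netsh interface ipv6 add route prefix=$TeredoUSA  interface=$NativeIf nexthop=$UagInternal publish=yes
netsh interface ipv6 add route prefix=$IpHttpsUSA interface=$NativeIf nexthop=$UagInternal publish=yes

# Publish this router under the ISATAP name; one A record per router, so hosts solicit all of them.
# Windows DNS blocks the name "isatap" by default (global query block list), so keep only "wpad" blocked.
dnscmd $DnsServer /config /globalqueryblocklist wpad
dnscmd $DnsServer /RecordAdd $Zone ISATAP A $RouterIPv4

# Verify: the shared ISATAP prefix and both client /64s should appear as published routes
netsh interface ipv6 show route
```

After the DNS change, an ISATAP host that resolves ISATAP will send router solicitations to both the USA and Asia routers and learn the Teredo and IP-HTTPS routes back to each site's clients.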

If you have some experience with IPv6 and ISATAP, the configuration should not be too difficult to accomplish. However, if you would like to see how this configuration works in a Test Lab, we plan to publish a Test Lab Guide (Test Lab Guide: Demonstrate UAG SP1 DirectAccess in a Multi-Site Configuration) soon after the release of UAG SP1, which should help speed your understanding of the overall solution. For a list of current UAG Test Lab Guides, be sure to check out the UAG DirectAccess Test Lab Guide Portal page at http://social.technet.microsoft.com/wiki/contents/articles/uag-directaccess-test-lab-guide-portal-page.aspx

Authors:

Ben Bernstein, Senior Program Manager, DirectAccess
Tom Shinder (tomsh@microsoft.com), Knowledge Engineer/Principal Technical Writer, Anywhere Access Group (AAG)