Veritas NetBackup™ 52xx Appliance Initial Configuration Guide
Performing the initial configuration on a NetBackup 52xx appliance from the NetBackup Appliance Web Console
After you have installed, connected, and turned on all appliance system components, you are ready to configure the server.
The initial configuration process requires that you change the default passwords for the admin, maintenance, and sysadmin (IPMI) user accounts. The default admin password is valid only for the initial appliance login. The Password Change page appears first after clicking Setup Appliance on the welcome page.
Note:
The nbasecadmin account is created automatically when you perform the initial configuration on an appliance primary server. Once created, this account is assigned the default appliance password. This user cannot log in to the NetBackup Web UI until the default password is changed.
External certificate authority certificates are supported. This feature provides an alternative to using the NetBackup Certificate Authority for host verification and security. This procedure includes the necessary information to deploy these certificates. For more information about security certificates, see the chapter "External CA support in NetBackup" in the NetBackup Security and Encryption Guide.
If you plan to configure this appliance as a media server, complete the following tasks on the primary server before you start the initial configuration. The following link provides specific instructions about how to accomplish the necessary tasks:
See Configuring a primary server to communicate with an appliance media server.
Make sure that the primary server and this media server have compatible software versions.
Add the name of this media server to the SERVERS list on the primary server that you plan to use with it.
If a firewall exists between the primary server and this media server, open the appropriate ports as described in the link above.
Make sure that the date and time of this media server matches the date and time on the primary server.
If you plan to use this appliance as a media server in a NAT network, make sure to enable the DNAT feature on the primary server and to also add this media server name to the NAT servers list on the primary server.
The following procedure describes how to configure a new or a re-imaged appliance from the NetBackup Appliance Web Console.
To perform the initial configuration on a NetBackup 52xx appliance from the NetBackup Appliance Web Console
- On the laptop that is connected to the NIC1 appliance port, navigate to the Local Area Connection Properties dialog box.
On the General tab, select Internet Protocol (TCP/IP) so that it is highlighted, then click Properties.
On the Alternate Configuration tab, perform the following tasks:
Click User Configured.
For the IP address, enter 192.168.229.nnn, where nnn is any number from 2 through 254 except for 233.
For the Subnet mask, enter 255.255.255.0.
Click OK.
- On the laptop that is connected to the appliance, open a web browser to the following URL:
https://192.168.229.233
Note:
The NetBackup Appliance Web Console is accessible only over HTTPS on the default port 443. Port 80 over HTTP has been disabled.
- Log on to the appliance as follows:
For User Name, enter admin.
For Password, enter P@ssw0rd.
- On the Welcome to Appliance Setup page, review the summary of information that you need to perform the initial configuration.
Download Configuration Checklist
To help with the initial configuration, click this link to open a file where you can record all of the configuration settings. Veritas recommends that you print this file and fill it out for use as you perform the configuration. Then store it in a secure location for future reference.
Setup Appliance
After you have filled out the configuration checklist, click this item to start the configuration.
- On the Password Change page, enter new appliance account passwords to replace the factory default passwords.
Review the following password policy before setting a new password:
Passwords must contain at least eight characters.
Passwords must contain at least one lowercase letter (a-z) and one number (0-9).
Dictionary words are considered weak passwords and are not accepted.
Passwords for the sysadmin (IPMI) user must contain no more than 20 characters.
The last seven passwords cannot be reused and the new password cannot be similar to previous passwords.
The following shows the order in which the accounts appear, and the prompts for each password change:
admin
New admin password:
Confirm new admin password:
maintenance
New maintenance password:
Confirm new maintenance password:
sysadmin (IPMI)
New sysadmin (IPMI) password:
Confirm new sysadmin (IPMI) password:
Note:
If you enter five consecutive invalid passwords for any user account, the appliance aborts the initial configuration process automatically. You must start the initial configuration process again.
Note:
If you enable the STIG feature after completing the initial configuration, you may be prompted to change the new passwords you entered here to meet the requirements of the STIG password policy.
After you have changed all default passwords, click Next.
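The password policy in this step can be checked against candidate passwords before they are typed into the Password Change page. The following is an added example, not Veritas code: the word list, the similarity threshold, and the function names are assumptions, because the page does not publish the appliance's dictionary or define "similar".

```python
import re
from difflib import SequenceMatcher

# Assumption: a tiny stand-in word list; the appliance's real dictionary is not on this page.
SAMPLE_DICTIONARY = {"password", "welcome", "netbackup", "veritas", "admin"}
HISTORY_DEPTH = 7        # "The last seven passwords cannot be reused"
IPMI_MAX_LEN = 20        # limit for the sysadmin (IPMI) account
SIMILARITY_LIMIT = 0.8   # Assumption: the page does not define "similar"


def check_password(account, candidate, history=()):
    """Return the list of policy violations for one account (empty list = passes)."""
    problems = []
    if len(candidate) < 8:
        problems.append("shorter than eight characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lowercase letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no number")
    if account == "sysadmin" and len(candidate) > IPMI_MAX_LEN:
        problems.append("longer than 20 characters (IPMI limit)")
    # Compare the alphabetic core, so "Welcome1" is still caught as "welcome".
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if core in SAMPLE_DICTIONARY:
        problems.append("based on a dictionary word")
    recent = list(history)[-HISTORY_DEPTH:]
    if candidate in recent:
        problems.append("reuses one of the last seven passwords")
    elif any(SequenceMatcher(None, candidate, old).ratio() >= SIMILARITY_LIMIT
             for old in recent):
        problems.append("too similar to a previous password")
    return problems


def check_plan(plan, histories=None):
    """Check every account in a {account: candidate} plan; returns {account: problems}."""
    histories = histories or {}
    return {account: check_password(account, candidate, histories.get(account, ()))
            for account, candidate in plan.items()}


# Constructed sample values, for illustration only.
SAMPLE_PLAN = {
    "admin": "P@ssw0rd1",                     # one character away from the factory default
    "maintenance": "tr4il-Mix-crate-09",
    "sysadmin": "x7" + "q" * 19,              # 21 characters, over the IPMI limit
}
SAMPLE_HISTORIES = {"admin": ["P@ssw0rd"]}    # the default counts as a previous password

if __name__ == "__main__":
    for account, problems in check_plan(SAMPLE_PLAN, SAMPLE_HISTORIES).items():
        print(account, "OK" if not problems else "; ".join(problems))
```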
- The Network Configuration page contains the following tabs and taskbars to identify and enter the necessary data to configure network connectivity. Expand each taskbar to enter the relevant network configuration information:
Interface Properties - Use to update network interface properties.
Routing Properties - Use to update network routing properties.
Create Bond - Use to create a bond between two or more network interfaces.
Tag VLAN - Use to configure VLANs in your existing network environments.
Add Static Route - Use to add a route configuration for your network.
Note:
These functions are independent of one another and do not require configuration in the order in which they appear.
Enter the appropriate Create Bond information as follows:
Create Bond data entry fields
Network Interface
Click on the drop-down box and select the interface or the device name between which you want to create the bond.
Bond Mode
Click on the drop-down box and select the bond mode to use for the NIC ports that you want to bond.
Bonding lets you combine (aggregate) multiple network interfaces into a single logical "bonded" interface. The behavior of the bonded interfaces depends upon the mode. The default bond mode is balance-alb.
The available bonding modes from the drop-down list are as follows:
balance-rr
active-backup
balance-xor
broadcast
802.3ad
balance-tlb
balance-alb
Some bond modes require additional configuration on the switch or the router. You should take additional care when you select a bond mode.
For more information about bond modes, see the following documentation:
http://www.kernel.org/doc/Documentation/networking/bonding.txt
After you have entered the appropriate data into all fields, you must click + to add and immediately plumb the selected network interface. To configure bonding, you must select multiple interfaces from the Bond Mode drop-down box. For IPv6 addresses, enter 64 as the Subnet Mask.
IP Address [IPv4 or IPv6]
Enter the IPv4 or the IPv6 address to be used for this appliance. Only global-scope and unique-local IPv6 addresses are allowed.
Subnet Mask
Enter the network address that identifies the IP address for this appliance server.
After you have entered the appropriate data into all fields, click + to save and add the network configuration settings.
If required for your environment, enter the appropriate Tag VLAN information as follows:
Tag VLAN data entry fields
Select Interface
Select the network interface or the device name to which you want to tag the VLAN.
Description
Enter a description for the VLAN. For example, Finance or Human Resource.
VLAN Id
Enter a numeric identifier for the VLAN. VLAN IDs can range from 1 to 4094. For example, 1 or 10.
IP Address [IPv4 or IPv6]
Enter the IPv4 or the IPv6 address to be used for this appliance.
Subnet Mask
Enter the subnet mask value that corresponds to the IP address.
Click Add to add the configuration information for tagging VLAN into your existing network environment.
To enter information for tagging additional VLANs, click the + sign to add a row. To remove any of the rows, click the - sign that is adjacent to the Subnet Mask field.
Enter the appropriate Add Static Route information as follows:
Add Static Route data entry fields
Destination IP
Enter the network IP address of a destination network. The address can be either IPv4 or IPv6. Only global-scope and unique-local IPv6 addresses are allowed.
Destination Subnet Mask
Enter the subnet value that corresponds to the Destination IP address.
For the initial configuration, this field contains a default value that cannot be changed. When you configure another route, you must enter the appropriate value.
Gateway
Enter the address of the network point that acts as an entrance to another network. The address can be either IPv4 or IPv6. Only global-scope and unique-local IPv6 addresses are allowed.
Network Interface
Click on the drop-down box and select the ethernet NIC port to use for a network connection.
After you have entered the appropriate data into all fields, click + to save and add the routing configuration settings.
After clicking + to save the entered network configuration settings, click Next at the bottom of the page to continue.
- On the Host Configuration page, you can enter the host resolution information as follows:
To edit the hosts file manually, click here
Add the IP address, the fully qualified host name, and the short host name directly into the /etc/hosts file. Click here to open and edit the /etc/hosts file.
Note:
If you plan to configure Active Directory (AD) authentication on this appliance, the host name must be 15 characters or less. Otherwise, AD configuration can fail.
Enter the appliance host name and the related host resolution information in the following fields:
Host Name
Note:
If you plan to configure Active Directory (AD) authentication on this appliance, the host name must be 15 characters or less. Otherwise, AD configuration can fail.
Enter the short host name or the fully qualified domain name (FQDN) of this appliance.
The host name is applied to the entire appliance configuration with a few exceptions. The short name always appears in the following places:
NetBackup Appliance Shell Menu prompts
Deduplication pool catalog backup policy
Default storage unit and disk pool names
If this appliance has been factory reset and you want to import any of its previous backup images, the appliance host name must meet one of the following rules:
The host name must be exactly the same as the one used before the factory reset.
If you want to change the host name to an FQDN, it must include the short name that was used before the factory reset. For example, if "myhost" was used before the factory reset, use "myhost.domainname.com" as the new FQDN.
If you want to change the host name to a short host name, it must be derived from the FQDN that was used before the factory reset. For example, if "myhost.domainname.com" was used before the factory reset, use "myhost" as the new short host name.
For DNS systems:
Enter the following Domain Name System information:
Domain Name Suffix
Enter the suffix name of the DNS server. If you entered the FQDN in the Host Name field, this field is populated automatically.
Note:
The Domain Name Suffix is appended to the host name and cannot be changed after the initial configuration is completed. If you need to change the suffix or move the appliance to a different domain at a later time, you must perform a factory reset first, and then perform the initial configuration again.
DNS IP Address(es)
Enter the IP address of a DNS server, then click the + icon to add the address. Repeat as necessary for the number of addresses that you want to add.
The address can be either IPv4 or IPv6. For IPv6 addresses, only global-scope or unique-local addresses are allowed.
See About IPv4-IPv6-based network support.
To remove an address, select it from the list that appears below the data entry field and click the x icon.
Search Domain(s)
If required for your environment, enter a search domain name, then click the + icon to add the name. Repeat as necessary for the number of search domains that you want to add.
To remove a search domain, select it from the list that appears below the data entry field and click the x icon.
After you have entered all of the necessary information, click Next.
For the systems that do not use DNS:
Enter the following Host name resolution information:
IP
Enter the IP address of the appliance.
The address can be either IPv4 or IPv6. For IPv6 addresses, only global-scope or unique-local addresses are allowed.
Fully qualified host name
Enter the fully qualified host name (FQHN) of the appliance.
Short host name
Enter the short name of the appliance.
To enter two or more names, add a comma with no space between each name.
After you have populated all fields, click the + icon. The added entries now appear below the fields.
After you have entered all of the necessary information, click Next.
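The address and host name constraints from the network and host configuration steps can be checked before the values go into the web console. The following is an added example, not Veritas code: the function names and the plan layout are hypothetical, "global-scope" is interpreted as any IPv6 address that is not loopback, unspecified, multicast, link-local, or site-local, and the 15-character Active Directory limit is applied to the short host name.

```python
import ipaddress

SETUP_NET = ipaddress.ip_network("192.168.229.0/24")   # NIC1 setup network
UNIQUE_LOCAL = ipaddress.ip_network("fc00::/7")         # unique-local IPv6 range


def laptop_ip_problem(text):
    """Laptop alternate IP: 192.168.229.nnn, nnn from 2 through 254 except 233."""
    ip = ipaddress.ip_address(text)
    if ip not in SETUP_NET:
        return "not in 192.168.229.0/24"
    last_octet = int(ip) & 0xFF
    if last_octet == 233:
        return "192.168.229.233 is the appliance itself"
    if not 2 <= last_octet <= 254:
        return "last octet must be 2 through 254"
    return None


def ipv6_scope(ip):
    """Classify an IPv6Address by scope (this interpretation is the example's assumption)."""
    if ip.is_unspecified or ip.is_loopback:
        return "host-local"
    if ip.is_multicast:
        return "multicast"
    if ip.is_link_local:
        return "link-local"
    if ip.is_site_local:
        return "site-local"
    if ip in UNIQUE_LOCAL:
        return "unique-local"
    return "global"


def address_problem(text):
    """Return None if the address fits the page's rules, else the reason it does not."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return "not a valid IPv4 or IPv6 address"
    if ip.version == 6 and ipv6_scope(ip) not in ("global", "unique-local"):
        return "IPv6 scope is " + ipv6_scope(ip)
    return None


def import_name_ok(old, new):
    """Host name rules for importing backup images after a factory reset."""
    if new == old:
        return True
    if "." not in old and "." in new:      # short name -> FQDN must keep the short name
        return new.split(".")[0] == old
    if "." in old and "." not in new:      # FQDN -> short name must be derived from it
        return old.split(".")[0] == new
    return False


def preflight(plan):
    """Run every check over a plan dict and return a list of findings."""
    findings = []
    problem = laptop_ip_problem(plan["laptop_ip"])
    if problem:
        findings.append("laptop_ip: " + problem)
    for field, value in plan["addresses"].items():
        problem = address_problem(value)
        if problem:
            findings.append(field + ": " + problem)
    vlan = plan.get("vlan_id")
    if vlan is not None and not 1 <= vlan <= 4094:
        findings.append("vlan_id: must be from 1 to 4094")
    short_name = plan["host_name"].split(".")[0]
    if plan.get("ad_auth") and len(short_name) > 15:
        findings.append("host_name: over 15 characters, AD configuration can fail")
    old = plan.get("previous_host_name")
    if old and not import_name_ok(old, plan["host_name"]):
        findings.append("host_name: previous backup images cannot be imported")
    return findings


# Constructed sample plan with one mistake per check (documentation-range addresses).
SAMPLE_PLAN = {
    "laptop_ip": "192.168.229.233",
    "addresses": {"appliance_ip": "fd12:3456:789a::10",
                  "gateway": "fe80::1",
                  "dns": "2001:db8::53"},
    "vlan_id": 4095,
    "host_name": "nbu-appliance-media01.example.com",
    "ad_auth": True,
    "previous_host_name": "nbu-media01",
}

if __name__ == "__main__":
    for finding in preflight(SAMPLE_PLAN):
        print(finding)
```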
- On the Date & Time page, enter the appropriate date and time for this appliance.
You can enter the information manually or use a Network Time Protocol (NTP) server to synchronize the appliance date and time over the network.
Time zone
To assign a time zone to the appliance, click on the Time zone drop-down box and select the appropriate region, country, and time zone.
Specify date & time
To enter the date and the time manually, select this option and enter the following information:
In the first field, enter the date by using the mm/dd/yyyy format. Or, click on the calendar icon and select the appropriate month, day, and year.
In the second field, enter the time by using the hh:mm:ss format. Entries must be in the 24 hour format (00:00:00 - 23:59:59).
NTP
To synchronize the appliance with a Network Time Protocol (NTP) server, select this option and enter the NTP Server IP address or Host name.
After you have entered all of the necessary information, click Next.
- On the Alerting and Call Home page, enter the information for the appliance to send alerts or to upload status reports by email to a Veritas Call Home server.
To configure this server to upload alerts, enter the appropriate Alert Configuration information as follows:
Alert Configuration
Notification interval (in minutes)
Enter the interval for the server to upload alerts to the Veritas Call Home server. Entries must be in increments of 15 minutes.
SNMP Server Configuration
Select one of the following options:
SNMP V2
SNMP V3
None (default)
SNMP Server
Enter either the SNMP server host name or its IP address to define this server.
The IP address can be either IPv4 or IPv6. For IPv6, only global-scope and unique-local addresses are allowed.
SNMP Port
Enter the port number of the SNMP server to allow communication with this server. The default is 162.
Note:
Your firewall must allow access from the appliance to the SNMP server through this port.
SNMP Community
This field is required for SNMP V2 and is optional for SNMP V3.
Enter the community name where the alerts or traps are sent.
For example, you can enter the same information that you used for the SNMP server. You can also enter a company name or another name such as admin_group, public, or private. If you do not enter anything, the default value is public.
SNMP Username (SNMP V3 only)
Enter an SNMP user name as follows:
Enter up to 32 characters maximum.
May include uppercase letters, lowercase letters, numbers, and the following punctuation marks: period, hyphen/dash, underscore.
Spaces, commas, and special characters are not allowed.
Authentication Protocol (SNMP V3 only)
Configure as follows to set the security level:
None (default)
Sets the security level to no authentication and no privileges (authentication is disabled). Password and encryption fields are greyed out and not required.
SHA256 or SHA512
Sets the security level for authentication. An SNMP password is required.
SNMP Password/Confirm SNMP Password (SNMP V3 only)
Enter a password for the SNMP user as follows:
Must have 8 or more characters.
May include uppercase letters, lowercase letters, numbers, and the following punctuation marks: period, hyphen/dash, underscore.
Spaces, commas, and special characters are not allowed.
Encryption Protocol (SNMP V3 only)
Configure as follows to set the encryption policy:
None (default)
Encryption policy is not used or enforced. Passphrase fields are greyed out and not required.
AES128, AES192, AES256, or AES512
Select one of these options to enforce the associated encryption policy. An Encryption Passphrase is required.
Encryption Passphrase/Confirm Encryption Passphrase (SNMP V3 only)
If you set the Encryption Protocol to use an encryption policy, enter a passphrase for the SNMP user as follows:
Must have 8 or more characters.
May include uppercase letters, lowercase letters, numbers, and the following punctuation marks: period, hyphen/dash, underscore.
Spaces, commas, and special characters are not allowed.
The following describes summaries of the required fields for specific SNMP configuration scenarios:
SNMP V2
SNMP Server
SNMP Port
SNMP Community
All other fields are not required.
SNMP V3 - no authentication/no privileges
SNMP Server
SNMP Port
SNMP Community (optional)
Authentication Protocol - None
All other fields are not required.
SNMP V3 - authentication/no privileges
SNMP Server
SNMP Port
SNMP Community (optional)
Authentication Protocol (SHA256, SHA512)
SNMP Password/Confirm SNMP Password
All other fields are not required.
SNMP V3 - authentication/privileges
SNMP Server
SNMP Port
SNMP Community (optional)
Authentication Protocol (SHA256, SHA512)
SNMP Password/Confirm SNMP Password
Encryption Protocol (AES128, AES192, AES256, AES512)
Encryption Passphrase/Confirm Encryption Passphrase
View SNMP MIB file
To set up the appliance SNMP Manager to receive hardware monitoring related traps, click this link to view the content of the MIB file. Then, copy the file to another location and use the content to update the SNMP Manager.
The SNMP MIB file serves as a data dictionary that is used to assemble and interpret SNMP messages. If you configure SNMP, you must import the MIB file into the monitoring software so that the software can interpret the SNMP traps. The appliance can only accept traps in the SNMPv2c format.
SMTP Server Configuration
SMTP Server
Enter either the SMTP server host name or its IP address.
SMTP Port
Enter the port number of the SMTP server to allow communication with this server. The default is 25.
Software Administrator Email
Enter the email address of your software administrator so that they can receive notifications.
Hardware Administrator Email
Enter the email address of your hardware administrator so that they can receive notifications.
Sender Email
Enter the email address of this server so that recipients can identify the source of the report.
SMTP Account
Enter an account name for the SMTP server.
Password
To increase security, enter a password for the SMTP server.
You can configure this server to send email reports to a proxy server or to the Veritas Call Home server.
The following describes the supported proxy servers:
Squid
Apache
TMG
Note:
NTLM authentication in the proxy configuration is also supported.
For Call Home, enter the appropriate Call Home Configuration information as follows:
Call Home Configuration
To configure the appliance to send email reports to a proxy server or to the Veritas Call Home server, enter the following information:
Enable Call Home
Click this check box to enable the appliance to send email reports to the Veritas Call Home server.
Enable AutoUpdate for Upgrade Readiness Check
Check this box to enable automatic updates for the Appliance Upgrade Readiness Analyzer (analyzer tool). When the feature is enabled and a new analyzer tool version is available, the analyzer tool on the appliance is updated automatically. If an analyzer tool does not already exist on the appliance when you enable this feature, the latest version of the analyzer tool is downloaded automatically. You can also download the latest version of the analyzer tool from the Veritas Download Center. Veritas recommends that you enable AutoUpdate.
Enable proxy server
Click this check box to use a proxy server for email notification and provide the proxy information that follows.
Enable proxy Tunneling
To enable proxy tunneling, click this check box and provide the following proxy information:
Proxy server
Enter the IP address of the server.
The IP address can be either IPv4 or IPv6. For IPv6, only global-scope and unique-local addresses are allowed.
Proxy port
Enter the port number of the proxy server to allow communication with this appliance.
Proxy username
Enter the user name for the proxy server.
Proxy password
Enter the password of the proxy server.
Test Call Home
After you have entered all of the necessary information, Veritas recommends that you click Test Call Home to verify communication with the Veritas server.
If the test fails, check that you have entered all names, IP addresses, and port numbers correctly. If the test fails again, contact Veritas Technical Support.
After you have entered all of the necessary information, click Next.
A Call Home Test is performed after the settings are saved.
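The SNMP field rules and the scenario summaries in this step map each combination of Authentication Protocol and Encryption Protocol to one security level. The following added example, which is not Veritas code, reports the scenario a planned configuration falls into and which required values are missing or malformed; the dictionary keys and function names are hypothetical, and the 1 to 65535 port range is a general TCP/IP fact rather than a rule from the page.

```python
import re

ALLOWED = re.compile(r"^[A-Za-z0-9._-]+$")   # letters, numbers, period, hyphen, underscore
AUTH_PROTOCOLS = {"None", "SHA256", "SHA512"}
ENCRYPTION_PROTOCOLS = {"None", "AES128", "AES192", "AES256", "AES512"}


def snmp_security_level(cfg):
    """Name the scenario, using the labels from the summary of required fields."""
    if cfg.get("version") == "V2":
        return "SNMP V2"
    if cfg.get("auth_protocol", "None") == "None":
        return "SNMP V3 - no authentication/no privileges"
    if cfg.get("encryption_protocol", "None") == "None":
        return "SNMP V3 - authentication/no privileges"
    return "SNMP V3 - authentication/privileges"


def _secret_problems(label, value):
    """Rules shared by the SNMP Password and the Encryption Passphrase."""
    if not value:
        return [label + " is required"]
    problems = []
    if len(value) < 8:
        problems.append(label + " must have 8 or more characters")
    if not ALLOWED.match(value):
        problems.append(label + " contains a space, comma, or special character")
    return problems


def validate_snmp(cfg):
    """Return the list of problems for one planned SNMP configuration."""
    version = cfg.get("version", "None")
    if version == "None":                      # SNMP disabled (the default)
        return []
    problems = []
    if not cfg.get("server"):
        problems.append("SNMP Server is required")
    port = cfg.get("port", 162)                # 162 is the default on the page
    if not isinstance(port, int) or not 1 <= port <= 65535:
        problems.append("SNMP Port must be a number from 1 to 65535")
    if version == "V2":
        if not cfg.get("community"):
            problems.append("SNMP Community is empty, so the default 'public' is used")
        return problems
    user = cfg.get("username", "")
    if user and (len(user) > 32 or not ALLOWED.match(user)):
        problems.append("SNMP Username breaks the 32-character or character-set rule")
    auth = cfg.get("auth_protocol", "None")
    enc = cfg.get("encryption_protocol", "None")
    if auth not in AUTH_PROTOCOLS:
        problems.append("unknown Authentication Protocol: " + str(auth))
    if enc not in ENCRYPTION_PROTOCOLS:
        problems.append("unknown Encryption Protocol: " + str(enc))
    if auth != "None":
        problems += _secret_problems("SNMP Password", cfg.get("password"))
    if enc != "None":
        if auth == "None":
            problems.append("Encryption Protocol without an Authentication Protocol "
                            "is not a listed scenario")
        problems += _secret_problems("Encryption Passphrase", cfg.get("passphrase"))
    return problems


# Constructed sample: authentication and encryption selected, but a bad passphrase.
SAMPLE_V3 = {
    "version": "V3", "server": "snmp.example.com", "port": 162,
    "username": "nbu_monitor",
    "auth_protocol": "SHA256", "password": "trap-Auth_2024",
    "encryption_protocol": "AES256", "passphrase": "short 1",
}

if __name__ == "__main__":
    print(snmp_security_level(SAMPLE_V3))
    for problem in validate_snmp(SAMPLE_V3):
        print(" -", problem)
```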
- Configure the role for this appliance server as follows:
Option or data entry field
Description
Appliance Role
Primary
When you select this role, you are required to provide a Veritas Usage Insights customer registration key. To obtain a registration key, follow the instructions on the page.
Media
If you select this role, do not continue configuration until you have performed or verified the following configuration on the primary server that you want to use with this media server. The following link provides specific instructions about how to accomplish the necessary tasks:
See Configuring a primary server to communicate with an appliance media server.
Make sure that the primary server and this media server have compatible software versions.
Add the name of this media server to the SERVERS list on the primary server that you plan to use with it.
Open the following ports on the primary server to allow communication to this media server:
vnetd: 13724
bprd: 13720
PBX: 1556
Open the following ports if the primary server is an appliance primary server and TCP is used:
443, 5900, and 7578.
Make sure that the date and time of this media server matches with that of the primary server.
If you plan to use this media server in a NAT network, make sure to enable the DNAT feature on the primary server and to also add the media server name to the NAT servers list on the primary server.
Primary server name
DNAT configuration
Certificate provisioning
Certificate revocation list (CRL)
When you select this role, the following prompts appear:
DNAT configuration
Follow the prompts if you plan to use this media server in a NAT network.
Primary Server Name
For primary servers with only one name and IP address, enter the host name or the IP address of the primary server and click Add.
For clustered primary servers or primary servers with multiple names and IP addresses, enter each host name or IP address in the field (one at a time) and click Add. If the primary server is clustered, the first entry must be the virtual host name of the cluster.
Note:
If the host name of the primary server is an FQDN, Veritas recommends that you use the FQDN to specify the primary server for the media server.
Certificate provisioning/Certificate revocation list (CRL)
After you have entered the primary server name, the appliance pings the primary server for the Certificate Authority (CA) status and shows the result. Each of the following bullet statements describes the possible status results. Follow the instructions that appear below the applicable status result to complete the certificate configuration.
The primary server currently uses an external CA issued certificate. You are required to configure this appliance with a certificate issued by the same external CA.
Enter the following certificate provisioning information:
Host certificate
Trusted certificate
Private key
Private key passphrase (Required only if the private key file is encrypted.)
Select one of the following CRL options:
Use CRL location from certificate
Upload CRL file
Do not use CRL
After you have entered all of the necessary information, click Next.
The primary server currently uses an external CA issued certificate and its own internal certificate. Would you like to proceed with the external CA issued certificate?
If you select no, the following message appears:
This appliance will use a NetBackup issued certificate for secure communication.
If you select yes, enter the following certificate provisioning information:
Host certificate
Trusted certificate
Private key
Private key passphrase (Required only if the private key file is encrypted.)
Select one of the following CRL options:
Use CRL location from certificate
Upload CRL file
Do not use CRL
After you have entered all of the necessary information, click Next.
When the Certificate Verification dialog box appears, click Deploy to deploy the CA certificate to this appliance. If required, enter the token and click Deploy to deploy the host ID-based certificate to this appliance.
This appliance will use a NetBackup issued certificate for secure communication.
No further certificate configuration is required. Click Next to continue.
For more information about security certificates, refer to the chapter Security certificates in NetBackup in the NetBackup Security and Encryption Guide.
- On the Storage Configuration page, create names for the storage units and the disk pools that you plan to use, and configure the size of the disk partitions.
You can configure storage partitions for AdvancedDisk, for Deduplication (MSDP), or for both.
Note:
If you choose to configure MSDP storage, a policy is automatically created to protect the MSDP catalog. Veritas recommends reviewing this policy and activating it once your appliance is configured.
Note the following for MSDP partition sizes:
Make sure that the MSDP volume is larger than 10GB. Partitions smaller than 10GB or less than 1/100 of the average MSDP volume are not supported.
If the available disk space is more than 10GB, a message informs you that the partition has been created.
If the available disk space is less than 10GB, the process checks for the next disk in the storage array with more than 10GB of free space. A message informs you that the partition has been created.
If no disks have more than 10GB of available space, a message informs you of the maximum available space and allows you to create the partition at the smaller size.
NetBackup Catalog
This tab lets you set the size of the NetBackup catalog partition on the primary server. This tab appears only for the appliances that are configured as a primary server.
To change the size of the partition, enter a precise number in the Size field, or click and drag the box on the gray slide bar to the desired size. The size can be set in GB or TB units, depending on the maximum available space.
AdvancedDisk
Enter the following information:
Storage Unit Name
Enter the name that you want to use to identify this storage unit. The name can contain any letters, numbers, or special characters. The name can include up to 256 characters.
Note:
The name should not start with the minus (-) character and spaces should not be used anywhere in the name.
Disk Pool Name
Enter the name that you want to use to identify this disk pool. The name can contain any letters, numbers, or special characters. The name can include up to 256 characters.
Note:
The name should not start with the minus (-) character and spaces should not be used anywhere in the name.
Size
Set the size for this partition by entering a precise number in the Size field, or click and drag the box on the gray slide bar to the desired size. The size can be set in GB or TB units, depending on the maximum available space.
Deduplication Disk (MSDP)
Enter the following information:
Storage Unit Name
Enter the name that you want to use to identify this storage unit. The name can contain any letters, numbers, or special characters. The name can include up to 256 characters.
Note:
The name should not start with the minus (-) character and spaces should not be used anywhere in the name.
Disk Pool Name
Enter the name that you want to use to identify this disk pool. The name can contain any letters, numbers, or special characters. The name can include up to 256 characters.
Note:
The name should not start with the minus (-) character and spaces should not be used anywhere in the name.
Size
Set the size for this partition by entering a precise number in the Size field, or click and drag the box on the gray slide bar to the desired size.
The size can be set in GB or TB units, depending on the maximum available space.
After you have entered all of the necessary information, click Next.
- On the Configuration Progress page, you can monitor the progress of the appliance as it applies all of the data input from the configuration pages.
The amount of time for the configuration to complete varies and depends on the complexity of your environment.
- On the Summary of Configuration page, review the results of the configuration. Examine the results to make sure that the configuration completed successfully.
This page also identifies any errors that may have occurred. You may need to perform the initial configuration again if errors appear in the results.
- After the configuration has completed successfully, wait about 5 minutes for the NetBackup services to start. You must then use the fully qualified host name to reconnect and log into the appliance.
- Disconnect the laptop from the NIC1 appliance port.
Note:
If your network uses the 192.168.x.x IP address range, refer to the following topic for important information:
- After all appliances are configured and operational, you are ready to install client software on the computers that you want to back up.
See Downloading NetBackup client packages to a client from a NetBackup appliance.
See Installing NetBackup client software through an NFS share.
- If you want to configure the appliance for MSDP cloud, do the following:
Log in to the NetBackup Appliance Shell Menu on the appliance primary server and run the following command to change the default password for the nbasecadmin user:
Main > Settings > Password nbasecadmin
Log in to the NetBackup web UI as the nbasecadmin user and configure the MSDP cloud storage as follows:
Create a disk pool.
Create a storage unit.
For details, see the NetBackup Web UI Administrator's Guide.