Skip to main content
Prerequisites to install VMware backup proxy
Updated today

Prerequisites for deploying VMware backup proxy

  • Druva does not support ESXi hypervisor passwords that contain the character @ (at sign). If the password for an ESXi hypervisor on which a backup proxy is deployed contains "@", change the password to remove this sign before you register and configure the backup proxy.

  • The user setting up the proxy server must have Cloud Administrator for Enterprise workloads privileges.

  • ESXi/vCenter must have a valid license. See the article to verify if the ESXi/vSphere host has a valid license.

  • The vCenter/ESXi credentials must have the required user permissions.

  • The vCenter certificate must be valid.

  • The IP address / Network being provided to the Druva Backup Proxy must be able to communicate to Cloud on port 443.

  • Configure your antivirus and any third-party encryption programs to authorize the latest Druva applications and Druva and S3 URLs.

  • There must not be an SSL terminating proxy in the network.

  • The backup proxy must be deployed to a datastore that has a minimum 110 GB free space.

  • You must have the Web Proxy credentials (If you use a Web proxy in your environment).

  • You must have the IP settings details.

  • The backup proxy is deployed in the same cluster where the virtual machines being backed up reside.

  • Backup proxy is deployed through an OVA and is an Ubuntu (version 22.04) VM that resides in your VMware infrastructure.

Prerequisites for Druva Proxy Deployer

  • The Druva Proxy Deployer is supported in the following operating system:

    • macOS 10.14 or later (Mojave)

    • macOS 10.15 or later (Catalina),

    • Windows 8 and later
      ​For Windows 8, if you face any issues, you need to install the Windows update.

  • The Druva Proxy Deployer by default uses the port 20020. In case you want to use a different port, follow the steps:

    1. Close the Druva Proxy Deployer.

    2. Go to <install_location>\Druva-Proxy-Deployer\resources\service

    3. Open the ServiceConfiguration.json file.

    4. Update the port number in the srvRestPort field.

  • The local system must have a minimum of 7 GB space on the download location.

  • Ensure that the English language pack is installed on the hosts with a certified operating system that is localized to a language other than English. If the English language pack is not installed, Druva is unable to assign a static IP. To add the English language pack on Windows, see Available Language Packs for Windows. [External link to Microsoft documentation].

Prerequisites for VMC

Ensure VMC SDDC firewall rules are configured to enable http/https traffic over port 443 and NTP port 123 for the communication through Compute and Management Gateways.

The backup proxy communicates with Druva on port 443. The communication is outbound only and you need to create an inbound traffic rule. The backup proxy also communicates with the vCenter on port 443 to understand the VMware hierarchy and communicates with the virtual machines to perform backups and restores. The backup proxy also uses port 123 outbound connection to synchronize time with NTP server.

Compute Gateway settings

Create the following rules on the Compute Gateway:

  • Source: Druva-Proxy -> Destination: vCenter with Port: 443

  • Source: Druva-Proxy -> Destination: Any with Port: 443 applied to: internet interface ​

    Compute Gateway.png

Management Gateway settings

Open Port 443 for inbound and outbound communication.

Management Gateway.png

Druva only needs access to the Internet (only Druva provided IP addresses on port 443) and to the vCenter, so you can restrict all other communication.

Distributed Firewall settings (Optional step)

​The following steps are applicable only if your organization is using Distributed Firewall.

  1. Ensure that the environment is set to blacklist and create the following rules:

    • Source: Druva-Proxy -> Destination: ANY with Service: ANY -> Reject

    • Source: ANY -> Destination: Druva-Proxy with Service: ANY -> Reject

      Rules.png
    • Right now, each traffic will be blocked directly on the vNIC of the backup proxy.

  2. Open the internet traffic, allowing the https traffic to the backup proxy. Create the following rule:

    Source: Druva-Proxy -> Destination: is not! RFC1918 with Service 443 -> Allow ​

  3. Allow vCenter outbound and inbound traffic. Create the following rules:
    Source: Druva-Proxy -> Destination: vCenter with Service 443 -> Allow
    ​Optionally, you can add ICMP
    Source: vCenter -> Destination: Druva-Proxy with Service 443 -> Allow

    Destination2.png

Prerequisite for VMC on Dell EMC

  • For VMware Cloud on Dell EMC, configure the Fully Qualified Domain Name (FQDN) to resolve to a vCenter private IP address. Ensure the FQDN Access is set to Via internal network only in the VMware Cloud Services Console. ​

    2020-09-15 14_37_31-Microsoft Edge.png
  • For DR failback on Windows, ensure that the virtual machines on the VMware Cloud can access the AWS instance data using the SMB protocol.

Reference articles

Did this answer your question?