Axcient Help Center

Cloud Failover

If the local appliance is not available in a disaster situation, the cloud failover feature in the Web Application allows you to start virtual machines (VMs) of one or more protected devices in the Axcient Cloud. The Axcient Cloud failover solution allows you to do the following:

  • Create a Virtual Office running in the Axcient data center that matches existing server configurations

  • Configure network settings for the virtual office, including:

    • Provide secure access to the Virtual Office by configuring VPN

    • Configure Site to Site Open VPN, allowing multiple remote networks to connect to the Virtual Office

    • Allow VMs to access the Internet by enabling outbound connections (disabled by default)

    • Establish Port Forwarding rules

  • Start the Virtual Office VMs of each server from separate restore points

This section of the guide will cover the various Virtual Office interfaces.

Starting the Virtual Office

To start the Virtual Office:

  1. On the Axcient Web Application, click Sites.

  2. On the Sites page, click the Details button for the desired Site.

  3. On the Site Details page, click the Recover button.

  4. On the Recover Something screen, click the Make it Virtual option and then select the Start a Virtual Office option.

  5. Select the type of local virtualization to deploy:

    1. Select the Make it a Test option to test the virtualization process and verify the availability of recovery points in case of an emergency.

    2. Select the Put it in Production option in the event of a disaster. This local failover VM can be used to temporarily replace production devices until a permanent replacement is ready.

  6. On the Start Virtual Office (Failover) screen, select the services and configure settings:

    1. In the Services field, use the checkboxes to select the appropriate service(s).

    2. If you would like to set up a subnet for the Virtual Office, configure the Gateway and Netmask fields:

      1. In the Gateway field, enter the gateway IP address. This address should be the same as the default gateway on the physical network that the Virtual Office is trying to replicate. For example, if devices are on the 192.168.1.xxx network, the gateway will most likely be 192.168.1.1.

      2. In the Netmask field, enter the netmask value.

      3. Optionally, to add a new subnet for the Virtual Office, click the + Add Another link. Please note that you can add up to ten subnets. Subnets must not overlap with other subnets on the Virtual Office. To delete a subnet, click the red Delete icon.

    3. Click the Start Virtual Office button when you are finished.

The Virtual Office Page

The Virtual Office page is accessible when a Virtual Office has been started. This page is the administrative page for the Virtual Office. From here, you can take any managerial and configuration actions for the Virtual Office.

There are five main sections to the Virtual Office View page:


1. Virtual Office Summary

This section provides a summary of the Virtual Office, showing which Clients are being virtualized and the type of virtualization (test or production).

Additionally, you can stop all running VMs and take steps to discard the Virtual Office.

2. Device List

This section displays all protected devices under the Client as well as the device states. The three device states are explained below.

3. Configure Office

This button launches the Virtual Office Configuration page where you can configure various aspects of the Virtual Office.

4. Resources

This section displays used and available resources across all live VMs, and information about how long the Virtual Office has been running.

5. Axcient Tools

This section displays links to Axcient support documentation and Axcient Technical Support.

Virtual Machine States

A device will be listed in one of the following states:

  • The Offline state indicates that the VMs have yet to be rendered. To render a device, click the Render button.

  • The Ready state indicates that the VMs have been rendered. This means that you have allocated CPU cores and RAM to the VM. You can optionally click the Start button to start a device and make it accessible.

  • The Running state indicates that the VMs are live and accessible through a VNC or RDP agent. You can optionally click the Stop button to return the device to a Ready state, log in to access the VM using the built-in web VNC agent, or click the Discard button to return the device to an Offline state.

Configure the Virtual Office

While inside the Virtual Office, you can configure the cloud failover environment as needed. To configure these options:

  1. On the Virtual Office page, click the Configure Office button.

  2. On the Configure: Virtual Office page, configure the various network options.

    1. On the Configure: Virtual Office page, click the Edit button in the Network section.

    2. On the Network screen, enter a value for one or more of the following fields:

      1. In the Gateway field, enter a gateway IP address.

      2. In the Netmask field, enter the netmask value.

      3. Optionally, click the +Add Another link to add an additional subnet. Please note that you can add up to ten subnets. Subnets must not overlap with other subnets on the Virtual Office. To delete a subnet, hover your mouse over the appropriate row and click the red Delete icon.

      4. Optionally, in the VNC IP field, enter the IP address for the VNC clients, which can be any available (unused) IP address in the Virtual Office. VNC clients typically use the Virtual Office Gateway address, so a separate IP address is not necessary. However, when testing a Cloud Failover while the original gateway is still active, an alternative IP address should be specified.

      5. Optionally, enable the Outbound Access option to allow outbound access to the Internet. Enabling Internet connectivity allows both outbound and inbound messages between external devices and the server VMs in the Virtual Office. Disabling outbound access means that only devices within the Virtual Office can communicate with each other.

Virtual Private Network (VPN) Settings

To configure or edit VPN settings:

  1. On the Configure: Virtual Office page, click the Edit button in the VPN section.

  2. In the VPN section of the screen, enter a value for one or more of the following fields:

    1. Enable the VPN setting to turn on VPN.

    2. Enable the Split Tunneling setting to route the VPN user’s Internet access through their device. Alternatively, disable to route all Internet traffic through the Virtual Office.

    3. In the VLAN IP field, enter the IP address that gets assigned to the virtual network interface inside the failover network. This address must be an unused IP address.

    4. In the Client IP Range field, enter the range of available IP addresses that are assigned to connecting VPN users. This range must not conflict with any devices in the Virtual Office.

    5. In the User Authentication section of the screen, select the preferred method of VPN authentication.

  3. Click the Active Directory radio button to integrate with Active Directory, which enables users to connect through VPN using their known Active Directory credentials. If you select this option, you will be prompted to configure the following fields:

    1. In the Active Directory server field, enter the IP address of the Active Directory server.

    2. In the Active Directory Domain field, enter the domain name of the Active Directory server.

    3. In the Domain Administrator Username field, enter the username of the Active Directory administrative user.

    4. In the Domain Administrator Password field, enter the password of the Active Directory administrative user.

    5. In the Connection Type field, use the radio buttons to select your preferred connection type, including: Unencrypted, LDAPS, or Start TLS.

      Please note that if you select LDAPS or the Start TLS method, you must also configure the Active Directory Certificate Services role on the domain controller. For more information, please reference the Configuring Active Directory Certificate Services Settings section below.

  4. Alternatively, in the User Authentication section of the screen, click the Direct radio button to manually create login credentials for users to connect through VPN. If you select this option, you will be required to configure the following fields:

    1. In the Username field, enter a username needed for users to connect through VPN.

    2. In the Password field, enter a password needed for users to connect through VPN.

  5. Click the Save button when you are finished.

Configuring Active Directory Certificate Services Settings

When configuring VPN connection settings, you can optionally integrate with Active Directory for authentication purposes. This option requires that you select a connection type, including Unencrypted, LDAPS (LDAP over SSL/TLS), or Start TLS. LDAPS and Start TLS connection types both require that you set up the Active Directory Certificate Services role on the domain controller.

Please note that LDAPS (LDAP over SSL/TLS) is automatically enabled when you install an Enterprise Root CA on a domain controller.

To set up the Active Directory Certificate Services role on the domain controller:

  1. On the domain controller, start the Server Manager and select Add Roles and Features. The Add Roles and Features Wizard displays.

  2. In the Wizard, click the series of Next buttons until you reach the Select server roles screen. On the Select server roles screen, click the Active Directory Certificate Services checkbox and then click the Next button to continue.

  3. Continue through the Wizard until you reach the Select role services screen. On the Select role services screen, click the Certification Authority checkbox and then click the Next button to continue.

  4. On the Setup Type screen, click the Enterprise CA radio button and then click the Next button to continue.

  5. On the CA Type screen, click the Root CA radio button and then click the Next button to continue.

  6. On the Private Key screen, click the Create a new private key radio button and then click the Next button to continue.

  7. On the Cryptography for CA screen, configure the following settings:

    1. In the Select a cryptographic provider drop-down menu, select RSA#Microsoft Software Key Storage Provider.

    2. In the Key length drop-down menu, select 2048.

    3. In the Select the hash algorithm scroll-down menu, select SHA1.

    Click the Next button to continue.

  8. On the CA Name screen, configure settings for the certificate authority (CA). Click the Next button to continue.

    Continue through the Wizard until you successfully configure the Active Directory Certificate Services role, and then click the Close button when you are finished.


Note

For alternative instructions, please reference the LDAP over SSL (LDAPS) Certificate Microsoft TechNet article.

Connecting to VPN

When the VPN has been configured, the Virtual Office will generate a link that allows you to connect to the VPN. This link can be copied and sent to the desired recipients.

  1. On the Configure: Virtual Office page, click the Login to VPN button in the VPN section.

  2. On the VPN Access page, enter login credentials. These are the same credentials created in the User Authentication field on the VPN screen.

  3. After logging in, click the Start button to connect to the VPN and follow the prompted connection steps.


    Note

    The latest version of Java must be installed. If it is not already installed, you will be prompted to download a Java plug-in that is required to complete the VPN connection process. If you are prompted to download the plug-in, install the plug-in and then begin the VPN connection process from the beginning.

    If your browser blocks Java applets, you can connect through an alternative VPN client, such as the Windows 10 (built‑in) VPN client. For more information, please reference the Connecting to VPN Using an Alternative Connection Method section.

Connecting to VPN Using an Alternative Connection Method

Depending on browser type and settings, you might experience connection issues when attempting to connect to VPN, as described in the Connecting to VPN section. In these instances, an alternative VPN client can be utilized.

As an example, the following instructions provide steps for connecting through the Windows 10 VPN client (built-in).

  1. On the Configure: Virtual Office page, click the Login to VPN button in the VPN section.

  2. From the local machine, download and install the Pulse Secure app from the Microsoft Store.

    When the Pulse Secure app is installed, click the Windows Start icon and enter Change Virtual Private Networks (VPN) in the search box. Then, click to launch Change Virtual Private Networks (VPN) settings.

  3. In the VPN window, click the Add a VPN button. Enter information into the Add a VPN Connection dialog box:

    1. In the VPN Provider field, select Pulse Secure.

    2. In the Connection Name field, enter a descriptive connection name.

    3. In the Server Name or Address field, paste the VPN connection URL.

    4. Click the Save button.

  4. When the connection is configured, click the title of the new VPN connection to launch.

  5. When prompted, enter the appropriate user name and password and then click the OK button to connect. These credentials are the same credentials created in the User Authentication field on the VPN screen.

Port Forwarding

Port forwarding is not enabled by default but can be configured to work in the Virtual Office.

Enabling port forwarding could lead to network collisions if configured on a test Virtual Office. Do not enable and configure port forwarding for a test Virtual Office, because loss of productivity and data might occur.

Additionally, Port Forwarding must be enabled for Site to Site Open VPN to function.

To configure or edit the port forwarding settings:

  1. On the Configure: Virtual Office page, click the Edit button in the Port Forwarding section.

  2. On the Port Forwarding screen, update the following fields:

    1. Enable the Port Forwarding option.

    2. Enter the appropriate values to set the port forwarding rules:

      • In the Ext Port field, enter the external port number to be forwarded.

      • In the Internal IP field, enter the internal IP address. The internal IP address must fall inside one of the Virtual Office's subnets.

      • In the Int Port field, enter the internal port number.

    3. Click the Add Another button to add additional entries. Repeat these steps as many times as necessary.

  3. Click the Save button to save any new configurations.

DHCP Settings

DHCP is not enabled by default but can be configured to work in the Virtual Office environment. Please note that DHCP applies only to virtualized devices and not to remote user IP addresses that are assigned through the VPN settings.

To configure or edit the DHCP settings:

  1. On the Configure: Virtual Office page, click the Edit button in the DHCP section of the page.

  2. On the DHCP screen, enter a new value for one or more of the following fields:

    • Enable the DHCP option.

    • In the Domain field, enter the domain name.

    • In the DNS Servers field, enter the host name or IP address of the DNS server. Click the Add Another button to add additional DNS servers.

    • In the Range field, enter a range of IP addresses that can be used by DHCP. The range must reside inside one of the Virtual Office's subnets.

    • Optionally, in the MAC to IP field, assign an IP address to a server by entering the MAC address and the desired IP address.

    • Click the Add Another button to add more entries.

  3. Click the Save button to save any new configurations.
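
The addressing rules stated in the Network, VPN, Port Forwarding and DHCP sections above can be checked against a planned configuration before anything is entered on the Configure: Virtual Office page. The following Python script is an added example, not Axcient code; the plan dictionary layout, the `first-last` range notation and all sample addresses are assumptions made for illustration.

```python
import ipaddress as ip

MAX_SUBNETS = 10  # the page allows up to ten subnets per Virtual Office


def subnet_of(gateway, netmask):
    """Network implied by one Gateway/Netmask pair as typed into the UI."""
    return ip.ip_interface(f"{gateway}/{netmask}").network


def ip_range(text):
    """Parse 'first-last' (assumed notation) into two ordered addresses."""
    first, last = (ip.ip_address(p.strip()) for p in text.split("-"))
    if first > last:
        raise ValueError(f"range {text!r} is reversed")
    return first, last


def validate(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    subnets = [subnet_of(gw, mask) for gw, mask in plan["subnets"]]

    if len(subnets) > MAX_SUBNETS:
        problems.append(f"{len(subnets)} subnets configured, limit is {MAX_SUBNETS}")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"subnets {a} and {b} overlap")

    # Addresses already taken: every gateway plus the protected devices.
    used = {ip.ip_address(gw) for gw, _ in plan["subnets"]}
    used |= {ip.ip_address(d) for d in plan.get("device_ips", [])}

    # Port forwarding: the Internal IP must fall inside a Virtual Office subnet.
    for ext_port, internal_ip, _int_port in plan.get("port_forwards", []):
        if not any(ip.ip_address(internal_ip) in net for net in subnets):
            problems.append(f"port forward {ext_port}: {internal_ip} is outside every subnet")

    # DHCP: the whole range must reside inside one subnet.
    if plan.get("dhcp_range"):
        first, last = ip_range(plan["dhcp_range"])
        if not any(first in net and last in net for net in subnets):
            problems.append(f"DHCP range {plan['dhcp_range']} is not inside one subnet")

    # VPN: the VLAN IP must be unused; the client range must not hit a device.
    vlan = plan.get("vpn_vlan_ip")
    if vlan and ip.ip_address(vlan) in used:
        problems.append(f"VPN VLAN IP {vlan} is already in use")
    if plan.get("vpn_client_range"):
        first, last = ip_range(plan["vpn_client_range"])
        hits = sorted(a for a in used if first <= a <= last)
        if hits:
            problems.append(f"VPN client range collides with {', '.join(map(str, hits))}")
    return problems


# Constructed sample plan (not taken from a real Virtual Office).
SAMPLE_PLAN = {
    "subnets": [("192.168.1.1", "255.255.255.0"),
                ("192.168.1.129", "255.255.255.128")],  # overlaps the first
    "device_ips": ["192.168.1.10", "192.168.1.20"],
    "port_forwards": [(443, "192.168.1.10", 443), (3389, "10.0.0.5", 3389)],
    "dhcp_range": "192.168.1.100-192.168.1.150",
    "vpn_vlan_ip": "192.168.1.1",                        # same as a gateway
    "vpn_client_range": "192.168.1.15-192.168.1.30",     # covers a device
}

if __name__ == "__main__":
    for line in validate(SAMPLE_PLAN) or ["plan is consistent"]:
        print(line)
```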

Site to Site Open VPN Settings

Site to Site Open VPN allows you to create a single VPN endpoint for a local network through which any local user can connect to the Virtual Office. When the Site to Site Open VPN endpoint has been configured, a virtual image is generated, which must then be downloaded and run on any VMware virtual machine software.

Using Site to Site Open VPN is not recommended in a test environment. However, during a disaster, it can provide valuable services in the following situations:

  • When a disaster occurs in an organization with two (or more) sites linked together in a corporate network. A Site‑to‑Site VPN connection can be configured that recreates the corporate network for the unavailable physical site.

  • When a site is being rebuilt after a disaster and users can physically use the site itself, but not the servers. A Site‑to‑Site VPN connection can be configured as a replacement while the servers are being rebuilt.

For the Site to Site Open VPN feature to work, Port Forwarding must be enabled. When it is enabled, you can continue to configure the Site to Site Open VPN.

  1. Enable the Port Forwarding feature according to the instructions listed in the Port Forwarding section.

  2. After Port Forwarding has been enabled, click the Edit button in the Site to Site Open VPN section.

  3. In the Site to Site Open VPN section, update the following fields:

    1. Enable the Site to Site Open VPN option.

    2. Optionally, in the Whitelisted IPs field, add an IP address that can access the Virtual Office. Only IP addresses from this list can access the Virtual Office. Click Add Another to whitelist additional IP addresses.

    3. Configure the Endpoint, including:

      1. In the Endpoint Name field, enter the desired name for the Endpoint.

      2. Optionally, in the Key Password field, set a password for the SSL RSA key. If configured, this password will be required to log in to the VPN.

      3. In the Configuring Using section, use the radio buttons to select whether to configure using a Static IP address or DHCP.

      4. In the Gateway field, enter the gateway IP address.

      5. In the Netmask field, enter the netmask value.

      6. In the IP of Endpoint field, enter the IP address of the Endpoint (static IP address only). This address should be on a different subnet than that of the Virtual Office. For example, if the Virtual Office IP address is 192.168.99.2, configure the endpoint address to 172.168.22.2.

      7. In the DNS (Static IP Only) field, enter the IP address of the DNS server.

      8. Once configured correctly, click the Add Endpoint button, or click the Done button.

  4. When Site-to-Site VPN settings are configured, click the Download Client link to download the virtual image. This image should be deployed at the desired location using any VMware virtual machine software.

    When the virtual machine is deployed, all local devices must have their gateway changed to the IP address of the endpoint.


Note

When the VM endpoint is powered on, a console window will print out a message acknowledging the Open VPN connection. A message will also appear with network instructions to reconfigure the host machine on which the VM endpoint is being deployed. If you do not see these console windows, please contact Axcient Support.

The message will be formatted as follows:

“Open VPN Connect *** ESTABLISHED ***”

Please add <Virtual Office Subnet> netmask <Host Machine Netmask> gw <Host Machine Gateway> to your subnet router.

IPSec Site to Site VPN Settings

The Internet Protocol Security (IPSec) Site to Site VPN feature allows you to establish IPSec VPN tunnels from the Virtual Office in the Axcient Cloud to any standards-compliant IKEv2 IPSec VPN gateway on your local network. Specifically, you can use this feature during a site disaster to:

  • Recreate the network in an organization with two or more sites linked together in a corporate network

  • Temporarily replace a connection while a machine room is rebuilt after a disaster

Note

IPSec Site-to-Site VPN is not recommended in a test environment.

To set up an IPSec Site-to-Site VPN connection, you must turn on the feature in your Virtual Office and also configure settings on your gateway.

  1. Enable the Port Forwarding feature according to the instructions listed in the Port Forwarding section.

  2. After Port Forwarding settings have been configured, navigate to the Site to Site IPSec VPN section and click the Edit button. You can configure the following options:

    • Click the S2S IPSec option to enable Site to Site IPSec VPN settings.

    • In the Site Public IP field, enter the public IP address of the remote machine or hardware with IPSec software (for example, Cisco ASA).

    • In the Site Local Subnets section, enter the remote subnets and associated netmasks for sharing with the Virtual Office subnets. Please note that these subnets do not need to intersect with the Virtual Office subnets.

  3. Click the Save button when you are finished.

Gateway Settings

You can connect with any standards-compliant IKEv2 IPSec VPN gateway. For examples and instructions, please reference the Axcient Knowledge Base.

Additional Failover Steps for Windows Server 2008 SP1

These additional steps only apply when recovering a Windows Server 2008 SP1 device with more than 4 drives that have been replicated by an Axcient appliance running AxOS 6.5.1.

Download the KB955430 Package

When protecting a device with the Windows Server 2008 SP1 operating system, you must confirm that the 955430 package has been installed on the target device before performing the recovery. Please refer to the Microsoft KB955430 article for more information and to download the package.

Without the 955430 package, WS2008 will be unable to install GPLPV drivers due to Windows not trusting the certificates used to sign drivers. This means that you will not be able to deploy a cloud failover VM for the device if it has more than 4 drives.

Run Script to Correctly Apply Drive Letters
  1. With the VM powered on and the GPLPV drivers installed, confirm that the GPLPV drivers have been successfully installed in the Programs and Features window.

  2. When the GPLPV drivers have been successfully installed, run the following script, which is automatically copied over when deploying a Cloud Failover:

    %SYSTEMDRIVE%/Windows/System32/fixdisks.js

  3. Reboot the VM when the script has finished successfully. The Failover VM of the Windows Server 2008 SP1 is now ready to be used.

Failing Over a Device with 5+ Drives

When failing over a device with 5 drives or more in either a test or production environment, you might see an extra disk displayed in the Disk Management/Device Manager. This extra disk will not show up in the My Computer screen, and you will receive an Incorrect Function error when attempting to bring the disk online.

This extra disk will not affect the failover or any other recovery-related process associated with the failover VM.
