Dell PowerProtect Data Protection Software Owner's Manual



Dell EMC Integrated Data Protection Appliance

Installation and Upgrade Guide for DP4400

2.7.2

February 2023

Rev. 03

Notes, cautions, and warnings

NOTE: A NOTE indicates important information that helps you make better use of your product.

CAUTION: A CAUTION indicates either potential damage to hardware or loss of data and tells you how to avoid the problem.

WARNING: A WARNING indicates a potential for property damage, personal injury, or death.

© 2017 - 2023 Dell Inc. or its subsidiaries. All rights reserved. Dell, EMC, and other trademarks are trademarks of Dell Inc. or its subsidiaries.

Other trademarks may be trademarks of their respective owners.

Contents

Chapter 1: Introduction
    Document scope and audience
    Product naming conventions and terminology changes
    Product features
    Detailed configuration

Chapter 2: Install and Configure the Integrated Data Protection Appliance for DP4400
    Install the Integrated Data Protection Appliance Hardware
        Prerequisites
        Install the rails
        Secure the rails to the cabinet
        Install the system in the cabinet
        Install the bezel
        Connect the system to the network
        Connect the power cables and power on
        Configure IDPA with a Juniper switch
        Configure iDRAC
    Install the DP4400 Software
        Preinstallation requirements
        Separate management network requirements
        Install Network Validation Tool
        Firewall Ports
        Secure Remote Services (SRS)
        License activation
    Configure IDPA DP4400 Software
        Connect to the ACM
        Configure ACM with IP range
        Configure the ACM settings for single network
        Configure the ACM settings for separate management network
        Configure ACM without IP range
    Troubleshooting Installation Failures
        Retry installation
        Rollback installation
        Creating and downloading a log bundle
        First Security Officer user account
        Accessing Hypervisor Manager (Service)
        Troubleshooting Secure Remote Services
    Install the IDPA post-installation patch on DataProtection-ACM

Chapter 3: Upgrade the IDPA
    Supported upgrade paths
    Prerequisites
        Run the PowerProtect DP Rapid Upgrade ChecKer utility
        ACM
        Protection Software
        Cloud DR Service
    Upgrade the IDPA
    Upgrade the external VM Proxy
    Troubleshoot upgrade validation and upgrade failures
        Troubleshoot Upgrade Validation failures
        Troubleshoot Upgrade failures
        Possible errors with firmware upgrade
        Manual upgrade of IDPA Server Firmware

Chapter 4: Manage Data Protection Central post IDPA installation
    Perform a VM backup
        VM backups overview
        Define vCenter and VMware clients
        Deploy VM Proxy (Service)
        Create and run the backup policy
    Restoring a VM backup
        Restore a VM
        Restore using Instant Access
        Restore specific files
    Generating reports
        Generate a report

Chapter 5: Additional resources
    IDPA training resources

Chapter 6: Self-contained deployment (optional)
    Add IPs and hostname entries

Appendix A: Network ports
    Protection Software
        Utility node required inbound ports
        Storage node required inbound ports
        Protection Software client required inbound ports
        Protection Software Downloader Service host required inbound port
        Required ports when using a Protection Storage system
        NDMP accelerator node required inbound ports
        Remote management interface inbound ports
        Protection Software VMware Combined Proxy inbound ports
        Inbound ports for the Azure network security group
    Protection Storage
    Data Protection Central
    Search
    Reporting & Analytics
    Secure Remote Services
    Remote server management (iDRAC)
    Cloud DR

Index

Chapter 1: Introduction

This section contains the following topics.

Topics:

Document scope and audience

Product naming conventions and terminology changes

Product features

Detailed configuration

Document scope and audience

This document describes IDPA and explains how to install the hardware and perform the initial software configuration after the appliance hardware is set up.

The target audience for this document includes field personnel, partners, and customers responsible for managing and operating IDPA.

Product naming conventions and terminology changes

The following table describes the recent name and terminology changes to Integrated Data Protection Appliance, starting with version 2.7.

Table 1. Product naming conventions and terminology changes

| Existing Product/Component Name | New Name/Terminology |
|---|---|
| Virtual Machines | Services |
| ESXi | Hypervisor |
| vSphere | Hypervisor Platform |
| vCenter/vCSA (VM) | Hypervisor Manager |
| vCenter service daemon | Hypervisor Manager Service Daemon |
| vSAN | Storage Pool |
| ACM (VM) | Appliance Configuration Manager (Service) |
| dpatools | Infrastructure Management Service |
| PT-Agent | Node Event Service |
| Avamar (VM) | Protection Software (Service) |
| Avamar Proxy / vProxy (VM) | VM Proxy (Service) |
| DD / DDVE | Protection Storage |
| DPC (VM) | Data Protection Central (Service) |
| DPA | Reporting & Analytics |
| (DP)Search | Search |
| CDRA (VM) | Cloud DR (Service) |
| CDRS | Cloud DR Server |
| Integrated Dell Remote Access Controller (iDRAC) | iDRAC |
| iDRAC Service Module (iSM) / iSM service | iDRAC Service Module |

Product features

IDPA provides a simplified configuration and integration of data protection components in a consolidated solution.

Integrated solution

The IDPA is an integrated solution that offers complete Backup, Replication, Recovery, Deduplication, Instant Access and Restore, Search, Reporting & Analytics, cloud readiness with disaster recovery and long-term retention to the cloud, all in a single appliance. The appliance is available in various configurations based on your requirements and storage capacity.

● DP4400

● DP5800

● DP8300

● DP8800

The IDPA DP4400 model is a hyperconverged, 2U system that a user can install and configure onsite.

The DP4400 includes a virtual edition of Protection Software server (Protection Software (Service)) as the Protection Software node, a virtual edition of Protection Storage system (Protection Storage) as the Protection Storage node, Cloud DR, Data Protection Central for centralized system management, an Appliance Configuration Manager (ACM) for simplified configuration and upgrades, Search, Reporting & Analytics, and a compute node that hosts the virtual components and the software.

The DP4400 contains a Hypervisor server, which hosts all the virtual editions of the point products mentioned above.

NOTE: The Cloud DR node is available in the appliance based on the license that you have.

If your organization enables communication through the Internet, as part of the initial configuration of the system, you can register the IDPA Appliance, Protection Software, Protection Storage and components with Secure Remote Services (formerly ESRS). The Secure Remote Services is a secure, IP-based, distributed customer service support system that provides Dell EMC customers with command, control, and visibility of support-related activities.

Centralized management

The Data Protection Central provides advanced monitoring and management capabilities of the IDPA from a single pane of glass and includes the following features.

● A comprehensive dashboard that allows you to manage and includes information about Protection Software, Protection Storage, Search, and components.

○ Backup activities

○ Replication activities

○ Assets

○ Capacity

○ Health

○ Alerts

● Advanced search and recover operations through integration with Search.

● Comprehensive reporting capabilities

● Cloud backups.

Appliance administration

The ACM provides a web-based interface for configuring, monitoring, and upgrading the appliance.


The ACM dashboard displays a summary of the configuration of the individual components. It also enables the administrators to monitor the appliance, modify configuration details such as expanding the Protection Storage disk capacity, change the common password for the appliance, update customer information, and change the values in the General Settings panel. The General Settings panel on the ACM Dashboard allows you to change the LDAP settings, displays the time zones, NTP server status, external LDAP server status, status of FIPS, and so on. The ACM dashboard enables you to upgrade the system and its components. It also displays the health information of the Appliance Server and VMware components.

NOTE: IDPA does not support virtual NDMP (vNDMP).

Backup administration

The IDPA uses Protection Software (AVE) servers for the DP4xxx models to perform backup operations, with the data being stored in a Protection Storage system.

You can also add a Protection Software NDMP Accelerator (you must manually configure the NDMP Accelerator) to enable backup and recovery of NAS systems. For more information about the configuration details, see Configuration options for each model. The Protection Software NDMP Accelerator uses the network data management protocol (NDMP) to enable backup and recovery of network-attached storage (NAS) systems. The accelerator performs NDMP processing and then sends the data directly to the Protection Storage Server (Protection Storage Storage).

NOTE: IDPA does not support virtual NDMP (vNDMP).

Reporting and Analytics

The feature offers a robust reporting functionality with dedicated sections for various features. These reports help you retrieve information about the Protection Storage and Protection Software. Using these reports, you can identify outages in the environment, diagnose problems, plan to mitigate risks, and forecast future trends. You can also run system and customized reports, dashboard templates, and schedule the reports generation as per your requirements.

Search

The Search feature provides a powerful way to search backup data within the IDPA and then restore the backup data based on the results of the Search. Scheduled collection activities are used to gather and index the metadata (such as keyword, name, type, location, size, and backup server/client, or indexed content) of the backup, which is then stored within the IDPA.

Disaster recovery

Cloud DR is a solution that enables disaster recovery of one or more on-premise Services to the cloud. Cloud DR integrates with the existing on-premise backup software and a Protection Storage system to copy the service backups to the cloud. It can then run a disaster recovery test or a failover, which converts a VM to an Amazon Web Services Elastic Compute Cloud (EC2) or a Microsoft Azure instance, and then runs these instances in the cloud.

NOTE: Installing Cloud DR components, Search, and (based on ) is optional. Also, if these components are already configured in your environment, then the appliance can be configured to use the central implementation in your environment. You do not need to configure the optional components that are bundled in IDPA again.

NOTE: While configuring the network, if you select IPv6 network protocol, then Cloud DR and Search are disabled.

However, the dashboard does not display any data that is associated with external Cloud DR, Search, and . Moreover, you must manage and configure any such external instances. Also, IDPA does not support local Search and Analytics (not part of IDPA but are centrally implemented at the customer environment) when these functions are performed by external implementations.

Scalability

The IDPA models are designed to be scalable so that they can scale up with ever-changing needs. See the Expanding storage capacity section in the Dell EMC Integrated Data Protection Appliance Installation and Upgrade Guide for more information about how to add storage capacity.


● For the DP4400 model with a capacity from 8 TB to 24 TB, you can expand the storage capacity in multiples of 4 TB increments up to 24 TB. By adding the Disk Expansion Kit, you can also expand the capacity beyond 24 TB in 12 TB increments.

● For the DP4400 model with a capacity from 24 TB to 96 TB, you can expand the storage capacity in 12 TB increments, and you can expand the capacity up to a maximum of 96 TB.

The following table details the configuration for the IDPA models.

Table 2. Configuration for IDPA Model

| Model | Configuration Details |
|---|---|
| DP4400 | From 8 TB up to 24 TB |
| DP4400 | From 24 TB up to 96 TB |

Unified support

The same Customer Support team supports both the hardware and the software that is used in the appliance.

Detailed configuration

The IDPA is available in the following models:

Table 3. Configuration options for the DP4400 model

| Model | Protection Storage model | Protection Storage configuration options (usable TB) | Protection Software | Protection Software Accelerator Node for NDMP/NAS Backup (optional) |
|---|---|---|---|---|
| DP4400 | Protection Storage | 24, 36, 48, 60, 72, 84, or 96 TB | Protection Software (Service) 3 TB | NDMP Accelerator (1) |
| DP4400 | Protection Storage | 8, 12, 16, 20 or 24 TB | Protection Software (Service) 3 TB | NDMP Accelerator (1) |


Chapter 2: Install and Configure the Integrated Data Protection Appliance for DP4400

This section details how to install the IDPA for DP4400 hardware. It also explains how to perform the initial software configuration after the appliance hardware is set up.

Topics:

Install the Integrated Data Protection Appliance Hardware

Install the DP4400 Software

Configure IDPA DP4400 Software

Troubleshooting Installation Failures

Install the IDPA post-installation patch on DataProtection-ACM

Install the Integrated Data Protection Appliance Hardware

This section is designed for the personnel who install, configure, and maintain the Integrated Data Protection Appliance for DP4400, and as such you should be familiar with digital storage equipment and cabling.

Prerequisites

The following are the prerequisites to install the Integrated Data Protection Appliance hardware.

Prerequisites

Verify that you have the following components:

● 2U DP4400 system

● Rail kit, including:

○ Two sliding rails

○ Two velcro straps

○ Four screws

○ Four washers

● Two power cables

● Bezel

● Phillips-head screwdriver with magnetic tip (not provided)

● Anti-static wrist strap and conductive foam pad

Table 4. Qualified Ethernet cables

| Type of switch | NIC Type | Speed | Cable Required |
|---|---|---|---|
| 10 Gb SFP+ | SFP+ (optical) | 10 Gb | LC-to-LC with SR optical GBICs or twinax |
| 1 Gb or 10 Gb RJ45 | SFP+ with 1GbBASE-T GBIC | 1 Gb | UTP with RJ45 (Cat5e or Cat6) |
| 1 Gb or 10 Gb RJ45 | 10 GbBASE-T (RJ45) | 1 Gb or 10 Gb (depending on the switch) | UTP/STP with RJ45 (Cat6a or Cat7) |


Install the rails

About this task

The rails are labeled left and right, and cannot be interchanged. The front side of each rail is labeled Left Front or Right Front when viewed from the cabinet front.

Steps

1. Determine where to mount the system, and use masking tape or a felt-tip pen to mark the location at the front and back of the cabinet.

NOTE: Install the left rail assembly first.

2. Fully extend the rear sliding bracket of the rail.

3. Position the rail end piece labeled Left Front facing inward and orient the rear end piece to align with the holes on the rear cabinet flanges.

4. Push the rail straight toward the rear of the rack until the latch locks in place.

Figure 1. Installing the rear end of the rail

5. For the front end piece, rotate the latch outward and pull the rail forward until the pins slide into the flange, and release the latch to secure the rail in place.


Figure 2. Installing the front end of the rail

6. Repeat the preceding steps to install the right rail assembly.

Secure the rails to the cabinet

The supplied screws and washers are used to secure the rail assemblies to the front and rear of the cabinet.

About this task

NOTE: For square hole cabinets, install the supplied conical washer before installing the screw. For unthreaded round hole cabinets, install only the screw without the conical washer.

Steps

1. Align the screws with the designated U spaces on the front and rear rack flanges.

Ensure that the screw holes on the tab of the system retention bracket are seated on the designated U spaces.

2. Insert and tighten the two screws using the Phillips #2 screwdriver.

Figure 3. Installing screws


Install the system in the cabinet

In an angled drop-in design, inner (chassis) rails are attached to the sides of the system and then the system slides into the outer (cabinet) rails that are installed in the rack.

About this task

WARNING: The system is heavy. To avoid personal injury and/or damage to the equipment, do not attempt to install the system in a cabinet without a mechanical lift and/or help from another person.

Steps

1. Pull the inner rails out of the rack until they lock into place.

2. Release the inner rail lock by pulling forward on the white tabs and sliding the inner rail out of the intermediate rails.

Figure 4. Pull out the intermediate rail a. Intermediate rail b. Inner rail

3. Attach the inner rails to the sides of the system by aligning the J-slots on the rail with the standoffs on the system and sliding forward on the system until they lock into place.

Figure 5. Attach the inner rails to the system

4. With the intermediate rails extended, install the system into the extended rails.


Figure 6. Install system into the extended rails

5. Pull the blue slide release lock tabs forward on both the rails, and slide the system into the rack.

Figure 7. Slide system into the rack

Install the bezel

Steps

1. Align and insert the right end of the bezel onto the system.

2. Press the release button and fit the left end of the bezel onto the system.

3. Lock the bezel by using the key.


Figure 8. Installing the front bezel

Connect the system to the network

The following figure shows the location of the DP4400 network ports and iDRAC port.

About this task

Figure 9. DP4400 network and iDRAC connections

Steps

1. Use a Cat5e or Cat6 UTP copper Ethernet cable to connect a 1 GbE port (10) to the service computer.

2. If the DP4400 contains 10 Gb SFP network cards, use fiber cables with a 10 Gb optical SFP to connect the four required 10 GbE ports (2, 3, 8, 9) to access ports on the switch in your network.

3. If the DP4400 contains 10 Gb BASE-T network cards, use Cat6a UTP or Cat7 copper cables to connect the four required 10 GbE ports (2, 3, 8, 9) to access ports on the switch in your network.

4. Use a Cat5e or Cat6 copper Ethernet cable to connect the iDRAC port (1) in the lower left of the system chassis to the network.


DP4400 ports

About this task

Table 5. DP4400 port types

| Callout number | Port type |
|---|---|
| 1 | iDRAC |
| 2 | 10 GbE (required) |
| 3 | 10 GbE (required) |
| 4 | 10 GbE (unused) |
| 5 | 10 GbE (unused) |
| 6 | 10 GbE (unused) |
| 7 | 10 GbE (unused) |
| 8 | 10 GbE (required) |
| 9 | 10 GbE (required) |
| 10 | 1 GbE |
| 11 | 1 GbE (unused) |

NOTE: Ports 2 and 9 are a vSwitch0 network team. Ports 3 and 8 are a vSwitch1 network team and are used during appliance configuration.

NOTE: Ensure that the four required 10 GbE ports (2, 3, 8, and 9) are connected to the access ports on the switch in your network.

NOTE: For more information about Separate Management Network prerequisites and procedure, see Separate management network requirements.

NOTE: Switch MTU should be 1528 or higher for IDPA DP4400. Jumbo frames are not supported. IDPA DP4400 sometimes may fail with the following error message:

Adding back-end storage. Exception occurred while executing Avamar integration task.

Failed to add Data Domain as Avamar back-end storage.

To resolve this problem, you must either remove the MTU or increase it to 1518 or higher.

See KB Article 539946 for detailed information on this.

Connect the power cables and power on

This topic describes how to connect the power cables and power on the system.

About this task

NOTE: Use an uninterruptible power supply (UPS) to protect against data loss caused by unplanned power outages.

Steps

1. Connect the power supply units to the rack.

The system may not power on automatically after plugging in the AC power cords. The system identification button located on the rear of the chassis, on the lower left-hand side illuminates blue when power is on.

2. If the system does not power on automatically after connecting the power cables, press the power button on the right control panel at the front of the chassis to power on the system.


Configure IDPA with a Juniper switch

About this task

The following sections in this chapter describe configuration tasks for an IDPA deployment using a Dell switch. If your IDPA deployment uses a Juniper switch with Hypervisor hosts running a 10G X710 NIC card, you must perform the following configuration tasks.

Steps

1. Disable the Data Center Bridging Capability Exchange (DCBX) protocol on the Juniper switch port.

For more information, see KB article 000057774.

2. Install the i40e driver, uninstall the i40en driver, and then reboot Hypervisor.

You can download the i40e driver from https://my.vmware.com/group/vmware/downloads/details?%20downloadGroup=DT-ESXI60-INTEL-l40E-207&productld=743.

For more information, see KB article 000042326.

Configure iDRAC

You must configure the Integrated Dell Remote Access Controller (iDRAC) for system upgrade and maintenance operations.

Additionally, IDPA supports the use of iDRAC to change security settings and enables you to remotely power the system on.

Prerequisites

Connect to the unit using a VGA monitor with a keyboard or a serial port, power on the appliance, and perform the following steps:

NOTE: Do not use iDRAC to change the storage configuration, system settings, or BIOS settings, as making changes to these will impact the system functionality. Contact Support if changes are required in any of these areas.

Steps

1. During the system boot process, press F2 to access the BIOS menu.

2. In the System Setup Main Menu page, click iDRAC Settings.

The iDRAC Settings page is displayed.

3. Click Network.

The Network page is displayed.

4. Under IPv4 Settings, specify static IP address details.

5. Press Esc to return to the previous menu.

6. Select User Configuration.

a. Enable the root user.

b. Change the root user password.

Note that the default password is Idpa_1234.

Install the DP4400 Software

The following topics provide detailed instructions on installing and configuring Integrated Data Protection Appliance DP4400 software.

Preinstallation requirements

Before installing the Integrated Data Protection Appliance DP4400 software, you must meet the following preinstallation requirements.

Cable connectivity

The following image shows the location of DP4400 network ports and iDRAC port.

Figure 10. DP4400 network and iDRAC connections

1. Ports 2 and 9 are for the vSwitch0 network team. Ports 3 and 8 are for the vSwitch1 network team and are used during appliance configuration.

2. Ensure that the four required 10 GbE ports (2, 3, 8, and 9) are connected to the access ports on the switch in your network.

NOTE: All ports on the switch should be in "Access mode or untagged" and the MTU must not be less than 1528 bytes. All switch ports should be active and should not be configured in LACP.

NOTE: If Cisco switch port security is enabled on the IDPA ports, then the IDPA deployment fails due to sporadic networking ping issues. A virtual machine fails to ping any other host on the physical network, or it cannot ping the gateway IP address due to the Cisco port security restriction. For a detailed explanation, see https://kb.vmware.com/s/article/1002811

IP address requirements

The tables below detail the IP addresses required by IDPA for various components.

Using a range is the preferred method as it simplifies the assignment and reduces the chance for errors while entering the IP addresses.

When you reserve the IP addresses, you must assign the IP addresses to a fully qualified domain name (FQDN) in the DNS server. The following is the supported format for an FQDN:

● Supported characters:

○ Upper or lower case letters (A-Z, a-z)

○ Numbers (0-9)

○ Hyphen ( - )

● Must not exceed the 255 character limit.

● Must not include any special characters, symbols, spaces, or punctuation other than a hyphen ( - ).

Labels are the strings in the FQDN which are separated by a period ( . ). Use a period only as a separator between labels. The following is the supported format for labels:

● Each label must start with a letter or number.

● Must not exceed the 63 character limit.

● Each label must have at least one letter.

● A label must not start or end with a hyphen ( - ).
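The FQDN and label rules above can be checked on a list of planned hostnames before they are registered in DNS or typed into the ACM wizard. The following Python validator is an added example, not part of the Dell guide or the appliance software; the function names, the sample hostnames and the requirement of at least two labels are assumptions of this example.

```python
import string

MAX_FQDN_LENGTH = 255    # FQDN: "Must not exceed the 255 character limit."
MAX_LABEL_LENGTH = 63    # Label: "Must not exceed the 63 character limit."
LETTERS = set(string.ascii_letters)
ALLOWED = LETTERS | set(string.digits) | {"-"}


def fqdn_problems(fqdn):
    """Return the list of rule violations for fqdn; an empty list means it passes."""
    problems = []
    if len(fqdn) > MAX_FQDN_LENGTH:
        problems.append(f"FQDN is {len(fqdn)} characters, limit is {MAX_FQDN_LENGTH}")
    labels = fqdn.split(".")
    # Assumption of this example (not stated in the guide): a fully qualified
    # name carries a host label and at least one domain label.
    if len(labels) < 2:
        problems.append("not fully qualified: expected a host label and a domain")
    for position, label in enumerate(labels, start=1):
        if not label:
            # A leading, trailing or doubled period is not a separator between labels.
            problems.append(f"label {position} is empty (stray period)")
            continue
        where = f"label {position} ({label!r})"
        if len(label) > MAX_LABEL_LENGTH:
            problems.append(f"{where} is {len(label)} characters, limit is {MAX_LABEL_LENGTH}")
        unsupported = sorted(set(label) - ALLOWED)
        if unsupported:
            problems.append(f"{where} contains unsupported characters: {' '.join(unsupported)}")
        # With only letters, digits and hyphens allowed, "must start with a
        # letter or number" is the same check as "must not start with a hyphen".
        if label[0] == "-" or label[-1] == "-":
            problems.append(f"{where} starts or ends with a hyphen")
        if not LETTERS & set(label):
            problems.append(f"{where} has no letter")
    return problems


def review(names):
    """Return {name: problems} for every name that breaks at least one rule."""
    failures = {}
    for name in names:
        found = fqdn_problems(name)
        if found:
            failures[name] = found
    return failures


if __name__ == "__main__":
    # Constructed sample names, not taken from the guide.
    sample = [
        "dp4400-acm.example.com",
        "dp4400_esx.example.com",
        "4400.example.com",
        "-proxy.example.com",
    ]
    for name, found in review(sample).items():
        print(name)
        for problem in found:
            print("   ", problem)
```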

When you configure the DNS server settings during appliance configuration, ensure that you configure the settings properly.

After you configure the hostname and domain name of the point products, you cannot modify the hostnames for the point products. However, you can modify the DNS server IP address on the point products after the appliance is configured.

Ensure that the new DNS server has the same hostname and domain names that are associated with the corresponding point product IP addresses. For more information about modifying the DNS server IP address, see KB Article 537628 .

Ensure that you have a valid NTP IP address that is reachable from the appliance.

NOTE: Ensure that the time difference between the NTP and Hypervisor server is not more than 10 minutes. If the time difference between the two servers is more than 10 minutes, then the appliance network configuration may fail.

If there is no valid IP address for DNS, NTP, and Gateway, the appliance can be configured using the ACM IP address. See Self Contained Deployment (optional) for more information.

When a range of IP addresses is used during the IDPA configuration, the IP addresses are assigned in a standard order. Once assigned, each IP should be registered in DNS with forward and reverse lookup entries.

A total of 13 IP addresses are needed for all components and one each for Hypervisor and ACM. The total number of IP addresses required varies with the optional components selected (shown in the table below). iDRAC also needs an IP address.

Table 6. IP address requirements

| Number of IP addresses required | Component | DNS entry required |
|---|---|---|
| 1 | Appliance Configuration Manager | Yes |
| 1 | IDPA Hypervisor | Yes |
| 1 | IDPA Hypervisor Manager | Yes |
| 1 | Protection storage (management) | Yes |
| 2 | Protection Storage (backup) | Yes |
| 1 | Protection Software | Yes |
| 1 | Protection Software internal proxy | Yes |
| 1 | Data Protection Central | Yes |
| 2 | Reporting and Analytics (optional) | Yes |
| 1 | Search (optional) | Yes |
| 1 | Cloud DR (optional) | No |

It is recommended to assign the range of IP addresses in the following sequence. The table also shows how these IPs will be allocated to different components when an IP range option is selected during deployment on the ACM wizard.

Table 7. IP address assignment for single network for the DP4400 model

| IP Range Allocation | Example | Component | Assigned Field |
|---|---|---|---|
| +0 | 192.0.2.1 | Hypervisor Manager (Service) | VMware Hypervisor Manager (Service) Server Service |
| +1 | 192.0.2.2 | Protection storage | Management IP |
| +2 | 192.0.2.3 | Protection storage | Backup IP 1 |
| +3 | 192.0.2.4 | Protection storage | Backup IP 2 |
| +4 | 192.0.2.5 | Protection Software | Server IP |
| +5 | 192.0.2.6 | Protection Software internal proxy | Protection Software Proxy Service |
| +6 | 192.0.2.7 | Data Protection Central | Data Protection Central VM |
| +7 | 192.0.2.8 | Reporting and Analytics (optional) | Application Server Host Service |
| +8 | 192.0.2.9 | Reporting and Analytics (optional) | Datastore Server Host Service |
| +9 | 192.0.2.10 | Search (optional) | Index Primary Node Host Service |
| +10 | 192.0.2.11 | Cloud DR (optional) | CDRA (optional) Add-on Virtual Appliance |
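The Table 7 assignments and the forward and reverse lookup requirement can be verified before deployment. The following Python example is added here and is not Dell's code or part of the ACM wizard: it derives the single-network assignments from a starting address, rejects a range that does not fit the subnet or that overlaps the appliance-internal 192.168.100.xxx addresses mentioned later in this guide, and checks each address that needs a DNS entry for matching reverse and forward records. The function names, the subnet-mask argument and the reading of the internal range as 192.168.100.0/24 are assumptions of this example.

```python
import ipaddress
import socket

# (offset, role, DNS entry required). Offsets and roles are from Table 7
# (all optional components selected); the DNS column is from Table 6, where
# only Cloud DR is listed as "No".
TABLE_7 = [
    (0, "Hypervisor Manager (Service)", True),
    (1, "Protection storage: Management IP", True),
    (2, "Protection storage: Backup IP 1", True),
    (3, "Protection storage: Backup IP 2", True),
    (4, "Protection Software: Server IP", True),
    (5, "Protection Software internal proxy", True),
    (6, "Data Protection Central", True),
    (7, "Reporting and Analytics: Application Server", True),
    (8, "Reporting and Analytics: Datastore Server", True),
    (9, "Search: Index Primary Node", True),
    (10, "Cloud DR: CDRA", False),
]

# The guide reserves 192.168.100.xxx for internal components; treating that
# as 192.168.100.0/24 is an assumption of this example.
INTERNAL_NET = ipaddress.ip_network("192.168.100.0/24")


def allocate(first_ip, netmask, table=TABLE_7):
    """Map each role to first_ip + offset; raise ValueError if the range cannot be used."""
    base = ipaddress.ip_address(first_ip)
    subnet = ipaddress.ip_network(f"{first_ip}/{netmask}", strict=False)
    if subnet.overlaps(INTERNAL_NET):
        raise ValueError(f"{subnet} overlaps the appliance-internal network {INTERNAL_NET}")
    plan = []
    for offset, role, needs_dns in table:
        ip = base + offset
        if ip not in subnet or ip in (subnet.network_address, subnet.broadcast_address):
            raise ValueError(f"{role}: {ip} is not a usable host address in {subnet}")
        plan.append((role, ip, needs_dns))
    return plan


def system_reverse(ip):
    """Reverse (PTR) lookup through the system resolver."""
    return socket.gethostbyaddr(str(ip))[0]


def system_forward(name):
    """Forward lookup through the system resolver; returns the set of addresses."""
    return {info[4][0] for info in socket.getaddrinfo(name, None)}


def dns_problems(plan, reverse=system_reverse, forward=system_forward):
    """Report planned addresses whose reverse and forward DNS entries are missing or disagree."""
    problems = []
    for role, ip, needs_dns in plan:
        if not needs_dns:
            continue
        try:
            name = reverse(ip)
        except OSError:
            problems.append(f"{role}: no reverse lookup entry for {ip}")
            continue
        try:
            resolved = {ipaddress.ip_address(a) for a in forward(name)}
        except OSError:
            problems.append(f"{role}: {name} has no forward lookup entry")
            continue
        if ip not in resolved:
            found = ", ".join(sorted(str(a) for a in resolved))
            problems.append(f"{role}: {name} resolves to {found}, not {ip}")
    return problems


if __name__ == "__main__":
    # 192.0.2.1 is the example start address from Table 7; the mask is constructed.
    for role, ip, needs_dns in allocate("192.0.2.1", "255.255.255.0"):
        print(f"{ip}\t{role}\tDNS entry required: {needs_dns}")
```

On a host that uses the site DNS servers, `dns_problems(allocate(first_ip, netmask))` runs the lookups through the system resolver; the `reverse` and `forward` parameters accept substitutes for offline checks.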

Separate management network requirements

You can configure a separate management network on IDPA during the appliance installation.

Data and control flow

In IDPA, Protection Software stores only the metadata information about the backup, and actual backup data is stored on Protection Storage. In a separate management network, the Protection Software remains on the management network and Protection Storage is configured with both management and backup IPs.

Figure 11. Data and control flow

1. User initiates the backup request from Protection Software UI.

2. Protection Software initiates communication with client over management network.

3. Client receives the Protection Storage details for backing up the data, and starts the data backup through the backup network.

NOTE: The management (or corporate network) as well as the backup network should be accessible from client.

IP address requirement for separate management network

The tables below detail the IP addresses required by Integrated Data Protection Appliance for various components.

About this task

Using a range is the preferred method as it simplifies the assignment and reduces the chance for errors while entering the IP addresses.

When a range of IP addresses is used during the Integrated Data Protection Appliance configuration, the IP addresses are assigned in a standard order. Once assigned, each IP should be registered in DNS with forward and reverse lookup entries.

A total of 14 IPs are needed for all components and one each for Hypervisor and ACM. The total number of IP addresses required varies with the optional components selected (shown in the table below). iDRAC also needs an IP address.

The following tables detail the total IP address requirements.

Table 8. Management network IP address requirements for the DP4400

| Number of IP addresses required | Component | DNS entry required |
|---|---|---|
| 1 | Appliance Configuration Manager | Yes |
| 1 | IDPA Hypervisor | Yes |
| 1 | IDPA Hypervisor Manager | Yes |
| 1 | Protection Storage (management) | Yes |
| 1 | Protection Software (backup) | Yes |
| 1 | Protection Software internal proxy | Yes |
| 1 | Data Protection Central | Yes |
| 2 | Reporting & Analytics (optional) | Yes |
| 1 | Search (optional) | Yes |
| 1 | Cloud DR (optional) | Yes |

Table 9. Backup network IP address requirements for the DP4400

| Number of IP addresses required | Component | DNS entry required |
|---|---|---|
| 2 | Protection Storage | No |
| 1 | Protection Software internal proxy | No |

It is recommended to assign a range of IP addresses that are in sequence. The table below shows how these IP addresses will be allocated when the IP range option is selected during deployment.

Table 10. Management IP range allocation

| Management IP Range Allocation | Component | Assigned Field |
|---|---|---|
| +0 | Hypervisor Manager (Service) | VMware Hypervisor Manager (Service) Server Service |
| +1 | Protection storage | Management IP |
| +2 | Protection Software | Server IP |
| +3 | Protection Software internal proxy | Protection Storage Service |
| +4 | Data Protection Central | Data Protection Central Service |
| +5 | Reporting & Analytics (optional) | Application Server Host Service |
| +6 | Reporting & Analytics (optional) | Datastore Server Host Service |
| +7 | Search (optional) | Index Primary Node Host Service |
| +8 | Cloud DR (optional) | CDRA (optional) Add-on Virtual Appliance |

See the table below for backup IP address range assignments with a dedicated backup network.

Table 11. Backup IP Address range assignments with Dedicated Backup Network

| Backup IP Range Allocation | Component | Assigned Field |
|---|---|---|
| +0 | Protection Storage | Backup IP 1 |
| +1 | Protection Storage | Backup IP 2 |
| +2 | Protection Software internal proxy | Protection Software Service |

Install Network Validation Tool

The Network Validation Tool (NVT) for IDPA runs multiple automated tests to validate the network configuration. You must run the NVT for IDPA from a system on the management network.

Before you install IDPA, network configuration must be completed for the data center. After completing all network configurations required for IDPA installation, install and run the Network Validation Tool to validate the network requirements for a successful deployment of IDPA in the data center. To download the NVT, and for more information about NVT, see https://central.dell.com/solutions/NVT-PP.

Firewall Ports

For the IDPA to function properly, the firewall ports need to be open. For more information, see the appendix section.

Secure Remote Services (SRS)

If your organization enables communication through the Internet, as part of the initial configuration of the system, you can register the IDPA, Protection Software, Protection Storage and Reporting and Analytics components with Secure Remote Services. The Secure Remote Services is a secure, IP-based, distributed, customer service support system that provides Dell EMC customers with command, control, and visibility of support-related activities.

It is strongly recommended to complete the Secure Remote Services registration process. To prepare the IDPA environment for Secure Remote Services registration, add the customer site IDs to the SRS gateway and confirm the site ID is visible through the ServiceLink.

Your SRS Server must be version v3.20.00.08 or higher and accessible to the IDPA. The DataProtection-ACM can be configured with SRS during the installation process or can be configured later from the ACM dashboard. The SRS gateway hostname must be registered in the DNS and both forward and reverse lookup must work.

Complete information about SRS is available at the Online Support site. The SRS registration is done by the Customer Service (CS) during deployment or by the Solution Architect (SA).

It is recommended to complete the SRS registration process, which enables you to have the following advantages:

● Dell EMC delivers product event reports such as error alerts, thus greatly increasing the availability of your information infrastructure.

● Dell EMC provides rapid remote services either through automated recognition and notification or through interpretation and response when a support event occurs, eliminating the need for on-site support visits.

● Provides increased protection of your information.

● Reduced risk.

● Improved time-to-repair.

If the customer opts not to deploy the SRS, the Project Manager (PM) must log in to http://gcsdocs.corp.emc.com and complete the details in the opt-out form.

Online Support

To create an Online Support account, go to https://www.dell.com/support. Your username and password are required for Secure Remote Services configuration.

Site ID

A Site ID is created in Support systems for each location within your organization where Dell EMC products are installed. Your Site ID is required during initial configuration. To verify your Site ID number on Online Support, perform the following steps:

1. Log in to Online Support with your credentials.

2. Hover over your username and select Manage Company Information.

3. Click View Sites.

NOTE: You can also search for a site and add it to the My Sites list. If a site ID is not available or the correct site ID is not listed, you must notify your local field representative to request one.

License activation

You need a license to use IDPA. To use all the features of IDPA you need to activate the license that you have received. To activate the licenses you need to be connected to a network with an internet connection for In-product activation or you must have received the License Activation Code (LAC) letter through email during the fulfillment process to manually activate the licenses. The LAC letter includes the license authorization code that is associated with your order, instructions for downloading software binaries, and instructions for activating the entitlements online through Dell EMC Software Licensing Central.

The IDPA licenses are automatically downloaded. If you are at a dark site or have any network restrictions, and the licenses are not automatically downloaded, then you must manually activate the license. See Manual Activation for more details.

In-product activation

The In-product license activation is a feature where the ACM automatically downloads the licenses for Protection Storage, Backup Server, and Reporting and Analytics point products from the ELMS server.

Ensure that the appliance is connected to a network to automatically download the licenses. After the licenses are successfully downloaded, the License tab on the IDPA Configuration page is not displayed. If the licenses are not downloaded successfully during network configuration, the License tab is displayed on the Integrated Data Protection Appliance Configuration page with a Check online for licenses button. You can click Check online for licenses to download the licenses from the ELMS server.

NOTE: In-product license activation is not supported in the following cases:

● On an IPv6-enabled network

● When ACM is being used as DNS

NOTE: If the system is unable to download the licenses automatically from the ELMS server, an error message is displayed, and you must manually activate the licenses. For more information about how to manually activate the licenses, see Manual Activation.

Manual activation

The manual license activation feature enables you to upload and activate the licenses that you have downloaded from the ELMS server.

About this task

To manually activate the licenses, download the license files for Protection Storage, Protection Software, and Reporting & Analytics from the Dell EMC Software Licensing Central.

The contact person mentioned on your sales order should have received the License Authorization Code (LAC) letter through an email during the order fulfillment process. This LAC letter includes the license authorization code associated with your order, instructions for downloading software binaries, and instructions for activating the entitlements online through Dell EMC Software Licensing Central.

Perform the following steps to manually activate the licenses of the software products tied to the PowerProtect Data Protection Appliance:

Steps

1. Get the LAC letter from the contact person mentioned in your sales order. Contact Dell Support if they have not received the letter.

2. Click the link to the Software Licensing website in the LAC letter.

3. Select the following and click START THE ACTIVATION PROCESS:

● Protection Software

● Protection Storage

● Data Protection Central

● Reporting & Analytics

● Search

● Cloud DR

● ACM

● Hypervisor Manager

● Hypervisor and server firmware

4. Review and confirm the products you wish to activate, and the email addresses to which you want to send the licenses.

NOTE: You can add a locally available email address to get the license keys directly.

5. Click Activate.

6. Click Save to File or View License Key to save the license key.

7. Submit the license files in the License page when configuring the appliance.

Configure IDPA DP4400 Software

The following topics describe how to configure IDPA DP4400 Software.

Connect to the ACM

Connect to the ACM user interface and begin the configuration process. For a seamless experience, enable both private and public network connections to your service computer.

Prerequisites

● After powering on the appliance, wait 5 minutes for startup to finish.

● Verify that the service computer is connected to the 1 GbE port identified as (10) in DP4400 network and iDRAC connections.

● On the service computer, record the IP address settings for the Ethernet interface that is connected to the DP4400.

NOTE: IDPA uses the 192.168.100.xxx IP addresses for the internal components. Ensure that the 192.168.100 network is not used in your environment. If the network addresses are in use, contact Customer Support for assistance.

Figure 12. DP4400 network and iDRAC connections

Steps

1. On the service computer, assign the static IP address 192.168.100.98 and the subnet mask 255.255.255.224 for the Ethernet interface that is connected to the DP4400.

A default gateway is not required.

2. Verify that the ACM responds to a ping on the default ACM IP address, 192.168.100.100.

3. To connect to the ACM user interface, type https://192.168.100.100:8543/ in a browser window.

4. Log in to the ACM with the default system account username and password:

● User Name: root

● Password: Idpa_1234

Configure ACM with IP range

After a successful login, the Change Appliance Password screen is displayed.

Steps

1. Log in to the ACM with the default system account username and password.

2. The Change Appliance Password page is displayed.

The Change Appliance Password page consists of Update Appliance Password.

● Update Appliance Password

This password will be assigned to all components of the appliance. It must contain 9–20 characters and include at least one of each type of supported character.

The following types of characters are supported:

○ Uppercase letters ( A – Z )

○ Lowercase letters ( a – z )

○ Numbers ( 0 – 9 )

○ Special characters: period ( . ), hyphen ( - ), and underscore ( _ ).

The password must not include common names or usernames such as root or admin. Also, the password must not start with a hyphen ( - ) and end with a period ( . ).

3. Once you successfully change the passwords, the system logs you out. You must log in again with your new credentials.

4. On the End User License Agreement screen, accept the EULA.

The Network Configuration screen is displayed.

After accepting the EULA, configure the initial network connectivity to the DP4400 appliance. The IDPA supports both IPv4 and IPv6-enabled networks. Network configuration wizard will configure public network for the and the Hypervisor Server.

Configure the ACM settings for single network

Depending on the type of the network you have selected (IPv4 or IPv6), provide the following information to configure ACM for single network.

Steps

● IPv4 network

Subnet mask: IP address mask that identifies the range of IP addresses in the subnet where the appliance is connected.

● IPv6 network

Prefix Length: IP address length that identifies the range of IP addresses where the appliance is connected.

| Field | Description |
|---|---|
| IP Address | This is the IP address to assign to the ACM. This is the first IP address of the 13 IP addresses that are reserved for the ACM. |
| IP Address/Hostname | This is the IP address to assign to the Hypervisor Server. This is the second IP address of the 13 IP addresses that are reserved for Hypervisor. |
| Gateway IP address | The default gateway IP address of the appliance. |
| Domain name | The domain name for your network environment. |
| NTP server IP Address/Hostname | The NTP server IP address for your network environment. |
| Primary DNS server IP address | The primary DNS server for your network environment. |
| Secondary DNS server IP address | The secondary DNS server for your network environment. |

NOTE: If the network configuration fails due to a reverse or forward lookup failure, then verify if the provided DNS server is operational. If the issue persists, then use another DNS server or use ACM as the DNS server and click Retry.

Configure the ACM settings for separate management network

If you want to configure the ACM settings for separate management and backup network, perform the following steps.

Steps

1. Click the Separate Management Network check box.

2. Provide the following information to configure the Management network settings:

| Field | Description |
|---|---|
| Appliance Configuration Manager IP Address/Hostname | The IP address to assign to the ACM. This is the first IP address of the 14 IPs that is reserved for the ACM. |
| ESXi IP Address/Hostname | The IP address to assign to the Hypervisor server. This is the second IP address of the 14 IPs that is reserved for Hypervisor. |
| Subnet mask | The IP address mask that identifies the range of IP addresses in the subnet where the appliance is connected. |
| Gateway IP address | The default gateway IP address of the appliance. |
| Domain name | The domain name for your network environment. |
| NTP server IP Address/Hostname | The NTP server IP address for your network environment. |
| Primary DNS server IP address | The primary DNS server for your network environment. |
| Secondary DNS server IP address | The secondary DNS server for your network environment. |

3. Click Yes to continue.

If the network configuration fails, you can click Retry to revert all the settings. You must review the settings, make any changes if required, and then configure the network settings again.

NOTE: If the network configuration fails due to a reverse or forward lookup failure, then verify if the provided DNS server is operational. If the issue persists, then use another DNS server or use ACM as the DNS server and click Retry.

After you configure the basic networking infrastructure, your web browser automatically redirects to the ACM IP address assigned during the network configuration.

For automatic forwarding to work correctly, the system that you use to complete the configuration must be connected to the same network as the configured ACM IP address.

If you cannot have connections to both public and private networks simultaneously, disconnect from the private appliance configuration network and then connect to the network that the ACM IP address is on, to complete the rest of the configuration.

Once the network configuration is complete, revert the network adapter IP address settings on the service computer to their previous state.

4. Log in to the ACM using the public IP address.

The SRS page appears.

5. On the Dell EMC Secure Remote Services configuration for Integrated Data Protection Appliance, perform the following steps:

a. Specify the SRS Gateway IP address.

b. Specify the online support credentials in the Username and Password fields.

c. Click Configure.

If the SRS configuration fails, you will get an error message. Refer to the SRS Troubleshooting section to resolve the issue and configure again.

It is strongly recommended that skip the SRS configuration and configure it from the ACM dashboard later.

6. The Integrated Data Protection Appliance configuration page appears. On the Integrated Data Protection Appliance configuration page, perform the following steps.

NOTE: Ensure that you click the prerequisites link available on the Welcome page and read them before you continue.

a. On the Welcome page, select the optional components that you want to install in the configuration and click Next.

NOTE: If you have selected IPv6 as your network, then the optional components such as Search and CDR are not available to install as they do not support IPv6-enabled networks.

7. If you are connected to the network with an Internet connection, the system automatically downloads the licenses for Protection Storage, Protection Software, and Reporting and Analytics point products.

In-product activation is not supported on an IPv6-enabled network or a dark site appliance. If you are not connected to the network or the licenses are not downloaded from the ELMS Server, click Browse to locate and upload the license files manually. The system validates the license files with the following checks:

● The maximum storage capacity for the appliance cannot be more than 24 TB (appliance with 8 TB to 24 TB capacity) and 96 TB (appliance with capacity of 24 TB to 96 TB) based on the appliance you have. Depending on the appliance you have, you can upgrade the storage capacity from 8 TB to 24 TB in increments of 4 TB or 24 TB to 96 TB in increments of 12 TB.

● The license file should not have the hash ( # ) character.

● The license must be in multiples of 4 TB.

8. Click Next.

The General settings page is displayed.

9. On the General settings page, perform the following actions:

● Verify the number in the Serial Number field, which is the Locking ID mentioned in the Dell EMC software license activation notification email.

● Select the Time zone from the list.

● Select and enter the IP address in the IP address range (11) field. The system automatically assigns 11 IP addresses in sequential order, starting from the IP address that you specify, to configure the other components of the appliance. For example, if you specify 10.200.1.10, the system automatically generates a range of IP addresses from 10.200.1.10 to 20.

NOTE: If any of the optional components such as Reporting & Analytics, Search, and CDR is not selected on the Welcome page, then the IP address range will be reduced here.

● If you have configured separate management network, specify the IP addresses in the IP address range (9) and IP address range (3) fields in the Management network settings and Backup network settings sections respectively.

NOTE: If any of the optional components such as Reporting & Analytics, Search, and CDR is not selected on the Welcome page, then the IP address range will be reduced here.

● Click Validate.

The system validates the availability of the IP addresses and allocates them to the IDPA components. To view the list of IP addresses allocated to the individual components, hover on the green check mark.

NOTE: If you do not select the IP address range checkbox, you must manually configure and specify the IP addresses for each component. See Single Network Configuration without IP range for more info.

10. Click Next.

The Customer Information Settings page is displayed.

11. On the Customer information settings page, perform the following actions:

a. On the Customer information section, enter information in the mandatory fields.

● Enter the name of the company in the Company name field.

● Enter the name of the administrator in the Admin contact name field.

● Enter the contact number of the administrator in the Admin contact number field.

● Enter the location in the Location field.

● Enter the site ID in the Site ID field.

NOTE: If you select the Email notification checkbox, the Email Configuration section is displayed.

b. In the Email Configuration section, enter information in the mandatory fields.

NOTE: If you select the Email notification check box, the Email Configuration section is displayed.

● Enter the SMTP server IP address in the SMTP server field.

● Enter the port number in the Port field.

NOTE: The Port field is auto populated and is the default SMTP port.

● Enter the email address of the administrator in the Administrator email field.

● Click Test Email to send a test email to the administrator's email address.

12. Click Next.

13. In the Summary page, review the information that you entered and click Submit to start the configuration.

14. Click the Submit button. A confirmation message is displayed.

15. Click Yes to continue to configure the Appliance.

Configure ACM without IP range

Configuring the ACM without IP range consists of two parts, namely Single Network Configuration without IP Range and Separate Network Configuration without IP Range.

Single network configuration without IP range

The following procedure details configuring the ACM without IP range.

Steps

1. On the Network Configuration page, ensure that you do not select the Separate Management Network checkbox.

2. On the General Settings page, ensure that you do not select the IP address range checkbox in the Network section.

3. Click Next .

The Customer Information page is displayed.

4. Provide all the required inputs on the Customer Information page.

5. Click Next .

The Hypervisor Manager (Service) Configuration page is displayed.

6. On the Hypervisor Manager (Service) Configuration page, specify a unique IP address in the IP address field to configure the internal Hypervisor Manager (Service). The associated hostname will be automatically populated on the right-hand side.

7. Click Next .

The Protection Storage Configuration page is displayed.

8. On the Protection Storage Configuration page, specify unique IP addresses under the Protection Storage and Data Network sections for the following fields:

● Management Network IP address.

● Backup IP address 1.

● Backup IP address 2.

9. Click Next .

The Backup Server Configuration page is displayed.

10. On the Backup Server Configuration page, specify a unique IP address under the Backup node and Image Proxy section for the following fields.

● Backup Node IP.

● Image Proxy IP address.

11. Click Next .

The DPC page is displayed.

12. On the DPC page, specify a unique IP address in the Management Network IP field.

13. Click Next .

14. If you selected any optional component such as Reporting and Analytics, Search, or Cloud DR on the Welcome page, specify a unique IP address for the optional component.

15. Click Next and go to the Summary page.

16. Review the information that you specified, and click Submit to start the configuration.

17. On the Configuration progress page, you can download the following when Integrated Data Protection Appliance is configured successfully:

● Solution ID.

● Configuration.

● Configuration XML file.

18. Click Finish . The First Security Officer User Update confirmation message is displayed.

19. Click OK .

The Secure Remote Services configuration for Protection Software, Protection Storage Operating System, and Reporting and Analytics pages are displayed. If you want, you can skip the Secure Remote Services configuration as you have an option to configure Secure Remote Services from the ACM dashboard.

20. The Integrated Data Protection Appliance is installed and deployed.

You are prompted to log in to the DPC in a new browser window. The default username for the DPC is Idpauser. If the login takes longer than expected, refresh the browser and log in to the ACM Dashboard.

Separate network configuration without IP range

The following procedure details configuring separate network without IP range.

Steps

1. On the Network Configuration page, ensure that you select the Separate Management Network checkbox.

2. On the General Settings page, ensure that you do not select the IP address range checkbox in the Network section.

3. Click Next .

The Customer Information page is displayed.

4. Provide all the required inputs on the Customer Information page.

5. Click Next .

The Hypervisor Manager (Service) Configuration page is displayed.

6. On the Hypervisor Manager (Service) Configuration page, specify a unique IP address in the IP address field to configure the internal Hypervisor Manager (Service). The associated hostname will be automatically populated on the right-hand side.

7. Click Next .

The Protection Storage Configuration page is displayed.

8. On the Protection Storage Configuration page, specify unique IP addresses under the Protection Storage and Data Network sections for the following fields:

● Management Network IP address.

● Backup IP address 1.

● Backup IP address 2.

9. Click Next .

10. The Backup Server Configuration page is displayed. In the Backup Server Configuration page, specify a unique IP address under the Backup Node and the Image Proxy section for the following fields:

● Backup Node IP

● Image Proxy IP address

● Backup Proxy IP address

11. Click Next .

The DPC page is displayed.

12. On the DPC page, specify a unique IP address in the Management Network IP field.

13. Click Next .

14. If you selected any optional component such as Reporting and Analytics, Search, or Cloud DR on the Welcome page, specify a unique IP address under the Management Network IP field for the optional component.

15. Click Next and go to the Summary page.

16. Review the information that you specified, and click Submit to start the configuration.

17. On the Configuration progress page, you can download the following when Integrated Data Protection Appliance is configured successfully:

● Solution ID.

● Configuration.

● Configuration XML file.

18. Click Finish .

The Secure Remote Services configuration for Protection Software, Protection Storage Operating System, and Reporting and Analytics pages are displayed. If you want, you can skip the Secure Remote Services configuration as you have an option to configure Secure Remote Services from the ACM dashboard.

19. The Integrated Data Protection Appliance is installed and deployed.

You are prompted to log in to the DPC in a new browser window. The default username for the DPC is Idpauser. If the login takes longer than expected, refresh the browser and log in to the ACM using the URL https://<ACM_IPAddress>:8543/dataprotection and the common credentials.

Troubleshooting Installation Failures

This section contains basic troubleshooting information to help resolve the possible issues.

Retry installation

If the installation fails, you can continue from the point where the installation failed.

About this task

During the appliance deployment, if any of the critical components fail to install you can retry the installation of the component from the point where the installation failed. To retry the installation, perform the following actions.

Steps

1. Click Retry on the Configuration progress page.

If the Retry operation is done after 5 days of configuration failure, the warning message "Note that the user can retry without destroying file system" is displayed.

The Retry Configuration dialog box is displayed.

NOTE: The ACM reverts the changes that are made to the component that failed during installation and resumes the appliance configuration.

2. Click Yes to continue the installation.

The Configuration progress page is displayed. The installation continues from the point where the installation failed.

NOTE: If the ACM is rebooting or the ACM web service is restarting during IDPA deployment, the Retry option is not available and you can only roll back the installation.

Rollback installation

If the installation fails and the Retry functionality does not resolve the issue, you can roll back the installation and then follow the wizard to set up and deploy the Integrated Data Protection Appliance. The Rollback feature reverts the changes that are made to the appliance configuration. You can review the settings and start the appliance installation and configuration again.

Prerequisites

Ensure that you click Download log bundle to download the logs before you start the Rollback .

About this task

To Rollback the appliance configuration, perform the following actions.

Steps

1. Click Rollback on the Configuration progress page.

The Rollback Configuration page is displayed.

NOTE: The ACM reverts the changes that are made to the appliance configuration.

If the Retry operation is done after 5 days of configuration failure, the warning message "Note that without destroying the filesystem on Protection Storage, next configuration can be submitted" is displayed.

2. Click Yes to continue the installation.

The Configuration progress page is displayed. The system reverts all the changes that are made to the appliance.

NOTE: You can see the details of the Rollback progress of all the components on the Configuration progress page.

Results

After the Rollback is successful, the Configuration Welcome page is displayed. Configure the appliance from the Configuration Welcome page.

Creating and downloading a log bundle

You can create and download a log bundle that can be analyzed or sent to customer support.

Steps

1. In the ACM dashboard, click the log bundle icon in the upper right and select Create log bundle .

2. On the Create log bundle dialog, select the components you want included in the log bundle and click OK .

3. When the log bundle is created, reselect the log bundle icon and select Download log bundle.

4. Specify the download location and click OK .

First Security Officer user account

After you click the Finish button to complete the appliance installation, the First Security Officer User Update pop-up window is displayed.

It is recommended to create the Protection Storage Security Officer user account for compliance and security requirements.

See section Create first Security Officer user in Integrated Data Protection Appliance Product Guide and create a Security Officer user account on the system.

Accessing Hypervisor Manager (Service)

If you need to log in to Hypervisor Manager (Service) to troubleshoot an issue encountered during installation, use the user idpauser@localos and the common password for the Integrated Data Protection Appliance. This user account has limited privileges but has access to information that can help identify and address problems.

Troubleshooting Secure Remote Services

For the DP4400 model, the Appliance Serial ID is always auto populated on the Secure Remote Services configuration page.

About this task

After the appliance and component product serial numbers are verified, continue to register the appliance and the components with Secure Remote Services, by performing the following steps:

Steps

1. Configure Secure Remote Services through the ACM for the Appliance, Protection Storage, Protection Software and Reporting and Analytics either during the fresh install through the ACM wizard or from the ACM Dashboard.

2. Enter customer Secure Remote Services Gateway IP.

3. Enter the Online Support credentials (username and password).

In case you encounter any issues, refer to the following table for some common issues and the associated resolution.

Table 12. Common Issues and Resolution while troubleshooting Secure Remote Services

Issue: Authentication failure

Resolution: Verify the credentials

Point of Contact: Security Team

Issue: Authorization errors if the user account address is not assigned to the Site ID:

● Unauthorized user

● Error occurred while communicating to DRM Service

Resolution: Open an IT incident in SNOW to request assistance on these Secure Remote Services registration errors.

Issue: Device mismatch

● Serial number may not be associated with the correct Site ID

● Serial number may not be added in Secure Remote Services Device Extract

Issue: Appliance, Protection Storage, Protection Software, Reporting and Analytics registration failure.

Resolution:

● Verify that the Site ID is added in the Secure Remote Services Gateway.

● Verify the SWID from license activation notification email.

● Verify and request for Serial Number (SWID), Site ID (Ship to Party/Reg ID from SO), and SWID part number (item number).

● Devices may be registered under a different Site ID. Verify from the Device Extract page and update the Site IDs in the customer Secure Remote Services Gateway accordingly.

● If the ACM server.log file has an entry for the error that occurred while communicating with the DRM Service, restart the services on the customer Secure Remote Services Gateway Server.

● If the ACM server.log file has an entry with the error message "Failed to register device: SSL peer certificate or SSH remote key was not OK", ensure that the exact gateway hostname used during gateway deployment is used in this command also.

Point of Contact:

● Secure Remote Services Support.

● Secure Remote Services Support or chat with Licensing Team.

Re-registering the Secure Remote Services and updating the Appliance Serial Number

The following are some of the cases where re-registration of the Appliance Serial Number is required:

Case 1: Incorrect Appliance Serial Number is registered with Secure Remote Services

Case 2: A dummy serial number was set on the appliance during the installation, but not registered with Secure Remote Services

High-level steps to resolve Case 1 and Case 2

1. Get the correct Appliance Serial Number for re-registration.

2. Unregister the Appliance if it is already registered with the Secure Remote Services.

3. Set the correct Appliance Serial Number on the Appliance.

4. Register or re-register the Appliance with the Secure Remote Services once again.

Files that are required to be edited to re-register the Appliance

● esrsconfigstatus.xml - This file contains the status of the Secure Remote Services registration configuration for the Protection Storage, Protection Software, Reporting and Analytics and the Appliance components. This file is read to check the status of the Secure Remote Services registration when a request to configure Secure Remote Services is received.

● selskuconfig.xml - This file contains the Serial ID for the appliance. This file is read when the request to configure the Secure Remote Services for the appliance is received.

○ If you encounter the serial number mismatch in the selskuconfig.xml file, then contact Licensing Escalation Team through chat.

● solutionId.xml - This file also contains the Appliance Serial Number.

Performing high-level tasks

1. Get the correct Appliance Serial Number for re-registration.

For Case 1, contact Support.

For Case 2, the correct Appliance Serial Number can be obtained from the sales order.

2. Unregister the Appliance if it is already registered with Secure Remote Services.

a. Log in to the customer Secure Remote Services Gateway.

b. Click the Device tab and click Manage Device.

c. Select the checkbox for the model with the corresponding incorrect Appliance Serial Number that you want to unregister.

d. Click the Remove button.

3. Contact the Secure Remote Services Support to approve the Pending Delete status of the device on the Secure Remote Services ServiceLink Server (https://servicelink.emc.com).

4. Set the correct Appliance Serial Number on the appliance.

a. Connect to the ACM using SSH.

b. Open the /usr/local/dataprotection/var/configmgr/server_data/config/esrsconfigstatus.xml file.

c. Remove the product tag from the esrsconfigstatus.xml file. An example of the esrsconfigstatus.xml file has been provided below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EsrsConfigStatus>
    <isAcmRegistered>true</isAcmRegistered>
    <isComponentRegistered>false</isComponentRegistered>
    <isDdRegistered>false</isDdRegistered>
    <isDpaRegistetred>false</isDpaRegistetred>
    <product>
        <productName>ACM</productName>
        <ipAddress>10.241.180.37</ipAddress>
        <serialNumber>DPAPPLIANCEDEV09-ACM</serialNumber>
        <deviceKey>uKsnjbSc7zjmrK5G4Wpe4xszfGkYPNc0EOTqKQTpnK9A0QrGj8DPTOFV6a7Ejc7m1Zb1KnzIC
qXzrdUaR1kTAEsp58ZU+6jXEjy+zMYI3e2FJ1TKPdtbrhC0O8pZbwJ60mCTUMr4Q9T9Lo0DHGDQM0kgGw6uC
57Ab/ULG8ougWqJpKVEZtNtYqntEequSnt53qtXAkLuUtk3g1WP</deviceKey>
    </product>
</EsrsConfigStatus>

d. Change the value of the isAcmRegistered parameter to false if it is true. An example of the isAcmRegistered parameter has been provided below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<EsrsConfigStatus>
    <isAcmRegistered>true</isAcmRegistered>
    <isComponentRegistered>false</isComponentRegistered>
    <isDdRegistered>false</isDdRegistered>
    <isDpaRegistetred>false</isDpaRegistetred>
</EsrsConfigStatus>

e. Open the /usr/local/dataprotection/var/configmgr/server_data/skuconfig/selskuconfig.xml file. An example has been provided below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<VCEDPA>
    <Model Name="Integrated Data Protection Appliance" Version="4400S">
        <SerialID>IDP00180200001</SerialID>
        <singleNetworkIpCount>10</singleNetworkIpCount>
        <MultipleNetworkIpCount>
            <managementNetworkIpCount>0</managementNetworkIpCount>
            <backupNetworkIpCount>0</backupNetworkIpCount>
...

f. Update the SerialID parameter with the new ACM Serial Number. An example has been provided below.

<SerialID>IDP00180200001</SerialID>

g. Open the /usr/local/dataprotection/var/configmgr/server_data/config/solutionId.xml file. An example has been provided below.

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<SolutionIdentifier>
    <solutionName>Integrated Data Protection Appliance</solutionName>
    <solutionSerialNumber>IDP00180200001</solutionSerialNumber>
    <components>
...

h. Update the solutionSerialNumber parameter with the new Appliance Serial Number. An example has been provided below.

<solutionSerialNumber>IDP00180200001</solutionSerialNumber>

i. Run the rm command to delete the following files.

/usr/local/dataprotection/var/configmgr/server_data/config/DataProtectionConfiguration.pdf

/usr/local/dataprotection/var/configmgr/server_data/config/DataProtectionConfiguration.xml

j. Use the Refresh button on the ACM Dashboard to reflect these changes.

5. Re-register the Appliance with Secure Remote Services. You can now re-register the Appliance from the ACM Dashboard.

Once Secure Remote Services registration is done successfully, Support staff and the users get notifications related to critical and fatal events or errors on the Appliance through the Connectivity Lifecycle Management (https://clm.isus.emc.com/clmdashboard/dashboard/index.jsp).
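The file edits in steps 4c to 4i above, as an added Python example that is not part of the Dell guide: it removes the product tag, resets isAcmRegistered, sets the new serial number in both files, deletes the two generated configuration files, and keeps a .bak copy of each XML file before writing. The function names, the fs_root parameter (the ACM filesystem root or a copy of it), the sample file contents and the serial number IDP00000000000 are constructed for illustration; the paths and element names are the ones shown in the procedure.

```python
import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Paths from steps 4b, 4e, 4g and 4i, relative to the ACM filesystem root or a copy of it.
CONFIG_DIR = Path("usr/local/dataprotection/var/configmgr/server_data/config")
ESRS_STATUS = CONFIG_DIR / "esrsconfigstatus.xml"
SOLUTION_ID = CONFIG_DIR / "solutionId.xml"
SEL_SKU = CONFIG_DIR.parent / "skuconfig" / "selskuconfig.xml"
GENERATED = ("DataProtectionConfiguration.pdf", "DataProtectionConfiguration.xml")
# XML declaration exactly as shown in the page's sample files.
XML_DECL = '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>\n'


def _save(root_elem, path):
    """Keep a .bak copy of the untouched file, then write the edited document."""
    backup = path.with_name(path.name + ".bak")
    if not backup.exists():  # a rerun must not overwrite the pristine backup
        shutil.copy2(path, backup)
    body = ET.tostring(root_elem, encoding="unicode")
    path.write_text(XML_DECL + body + "\n", encoding="utf-8")


def reset_esrs_status(path):
    """Steps 4c-4d: remove each <product> element, set isAcmRegistered to false."""
    root_elem = ET.parse(path).getroot()
    products = root_elem.findall("product")
    for product in products:
        root_elem.remove(product)
    flag = root_elem.find("isAcmRegistered")
    if flag is None:
        raise ValueError(f"{path}: no <isAcmRegistered> element")
    flag.text = "false"
    _save(root_elem, path)
    return len(products)


def set_serial(path, tag, new_serial):
    """Steps 4f and 4h: replace the text of the single <tag>; return the old value."""
    root_elem = ET.parse(path).getroot()
    matches = list(root_elem.iter(tag))
    if len(matches) != 1:
        raise ValueError(f"{path}: expected one <{tag}>, found {len(matches)}")
    old = matches[0].text
    matches[0].text = new_serial
    _save(root_elem, path)
    return old


def apply_reregistration_edits(fs_root, new_serial):
    """Apply steps 4c-4i under fs_root and return a record of what changed."""
    if not new_serial or any(ch.isspace() for ch in new_serial):
        raise ValueError("serial number must be non-empty and contain no whitespace")
    fs_root = Path(fs_root)
    for rel in (ESRS_STATUS, SEL_SKU, SOLUTION_ID):  # fail before editing anything
        if not (fs_root / rel).is_file():
            raise FileNotFoundError(str(fs_root / rel))
    report = {
        "products_removed": reset_esrs_status(fs_root / ESRS_STATUS),
        "old_SerialID": set_serial(fs_root / SEL_SKU, "SerialID", new_serial),
        "old_solutionSerialNumber": set_serial(
            fs_root / SOLUTION_ID, "solutionSerialNumber", new_serial),
        "deleted": [],
    }
    for name in GENERATED:  # step 4i
        target = fs_root / CONFIG_DIR / name
        if target.exists():
            target.unlink()
            report["deleted"].append(name)
    return report


def build_sample_tree(fs_root):
    """Constructed sample files modelled on the page's excerpts, elided parts closed."""
    fs_root = Path(fs_root)
    samples = {
        ESRS_STATUS: "<EsrsConfigStatus><isAcmRegistered>true</isAcmRegistered>"
                     "<product><productName>ACM</productName>"
                     "<deviceKey>CONSTRUCTED-PLACEHOLDER</deviceKey></product>"
                     "</EsrsConfigStatus>",
        SEL_SKU: "<VCEDPA><Model Version='4400S'><SerialID>IDP00180200001</SerialID>"
                 "</Model></VCEDPA>",
        SOLUTION_ID: "<SolutionIdentifier><solutionSerialNumber>IDP00180200001"
                     "</solutionSerialNumber><components/></SolutionIdentifier>",
    }
    for rel, body in samples.items():
        (fs_root / rel).parent.mkdir(parents=True, exist_ok=True)
        (fs_root / rel).write_text(XML_DECL + body + "\n", encoding="utf-8")
    for name in GENERATED:
        (fs_root / CONFIG_DIR / name).write_text("constructed placeholder\n")
    return fs_root


if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        print(apply_reregistration_edits(build_sample_tree(tmp), "IDP00000000000"))
```

The returned record holds the previous serial values, which is worth keeping with the change ticket; the .bak files let you restore the original state if re-registration fails.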

Adding Site IDs to Secure Remote Services Gateway

Adding Site IDs to the Secure Remote Services Gateway is no longer required for Secure Remote Services Gateway version 3.34 and above.

For Secure Remote Services Gateway version 3.34 and above, your account address is assigned to the Site ID, so that you can use the specified user account address during Secure Remote Services registration, without having to add the Site ID in the Secure Remote Services Gateway.

Errors encountered if the user account address is not assigned to the Site ID are as follows:

● User un-authorized.

● Error occurred while communicating to DRM Service.

Open an IT incident in SNOW to request assistance on the above Secure Remote Services registration errors.

For users with Secure Remote Services Gateway version 3.34 and below, perform the following steps to connect and add Site IDs to the Secure Remote Services Gateway:

1. Connect to the customer Secure Remote Services Gateway by navigating to https://<srs_gateway_ip_address>:9443/.

2. Log in using your Secure Remote Services Gateway username and password.

If you encounter any of the following issues:

● Customer Secure Remote Services Gateway not reachable by IP and/or hostname - Customer environment network issue

Verify that the customer Secure Remote Services Gateway hostname is registered in the DNS forward and reverse lookup zones. Ensure ping and nslookup are successful and valid. The point of contact for this issue is Customer environment IT Team/Secure Remote Services Support.

● SRS Gateway connection denied - Incorrect credentials

Log in directly to the support portal to validate credentials. Wait for the SSO token rollover if you are using a token for authorization between login/registration attempts. The Point of Contact for this issue is the IDPA/SRS Support Team.

3. Click the Dashboard > Service Status tab and verify the status of the services running on the Secure Remote Services Gateway system.

4. Ensure network connectivity from the Secure Remote Services Gateway to all the required Dell EMC Servers by clicking Configuration > Network Check > Run Test.

Add SiteID to Secure Remote Services

Add site IDs to the Secure Remote Services gateway host.

Steps

1. From the Devices menu, select Manage Device .

The following figure shows the Secure Remote Services console and the Devices menu.

Figure 13. Secure Remote Services Devices menu

2. Click the Add SiteID button.

NOTE: Do not add the Site ID without customer’s permission.

Figure 14. Secure Remote Services Add SiteID window

3. In the Secure Remote Services Add SiteID window, type the Site ID , and then click OK .

If you encounter any issues, see below where common issues and their resolutions are documented.

● "The Site ID already exists, please enter another Site ID" or "The Site ID is invalid. Please contact your local EMC representative" or "The specified Site ID is not a valid site Number".

Verify if a valid Site ID is entered. You can find the Site ID in the (Ship to Party/Reg ID from SO). The Point of Contact for this issue is the Accounts Team.

Required Serial IDs for Integrated Data Protection Appliance, Protection Storage, Protection Software and Reporting and Analytics

The Serial ID that is required on the Secure Remote Services configuration window for the Appliance, Protection Storage, Protection Software and Reporting and Analytics components is referred to as follows:

● Activation Serial Number - In the Dell EMC software license activation notification email, under the Software IDs section, or the Locking ID that is listed at the beginning of the email.

● SWID or LOCKING_ID - In the component product license files.

1. Get the Activation Serial Numbers for the Appliance, Protection Storage, Protection Software and Reporting and Analytics components from the Software IDs section of the Dell EMC software license activation notification email.

The following table lists the input for the Serial ID field in the Secure Remote Services configuration window:

Table 13. Secure Remote Services Serial ID Fields

Component | Software ID / Serial Number

DP4400 model | Locking ID (auto-populated)

Protection Storage (DP4400 model) | Locking ID (auto-populated)

Protection Software/Protection Software | Software ID (auto-populated)

Reporting and Analytics | Software ID (auto-populated)

If you encounter issues, for example if the customer does not have the Dell EMC software license activation notification email readily available:

● Secure Remote Services registration can be performed later after the appliance is configured from the ACM Dashboard.

● The Software IDs (SWID) and Locking IDs for the Appliance, Protection Storage, Protection Software, and Reporting and Analytics components can be found in the corresponding component license files.

● The serial number for the Appliance (DP4400) can be found in the selskuconfig.xml file. More information about this file is provided later in this document.

● The Point of Contact for this issue is the Licensing Escalation Team.

Additionally, for Protection Storage, where the DP4400 models have an instance of Protection Storage instead of a physical Protection Storage, the Instance software-id is used for Secure Remote Services registration. An example is provided below:

# system show serialno detailed

Serial number: IDP00180200004

System software-id: ELMDDV0218XCG5

Instance software-id: ELMDDV04199S11

...

In the DP4400 model, for Protection Storage, the auto-populated Serial Number displayed in the Serial ID field is the same as the Locking_ID of the Appliance when configuring Secure Remote Services for Protection Storage.

However, the Instance ID obtained from the above command is what will be used for Secure Remote Services registration and can be verified from the Device Extract DB after the Secure Remote Services registration is successful.

Install the IDPA post-installation patch on DataProtection-ACM

Perform the following steps to install a postinstallation patch:

Prerequisites

NOTE: Failing to update the firmware before running the software upgrade workflow (installing the preinstallation or postinstallation patches) causes loss of capability of receiving hardware fault alerts on the ACM.

You must go through the readme file available along with this postinstallation patch to verify if there are any preinstallation tasks that you must perform before applying this postinstallation patch.

Steps

1. Identify the current version of your IDPA by running the following command:

# rpm -qa | grep dataprotection

2. Go to https://www.dell.com/support/home/en-in/product-support/product/integrated-data-protection-appliance/drivers to see if any postinstallation patches are available for your version of IDPA. If any postinstallation patch is available, download it to your local folder.

3. Extract the contents of the Idpa_post_update_N.N.N.nnnnnn.zip file.

This zip file contains the Idpa_post_update_N.N.N.nnnnnn.tar.gz patch and an associated ReadMe.txt file.

Where:

N.N.N is the latest postinstallation patch version.

nnnnnn is the build number.

4. Copy the Idpa_post_update_N.N.N.nnnnnn.tar.gz file to the /data01/upgrade location on the ACM.

NOTE: Ensure that only the postinstallation patch file exists in this folder and no other packages exist. If there are any other install files in this folder, you must delete them before installing the patch.

5. Ensure that you have the executable permission for the install package that you copied to the /data01/upgrade directory. If you do not have the executable permission, run the chmod 644 Idpa_post_update_<version.build number>.tar.gz command to obtain the permission.

6. Log in to the ACM and click the Upgrade tab.

The latest upgrade package file is automatically detected and is displayed in Upgrade Binary Location .

7. Click Extract .

The browser redirects to https://<acm_configured_public_ip>:9443 with a changed port number.

NOTE: The validation process takes approximately 15 minutes, and the ACM can time out while waiting. To resume the session, you must log in once again.

The system validates the following:

● VLAN status

○ Validates if it can connect to all 3 Hypervisor servers

○ Validates the number of Storage Pool clusters

○ Validates if the Storage Pool datastore is greater than 16.2 TB.

● Validates the connection to all components.

● Validates the license status.

● Validates if Protection Software services are running.

● Validates to ensure that no backup jobs are running on Protection Software.

● Validates if the DD capacity used is less than 85%.

● Protection Software checkpoint validation

● Storage Pool requirements:

○ Checks for inaccessible Storage Pool objects or virtual machines.

○ Checks if the Storage Pool cluster requires a disk data rebalance.

○ Checks if a component rebuilding task is in progress in the Storage Pool cluster.

○ Checks for sufficient disk space requirements (30%).

● Hypervisor upgrade prerequisites:

○ Requires valid connection points to all the required Hypervisor servers.

○ Requires that the applicable Hypervisor servers are in maintenance mode.

○ Requires that the Hypervisor Manager version is higher than the Hypervisor version. If there is a major upgrade to Hypervisor Manager, the private IP address of the Hypervisor Manager, 192.168.100.108, should not be in use.

NOTE: The private IP address of the Hypervisor Manager, 192.168.100.108, is only required temporarily during the upgrade process.

A table displays the current version, new version, and type (for example, major, patch) of each component for which an upgrade is available.

If the validation is not successful, check the errors that are displayed when you hover over the exclamation mark. Resolve all the errors and then click Extract .

8. Click Upgrade , type the ACM password, and click Authenticate .

9. To start the upgrade, click Yes .

The upgrade process starts.

NOTE: The upgrade process can take five to six hours, during which all activity on the IDPA must be quiesced. The system is not accessible during parts of the upgrade.

WARNING: While the upgrade process is running, do not shut down or reboot the ACM or restart the dataprotection_webapp service. If you have shut down or rebooted the ACM or restarted the dataprotection_webapp service while the upgrade process is still running, and you are unable to see the progress of the upgrade after the ACM is rebooted, contact a technical support professional.

The Upgrade Progress displays the following:

● The ACM upgrade progress bar with the progress percentage and description of the upgrade step in progress

● Individual component upgrade progress bar with progress percentage and description of the upgrade step in progress

10. After all the components are upgraded successfully and the overall IDPA upgrade progress bar shows 100%, click Finish .

11. Click OK on the Upgrade Finish window.

NOTE: After the upgrade is complete, Protection Software can still be in maintenance mode, in which case jobs cannot be run. After Protection Software comes out of maintenance mode, the jobs are run.

NOTE: After the upgrade is complete, acknowledge the notification "Event Connect EMC notification failed" on the Protection Software Administrator. This notification is generated during upgrade when the MC service is disconnected.

NOTE: After the upgrade is complete, Hypervisor Manager displays a warning about the potential vulnerability that is described in CVE-2018-3646. Integrated Data Protection Appliance uses the Hypervisor version which has the fix for this vulnerability; however, this fix is not enabled by default because it has a severe performance impact. See the Integrated Data Protection Appliance Security Configuration Guide for more information.

NOTE: If you have NDMP Accelerator nodes added to IDPA, you must manually upgrade the NDMP accelerator nodes. To upgrade NDMP accelerator nodes, see the Upgrading the accelerator software section in the Dell EMC Avamar NDMP Accelerator for Dell EMC NAS Systems User Guide.

The dashboard with all the products and their upgraded versions is displayed along with the newly configured ACM.

If the upgrade for any component fails, then the upgrade process is stopped until you troubleshoot and resolve the failure.

However, if there are any noncritical warnings, the upgrade process continues. These warnings must be resolved once the upgrade process is completed.
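A pre-check for the staging folder described in steps 3 to 5 of this procedure, as an added Python example that is not part of the Dell guide: it confirms that /data01/upgrade holds exactly one file named like Idpa_post_update_N.N.N.nnnnnn.tar.gz, that nothing else is in the folder, and that the file opens as a tar archive. The function name check_staging and the version and build values used to exercise it are constructed; it does not inspect or change file permissions.

```python
import re
import tarfile
from pathlib import Path

# File name pattern from step 3: Idpa_post_update_N.N.N.nnnnnn.tar.gz
PATCH_NAME = re.compile(r"^Idpa_post_update_(\d+\.\d+\.\d+)\.(\d+)\.tar\.gz$")


def check_staging(upgrade_dir="/data01/upgrade"):
    """Return (patch, problems); patch is (file name, version, build) or None."""
    directory = Path(upgrade_dir)
    if not directory.is_dir():
        return None, [f"{directory} does not exist or is not a directory"]
    problems, patches = [], []
    for entry in sorted(directory.iterdir()):
        match = PATCH_NAME.match(entry.name)
        # Only a regular file counts; a symlink or directory with a matching
        # name is reported like any other stray entry.
        if match and entry.is_file() and not entry.is_symlink():
            patches.append((entry, match.group(1), match.group(2)))
        else:
            # NOTE under step 4: only the patch file may exist in this folder.
            problems.append(f"unexpected entry: {entry.name}")
    if not patches:
        problems.append("no Idpa_post_update_N.N.N.nnnnnn.tar.gz file found")
        return None, problems
    if len(patches) > 1:
        names = ", ".join(p[0].name for p in patches)
        problems.append(f"more than one patch file: {names}")
        return None, problems
    path, version, build = patches[0]
    # A truncated or mislabelled download fails here instead of during Extract.
    if path.stat().st_size == 0 or not tarfile.is_tarfile(str(path)):
        problems.append(f"{path.name} is empty or not a readable tar archive")
    return (path.name, version, build), problems


if __name__ == "__main__":
    patch, problems = check_staging()
    print("patch:", patch)
    for line in problems:
        print("problem:", line)
```

An empty problems list means the folder matches what steps 4 and 5 require before you open the Upgrade tab.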

Chapter 3: Upgrade the IDPA

This chapter describes how to upgrade the Integrated Data Protection Appliance on the DP4400 model. The software, firmware, and infrastructure components are upgraded in the appliance upgrade.

The following components are upgraded:

● Protection Software

● Protection Storage

● Data Protection Central

● Reporting and Analytics (optional)

● Search (optional)

● Cloud DR (optional)

● ACM

● Hypervisor Manager

● Hypervisor and server firmware

The components are upgraded in the following sequence:

1. Protection Software, Protection Storage, Data Protection Central, Reporting and Analytics, Search, Cloud DR, and ACM.

2. Hypervisor Manager, Hypervisor and server firmware.

Contact Dell EMC Support to upgrade the NDMP nodes.

NOTE: Performing the infrastructure upgrade before the software upgrade is not supported.

Topics:

Supported upgrade paths

Prerequisites

Upgrade the IDPA

Upgrade the external VM Proxy

Troubleshoot upgrade validation and upgrade failures

Supported upgrade paths

The following table details the supported upgrade paths for Integrated Data Protection Appliance 2.7.2 on the DP4400 model.

NOTE: To verify if you are upgrading the appliance from a supported version, click the About icon on the top left corner of the ACM Dashboard.

Table 14. Supported upgrade paths

| Current version | Supported upgrade path |
| --- | --- |
| Integrated Data Protection Appliance version 2.2 | Upgrade to Integrated Data Protection Appliance version 2.5 and then to version 2.7.2 |
| Integrated Data Protection Appliance version 2.3 | Upgrade to Integrated Data Protection Appliance version 2.6 and then to version 2.7.2 |
| Integrated Data Protection Appliance version 2.4 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |
| Integrated Data Protection Appliance version 2.4.1 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |
| Integrated Data Protection Appliance version 2.5 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |
| Integrated Data Protection Appliance version 2.6 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |
| Integrated Data Protection Appliance version 2.6.1 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |
| Integrated Data Protection Appliance version 2.7 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |
| Integrated Data Protection Appliance version 2.7.1 | Upgrade to Integrated Data Protection Appliance version 2.7.2 |

Prerequisites

This section provides you information about the prerequisites that you need to complete before you begin the upgrade procedure.

Run the PowerProtect DP Rapid Upgrade ChecKer utility

The PowerProtect DP Rapid Upgrade ChecKer utility runs all the upgrade pre-checks on the appliance components. These pre-checks help you identify any errors which could result in an upgrade failure. Ensure that you perform the pre-checks before the appliance upgrade.

Prerequisites

Ensure that you download the latest PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar and the corresponding checksum PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar.sha256 files from Dell Support to the /data01 folder on the ACM VM.

About this task

Perform the following steps to run the PowerProtect DP Rapid Upgrade ChecKer utility.

Steps

1. Connect to the ACM with root credentials using SSH.

2. Change the directory to the /data01 folder.

3. Run the sha256sum -c PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar.sha256 command to verify the checksum of the downloaded file.

The output must be PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar: OK

4. Run the java -jar PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar command to run the PowerProtect DP Rapid Upgrade ChecKer utility.

Add the component name to perform the checks for a specific component. For example, you must run the following command to run the upgrade pre-check for just ACM: java -jar PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar ACM

The following details are displayed:

● The details of the appliance.

● The status of the pre-checks.

● A message describing the pre-checks.


● The resolution to fix the issues where the pre-checks have Failed or given a Warning status.

5. Fix any of the issues where the pre-checks have failed, by following the given resolution. If all the pre-checks have a Pass or a Warning status, proceed to the next prerequisites.

NOTE: It is recommended to understand why the pre-checks give a Warning status, and to then fix these issues before proceeding with the appliance upgrade.

Next steps

You can use the java -jar PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar help command to see all options in the utility.

See the /tmp/upgrade_precheck.log and /tmp/upgrade_precheck_status.txt files to check the logs and the status, respectively.


For more information on the PowerProtect DP Rapid Upgrade ChecKer utility, see KB article 000196100.

ACM

● Ensure that the upgrade binary idpa-hw-upgrade_<version>.tar.gz is downloaded from Dell EMC Support and copied to the /data01/upgrade folder in the ACM.

NOTE: The /data01/upgrade folder must not contain any other post or prepatch packages.

NOTE: If you are upgrading both the Software as well as the Infrastructure components, then you may delete the upgrade binary, which is approximately 50 GB, from the source location after the file is transferred to the ACM.

However, if you are upgrading only the software components (from version 2.4.x and 2.5), then you must retain the upgrade binary as you will have to copy the same file again to the ACM for the Infrastructure upgrade.

● Log in to the ACM Service IP using SSH, and then run the following command to validate the upgrade package using the SHA256 checksum process: sha256sum -c <*tar.gz.sha256 file name>

● Ensure that you have executable permission for the downloaded upgrade package. To get the executable permission, run the following command: chmod 644 idpa-hw-upgrade_<version>.tar.gz

● Back up any customized scripts made for the ACM and Reporting and Analytics before you proceed with the appliance upgrade. You may have to restore these scripts and add the new host keys once the appliance is upgraded to run the customized scripts.
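Both checksum steps above (the Rapid Upgrade ChecKer jar and the idpa-hw-upgrade package) can be gated with one helper that fails closed. This is an added example, not part of the Dell guide or its tooling: the names verify_artifact and run_if_verified are hypothetical, and it assumes the .sha256 file uses the standard sha256sum line format and that sha256sum is on the PATH.

```shell
#!/bin/sh
# Added example, not Dell tooling. verify_artifact and run_if_verified are
# hypothetical helper names.
#
# verify_artifact <artifact> <artifact.sha256>
# Exit status 0 only when the checksum file holds exactly one well-formed
# entry, that entry names <artifact>, and the SHA-256 digest matches.
#   1 = digest mismatch        2 = artifact or checksum file missing
#   3 = malformed or multi-entry checksum file
#   4 = checksum file is for a different file
verify_artifact() (
    artifact=$1
    sumfile=$2

    [ -f "$artifact" ] || { echo "missing artifact: $artifact" >&2; return 2; }
    [ -s "$sumfile" ] || { echo "missing or empty checksum file: $sumfile" >&2; return 2; }

    # Drop carriage returns (files that passed through Windows) and blank lines.
    entries=$(tr -d '\r' < "$sumfile" | grep -v '^[[:space:]]*$') || true
    count=$(printf '%s\n' "$entries" | grep -c .) || true

    # One entry only: 64 hex digits, a space, a mode character (space or '*'),
    # then the file name. Anything else is rejected rather than skipped.
    if [ "$count" -ne 1 ] ||
       ! printf '%s\n' "$entries" | grep -Eq '^[0-9a-fA-F]{64} [ *].+$'; then
        echo "checksum file must contain exactly one well-formed entry" >&2
        return 3
    fi

    expected=$(printf '%s\n' "$entries" | cut -c1-64 | tr 'A-F' 'a-f')
    listed=$(printf '%s\n' "$entries" | cut -c67-)
    listed=${listed##*/}
    name=${artifact##*/}

    # An "OK" for some other file says nothing about the file you will run.
    if [ "$listed" != "$name" ]; then
        echo "checksum entry is for '$listed', not '$name'" >&2
        return 4
    fi

    # Hash from stdin so the digest is always the first 64 characters.
    actual=$(sha256sum < "$artifact" | cut -c1-64)
    if [ "$actual" != "$expected" ]; then
        echo "$name: FAILED" >&2
        return 1
    fi
    echo "$name: OK"
)

# run_if_verified <artifact> <artifact.sha256> <command> [args...]
# Runs the command only after the artifact has passed verification.
run_if_verified() {
    verify_artifact "$1" "$2" || return
    shift 2
    "$@"
}

# Example (file names as in the steps above):
#   cd /data01
#   run_if_verified PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar \
#       PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar.sha256 \
#       java -jar PowerProtect-DP-Rapid-Upgrade-ChecKer-<version>.jar
```

A matching digest shows that the file arrived intact relative to the published checksum; it is only as trustworthy as the source the .sha256 file came from.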

Protection Software

● The Integrated Data Protection Appliance upgrade must be performed during the Protection Software maintenance window when no other maintenance activities or backup replication jobs are running.

● Ensure that the replication policies are disabled and that there are no replication jobs that are triggered from the source Protection Software Server while the upgrade is in progress, either on the source or on the destination Protection Software servers. See Stop Backup and Replication jobs if you are unable to cancel the replication or backup job.

Cloud DR Service

This section is applicable only if the Cloud DR Service deployed on the IDPA is configured with the Cloud DR Server. If it is not configured, then directly proceed with the appliance upgrade, as the Cloud DR Service is automatically upgraded to its 19.9 version with the appliance upgrade.

The following are the Cloud DR Service and Cloud DR Server requirements before upgrading the appliance:

● The Cloud DR Service must be manually upgraded to version 19.5.x or 19.6.x

● The Cloud DR Server must be manually upgraded to version 19.9

The versions of the Cloud DR Server and Cloud DR Service do not have to be identical, and you are not required to upgrade them simultaneously (unless otherwise instructed). When uploading an upgrade package, if the upgrade package version is not supported, you receive a notification.

When upgrading from Cloud DR Server/Cloud DR Service Version after 18.3, you can directly upgrade to a version that is four times later than the current version (for example, 18.3 > 19.3 > 19.5).

Sequence of manual Cloud DR Service or Cloud DR Server upgrade

The table below describes the upgrade paths and the sequence in which the Cloud DR Service and Cloud DR Server must be upgraded.

Table 15. Sequence of Cloud DR Service or Cloud DR Server upgrade

| Appliance version | Corresponding CDR version | Cloud DR Service and Cloud DR Server upgrade steps |
| --- | --- | --- |
| IDPA 2.4 | 18.3 | 1. Upgrade Cloud DR Service and Cloud DR Server from version 18.3 to 19.1. 2. Upgrade Cloud DR Service and Cloud DR Server from version 19.1 to 19.5. 3. Upgrade Cloud DR Server from version 19.5 to 19.9. |
| IDPA 2.4.1 | 19.1 | 1. Upgrade Cloud DR Service and Cloud DR Server from version 19.1 to 19.5. 2. Upgrade Cloud DR Server from version 19.5 to 19.9. |
| IDPA 2.5 | 19.2 | 1. Upgrade Cloud DR Service and Cloud DR Server from version 19.2 to 19.6. 2. Upgrade Cloud DR Server from version 19.6 to 19.9. |
| IDPA 2.6 | 19.5 | Upgrade Cloud DR Server from version 19.5 to 19.9. |
| IDPA 2.6.1 | 19.6 | Upgrade Cloud DR Server from version 19.6 to 19.9. |
| IDPA 2.7 | 19.8 | Upgrade Cloud DR Server from version 19.8 to 19.9. |
| IDPA 2.7.1 | 19.8 | Upgrade Cloud DR Server from version 19.8 to 19.9. |

Upload upgrade packages

About this task

Perform the following steps to download the upgrade packages and upload them from the Cloud DR Server system:

Steps

1. Download the Cloud Disaster Recovery Upgrade multi_package from the Dell EMC Support site.

2. From the Cloud DR Server System menu, select Upgrades.

3. To upload the upgrade package that you just downloaded, click Upload Package.

4. To replace the currently uploaded package with another Cloud DR Service package, click Upload Different Package.

NOTE: After you upload an upgrade package for Cloud DR Server, the Upgrade Cloud DR Server button is displayed.

NOTE: After uploading an upgrade package for the Cloud DR Service, a message indicates that the CDRA Upgrade is pending. If the upgrade package includes both Cloud DR Server and Cloud DR Service, then the Cloud DR Service upgrade starts after the Cloud DR Server has been upgraded. The Cloud DR restore ova package is upgraded as part of the Cloud DR Service upgrade process.

NOTE: Do not upgrade the Cloud DR Server while the rapid recovery process is running. If you upgrade the Cloud DR Server while the rapid recovery process is running, the process is not monitored after the upgrade and the machine image is lost.

For detailed information on how to upgrade Cloud DR Service/Cloud DR Server, see Upgrading the CDRS and CDRAs chapter in the Dell EMC Cloud Disaster Recovery Installation and Administration Guide, which can be obtained from the Dell EMC Support site.


Upgrade the Cloud DR Server

To upgrade the Cloud DR Server perform the following steps.

Prerequisites

Download the upgrade package (Cloud DR Server or Cloud DR Service, or both) from the Dell EMC Support site.

Ensure that there is no rapid recovery process running.

Steps

1. From the Cloud DR Server System menu option, select Upgrades.

NOTE: If a disaster recovery operation is in progress, the upgrade process is disabled.

2. Click Upgrade Cloud DR Server.

3. In the Cloud DR Server Upgrade dialog box, click Upgrade.

Expect a short downtime during the upgrade while the Cloud DR Server restarts. You cannot perform disaster recovery operations until the upgrade completes and you restart the browser.

4. Restart the browser and log in to the Cloud DR Server interface.

Results

After the Cloud DR Server upgrade is successful, it may take about 10 to 15 minutes for the changes to reflect in the Cloud DR Service UI. The time taken for the changes to reflect depends on network connection between the Cloud DR Service and Cloud DR Server. Wait for the Cloud DR Server upgrade to reflect in the Cloud DR Service UI, and then continue with the Cloud DR Service upgrade if required.

Upgrading the Cloud DR Service

To upgrade the Cloud DR Service perform the following steps.

Steps

1. From the Cloud DR System menu option, select Upgrades.

The Upgrades page displays and provides information about the current version and upgrade status of the Cloud DR Service.

2. If an upgrade package is available for the Cloud DR Service, click Upgrade Cloud DR Add-on.

The Cloud DR Service is upgraded to the new version. A short downtime may occur during the upgrade while the Cloud DR Service restarts. At the end of the upgrade process, the Cloud DR Service login page is displayed.

3. Restart the browser and log in to the Cloud DR Service interface.

Upgrade the IDPA

About this task

This section describes how to upgrade the appliance to its 2.7.2 version. Both the software and infrastructure components are upgraded in this upgrade process.

● Software Upgrade: Upgrades Protection Storage, Protection Software, Data Protection Central, Reporting & Analytics, Search, Cloud DR, and ACM.

● Infrastructure Upgrade: Upgrades Hypervisor Manager and Hypervisor, and the PowerEdge server firmware.

Steps

1. Log in to the ACM UI using https://<ACM_hostname>:8543.

It is recommended to use ACM hostname to connect to the ACM UI instead of using the IP address.


NOTE: Ensure that there are no errors or operations in progress in the ACM dashboard before moving to the next step.

If you are unable to connect to the ACM UI using the hostname, add the following entry in the hosts file: <ACM IP address> <ACM hostname>, and restart the browser.

● For Windows computers, the hosts file is located at C:\Windows\System32\drivers\etc\hosts

● For Linux computers, the hosts file is located at /etc/hosts

2. Verify that the tar.gz file is automatically populated in the Upgrade File Location field of the Upgrade tab.

If the tar.gz file is not automatically populated, then type the path in the Upgrade File Location field.

NOTE: Ensure that the upgrade tar.gz file name begins with idpa.

If the path or the file name is incorrect, then an error message is displayed.

3. Click Upgrade Readiness.

Once the upgrade readiness completes successfully, the upgrade End User License Agreement page is displayed.

NOTE: If the End User License Agreement page is not displayed, ensure that the port 9443 is open in your network firewall, and then access the upgrade UI from the following link: https://<ACM_FQDN_OR_IP_ADDRESS>:9443/dataprotection-upgrade

NOTE: If you had canceled the upgrade operation earlier, then the End User License Agreement page is not displayed as the End User License Agreement is already accepted. You will be directed to the page that provides upgrade options.

See Unable to Access ACM UI if you are not able to access the above URL.

4. Read the Dell EMC End User License Agreement and click Agree to continue with the upgrade validations.

If you click Disagree, and then Cancel, you will be directed back to the ACM dashboard.

5. Check the upgrade options, and then click Validate to perform validation checks on the components to be upgraded.

Software Upgrade and Infrastructure Upgrade are selected by default. Go with either the default Software Upgrade and Infrastructure Upgrade, or just Software Upgrade.

NOTE: If you unselect Infrastructure Upgrade , then you must upgrade the infrastructure components later. You will not be allowed to upgrade to future versions of IDPA without upgrading the corresponding infrastructure components.

It is recommended to only use this method if you can afford two comparatively shorter upgrade windows instead of one long upgrade window.

NOTE: When upgrading only the software components from versions IDPA 2.5 and older, the upgrade tar.gz bundle is not preserved in the ACM. When you perform the infrastructure components upgrade you will have to manually copy the upgrade tar bundle to the ACM /data01/upgrade folder again.

6. Wait for the validation checks to complete.

The software verifies the requirements for performing the upgrade based on the options selected in the Upgrade Validation page. See Troubleshoot Upgrade failures if you encounter any upgrade validation failures. See Possible Errors with firmware upgrade if you encounter any firmware related validation errors.

NOTE: If you selected the Infrastructure Upgrade option, the Current Version of the Server Firmware row may be displayed as N/A or Unknown.

N/A is displayed when the upgrade validation process is unable to retrieve the firmware block version, which may be an exception or may be due to a run time error. Unknown is displayed when the upgrade validation process is unable to identify the firmware block version from the retrieved information as the hardware components on the server node have different firmware versions from the known firmware block.

Proceed with the next step as this does not impact the upgrade process.

7. Click Upgrade, and then click Ok after all the validations are complete.

The Upgrade Progress page displays the details of the upgrade progress. This process may take a few hours to complete based on the upgrade options selected in the Upgrade Validation page. If the upgrade for any component fails, then the upgrade process is stopped until you troubleshoot and resolve the failure. See Troubleshoot Upgrade Validation failures if you encounter any upgrade failures. See Possible Errors with firmware upgrade if you encounter any firmware upgrade errors.


NOTE: The browser session may time out if the Upgrade Progress page is idle for some time. Refresh the browser and log in to the ACM again to reconnect to the Upgrade Progress page.

NOTE: If you click Cancel instead of Upgrade , then you are redirected to the ACM dashboard. When you proceed with upgrade process again, the End User License Agreement page is not displayed as the End User License Agreement is already accepted.

NOTE: During the upgrade, the upgrade workflow performs some operations on the individual components such as renaming or restarting the components, which generates alerts. You can ignore these alerts as they are part of the upgrade process workflow. However, if there are any critical hardware-related alerts, contact Dell EMC Technical Support personnel.

8. Optional: Click Download Logs to collect the logs after the upgrade process completes.

9. Click Finish, and then Ok to finish the upgrade operation.

Wait for the time displayed in the pop-up window, after which you are redirected to the ACM dashboard. Do not move to another screen when the timer is displayed in the pop-up window.

NOTE: If you close the pop-up window before the specified time, you have to open the ACM dashboard manually in the browser. However, the ACM dashboard may be inaccessible, or the status of some components may be displayed incorrectly, because the post-upgrade startup is still in progress. Wait for at least 45 minutes after you click Finish for the ACM and other appliance services to restart.

NOTE: If the appliance was upgraded from version 2.4.x or version 2.5, then it will take longer for the ACM dashboard to be displayed. During this time, do not attempt to delete or power on any of the ACM services (especially the ACM-old service).

The Hypervisor server restarts along with all the application services hosted on it. The DP4400 appliance takes between 5 to 45 minutes to start up depending on the upgrade paths.

10. Verify that all the components started up, and that there are no errors in ACM dashboard.

If you went with the default software and infrastructure upgrade in Step 6, then the appliance is successfully upgraded to its 2.7.2 version.

NOTE: If errors are displayed in the ACM dashboard, then close the existing browser window and open the ACM UI in a new browser window.

NOTE: The Firmware Version may be displayed as N/A or Unknown when you move your cursor next to Hardware Version in the ACM UI. For more information, see the note in step 6.

NOTE: If you enabled FIPS when upgrading the appliance IDPA, the Protection Software internal VM proxy will not be upgraded. During the upgrade, the Protection Software internal VM proxy is powered off because it does not meet FIPS compliance. After the upgrade, the Protection Software internal VM proxy will remain at 19.3 (not 19.4.x.x).

11. If you had unselected the Infrastructure Upgrade check box in step 6, then the ACM dashboard displays a notification that the infrastructure components upgrade is pending. Go to the Upgrade tab and repeat all the upgrade steps again to upgrade the infrastructure components.

NOTE: When upgrading only the software components from versions IDPA 2.5 and older, the upgrade tar.gz bundle is not preserved in the ACM. When you perform the infrastructure components upgrade you will have to manually copy the upgrade tar bundle to the ACM /data01/upgrade folder again.

NOTE: The upgrade tar.gz bundle is the same as the one used for the software upgrade.

Next steps

Run the PowerProtect DP Rapid Upgrade ChecKer utility again to ensure that the appliance and its components are in a healthy state.


Upgrade the external VM Proxy

Prerequisites

● Ensure that all required hotfixes are installed in Protection Software before you upgrade the internal and external proxies.

● Ensure that the Protection Software upgrade is completed.

● Ensure that there are no backups or restores in progress.

About this task

Perform the following steps to upgrade proxy using the Proxy Deployment Manager (PDM). The following steps are also listed in the KB article 20235.

If you are unable to deploy the proxy using the steps in KB article 20235, then see Upgrade the external VM Proxy manually.

NOTE:

● Upgrading proxy using PDM is possible only if the proxy was previously deployed using PDM.

● Non-standard proxy cannot be upgraded using PDM, for example, more than one NIC.

Steps

1. From a browser, connect to the Avamar administrator using the URL: https://hostname/aui

2. Select Proxy Management.

3. Under Config section, select vCenter from the drop-down list.

4. Click Create Recommendation.

The recommendation is created and the Proxy which needs to be upgraded is displayed with a thunderbolt. If the thunderbolt icon does not show up next to the proxy, then the proxy must be manually upgraded.

5. Click Apply.

6. In the Upgrade pending dialog box, click Continue.

7. Verify that the upgraded Proxy is deployed in the Hypervisor Manager, and backups using the newly deployed Proxy are successful.

8. Delete the old VM Proxy from the Hypervisor Manager Server UI.

These steps are also listed in the KB article 20235. If you are unable to deploy the proxy using the steps in KB article 20235, then see Upgrade the external VM Proxy manually.

Troubleshoot upgrade validation and upgrade failures

● See Troubleshoot Upgrade Validation failures for any issues encountered with validation checks performed during the upgrade process.

● See Troubleshoot Upgrade failures for any issues you encounter during the appliance upgrade.

NOTE: For any Storage Pool related upgrade validation failures, contact Dell Support.

Troubleshoot Upgrade Validation failures

This section describes some of the possible upgrade validation failures and their workaround.

Unable to access the ACM UI


About this task

If you are unable to access the ACM UI from https://<ACM_FQDN_OR_IP_ADDRESS>:9443/dataprotection-upgrade, then perform the following steps:


Steps

1. Stop the ACM tomcat service using the following command: service dataprotection_webapp stop

2. Stop the ACM upgrade tomcat service if it is running, using the following command: service dataprotection_webapp_upgrade stop

3. Check if the ACM tomcat service is running using the following command: service dataprotection_webapp status

4. Check if the appliance status is ESRS_AV_CONFIGURED in the applianceStatus.xml file using the following command: cat /usr/local/dataprotection/var/configmgr/server_data/status/applianceStatus.xml | grep applianceState

5. Copy the upgrade Tomcat logs from the /usr/local/dataprotection/upgrade-tomcat/logs/ folder using the following command: cp -R /usr/local/dataprotection/upgrade-tomcat/logs/ /data01/upgradetomcat-logs-backup/

6. Delete the upgrade-tomcat folder from the /usr/local/dataprotection/ folder using the following command: rm -rf /usr/local/dataprotection/upgrade-tomcat

7. Copy upgrade logs from /data01/tmp/patch/logs and then delete patch folder from path /data01/tmp/

8. Ensure that the port 9443 is open, and access the following URL: https://<ACM_FQDN_OR_IP_ADDRESS>:9443/dataprotection-upgrade. If you are unable to access the URL, then contact Dell Support.

Protection Storage

This section describes the possible solutions for Protection Storage upgrade validation failures. You must perform the steps given in this chapter using an SSH client, and connect to the Protection Storage with the sysadmin user account.

Perform the following to fix the possible upgrade validation failures:

● Check that the Protection Storage storage consumption is less than 99% by running the following command: filesys show space

If the storage consumption is above 99%, then contact Dell Support.

● Check the file system status by running the following command: filesys status

If the file system status is in a healthy state but busy, then wait for the task to complete and then retry the upgrade validation.

● Check if any clean up operations are in progress by running the following command: filesys clean status

Wait for the clean up task to complete, and then retry the upgrade validation.

● Check for any critical alerts using the following command: alerts show current

Fix the issues to clear the alerts, and then retry the upgrade validation.

Used capacity of the / partition on Search exceeds 55 percent

About this task

The upgrade validation may fail if the used capacity of the / partition on Search exceeds 55 percent.

Perform the following steps:

Steps

1. Using an SSH connection, with root credentials, connect to Search.

2. Verify the used space on Search by running the following command: df -h

3. Verify that the used space of the / partition is 55 percent and above.

4. Change the directory to the /var/log/ folder.

5. Delete all the files with the extension .xz. The following command provides an example: rm *.xz

6. Clear the large log files if required. For example, you can clear the messages files.

7. Verify that the used space of the / partition is below 55 percent.

8. If the used space of the / partition is still 55 percent or above, then follow the steps mentioned in the KB Article 000186645.

Used capacity of the partitions other than the / partition on Search exceeds 90 percent

About this task

The upgrade validation may fail if the used capacity of the partitions other than the / partition on Search exceeds 90 percent.

Perform the following steps:

Steps

1. Using an SSH connection, with root credentials, connect to the Search.

2. Verify the used space on Search by running the following command: df -h

3. Identify the partitions that are using 90 percent and above of the storage space.

4. For the partition mounted on /mnt/es_data, you can reduce the used space by deleting the indices from the Search Web UI.

5. For the partition mounted on /mnt/search , you can reduce the used space by deleting the older or unwanted log files.

6. Ensure the Search services are running.

● Verify the status of Search services.

○ service elasticsearch status

○ service search-cis-core status

● If the services are in a stopped state, then start the service.

○ service elasticsearch start

○ service search-cis-core start

● If the services fail to start, restart the Search VM, and then check the status of the services again.

○ reboot
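The two Search capacity checks above (55 percent for the / partition, 90 percent for every other partition) can be applied to df output in one pass. This is an added example, not part of the Dell guide: the function name search_partitions_over_limit is hypothetical, and it reads `df -P` output (the POSIX one-line-per-file-system format, not `df -h`) on standard input.

```shell
#!/bin/sh
# Added example, not Dell tooling; the function name is hypothetical.
#
# Reads `df -P` output on stdin and prints one line per partition at or above
# the limits from the two procedures above:
#   /            55 percent
#   other mounts 90 percent
# Exit status: 0 = everything within limits, 1 = at least one partition over,
# 2 = input not recognisable as df -P output (fail closed, never "all clear").
search_partitions_over_limit() {
    awk -v root_limit=55 -v other_limit=90 '
        # First line must be the df header.
        NR == 1 { if ($1 != "Filesystem") bad = 1; next }

        # Skip blank lines; anything else needs the six df -P columns.
        NF == 0 { next }
        NF < 6  { bad = 1; next }

        {
            # Columns: Filesystem 1024-blocks Used Available Capacity Mounted-on
            pct = $5
            if (pct == "-") next            # no capacity reported for this entry
            sub(/%$/, "", pct)
            if (pct !~ /^[0-9]+$/) { bad = 1; next }

            # A mount point may contain spaces: rebuild it from field 6 onward.
            mnt = $6
            for (i = 7; i <= NF; i++) mnt = mnt " " $i

            limit = (mnt == "/") ? root_limit : other_limit
            if (pct + 0 >= limit + 0) {
                printf "%s %d%% (limit %d%%)\n", mnt, pct, limit
                over = 1
            }
            seen++
        }

        END {
            if (bad || seen == 0) exit 2
            exit (over ? 1 : 0)
        }
    '
}

# On the Search VM:
#   df -P | search_partitions_over_limit
```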

Protection Software

This section describes the possible solutions for Protection Software (Service) upgrade validation failures. You must perform the steps given in this chapter on Protection Software using an SSH client.

Perform the following to fix the possible upgrade validation failures:

● Check if there is at least 38GB of free space in the /space directory on the Protection Software server by running the following command: df -h. If the free space in the directory is lower than 38GB, then delete unwanted files from the directory.

If the total size of the /space partition is less than 96GB, then see the KB Article 000190523 to obtain the utility and instructions for increasing the partition size in the Protection Software (service).

● Check if any policies are enabled. All policies must be disabled before an appliance upgrade.

● Check if a replication server is configured. The upgrade validations may fail if a replication server is configured.

Contact Dell Support to validate the configuration using the latest AV Proactive check and continue with the upgrade.

● Check if any Protection Software Backup clients and agents were manually upgraded before the Protection Software Server upgrade.

Contact Dell Support to validate the configuration using the latest AV Proactive check and continue with the upgrade.


Create a validated checkpoint

Prerequisites

● Check if you have a validated checkpoint which is not older than 24 hours with an HFScheck by running the following command: status.dpn

About this task

The upgrade validation may fail if you do not have a validated checkpoint on the Protection Software. The validated checkpoint must not be older than 24 hours, with a HFScheck which is not older than 36 hours. To create a new validated checkpoint perform the following steps:

Steps

1. Log in to the Protection Software Server using the admin user account.

2. Run the following command to create a checkpoint: mccli checkpoint create --override_maintenance_scheduler=true --wait=0

3. Run the following command to view the created checkpoint: cplist --lscp

4. Run the following command to validate the checkpoint: mccli checkpoint validate --cptag=CheckpointTagFromPreviousCommand --override_maintenance_scheduler=true --wait=0

Terminate hung sessions

About this task

The upgrade validation may fail if there are any hung sessions running on the proxy. To terminate these hung sessions, perform the following steps:

Steps

1. Log in to the Protection Software system as an Admin user, using PuTTY.

2. Run the following command to see the active sessions in the system: avmaint sessions | grep "path\|sessionid\|starttime"

● path: Displays the path for the client.

● sessionid: Displays the unique identifier of the session.

● starttime: Displays the UNIX time stamp of when the session began.

3. Translate the value from the starttime parameter to a readable format by running the following command: t.pl <starttime>

4. Compare the value with the backup scheduler to confirm if the session is running. If the session started several days ago and is not configured as overtime, then it may be a hung session.

5. Run the following command to remove the hung sessions: avmaint kill <sessionid>

6. After you have removed all of the hung sessions, run the following command to see the list of sessions running on the Protection Software server: avmaint sessions --full
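Steps 2 to 4 above can be narrowed to a list of candidate sessions before anything is removed. This is an added example, not part of the Dell guide: the function name stale_sessions is hypothetical, and the input format is an assumption (the filtered avmaint sessions output is taken to be key="value" attributes, with starttime in UNIX seconds). It refuses to pair attributes when a session record is incomplete, so a session ID is never matched with another session's start time.

```shell
#!/bin/sh
# Added example, not Dell tooling; the function name is hypothetical.
#
# stale_sessions <now_epoch> <max_age_days>
# Reads the output of
#     avmaint sessions | grep "path\|sessionid\|starttime"
# on stdin (ASSUMED format: key="value" attributes, starttime in UNIX seconds)
# and prints "<sessionid> <path> <age_in_days>" for every session older than
# <max_age_days>. These are candidates to compare with the backup schedule,
# not a kill list: a long-running session may be configured as overtime.
# Exit status 2 = attributes could not be grouped into complete sessions.
stale_sessions() {
    awk -v now="$1" -v max_days="$2" '
        function emit(    age) {
            age = now - rec["starttime"]
            if (age > max_days * 86400)
                printf "%s %s %d\n", rec["sessionid"], rec["path"], int(age / 86400)
            delete rec["path"]; delete rec["sessionid"]; delete rec["starttime"]
            have = 0
        }
        {
            # Leading space lets the pattern require whitespace before the key,
            # so an attribute whose name merely ends in "path" is not matched.
            line = " " $0
            while (match(line, /[ \t](path|sessionid|starttime)="[^"]*"/)) {
                tok  = substr(line, RSTART + 1, RLENGTH - 1)
                line = substr(line, RSTART + RLENGTH)

                key = tok; sub(/=.*/, "", key)
                val = tok; sub(/^[^"]*"/, "", val); sub(/"$/, "", val)

                # Same key twice before the record is complete: the records
                # cannot be grouped reliably, so stop instead of guessing.
                if (key in rec) { bad = 1; exit }
                if (key == "starttime" && val !~ /^[0-9]+$/) { bad = 1; exit }

                rec[key] = val
                if (++have == 3) emit()
            }
        }
        END { if (bad || have != 0) exit 2 }
    '
}

# On the Protection Software server, listing sessions older than three days:
#   avmaint sessions | grep "path\|sessionid\|starttime" | stale_sessions "$(date +%s)" 3
```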

Stop backup and replication jobs

About this task

The Integrated Data Protection Appliance upgrade must be performed during a maintenance window when no other Protection Software maintenance activities, backup or replication jobs are running. To ensure this, perform the following steps.

Steps

1. Connect to the utility node using SSH and log in as an admin user.

2. Run the following command to verify if the server status is idle: opstatus.dpn

3. Run the following commands:

● avmaint sessions | grep path : To check if any backup jobs are in progress.

● mccli activity show --active | grep Replication : To check if any replication jobs are in progress.

Sample output:

admin@dp4400-08-10:~/>: avmaint sessions | grep path
path="/AVI_BACKUPS"
path="/"
admin@dp4400-08-10:~/>: mccli activity show --active | grep Replication
9163194680374209 Running 0 2021-09-18 02:33 EDT 00h:02m:10s 2021-09-19 02:33 EDT Replication Source 133.4 MB 83% dp4400-08-10.datadomain.com /MC_SYSTEM
1631946917158146 Running 0 2021-09-18 02:35 EDT 00h:00m:14s 2021-09-19 02:33 EDT Replication Source 140.2 MB 2.1% EM_BACKUPS /
admin@dp4400-08-10:~/>:

If any backup or replication jobs are running, you can either wait for these jobs to complete or you can terminate these jobs.

You can also contact Dell Support to terminate these backup jobs.

4. Run the following command to terminate the backup or replication jobs: mccli activity cancel --id=<job_id>

5. Run the following commands to confirm that the jobs are no longer in progress.

● avmaint sessions | grep path : To check if any backup jobs are in progress.

● mccli activity show --active | grep Replication : To check if any replication jobs are in progress.
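The checks in steps 3 and 5 can be scripted by parsing the captured output of the two commands. The following is an added example, not part of the Dell guide; it reuses the sample output shown above as inline data and assumes that the first column of each mccli activity row is the activity ID that mccli activity cancel --id= accepts.

```shell
#!/bin/sh
# Added example: decide from captured command output whether any backup
# or replication job is still running before the upgrade starts.

# Inline data taken from the guide's sample output (prompts removed).
SAMPLE_SESSIONS='path="/AVI_BACKUPS"
path="/"'
SAMPLE_ACTIVITIES='9163194680374209 Running 0 2021-09-18 02:33 EDT 00h:02m:10s 2021-09-19 02:33 EDT Replication Source 133.4 MB 83% dp4400-08-10.datadomain.com /MC_SYSTEM
1631946917158146 Running 0 2021-09-18 02:35 EDT 00h:00m:14s 2021-09-19 02:33 EDT Replication Source 140.2 MB 2.1% EM_BACKUPS /'

# $1 = output of: avmaint sessions
# Prints the number of sessions, counting one path="..." attribute each.
count_backup_sessions() {
    printf '%s\n' "$1" | awk '/path="/ { n++ } END { print n + 0 }'
}

# $1 = output of: mccli activity show --active
# Prints the ID of every replication activity, one per line.
# Assumption: the ID is the first, all-digit column of the row, which
# also skips header and status lines.
replication_job_ids() {
    printf '%s\n' "$1" | awk '/Replication/ && $1 ~ /^[0-9]+$/ { print $1 }'
}

# $1 = avmaint output, $2 = mccli output.
# Returns 0 when the window is clear, 1 when something is still running.
maintenance_window_clear() {
    sessions=$(count_backup_sessions "$1")
    ids=$(replication_job_ids "$2")
    if [ "$sessions" -eq 0 ] && [ -z "$ids" ]; then
        echo "clear: no backup sessions or replication jobs in progress"
        return 0
    fi
    echo "busy: $sessions backup session(s) in progress"
    for id in $ids; do
        echo "busy: replication job $id (wait, or: mccli activity cancel --id=$id)"
    done
    return 1
}

# On the utility node, feed live output instead of the samples:
#   maintenance_window_clear "$(avmaint sessions)" \
#       "$(mccli activity show --active)"
maintenance_window_clear "$SAMPLE_SESSIONS" "$SAMPLE_ACTIVITIES" || true
```

The non-zero return code lets a wrapper script stop before the upgrade is started while jobs are still active.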

Upgrade validation fails because of the SSHD banner

The upgrade validation may fail if the SSHD banner is enabled on the Protection Software when upgrading the appliance.

Temporarily remove the SSHD banner and retry the upgrade validation. You can enable the SSHD banner again once the upgrade completes.

Reporting and Analytics

About this task

The size of the /data01 partition on the Reporting and Analytics DataStore VM must not exceed 60 GB. If the size of the /data01 partition is over 60 GB, then the upgrade validation will fail.

To verify the size of the /data01 partition, perform the following steps:

Steps

1. Connect to the Reporting and Analytics DataStore VM using SSH with root credentials.

2. Verify the size of the /data01 partition using the following command: df -h

3. Verify the value in the Size column of the /data01 partition.

4. If the size is over 60 GB, then contact Dell Support to upgrade the Reporting and Analytics components.

Data Protection Central

If you have configured an external LDAP server, ensure that it is configured from the ACM Dashboard.

Prerequisites

If you have configured an external LDAP server in the Data Protection Central manually (not through the ACM Dashboard), then the upgrade validation for the Reporting & Analytics component upgrade will fail.

NOTE: Configuring an external LDAP from the Data Protection Central is not supported.

About this task

Perform the following steps to check if the LDAP settings are configured through the ACM Dashboard:


Steps

1. Log in to the ACM Dashboard.

2. Click the icon on the left of the Shutdown Appliance and download the current configuration to view the Appliance Configuration PDF file with the current appliance configuration details.

3. To connect to the Data Protection Central, specify the username mentioned in the LDAP settings of the IDPA Configuration PDF. If you successfully log in using the provided username, it indicates that the LDAP configuration is in sync.

If you are unable to log in using the username mentioned in the LDAP settings of the IDPA Configuration PDF, then reconfigure the Data Protection Central LDAP configuration using the ACM hostname (usually idpauser) as LDAP server. See the Revert to internal LDAP environment section in the IDPA Product Guide for more information.

4. Reconfigure the external LDAP from the ACM Dashboard. See the Configure external LDAP environment section in the IDPA Product Guide for more information.

Cloud DR

About this task

The upgrade validation for the Cloud DR Service component may fail for the following reasons:

● If the Cloud DR Server is not connected to the Cloud DR Service.

● If the Cloud DR Service is configured with your Cloud Account and Cloud DR Target, but not with the Cloud DR Server.

Perform the following steps to configure the Cloud DR Server with the Cloud DR Service.

Steps

1. Click Cloud DR Server on the menu bar.

● If no Cloud DR Server has been deployed, the Deploy Cloud DR Server page appears.

● If the Cloud DR Server has already been deployed, the Cloud DR Server page appears. You cannot deploy additional Cloud DR Server instances.

2. In the Cloud DR Server Configuration section, select the Cloud DR target on which to deploy the Cloud DR Server.

3. To allocate IP addresses for the Cloud DR solution, provide the IPV4 CIDR Range.

4. In the User Configuration section, enter and confirm passwords for the Cloud DR Server Admin and Cloud DR Server Monitor users.

The passwords must have:

● A minimum length of eight characters

● At least one lower case character (a-z)

● At least one upper case character (A-Z)

● At least one number (0-9)

● At least one special (non-alphanumeric) character

a. Enter and confirm passwords for the Cloud DR Server Admin and Cloud DR Server Monitor users.

b. Enter an email address for DD Cloud DR password reset requests.

When the Cloud DR Server is successfully deployed, AWS sends an email to this address for verification. Follow the instructions in the email within 24 hours of deployment.

5. To confirm that you accept the marketplace terms, click the I have accepted the AWS Marketplace terms checkbox.

6. Click Deploy Cloud DR Server.

The Cloud DR Server begins deployment of the Cloud DR Server to the Cloud DR target. If an error occurs during deployment, click Cleanup to delete the cloud resources that Cloud DR Server creates, and then retry deployment.

Deploying the Cloud DR Server may take up to 30 minutes.

If the deployment is successful, the Cloud DR Server page appears, listing the hostname of the Cloud DR Server host, and the region. Also deployed are:

● A Virtual Private Cloud (VPC).

● An Amazon Relational Database Services (RDS) catalog, to maintain persistent data.

● A private subnet for communication between the RDS and Cloud DR Server.

● A public subnet (Standard Mode) or private subnet (Professional Mode) with internet access to be used by Cloud DR Server.

● The Cloud DR Server EC2 instance.


The M4.Large instance type is used for the Cloud DR Server instance. To reduce deployment costs, you may want to purchase reserved instances from AWS; otherwise an on-demand instance is used. An elastic IP address is automatically assigned to the Cloud DR Server instance. You cannot change this IP address.

NOTE: Multiple Cloud DR Add-on appliances can connect to a single Cloud DR Server instance. However, one Cloud DR Add-on appliance cannot connect to multiple Cloud DR Server instances.

Results

Click the Cloud DR Server hostname after the Cloud DR Server is deployed to connect to the Cloud DR Server.

ACM, Hypervisor Manager, and Hypervisor

This section describes the possible solutions for ACM, Hypervisor Manager, and Hypervisor upgrade validation failures.

Perform the following to fix the possible upgrade validation failures:

● Check if the private IP addresses 192.168.100.108, used by the Hypervisor Manager component, and 192.168.100.113, used by the ACM component, are available for the upgrade validation. If the IP addresses are not available, then the upgrade validation will fail. Ensure that these IP addresses are available, and then retry the upgrade validation.

If a custom internal IP address range is used, then update the ACM's temporary IP address and the gateway in the /data01/tmp/patch/ip_details.properties file.

● Check if you have created or copied any VMs, folders, or files on the Hypervisor or Hypervisor Manager servers of the appliance. Ensure the following, and then retry the upgrade validation:

○ No non-IDPA-VMs, vApps, Resource pools, or any custom settings are deployed or configured on the appliance.

○ No custom files and folders exist on the Hypervisor and Hypervisor Manager (Service) servers.

○ No files are copied to the Hypervisor or Hypervisor Manager (Service) Server partitions. These include ISO, VIB, or other binary files manually copied to the Hypervisor or Hypervisor Manager (Service) Server storage partitions.

Set correct hostname in Hypervisor server

About this task

The upgrade validation may fail if the hostname (short and FQDN) is not set correctly on the Hypervisor server. To ensure you have the correct hostname for the Hypervisor server which reflects on iDRAC, perform the following steps:

Steps

1. Connect to the ACM Server using an SSH connection.

2. Run the following command to view the hostname of the IP addresses associated with the Hypervisor Server: nslookup

3. Connect to the Hypervisor server using an SSH connection.

4. Run the following commands to verify if the hostname matches the one retrieved from the nslookup command:

● hostname -s

● hostname -f

5. If the hostname on the Hypervisor is incorrect, then run the following commands:

● esxcli system hostname set --host=hostname

● esxcli system hostname set --fqdn=fqdn

6. Log in to the iDRAC console.

7. Go to System Panel in the iDRAC dashboard and verify the value in the Host Name field.

If you are unable to access the iDRAC console for any of the Hypervisor servers, follow the steps listed in KB article 21500.

8. If the hostname does not reflect correctly on the iDRAC Dashboard, then refresh the console and then verify the hostname.

9. If the hostname does not reflect correctly even after refreshing the console, then stop and restart the iDRAC service:

a. Run the following command: esxcli system wbem set -e=true

b. Run the following command to stop the service: /etc/init.d/sfcbd-watchdog stop

c. Run the following command to start the service again: /etc/init.d/sfcbd-watchdog start


Reduce storage space in Hypervisor Manager partition

About this task

The validation for the Hypervisor Manager may fail if the used storage space for the /storage/log partition is more than 90%. To reduce the used storage space in the /storage/log partition, perform the following steps:

Steps

1. Using an SSH client, connect to the Hypervisor Manager Server Service as a root user.

2. Switch to the Shell prompt: shell

3. Run the following command to ensure that the Hypervisor Manager services are running: service-control --all --status

4. Run the following command to verify the size of the /storage/log partition: df -h

NOTE: This partition is over 90% in use. Delete unwanted files and bring this percentage value below 90% to ensure the upgrade validations are successful.

5. Run the following command to identify the top 20 files with high disk usage: du -a /storage/log | sort -n -r | head -n 20

6. Delete the files listed in the output of the above command.

7. Run the following command to verify that the % Use value for the /storage/log partition is below 90%: df -h

8. Repeat the steps 5 to 7 until the /storage/log partition is below 90%.

9. Run the following command to restart all of the Hypervisor Manager services and Platform Services Controller services: service-control --start --all

10. Run the following command to ensure that all the Hypervisor Manager services are running before the start of the update procedure: service-control --all --status
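Both disk pre-checks in this chapter, the 60 GB limit on /data01 (Reporting and Analytics) and the 90% limit on /storage/log (Hypervisor Manager), read a value from df -h output. The following added example, which is not part of the Dell guide, applies the two thresholds to df -h text; the sample output is constructed, and a value of exactly 90% is treated as a failure because step 7 asks for a value below 90%.

```shell
#!/bin/sh
# Added example: apply the guide's two disk thresholds to `df -h` output.

# Constructed sample output (not captured from a real appliance).
SAMPLE_DF_DATASTORE='Filesystem      Size  Used Avail Use% Mounted on
/dev/sda2        20G  6.1G   13G  33% /
/dev/sdb1        75G   12G   63G  16% /data01'
# This sample wraps a long device name onto its own line, as some df
# versions do without -P, so fields are counted from the end of the line.
SAMPLE_DF_HVM='Filesystem                Size  Used Avail Use% Mounted on
/dev/mapper/log_vg-log
                          9.8G  9.1G  200M  98% /storage/log
/dev/mapper/db_vg-db      9.8G  1.2G  8.1G  13% /storage/db'

# $1 = df -h output, $2 = mount point. Prints Use% without the % sign.
use_pct() {
    printf '%s\n' "$1" | awk -v m="$2" 'NF >= 5 && $NF == m {
        p = $(NF-1); sub(/%/, "", p); print p
    }'
}

# $1 = df -h output, $2 = mount point. Prints the Size column in GB,
# using the 1024-based units that df -h prints (K, M, G, T suffixes).
size_gb() {
    printf '%s\n' "$1" | awk -v m="$2" 'NF >= 5 && $NF == m {
        s = $(NF-4); u = substr(s, length(s)); n = s + 0
        if (u == "T") n *= 1024
        else if (u == "M") n /= 1024
        else if (u == "K") n /= 1048576
        printf "%.1f\n", n
    }'
}

# Returns 0 = within limit, 1 = validation would fail, 2 = mount not found.
check_data01() {
    gb=$(size_gb "$1" /data01)
    if [ -z "$gb" ]; then echo "UNKNOWN: /data01 not in df output"; return 2; fi
    if awk -v g="$gb" 'BEGIN { exit !(g + 0 > 60) }'; then
        echo "FAIL: /data01 is $gb GB, limit is 60 GB (contact Dell Support)"
        return 1
    fi
    echo "OK: /data01 is $gb GB"
}

check_storage_log() {
    pct=$(use_pct "$1" /storage/log)
    if [ -z "$pct" ]; then echo "UNKNOWN: /storage/log not in df output"; return 2; fi
    if [ "$pct" -ge 90 ]; then
        echo "FAIL: /storage/log is ${pct}% used, must be below 90%"
        return 1
    fi
    echo "OK: /storage/log is ${pct}% used"
}

# On the respective VM, pass "$(df -h)" instead of the samples.
check_data01 "$SAMPLE_DF_DATASTORE" || true
check_storage_log "$SAMPLE_DF_HVM" || true
```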

Troubleshoot Upgrade failures

This section describes the possible issues you may encounter when upgrading the appliance.

Unable to start the appliance after upgrade

About this task

If the appliance fails to start up after you click Finish, connect to the Hypervisor UI and perform the following tasks:

Steps

1. Check if the Hypervisor server is in maintenance mode.

2. Exit the maintenance mode.

3. Power on the Data-Protection-ACM VM.

NOTE: Do not power on any of the other VMs (especially the ACM-old VM). Once the Data-Protection-ACM VM powers on, you can monitor the progress of the appliance startup from the ACM UI.

Protection Software

This section describes the possible upgrade errors you may encounter with Protection Software and their possible workaround.

Protection Software unable to start after upgrade

The Protection Software may fail to start or may have functionality issues if you have installed unsupported custom SSL certificates on the Protection Software. Contact Dell Support to resolve the issue.


Install correct Protection Software installer CLI

About this task

The protection software upgrade may fail if the required version of the avi-cli is not installed on the Appliance Configuration Manager (ACM). To install the correct version of the avi-cli, perform the following steps:

Steps

1. Using an SSH client, connect to the ACM as a root user.

2. Run the following command to verify that the following binaries are installed: rpm -qa emc-avi-cli emc-ruby emc-tools

Make a note of the versions of these binaries.

3. Browse to the /data01/tmp/patch/products/ACM/AVICLI/binaries/ folder using the following command: cd /data01/tmp/patch/products/ACM/AVICLI/binaries/

4. Run the following command to list the files in the folder: ls

NOTE: This folder contains the relevant versions of the RPMs required to install avi-cli.

5. Verify if the version numbers of the binaries installed on the ACM VM from step 3 correspond with the files in the current folder.

NOTE: If the RPM version values are the same as the ones in the current folder, then contact Dell EMC Support for assistance. If the RPM version values are different than the ones in the current folder, then continue with the steps below to update the binaries from the current folder.

6. Uninstall the existing outdated binaries.

a. Run the following command to uninstall the existing emc-avi-cli binary: rpm -e emc-avi-cli

b. Run the following command to uninstall the existing emc-ruby binary: rpm -e emc-ruby

c. Run the following command to uninstall the existing emc-tools binary: rpm -e emc-tools

7. Install the relevant RPMs from the current folder.

a. Run the following command to install the required emc-tools rpm: rpm -ivh /data01/tmp/patch/products/ACM/AVICLI/binaries/emc-tools*.rpm --force

b. Run the following command to install the required emc-ruby rpm: rpm -ivh /data01/tmp/patch/products/ACM/AVICLI/binaries/emc-ruby*.rpm --force

c. Run the following command to install the required emc-avi-cli rpm: rpm -ivh /data01/tmp/patch/products/ACM/AVICLI/binaries/emc-avi-cli*.rpm --force

Search is disconnected from the Protection Software after IDPA upgrade

About this task

After you upgrade the IDPA, Search may be disconnected from the Protection Software. If this is the case, there will be a red broken link icon over the idpa-backupServer listed in the Search UI > Manage: Avamar > Administration > Sources page.

To connect Search to the Protection Software, perform the following steps.

Steps

1. In the upper right corner of the Search UI, in the Manage: field, select Avamar from the drop-down menu.

2. In the left navigation pane, click Administration > Sources.

A list of Protection Software Search sources appears.

3. Click within the row that contains idpa-backupServer.

4. Click the Repair Agent button (hammer and wrench icon) in the right vertical toolbar.

This executes a repair agent job to connect Search to the Protection Software.


Upgrade the external VM Proxy manually

This section describes the steps to upgrade the VM Proxy manually. If the existing VM Proxy is not available for upgrade in the Proxy Deployment Manager (PDM), delete the existing Proxy Service and deploy a new Proxy Service.

Prerequisites

NOTE: Ensure that all required hotfixes are installed in Protection Software before you upgrade the internal and external proxies.

Steps

1. Connect to the VM Proxy and gather all network related details such as the assigned IP address, DNS, Gateway, Netmask and NTP server IP addresses.

2. Connect to the vCenter Server UI using a browser at https://<vCenter Server IP>.

3. In the Hosts and Clusters view, in the left navigation pane, browse through to the vCenter server node and select the VM Proxy.

4. Note the name of the AV Proxy VM, Datastore on which it is hosted, and the network it uses. Right-click the VM Proxy and select Power > Shut Down Guest OS.

5. Right-click the VM Proxy and select Rename.

6. Rename the VM Proxy by appending -old to the original name.

7. Connect to the Protection Software UI using https://<Avamar Server IP>.

8. Deploy a new Proxy Service on the same vCenter that you had connected to in Step 6.

a. Select Proxy Management from the left pane.

b. Under the Proxy Deployment tab, in the Config Window, select the vCenter.

c. Verify all other settings and click CREATE RECOMMENDATION.

d. The New Proxy is listed under the Recommendations window.

e. Select New Proxy and click the Edit button.

f. Change the Name and set it to the name that the old VM Proxy had on the vCenter server.

g. Provide the same IP address and all other details as that of the old VM Proxy.

h. Verify that the IP address and the hostname of the VM Proxy is DNS resolvable by running the following command: host -W 10 -T <Avamar_Proxy_VM_IP_Address>

The above command should return the hostname of VM Proxy IP if the DNS server is accessible and Proxy IP is registered in DNS server.

See the KB Article 168924 for assistance.

i. Click Save.

j. Click Apply Changes to deploy the new VM Proxy.

9. Perform a backup of one of the vCenter to ensure backups run successfully with the new VM Proxy.

10. Delete the -old VM Proxy from the vCenter Server UI.

Possible errors with firmware upgrade

If you encounter an issue with the firmware upgrade, then the appliance upgrade fails, and you get an error message and its corresponding error code on the ACM UI. See the table below to get the resolution steps for the errors. The operation column describes the firmware upgrade process at which the error occurs. After you resolve the error, click Retry to proceed with appliance upgrade.

Table 16. Firmware upgrade errors and resolution

Error Code: 9000

Operation: Any Operation

Error message and remedy displayed in the ACM UI: Internal server error: Infrastructure Management Service encountered an unexpected condition that prevented it from fulfilling the request. Contact Support.

Resolution: You may get this error if the fail client task scripts are missing in the Hypervisor host. This may occur if the Hypervisor host is not power-cycled in the re-imaging process. To resolve this issue, perform the following tasks:

1. Log in to the Hypervisor host using SSH and note down the list of files in the /scratch/dell/extern folder.

2. Log in to ACM using SSH and note down the list of files in the /usr/local/dpatools/bin/clienttask folder.

3. If the files in the Hypervisor folder are not present in the ACM folder, then use the secure copy (scp) command to copy the files to the Hypervisor host.

4. Retry the upgrade operation from the ACM UI.

If the issue is not resolved, then contact Dell Support.

Error Code: 9001

Operation: Querying firmware versions

Error message and remedy displayed in the ACM UI: Failed to connect to Node Event service. Check Node Event service status or IP connection.

Resolution:

1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086

2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status

● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start

● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart

3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.

Error Code: 9002

Operation: Querying firmware versions

Error message and remedy displayed in the ACM UI: Failed to query software inventory from Node Event service (HttpStatus.SERVICE_UNAVAILABLE). Check iDRAC Service Module or iDRAC status.

Resolution: To check iSM status, perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status

● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start

● If the status is iSM is active (not running) then perform the following steps:

1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop

2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start

3. Log in to iDRAC using SSH.

4. Run the following command to reset iDRAC: racadm racreset soft

If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop

3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error Code: 9003

Operation: Querying firmware versions

Error message and remedy displayed in the ACM UI: Failed to query software inventory from Node Event service (HttpStatus.BAD_GATEWAY). Check iDRAC or iDRAC Service Module status.

Resolution: To check iSM status, perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status

● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start

● If the status is iSM is active (not running) then perform the following steps:

1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop

2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start

3. Log in to iDRAC using SSH.

4. Run the following command to reset iDRAC: racadm racreset soft

If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop

3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error Code: 9004

Operation: Firmware precheck

Error message and remedy displayed in the ACM UI: Failed to connect to Node Event service. Check Node Event service status or IP connection.

Resolution:

1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086

2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status

● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start

● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart

3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.

Error Code: 9005

Operation: Firmware precheck

Error message and remedy displayed in the ACM UI: Failed to query software inventory from Node Event service (HttpStatus.SERVICE_UNAVAILABLE). Check iDRAC Service Module or iDRAC status.

Resolution: To check iSM status, perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status

● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start

● If the status is iSM is active (not running) then perform the following steps:

1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop

2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start

3. Log in to iDRAC using SSH.

4. Run the following command to reset iDRAC: racadm racreset soft

If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop

3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error Code: 9006

Operation: Firmware precheck

Error message and remedy displayed in the ACM UI: Failed to query software inventory from Node Event service (HttpStatus.BAD_GATEWAY). Check iDRAC or iDRAC Service Module status.

Resolution: To check iSM status, perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status

● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start

● If the status is iSM is active (not running) then perform the following steps:

1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop

2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start

3. Log in to iDRAC using SSH.

4. Run the following command to reset iDRAC: racadm racreset soft

If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop

3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error Code: 9012

Operation: Firmware update

Error message and remedy displayed in the ACM UI: Failed to unpack firmware payload. Check if the iDRAC LC job queue is clear.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9013

Operation: Firmware update

Error message and remedy displayed in the ACM UI: Failed to connect to Node Event service. Check Node Event service status or IP connection.

Resolution:

1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086

2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status

● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start

● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart

3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.

Error Code: 9014

Operation: Firmware update

Error message and remedy displayed in the ACM UI: Failed to process firmware payload with Node Event service (HttpStatus.SERVICE_UNAVAILABLE). Check iDRAC Service Module or iDRAC status.

Resolution: To check iSM status, perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status

● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start

● If the status is iSM is active (not running) then perform the following steps:

1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop

2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start

3. Log in to iDRAC using SSH.

4. Run the following command to reset iDRAC: racadm racreset soft

If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop

3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error Code: 9015

Operation: Firmware update

Error message and remedy displayed in the ACM UI: Failed to process firmware payload with Node Event service (HttpStatus.BAD_GATEWAY). Check iDRAC or iDRAC Service Module status.

Resolution: To check iSM status, perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status

● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start

● If the status is iSM is active (not running) then perform the following steps:

1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop

2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start

3. Log in to iDRAC using SSH.

4. Run the following command to reset iDRAC: racadm racreset soft

If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:

1. Log in to the host in which the iSM issue is observed.

2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop

3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error Code: 9017

Operation: Firmware precheck

Error message and remedy displayed in the ACM UI: No firmware profile. Ensure that the correct ID module is installed.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9018

Operation: Post-update tasks

Error message and remedy displayed in the ACM UI: Failed to retrieve vSAN status. Ensure vSAN is in healthy state.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9019

Operation: Firmware post-update tasks

Error message and remedy displayed in the ACM UI: Node event service failed to process reboot request. Check Node Event service status.

Resolution:

1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086

2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status

● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start

● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart

3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.

Error Code: 9020

Operation: Firmware pre-update tasks

Error message and remedy displayed in the ACM UI: Failed to restart Node event service. Check if Node event service is an error state, and ensure it is installed properly.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9021

Operation: Firmware pre-update tasks

Error message and remedy displayed in the ACM UI: Failed to perform pre-requisite tasks due to an internal error. Check upgrade logs for details.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9022

Operation: Firmware update

Error message and remedy displayed in the ACM UI: Firmware payload file is not found. Add the firmware payload path to the request body and then retry the firmware update API.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9023

Operation: Firmware update

Error message and remedy displayed in the ACM UI: Failed to update firmware due to an internal error. Check Node Event service, iDRAC service module, or iDRAC status and the review logs for details

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9024

Operation: Firmware pre-update tasks

Error message and remedy displayed in the ACM UI: Failed to connect to Node Event service. Check Node Event service status or IP connection.

Resolution:

1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086

2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status

● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start

● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart

3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.

Error Code: 9025

Operation: Firmware post-update tasks

Error message and remedy displayed in the ACM UI: Failed to connect to Node Event service. Check Node Event service status or IP connection.

Resolution:

1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086

2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status

● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start

● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart

3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.

Error Code: 9028

Operation: Firmware post-update tasks

Error message and remedy displayed in the ACM UI: Failed to perform post-update tasks due to an internal error. Check vSAN status and review upgrade logs for details.

Resolution: Contact Dell Support to resolve the issue.

Error Code: 9029

Operation: Any Operation

Error message and remedy displayed in the ACM UI: Timeout while waiting for an internal task to complete. Check Node Event service, iDRAC Service Module, or iDRAC status and check logs for details.

Resolution: Contact Dell Support to resolve the issue.

Error code: 9030
Operation: Firmware post-update tasks
Error message and remedy displayed in the ACM UI: Hypervisor failed to exit maintenance mode. Check Hypervisor status and ensure that vSAN is in healthy state.
Resolution: Contact Dell Support to resolve the issue.

Error code: 9031
Operation: Firmware post-update tasks
Error message and remedy displayed in the ACM UI: Timeout while waiting to reconnect and update the next host. Check Hypervisor status and ensure vSAN is in healthy state.
Resolution: Contact Dell Support to resolve the issue.

Error code: 9032
Operation: Firmware update
Error message and remedy displayed in the ACM UI: The maximum wait time for system reset exceeded. Check iDRAC and Node Event service status.
Resolution: Contact Dell Support to resolve the issue.

Error code: 9033
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: Failed to verify if the current firmware is valid. Check the iDRAC software inventory and upgrade log for details.
Resolution: Contact Dell Support to resolve the issue.

Error code: 9034
Operation: Firmware precheck
Error message and remedy displayed in the ACM UI: Failed to get firmware profile. Check installed firmware payload and upgrade logs for details.
Resolution: Contact Dell Support to resolve the issue.

Error code: 9035
Operation: Firmware precheck
Error message and remedy displayed in the ACM UI: Failed to get firmware versions due to missing firmware profiles. Check installed Infrastructure Management Service version and upgrade logs for details.
Resolution: Contact Dell Support to resolve the issue.

Error code: 9036
Operation: Firmware update
Error message and remedy displayed in the ACM UI: Failed to clear pending jobs in iDRAC job queue. Check Node Event service, iDRAC Service Module, or iDRAC status and check upgrade logs for details.
Resolution: Contact Dell Support to resolve the issue.

Error code: N/A
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: Failed to connect to Node Event service. Check Node Event service status or IP connection.
Resolution:
1. Log in to the Hypervisor host using SSH and run the following command to change the Node Event Service rest_ip configuration: /opt/dell/DellPTAgent/tools/pta_cfg set rest_ip=https://<host internal IP>:8086
2. Run the following command to check the status of the Node Event service: /etc/init.d/DellPTAgent status
   ● If the Node Event Service is down, run the following command to start the service: /etc/init.d/DellPTAgent start
   ● If the Node Event Service is up and running, then run the following command to restart the service: /etc/init.d/DellPTAgent restart
3. To avoid further pre-check failures, log in to all Hypervisor hosts and repeat steps 1 and 2.


Error code: N/A
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: Failed to query host summary from Node Event Service (HttpStatus.SERVICE_UNAVAILABLE). Check iSM or iDRAC status.
Resolution:
To check iSM status, perform the following steps:
1. Log in to the host in which the iSM issue is observed.
2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status
   ● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start
   ● If the status is iSM is active (not running), then perform the following steps:
      1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop
      2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start
      3. Log in to iDRAC using SSH.
      4. Run the following command to reset iDRAC: racadm racreset soft
If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:
1. Log in to the host in which the iSM issue is observed.
2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop
3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error code: N/A
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: Failed to query host summary from Node Event Service (HttpStatus.BAD_GATEWAY). Check iDRAC or iSM status.
Resolution:
To check iSM status, perform the following steps:
1. Log in to the host in which the iSM issue is observed.
2. Run the following command to check iSM status: /etc/init.d/dcism-netmon-watchdog status
   ● Run the following command if the service is stopped: /etc/init.d/dcism-netmon-watchdog start
   ● If the status is iSM is active (not running), then perform the following steps:
      1. Run the following command to stop the service: /etc/init.d/dcism-netmon-watchdog stop
      2. Run the following command to restart iSM: /etc/init.d/dcism-netmon-watchdog start
      3. Log in to iDRAC using SSH.
      4. Run the following command to reset iDRAC: racadm racreset soft
If the iDRAC GUI shows the error Not running (TLS error), then perform the following steps:
1. Log in to the host in which the iSM issue is observed.
2. Run the following command to stop iSM: /etc/init.d/dcism-netmon-watchdog stop
3. Run the following command to reinstall iSM to establish a new TLS connection with iDRAC: /etc/init.d/dcism-netmon-watchdog start install

Error code: N/A
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: iDRAC is in recovery mode. Clear the recovery mode before the firmware update.
Resolution: Contact Dell Support to resolve the issue.

Error code: N/A
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: There are some pending jobs in iDRAC job queue. Clear iDRAC job queue before firmware upgrade.
Resolution:
1. Log in to iDRAC using SSH.
2. Run the following command to clear all the jobs in the job queue: racadm jobqueue delete -i JID_CLEARALL_FORCE
   NOTE: It is recommended to use JID_CLEARALL instead of JID_CLEARALL_FORCE. Use JID_CLEARALL_FORCE only to recover the iDRAC Lifecycle controller from a failed state or when a running job is not progressing.
   NOTE: iDRAC reset is required after using JID_CLEARALL_FORCE to ensure that iDRAC is in a good working state.
3. Wait for 5 minutes for iDRAC to settle down.

Error code: N/A
Operation: Firmware-update readiness check
Error message and remedy displayed in the ACM UI: Current iDRAC firmware is older than 3.30.30.30. Direct upgrade to target version is not supported. iDRAC firmware needs to be updated to 3.36.103.36 first.
Resolution:
1. Log in to the ACM using SSH.
2. Run the following command to verify if the Infrastructure Management Service is of version 2.3.0 or higher: rpm -qa | grep dpatools
3. Check if the firmware bundle IDPA-10.308-10.308.tar.gz is available at /usr/local/dpatools/bin/payload
4. Run the following command to install iDRAC version 3.36.103.36 on the node(s): dpacli -fwupdate /usr/local/dpatools/bin/payload/IDPA-10.308-10.308.tar.gz -skipReboot
5. Click Revalidate in the ACM Upgrade UI to run the upgrade pre-checks again.


Manual upgrade of IDPA Server Firmware

For Gen 14 models, if the iDRAC firmware version is below 3.30.30.30, then you will not be able to proceed with the appliance upgrade. You must update the iDRAC firmware version to 3.36.103.36, and then proceed with the appliance upgrade.

If the firmware of the IDPA was already upgraded to the firmware block bundled with IDPA, then you need not upgrade the firmware on the IDPA.
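The two version rules stated in this guide (iDRAC below 3.30.30.30 must first go to 3.36.103.36, and the Infrastructure Management Service must be 2.3.0 or higher) can be checked before starting the upgrade. The following is an added example, not Dell tooling: the function names are hypothetical, the sample versions are constructed, and the dpatools-<version>-<release>.noarch package-name form is an assumption.

```shell
#!/bin/sh
# Added example (not Dell tooling): gate the upgrade on the version rules in
# this guide. Versions are compared field by field as integers, because a
# plain string comparison would rank 3.4.x above 3.30.x.

IDRAC_MIN_DIRECT="3.30.30.30"   # from the guide: below this, no direct upgrade
IDRAC_INTERIM="3.36.103.36"     # from the guide: install this version first
IMS_MIN="2.3.0"                 # from the guide: minimum dpatools version

# is_dotted_version V: succeed when V is digits separated by single dots.
is_dotted_version() {
    case $1 in
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;
    esac
    return 0
}

# ver_lt A B: succeed when A is strictly lower than B.
# Missing trailing fields count as 0, so 2.3 equals 2.3.0.
ver_lt() {
    lt_a=$1
    lt_b=$2
    while [ -n "$lt_a" ] || [ -n "$lt_b" ]; do
        lt_fa=${lt_a%%.*}
        lt_fb=${lt_b%%.*}
        case $lt_a in *.*) lt_a=${lt_a#*.} ;; *) lt_a= ;; esac
        case $lt_b in *.*) lt_b=${lt_b#*.} ;; *) lt_b= ;; esac
        if [ "${lt_fa:-0}" -lt "${lt_fb:-0}" ]; then return 0; fi
        if [ "${lt_fa:-0}" -gt "${lt_fb:-0}" ]; then return 1; fi
    done
    return 1
}

# idrac_upgrade_path CURRENT: print the path the guide prescribes.
#   interim:3.36.103.36   CURRENT is below 3.30.30.30
#   direct                otherwise
# Returns 2 on malformed input.
idrac_upgrade_path() {
    is_dotted_version "$1" || { echo "bad iDRAC version: $1" >&2; return 2; }
    if ver_lt "$1" "$IDRAC_MIN_DIRECT"; then
        echo "interim:$IDRAC_INTERIM"
    else
        echo "direct"
    fi
}

# ims_version_ok PKG: PKG is one line of "rpm -qa dpatools" output.
# Accepted forms: dpatools-<version>.noarch (as shown in the guide) and
# dpatools-<version>-<release>.noarch (usual rpm naming; an assumption here).
# Returns 0 when the version is at least 2.3.0, 1 when lower, 2 when unparsable.
ims_version_ok() {
    ims_v=${1#dpatools-}
    [ "$ims_v" != "$1" ] || { echo "not a dpatools package: $1" >&2; return 2; }
    ims_v=${ims_v%.noarch}
    ims_v=${ims_v%%-*}
    is_dotted_version "$ims_v" || { echo "bad version in: $1" >&2; return 2; }
    if ver_lt "$ims_v" "$IMS_MIN"; then return 1; fi
    return 0
}

# Constructed sample versions, not read from a real appliance.
for v in 3.21.26.22 3.4.0.0 3.30.30.30 5.10.00.00; do
    printf '%-12s %s\n' "$v" "$(idrac_upgrade_path "$v")"
done
```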

Ensure the following before you upgrade the server firmware:

● Download the required firmware upgrade packages from the Dell EMC support website to your local folder.

● Ensure that you are connected and have configured the iDRAC.

● Ensure that ACM is up and running.

NOTE: The SSH session is configured to time out after 10 minutes of inactivity. Either refresh the session to keep it alive or change the timeout value. For more information, see the Session timeout section in the IDPA Security Configuration Guide.

● Ensure that you have valid connection points to the required Hypervisor Server.

● Pause all activities on IDPA, including the Services.

● Ensure that all the services on ACM have green checkmarks indicating that they are all healthy, up and running, and properly configured. If any of the services are not in green, log in to that particular service and restart it.

● Use the sha256 checksum validation process to verify the integrity of the downloaded firmware upgrade packages.

● Download the latest Infrastructure Management Service package from the Dell EMC support website to your local folder and use the sha256 checksum to verify its integrity.

● On the ACM GUI, click Download Current Configuration to generate the DataProtectionConfiguration.xml file that is required for enabling the service mode.

NOTE: The DataProtectionConfiguration.xml file is automatically generated for IDPA version 2.5 and later.

To upgrade the server firmware manually, perform the following:

1. Install the Infrastructure Management Service package

2. Install the firmware update package

3. Update the firmware (ACM configured systems only)

Install the Infrastructure Management Service Package

Steps

1. Using an SSH client, connect to the ACM as a root user.

2. Create a new directory by running the following command: mkdir /root/firmware/

3. From the latest Infrastructure Management Service package that you downloaded from the Dell EMC Support site, copy the dpatools-<version>.rpm to the new /root/firmware/ directory.

4. On the SSH session, verify the version of Infrastructure Management Service that is installed on the ACM by running the following command: rpm -qa dpatools

The following is a sample output of this command: dpatools-<version>.noarch

5. If the version that you downloaded is a later version than the one already installed, then upgrade the Infrastructure Management Service package by running the following command: rpm -Uvh --force dpatools-<version>.rpm

Install the Firmware Update Package

Steps

1. Using an SSH client, connect to the ACM as a root user.

2. Verify the firmware version on the IDPA.

dpacli -fwversions

The dpacli -fwversions command displays the firmware version of all components on the IDPA server.

3. From the latest firmware upgrade package that you downloaded from the Dell EMC Support website, using WinSCP or any other terminal emulation applications, copy the dpafw-<version>.rpm to the root directory.

4. Run the following command: rpm -Uvh --force dpafw-<version>.rpm
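Both install procedures above run rpm -Uvh --force on a package copied from a workstation, so the sha256 check listed in the prerequisites is the only control on what gets installed. The following is an added example, not part of the Dell guide or its tooling: the function names and the RPM_CMD dry-run variable are hypothetical, the expected digest must come from the Dell EMC support website, and the demo file is a constructed stand-in.

```shell
#!/bin/sh
# Added example (not Dell tooling): refuse to install a package unless its
# SHA-256 digest matches the value published on the download page.

# sha256_of FILE: print the digest as lowercase hex using whichever tool exists.
# The file is read from stdin so unusual file names cannot alter the output.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum < "$1" | awk '{print $1}'
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 < "$1" | awk '{print $1}'
    else
        echo "no SHA-256 tool found" >&2
        return 2
    fi
}

# verify_package FILE EXPECTED_SHA256
# Returns 0 on match, 1 on mismatch, 2 when the file is unreadable or the
# expected value is not 64 hex characters. The comparison ignores case.
verify_package() {
    vp_file=$1
    vp_expected=$(printf '%s' "$2" | tr -d '[:space:]' | tr 'A-F' 'a-f')
    if [ ! -f "$vp_file" ] || [ ! -r "$vp_file" ]; then
        echo "verify_package: cannot read $vp_file" >&2
        return 2
    fi
    case $vp_expected in
        ''|*[!0-9a-f]*) echo "verify_package: expected digest is not hex" >&2; return 2 ;;
    esac
    if [ "${#vp_expected}" -ne 64 ]; then
        echo "verify_package: expected digest is not 64 characters" >&2
        return 2
    fi
    vp_actual=$(sha256_of "$vp_file") || return 2
    if [ "$vp_actual" = "$vp_expected" ]; then
        echo "OK $vp_file"
        return 0
    fi
    echo "MISMATCH $vp_file: got $vp_actual" >&2
    return 1
}

# install_if_verified FILE EXPECTED_SHA256
# Runs the guide's rpm command only after the digest check passes.
# RPM_CMD is a hypothetical override, useful for a dry run (RPM_CMD=echo).
install_if_verified() {
    verify_package "$1" "$2" || return $?
    ${RPM_CMD:-rpm} -Uvh --force "$1"
}

# Demo on a constructed stand-in file whose content is the string "abc".
demo_dir=$(mktemp -d)
printf 'abc' > "$demo_dir/dpafw-demo.rpm"
demo_sum=ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad
if RPM_CMD=echo install_if_verified "$demo_dir/dpafw-demo.rpm" "$demo_sum"; then
    echo "dry run: package accepted"
else
    echo "dry run: package rejected"
fi
rm -rf "$demo_dir"
```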

Update the Firmware (for ACM configured systems only)

Steps

1. Connect to the ACM using an SSH client.

2. On the ACM, start the firmware update workflow by running the following command: dpacli -fwworkflow /usr/local/dpatools/bin/payload/IDPA-<version>-<version>.tar.gz

For example, dpacli -fwworkflow /usr/local/dpatools/bin/payload/IDPA-2.310-2.310.tar.gz

a. If the IDPA is in an unconfigured state (only the ACM VM is present on the appliance), then run the following command: dpacli -fwupdate /usr/local/dpatools/bin/payload/IDPA-<version>-<version>.tar.gz

For example, dpacli -fwupdate /usr/local/dpatools/bin/payload/IDPA-2.310-2.310.tar.gz

3. Monitor the dpacli log file by running the following command: tail -f /usr/local/dpatools/logs/dpacli.log

4. Optionally, you can monitor the progress of the firmware update on the iDRAC GUI by navigating to Maintenance > Job Queue.

NOTE: The firmware update process including restarting the server can take up to 45 minutes to complete.

After the firmware updates are completed successfully, the Storage Pool should be in healthy state. You can run the dpacli -fwprecheck command on the ACM to validate if the firmware is updated properly.

If the Storage Pool is not in a healthy state, you can recover the Storage Pool using the following steps:

a. Enable Maintenance mode on all Hypervisor hosts.

b. Shut down all the Hypervisor hosts (power off).

c. Power on the Hypervisor hosts one at a time.

NOTE: Ensure that the Hypervisor host is up and running before powering on the next Hypervisor host. Health checks will fail until the second Hypervisor host has joined the cluster.

Firmware block version

Once the firmware is upgraded, check the table below to validate that the firmware block version for the hardware components is correct.

The table below lists the firmware versions of the IDPA 2.7.2 hardware components.

NOTE: You can verify the firmware block version on the IDPA by running the dpacli -fwversions command from the ACM Service. It displays the firmware block version of all the hardware components on the IDPA Server.

Table 17. Dell PowerEdge December 2021 firmware block stack (version 2.312) for DP4400

Component Firmware version SWB

BIOS 2.12.2

4CRD2 iDRAC

BOSS-S1 Adapter

Intel(R) Ethernet Converged Network Adapter X710

● Intel(R) Ethernet 10G X710 SFP+ rNDC

● Intel(R) Ethernet 10G 4P X710 SFP+ PCIe

● Intel(R) Ethernet 10G 4P X710 BASE-T PCIe

5.10.00.00

2.5.13.3024 (A07_02)

20.5.13

20.5.13

P8HC9

3P39V

M20T0

M20T0


Table 17. Dell PowerEdge December 2021 firmware block stack (version 2.312) for DP4400 (continued)

Component

● Intel(R) Ethernet 10G 4P X550 BASE-T rNDC

● Intel(R) Gigabit 2P I350-t Adapter

Firmware version

20.5.13

SWB

HR5TP

Lite_on 1100W PSU Firmware

Delta 1100W PSU Firmware

Artesyn 750W PSU Firmware

Non-expander Storage Backplane Firmware

Expander Backplane

● PCIe SSD

● Dell Express Flash NVMe 1725

● PCIe SSD

● Dell Express Flash NVMe 1725a

● PCIe SSD

● Dell Express Flash NVMe 1725b

● PCIe SSD

● Dell Express Flash NVMe 1735

Hitachi Leo-A 12TB SAS DRIVE

Seagate Mobula 12TB SAS DRIVE

Toshiba MG07 12TB SAS DRIVE

Toshiba HK4 RI 1920GB SSD SATA 6Gbps 2.5

SEAGATE 1.8TB SAS DRIVE

H730P PERC

Intel M.2 (for BOSS)

Intel Youngsville 240G M2 Card

Micron M.2 (for BOSS)

1.92TB SSD, 6Gbps SATA, 2.5, 512e, 5200 RI ISE

Samsung 1.92TB SSD SATA RI 6Gbps 512n 2.5in Hot-plug Drive P863, ISE

Samsung 1.92TB SSD SATA RI 6Gbps 512n 2.5in Hot-plug Drive P863a, ISE

Samsung 1.92TB SSD SATA RI 6Gbps 512n 2.5in Hot-plug Drive P883, ISE

Intel 1.92TB SSD SATA RI 6Gbps 512n 2.5in Hot-plug Drive Youngsville s4500 , ISE

Intel 1.92TB SSD SATA RI 6Gbps 512n 2.5in Hot-plug Drive Youngsville s4510 , ISE

Toshiba 1.8TB 10K RPM SAS 12Gbps 512e 2.5in Hot-plug Hard Drive

AL14SE,ISE

Toshiba 1.8TB 10K RPM SAS 12Gbps 512e 2.5in Hot-plug Hard Drive

AL15SE,ISE

HBA330 Mini

00.23.32

00.1D.7D

N/A

4.35_06

2.52

KPYABD3Q

1.2.1

1.2.2

2.3.0

DL43

DL6N

E012

N/A

N/A

N/A

N/A

N/A

NS06

RSL2

EI0C

N/A

N/A

25.5.9.0001

N/A

N/A

N/A

N/A

H8Y6K

C4M76

N/A

VV85D

60K1J

WM6VX

34C36

3F3N1

RP8RC

N/A

N/A

N/A

N/A

C6PNG

JWKDW

GT72W

N/A

N/A

700GG

CHJGV

5WH9V

6FGD4

N/A

N/A

N/A

N/A

N/A


4

Manage Data Protection Central post IDPA installation

After you successfully install IDPA, the system opens Data Protection Central in a new browser window or tab. You can perform a service backup, restore a service backup and generate reports for Protection Software and Protection Storage using Data Protection Central.

This section contains the following topics:

Topics:

Perform a VM backup

Restoring a VM backup

Generating reports

Perform a VM backup

This section provides information on how to back up a VMware client using the Data Protection Central UI.

VM backups overview

As soon as your environment is up and running, you can follow the steps in this section to back up a VMware client.

If you are using Protection Software for the first time, the section includes preparatory tasks, such as defining vCenter and VMware clients and deploying a VM proxy (Service).

The entire process is organized into the following procedures:

Define vCenter and VMware clients.

Deploy the VM proxy (Service).

Create and run the backup policy

Further information about Protection Software backups is available in the Protection Software documentation, including the Avamar Administration Guide and the Avamar Backup Clients User Guide.

Define vCenter and VMware clients

This procedure shows you how to create the vCenter and VM clients, and add a dataset to the VM client.

About this task

To create the Hypervisor Manager (Service) and service clients and add a dataset to the service client, perform the following actions.

Steps

1. Open a browser and enter https://<ACM IP address>:8543 to access the ACM UI.

2. Click DPC Web UI and log in to the DPC .

The DPC dashboard page is displayed.

3. Click System Management on the left pane to display the Data Protection Central page.

4. Click the vertical ellipsis for the Protection Software-Protection Software and select Protection Software Restore .

The Asset Management page on the Protection Software UI is displayed.

5. To add the VMware vCenter server as a backup client, perform the following actions.


a. Click the vertical ellipsis beside ADD CLIENT and select Add VMware vCenter .

NOTE: Ensure that you are on the root domain.

The New vCenter Client window is displayed.

b. Select or enter the details that are required in the fields to create a vCenter client using the following table. Click Next to continue to the next page.

Table 18. Adding vCenter Clients

Page | Field | Description
Client Information | Client Type | Select VMware vCenter.
vCenter Information | New Client Name or IP | Client name or IP address.
vCenter Information | Client Domain | Domain name.
vCenter Information | User Name | The user name of the vCenter server administrator.
vCenter Information | Password | The administrator password.
vCenter Information | Verify Password | Enter the same password to verify that they are identical.
vCenter Information | Port | The vCenter HTTPS port number.
Advanced | Auto Discovery: Enable Dynamic VM import by rule, Enable Changed Block Tracking | Select the check box to enable the options. This is an optional field. NOTE: The Enable Changed Block Tracking checkbox is enabled only when you select Enable Dynamic VM import by rule.
Optional Information | Optional Information: Contact, Phone, Email, Location | Enter the relevant information in the fields. All fields are optional for this task.

c. Click ADD on the Summary page. Then refresh the screen to verify the new vCenter client.

d. Click OK on the Finish page.

The vCenter client is added and the Asset Management page is displayed.

NOTE: Refresh the page to verify if the vCenter client is added.

6. To add the VMware client, perform the following actions.

a. In the Domain pane, expand the new vCenter client and click VirtualMachines .

b. In the Asset Management pane, click ADD CLIENT .

The Select VMware Entity page is displayed.

c. On the Select VMware Entity window, expand the host or cluster tree and select the cluster hosting the VM that you want to back up.

NOTE: To view the host or cluster details toggle the Host/Cluster button.

The VMs assigned to the cluster are displayed in the right panel.

d. In the right panel, click the + icon to select the VM you want to back up and click YES .

7. To add the dataset, perform the following actions.

a. Click Setting under the Administration section on the left pane.

NOTE: Ensure that you are on the root domain.

b. Click the Dataset tab in the Setting pane, and then click the plus sign ( + ) to display the Create DataSet window.

c. Click + ADD .

The Create DataSet window is displayed.


d. In the Dataset Name field, enter the dataset name.

e. Select Windows VMware Image from the list of Plugins available.

NOTE: You can select a different plugin from the list of plugins available. The setting options and source data are different for the different plugins.

The Windows VMware Image options are displayed under the Options tab.

f. Select the Index VMware Image Backups checkbox.

g. Click Source Data tab to view the setting options.

The options available in the Source Data tab allow you to back up the source data based on your selection.

h. Click Submit .

The application displays Dataset created successfully message on the Protection Software dashboard page.

NOTE: Indexing is used for restoring specific files and is optional for backing up entire VMs. Selecting it here will allow you to restore specific files as described in Restore specific files.

Deploy VM Proxy (Service)

This section provides you information about how to deploy the Protection Software proxy.

About this task

Deploy the VM Proxy (Service) proxy on each vCenter that you intend to protect.

Steps

1. Open a browser and enter https://<ACM IP address>:8543 to access the ACM UI.

2. Click DPC Web UI and log in to the DPC .

The DPC dashboard page is displayed.

3. Click System Management on the left pane to display the Data Protection Central page.

4. Click the vertical ellipsis for the Protection Software-Protection Software and select Protection Software Proxy Deployment.

The Proxy Management page on the Protection Software UI is displayed.

5. In the right pane, click the vertical ellipsis in front of the IDPA Protection Software and select Protection Software Proxy Deployment.

6. In the Config section, perform the following actions to select the vCenter, enter the Data Change Rate and Backup Window, and then select the checkbox.

a. Select the VMware vCenter server that you added. For more information about adding a VMware vCenter server as a backup client, see Define vCenter and VMware clients.

b. Enter the data change rate in the Data Change Rate (%) field.

c. Enter the number of minutes in the Backup Window (minutes) field.

d. Select the Protect Virtual Machines on Local Storage checkbox.

7. Click CREATE RECOMMENDATION .

The Recommendations section displays the proposed new proxies under each host.

8. Expand the listings in the Recommendations section and select New proxy under the Hypervisor server host.

9. Click .

The Proxy window is displayed.

a. Enter the proxy hostname in the Name field.

b. Select a Protection Software server Domain where this proxy resides.

c. Enter the IP address in the IP field.

d. Select a datastore from the Datastore list.

e. Select a network from the Network list.

f. Enter the server name or IP address in the DNS field.

g. Enter the network gateway IP address in the Gateway field.

h. Enter the network mask in the Netmask field.

i. Enter the IP address in the NTP field.

j. Click SAVE.

10. Click on the Recommendations section to deploy the proxy.

The proxy deployment is displayed in the lower panel.


Create and run the backup policy

This section provides you information about how to create a backup policy. The backup policy is created to protect the VMware client.

About this task

To create the policy, perform the following actions.

Steps

1. Click DPC Web UI and log in to the DPC .

The DPC dashboard page is displayed.

2. Click System Management on the left pane to display the Data Protection Central page.

3. Click the vertical ellipsis for the Protection Software-Protection Software and select Manage Policies .

The System Management > Manage Policies page is displayed.

4. In the Manage Policies page, click plus ( + ).

The Add policy window is displayed.

5. Select or enter the details that are required in the fields to create a new backup policy using the following table. Click Next to continue to the next page.

Table 19. Adding Policies

Page | Field | Description
Information | Name | The policy name.
Information | Domain | Accept the default entry.
Information | Enabled | Click to enable the policy.
Information | Dataset | Select VMware Image Dataset.
Information | Schedule | Select Daily Schedule.
Information | Retention | Select Default Retention.
Clients (Optional) | Available clients | Select the VM client defined earlier in this guide.
Proxies (Optional) | Available proxies | Select the proxy defined earlier in this guide.

6. Click Finish .

The new policy is displayed in the policy list.

7. To run the policy, select the policy from the list and click BACKUP NOW .

8. Monitor the policy by clicking Systems under Job Activities in the left pane.

Restoring a VM backup

This section describes the three different methods of restoring the service backup using the UI.

Restore a VM

Restore using instant access

Restore specific files

Restore a VM

This section provides you information about the basic Service restore procedure.

Prerequisites

A backup of the VM must exist in order to perform a restore.


About this task

To restore a service, perform the following actions.

Steps

1. Click DPC Web UI and log in to the DPC .

The DPC dashboard page is displayed.

2. Click System Management on the left pane to display the Data Protection Central page.

3. Click the vertical ellipsis for the Protection Software-Protection Software and select Protection Software Restore .

The Asset Management page on the Protection Software UI is displayed.

4. Expand the vCenter that you added in the Domain pane and select Virtual Machines to display the VM clients belonging to that vCenter.

5. In the client list, select the VM client that you want to restore.

6. Click VIEW MORE to view the list of all the backups.

7. Select the latest backup from the list and click RESTORE .

The Select Restore Content window is displayed.

8. Select the content that you want to restore and click NEXT .

The Restore window is displayed.

9. Select or enter the details that are required in the fields to restore from a virtual machine using the following table. Click Next to continue to the next page.

Use the following table to complete each wizard page, clicking NEXT to proceed to the next page.

Table 20. Restoring from a VM

Wizard pages: Basic Config, Advanced Config

Field | Description
Destination | Select Restore to new Virtual Machine.
Post Restore Options | Select Do not power on VM after restore.
Proxy | Select Automatic.
Use CBT to increase performance | Select the checkbox to increase the performance using CBT.
vCenter | Select the IP address of the vCenter to manage the restored VM.
VM Name | Enter a name for the restored VM.
Location | Expand the tree and select the VM where you want to perform the restore.
Host/Cluster | Expand the tree and select the Hypervisor host/cluster.
Resource Pool | Expand the tree and select the resource pool.
Datastore | Select the destination ESX datastore.

NOTE: The options in the Restore wizard change based on the options you select during the restore procedure.

10. On the Summary page, review your entries and click FINISH to perform the restore.

NOTE: To monitor the results, click Activity in the Protection Software UI navigation tree and view the processing results on the right Activity pane.


Restore using Instant Access

You can use the instant access feature to perform near real-time recovery of a service. Protection Software mounts a service backup image on an NFS share in your backup environment and powers on the service so that it can be managed in vCenter.

About this task

To restore a VM using the instant access feature, perform the following actions.

NOTE: After you complete these steps, you should move the service from your backup environment to the production system.

Steps

1. Click DPC Web UI and log in to the DPC .

The DPC dashboard page is displayed.

2. Click System Management on the left pane to display the Data Protection Central page.

3. Click the vertical ellipsis for the Protection Software-Protection Software and select Protection Software Restore .

The Asset Management page on the Protection Software UI is displayed.

4. Expand the vCenter that you added in the Domain pane and select Virtual Machines to display the VM clients belonging to that vCenter.

5. In the client list, select the VM client that you want to restore.

6. Click RESTORE .

The Quick Restore dialog box is displayed.

NOTE: The quick restore feature restores the latest backup.

7. Click OK .

The Select Restore Content window is displayed.

8. Select the content that you want to restore and click NEXT .

The Restore window is displayed.

9. Select or enter the details that are required in the fields to restore from a virtual machine using the following table. Click NEXT to continue to the next page.

Use the following table to complete each wizard page, clicking NEXT to proceed to the next page.

Table 21. Restore Using Instant Access

Wizard pages: Basic Config, Advanced Config

Field | Description
Destination | Select Instant Access.
Proxy | Select Automatic.
vCenter | Select the IP address of the vCenter to manage the restored VM.
VM Name | Enter a name for the restored VM.
Location | Expand the tree and select the VM where you want to perform the restore.
Host/Cluster | Expand the tree and select the Hypervisor host/cluster.
Resource Pool | Expand the tree and select the resource pool.

NOTE: The options in the Restore wizard change based on the options you select during the restore procedure.

10. On the Summary page, review your entries and click FINISH to perform the restore.

NOTE: To monitor the results, click Activity in the Protection Software UI navigation tree and view the processing results on the right Activity pane.


Restore specific files

You can restore specific files directly from search results.

Prerequisites

Ensure that Protection Software is indexing your backed-up service images. For instructions, see the Dell EMC Search Administration Guide.

About this task

In this procedure, the Search application is used to search for and restore specific files in a service backup. To restore specific files, perform the following actions.

Steps

1. Click DPC Web UI and log in to the DPC .

The DPC dashboard page is displayed.

2. Click Search and Recovery on the left pane.

The application opens the Search page.

3. In the Search field, enter a query to retrieve specific files and click Search . (You can also use filter options to refine the search results.)

The application displays the list of files based on your query.

4. Select one or more files that you want to restore and click Restore to display the Restore dialog.

5. Select or enter the details that are required in the fields to restore from the search results using the following table. Click Next to continue to the next page.

Table 22. Restore Specific Files

Field | Description
Original path / Destination path | Select the restore location. When applicable, click Overwrite and select Restore Access Control List to protect the file with the same access control list settings.
Client | When Destination Path is selected, select the client where you want to save the file.
Restore to | Specify the path where you want to save the file.
Username / Password | Specify the service user name and password.

6. Click Restore to initiate the restore process.

7. To monitor the results, click View Jobs under the Search field, refreshing the screen to view ongoing actions.

Generating reports

This section provides information on how to generate reports using the Data Protection Central UI.

Generate a report

This feature enables you to generate reports for Protection Software and Protection Storage systems. There are 11 preconfigured reports that you can generate.

About this task

For more information about these reports, see the Dell EMC Data Protection Advisor Product Guide .

If you want to generate your own reports, see the Dell EMC Data Protection Custom Report Guide .


Steps

1. Click DPC Web UI and log in to the DPC.

The DPC dashboard page is displayed.

2. Click Reports on the left pane.

On the right pane, each type of report is displayed. The pane displays both Protection Software and Protection Storage reports. To filter the reports shown, select the Protection Software check box, the Protection Storage check box, or both in the upper right.

The report period for each report is displayed in the lower right. The default report period is the previous week, but you can change the time period by clicking the LAST WEEK list and selecting a different period.

3. To generate a report, click RUN REPORT under the report name.

IDPA generates the report and, on completion, displays View Last Report with the timestamp.

4. Click View Last Report to display the report in a new window.


5

Additional resources

Topics:

IDPA training resources

IDPA training resources

Video walkthroughs, demonstrations, and explanations of product features are available online.

You can obtain additional IDPA training and information at https://education.emc.com.


6

Self-contained deployment (optional)

Self-contained deployment refers to configuring the appliance network using the ACM IP for DNS, NTP, and Gateway. This is an optional task. Perform this task only if you do not have a valid IP address for DNS, NTP, and Gateway. After the appliance is deployed and configured successfully, you can change the DNS, NTP, and Gateway from the ACM dashboard.

Prerequisites

● Self-contained deployment is supported only on an IPv4 network.

NOTE: You cannot configure the ACM as DNS and NTP on an IPv6 network.

● In a single network configuration, there should be at least two uplinks that are connected to the switch.

Perform the following temporary workaround if you do not have two uplinks:

Assign two temporary IPs in different subnets (subnet should be different than Protection Storage management IP) to Protection Storage backup IPs. These IPs do not require DNS entries. After the deployment, change the Protection Storage IPs assigned to these NICs and update the Protection Storage ifgroup. This workaround prevents the Protection Storage configuration failure.

About this task

Perform the following steps when you are on the Network Configuration page on ACM.

Steps

1. Open an SSH session as a root user on ACM using a private IP.

2. Run the command: cd /usr/local/dataprotection/var/configmgr/server_data/config/

3. Open the file commonconfig.xml using vi editor: vi commonconfig.xml

4. Find the following tags:

<configureAcmDNS>false</configureAcmDNS>

<configureAcmNTP>false</configureAcmNTP>

5. Change the values of the tags based on the mode of deployment:

● To configure DNS, set the value of tag configureAcmDNS as true

● To configure NTP, set the value of tag configureAcmNTP as true

6. Save the commonconfig.xml file.

7. Perform these steps to configure DNS:

a. Run the command: cd /usr/local/dataprotection/customscripts/

b. Open the file dns_ip_hostname_mappings.properties using vi editor: vi dns_ip_hostname_mappings.properties

The content of the file depends on the appliance model. Verify that the required keys are present in the file; if they are not, add them manually.

c. Enter the required IPs, hostname mapping, and other details as per the keys present in the file. See the following guidelines for updating the file:

● To use the IP range for assigning IP addresses and host names to the respective components, see IP address requirements on page 17.

NOTE: IP range validation is not supported in self-contained deployment.

● For a single network, leave the separate backup network fields blank.

NOTE: Enter the short hostname and not the FQDN.

● Hostname entries must not contain underscore (_).


● Enter the IP address or hostname for the optional components (Reporting and Analytics, Search, and Cloud DR).

If the corresponding IP addresses or hostnames are not added in the file during deployment, then the optional components cannot be deployed from the ACM dashboard later while ACM is being used as DNS.

d. Save the dns_ip_hostname_mappings.properties file.

e. Go to the ACM Network Configuration page on the Internet browser and refresh the page.

The Network Configuration page should be automatically populated if the dns_ip_hostname_mappings.properties file is updated with all the required fields.

8. Enter the ACM IP in the NTP server IP Address field.

9. Click Submit.

Results

● After you configure basic networking, your web browser automatically redirects to the ACM IP address assigned during network configuration.

NOTE: For automatic forwarding to work correctly, the computer you use to complete the configuration must be connected to the same network as the configured ACM IP address.

● If you cannot have connections to both public and private networks simultaneously, disconnect from the private appliance configuration network and then connect to the network that the ACM IP address is on to complete the rest of the configuration.

● If the network configuration fails, you can click Rollback to revert all the settings. Review the settings, modify if required, and then configure the network settings again.

Next steps

● After the network configuration is complete, revert the network adapter IP address settings on the service computer to their previous state.

● After completing the network configuration, see Configure IDPA DP4400 Software on page 24 for the steps to install and deploy the appliance.

● For adding new IP addresses and hostname entries in the DNS running as ACM, see Add IPs and hostname entries on page 82.

● After deploying the appliance, you can change the DNS, NTP, and Gateway IP addresses from the ACM dashboard. See the Integrated Data Protection Appliance Product Guide for more information.

Topics:

Add IPs and hostname entries

Add IPs and hostname entries

This section describes the steps to add the IP addresses and hostname entries to the DNS server running as ACM.

About this task

Perform these steps to add the IPs and hostname entries:

Steps

1. Go to the directory /var/lib/named/master on ACM using the command: cd /var/lib/named/master

2. Add IPs and hostname entries (similar to other entries present in the file) at the end of the following two files. Make sure to add the trailing dot (.) at the end of the FQDN while adding the entries.

NOTE: Apart from adding the new IPs and hostnames to the files, do not modify any other content.

● Forward lookup - <domain_name> file

Where domain_name is the domain name mentioned in the file /usr/local/dataprotection/customscripts/dns_ip_hostname_mappings.properties during network configuration.

● Reverse lookup - <first three octets of reverse subnet IP>.in-addr.arpa file

For example, xx.xx.xx.in-addr.arpa

Where xx.xx.xx is the reversed subnet mentioned in the file /usr/local/dataprotection/customscripts/dns_ip_hostname_mappings.properties during network configuration.

3. Restart the named service using the command: service named restart
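The hostname and zone file rules from the self-contained deployment procedure and from this section, applied to one new host (an added example, not part of the Dell guide): the script rejects values the guide disallows and prints the forward and reverse entries with the trailing dot. The record layout is standard BIND zone syntax and is an assumption, as are the sample IP, hostname, and domain; match the layout of the entries already present in the ACM zone files.

```shell
#!/bin/sh
# Added example, not from the Dell guide. Sample values are constructed.

# Succeed only for a dotted-quad IPv4 address (self-contained deployment is IPv4-only).
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { bad = 1 }
        { for (i = 1; i <= NF; i++)
              if ($i !~ /^[0-9]+$/ || length($i) > 3 || $i + 0 > 255) bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Print why a hostname is unusable and return 1; return 0 when it is acceptable.
check_hostname() {
    case "$1" in
        '')   echo "hostname is empty"; return 1 ;;
        *_*)  echo "underscore (_) is not allowed"; return 1 ;;
        *.*)  echo "enter the short hostname, not the FQDN"; return 1 ;;
        # General hostname syntax (not a rule stated in the guide):
        *[!A-Za-z0-9-]*|-*|*-)
              echo "only letters, digits and inner hyphens are valid"; return 1 ;;
    esac
    return 0
}

# Usage: acm_dns_entries IPV4 SHORT_HOSTNAME DOMAIN
# Prints the two zone file names and the line to append to each file.
# The body runs in a subshell so IFS and positional parameters stay local.
acm_dns_entries() (
    ip=$1; host=$2; domain=${3%.}
    is_ipv4 "$ip" || { echo "error: '$ip' is not an IPv4 address" >&2; exit 1; }
    reason=$(check_hostname "$host") || { echo "error: '$host': $reason" >&2; exit 1; }
    [ -n "$domain" ] || { echo "error: domain name is required" >&2; exit 1; }

    fqdn="$host.$domain."          # trailing dot makes the name absolute
    IFS=.; set -- $ip; unset IFS   # $1..$4 now hold the four octets

    echo "forward_file=$domain"
    echo "forward_entry=$fqdn IN A $ip"
    echo "reverse_file=$3.$2.$1.in-addr.arpa"
    echo "reverse_entry=$4 IN PTR $fqdn"
)

# Constructed sample: host "search01" at 192.168.10.25 in the zone idpa.example
acm_dns_entries 192.168.10.25 search01 idpa.example
```

Review the printed lines against the existing entries in both files before appending them and restarting named.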


A

Network ports

This appendix contains information about the network ports for the following components:

Topics:

Protection Software

Protection Storage

Data Protection Central

Search

Reporting & Analytics

Secure Remote Services

Remote server management (iDRAC)

Cloud DR

Protection Software

The following table lists the Protection Software port requirements.

Table 23. Port requirements

| Port/Protocol | Source | Destination | Description |
| 29000/TCP | Utility node | Storage node | Protection Software subsystem using SSL |
| 29000/TCP | Storage node | Utility node | Protection Software subsystem using SSL |
| 30001/TCP | Utility node | Storage node | MCS using SSL |
| 30001/TCP | Storage node | Utility node | MCS using SSL |
| 30002/TCP | Protection Software server | Protection Software client | Protection Software client using SSL |
| 30002/TCP | Protection Software client | Protection Software server | Protection Software client using SSL |
| 30003/TCP | Utility node | Storage node | MCS using SSL |
| 30003/TCP | Storage node | Utility node | MCS using SSL |

For detailed information about ports, see the Port Requirements Appendix in the Dell EMC Avamar 19.4 Product Security Guide.

Utility node required inbound ports

The table in this section describes the inbound ports that must be open on a Protection Software utility node.

The following table describes the inbound ports that must be open on a Protection Software utility node. For every port listed in this table, the Protection Software utility node is the destination and the source is listed in the Source computer column.

NOTE: Protection Software 7.5.1 removes support for HTTP access to TCP ports 80 and 7580. Use the HTTPS ports 443 and 7543 to access these services instead.


Table 24. Required inbound ports on the utility node

| Port | Protocol | Service name | Source computer | Additional information |
| N/A | ICMP Types 3, 8, and 11 | ICMP | Protection Software clients; Other Protection Software servers; Protection Storage system | Protection Software clients periodically ping the Protection Software server to determine the best interface for communicating with the MCS. The Protection Software server sends an ICMP response. Protection Software servers also ping associated systems, such as replication destinations and Protection Storage. |
| 22 | TCP | SSH | Administrator computers; Other Protection Software server nodes | Secure shell access. |
| 69 | TCP | TFTP | Internal switch | |
| 123 | TCP/UDP | NTP | NTP time servers | Provides clock synchronization from network time protocol servers. |
| 163 | UDP | SNMP | Protection Storage system | Getter/setter port for SNMP objects from a Protection Storage system. Required when storing Protection Software client backups on a Protection Storage system. |
| 443 | TCP | HTTPS protocol over TLS/SSL | Web browser clients; Reverse proxy web server; AvInstaller; Protection Software Downloader Service host; Protection Software Key Manager | Provides web browsers with HTTPS access to Protection Software services. A reverse proxy web server can be used to limit access to this port. |
| 700 | TCP/UDP | Login Manager | Web browser clients; Reverse proxy web server | |
| 703 | TCP | AKM service | Protection Software server nodes | Used for key management. |
| 1234 | TCP | Protection Software installation utility HTTPS | Web browser clients | Only open this port for installation of the Protection Software. Only permit access from trusted administrator computers that are used during software installation. NOTE: Close this port when installation of the Protection Software is complete. Protection Software services do not listen on port 1234. |
| 2888 | TCP | AVDTO | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 5555 | TCP | PostgreSQL administrator server | Clients running Protection Software Client Manager and Reporting and Analytics; PostgreSQL administrator client computers | This port is open by default. The section Securing the Postgres firewall port in the Avamar Product Security Guide provides more instructions to enable selective access. Limit access to trusted administrator computers. |
| 5568 | TCP | PostgreSQL | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 5671 | TCP | Message Bus | localhost; Other Protection Software utility nodes; Protection Software Extended Retention computers; Backup and Recovery Manager computers | Message Bus is a message broker that is used to enhance asynchronous interprocess communication. |
| 6667 | TCP | Archive Service Event | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 7000 | TCP | Apache Tomcat | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 7443 | TCP | Apache Tomcat | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 7543 | HTTPS/SSL | Update Manager | Web browser clients | Web browser clients use this port to create HTTPS connections to Protection Software Installation Manager. Limit access to trusted administrator computers. |
| 7544 | TCP | Update Manager | Jetty socket clients | Jetty socket clients use this port to send a shutdown signal to its Jetty web server. Limit access to trusted administrator computers. |
| 7778–7781 | TCP | RMI | Protection Software Administrator management console | Used for connections from the Protection Software console. Limit access to trusted administrator computers. |
| 8105 | TCP | Apache Tomcat | Protection Software client computers | Used by Protection Software Desktop/Laptop. |
| 8109 | TCP | Apache Tomcat | Protection Software client computers | Used by Protection Software Desktop/Laptop. |
| 8181 | TCP | Apache Tomcat | Protection Software client computers | Connections from Protection Software client computers and from AvInstaller hosts are redirected to this port. |
| 8444 | TCP | Apache Tomcat | Web browser clients | Web browser connections from Protection Software Desktop/Laptop client computers are redirected to this port. |
| 8505 | TCP | Apache Tomcat | Utility node or single-node server | Protection Software Desktop/Laptop uses this port to send a shutdown command to its Apache Tomcat server. Limit access to the utility node or single-node server. |
| 8580 | TCP | AvInstaller | Web browser clients | Used for connections from Protection Software Downloader Service computer, and for access to AvInstaller from other web browser clients. |
| 9443 | TCP | RMI - Protection Software Management Console web services | Web browser clients | |
| 19000 | TCP/UDP | Protection Software subsystem (also known as GSAN) | Protection Software server nodes | Protection Software subsystem communication. |
| 19500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 20000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 20500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 25000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 25500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 26000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 26500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 27000 | TCP | Protection Software server | Protection Software client computers; Protection Software server nodes; Protection Software nodes acting as a replicator source | Protection Software subsystem communication. This port is blocked by default for new Protection Software installations. Open this port to allow unencrypted backups. |
| 27500 | TCP | Protection Software server | Protection Software server nodes; Protection Software nodes acting as a replicator source | Protection Software subsystem communication. |
| 28001 | TCP | Protection Software server CLI; MCS; Avagent | Protection Software client computers; VMware proxy; Replication source; Replication target | CLI commands from client computers. Avagent to MCS communication. Bi-directional communication between avagent and MCS on the replication source Protection Software server and the replication destination Protection Software server to permit authentication key exchange. |
| 28002–28011 | TCP | | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 28009 | TCP | avagent | VMware proxy | Unsecure communication with VMware proxy. |
| 28810-28819 | TCP | ddrmaint | localhost | Internal use only for token-based authentication when connecting to Protection Storage; only localhost can use it. |
| 29000 | TCP | Protection Software server SSL | Protection Software client computers; Protection Software server nodes | Protection Software subsystem communication. |
| 30001 | TCP | MCS | Protection Software client computers; VMware proxy; Protection Software server nodes | 2-way secure socket communication. Avagent to MCS communication. MCS communication over SSL. |
| 30002 | TCP | avagent | Protection Software client computers | Client communication over SSL. |
| 30003 | TCP | MCS | Protection Software client computers; Protection Software server nodes | MCS communication over SSL. |
| 30102–30109 | TCP | avagent | VMware proxy | Secure communication with VMware proxy. |
| 61617 | TCP | Apache ActiveMQ SSL | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
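A host-side cross-check of the cautions in Table 24, as an added example (not part of the Dell guide): it reads `ss -tln` style output and flags listeners that the table says to close, to keep blocked, or to restrict. The sample socket list is constructed, and the availability of `ss` on the node is an assumption.

```shell
#!/bin/sh
# Added example, not from the Dell guide. The socket list below is constructed.

# Reads "ss -tln" style lines on stdin and prints one tab-separated finding per
# flagged socket: port, bind address, tag, reason taken from the port table.
audit_listeners() {
    awk '
    function report(tag, why) { printf "%d\t%s\t%s\t%s\n", port, addr, tag, why }
    $1 == "LISTEN" {
        # Column 4 is "address:port"; split on the last colon.
        port = $4; sub(/^.*:/, "", port); port += 0
        addr = $4; sub(/:[0-9]+$/, "", addr)
        loopback = (addr == "127.0.0.1" || addr == "[::1]")

        if (port == 1234) {
            report("CLOSE", "installation utility port; close it when installation is complete")
        } else if (port == 80 || port == 7580) {
            report("HTTP", "HTTP access was removed in 7.5.1; use HTTPS ports 443 and 7543")
        } else if (port == 27000) {
            report("UNENCRYPTED", "blocked by default; open only to allow unencrypted backups")
        } else if (port >= 28810 && port <= 28819) {
            if (!loopback)
                report("LOCAL-ONLY", "ddrmaint token port; only localhost can use it")
        } else if (!loopback && (port == 5555 || port == 7543 || port == 7544 ||
                   (port >= 7778 && port <= 7781) || port == 8505)) {
            report("RESTRICT", "table limits who may connect; verify the firewall source rules")
        }
    }'
}

# Constructed sample in the column layout of "ss -tln" (header line omitted).
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 50 0.0.0.0:1234 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5555 0.0.0.0:*
LISTEN 0 1 127.0.0.1:8505 0.0.0.0:*
LISTEN 0 128 0.0.0.0:27000 0.0.0.0:*
LISTEN 0 128 127.0.0.1:28810 0.0.0.0:*
LISTEN 0 128 [::]:7580 [::]:*
EOF
}

sample_listeners | audit_listeners
```

A listening socket only shows that the service is up; whether remote sources can reach it still depends on the node's firewall rules, so treat RESTRICT findings as a prompt to review those rules.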


Utility node optional inbound ports

This section describes the recommended, but optional, inbound ports for a Protection Software utility node.

The following table describes the recommended, but optional, inbound ports for a Protection Software utility node. For every port listed in this table, the Protection Software utility node is the destination and the source is listed in the Source computer column.

Table 25. Optional inbound ports on the utility node

| Port | Protocol | Service name | Source computer | Additional information |
| 514 | UDP | syslog | Utility node or single-node server | Protection Software server connects to this port to communicate events to syslog. |
| 8509 | TCP | Apache Tomcat | Utility node or single-node server | The Apache JServ Protocol (AJP) uses port 8509 to balance the work load for multiple instances of Tomcat. |

Utility node required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from a Protection Software utility node.

The following table describes the outbound ports that must be accessible to network packets that are sent from a Protection Software utility node. For each row, the utility node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 26. Required outbound ports for the utility node

| Port | Protocol | Destination computer | Additional information |
| N/A | ICMP Types 3, 8, and 11 | Protection Software clients; Other Protection Software servers; Protection Storage system | Protection Software clients periodically ping the Protection Software server to determine the best interface for communicating with the MCS. The Protection Software server sends an ICMP response. Protection Software servers also ping associated systems, such as replication destinations and Protection Storage. |
| 7 | TCP | Protection Storage system | Required to register a Protection Storage system for storing Protection Software client backups. |
| 23 | TCP | Internal | Required for communication with internal switches and for firmware upgrades. |
| 25 | TCP | Protection Software Customer Support | Required to allow ConnectEMC to make an SMTP connection with Customer Support. |
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. |


Table 26. Required outbound ports for the utility node (continued)

Port

88

111

123

161

389

Protocol

TCP/UDP

TCP/UDP

UDP

TCP/UDP

Destination computer

Key Distribution Center (KDC) Required for access to

Kerberos authentication system.

RPC port mapper service on the Protection Storage system

Only required when backups are stored on a Protection

Storage system. Access to

RPC and NFS port mapper functionality on a Protection

Storage system.

NTP time servers

SNMP service on the

Protection Storage system

LDAP

Additional information

VMware proxy nodes require the TCP connection to DNS.

Provides synchronization of system time from network time protocol servers.

Only required when backups are stored on a Protection

Storage system.

Provides access to directory services.

443 ● Hypervisor Platform API

● TCP

464

902

2049

2052

5671

5696

7443

TCP

TCP

TCP/UDP

TCP/UDP

TCP

TCP

TCP

● Hypervisor Manager

● Protection Software Key

Manager

Key Distribution Center (KDC) Required for access to the Kerberos Change/Set password.

Hypervisor server proxy service

NFS daemon on the

Protection Storage system

NFS mountd process on the

Protection Storage system

● localhost

● Other Protection Software utility nodes

● Protection Software

Extended Retention computers

● Backup and Recovery

Manager computers

Only required when backups are stored on a Protection

Storage system. Outbound communication must be open for both TCP and UDP protocols.

Message Bus messaging.

Message Bus is a message broker used to enhance asynchronous interprocess communication.

KMIP-compliant key management server

Only required when backups are stored on a Protection

Storage system.

Media Access node that hosts Protection Software

Extended Retention

Recommended port for AKM external key management operation.

Only required when using the Protection Software

Extended Retention feature.


Table 26. Required outbound ports for the utility node (continued)

| Port | Protocol | Destination computer | Additional information |
| 7444 | TCP | Hypervisor Manager | For utility node configurations that also run the VMware Backup Appliance this port is opened by an if/then clause in the firewall rules. Otherwise, this port is not required. Used to test Hypervisor Manager credentials. |
| 7543 | HTTPS/SSL | Update Manager | Web browser clients use this port to create HTTPS connections to Protection Software Installation Manager. Limit access to trusted administrator computers. |
| 7544 | TCP | Update Manager | Jetty socket clients use this port to send a shutdown signal to its Jetty web server. Limit access to trusted administrator computers. |
| 7543 | HTTPS | Update Manager | Used for connections from the Protection Software Downloader Service computer, and for access to Update Manager from other web browser clients. |
| 8080 | TCP | NetWorker server | For utility node configurations that also run the VMware Backup Appliance this port is opened by an if/then clause in the firewall rules. Otherwise, this port is not required. Used to register with a NetWorker server. |
| 8580 | TCP | Computer running Protection Software Downloader Service | Used to make requests for package downloads from the Protection Software Downloader Service computer. |
| 9443 | TCP | Managed Protection Software servers | Protection Software Management Console web services use this outbound port for RMI communication via a dynamically assigned port on managed Protection Software servers. |
| 19000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 19500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 20000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 20500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 25000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 25500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 26000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 26500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 27000 | TCP | Protection Software server nodes | Protection Software subsystem communication. |
| 28001 | TCP | Replication source system and replication target system | Replication requires bidirectional access between the replication source Protection Software server and the replication destination Protection Software server to permit authentication key exchange. |
| 28009 | TCP | VMware proxy | MCS access to proxy logs. |
| 28011 | TCP | Protection Software Extended Retention Media Access Node | The firewall rules open this port when you install support for Protection Software Extended Retention. |
| 29000 | TCP | Protection Software server nodes | Protection Software subsystem communication over SSL. |
| 30001 | TCP | Protection Software server nodes | MCS communication over SSL. |
| 30002 | TCP | Protection Software client computers | Communication with avagent. |
| 30003 | TCP | Protection Software server nodes | MCS communication over SSL. |
| 30002 - 30009 | TCP | VMware proxy | Avagent paging port. Secured communication with VMware proxy. |
| 30102 | TCP | VMware proxy | Avagent paging port. Secure communication with VMware proxy. |
| 61617 | TCP | Media Access node that hosts Protection Software Extended Retention | Only required when using the Protection Software Extended Retention feature. |
| 61619 | TCP | Computer running Backup and Recovery Manager. | Required to permit communication with Backup and Recovery Manager. |


Storage node required inbound ports

This section describes the inbound ports that must be open on each Protection Software storage node.

The following table describes the inbound ports that must be open on each Protection Software storage node. For every port listed in this table, the Protection Software storage node is the destination and the source is listed in the Source computer column.

Table 27. Required inbound ports on each storage node

| Port | Protocol | Service name | Source | Additional information |
| 22 | TCP | SSH | Administrator computers; Other Protection Software server nodes | Secure shell access. |
| 123 | TCP/UDP | NTP | NTP time servers; Protection Software utility node | Permits clock synchronization from network time protocol servers (exochronous) and from the utility node (isochronous). |
| 19000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 19500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 20000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 20500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 25000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 25500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 26000 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 26500 | TCP/UDP | Protection Software subsystem | Protection Software server nodes | Protection Software subsystem communication. |
| 27000 | TCP | Protection Software server | Protection Software client computers; Protection Software nodes acting as a replicator source | Protection Software subsystem communication. This port is blocked by default for new installations. Open this port to allow unencrypted backups. |
| 29000 | TCP | Protection Software server SSL | Protection Software client computers; Protection Software server nodes | Protection Software subsystem communication. |
| 30001 | TCP | MCS SSL | Protection Software server nodes | MCS communication. |
| 30003 | TCP | MCS SSL | Protection Software server nodes | MCS communication. |

Storage node optional inbound ports

This section describes the recommended, but optional, inbound ports for a Protection Software storage node.

The following table describes the recommended, but optional, inbound ports for a Protection Software storage node. For every port listed in this table, the Protection Software storage node is the destination and the source is listed in the Source computer column.

Table 28. Optional inbound ports on the storage node

| Port | Protocol | Service name | Source computer | Additional information |
| 623 | UDP | IPMI | Remote management clients | Management clients connect to this port to issue IPMI commands to the node operating system and BMC. This port is independent of the remote RMC console ports described in the Remote management interface ports section of the Dell EMC Protection Software Product Security Guide. |

Storage node required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from each Protection Software storage node.

The following table describes the outbound ports that must be accessible to network packets that are sent from each Protection Software storage node. For each row, the storage node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 29. Required outbound ports for each storage node

| Port | Protocol | Destination | Additional information |
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. TCP connection to DNS is required by VMware proxy nodes. |
| 123 | TCP/UDP | NTP time servers and the Protection Software utility node | Permits clock synchronization from network time protocol servers (exochronous) and from the utility node (isochronous). |
| 703 | TCP | Utility node | Permits access to the AKM service on the utility node. |
| 19000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 19500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 20000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 20500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 25000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 25500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 26000 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 26500 | TCP/UDP | Protection Software server nodes | Protection Software subsystem communication. |
| 27000 | TCP | Protection Software server nodes | Protection Software subsystem communication. |
| 29000 | TCP | Protection Software server nodes | Protection Software subsystem communication over SSL. |
| 30001 | TCP | Protection Software server nodes | MCS communication over SSL. |
| 30003 | TCP | Protection Software server nodes | MCS communication over SSL. |

Protection Software client required inbound ports

This section describes the inbound ports that must be open on a Protection Software client.

The following table describes the inbound ports that must be open on a Protection Software client. For every port listed in this table, a Protection Software client is the destination and the source is listed in the Source computer column.

Table 30. Required inbound ports on a Protection Software client

| Port | Protocol | Service name | Source | Additional information |
|---|---|---|---|---|
| 28002 | TCP | avagent | Protection Software server | Provides management functionality from Protection Software Administrator. |
| 30001 | TCP | MCS | Protection Software utility node | 2-way secure socket |
| 30002 | TCP | avagent | Protection Software utility node | |

Protection Software client required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from a Protection Software client.

The following table describes the outbound ports that must be accessible to network packets that are sent from a Protection Software client. For each row, the Protection Software client is the source computer that must have outgoing access to the listed port on the listed destination computer.

NOTE: Protection Software 7.5.1 removes support for HTTP access to TCP port 80. Use the HTTPS port 443 to access these services instead.

Table 31. Required outbound ports for a Protection Software client

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. |
| 111 | TCP/UDP | Protection Storage system | Required for backing up clients to Protection Storage. |
| 123 | UDP | NTP time servers | Provides clock synchronization from network time protocol servers. |
| 443 | TCP | Protection Software server HTTPS service | Required to use the web browser UI of Protection Software Desktop/Laptop and the web browser UI of Protection Software Web Restore. |
| 2049 | TCP/UDP | Protection Storage system | Required for backing up clients to Protection Storage. |
| 2052 | TCP/UDP | Protection Storage system | Required for backing up clients to Protection Storage. |
| 3008 | TCP | Archive tier service on Protection Storage system | Only required when backups are stored on a Protection Storage system and archive tier is used. |
| 8105 | TCP | Protection Software server | Used by Protection Software Desktop/Laptop. |
| 8109 | TCP | Protection Software server | Used by Protection Software Desktop/Laptop. |
| 8181 | TCP | Protection Software server HTTP redirect port | Required to use the web browser UI of Protection Software Desktop/Laptop and the web browser UI of Protection Software Web Restore. |
| 8444 | TCP | Protection Software server HTTPS redirect port | Required to use the web browser UI of Protection Software Desktop/Laptop and the web browser UI of Protection Software Web Restore. |
| 27000 | TCP | Protection Software server | Protection Software subsystem communication. |
| 28001 | TCP | Protection Software server | CLI commands from client computers. |
| 29000 | TCP | Protection Software server | Protection Software subsystem communication. |
| 30001 | TCP | Protection Software utility node | MCS |
| 30003 | TCP | Protection Software utility node | MCS |

Protection Software Downloader Service host required inbound port

This section describes the inbound port that must be open on a Protection Software Downloader Service host.

The following table describes the inbound port that must be open on a Protection Software Downloader Service host. For the port listed in this table, a Protection Software Downloader Service host is the destination and the source is listed in the Source computer column.

Table 32. Required inbound port on a Protection Software Downloader Service host

| Port | Protocol | Service name | Source | Additional information |
|---|---|---|---|---|
| 8580 | TCP | Protection Software Downloader Service | Protection Software server | Protection Software server connects to this port to access the Protection Software Downloader Service. |

Protection Software Downloader Service host required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from a Protection Software Downloader Service host.

The following table describes the outbound ports that must be accessible to network packets that are sent from a Protection Software Downloader Service host. For each row, a Protection Software Downloader Service host is the source computer that must have outgoing access to the listed port on the listed destination computer.

NOTE: Protection Software 7.5.1 removes support for HTTP access to TCP port 80. Use the HTTPS port 443 to access these services instead.

Table 33. Required outbound ports for a Protection Software Downloader Service host

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 21 | TCP | Protection Software FTP server | Provides the Protection Software Downloader Service with FTP access to updates, security rollup packages, hotfixes, and patches. |
| 53 | TCP/UDP | DNS | Required for name resolution and DNS zone transfers. |
| 123 | UDP | NTP time servers | Provides clock synchronization from network time protocol servers. |
| 443 | TCP | Protection Software server HTTPS service | Provides HTTPS access to the AvInstaller service. |

Required ports when using a Protection Storage system

The following table describes the general port requirements when a Protection Software system is deployed with a Protection Storage system as a storage target:

Table 34. Required ports when using a Protection Storage system

| Port | Protocol | Source | Destination | Service | Additional information |
|---|---|---|---|---|---|
| 7 | TCP | Utility node | Protection Storage system | ECHO | Required to register a Protection Storage system for storing Protection Software client backups. |
| 22 | TCP | Utility node | Protection Storage system | SSH | Secure shell communication with the Protection Storage system. |
| 111 | TCP/UDP | Utility node; Protection Software client | Protection Storage system | RPC port mapper service | Access to RPC and NFS port mapper functionality on a Protection Storage system. |
| 161 | UDP | Utility node | Protection Storage system | SNMP | This is the getter/setter port for SNMP objects from a utility node. |
| 163 | UDP | Protection Storage system | Utility node | SNMP | none |
| 2049 | TCP/UDP | Utility node | Protection Storage system | NFS daemon | none |
| 2049 | TCP/UDP | Protection Software client | Protection Storage system | NFS daemon | Only required when backups are stored on a Protection Storage system. |
| 2052 | TCP/UDP | Utility node | Protection Storage system | NFS mountd process | Outbound communication must be open for both protocols: TCP and UDP. |
| 2052 | TCP/UDP | Protection Software client | Protection Storage system | NFS mountd process | Only required when backups are stored on a Protection Storage system. |
| 3008 | TCP | Protection Software client | Protection Storage system | Archive tier service | Only required when archive tier is used. |
| 3009 | TCP | Protection Software client | Protection Storage system | Archive tier service | Only required when archive tier is used in the REST API. |

NDMP accelerator node required inbound ports

This section describes the inbound ports that must be accessible to network packets that are sent to each Protection Software accelerator node.

The following table describes the inbound ports that must be accessible to network packets that are sent to each Protection Software accelerator node. For each row, the accelerator node is the destination and the source is listed in the Source computer column:

Table 35. Required inbound ports for each accelerator node

| Port | Protocol | Source | Additional information |
|---|---|---|---|
| 7543 | HTTP/SSL | Web browser clients | Web browser clients use this port to create HTTPS connections to Protection Software Installation Manager. Limit access to trusted administrator computers. |
| 28002-28202 | TCP | Protection Software client/agent | |
| 30002-30202 | TCP | Protection Software client/agent | |

NDMP accelerator node required outbound ports

This section describes the outbound ports that must be accessible to network packets that are sent from each Protection Software accelerator node.

The following table describes the outbound ports that must be accessible to network packets that are sent from each Protection Software accelerator node. For each row, the accelerator node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 36. Required outbound ports for each accelerator node

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 7 | TCP | Protection Storage system | |
| 25 | TCP | Customer Support | Required for SMTP connections between ConnectEMC and Customer Support. |
| 111 | TCP/UDP | Protection Storage system | |
| 443 | TCP | Customer Support | LDLS communication with Customer Support. |
| 2049 | TCP/UDP | Protection Storage system | |
| 2052 | TCP/UDP | Protection Storage system | |
| 3008 | TCP | Protection Storage system | |
| 3009 | TCP | Protection Storage system | |
| 8080 | TCP | Isilon | Required for Isilon platform API access. |
| 8580 | TCP | Computer running Protection Software Downloader Service | Used to make requests for package downloads from the Protection Software Downloader Service computer. |
| 9443 | TCP | RMI - Protection Software Management Console web services | |
| 10000 | TCP | NAS filer | Required for NDMP control messages. |
| 28001 | TCP | Protection Software Administrator management console | |
| 30001 | TCP | Protection Software Administrator management console | |
| 30003 | TCP | Protection Software server nodes | MCS communication over SSL. |

Remote management interface inbound ports

This section describes the inbound ports that should be open on the remote management interface of all Gen4T and Gen4S-based Protection Software nodes.

The following table describes the inbound ports that should be open on the remote management interface of all Gen4T-based Protection Software nodes. The actual ports that should be open depend on your network environment. For every port listed in this table, the remote management interface on the node is the destination and the source is listed in the Source computer column.

Table 37. Inbound ports for the remote management interface on all Gen4T-based nodes

| Port | Protocol | Service name | Source computer | Additional information |
|---|---|---|---|---|
| 80 | TCP | HTTP | Administrator computers | HTTP access |
| 443 | TCP | HTTP protocol over TLS/SSL | Administrator computers | HTTPS access |
| 2068 | TCP | Virtual console and media redirection | Administrator computers | Virtual console keyboard/mouse, virtual media server, virtual media secure service, and virtual console video |

The following table describes the inbound ports that should be open on the remote management interface of all Gen4S-based Protection Software nodes. The actual ports that should be open depend on your network environment. For every port listed in this table, the remote management interface on the node is the destination and the source is listed in the Source computer column.

Table 38. Inbound ports for the remote management interface on all Gen4S-based nodes

| Port | Protocol | Service name | Source computer | Additional information |
|---|---|---|---|---|
| 80 | TCP | HTTP | Administrator computers | HTTP access |
| 443 | TCP | HTTPS | Administrator computers | HTTPS access |
| 5120 | TCP | CDROM media redirection | Administrator computers | |
| 5123 | TCP | Floppy/USB media redirection | Administrator computers | |
| 7578 | TCP | Keyboard, video, mouse | Administrator computers | |

Gen4-based Protection Software nodes have reached end-of-life. Past releases of this guide provide further information about Gen4-based Protection Software nodes.

NOTE:

● Ensure that the local network environment allows for the creation of these connections.

● If using a private intranet, configure the setup of firewall and Network Address Translation (NAT) accordingly.

● Ensure that you open the ports bi-directionally at the firewall level.

Remote management interface outbound ports

This section describes the outbound ports that should be accessible to network packets that are sent from the remote management interface on all Protection Software nodes.

The following table describes the outbound ports that should be accessible to network packets that are sent from the remote management interface on all Protection Software nodes. The actual ports that should be open depend on your network environment. By default, none of these outbound ports are configured to be in use. You must modify the configuration to use those protocols. For each row, the node is the source computer that must have outgoing access to the listed port on the listed destination computer.

Table 39. Outbound ports for the remote management interface on all Protection Software nodes

| Port | Protocol | Destination computer | Additional information |
|---|---|---|---|
| 25 | TCP | Administrator computers | Required to make an SMTP connection with Administrator computers. |
| 53 | TCP/UDP | DNS server | Required for DNS queries. |
| 68 | UDP | Administrator computers | Required for DHCP-assigned IP address. |
| 69 | UDP | Administrator computers | Required for trivial file transfers (TFTP). |
| 162 | UDP | Administrator computers | Required to send SNMP traps. |
| 636 | TCP/UDP | LDAPS server | Required to make Secure LDAP queries. |
| 3269 | TCP/UDP | LDAPS server | Required for LDAPS global catalog (GC). |

NOTE:

● Ensure that the local network environment allows for the creation of these connections.

● If using a private intranet, configure the setup of firewall and Network Address Translation (NAT) accordingly.

● Ensure that you open the ports bi-directionally at the firewall level.

Protection Software VMware Combined Proxy inbound ports

This section describes the inbound port requirements for the Protection Software VMware Combined Proxy.

The following table describes the inbound port requirements for the Protection Software VMware Combined Proxy:

Table 40. Required inbound ports for the Protection Software VMware Combined Proxy

| Port | Protocol | Source | Additional information |
|---|---|---|---|
| 22 | TCP / SSH | Protection Software Administrator | Diagnostic support is optional, but recommended. |
| 902 | TCP / Hypervisor server proxy service | Protection Software server | |
| 5489 | TCP / CIM service | Protection Software deployment | Used to register the proxy. |
| 28009 | TCP / Access proxy logs | Protection Software MCS | |
| 30102 - 30109 | TCP / avagent paging port | Protection Software MCS | |
| 30002 - 30009 | TCP / avagent paging port | Protection Software server | Secured communication with the Protection Software server (utility node). |

Protection Software VMware Combined Proxy outbound ports

This section describes the outbound port requirements for the Protection Software VMware Combined Proxy.

The following table describes the outbound port requirements for the Protection Software VMware Combined Proxy:

Table 41. Required outbound ports for the Protection Software VMware Combined Proxy

| Port | Protocol | Destination | Additional information |
|---|---|---|---|
| 53 | UDP + TCP / DNS | DNS server | UDP + TCP |
| 111 | TCP / UDP | Protection Storage system | Access to RPC and NFS port mapper functionality on a Protection Storage system |
| 443 | TCP / Hypervisor Platform API | Hypervisor hosts | |
| 443 | TCP / Hypervisor Platform API | Hypervisor Manager | |
| 902 | TCP / VDDK | Hypervisor hosts | |
| 2049 | TCP/UDP | Protection Storage system | |
| 2052 | TCP/UDP | Protection Storage system | Outbound communication must be open for both protocols: TCP and UDP |
| 8543 | TCP | Protection Software server | Used for VMware snapshot operations |
| 27000 | TCP / GSAN communication | Protection Software server | Non-secured communication |
| 28001 | TCP / Protection Software MCS / avagent | Protection Software server | |
| 28002 - 28010 | TCP / Protection Software MCS / avagent | Protection Software server | |
| 29000 | TCP / GSAN communication | Protection Software server | Secured communication |
| 30001 | TCP / avagent to MCS communication | Protection Software MCS | Protection Software 7.2 |
| 30002 - 30010 | TCP / Protection Software MCS / avagent | Protection Software server | |
| 30102 - 30109 | TCP / Avagent paging port | Protection Software server | Secured communication with Protection Software server utility node |

Protection Software Hypervisor Platform Combined Proxy ports

This section describes the ports that are required for the Protection Software Hypervisor Platform Combined Proxy.

The following table describes the ports that are required for the Protection Software Hypervisor Platform Combined Proxy:

Table 42. Required ports for the Protection Software Hypervisor Platform Combined Proxy

| Port | Protocol | Source | Destination |
|---|---|---|---|
| 443 | TCP / Hypervisor Platform API | Protection Software Deployment Manager | Hypervisor hosts |
| 443 | TCP / Hypervisor Platform API | Protection Software MCS | Hypervisor Manager (Service) |
| 7444 | TCP / Test Hypervisor Manager credentials | Protection Software MCS | Hypervisor Manager (Service) |

Inbound ports for the Azure network security group

This section describes the rules that should be added to an Azure network security group.

The following tables describe the rules that should be added to an Azure network security group:

NOTE: If you want to restrict the source traffic, set the source with IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

NOTE: Protection Software no longer supports HTTP access to TCP port 80. Use the HTTPS port 443 to access these services instead.

For all table entries:

● The Source and Destination fields are Any .

● The Source port range field is *

● The Action is Allow .

● Assign a unique priority value to each rule, starting at 100.

● Type a unique description for each rule. The value must be unique for both inbound and outbound rules.

Table 43. Inbound ports for the Azure network security group

| Type | Protocol | Destination port range |
|---|---|---|
| SSH | TCP | 22 |
| Custom TCP Rule | TCP | 161 |
| Custom UDP Rule | UDP | 161 |
| Custom TCP Rule | TCP | 163 |
| Custom UDP Rule | UDP | 163 |
| HTTPS | TCP | 443 |
| Custom TCP Rule | TCP | 700 |
| Custom TCP Rule | TCP | 7543 |
| Custom TCP Rule | TCP | 7778 - 7781 |
| Custom TCP Rule | TCP | 8543 |
| Custom TCP Rule | TCP | 9090 |
| Custom TCP Rule | TCP | 9443 |
| Custom TCP Rule | TCP | 27000 |
| Custom TCP Rule | TCP | 28001 - 28002 |
| Custom TCP Rule | TCP | 28810 - 28819 |
| Custom TCP Rule | TCP | 29000 |
| Custom TCP Rule | TCP | 30001 - 30010 |

Outbound ports for the Azure network security group

This section describes the outbound ports for the Azure network security group.

NOTE: If you want to restrict the source of traffic, set the source with IPv4 or IPv6 CIDR block, or a single IPv4 or IPv6 address.

By default, Azure has a rule AllowInternetOutBound with priority 65001 to allow all outbound internet traffic. Override this rule by adding a rule with a priority (that is, an integer number) that is greater than all customized rules' priority, and less than 65000: source: *, destination: *, protocol: *, action: Deny. Azure documentation contains information about creating a firewall rule.

For all table entries:

● The Source and Destination fields are Any .

● The Source port range field is *

● The Action is Allow .

● Assign a unique priority value to each rule, starting at 100.

● Type a unique description for each rule. The value must be unique for both inbound and outbound rules.

Table 44. Outbound ports for the Azure network security group

| Type | Protocol | Destination port range |
|---|---|---|
| Custom TCP Rule | TCP | 7 |
| SSH | TCP | 22 |
| SMTP | TCP | 25 |
| DNS (UDP) | UDP | 53 |
| Custom TCP Rule | TCP | 111 |
| Custom UDP Rule | UDP | 111 |
| Custom TCP Rule | TCP | 161 |
| Custom UDP Rule | UDP | 161 |
| Custom TCP Rule | TCP | 163 |
| Custom UDP Rule | UDP | 163 |
| HTTPS | TCP | 443 |
| Custom TCP Rule | TCP | 700 |
| Custom TCP Rule | TCP | 2049 |
| Custom UDP Rule | UDP | 2049 |
| Custom TCP Rule | TCP | 2052 |
| Custom UDP Rule | UDP | 2052 |
| Custom TCP Rule | TCP | 3008 |
| Custom TCP Rule | TCP | 3009 |
| Custom TCP Rule | TCP | 8443 |
| Custom TCP Rule | TCP | 8888 |
| Custom TCP Rule | TCP | 9090 |
| Custom TCP Rule | TCP | 9443 |
| Custom TCP Rule | TCP | 27000 |
| Custom TCP Rule | TCP | 28001-28010 |
| Custom TCP Rule | TCP | 29000 |
| Custom TCP Rule | TCP | 30001-30010 |
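The rule set described in the two Azure sections, as an added example that is not taken from the Dell guide: it turns the Table 43 and Table 44 rows into Azure Resource Manager securityRules entries, appends the outbound Deny rule that overrides AllowInternetOutBound, and audits priorities and descriptions. The idpa- rule names, the description strings and the 203.0.113.0/24 source CIDR are assumptions; 4096 is the highest priority Azure accepts for a user-defined rule, which also satisfies the guide's "less than 65000".

```python
import json

# Rows copied from Table 43 (inbound) and Table 44 (outbound) on this page:
# (Type, Protocol, Destination port range).
INBOUND = [
    ("SSH", "TCP", "22"), ("Custom TCP Rule", "TCP", "161"),
    ("Custom UDP Rule", "UDP", "161"), ("Custom TCP Rule", "TCP", "163"),
    ("Custom UDP Rule", "UDP", "163"), ("HTTPS", "TCP", "443"),
] + [("Custom TCP Rule", "TCP", p) for p in (
    "700", "7543", "7778-7781", "8543", "9090", "9443", "27000",
    "28001-28002", "28810-28819", "29000", "30001-30010")]
OUTBOUND = [
    ("Custom TCP Rule", "TCP", "7"), ("SSH", "TCP", "22"),
    ("SMTP", "TCP", "25"), ("DNS (UDP)", "UDP", "53"),
] + [(f"Custom {proto} Rule", proto, port)
     for port in ("111", "161", "163") for proto in ("TCP", "UDP")
] + [("HTTPS", "TCP", "443"), ("Custom TCP Rule", "TCP", "700")
] + [(f"Custom {proto} Rule", proto, port)
     for port in ("2049", "2052") for proto in ("TCP", "UDP")
] + [("Custom TCP Rule", "TCP", p) for p in (
    "3008", "3009", "8443", "8888", "9090", "9443", "27000",
    "28001-28010", "29000", "30001-30010")]

MAX_CUSTOM_PRIORITY = 4096  # Azure accepts 100-4096 for user-defined rules


def make_rule(name, description, direction, protocol, ports, priority,
              access="Allow", source="*"):
    """Return one rule in the ARM securityRules shape."""
    return {"name": name, "properties": {
        "description": description, "direction": direction, "access": access,
        "priority": priority, "protocol": protocol,
        "sourceAddressPrefix": source, "sourcePortRange": "*",
        "destinationAddressPrefix": "*", "destinationPortRange": ports}}


def build_rules(rows, direction, source="*", first_priority=100):
    """One Allow rule per table row, priorities counting up from 100."""
    rules = []
    for offset, (rule_type, proto, ports) in enumerate(rows):
        rules.append(make_rule(
            name=f"idpa-{direction}-{proto}-{ports}".lower(),  # hypothetical naming
            description=f"{direction} {rule_type} {proto} {ports}",
            direction=direction, protocol=proto.capitalize(), ports=ports,
            priority=first_priority + offset, source=source))
    return rules


def deny_all_outbound(allow_rules):
    """Catch-all Deny: evaluated after every custom Allow, before rule 65001."""
    highest = max(r["properties"]["priority"] for r in allow_rules)
    if highest >= MAX_CUSTOM_PRIORITY:
        raise ValueError("no priority left above the custom Allow rules")
    return make_rule("idpa-outbound-deny-all", "Outbound deny all other traffic",
                     "Outbound", "*", "*", MAX_CUSTOM_PRIORITY, access="Deny")


def audit(rules):
    """Return a list of problems; an empty list means the set is consistent."""
    problems = []
    descriptions = [r["properties"]["description"] for r in rules]
    if len(set(descriptions)) != len(descriptions):
        problems.append("descriptions are not unique across both directions")
    for direction in ("Inbound", "Outbound"):
        props = [r["properties"] for r in rules
                 if r["properties"]["direction"] == direction]
        priorities = [p["priority"] for p in props]
        if len(set(priorities)) != len(priorities):
            problems.append(f"{direction}: duplicate priority")
        if any(not 100 <= p <= MAX_CUSTOM_PRIORITY for p in priorities):
            problems.append(f"{direction}: priority outside 100-4096")
        allows = [p["priority"] for p in props if p["access"] == "Allow"]
        denies = [p["priority"] for p in props if p["access"] == "Deny"]
        # Lower numbers win, so a Deny at or below an Allow would block it.
        if allows and denies and min(denies) <= max(allows):
            problems.append(f"{direction}: Deny rule shadows an Allow rule")
    return problems


def build_nsg(admin_source="*"):
    """Inbound rules (optionally source-restricted) plus outbound rules and Deny."""
    inbound = build_rules(INBOUND, "Inbound", source=admin_source)
    outbound = build_rules(OUTBOUND, "Outbound")
    outbound.append(deny_all_outbound(outbound))
    return inbound + outbound


if __name__ == "__main__":
    rules = build_nsg(admin_source="203.0.113.0/24")  # constructed example CIDR
    print(audit(rules) or "rule set is consistent")
    print(json.dumps({"securityRules": rules[:2]}, indent=2))
```

Passing a CIDR block as admin_source applies the source restriction from the NOTE to every inbound rule; the default keeps the guide's Any source.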

Protection Storage

This section lists information about Protection Storage network ports.

Communication security settings

Communication security settings enable the establishment of secure communication channels between the product components, and between product components and external systems or components.

The following tables list the input and output ports for TCP and UDP:

Table 45. Protection Storage system inbound communication ports

| Service | Protocol | Port | Port Configurable | Default | Description |
|---|---|---|---|---|---|
| FTP | TCP | 21 | No | Disabled | Port is used only if FTP is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| SSH and SCP | TCP | 22 | Yes | Enabled | Port is used only if SSH is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. SCP is enabled as default. |
| Telnet | TCP | 23 | No | Disabled | Port is used only if Telnet is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| HTTP | TCP | 80 | Yes | Enabled (a) | Port is used only if HTTP is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| DD Boost/NFS (portmapper) | TCP | 111 | No | Enabled | Used to assign a random port for the mountd service that DD Boost and NFS use. The mountd service port can be statically assigned and can be run with the nfs option set mountd-port command. |
| NTP | UDP | 123 | No | Disabled | 1. Port is used only if NTP is enabled on the Protection Storage system. Run ntp status to determine if it is enabled. 2. The Protection Storage system uses this port to synchronize to a time server. |
| SNMP | TCP/UDP | 161 | No | Disabled | Port is used only if SNMP is enabled. Run snmp status to determine if it is enabled. |
| HTTPS | TCP | 443 | Yes | Enabled | Port is used only if HTTPS is enabled. Run adminaccess show on the Protection Storage system to determine if it is enabled. |
| CIFS (Microsoft-DS) | TCP | 445 | No | Enabled | Main port that CIFS uses for data transfer. |
| DD Boost/NFS | TCP | 2049 | Yes | Enabled | Main port that NFS uses. Run the nfs option show command on the Protection Storage system to determine the current NFS server port. |
| NFS v3/NFS v4 | TCP | 2049 | Yes | Enabled | Main port that NFS service uses. Run nfs status to determine if NFS v3 or NFS v4 service is enabled. Run nfs option show nfs3-port or nfs option show nfs4-port on the Protection Storage system to determine the current port that is listening. |
| Replication | TCP | 2051 | Yes | Enabled | Port is used only if replication is configured on the Protection Storage system. Run replication show config to determine if it is configured. This port can be modified using the replication modify command. |
| NFS (mountd) | TCP/UDP | 2052 | Yes | Enabled | Can be hardcoded using the nfs option set mountd-port command. (This command is SE mode, which means that only a Service Engineer can issue this command.) Run nfs option show mountd-port on the Protection Storage system to determine the current port that mountd is listening on. |
| Protection Storage Management Center Port | TCP | 3009 | No | Enabled | This port is used only if the Protection Storage Management Center manages the Protection Storage system. It is not configurable. |

a. HTTP is enabled by default, but automatically redirects to HTTPS.

Table 46. Protection Storage system outbound communication ports

| Service | Protocol | Port | Port Configurable | Default | Description |
|---|---|---|---|---|---|
| SMTP | TCP | 25 | No | Disabled | The Protection Storage system uses this port to send email autosupports and alerts. |
| SNMP | UDP | 162 | Yes | Disabled | The Protection Storage system uses this port to send SNMP traps to SNMP host. Use snmp show trap-hosts to see destination hosts and snmp status to display service status. |
| Syslog | UDP | 514 | No | Disabled | If enabled, the Protection Storage system uses this port to send syslog messages. Use log host show to display destination hosts and service status. |
| RMCP | UDP | 623 | Open | Enabled | Remotely access BMC through IPMI. |

To reach a Protection Storage system behind a firewall, you may need to enable these ports defined in the preceding tables.

Use the net filter functionality to disable all ports that are not used.

Firewall Configuration

Table 47. Ports that Protection Storage uses for inbound traffic

| Port | Service | Note |
|---|---|---|
| TCP 21 | FTP | Used only if FTP is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 22 | SSH | Used only if SSH is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 23 | Telnet | Used only if Telnet is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 80 | HTTP | Used only if HTTP is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned. |
| UDP 111 | DD Boost/NFS (port mapper) | Used to assign a random port for the mountd service that NFS and DD Boost use. The mountd service port can be statically assigned. |
| UDP 123 | NTP | Used only if NTP is enabled (run ntp status on the Protection Storage system to determine). |
| UDP 137 | CIFS (NetBIOS name service) | CIFS uses this port for NetBIOS name resolution. |
| UDP 138 | CIFS (NetBIOS datagram service) | CIFS uses this port for NetBIOS datagram service. |
| TCP 139 | CIFS (NetBIOS session service) | CIFS uses this port for session information. |
| UDP 161 | SNMP (query) | Used only if SNMP is enabled (run snmp status on the Protection Storage system to determine). |
| TCP 389 | LDAP | The LDAP server monitors this port for LDAP client requests; by default it uses TCP. |
| TCP 443 | HTTPS | Used only if HTTPS is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 445 | CIFS (Microsoft-DS) | Main port that CIFS uses for data transfer. |
| TCP 464 | Active Directory | Kerberos change/set password; this is required to join an Active Directory domain. |
| TCP 2049 | DD Boost/NFS | Main port that NFS uses; it can be modified using the nfs set serverport command, which requires SE mode. |
| TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Protection Storage system to determine). This port can be modified using replication modify. |
| TCP 2052 | NFS Mountd/DD Boost/Optimized Duplication | Main port that NFS Mountd uses. |
| TCP 3008 | RSS | Required when the Protection Storage system has an Archive Tier. |
| TCP 3009 | SMS (system management) | Used for managing a system remotely with Protection Storage Data Protection Central (DPC). This port cannot be modified. This port is used only on Protection Storage systems running DD OS 4.7.x or later. This port needs to be open if you plan to configure replication within Protection Storage DPC because the replication partner must be added to Protection Storage DPC. |
| TCP 5001 | iPerf | iPerf uses this by default. Changing the port requires the -p option from se iperf or the port option from the net iperf command. The remote side must listen on the new port. |
| TCP 10000 | NDMP | NDMP uses this port. |

Table 48. Ports that Protection Storage systems use for outbound traffic

| Port | Service | Note |
|---|---|---|
| TCP 20 | FTP | Used only if FTP is enabled (run adminaccess show on the Protection Storage system to determine). |
| TCP 25 | SMTP | Used only if FTP is enabled (run adminaccess show on the Protection Storage system to determine). |
| UDP/TCP 53 | DNS | Used to perform DNS lookups when DNS is configured (run net show dns on the Protection Storage system to review DNS configuration). |
| TCP 80 | HTTP | Used to upload log files to Dell EMC support using support upload. |
| TCP 443 | HTTPS | Used to upload the Support Bundle (SUB). |
| UDP 123 | NTP | Used to synchronize to a time server. |
| UDP 162 | SNMP (trap) | Used to send SNMP traps to an SNMP host. Use the snmp show trap-hosts command to see destination hosts and snmp status to display service status. |
| UDP 514 | Syslog | If enabled, used to send syslog messages. Use log host show to display destination hosts and service status. |
| TCP 2051 | Replication/DD Boost/Optimized Duplication | Used only if replication is configured (run replication show config on the Protection Storage system to determine). |
| TCP 3009 | SMS (system management) | Used for managing a system remotely using Protection Storage Data Protection Central (DPC). This port cannot be modified. This port is used only on Protection Storage systems running DD OS 4.7.x or later. If you plan to configure replication from within the Protection Storage DPC, this port needs to be opened. The replication partner has to be added to the Protection Storage DPC. |
| TCP 5001 | iPerf | iPerf uses this port by default. Changing the port requires entering the -p option from se iperf or the port option from net iperf. The remote side must listen on the new port. |
| TCP 27000 | Protection Software client communications with Protection Software server | Protection Software client network hosts. |
| TCP 27000 | Protection Software server communications with Replicator target server (Protection Software proprietary communication) | Required if server is used as replication source. |
| TCP 28001 | Protection Software client communications with administrator server | Protection Software clients required. |
| TCP 28002 | Protection Software server communications with Protection Software client | Optional for browsing clients and canceling backups from Protection Software Administrator management console. |
| TCP 29000 | Protection Software client Secure Sockets Layer (SSL) communications with Protection Software server | Protection Software clients required. |
| TCP 29000 | Protection Software server SSL communications with Replicator target server | Required if server is replication source. |

Data Protection Central

Data Protection Central uses inbound and outbound ports when communicating with remote systems.

Table 49. Outbound ports

| Port number | Layer 4 protocol | Service |
|---|---|---|
| 7 | TCP, UDP | ECHO |
| 22 | TCP | SSO |
| 25 | TCP | SMTP |
| 53 | UDP, TCP | DNS |
| 67, 68 | TCP | DHCP |
| 80 | TCP | HTTP |
| 88 | TCP, UDP | Kerberos |
| 111 | TCP, UDP | ONC RPC |
| 123 | TCP, UDP | NTP |
| 161-163 | TCP, UDP | SNMP |
| 389 | TCP, UDP | LDAP |
| 443 | TCP | HTTPS |
| 448 | TCP | Search Admin REST API |
| 464 | TCP, UDP | Kerberos |
| 514 | TCP, UDP | rsh |
| 587 | TCP | SMTP |
| 636 | TCP, UDP | LDAPS |
| 902 | TCP | Hypervisor |
| 2049 | TCP, UDP | NFS |
| 2052 | TCP, UDP | mountd, clearvisn |
| 3009 | TCP | Protection Storage REST API |
| 5671 | TCP | Message Bus over amqp |
| 8443 | TCP | MCSDK (8443 is an alternative for 443) |
| 9002 | TCP | Reporting & Analytics REST API |
| 9443 | TCP | Protection Software Management Console web service |

Table 50. Inbound ports

| Port number | Layer 4 protocol | Service |
|---|---|---|
| 22 | TCP | SSH |
| 80 | TCP | HTTP |
| 443 | TCP | HTTPS |
| 5671 | TCP | Message Bus over amqp |

Search

This section lists information about Search network ports.

Port usage

Table 51. Default ports

| Component | Service | Protocol | Port | Description |
|---|---|---|---|---|
| Common Indexing Service | NGINX | TCP/HTTPS | 442 | Secure access to Elasticsearch. |
| Search and Admin UIs and APIs | NGINX | TCP/HTTPS | 443 | Admin web application. Search web application. Admin REST API. Search REST API. |
| Common Indexing Service | NGINX | TCP/HTTPS | 445 | CIS REST API. The Common Indexing Service (CIS) provides a secure layer above Elasticsearch. |
| Elasticsearch cluster ports | NGINX | TCP/HTTPS | 9300–9400 | Ports for communicating with Elasticsearch (Index data nodes). Elasticsearch cluster ports are only opened internally, and are not for external access. |
| Puppet | Puppet | TCP | 8140, 61613 | Puppet primary server, agent, and console. Puppet ports must be open between Search nodes to enable communication during an automatic upgrade. |
| Protection Software Client | Protection Software Client | TCP | 28000-29000, 30000-31000 | Ports for Protection Software client communicating with Protection Software server. Each client requires two ports from each port range. |
| NetWorker Client | NetWorker Client | TCP | 7937-8100 | Ports for NetWorker client communicating with NetWorker server. |
| OpenLDAP | slapd | TCP | 389 | Ports for the Search node communicating with OpenLDAP, and sync between OpenLDAP, are only opened internally. |
| SSH | sshd | TCP | 22 | Client connects to server through ssh. |
| NFS | nfs | TCP | 111, 2049 | Ports for communicating with NFS are only opened internally. |

Firewall rules

Search requires access to the following external (worldwide) ports:

● 442:445 (Web/Rest API)

● 28000-29000, 30000-31000 (Protection Software Client)

● 7937-8100 (NetWorker client)

● 22 (SSH)

Search requires access to the following internal ports:

● 389 (openLDAP)

● 8140 (Puppet primary server and primary server node only)

● 61613 (Puppet)

● 9300:9400 (Elasticsearch)

● 111, 2049 (NFS)


To use ports 9300–9400, CIS provides access to IP addresses within a subnet. An example subnet is 128.222.162.

Elasticsearch nodes use ports 9300–9400 to form a cluster and to communicate with other Elasticsearch nodes.
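The external/internal split in the Search firewall rules above can be checked against accepted firewall flows. The following is an added example, not part of the manual or of any Dell tool; the /24 mask applied to the manual's example subnet, the flow tuple layout, and the sample entries are assumptions constructed for illustration.

```python
import ipaddress

# Port ranges copied from the "Firewall rules" list for Search.
EXTERNAL_PORTS = [(442, 445), (28000, 29000), (30000, 31000),
                  (7937, 8100), (22, 22)]
INTERNAL_PORTS = [(389, 389), (8140, 8140), (61613, 61613),
                  (9300, 9400), (111, 111), (2049, 2049)]

# Assumption: the manual's example subnet "128.222.162" read as a /24.
CLUSTER_NET = "128.222.162.0/24"


def _in_ranges(port, ranges):
    return any(low <= port <= high for low, high in ranges)


def classify(src_ip, dst_port, cluster_net=CLUSTER_NET):
    """Classify one inbound flow to a Search node against the documented policy."""
    inside = ipaddress.ip_address(src_ip) in ipaddress.ip_network(cluster_net)
    if _in_ranges(dst_port, INTERNAL_PORTS):
        # Internal-only services are acceptable only from the cluster subnet.
        return "allow-internal" if inside else "deny"
    if _in_ranges(dst_port, EXTERNAL_PORTS):
        return "allow-external"
    return "deny"  # Port is not in the documented list at all.


def audit(flows, cluster_net=CLUSTER_NET):
    """Return accepted flows that the documented policy would not permit."""
    return [f for f in flows
            if f[0] == "ACCEPT" and classify(f[1], f[2], cluster_net) == "deny"]


# Constructed sample of firewall log entries: (action, source IP, destination port).
SAMPLE_FLOWS = [
    ("ACCEPT", "203.0.113.7", 443),      # web UI from outside: expected
    ("ACCEPT", "128.222.162.21", 9300),  # Elasticsearch between nodes: expected
    ("ACCEPT", "203.0.113.7", 9300),     # Elasticsearch from outside: finding
    ("ACCEPT", "203.0.113.7", 2049),     # NFS from outside: finding
    ("DROP", "203.0.113.7", 389),        # already blocked: not a finding
    ("ACCEPT", "128.222.162.30", 5601),  # undocumented port: finding
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("policy violation:", finding)
```

Any flow the audit returns is either an internal-only Search port accepted from outside the cluster subnet or a port the manual does not list for Search.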

Reporting & Analytics

The following tables list information about Reporting & Analytics network ports. Additional ports can be required for the Reporting and Analytics agents depending on the systems being monitored.

Table 52. Reporting & Analytics application ports settings

| Port | Description | Traffic direction |
|---|---|---|
| 25 | TCP port used for the SMTP service | Outbound connection to SMTP server |
| 80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server |
| 22 | TCP port used for SSH | Bidirectional connection to SSH server |
| 161 | UDP port used for SNMP service | Outbound connection to SNMP devices |
| 389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server |
| 3741 | TCP port used for Reporting and Analytics agents communications. | Outbound connection to Reporting and Analytics agents |
| 4447 | TCP port used for intra-service communication | Inbound connection |
| 4712 | TCP port used for intra-service communication | Localhost connection |
| 4713 | TCP port used for intra-service communication | Localhost connection |
| 5445 | TCP port used for intra-service communication | Localhost connection |
| 5455 | TCP port used for intra-service communication | Localhost connection |
| 8090 | TCP port used for intra-service communication | Localhost connection |
| 9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients. |
| 9003 | TCP port used for Reporting and Analytics Datastore communications. | Outbound connection to Reporting and Analytics Datastore. |
| 9005 | TCP port used for JBoss Management | Localhost connection |
| 9999 | TCP port used for JBoss Management | Localhost connection |

Table 53. Reporting & Analytics datastore port settings

| Port | Description | Traffic direction |
|---|---|---|
| 3741 | TCP port used for Reporting and Analytics agents communications. | Inbound connection from Reporting and Analytics application server. |
| 9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to Reporting and Analytics application server. |
| 9003 | TCP port used for Reporting and Analytics datastore communications. | Inbound connection from Reporting and Analytics application server. |


Table 54. Reporting & Analytics agent port settings

| Port | Description | Traffic direction |
|---|---|---|
| 3741 | TCP port used for Reporting and Analytics agents communications. | Inbound connection from Reporting and Analytics application server. |
| 9002 | TCP port used for the HTTPS service. | Outbound connection over SSL to Reporting and Analytics application server. |

Table 55. Reporting & Analytics cluster port settings

| Port | Description | Traffic direction |
|---|---|---|
| 25 | TCP port used for the SMTP service | Outbound connection to SMTP server. |
| 80 | TCP port used for the SharePoint service | Outbound connection to SharePoint server. |
| 161 | UDP port used for SNMP service | Outbound connection to SNMP devices. |
| 389/636 (over SSL) | TCP port used for LDAP integration | Outbound connection to LDAP server. |
| 3741 | TCP port used for Reporting and Analytics agents communications. | Outbound connection to Reporting and Analytics agents |
| 4447 | TCP port used for intra-service communication | Inbound connection |
| 4712 | TCP port used for intra-service communication | Localhost connection |
| 4713 | TCP port used for intra-service communication | Localhost connection |
| 5445 | TCP port used for intra-service communication | Bidirectional connection for Cluster |
| 5455 | TCP port used for intra-service communication | Bidirectional connection for Cluster |
| 7500 | Multicast over UDP | Bidirectional connection for Cluster |
| 7600 | Multicast over TCP | Inbound connection for Cluster |
| 8090 | TCP port used for intra-service communication | Localhost connection |
| 9002 | TCP port used for the HTTPS service. | Inbound connection over SSL from UI, CLI, and REST API clients. |
| 9003 | TCP port used for Reporting and Analytics datastore communications. | Outbound connection to Reporting and Analytics datastore. |
| 9005 | TCP port used for JBoss Management | Localhost connection |
| 9876 | Multicast over TCP | Bidirectional connection for Cluster |
| 9999 | TCP port used for JBoss Management | Localhost connection |
| 23364 | Multicast over TCP | Bidirectional connection for Cluster |
| 45688 | Multicast over TCP | Bidirectional connection for Cluster |
| 45689 | Multicast over TCP | Bidirectional connection for Cluster |
| 45700 | Multicast over UDP | Bidirectional connection for Cluster |
| 54200 | Multicast over UDP | Bidirectional connection for Cluster |
| 54201 | Multicast over UDP | Bidirectional connection for Cluster |
| 55200 | Multicast over UDP | Bidirectional connection for Cluster |
| 55201 | Multicast over UDP | Bidirectional connection for Cluster |
| 57600 | Multicast over TCP | Bidirectional connection for Cluster |

Secure Remote Services

Secure Remote Services (SRS) runs its services on the following ports:

The following ports should be opened on the Secure Remote Services (SRS) gateway server Service. The appliance components (Protection Software, Protection Storage, ACM, and Reporting & Analytics) communicate with SRS using these ports.

Table 56. Port requirements for devices

Dell EMC product

TCP port or

Protocol

Direction open

Source-or-

Destination

Application name

Protection

Software

HTTPS 9443

HTTPS

Passive FTP (21)

SMTP (25)

Outbound to SRS REST

ConnectEMC

Communication (network traffic) type

Service notification

Performed by authorized

Dell EMC

Global Services personnel:

Support objective

(frequency)

NA

22 Inbound to SRS or to

Customer SMTP server from SRS CLI (through

SSH)

AVInstaller

Enterprise

Manager

Remote support

Administration

(occasional)

Troubleshooting

(frequent)

Protection

Storage

Reporting &

Analytics

443

80, 443, 8778,

8779, 8780, 8781,

8580, 8543, 9443,

7778, 7779, 7780, and 7781

7778, 7779, 7780,

7781, and 9443

HTTPS 9443 Outbound

443,25,21

80,443 Inbound

22

HTTPS 9443

HTTPS

Passive FTP (21)

SMTP (25)

22

Outbound

Inbound to SRS from SRS to SRS from SRS

MCGUI

REST

ConnectEMC

Enterprise

Manager

CLI (through

SSH)

REST

ConnectEMC

CLI (through

SSH)

Service notification

Remote support

Service notification

Remote support

NA

Administration

(occasional)

Troubleshooting

(frequent)

NA

Troubleshooting

(frequent)


Table 56. Port requirements for devices (continued)

Dell EMC product

TCP port or

Protocol

Direction open

Source-or-

Destination

Integrated

Data

Protection

Appliance

9002, 9003, 9004

3389

HTTPS 9443

HTTPS

Passive FTP (21)

SMTP (25)

22

Outbound

Inbound

8543

443 to SRS from SRS

Application name

Communication (network traffic) type

Performed by authorized

Dell EMC

Global Services personnel:

Support objective

(frequency)

Reporting and

Analytics GUI

Remote desktop

REST

ConnectEMC

Service notification

NA

CLI (through

SSH)

ACM

Search UI,

Hypervisor

Platform Web

Client, iDRAC UI

Remote support

Troubleshooting

(frequent)

Remote server management (iDRAC)

The following table lists the ports that are required to remotely access iDRAC through a firewall. These are the default ports on which iDRAC listens for connections.

Table 57. Ports iDRAC listens for connections

| Port number | Type | Function | Configurable port | Maximum Encryption Level |
|---|---|---|---|---|
| 22 | TCP | SSH | Yes | 256-bit SSL |
| 23 | TCP | TELNET | Yes | None |
| 80 | TCP | HTTP | Yes | None |
| 161 | UDP | SNMP Agent | Yes | None |
| 443 | TCP | HTTPS | Yes | 256-bit SSL |
| 623 | UDP | RMCP/RMCP+ | No | 128-bit SSL |
| 5000 | TCP | iDRAC to iSM | No | 256-bit SSL (a) |
| 5900 | TCP | Virtual console keyboard and mouse redirection, Virtual Media, Virtual folders, and Remote File Share | Yes | 128-bit SSL |
| 5901 (b) | TCP | VNC | Yes | 128-bit SSL |

a. Maximum encryption level is 256-bit SSL if both iSM 3.4 or higher and iDRAC firmware 3.30.30.30 or higher are installed.

b. Port 5901 opens when VNC feature is enabled.

The following table lists the ports that iDRAC uses as a client:


Table 58. Ports iDRAC uses as client

| Port number | Type | Function | Configurable port | Maximum Encryption Level |
|---|---|---|---|---|
| 25 | TCP | SMTP | Yes | None |
| 53 | UDP | DNS | No | None |
| 68 | UDP | DHCP-assigned IP address | No | None |
| 69 | TFTP | TFTP | No | None |
| 123 | UDP | Network Time Protocol (NTP) | No | None |
| 162 | UDP | SNMP trap | Yes | None |
| 445 | TCP | Common Internet File System (CIFS) | No | None |
| 636 | TCP | LDAP Over SSL (LDAPS) | No | 256-bit SSL |
| 2049 | TCP | Network File System (NFS) | No | None |
| 3269 | TCP | LDAPS for global catalog (GC) | No | 256-bit SSL |
| 5353 | UDP | mDNS | No | None |
| 514 | UDP | Remote syslog | Yes | None |

NOTE: When Group Manager is enabled, iDRAC uses mDNS to communicate through port 5353. However, when it is disabled, port 5353 is blocked by iDRAC's internal firewall and appears as open|filtered port in the port scans.

Cloud DR

The following ports should be opened for communication between the specified components:

Table 59. Required Cloud DR ports

| Port | Description |
|---|---|
| 111 | Communication between Protection Storage and Cloud DR |
| 443 | Communication between Cloud DR and AWS/Azure |
| 443 | Communication between Cloud DR and Cloud DR Server |
| 443 | Communication between Cloud DR and Hypervisor Manager (Service) |
| 443 | Communication between a local restore Service and AWS/Azure |
| 2049 | Communication between Protection Storage and Cloud DR |
| 9443 | Communication between Protection Software and Cloud DR |

