NetBackup Granular Recovery Technology (GRT) and NFS - Security and Manageability Considerations

Article: 100022466
Last Published: 2012-03-27
Product(s): NetBackup

Problem

NetBackup Granular Recovery Technology (GRT) and Network File System (NFS) - Security and Manageability Considerations

Solution

NFS (Network File System) is a file-sharing protocol developed by Sun Microsystems in 1984. It is a standard part of all UNIX and Linux implementations, and is also commonly found in Windows installations. NetBackup uses NFS for the GRT (Granular Recovery Technology) feature in its SharePoint, Exchange and Active Directory agents.

Note: Some Windows administrators are unfamiliar with NFS, or are concerned about its impact on security and manageability, and therefore by extension have some concerns about the NetBackup GRT feature. This article is intended to address these concerns. 
 
The technology behind NetBackup granular recovery requires the NetBackup media server to generate a virtual disk volume, which is then mounted on a client application server remotely across the network. This allows NetBackup to query the application server in order to extract individual items from a database. NFS was chosen as the protocol behind this requirement in order to make it possible to use any NetBackup media server platform – Windows, UNIX or Linux. The choice of NFS will also make it possible to implement GRT features for UNIX/Linux database applications in the future.

NFS is a standard component in Windows Server 2003 Release 2 and later, but is not installed by default. Fortunately, installation of the protocol is a quick and simple procedure, clearly documented in the relevant NetBackup administration guides.

NFS is installed in much the same way as any other Windows component, using the Add/Remove Programs function in the Windows control panel for Windows Server 2003 or the Server Roles application for Windows Server 2008.  The installation media may be required, and for Windows Server 2003 R2 servers it may be necessary to reboot the server after installation (this is generally not required for Windows Server 2008 systems). To enable GRT, NFS must be installed on both the application server and the NetBackup media server (if the media server is based on UNIX or Linux, NFS is pre-installed).

Note: There are no configuration steps. Once the selected NFS components are installed, no further maintenance or management is required.
 
Some administrators are concerned about the security and firewall ramifications of NFS. NetBackup does not use the full NFS suite to perform GRT; in fact, most of the components usually installed with NFS are not required. The NetBackup administration guides explain which components are needed. In particular, we recommend against installing Microsoft’s NFS server service on any machine, and the master server requires no NFS components at all beyond the basic protocol stack, so it is not possible to use NFS to steal data from NetBackup clients, media servers or master servers. NetBackup media servers use a specialized, custom-written NFS server (NBFSD) which can only be used for the NetBackup GRT feature; it cannot be used to transfer general data, and it is only active while a backup or restore is active.
 
Finally, unlike standard NFS, the NetBackup implementation requires just two ports open on the media server -- port 7394 (configurable by the administrator) and port 111 (the standard RPC port mapper access port). This makes the agent firewall-friendly and also adds to security, since a standard NFS client cannot connect to NetBackup’s port. 
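
The following added example is not from the article or from NetBackup: it parses Windows `netstat -ano` output from a media server (the sample below is constructed) and flags listeners that differ from what the article describes. Port 2049 as the standard NFS server port, the function names and the finding codes are assumptions of the example.

```python
import re

# Ports the article lists for GRT on the media server. 7394 is the default
# and is configurable, so it is a parameter of the audit.
PORTMAPPER_PORT = 111
DEFAULT_NBFSD_PORT = 7394
# Assumption (not from the article): 2049 is the well-known port of a standard
# NFS server, so a listener there suggests an NFS server service is installed.
STANDARD_NFS_PORT = 2049

# Matches listening TCP rows of Windows `netstat -ano` output (IPv4 and IPv6).
_ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")

# Constructed sample output, not captured from a real server.
SAMPLE = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:111            0.0.0.0:0              LISTENING       872
  TCP    0.0.0.0:2049           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:7394           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:49152         10.0.0.9:51544         ESTABLISHED     2208
  TCP    [::]:111               [::]:0                 LISTENING       872
"""

def listening_ports(netstat_text):
    """Return {port: set of PIDs} for every listening TCP socket."""
    ports = {}
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if m:
            ports.setdefault(int(m.group(2)), set()).add(int(m.group(3)))
    return ports

def audit_media_server(netstat_text, nbfsd_port=DEFAULT_NBFSD_PORT, job_active=False):
    """Compare listeners with the article's description; return finding codes."""
    ports = listening_ports(netstat_text)
    findings = []
    if STANDARD_NFS_PORT in ports:
        # The article recommends against installing an NFS server service.
        findings.append("NFS_SERVER_LISTENER")
    if PORTMAPPER_PORT not in ports:
        findings.append("PORTMAPPER_NOT_LISTENING")
    if nbfsd_port in ports and not job_active:
        # NBFSD is described as active only during a backup or restore.
        findings.append("NBFSD_LISTENING_WHILE_IDLE")
    if nbfsd_port not in ports and job_active:
        findings.append("NBFSD_NOT_LISTENING_DURING_JOB")
    return findings

if __name__ == "__main__":
    print(audit_media_server(SAMPLE))
```

Pass `nbfsd_port` when the administrator has changed the default, and set `job_active` according to whether a GRT backup or restore is running at the time the output was captured.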
 
In summary, administrators should be comfortable with the NFS protocol as used by NetBackup for granular recovery. As a standard part of Windows Server 2003 R2 or later it’s stable, non-invasive and well-supported, and the security and management issues have been addressed well enough that there should be no additional concerns.
 

 
