How to backup the computers in my office and store the backup data off-site

This webpage helps you setup Backup for Workgroups to backup the computers in your office and use the Internet to send the backup data to a Backup Server that is off-site. When you want to use the Internet to transmit your backup data to an off-site location, you need to realize that you actually have 3 networks that you need to get to play together nicely: (1) - The office network; (2) – the Internet; and (3) – the off-site network.  These are separate networks and you need to do some preparation to make them all work together.  (Step-by-step instructions are below the diagram.)

The key element in this configuration is that the Backup Clients are on one network, which we refer to as your office network and the Backup Server, which holds your backup data, is located at your off-site location, which we are presuming is separated by the Internet.

This backup strategy is viable when you have one or a relatively small number of computers that you are backing up.  As the number of computers that you are backing up grows – the more you can make a case for “bringing the Backup Server closer to the Backup Clients” – so that you can perform a backup/restore at internal network speeds (which are usually fast) and not at Internet speeds (which are usually slower than internal network speeds).

Another feature to point out is that when a backup is initiated, the Backup Client computer connects to the Backup Server to store the backup data. The network has to be configured to allow the Backup Client to have outbound access to the Internet and inbound access to the Backup Server.  This document contains the steps you need to perform to set this up.  Note, you do not need to setup a VPN to implement this backup strategy.

The Backup Client encrypts data prior to transmitting it to the Backup Server, so as a result your backup data is encrypted as it travels over the Internet.  Please note that if you are using the Backup for Workgroups 30-day trial download, only the scrambling encryption method is available during the evaluation period.  Once you purchase and register the product the 256-bit and 56-bit encryption methods become available.  To provide extra security, we recommend using the 256-bit encryption method.  Once you have entered a license key into your installation, you can choose the encryption method you would like to use from that point forward.

The Backup Client also compresses data prior to transmitting it to the Backup Server, which will reduce the bandwidth required to send the data to the Backup Server.

It is important to realize that when you want to setup a backup solution that uses the Internet to store the backup data to an off-site location – this is a scenario where the your office computers communicate with the Internet and then the Internet communicates with the off-site network.  This is a 2-step process.  Note that the office network does not directly communicate with the off-site network.

The bridge between the 2-step process is the cable modem or DSL router at the off-site network.  The reason why this is important is that the Backup Client software communicates with the device provided by your off-site ISP. This bridge between the Internet and the off-site network commonly contains a firewall which you will need to configure to allow the backup data to flow through by opening a port in the firewall.

When you configure the Backup Client on the office network you need to specify the Internet connection to the off-site network.  In this scenario, the Backup Client communicates with the firewall device that provides the Internet connection to the off-site network.  The firewall device at the off-site network forwards the backup data to the computer that is running the Backup Server on the off-site network.

Follow along with these steps to set this up:

1. Go to the computer running the Backup Server.
2. Write down the IP Address of the computer running the Backup Server: ________________________.  To get the IP Address, you can: 
   
   1. Press the Start button.
   2. Select Run.  On Vista, you can use the Search bar instead of Run.
   3. A DOS Command shell runs.  At the DOS prompt, type IPCONFIG and press Enter.
   4. Windows will show you your IP Address.
   5. Write this down in the space above.
3. Open a port on all Firewalls between the Internet and the Backup Server computer.  - You need to open a port to allow the Backup Client to connect to the Backup Server computer.  The Backup Client connects to the Backup Server using port 2125 and the protocol TCP. There are 2 places where firewalls typically exist = 1 – a software based firewall running on the Backup Server computer and 2 – a hardware based firewall that is built into the DSL router, cable modem, or Internet access appliance that you use to connect your off-site Network to the Internet.
4. How to open a port on the software-based firewall running on the Backup Server computer.
   1. If the computer is running the Windows built in firewall then you will need to go to control panels and choose the Security Center.  At the Security Center click on the Firewall Settings and modify the settings to allow Port 2125 TCP inbound.
   2. If the computer is running a Firewall from a security suite, such as Norton, McAfee, Trend Micro, etc., you need to consult the documentation that came with that firewall.  When you configure the software firewall to open port 2125, you must provide that software firewall with instructions that allow port 2125 TCP for inbound traffic.
5. How to open a port on the Firewall / Internet access appliance (Cable Modem, DSL Router, etc)
   1. Most appliances that provide access to the Internet contain a built-in firewall.  They also typically contain a web-based management utility that allows you to configure their settings.  Bring up an Internet browser and login to the management utility.  Use the features of this utility to open port 2125 for TCP, inbound traffic.  Most hardware based firewalls include an option that allows you to specify an IP address of a computer that that firewall will forward all the port 2125 traffic to.  You will need to enter the IP address of the computer running the Backup Server as the IP address that the firewall should forward all the port 2125 traffic to.  Note that this is the IP address that you wrote down in Step #2 above.
6. How to verify that you have properly opened Port 2125 from the Internet to the computer running the Backup Server.
   1. You can use a free, port-probing service that is available on the Internet.  We recommend that you use the Shields Up utility from Gibson Research Corporation.
   2. Go to http://www.grc.com. 
   3. Click on Shields UP!!
   4. Scroll to the middle of the page.  Look under the section called “Hot Spots” and click on the word Shields UP!! again.
   5. Press the Proceed button.  This button is under the informational banners.
   6. Between the two (2) grey bars, type the port number 2125 and click on the button labeled User Specified Custom Port Probe.
   7. Review the analysis.  If GRC reports Stealth or Passed, then your firewall is still active and Port 2125 is NOT open.  Repeat Steps 4 & 5 above until GRC reports that Port 2125 is OPEN and FAILS the test.  In this case – FAIL is what we are looking for, it means the Port is not firewall protected.  We want the port open to allow the Backup Client to send backup data thru this port.
   8. While reviewing the analysis of Shields UP! – write down the IP Address that Shields UP! shows for this test.  Write this down here: ______________________________.  This IP Address is the Internet address that your ISP has provided for your off-site Network to connect to the Internet.  In other words, this is the IP address of the Internet side of the firewall or Internet access gateway.  In our diagram, this is the Internet side of the off-site Network  - it is the B part of the A to B side.
7. Go to the computer that you want to backup.  Install the Backup for Workgroups Backup Client software on this computer. After the software has been installed, a setup wizard runs. The setup wizard needs 3 pieces of information: 1-The IP Address of the Backup Server computer, 2-The name of the account that you have setup for this computer that resides on the Backup Server computer, and 3-The account’s associated password.
   1. At the Setup - Welcome screen, select the option to "Backup this computer and other computer on my network and press Next.
   2. At the Create Client or Server screen choose the option "Backup Client Only" and press Next.
   3. When you are on the “Backup Server Name” dialog, you need to enter the public IP Address of the firewall or Internet access appliance at your off-site Network into the first type in field that is labeled “Enter the computer name of IP address of the Backup Server.” Since you want to backup this computer and use the Internet to send the backup data to an off-site computer (your off-site Network computer), you need to tell the Backup Client to connect to the Backup Server using the firewall as the IP Address.  Enter the IP Address that was written down in Step 6h above.  Verify access to the Backup Server then press Next.
   4. You can now select the name of your account at the Backup Server from the account name list.  Enter the Password for your account.  The Client Name and Password correspond to the account information that you created when you installed the Backup Server. If you do not know the account details, go to the Backup Server computer, run the Backup Server, and go to the Clients panel. Review the list of Client names. This is the list of accounts that you have defined – one account for each computer that you want to backup.
   5. Before leaving this dialog, we recommend that you press the Verify… button to verify that the Backup Client can connect to the Backup Server and that the account name and password that you have entered correspond to the account that you have created for this computer at the Backup Server.  A failure to login reported as “incorrect user name or password” indicates that the Backup Client successfully connected to the Backup Server, but the account name or it’s password is incorrect. Retype the account name and password and try again. You may need to go to the Backup Server and verify the account name on the Clients panel.  You can modify the account passwords by editing the account name at the Backup Server.
   6. After verifying successful access to the Backup Server, press Next and proceed through the rest of the Backup Client Setup Wizard.
8. Run your first backup.  At this point, you have installed and configured your Backup Server, you have installed and configured your Backup Client(s), and you have opened up the associated firewalls to allow for the Backup Client to communicate via TCP over Port 2125 as inbound traffic.  Keep in mind that opening the port is only necessary at the Backup Server and you only need to perform this process once.  Remember that the first or initial backup of any computer takes the most time because every file needs to be backed up.  Subsequent backups will be faster because only the files that are new or those that have changed get backed up.  Also note that “backing up over the Internet” is slow because the speed is dependent on both the uplink speed at the Office Network and on the downlink speed at the off-site Network.  Typically, the uplink speed is significantly slower than the downlink speed.
9. If you want to add additional Backup Clients to your Backup for Workgroups configuration, all you need to do is install the Backup Client software on that new computer and setup their associated accounts. Remember that when you add a computer to the backup process, you need to first have a license for that computer at the Backup Server and you setup an account for that computer at the Backup Server.  Then, you need to use this information when you install and configure the Backup Client on the computer that you want to backup.  You do not need to open additional firewall ports because all the traffic flows out from the Backup Client computer to the off-site Network that has already been configured to accept Backup Clients.