How Unitrends supports SMBv2

SUMMARY

A security_option setting is available for SMB2.

ISSUE

A Unitrends system may be configured to use SMB1 or SMB2.

Beginning in release 10.4.8, the SMB 2.0 security option is enabled by default on Unitrends appliances.
 

RESOLUTION

    Enabling SMB2

    1. Navigate to Configure, select your Unitrends appliance then click Edit.
    2. Under the Advanced tab, select the Support Toolbox.
    3. Click the Samba SMB2 option button to enable SMB2.

    Alternatively, SMB2 can be enabled from command line by issuing the following command:

    security_option smb2
     

    Disabling SMB2


    To disable SMB2 and enable SMB1, run the following command:

    security_option smb1
    

     

    Using SMB2 with file recovery from Windows VMs


    To use a CIFS share for the recovery, SMB 2.0 must be enabled on the target Windows asset. 

    Note: Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the target Windows asset: Insecure Guest Login and SMB 2.0.
     

    Hyper-V Instant Recovery


    To run a Windows replica on Hyper-V, SMB 2.0 must be enabled on the Hyper-V server.

    Note: Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the Hyper-V server: Insecure Guest Login and SMB 2.0.

     

    Windows Replicas created on a Hyper-V host server


    Unitrends release v.10.4.2 enables Windows Replicas to a Hyper-V host utilizing SMB2 by following these steps:

    1. On the Unitrends appliance, first disable smb1 then enable smb2 with the new 10.4.2 configuration:
    security_option smb1
    security_option smb2
    2. On the Hyper-V host, enable "Insecure Guest Logons"
      1. Open Local Group Policy Editor
      2. Navigate into Administrative Templates - Network - Lanman Workstation
      3. Enable the setting "Enable insecure guest logons"
     

    SharePoint 

    To perform backup and recovery operations, SMB 2.0 must be enabled on each node in the farm.
    Notes:

    • Backup appliances running pre-10.4.8 releases – If the appliance is configured to use SMB 2.0, the following must be enabled on each node in the farm: Insecure Guest Login and SMB 2.0.
    • SharePoint 2007 on Windows 2003 and prior is not supported on SMB 2.0 appliances. (To configure your appliance to use SMB 1.0, contact Unitrends Support.)
    • SharePoint may require custom client configuration for use with SMB 2.0. If SharePoint backups do not run successfully, see this Microsoft article for client configuration details: SharePoint Ports, Proxies and Protocols...An overview of farm communications.

     

      Agent Push

      To push install the Windows agent, SMB 2.0 must be enabled on the Windows asset.

      Notes:

      • If SMB 2.0 is enabled on your Unitrends appliance, agent push is NOT supported for the following: Windows 2003 R2, Windows XP, Windows Vista. Agent push to these operating systems is supported on appliances where SMB 1.0 is enabled. (To configure your appliance to use SMB 1.0, contact Unitrends Support.)
      • Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the Windows asset: Insecure Guest Login and SMB 2.0.
       

      Oracle on Windows

      SMB 2.0 must be enabled on the Windows server so that the Unitrends agent can access the appliance's SMB 2.0 Samba share when performing backup and recovery operations.

      Note: If the backup appliance is running a pre-10.4.8 release and is configured to use SMB 2.0, the following must be enabled on the Windows server: SMB 2.0 and Insecure Guest Login.
       

      Oracle on Solaris

      • The Unitrends agent must have access to the appliance's SMB 2.0 Samba share to perform backup and recovery operations. These requirements apply:

      • A Samba client must be enabled. See KB 1303 for details.

      • A Samba key must be added for the backup appliance. To add the key, issue this command (the default password is samba):

      smbadm add-key -u [email protected]<applianceIP>
      
      Example:
      smbadm add-key -u [email protected]
      Where 192.168.111.22 is the UB IP address. 
       

      Windows Remote Desktop sessions

      1. Log On and Log Off procedures are executed to provide secure credential management and access to SMB2 shares. When using an RDP session, it is recommended to Log Off at the conclusion of the session. If the RDP session is closed, the Log Off procedure does not execute. Subsequently, the following Log On procedure will not execute and SMB2 shares will not be accessible.

      2. To prevent unsuccessful log-off operations, the command below may be used to save user credentials. This action is required only once as long as the session is used at least once every 30 days.

      cmdkey /add:<appliance_ip> /user:samba /pass:samba



      *Mounting external CIFS shares with SMB2-only access from the Unitrends system is not yet supported via CentOS6 on the Unitrends system.

      CAUSE

      The introduction of WannaCry illuminated a security flaw in the SMB1 protocol.  While Microsoft security patches have been made available to Windows systems, many have chosen to upgrade their environment to use only the SMB2 protocol.

      Furthermore, Microsoft is increasingly requiring their customers to configure environments with SMB1 disabled in favor of SMB2. 

      While Unitrends is not directly at risk, Unitrends supports both SMB1 and SMB2 environments.

      Many customers will have already configured their Windows environment for SMB2-only before contacting Unitrends, but below is an article from Microsoft describing methods to disable SMB1 and enable SMB2 on various Windows systems.  Usually the registry entries are the key component.
      https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
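
The following read-only PowerShell audit is an added example, not code from Unitrends or the linked Microsoft article. It reports whether SMB1 and SMB 2.0 are enabled on a Windows asset and whether insecure guest logons are allowed, the two Windows-side settings this article depends on. The function names are hypothetical, and it assumes a Windows version that provides Get-SmbServerConfiguration (Windows 8 / Server 2012 or later).

```powershell
# Added example: read-only audit of the Windows-side SMB settings named in this
# article. Run in an elevated session on the Windows asset or Hyper-V host.

function Get-RegistryValueOrNull {   # hypothetical helper name
    param([string]$Path, [string]$Name)
    # $null means the key or value is absent, i.e. the setting is not configured.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Get-SmbReadinessReport {    # hypothetical function name
    $server = Get-SmbServerConfiguration

    # "Enable insecure guest logons": the Group Policy value overrides the local one.
    $policy = Get-RegistryValueOrNull 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation' 'AllowInsecureGuestAuth'
    $local  = Get-RegistryValueOrNull 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters' 'AllowInsecureGuestAuth'
    if ($null -ne $policy)    { $guest = [bool]$policy; $source = 'GroupPolicy' }
    elseif ($null -ne $local) { $guest = [bool]$local;  $source = 'LocalRegistry' }
    else                      { $guest = $null;         $source = 'NotConfigured (OS default applies)' }

    $findings = @()
    if (-not $server.EnableSMB2Protocol) {
        $findings += 'SMB 2.0 server is disabled: the operations in this article require it.'
    }
    if ($server.EnableSMB1Protocol) {
        $findings += 'SMB1 server is still enabled: this host is not SMB2-only.'
    }
    if ($guest) {
        $findings += 'Insecure guest logons are enabled: needed only with a pre-10.4.8 appliance.'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        Smb1ServerEnabled   = $server.EnableSMB1Protocol
        Smb2ServerEnabled   = $server.EnableSMB2Protocol
        InsecureGuestLogons = $guest
        GuestSettingSource  = $source
        Findings            = $findings
    }
}

Get-SmbReadinessReport | Format-List
```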
