Veeam Hardened Repository Part 2 - Installation on HPE ProLiant DL380 G11

Note: This article covers Veeam Backup & Replication 12.3.1 and Veeam Hardened Repository ISO 2.0.0.8 for v12. Very recently, Veeam Software Appliance 13 (containing VBR 13.0.0) was released along with Veeam Infrastructure Appliance 13, which can be used as a Hardened Repository (can only be added to VBR 13). This is currently an Early Release and there is no upgrade or migration available from version 12. Hardened Repository installed from VHR ISO 2.0 should be upgradeable to Veeam Infrastructure Appliance 13 in the future.

Backup Repository Selection

I spent a long time studying, testing, and comparing various On-Premises solutions for primary backup storage that supports Immutability in the Veeam Backup & Replication environment. I summarized this in the article Choosing a secure backup storage solution for Veeam, where there was no conclusion.

Finally, given our requirements and conditions, I decided to use Veeam Hardened Repository. Financially, it's probably the cheapest option, while having many advantages that I mentioned in the article. I chose a physical server from Hewlett Packard Enterprise (HPE), model HPE ProLiant DL380 G11. This is a tested solution within the Veeam Ready program HPE ProLiant DL380 G11 - Hardened Appliance, Immutability.

HPE ProLiant DL380 Gen11 Server

• HPE ProLiant DL380 Gen11 QuickSpecs
• HPE ProLiant DL380 Gen11 Server User Guide
• HPE ProLiant DL380 Gen11

Server Parameters

• rack server 2U Form Factor
• processor Intel Xeon Silver 4509Y, 8 core, 2.6GHz
• memory 64 GB DDR5
• storage for system HPE NS204i-u Gen11 Boot Controller (2x 480 GB NVMe SSD, RAID 1)
• storage for data 10x 7.86 TB NVMe High Performance Read Intensive SFF
• storage controller HPE MR416i-p Gen11
• network 2x 10GBase-T - BCM 57416, 10Gb 2-port Base-T OCP3 Adapter
• network 2x 25GBase-SR SFP28 - BCM 57414, Broadcom P225p NetXtreme-E Dual-port 10Gb/25Gb Ethernet PCIe Adapter
• power supply 2x HPE 1000W Flex Slot Titanium Hot Plug Power Supply
• management HPE iLO 6 Advanced

Network Connection

For management/installation, we'll connect the iLO Management Port to Gigabit Ethernet (1000Base-T) LAN using a copper cable with RJ45 connectors.

For data transfer, we'll use 25 Gigabit Ethernet (25GBase-SR) with optical cables and LC connectors. On both switches and servers, we'll use transceivers (converters) SFP28. I have good experience with cheap OEM SFP28 transceiver 10/25Gbps. We'll connect the server redundantly to two Cisco Catalyst 9500 switches connected via StackWise Virtual into a stack.

For redundant connection, we'll use link aggregation using IEEE 802.3ad and Link Aggregation Control Protocol (LACP). On switches, this is called Port Channel or EtherChannel, on servers as NIC Teaming or Bonding (which the VHR installer uses).

Configuration in Cisco IOS or IOS XE:

interface TwentyFiveGigE1/0/1
 description backupStorage
 switchport access vlan 100
 switchport mode access
 channel-group 1 mode active
end
interface TwentyFiveGigE2/0/1
 description backupStorage
 switchport access vlan 100
 switchport mode access
 channel-group 1 mode active
end
interface Port-channel1
 description backupStorage
 switchport access vlan 100
 switchport mode access
end

We need to prepare an IP address in the management network for iLO and another IP address and DNS name in the network where the Veeam Backup & Replication infrastructure will communicate with the storage.

Initial iLO Configuration

• HPE iLO 6 User Guide - Setting up iLO

First, we need to connect to the iLO web interface. We have many options for performing the initial setup. The iLO Management Port uses DHCP by default. Even if we want to connect it to a network without DHCP, we can first use a network where a DHCP server is present.

• connect the iLO port to the network
• connect power to the server
• connect to the assigned IP address using a web browser
• log in with the initial username and password found on the label on the server
• change the default username and password in the Administration - User Administration menu
• set a static IP address in the iLO Dedicated Network Port menu, along with connection parameters, Hostname, IPv4 or IPv6, SNTP
• connect the iLO port to the new network (or change VLAN)

Firmware Upgrade

At the beginning, it's advisable to perform a firmware upgrade of hardware components. We can download the complete Service Pack as an ISO image from Service pack for HPE ProLiant Gen11 (directory HPE SPP support bundle) and boot from it.

• connect to iLO using a web browser
• launch the HTML5 Integrated Remote Console (bottom left or Remote Console & Media menu)
• click the Virtual Media - CD/DVD - Local *.iso file icon at the top and mount the downloaded Service Pack ISO

• click the Menu - Power - Momentary Press icon, confirm OK
• the server will start booting from the ISO, where the default option is automatic firmware update
• components with available new versions will be upgraded (the entire process is quite long, more than half an hour)
• restart the server

Creating Logical Drive - RAID Configuration

• HPE MR Gen11 Controller User Guide - Configuration in UEFI System Utilities
• Creating a logical drive

Generally, RAID 6 is recommended as optimal, which uses double parity (can tolerate the loss of 2 drives). It's also recommended to have 1 Spare Disk, which I didn't follow. The optimal RAID Stripe Size is stated as 256 kB.

We can find recommended parameters in the older document Selecting Hardware and Setting Up Environment for Veeam Hardened Repository. Specifically for HPE ProLiant DL380 Gen11, we have the manufacturer's recommended settings for use as a Veeam Hardened Repository, document Veeam hardened repository installation for HPE ProLiant DL380 Gen11 Server. The link is in the tested compatibility report Veeam Ready - Hardened Appliance, Immutability.

Configuration Using UEFI System Utilities

Note: This can be done via iLO Remote Access.

• during server startup (POST), press F9 to invoke UEFI System Utilities
• System Configuration - HPE MR416i-p Gen11
• Main Menu - Configuration Management - Create Logical Drive

Logical Drive Parameters

• choose RAID 6
• Select Drive - select the drives from which we want to create the logical drive
• Logical Drive Name - our drive identification
• Logical Drive Size - maximum capacity in TiB is automatically set
• Strip size - choose 256 kB
• Read Policy - choose No Read Ahead
• Write Policy - choose Write Back, the controller has 8 GB of persistent cache
• Default initialization - choose Full, otherwise initialization will be slow and run in the background
• click Save Configuration, confirm permanent data deletion Yes

iLO Volume Information

We can view server storage information in iLO - System Information - Storage.

Security Settings

We must secure the server and iLO as much as possible. Detected security risks can be found in the Information - Security Dashboard menu (also indicated by an icon in the top right corner). Recommended settings are found in the documentation Security guidelines and others in Veeam hardened repository installation for HPE ProLiant DL380 Gen11 Server.

This includes enabling Secure Boot (System Utilities - System Configuration - BIOS/Platform Configuration (RBSU) - Server Security - Secure Boot Settings), disabling USB boot (System Utilities - System Configuration - BIOS/Platform Configuration (RBSU) - System Options - USB Options), using secure passwords and preferably MFA, disabling services we don't use, disabling HTTP (without encryption), etc.

Generally, it's recommended to block iLO remote access. Physically disconnect the iLO port, block access at the FW level and allow only outgoing SMTP and SNMP, or connect iLO to a special separate network. We'll use iLO for installing Veeam Hardened Repository. So during that time we need to have remote access enabled, as well as USB booting.

Veeam Hardened Repository (VHR)

• Hardened Repository

In an older article, I described VHR ISO 0.1 Veeam Backup & Replication - Managed Hardened Repository. Recently, I tested the beta version of the new Veeam Infrastructure Appliance 13 Veeam Backup & Replication Hardened Repository v13 Beta.

Veeam Hardened Repository ISO

• [RELEASE] Managed Hardened Repository ISO by Veeam
• Preparing Hardened Repository Using Veeam ISO

System Requirements

• Veeam Backup & Replication 12.2 or newer
• at least 2 storage volumes, each at least 100 GB in size, the smaller one will be used for the system
• UEFI Secure Boot enabled
• HTTPS communication to the internet on selected addresses

Downloading the Installation ISO

Veeam Hardened Repository ISO for v12 can be downloaded from the Customer Portal or trial downloads in the Additional downloads section under the Extensions and Other tab. Currently, this is version 2.0.0.8 from January 29, 2025, file VeeamHardenedRepository_2.0.0.8_20250117.iso with a size of 2.9 GB. A newer version probably won't appear because the transition will be to Veeam Infrastructure Appliance 13.

Installation from VHR ISO

We'll perform the installation using iLO Remote Console and remote ISO file mounting.

Booting the Installation

• connect to iLO using a web browser
• launch the HTML5 Integrated Remote Console
• click the Virtual Media - CD/DVD - Local *.iso file icon at the top and mount the downloaded VHR ISO
• click the Menu - Power - Momentary Press icon, confirm OK
• during server startup (POST), press F11 to invoke the Boot Menu
• select iLO Virtual USB 3 : iLO Virtual CD-ROM
• in GRUB, choose Install Hardened Repository (deletes all data)

• the GUI installation wizard will start with options to set keyboard, time, and network

Network Configuration (Link Aggregation)

• click on Network & Host Name
• available network interfaces will be displayed (here 2x BCM57416 and 2x BCM57414)
• select the 25 Gbps interfaces that we have connected to the network one by one and enable them

• click the plus icon to add a device and choose Bond

• enter the connection name and click Add to add interfaces (on the Bond tab)
• select Ethernet as connection type and choose our network interface (device), save using Save
• repeat for the second network interface

• in our case, we choose 802.3ad mode for link aggregation (Bond)

• switch to the IPv4 Settings tab and enter network parameters
• click the Save button to create a new interface; when we select it, we should see Connected status
• below the network interface list, we can enter Host Name
• finish the configuration by clicking Done

On the Cisco switch, we can see that the connection has been established and the LACP protocol is being used.

SWITCH#sho int status | inc backupStorage

Port         Name             Status       Vlan       Duplex   Speed Type
Twe1/0/1     backupStorage    connected     100         full     25G SFP-25GBase-SR
Twe2/0/1     backupStorage    connected     100         full     25G SFP-25GBase-SR
Po1          backupStorage    connected     100       a-full     25G N/A

SWITCH#sho etherchannel summary | inc Po1

Group  Port-channel  Protocol     Ports
------+-------------+-----------+-----------------------------------------------
1      Po1 (SU)        LACP        Twe1/0/1(P)    Twe2/0/1(P)

Time Configuration

• click on Time & Date
• set the time zone
• if not enabled, we can enable NTP by clicking Network Time and edit the servers in the configuration
• or enter date and time information

Installation

• click Begin Installation and confirm that data will be deleted
• installation will complete in a few (8) minutes
• click the Virtual Media - CD/DVD - Force Eject Media icon at the top
• restart the server Reboot System

Server Configuration After Installation

• Rocky Linux will start up

• log in with the default username vhradmin and password vhradmin
• we must enter a new complex password, which has several restrictions (also maximum 4 characters of the same class in a row)

• agree to the license terms
• we'll enter the Veeam Hardened Repository Configurator, where we have several options available
• we can modify network settings, Proxy, time, perform updates using Update all