Skip to main content

 

Druva Documentation

About the inSync Edge Server

inSync On-premise 5.4 Administrator Guide
On-premise Editions: File:/tick.png Private Cloud File:/cross.png Enterprise File:/cross.png Professional

Overview

In an inSync Private Cloud deployment, the inSync client might back up data outside the organization's firewall. This means providing access to the inSync Master and the inSync Storage Nodes from outside the firewall. As a security policy, your organization might not allow connections or requests that come from devices outside the firewall. In such scenarios, we recommend the use of inSync Edge Servers.

The inSync Edge Server sits in a demilitarized zone (DMZ), outside your organization's firewall and facilitates communication between the inSync client and the inSync Master, or the inSync client and the inSync Storage Node. By validating the requests that the inSync client sends to the inSync Master or to the inSync Storage Node, the inSync Edge Server introduces an additional layer of security. The inSync Edge Server acts as a gateway that filters requests via unauthorized networks to counteract the vulnerability of the Private Cloud setup.

inSync Edge Server deployment architecture

The following diagram illustrates a sample deployment of inSync Private Cloud with inSync Edge Servers. The organization has geographically distributed location, and each location is protected by a firewall.

As illustrated in the diagram, at least one inSync Edge Server is required for each location. Once inSync Edge Server is configured for the inSync Master or the inSync Storage Node. inSync Master and inSync Storage Nodes that are within the same network communicate directly. When the inSync Master needs to communicate with inSync Storage Nodes that are outside the network, the inSync Master communicates through the inSync Edge Server. The inSync client communicates with the inSync Master or the inSync Storage Node through the inSync Edge Server.

inSync Edge Server deployment scenarios

You can have any of the following Edge Server deployment scenarios in your inSync Private Cloud environment.

Deployment scenario Implementation

Single Master Server and Storage Node on the same machine.

Requires only one Edge Server.

Master Server and multiple remote Storage Nodes. All in the same geographical location.

Requires only one Edge Server.

Master Server and multiple remote Storage Nodes that are in different geographical locations.

Requires one Edge Server per network if you want the remote Storage Nodes to be accessible from all the networks.

Authentication and security

The following diagram illustrates the communication between the inSync client, inSync Edge Server, inSync Storage Node, inSync Master, and your firewall.

  • All communication between various components are encrypted by using 256-bit SSL encryption.
     
  • When the inSync Master connects with the inSync Edge server, inSync uses a shared unique key between the inSync Master and the Edge Server to authenticate the connection. This ensures that no untrusted application acts as the Edge Server or the inSync Master. Once the authentication is successful, a persistent connection is established between the inSync Master and the inSync Edge Server. The same authentication mechanism is used between the Storage Node and the Edge Server.
     
  • No incoming connection is required from anywhere outside the network to the inSync Master or the inSync Storage Node. Additionally, there are no outgoing connections from the Edge Server to the inSync Master or the inSync Storage Node. Therefore, you do not need to open any port on your firewall for inSync servers.
     
  • By default, the Edge Server has self-signed SSL certificates loaded. Customers can also choose to load their own certificates for production use.
     
  • When inSync client users who are outside the enterprise network try to connect with the Edge Server, the inSync client checks for certificate fingerprint and also refers to the root CA repository to verify the Edge Server identity. If the certificate fingerprint check fails, the inSync client stops communicating with the Edge Server.
     
  • The inSync Master also authenticates the inSync client and ensures that requests are coming from an authentic client. This prevents any man-in-the-middle attack.

Data flow through the inSync Edge Server

The following table explains the data flow between the inSync client, inSync Master, inSync Storage Node, and inSync Edge Server.

Step Description
1 The inSync client initiates a backup or restore request to inSync Edge Server.
2

The inSync Edge Server validates the request. The security mechanism in place for this stage is as follows:

a. The inSync client initiates an SSL connection with the Edge Server.

b. The Edge Server performs the parameter validation.

c. The Edge Server forwards the inSync client request to the inSync Master for authentication.

d. If the authentication is successful, the Edge Server creates the communication tunnel between the inSync Client and the inSync Master. This tunnel is SSL-encrypted.

If the authentication failed, the connection between the inSync client and the Edge Server is closed.

3 The inSync Master receives the backup or restore request from the inSync Client over a secure tunnel. The inSync Master then redirects the inSync Client to the appropriate inSync Storage Node. During this redirection, the inSync Master sends an encrypted token to the inSync Client. This encrypted token is used for the authentication of the inSync Client with the inSync Storage Node.
4

The inSync client sends the request to the inSync Edge Server that is configured for the inSync Storage Node with which the inSync client wants to communicate.

The security mechanism in place for this stage is as follows:

a. The inSync client initiates an SSL connection with the Edge Server.

b. The Edge Server performs the parameter validation.

c. The Edge Server forwards the inSync client authentication request to the inSync Storage Node to validate the encrypted token received from the inSync Master in step 3.

d. If the authentication is successful, the Edge Server creates the communication tunnel between the inSync Client and the inSync Storage Node. This tunnel is SSL-encrypted.

If the authentication failed, the connection is closed.

5

Data is backed up or restored over the SSL-encrypted tunnel. This data is stored on the inSync Storage Node by using AES encryption.

  • Was this article helpful?