How Unitrends supports SMB2

SUMMARY

The security_option command can switch a Unitrends appliance between SMB1 and SMB2.

ISSUE

 

A Unitrends system may be configured to use SMB1 or SMB2.

Beginning in release 10.4.8, the SMB 2.0 security option is enabled by default on Unitrends appliances.
 

RESOLUTION

 

Enabling SMB2

  1. Navigate to Configure, select your Unitrends appliance then click Edit.
  2. Under the Advanced tab, select the Support Toolbox.
  3. Click the Samba SMB2 option button to enable SMB2.

Alternatively, SMB2 can be enabled from command line by issuing the following command:

security_option smb2

 

Disabling SMB2


To disable SMB2 and enable SMB1, run the following command:

security_option smb1

After disabling SMBv2, the Unitrends Samba service must be restarted. From the Support Toolbox screen described above, use the samba on/off toggle to disable and then re-enable Samba, or type the following command:

 

systemctl restart smb.service



Using SMB2 with file recovery from Windows VMs


To use a CIFS share for the recovery, SMB 2.0 must be enabled on the target Windows asset. 

Note: Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the target Windows asset: Insecure Guest Login and SMB 2.0.
 

Hyper-V Instant Recovery


To run a Windows replica on Hyper-V, SMB 2.0 must be enabled on the Hyper-V server.

Note: Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the Hyper-V server: Insecure Guest Login and SMB 2.0.

*If SMB2 is enabled on the appliance and Hyper-V but the VM cannot start and errors with "operation failed":

Appliances that shipped with smb2 may not have all allowances enabled. Run:

security_option smb2
systemctl restart smb.service

 

Windows Replicas created on a Hyper-V host server


Unitrends release v.10.4.2 enables Windows Replicas to a Hyper-V host using SMB2. Follow these steps:

  1. On the Unitrends appliance, first disable smb1 then enable smb2 with the new 10.4.2 configuration:
security_option smb1
security_option smb2
  2. On the Hyper-V host, enable "Insecure Guest Logons"
    1. Open Local Group Policy Editor
    2. Navigate into Administrative Templates - Network - Lanman Workstation
    3. Enable the setting "Enable insecure guest logons"

 

SharePoint 

To perform backup and recovery operations, SMB 2.0 must be enabled on each node in the farm.
Notes:

  • Backup appliances running pre-10.4.8 releases – If the appliance is configured to use SMB 2.0, the following must be enabled on each node in the farm: Insecure Guest Login and SMB 2.0.
  • SharePoint 2007 on Windows 2003 and prior is not supported on SMB 2.0 appliances. (To configure your appliance to use SMB 1.0, contact Unitrends Support.)
  • SharePoint may require custom client configuration for use with SMB 2.0. If SharePoint backups do not run successfully, see this Microsoft article for client configuration details: SharePoint Ports, Proxies and Protocols...An overview of farm communications.

SMBv2/v3 on SMB Client processes for Windows

  • Detect:

    sc.exe qc lanmanworkstation
    
  • Disable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/nsi
    sc.exe config mrxsmb20 start= disabled
    
  • Enable:

    sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
    sc.exe config mrxsmb20 start= auto
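
An added example (not Unitrends or Microsoft code) for reading the result of the Detect command: it parses saved `sc.exe qc` output and reports whether the SMBv2/v3 client matches the Disable or Enable state above, and whether the SMB1 driver is still bound. The sample outputs are constructed, the function names are illustrative, and querying `mrxsmb20` with `sc.exe qc` as well is an assumption of this example.

```python
import re

# Constructed sample output of `sc.exe qc lanmanworkstation` (not from the page):
# a host where the "Disable" commands have been applied.
WKS_SMB2_OFF = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: lanmanworkstation
        START_TYPE         : 2   AUTO_START
        DEPENDENCIES       : Bowser
                           : MRxSmb10
                           : NSI
        SERVICE_START_NAME : NT AUTHORITY\\NetworkService
"""
# Constructed sample output of `sc.exe qc mrxsmb20` on the same host.
DRV_SMB2_OFF = """\
SERVICE_NAME: mrxsmb20
        START_TYPE         : 4   DISABLED
        DEPENDENCIES       : mrxsmb
"""

def parse_sc_qc(text):
    """Extract the start type and dependency list from `sc.exe qc` output."""
    info = {"start_type": None, "dependencies": []}
    in_deps = False
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]*)\s*:\s*(.*)$", line)
        if not m:
            in_deps = False
            continue
        key, value = m.group(1), m.group(2).strip()
        if key == "START_TYPE" and len(value.split()) > 1:
            info["start_type"] = value.split()[1]   # value looks like "2   AUTO_START"
        # Extra dependencies follow on lines whose key column is empty.
        in_deps = key == "DEPENDENCIES" or (key == "" and in_deps)
        if in_deps and value:
            info["dependencies"].append(value.lower())
    return info

def smb_client_state(wks_qc, mrxsmb20_qc):
    """Classify the SMB client against the Disable/Enable commands above."""
    deps = parse_sc_qc(wks_qc)["dependencies"]
    start = parse_sc_qc(mrxsmb20_qc)["start_type"]
    bound, startable = "mrxsmb20" in deps, start not in (None, "DISABLED")
    if bound and startable:
        smb2 = "enabled"
    elif not bound and not startable:
        smb2 = "disabled"
    else:
        smb2 = "inconsistent"   # only one of the two sc.exe config steps applied
    return {"smb2": smb2, "smb1_bound": "mrxsmb10" in deps}

if __name__ == "__main__":
    print(smb_client_state(WKS_SMB2_OFF, DRV_SMB2_OFF))
```

An "inconsistent" result means the Workstation dependency list and the mrxsmb20 start type disagree, which is what a host looks like when only one of the two `sc.exe config` commands was run.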

 

Agent Push

To push install the Windows agent, SMB 2.0 must be enabled on the Windows asset.

Notes:

  • If SMB 2.0 is enabled on your Unitrends appliance, agent push is NOT supported for the following: Windows 2003 R2, Windows XP, Windows Vista. Agent push to these operating systems is supported on appliances where SMB 1.0 is enabled. (To configure your appliance to use SMB 1.0, contact Unitrends Support.)
  • Backup appliance running a pre-10.4.8 release – If the appliance is configured to use SMB 2.0, the following must be enabled on the Windows asset: Insecure Guest Login and SMB 2.0.

 

Oracle on Windows

SMB 2.0 must be enabled on the Windows server so that the Unitrends agent can access the appliance's SMB 2.0 Samba share when performing backup and recovery operations.

Note: If the backup appliance is running a pre-10.4.8 release and is configured to use SMB 2.0, the following must be enabled on the Windows server: SMB 2.0 and Insecure Guest Login.

 

Windows Remote Desktop sessions

  1. Log On and Log Off procedures are executed to provide secure credential management and access to SMB2 shares. When using an RDP session, it is recommended to Log Off at the conclusion of the session. If the RDP session is closed instead, the Log Off procedure does not execute. Subsequently, the following Log On procedure will not execute and SMB2 shares will not be accessible.

  2. To prevent unsuccessful log-off operations, the command below may be used to save user credentials. This action is required only once as long as the session is used at least once every 30 days.

cmdkey /add:<appliance_ip> /user:samba /pass:samba

 

Samba share access from Windows where the Agent is not installed

To access the samba share from a Windows system where the Unitrends agent is not already installed, run the following command. Use the IP address of your Unitrends appliance instead of 'appliance_ip'.

net use appliance_ip /user:samba /pass:samba

 

Oracle on Solaris

  • The Unitrends agent must have access to the appliance's SMB 2.0 Samba share to perform backup and recovery operations. These requirements apply:

  • A Samba client must be enabled. See KB 1303 for details.

  • A Samba key must be added for the backup appliance. To add the key, issue this command (the default password is samba):

smbadm add-key -u samba@<applianceIP>
Example:
smbadm add-key -u root@192.168.111.22
Where 192.168.111.22 is the UB IP address. 


*Mounting external CIFS shares with SMB2-only access from the Unitrends system is not yet supported via CentOS6 on the Unitrends system.

CAUSE

The introduction of WannaCry illuminated a security flaw in the SMB1 protocol.  While Microsoft security patches have been made available to Windows systems, many have chosen to upgrade their environment to use only the SMB2 protocol.

Furthermore, Microsoft is increasingly requiring their customers to configure environments with SMB1 disabled in favor of SMB2. 

While Unitrends is not directly at risk, Unitrends supports both SMB1 and SMB2 environments.

Many customers will have already configured their Windows environment for SMB2-only before contacting Unitrends, but below is an article from Microsoft describing methods to disable SMB1 and enable SMB2 on various Windows systems.  Usually the registry entries are the key component.
https://support.microsoft.com/en-us/help/2696547/how-to-detect-enable-and-disable-smbv1-smbv2-and-smbv3-in-windows-and
