on 11-23-2015 12:58 PM
There are only a handful of Cisco-recommended SFTP servers for UC application backups. One of them is OpenSSH. This document explains how to install an SSH server based on OpenSSH. The proxy / relay function is optional.
The server is a proxy / relay for backups from Cisco Unified Communications Appliances (Cisco Unified Communications Manager, Cisco Unity Connection, Cisco Unified Contact Center Express, etc.)
The UC appliance backups are received daily.
A script runs at 9pm each day to copy the backup files to a Windows file server after removing old backup files to preserve space.
The operating system for the backup server is Debian 7 (Wheezy) 32-bit (due to lower hardware requirements).
This guide assumes the server is installed on a virtual machine inside VMware ESXi.
Backup to SFTP Server:
Device | Backup time | Backup Destination |
CUCM | 18:30 | SFTP (10.10.10.50) |
CUC | 20:00 | SFTP (10.10.10.50) |
Copy on Windows file server:
Device | Backup Destination |
CUCM | \\fs1\UC\Backup\cucm |
CUC | \\fs1\UC\Backup\cuc |
Virtual machine setup:
Setting | Value |
VM Name | SFTP-Server |
Guest OS | Debian GNU/Linux 6 (32-Bit) |
Memory | 512 MB |
Network | VM Network / E1000 |
Storage | 40 GB |
All settings not mentioned were left at default.
Operating system installation:
ISO image: debian-7.8.0-i386-netinst.iso
Setting | Value |
Language / Location / Keyboard | English / Canada / American English |
Host name | SFTP-Server |
Domain name | domain.int |
Software selection | SSH server / Standard system utilities |
All settings / values not mentioned were left at default.
For usernames and passwords see appendix.
Below are the required CLI inputs.
Network settings:
First the IP address, subnet mask and gateway are configured. Then the name servers are added and the server is rebooted.
nano /etc/network/interfaces
# The primary network interface
allow-hotplug eth0
iface eth0 inet static
address 10.10.10.50
netmask 255.255.255.0
gateway 10.10.10.254
nano /etc/resolv.conf
domain domain.int
search domain.int
nameserver 10.10.10.1
nameserver 8.8.8.8
nameserver 8.8.4.4
shutdown -r now
Now you can log in through SSH (e.g. PuTTY) using IP address 10.10.10.50.
User accounts for the SFTP connections are created.
adduser cucm
Enter new UNIX password:
Retype new UNIX password:
Full Name []: CUCM Backup
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
adduser cuc
Enter new UNIX password:
Retype new UNIX password:
Full Name []: CUC Backup
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n] Y
First the list of available software packages is updated.
apt-get update
Now the SMB file system support (to access Windows file servers) is installed.
apt-get install cifs-utils
First a new directory is created which will be used to mount the Windows file share.
mkdir /mnt/fs1
A separate file contains the username and password for the file server access.
nano /root/.smbcredentials
username=Username
password=Password
domain=Domain
The file "/etc/fstab" contains all mount points that are loaded during startup. The Windows file share is added and the credential file is referenced.
nano /etc/fstab
//fs1/UC /mnt/fs1 cifs sec=ntlm,credentials=/root/.smbcredentials 0 0
The backup script is similar to a batch file and is called by the scheduler "cron".
nano /root/cp-backups.sh
#!/bin/sh
# shell script to copy Backups to Windows Server
#
# Remove old Backup files on Windows Server before copy
echo "removing old Backup files..."
rm /mnt/fs1/Backup/cucm/*
echo "starting copy of cucm..."
cp -r -v /home/cucm/* -t /mnt/fs1/Backup/cucm
# Remove old Backup files on Windows Server before copy
echo "removing old Backup files..."
rm /mnt/fs1/Backup/cuc/*
echo "starting copy of cuc..."
cp -r -v /home/cuc/* -t /mnt/fs1/Backup/cuc
#
echo "Done"
exit 0
After creating the script it needs to be made executable.
chmod +x /root/cp-backups.sh
The scheduler is configured to run the script regularly.
crontab -e
0 21 * * * /root/cp-backups.sh > /var/log/cp-backups.log 2>&1
The first five parameters define the time as follows:
An asterisk refers to "all the time" (i.e. every day of the month, every month, every day of the week).
The script output will be written to the log file "/var/log/cp-backups.log".
After a reboot of the server it is ready to go (the network drive will be mounted).
shutdown -r now
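A guarded variant of the copy script, added here as an example and not part of the original guide: it refuses to delete the old copies when the share is not mounted or when the appliance delivered no new backup, and it checks that the credentials file is private. The function names and the `run` argument are assumptions of this example; the paths are the ones used above.

```shell
#!/bin/sh
# Added example: guarded variant of /root/cp-backups.sh (not the original script).
# Function names are illustrative; paths are the ones used in this guide.

# Succeed only if a filesystem is really mounted at $1; otherwise rm/cp
# would silently operate on the empty local directory under /mnt.
require_mount() {
    mountpoint -q "$1" || { echo "ERROR: $1 is not mounted" >&2; return 1; }
}

# Succeed only if the credentials file $1 is accessible by its owner alone.
cred_file_private() {
    mode=$(stat -c %a "$1") || return 1
    [ "$mode" = 600 ] || [ "$mode" = 400 ]
}

# Succeed only if directory $1 holds at least one non-hidden entry.
has_backups() {
    for f in "$1"/*; do
        [ -e "$f" ] && return 0
    done
    return 1
}

# Replace the contents of $2 with the backups in $1. Old copies are
# deleted only after new backups are confirmed to exist.
sync_backups() {
    src=$1 dst=$2
    [ -d "$dst" ] || { echo "ERROR: $dst does not exist" >&2; return 1; }
    has_backups "$src" || { echo "ERROR: $src is empty, keeping $dst" >&2; return 1; }
    echo "removing old backup files in $dst..."
    rm -rf -- "${dst:?}"/* || return 1
    echo "starting copy of $src..."
    cp -r -- "$src"/* "$dst"/
}

# Real run (e.g. from cron): /root/cp-backups.sh run
if [ "${1:-}" = "run" ]; then
    cred_file_private /root/.smbcredentials ||
        echo "WARNING: /root/.smbcredentials should exist with mode 600" >&2
    require_mount /mnt/fs1 || exit 1
    rc=0
    sync_backups /home/cucm /mnt/fs1/Backup/cucm || rc=1
    sync_backups /home/cuc /mnt/fs1/Backup/cuc || rc=1
    exit "$rc"
fi
```

The non-zero exit status lets cron or a monitoring job notice a night on which nothing was copied.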
Usernames and Passwords:
Username | Password | used for |
root | P@ssw0rd | Administrator of SFTP Server |
cucm | cisco | SFTP backup user for CUCM |
cuc | cisco | SFTP backup user for CUC |
backup-cisco | cisco | Domain user with access to Windows file share |
Directories:
/home/cucm | Backup directory for CUCM |
/home/cuc | Backup directory for CUC |
/root | Home directory of root user (e.g. for ".smbcredentials" file) |
/var/log | Default log directory |
The SFTP server is configured under Disaster Recovery System.
Please note, the field "Path Name" must use "./". Then enter the appropriate username / password for the SFTP user (e.g. "cucm" or "cuc").
Afterwards backups can be scheduled by clicking on "Scheduler".
Also be aware that with today's Debian distribution you will have to modify the SSHD configuration file in order to re-enable old ciphers and algorithms because the Cisco SSH stack is still using old ones. If you don't do it you won't be able to pass the SFTP backup server validation in CUCM/CUC.
Here is the trick:
nano /etc/ssh/sshd_config
Add the following lines:
#Secure Ciphers and MAC
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
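To see which entries in such a configuration are the legacy ones being re-enabled, the following added example (not part of the original comment) lists every CBC-mode cipher and every SHA-1 or MD5 based algorithm in `Ciphers`, `KexAlgorithms` and `MACs` lines. The function names are illustrative, and the sample input is the two directives quoted above.

```shell
#!/bin/sh
# Added example: list legacy algorithms enabled in an sshd_config.

# Constructed sample input: the two directives from the comment above.
sample_config() {
cat <<'EOF'
#Secure Ciphers and MAC
Ciphers aes128-cbc,3des-cbc,blowfish-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group1-sha1
EOF
}

# Print "<directive> <algorithm>" for each legacy entry.
# Reads the files given as arguments, or standard input if there are none.
legacy_algorithms() {
    awk '
        { key = tolower($1) }
        key == "ciphers" || key == "kexalgorithms" || key == "macs" {
            n = split($2, algo, ",")
            for (i = 1; i <= n; i++)
                if (algo[i] ~ /-cbc$/ || algo[i] ~ /sha1/ || algo[i] ~ /md5/)
                    print $1, algo[i]
        }' "$@"
}

sample_config | legacy_algorithms
```

On the server itself, `legacy_algorithms /etc/ssh/sshd_config` gives the list to revisit once the appliances support newer algorithms.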
Thank you, this is good to know going forward. The last version I used was Debian 7.8 and it worked without those modifications.
This was exactly what I was looking for. Thank you!
There is a good solution called VoIP DRS that is built on OpenSSH and gives a visual management GUI for backups and monthly reports. You can also back up your voice gateways at the same time.