We have a somewhat-static web app with a large amount of media files that runs on a 2008 R2, non-domain server on the DMZ. I need to back up the media files on the server. The current backup mechanism for servers on the trusted network is BackupExec agents.
What would be best practice to back up the DMZ server? I don't really feel comfortable pushing a BackupExec client to it and having it connect back through the firewall to the BE server on the trusted network...
Use RSync over SSH, or another appropriate and secure method of file transfer, to get the files from the production DMZ machine to your internal network. Then back that up.
Depending on your security stance, you'll need to determine if you can open up the port(s) for the transfer in both directions. If it's only one, your security stance will determine which direction. Is it more secure for the DMZ machine (your production website) to initiate and push these files into your internal network? Or, would it be more secure for your internal network to initiate and pull the files from the DMZ machine?
Either way, the account being used should have the least privileges necessary to perform the transfer, so that if the account is compromised, it can't do much more damage than just delete the files, and maybe fill a disk.
With all that said, how different is this from allowing the BE protocol and data to move this data anyway?
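One way to enforce the least-privilege, pull-only transfer described in the answer above, as an added example that is not part of the original thread: a forced-command gate that lets the backup key run only an rsync read-only sender against the media directory. It assumes an OpenSSH-style sshd and a POSIX shell on the DMZ host; the script path, `/srv/media`, and the `authorized_keys` placeholders are hypothetical.

```shell
#!/bin/sh
# backup-gate.sh: forced command for a pull-only backup key (added example).
# Hypothetical authorized_keys entry for the backup account on the DMZ host:
#   command="/usr/local/bin/backup-gate.sh",from="<internal-backup-ip>",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding ssh-ed25519 <public-key> backup-pull

MEDIA_ROOT=/srv/media   # assumed location of the media files

# allow_backup_cmd CMD
# Returns 0 only when CMD is exactly what an rsync client sends for a plain
# pull: rsync --server --sender -<flags> . <path under MEDIA_ROOT>
allow_backup_cmd() {
    set -f; set -- $1; set +f          # split on whitespace, no globbing, no eval
    [ "$#" -eq 6 ] || return 1         # any extra option or argument is refused
    [ "$1" = rsync ] || return 1
    [ "$2" = --server ] || return 1
    [ "$3" = --sender ] || return 1    # sender mode: the DMZ side only reads
    case $4 in
        -[!-]*) ;;                     # one short-flag bundle, no long options
        *) return 1 ;;
    esac
    [ "$5" = . ] || return 1
    case $6 in
        *..*) return 1 ;;              # no climbing out of MEDIA_ROOT
        "$MEDIA_ROOT"|"$MEDIA_ROOT"/*) return 0 ;;
    esac
    return 1
}

# Entry point: sshd puts the client's requested command in SSH_ORIGINAL_COMMAND.
if [ -n "${SSH_ORIGINAL_COMMAND:-}" ]; then
    if allow_backup_cmd "$SSH_ORIGINAL_COMMAND"; then
        set -f
        exec $SSH_ORIGINAL_COMMAND     # word-split only; never passed to a shell
    fi
    echo "backup-gate: rejected: $SSH_ORIGINAL_COMMAND" >&2
    exit 1
fi
```

The path check is textual, so it does not account for symlinks inside the media directory. rsync's bundled `rrsync` script covers the same job with fuller option handling.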