Configure all connections to be established by the backup server

[AlexGre]

Hello,
let's say we have two physical servers, one being a hyper-v hypervisor and one the VBR backup server, both running windows server and each with only directly attached storage. As one step to protect the backup server, we would like to block any incoming connections in its firewall, to minimize the potential attack surface. The idea being, that any backup task is initiated from the backup server, thus there is no need for the hyper-v server to contact the backup server and any connections between them should be initiated by the backup server. However, we did not manage to get such a scenario working as it seems that the hyper-v server contacts the backup server once the backup has been started and does not do so in a connection initiated by the backup server. In our tests, we needed to enable at least the “Veeam Data Mover x64 (Veeam Transport Service) (In)” rule that is created by the setup, which allows incoming connections for C:\Program Files (x86)\Veeam\Backup Transport\x64\VeeamAgent.exe, in order for the backup to success.

Thus, we wonder if it is possible to configure the backup to only use connections initiated by the backup server or not.

Best,
Alex

[Mildur]

Hi Alex

The HyperV Proxy component on the HyperV server needs to connect to the backup repository component on your backup server. I assume your backup server is the backup repo your job has configured.

It is not possible to start the connection from the backup repo to the proxy when doing a backup. It‘s always from Proxy to Repository.
This is done by the Veeam Data Mover Service.