Discussions specific to the Microsoft Hyper-V hypervisor
Post Reply
bc-109
Service Provider
Posts: 4
Liked: never
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?

Post by bc-109 » Jun 06, 2019 2:32 pm

Hi,

I'm a Veeam Cloud Service Provider (VCSP). I'm hosting a Veeam Backup Server in my data center. It connects to my customer's servers through VPNs to make off-site backups.

Since Update 4 (or 4a, don't know exactly), the Application-Aware feature is not working anymore. A case support case is open, but people are telling me "it's by design" !

The support is saying I must keep full NetBIOS/SMB traffic open through the firewall from my VBR server to all my remote cutomer locations. On a machine that contains Administrator credentials for all the remote systems, on a security point of view, that's just terrible !

Moreover,the following link does not say Netbios ports must be open between the VBR server and the Guest Proxy :
https://helpcenter.veeam.com/docs/backu ... 95u4#guest
According to this document, Netbios must be (and currently is) allowed only between the Guest proxy and the Guest OS, not between the VBR and the Guest Proxy.

And for the finish, the severity level of my case has been lowered, stating this is not a production critical problem. Of course, I clearly do not agree with that ! What would happen if any of our customers's protected VMs crashes, and can not be restored, because the backup server is not working anymore after Update 4 ?

What's wrong with Update 4 and Guest Proxy ? As far as the support seems to say "it's by design", what solution could I expect ?

Case # 03601090

Kind regards

HannesK
Veeam Software
Posts: 5089
Liked: 677 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?

Post by HannesK » Jun 07, 2019 5:59 am

Hello,
before I start further investigations: could you tell me whether the "Try application processing, but ignore failures" was set before? As far as I understood the case, it never worked. It just did not show an error because of the configuration.

In general, it's correct, that you need all SMB ports between guest interaction proxy and guest VM.
It connects to my customer's servers through VPNs to make off-site backups.
if you don't have additional guest interaction proxies, then your backup server is the guest interaction proxy. So support would be correct in that case. Also see this picture

The port requirements we have today is something we are aware of. But there won't be a short term solution for that.

Best regards,
Hannes

bc-109
Service Provider
Posts: 4
Liked: never
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?

Post by bc-109 » Jun 07, 2019 7:44 am

Hi,

Thank you for your answer. After further troubleshooting with support teams, my current understanding of the situation is :
- Option "Try application processing, but ignore failures" is set. It's what I want : "Try App Aware; in case of problems, failback to standard mode (but warn me)"
- VSS proxy has never worked before. System was failing over to standard mode (as expected) but no Warnings were issued. Log messages were unclear and final status was OK, what made me think the backups were done with App Aware, while they were not.
- Update 4 did not seem to change the VSS proxy behavior itself, but it added a clear Warning when using failback mode. This made me aware of the problem.
In general, it's correct, that you need all SMB ports between guest interaction proxy and guest VM.
Of course. That's in the specs. And I have no filtering between them.

What is not in the specs is that full SMB seems to be needed also between the VBR server and the Guest proxy, because an executable is pushed at every start of a new backup task. The provided picture, and other parts of the documentation, seems to be wrong : ports 6190 and 6290 are not sufficient between the VBR and the Guest Proxy for App Aware processing.

The real problem is here : Full SMB access is not acceptable on a security point of view in a scenario where I am a Service Provider, and my VBR server needs to connect to several Guest Proxies belonging to different customers in different locations.

Moreover, it's counter-productive in terms of WAN utilization : why paying for an additional (pretty efficient) WAN accelerator if Veeam will waste WAN bandwidth by sending the same executable at every start of a new remote backup task ?

Please note this is a critical situation here, because, with my current understanding, Veeam Backup and Replication is not really usable in a Cloud Service Provider scenario. I'm selling backup services that are partially broken to our customers, and all my investment in the last 12 months may be lost. This would be a severe drawback for my small company. If you don't have a short term scenario, I'll have to find one very quickly !

Kind regards,

HannesK
Veeam Software
Posts: 5089
Liked: 677 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?

Post by HannesK » Jun 07, 2019 11:45 am

Hello,
I agree with you about how it should be.
because an executable is pushed at every start of a new backup task
Please give me some time to check as the documentation does not say that (I saw the answer from support in the case).

Best regards,
Hannes

PS: it is expected that the case priority of the case cannot be "1" as referenced in the support policy

bc-109
Service Provider
Posts: 4
Liked: never
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?

Post by bc-109 » Jun 07, 2019 12:45 pm

Thank you for your answer and your efforts.

The last logs sent in the case contain the two scenarios :
- Netbios/SMB closed between VBR an Guest Proxy : Communication with Guest Proxy errors, and Application Aware processing fails
- Netbios/SMB open between VBR and Guest Proxy : Application Aware seem to work fine

About case priority : as a "Cloud Service Provider", I have a slightly different point of view. I asked yesterday afternoon a callback from a Partnership Program Manager to discuss about that. I'm still waiting... In the meantime, I have several $$$$$ of orders to extend my Veeam datacenter capacity. According to your policy, how long do you think I must wait for an answer before deciding what to do ?

bc-109
Service Provider
Posts: 4
Liked: never
Joined: Jun 06, 2019 2:10 pm
Full Name: Toussaint OTTAVI
Contact:

Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?

Post by bc-109 » Jun 07, 2019 12:49 pm

Answer received right now :-) Investigations in progress...

Post Reply

Who is online

Users browsing this forum: No registered users and 6 guests