-
- Service Provider
- Posts: 97
- Liked: 13 times
- Joined: Jun 06, 2019 2:10 pm
- Full Name: Toussaint OTTAVI
- Contact:
Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?
Hi,
I'm a Veeam Cloud Service Provider (VCSP). I'm hosting a Veeam Backup Server in my data center. It connects to my customer's servers through VPNs to make off-site backups.
Since Update 4 (or 4a, don't know exactly), the Application-Aware feature is not working anymore. A case support case is open, but people are telling me "it's by design" !
The support is saying I must keep full NetBIOS/SMB traffic open through the firewall from my VBR server to all my remote cutomer locations. On a machine that contains Administrator credentials for all the remote systems, on a security point of view, that's just terrible !
Moreover,the following link does not say Netbios ports must be open between the VBR server and the Guest Proxy :
https://helpcenter.veeam.com/docs/backu ... 95u4#guest
According to this document, Netbios must be (and currently is) allowed only between the Guest proxy and the Guest OS, not between the VBR and the Guest Proxy.
And for the finish, the severity level of my case has been lowered, stating this is not a production critical problem. Of course, I clearly do not agree with that ! What would happen if any of our customers's protected VMs crashes, and can not be restored, because the backup server is not working anymore after Update 4 ?
What's wrong with Update 4 and Guest Proxy ? As far as the support seems to say "it's by design", what solution could I expect ?
Case # 03601090
Kind regards
I'm a Veeam Cloud Service Provider (VCSP). I'm hosting a Veeam Backup Server in my data center. It connects to my customer's servers through VPNs to make off-site backups.
Since Update 4 (or 4a, don't know exactly), the Application-Aware feature is not working anymore. A case support case is open, but people are telling me "it's by design" !
The support is saying I must keep full NetBIOS/SMB traffic open through the firewall from my VBR server to all my remote cutomer locations. On a machine that contains Administrator credentials for all the remote systems, on a security point of view, that's just terrible !
Moreover,the following link does not say Netbios ports must be open between the VBR server and the Guest Proxy :
https://helpcenter.veeam.com/docs/backu ... 95u4#guest
According to this document, Netbios must be (and currently is) allowed only between the Guest proxy and the Guest OS, not between the VBR and the Guest Proxy.
And for the finish, the severity level of my case has been lowered, stating this is not a production critical problem. Of course, I clearly do not agree with that ! What would happen if any of our customers's protected VMs crashes, and can not be restored, because the backup server is not working anymore after Update 4 ?
What's wrong with Update 4 and Guest Proxy ? As far as the support seems to say "it's by design", what solution could I expect ?
Case # 03601090
Kind regards
-
- Product Manager
- Posts: 14836
- Liked: 3083 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?
Hello,
before I start further investigations: could you tell me whether the "Try application processing, but ignore failures" was set before? As far as I understood the case, it never worked. It just did not show an error because of the configuration.
In general, it's correct, that you need all SMB ports between guest interaction proxy and guest VM.
The port requirements we have today is something we are aware of. But there won't be a short term solution for that.
Best regards,
Hannes
before I start further investigations: could you tell me whether the "Try application processing, but ignore failures" was set before? As far as I understood the case, it never worked. It just did not show an error because of the configuration.
In general, it's correct, that you need all SMB ports between guest interaction proxy and guest VM.
if you don't have additional guest interaction proxies, then your backup server is the guest interaction proxy. So support would be correct in that case. Also see this pictureIt connects to my customer's servers through VPNs to make off-site backups.
The port requirements we have today is something we are aware of. But there won't be a short term solution for that.
Best regards,
Hannes
-
- Service Provider
- Posts: 97
- Liked: 13 times
- Joined: Jun 06, 2019 2:10 pm
- Full Name: Toussaint OTTAVI
- Contact:
Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?
Hi,
Thank you for your answer. After further troubleshooting with support teams, my current understanding of the situation is :
- Option "Try application processing, but ignore failures" is set. It's what I want : "Try App Aware; in case of problems, failback to standard mode (but warn me)"
- VSS proxy has never worked before. System was failing over to standard mode (as expected) but no Warnings were issued. Log messages were unclear and final status was OK, what made me think the backups were done with App Aware, while they were not.
- Update 4 did not seem to change the VSS proxy behavior itself, but it added a clear Warning when using failback mode. This made me aware of the problem.
What is not in the specs is that full SMB seems to be needed also between the VBR server and the Guest proxy, because an executable is pushed at every start of a new backup task. The provided picture, and other parts of the documentation, seems to be wrong : ports 6190 and 6290 are not sufficient between the VBR and the Guest Proxy for App Aware processing.
The real problem is here : Full SMB access is not acceptable on a security point of view in a scenario where I am a Service Provider, and my VBR server needs to connect to several Guest Proxies belonging to different customers in different locations.
Moreover, it's counter-productive in terms of WAN utilization : why paying for an additional (pretty efficient) WAN accelerator if Veeam will waste WAN bandwidth by sending the same executable at every start of a new remote backup task ?
Please note this is a critical situation here, because, with my current understanding, Veeam Backup and Replication is not really usable in a Cloud Service Provider scenario. I'm selling backup services that are partially broken to our customers, and all my investment in the last 12 months may be lost. This would be a severe drawback for my small company. If you don't have a short term scenario, I'll have to find one very quickly !
Kind regards,
Thank you for your answer. After further troubleshooting with support teams, my current understanding of the situation is :
- Option "Try application processing, but ignore failures" is set. It's what I want : "Try App Aware; in case of problems, failback to standard mode (but warn me)"
- VSS proxy has never worked before. System was failing over to standard mode (as expected) but no Warnings were issued. Log messages were unclear and final status was OK, what made me think the backups were done with App Aware, while they were not.
- Update 4 did not seem to change the VSS proxy behavior itself, but it added a clear Warning when using failback mode. This made me aware of the problem.
Of course. That's in the specs. And I have no filtering between them.In general, it's correct, that you need all SMB ports between guest interaction proxy and guest VM.
What is not in the specs is that full SMB seems to be needed also between the VBR server and the Guest proxy, because an executable is pushed at every start of a new backup task. The provided picture, and other parts of the documentation, seems to be wrong : ports 6190 and 6290 are not sufficient between the VBR and the Guest Proxy for App Aware processing.
The real problem is here : Full SMB access is not acceptable on a security point of view in a scenario where I am a Service Provider, and my VBR server needs to connect to several Guest Proxies belonging to different customers in different locations.
Moreover, it's counter-productive in terms of WAN utilization : why paying for an additional (pretty efficient) WAN accelerator if Veeam will waste WAN bandwidth by sending the same executable at every start of a new remote backup task ?
Please note this is a critical situation here, because, with my current understanding, Veeam Backup and Replication is not really usable in a Cloud Service Provider scenario. I'm selling backup services that are partially broken to our customers, and all my investment in the last 12 months may be lost. This would be a severe drawback for my small company. If you don't have a short term scenario, I'll have to find one very quickly !
Kind regards,
-
- Product Manager
- Posts: 14836
- Liked: 3083 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?
Hello,
I agree with you about how it should be.
Best regards,
Hannes
PS: it is expected that the case priority of the case cannot be "1" as referenced in the support policy
I agree with you about how it should be.
Please give me some time to check as the documentation does not say that (I saw the answer from support in the case).because an executable is pushed at every start of a new backup task
Best regards,
Hannes
PS: it is expected that the case priority of the case cannot be "1" as referenced in the support policy
-
- Service Provider
- Posts: 97
- Liked: 13 times
- Joined: Jun 06, 2019 2:10 pm
- Full Name: Toussaint OTTAVI
- Contact:
Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?
Thank you for your answer and your efforts.
The last logs sent in the case contain the two scenarios :
- Netbios/SMB closed between VBR an Guest Proxy : Communication with Guest Proxy errors, and Application Aware processing fails
- Netbios/SMB open between VBR and Guest Proxy : Application Aware seem to work fine
About case priority : as a "Cloud Service Provider", I have a slightly different point of view. I asked yesterday afternoon a callback from a Partnership Program Manager to discuss about that. I'm still waiting... In the meantime, I have several $$$$$ of orders to extend my Veeam datacenter capacity. According to your policy, how long do you think I must wait for an answer before deciding what to do ?
The last logs sent in the case contain the two scenarios :
- Netbios/SMB closed between VBR an Guest Proxy : Communication with Guest Proxy errors, and Application Aware processing fails
- Netbios/SMB open between VBR and Guest Proxy : Application Aware seem to work fine
About case priority : as a "Cloud Service Provider", I have a slightly different point of view. I asked yesterday afternoon a callback from a Partnership Program Manager to discuss about that. I'm still waiting... In the meantime, I have several $$$$$ of orders to extend my Veeam datacenter capacity. According to your policy, how long do you think I must wait for an answer before deciding what to do ?
-
- Service Provider
- Posts: 97
- Liked: 13 times
- Joined: Jun 06, 2019 2:10 pm
- Full Name: Toussaint OTTAVI
- Contact:
Re: Veeam Cloud Solution Provider : VSS proxy broken / Full Netbios access required since Update 4 ?
Answer received right now Investigations in progress...
Who is online
Users browsing this forum: No registered users and 23 guests