VM behind firewall so can't upload agent?

[pkelly_sts]

We have a few VMs that MUST be behind a restricted double-bastion firewall for security purposes so our B&R server can't access the administrative share to upload the "agentless agent".

Ordinarily I'd consider pushing for FW rules to allow it but in this case I'm now also switching replication to be "pulled" from a B&R box we have at the DR site (as opposed to being pushed by the HQ site) so would also need to open the Fw to this remote site as well which really isn't going to happen for various reasons.

What options am I left with to get as clean a backup/replication as possible of these VMs?

Regards,

Paul

[foggy]

Leaving the firewall between the sites aside, there's actually no need for the backed up VM to be accessible over network at all, as in this case the job will fail over to VMware Tools (VIX) API to perform all the required activity.

[pkelly_sts]

That's what I thought, but I always get the following error:

Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [x.x.x.x]. Account: []. Win32 error:The network path was not found. Code: 53 '
'
So what should I be doing differently to get it to quietly fail over to VIX?

[foggy]

You can try to set the InverseVssProtocolOrder (DWORD) registry key to 1 so that the job always try network-less processing (VIX) mode before trying to access via network. If that doesn't help, check the VMware Tools status for this VM.

Probably contacting support will be more effective in addressing this.

[pkelly_sts]

VMWare tools status is current/running & I'd rather not force all jobs to use VIX if I can avoid it. Will take your advice & give support a shout if I find it bothering me too much but at least I don't feel like I'm doing something obviously wrong, thanks.

[foggy]

You can also double-check the credentials used by the job, make sure to specify an account with local administrator privileges on this VM.

[pkelly_sts]

I did exactly that after my last post & I actually think it's the credentials now, will find out tomorrow when I let the job run another time...

[Gostev]

specify an account with local administrator privileges on this VM

This is not enough. Network-less interaction with Microsoft Windows guests with UAC enabled (Vista or later) requires that Local Administrator (MACHINE\Administrator) or Domain Administrator (DOMAIN\Administrator) account is provided on Guest Processing step.

[pkelly_sts]

That's interesting Gostev - I was just coming back here to confirm that configuring the job with the correct local admin account (an account which is a member of the local administrators group) solved the problem after all. This is how I have our backups mostly configured, using a service-specific user account - using even the actual local admin account for such things should very much be frowned upon IMHO, never mind the Domain Admin account which should *never* be used for such things in my opinion!

[foggy]

Do you have UAC enabled on that VM?

[pkelly_sts]

We do as default on all our 2008 VMs