mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Feature Request: reduce firewall sprawl

Post by mikeely » 9 people like this post

The official "Used Ports" page is... daunting. There are a LOT of edge cases requiring a LOT of holes poked through firewalls. Some of that surely makes sense - weird storage arrays etc. But to highlight where I believe most of the problem is, look at the sections labeled "Backup Server -> Linux Server" and compare that to "Backup Server -> Windows Server."

Put differently, when Veeam wants to control a Linux box it logs in via SSH and gets work done. When Veeam wants to control a Windows box it lazily expects a kazillion various NetBIOS and RPC ports to be open and ready to roll, and from what I've been experiencing, Veeam fails miserably when one of those ports isn't in the right state. When you're a sysadmin working with a networking team and constantly have to go hat in hand to beg for yet another large number of firewall rules to be poked, this is a huge time sink and a major drag.

What I propose is that Veeam develop some sort of runtime middleware that spawns on the Windows box (using the same install method as the Transport service perhaps) that only requires one control port open to the management server, guest interaction proxy, etc.

Note: I'm not complaining about the port range for Data Mover. That is at least consistent across platforms. I am complaining about needing to poke TCP 111, 135, 137-139, 445, 1058+ 2049+, 6060-6162, 49152-65535 and UDP 111, 135, 137-139, 445, 1058+, 2049+ for each and every Windows box out there versus TCP 22 for each Linux box.

Really, control data should be limited to SOAP over 443, SSH on 22, and some single Windows port. Please Veeam, you gotta do something about all this sprawl.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Feature Request: reduce firewall sprawl

Post by Andreas Neufert » 4 people like this post

Agree that Veeam uses a wide range of ports. I do not want to argue with you, as I agree that it is sometimes hard to discuss this with the security department, and I feel as well that there is a need for a solution like you described. But really, you do not need all of those ports. Let me explain a bit.

As Veeam is agentless, the only real way to interact with any kind of Windows box is by standard installed things.
This is Windows RPC. As Microsoft designed this protocol with a high port count usage, we cannot do anything about this.
It means you need the following ports for RPC: DCE, NetBIOS, CIFS, Dynamic RPC high ports => TCP, UDP 135, 137-139, 445, and the dynamic range of 49152-65535 by default. It can be different if you have Exchange, modified the range manually or use Windows 2003.
For Guest processing (consistency at backup) and File Restore there are 2 alternatives to avoid those ports at all. This is Guest Interaction by VMware VIX or, in case of Hyper-V 2016 with Win2016 VMs, we can use "PowerShell Direct". We use both as fallback automatically if we cannot speak with the VM over RPC. You can as well reverse the order and process those protocols first before RPC.

As we interact at restore with specific applications directly (again instead of installing agents on your systems), we need the ports of the applications as well.
Easy ones are Exchange and SharePoint. There we need only port 443 (and in some older versions of the applications TCP port 80).

For AD restore we need the LDAP ports.

SQL restore (and SQL Log Shipping) is a bit more complex.
At Log Backup we start a Veeam service to do so. This needs an extra port, 6167, and the Veeam standard transport ports TCP 2500-5000. For any parallel connection we use one of those ports. That means in most of the cases you need only TCP 2500-2501 (maybe use TCP 2500-2505 to have some spare ports).
At restore we use an iSCSI connection to the Veeam server to access the SQL backups instantly. This uses some additional ports and a management port (installer) TCP 6160.


111, 2049+ and 1058+ are not used in Guest Interaction, only in the backend of the Veeam servers.
6060-6162 is a wide range with a huge number of ports not used at all by Veeam. If you mean 6160-6162, then some of them are only used in the backend and not in Guest Interaction, like 6161 for our NFS service and 6162 for our WAN accelerator; see above for TCP 6160.

So you see that the ports are used that way because of our agentless approach and the need to use the ports given by Microsoft.

Would you prefer to install an "Agent Helper Proxy" that works on a single port to allow us to interact with the VM, instead of the agentless approach? Maybe as an optional component?
Ejdesgaard
Enthusiast
Posts: 43
Liked: 8 times
Joined: Aug 24, 2012 11:59 am

Re: Feature Request: reduce firewall sprawl

Post by Ejdesgaard »

What about TCP/5986 - WinRM ?
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Feature Request: reduce firewall sprawl

Post by Andreas Neufert »

Hi, I think we don't use WinRM.

If you are asking for Veeam usage of WinRM instead of RPC, it is not enabled by default in many installations and the protocol was built for something else.
StephanF
Enthusiast
Posts: 60
Liked: 19 times
Joined: Mar 26, 2015 1:15 pm

Re: Feature Request: reduce firewall sprawl

Post by StephanF » 1 person likes this post

Hi,

I wanted to add +1 for this Feature Request.

Let me explain our use case that is a little bit different to the one of the thread owner:
We have some endpoints in our production environment that are located in separate LAN segments behind a firewall for security purposes. We use Veeam Agent for Windows to back up those clients.

To access the backup repository (Windows server) we need to open a lot of ports (RPC port range, etc.). This could be a security issue. At least there is a bad taste. A kind of "port proxy" that reduces the number of ports would be helpful.
cbc-tgschultz
Enthusiast
Posts: 65
Liked: 11 times
Joined: May 13, 2016 1:48 pm
Full Name: Tanner Schultz

Re: Feature Request: reduce firewall sprawl

Post by cbc-tgschultz » 1 person likes this post

As a possible workaround, you can configure Windows such that when two hosts communicate to each other they do so using an ESP tunnel. This should get your firewall rules down to just allowing IP protocol #50 (ESP) between Veeam and the servers, and you can deploy it using GPO.

This guide should get you started: https://blogs.technet.microsoft.com/ask ... ity-rules/

In my opinion, we can file this whole issue under problems-that-could-have-been-solved-20-years-ago-if-Microsoft-wasn't-actively-hostile-to-standards.

If you're really ambitious, you could set up a Linux server on each side of the firewall that create a layer 3 tunnel to each other using a tun interface and SSH, then configure them to route between Veeam and the server(s) over that tunnel, then add a static route entry on each server pointing to the appropriate Linux server.

Though at that point one really has to wonder why you don't just allow all IP traffic between the IP addresses of Veeam and each server.
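The ESP workaround above, written out as an added example (this is not from the post, the linked Microsoft guide, or Veeam): Windows IPsec in transport mode, authenticated with the computer account's Kerberos ticket, so the network firewall between the segments only sees ESP while the host still evaluates its own firewall rules on the decapsulated RPC/SMB traffic. The addresses ($VeeamServer, $ProtectedHosts) and the GPO name are assumed placeholders.

```powershell
# Added example (not from the original post, not Veeam code): enforce the ESP workaround
# described in the thread with Windows IPsec transport mode and machine Kerberos auth
# (domain members only). $VeeamServer, $ProtectedHosts and the GPO name are assumptions.

$VeeamServer    = '10.0.10.5'        # assumed: backup server / guest interaction proxy address
$ProtectedHosts = @('10.0.20.0/24')  # assumed: segment holding the protected Windows hosts

# 'PersistentStore' applies the rules to the local host for a pilot. To deploy via GPO as
# the post suggests, point PolicyStore at the GPO instead, e.g. 'corp.example\Veeam-IPsec'
# (assumed name); the NetSecurity cmdlets accept '<domain>\<GPO name>' there.
$PolicyStore = 'PersistentStore'

# Phase 1 (main mode): machine Kerberos authentication, no PKI needed.
$p1Proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$p1Set = New-NetIPsecPhase1AuthSet -DisplayName 'Veeam P1 machine Kerberos' `
    -Proposal $p1Proposal -PolicyStore $PolicyStore

# Phase 2 (quick mode): ESP only (IP protocol 50), AES-256 encryption, SHA-256 integrity.
# Deliberately no AH and no NULL encryption, so backup traffic is confidential in transit.
$qmProposal = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -Encryption AES256 -ESPHash SHA256
$qmSet = New-NetIPsecQuickModeCryptoSet -DisplayName 'Veeam QM ESP AES256-SHA256' `
    -Proposal $qmProposal -PolicyStore $PolicyStore

function New-VeeamEspRule {
    # One rule per side: the local host accepts only ESP from the peer (inbound Require)
    # but still sends in the clear if the peer cannot negotiate yet (outbound Request),
    # which avoids locking yourself out of half-deployed hosts. Once every host has the
    # policy, change -OutboundSecurity to Require as well.
    param([string]$Name, [string[]]$RemoteAddress)
    New-NetIPsecRule -DisplayName $Name -Mode Transport -Protocol Any `
        -LocalAddress Any -RemoteAddress $RemoteAddress `
        -InboundSecurity Require -OutboundSecurity Request `
        -Phase1AuthSet $p1Set.Name -QuickModeCryptoSet $qmSet.Name `
        -PolicyStore $PolicyStore
}

# On each protected Windows host the peer is the backup server:
New-VeeamEspRule -Name 'Veeam ESP (guest side)' -RemoteAddress $VeeamServer
# On the backup server the peers are the protected segments (run this line there instead):
# New-VeeamEspRule -Name 'Veeam ESP (server side)' -RemoteAddress $ProtectedHosts

# Verify after the next job run: a quick-mode SA per peer means the RPC/SMB traffic really
# travels inside ESP; an empty list means the hosts fell back to clear text (Request).
Get-NetIPsecQuickModeSA | Format-List
```

Two things the network team will still ask for: IKE negotiation runs over UDP 500 (and UDP 4500 when a NAT sits in the path), so those go next to IP protocol 50 in the segment firewall rule; and because Windows Firewall inspects the inner packets after decapsulation, the host firewall on each guest still needs the RPC/SMB ports allowed from the backup server, but that rule lives in the GPO rather than in the network team's change queue.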
voyager529
Influencer
Posts: 17
Liked: 14 times
Joined: May 14, 2015 8:41 pm
Full Name: Joey Famiglietti

Re: Feature Request: reduce firewall sprawl

Post by voyager529 » 1 person likes this post

Andreas Neufert wrote:Would you prefer to install an "Agent Helper Proxy" that works on a single port to allow us to interact with the VM, instead of the agentless approach? Maybe as an optional component?
I think having both as an option makes sense. Agentless is helpful in certain circumstances, single-port traffic would be helpful in others. Also, a simple UI saying the name of the server managing it, the date of last successful backup, and a "can you successfully talk to the server" button would be super helpful in those cases (I'm fine with a CLI-only interface for this purpose). By contrast, the agentless method is helpful in other cases, especially where firewalls don't come into play.

So yes, I'll formally put in a request for a small proxy application to assist with corner cases where firewall soup is a problem. Admittedly this isn't an issue with Veeam, so much as the unfortunate and infuriating hell that is "having to configure a dozen firewall and NAT rules in a Sonicwall".

Thank you!
mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

Post by mikeely »

voyager529 wrote:So yes, I'll formally put in a request for a small proxy application to assist with corner cases where firewall soup is a problem.
Seconded.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

Post by mikeely »

Andreas Neufert wrote:Let me explain a bit.
I'd say you've explained more than a bit. Thank you for the detailed reply - I'll refer back to it as I deal with the various people who manage different network segments here.

I do like the option to have a proxying agent manage all this if needed.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Feature Request: reduce firewall sprawl

Post by Andreas Neufert »

Oh, and let me mention that some of our customers place the Guest Interaction components in a separate firewall zone to manage access to VMs and backend infrastructure separately.

In case of RPC communication, we can provide the Veeam RPC UUIDs so that you can use RPC UUID filtering in the firewalls if available.
jo_strasser
Lurker
Posts: 1
Liked: never
Joined: Jul 27, 2017 11:30 am
Full Name: Johannes Strasser

Re: Feature Request: reduce firewall sprawl

Post by jo_strasser »

Hi,

+1 for this Feature Request.

We are running a very complex firewall infrastructure and it is not possible to open so many dynamic ports (security policy --> not allowed).

In our case a helper agent will be preferred.

Is there a complete UUID list available to configure firewalls?

We want to backup windows, sql and active directory.

Thanks JO
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Feature Request: reduce firewall sprawl

Post by Andreas Neufert »

VSS
FA8573FC-2445-4EF5-82F1-30E34E7A07C7 GuestHelperCtrl
D9D20617-05AA-4142-96C0-9D68034A2C46 LogShipper

Agent
844D6366-6A97-4eb5-8345-B88E8276C20D HvIntegrationSvc
D107C6E0-FC35-49ba-BA03-3E192DE6797D DeploymentSvc
D1C2C07A-D989-48cc-A423-B73ECD518D40 Common RpcInvoker

Potentially you need some additional ones from Windows itself. Best would be to open these and test all functionality. If your monitoring shows additional ones, you can look them up on Google => you will find them as Microsoft services and can add them as well.

Example: 367abb81-9844-35f1-ad32-98f038001003 => RPC Server
lowlander
Service Provider
Posts: 450
Liked: 30 times
Joined: Dec 28, 2014 11:48 am
Location: The Netherlands

Re: Feature Request: reduce firewall sprawl

Post by lowlander » 1 person likes this post

Hi,

I would like to have a simple program that can run on each system that uses a Veeam backup service component. Based on this program it should be possible to inform if the component is compliant with the latest port requirements for a specific Veeam version, checking all required ports. Having the option to create a report would be great feedback to provide to the security department if there are things failing. Also it could be used as a delivery report for a status where everything is ok. Ideal would be an infrastructure health section in the VBR console interface, not like Veeam One but just for the technical component health and communication of Veeam services that create your backup solution. Maybe it should only be visible when you select an advanced view ;)

Thanks !
Andreas Neufert
VP, Product Management
Posts: 6707
Liked: 1401 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Feature Request: reduce firewall sprawl

Post by Andreas Neufert »

For the Guest components there is the "Test" button within the jobs. For the other Veeam components the communication is tested by adding the servers.

In theory you can use any network connection test tool or port scanner. Most of them have the option to create templates for specific port checks.
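Since the "any port scanner with a template" answer leaves the template to the reader, here is one as an added example (not a Veeam tool and not from any poster): it probes the fixed TCP ports Andreas listed earlier in the thread from the backup server, writes the CSV report lowlander asked for, and reports the dynamic RPC range a host actually has configured, which is the value that silently differs from the 49152-65535 default when Exchange or a manual change is involved. The target hostnames and the report path are assumed placeholders.

```powershell
# Added example (not Veeam's own test button or tool): probe the fixed TCP ports named in
# this thread and report the dynamic RPC range a Windows host really uses, so the security
# team gets a concrete pass/fail list instead of guesswork.
# The target names and the report path are assumed placeholders.
param(
    [string[]]$Targets  = @('win-app-01.corp.example', 'win-sql-01.corp.example'),
    [string]$ReportPath = "$env:TEMP\veeam-port-check.csv"
)

# Fixed ports taken from the thread (TCP only; Test-NetConnection cannot probe UDP).
$FixedPorts = @(
    @{ Port = 135;  Purpose = 'RPC endpoint mapper (DCE)' },
    @{ Port = 139;  Purpose = 'NetBIOS session' },
    @{ Port = 445;  Purpose = 'SMB/CIFS' },
    @{ Port = 2500; Purpose = 'Veeam transport, first connection (range 2500-5000)' },
    @{ Port = 2501; Purpose = 'Veeam transport, second parallel connection' },
    @{ Port = 6160; Purpose = 'Veeam installer service' },
    @{ Port = 6167; Purpose = 'SQL log shipping service' }
)

function Test-FixedPorts {
    param([string]$ComputerName)
    foreach ($p in $FixedPorts) {
        # TcpTestSucceeded is false both for a closed port and for a firewall drop;
        # PingSucceeded helps tell "host unreachable" from "port filtered".
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target    = $ComputerName
            Port      = $p.Port
            Purpose   = $p.Purpose
            HostUp    = $r.PingSucceeded
            Reachable = $r.TcpTestSucceeded
        }
    }
}

function Get-DynamicRpcRange {
    # Per-host setting, so run this part on each guest as well: the range differs when
    # Exchange is installed, when it was changed manually, or on Windows 2003.
    $s = Get-NetTCPSetting -SettingName Internet
    [pscustomobject]@{
        Start = $s.DynamicPortRangeStartPort
        End   = $s.DynamicPortRangeStartPort + $s.DynamicPortRangeNumberOfPorts - 1
    }
}

$results = foreach ($t in $Targets) { Test-FixedPorts -ComputerName $t }
$results | Format-Table -AutoSize
# The CSV is the report for the security department: one row per host and port.
$results | Export-Csv -Path $ReportPath -NoTypeInformation

$range = Get-DynamicRpcRange
if ($range.Start -ne 49152 -or $range.End -ne 65535) {
    $msg = 'Dynamic RPC range on {0} is {1}-{2}, not the default 49152-65535; firewall rules written for the default will not match.' -f $env:COMPUTERNAME, $range.Start, $range.End
    Write-Warning $msg
}
```

Run it from the backup server (or the guest interaction proxy) with the Veeam service account, since that is the source the network firewall sees; rerunning it after each Veeam upgrade and diffing the CSV is the cheap way to catch the changing requirements mikeely mentions.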
mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

Post by mikeely » 1 person likes this post

Andreas Neufert wrote:For the Guest components there is the "Test" button within the jobs. For the other Veeam components the communication is tested by adding the servers.
You kind of just proved the point of the previous poster, who was referring to not only setting up new services but also changing requirements as we upgrade our existing systems.

It's amazing - this post is three years old now and the port-requirement sprawl issue is still just as awful as it was the day I wrote the original post in this thread. I actually like the idea of a simple proxy that sits on each Linux or Windows box which requires ONE port and either handles all the traffic (obviously best way) or as the previous commenter suggested sends back a report of exactly which ports can't communicate between which hosts and in which direction.

Right now there are too many ports and too much guesswork as to which one is not communicating successfully. Y'all still need to address this.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
jmmarton
Veeam Software
Posts: 2092
Liked: 309 times
Joined: Nov 17, 2015 2:38 am
Full Name: Joe Marton
Location: Chicago, IL

Re: Feature Request: reduce firewall sprawl

Post by jmmarton » 2 people like this post

Here's a new tool that helps you identify needed ports by specifying information about your infrastructure and the Veeam components you are deploying.

https://www.veeambp.com/ports/index.html

Joe
mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

Post by mikeely »

Joe,

Thanks for posting this. It's a start!
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment
poulpreben
Certified Trainer
Posts: 1024
Liked: 448 times
Joined: Jul 23, 2012 8:16 am
Full Name: Preben Berg

Re: Feature Request: reduce firewall sprawl

Post by poulpreben » 1 person likes this post

This tool is indeed very cool.

A suggestion, if you don’t mind: Would it be possible to add an “All” scenario to application processing?

Most companies have multiple/all applications in a single network, so it would be useful to add all required ports for processing all applications in a single operation.
mikeely
Expert
Posts: 224
Liked: 69 times
Joined: Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

Post by mikeely »

Or maybe go "Is this a VSphere environment, a Hyped-up-V environment, or both?" at the beginning and then skip that question later on.
'If you truly love Veeam, then you should not let us do this :D' --Gostev, in a particularly Blazing Saddles moment