As an MSP, I'm attempting to use Veeam ONE to connect to all our customer servers running Veeam Backup and Replication so that I can monitor them all from one pane of glass and not have to remote into each individual server.
I've opened ports 135 and 445 on the customer's firewall to the server running Veeam B&R at the customer's site. However, when I try to add the server to Veeam ONE, I get the following error message:
Veeam ONE Monitor could not connect to <servername>. The object exporter specified was not found. (Exception from HRESULT: 0x80070776)
The Firewall packet capture indicates that traffic to the customer B&R server is hitting the server on Port 135 without issue.
Any help to put me back on the right path and get this sorted would be greatly appreciated.
Does this happen on all Veeam backup servers? Can you please tell me if you're able to remotely connect to WMI of that backup server? If not, then make sure that this firewall configuration is also applied.
Hi,
I work for an MSP as well and we were trying to do the same but were told by support that it was not possible. I would really be interested if you were able to get it working.
That's absolutely possible. Can you please give me the case ID where you were told that it was not possible? Also can you please describe the network you have between your site and customers'? Do you have a VPN connection between these sites?
Hi,
Thanks for the reply, the case # was 3093497. There is no VPN connection between the sites. We have opened the requested firewall ports between us and them and locked them down to only respond to our WAN IP. No Windows firewalls turned on. Is a VPN required to make it work?
VPN will make the connection more secure and will not expose your backup server to the internet. Some companies have restrictions on this matter. The easiest way to check out if all ports are open or not is to run a WMI test which should show if you're able to connect to the remote server or not.
On a side note, can you please clarify the main use case for you to connect to these backup servers? Do you manage them? Do you need to check job states or is there something else you want to do?
We are an MSP that provides managed and cloud backup to all of our clients. We currently use the VAC to manage the backups. We would like to use the reporting functions of the software to help us with being proactive with their environment. Do you have a certain test that's good for the WMI testing?
Got it! Well you can try to use a Wbemtest tool to verify this, but I'm pretty sure you will need to open way more dynamic ports to make it work. If you would like to have more visibility into customers' infrastructures, then scheduling pre-built reports and dashboards might solve the case. All reports will land into your inbox and if there is an issue you will be able to RDP or use Remote backup console to fix the backup related problem.
Not sure about dynamic ports (need to verify that), but regardless of that, the backup server should have a public IP address and you should configure port forwarding/firewall rules on the gateway (customer site) to route traffic from the remote public network (your site) to that backup server. VPN will make your WAN connection act as if you're running both servers in one network.
This thread is probably too dead to resurrect, but I am in the exact same boat, and have hit the same roadblock with Support. Basically, for the life of me I cannot get WBEMTest to connect to any remote device.
In opening a ticket with support, I was informed that BEM is supposed to act as a broker to One, so by adding BEM to one, nothing further should be needed for One to enumerate the components. However when adding BEM to One, it can see the existence of components, but is unable to communicate with any of them. I ended up as a test trying to directly add machines to One, and it has yet to succeed unless we open a BOVPN tunnel, which isn't an option at scale.
I am also getting the exact same error mentioned above when attempting to connect via WMI / wbemtest of: "The object exporter specified was not found"
I went through the documents referenced, applied all workarounds, and while WBEMTest works fine on the client's LAN, it can never reach into the LAN from the WAN. Interestingly, if I give WBEMTest deliberately incorrect credentials, I immediately get an access denied message, so it is getting far enough to authenticate before it fails. At this point, Veeam support seems to suspect the issue is a protocol level failure on Msft's end with WMI, but seeing this exact same set of symptoms leads me to believe it is an issue with Veeam.
Bigger picture here, I feel like I am missing some obvious easier way to make this connection. Having to make a huge set of port rules and local permission changes per device doesn't seem scalable. Is there no way to drop some agent in place on all servers that have Veeam, and have that agent know how to "phone home" to a One instance? Or more to the point, is this just a case where One is not designed to administer anything larger than a single LAN? If so, is there an equivalent to ONE designed for MSPs?
As an update to this, I found the answer to the bug at hand, but was informed that Veeam One is not to be used this way.
I ended up getting on a call with our Veeam reps, and they indicated that Veeam One is not designed to run over the WAN. It is technically possible to do, and I was able to finally solve the problem listed on this server; aside from all listed ports, you also need to be sure you can ping the device by its name, that was the cause of the wbemtest failure.
However in making this run over the internet, a massive array of ports must be opened, it doesn't work over SNAT so each device would need its own external IP, and some of the required ports are blocked by default by some ISPs including Comcast, so you would have to call per client to open this up.
After speaking with the Veeam reps, we have taken a different approach.
1) We utilize BEM to administer all devices. (Pro tip: create a DNS zone called 'Veeam' and add that as an alternate DNS lookup value. Then you can just add A records for the external IPs of each device by name)
2) We utilize VAC for monitoring and reporting
3) We have Veeam One installed on each local instance for gathering more detailed local logs, the idea being we can dive into that to investigate any weird longer term issues. It is possible that VAC can do all that Veeam One can do, we have not done a deep dive into this product, being more focused on configuring BEM at scale.
Bigger picture here, it seems like frequently Veeam makes the design assumption that all infrastructure will be on one network. This is not ever the case for the MSP model. Having Veeam One instead rely on an agent that could phone home over a single port and negotiate anything further it needs over UPnP or similar would be magical. Same with BEM, while it uses a much more reasonable set of ports, it is still annoying to configure at scale. Any monitoring product should support the option to drop a small MSI in place that can phone home to a central server.
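
The three checks this thread converges on (the server resolves by name, TCP 135 answers, and a remote WMI query over DCOM succeeds), as an added PowerShell example that is not part of any post above or of Veeam's tooling. The function name `Test-RemoteWmiPath` and the host name are hypothetical.

```powershell
# Added example. Test-RemoteWmiPath is a hypothetical helper and
# 'backup01.customer.example' is a constructed placeholder host name.
function Test-RemoteWmiPath {
    param(
        [Parameter(Mandatory)] [string] $ComputerName,
        [pscredential] $Credential
    )
    $r = [ordered]@{
        ComputerName = $ComputerName
        NameResolves = $false
        Port135Open  = $false
        WmiQueryOk   = $false
        Error        = $null
    }
    # 1. The server must be reachable by name from the monitoring host;
    #    the thread traced the wbemtest failure to this.
    try {
        [void][System.Net.Dns]::GetHostAddresses($ComputerName)
        $r.NameResolves = $true
    } catch {
        $r.Error = "Name resolution failed: $($_.Exception.Message)"
    }
    # 2. TCP 135 is only the RPC endpoint mapper. Success here does not
    #    show that the dynamic RPC ports behind it are reachable.
    $tcp = Test-NetConnection -ComputerName $ComputerName -Port 135 -WarningAction SilentlyContinue
    $r.Port135Open = [bool]$tcp.TcpTestSucceeded
    # 3. A real WMI query over DCOM, the transport wbemtest uses.
    if ($r.NameResolves -and $r.Port135Open) {
        $p = @{
            ComputerName  = $ComputerName
            SessionOption = New-CimSessionOption -Protocol Dcom
            ErrorAction   = 'Stop'
        }
        if ($Credential) { $p.Credential = $Credential }
        $session = $null
        try {
            $session = New-CimSession @p
            [void](Get-CimInstance -CimSession $session -ClassName Win32_OperatingSystem -ErrorAction Stop)
            $r.WmiQueryOk = $true
        } catch {
            # Connection-level WMI/DCOM errors are reported at this step.
            $r.Error = "WMI over DCOM failed: $($_.Exception.Message)"
        } finally {
            if ($session) { Remove-CimSession -CimSession $session }
        }
    }
    [pscustomobject]$r
}
Test-RemoteWmiPath -ComputerName 'backup01.customer.example'
```

A result with `Port135Open` true and `WmiQueryOk` false matches what the original poster's packet capture showed: port 135 reachable while the WMI connection still fails.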