Host-based backup of VMware vSphere VMs.
isolated_1
Enthusiast
Posts: 45
Liked: 5 times
Joined: Apr 09, 2015 8:33 pm
Full Name: Simon Chan

Application Aware Processing with VIX as a Service Provider

Post by isolated_1 »

Hello all,

I want to inquire as to the best way to incorporate application aware processing via the networkless/VIX mode. As a service provider, the majority of our clients are sectioned off via separate VLAN port groups. Our Veeam backup server is also in a separate network.

There are many cases where we are not able to get the built-in domain\Administrator account from the client. Therefore, when I test application aware processing in Veeam, the test fails because both RPC and VIX mode fail. We do have other domain accounts with domain administrator rights in the environment, but I read that this is not supported when using VIX mode. I read disabling UAC is another possibility, but it's not something we are considering doing in each client VM.

What would be the best way around this? I was thinking of deploying a very minimal Veeam proxy server for just the guest interaction task (not used for NBD backups as I have other proxy servers for that role) with Server 2012 and with 512MB of RAM inside each of these client environments that would be directly attached to our Veeam management network as well as another NIC to the clients. In the Veeam console, I would configure the backup job for each client to use the specific Guest Interaction Proxy server. If I have 20 clients, then there would be 20 different guest interaction proxies.

Would it make better sense to create one guest interaction proxy and attach multiple client networks instead? Would this work?

Does this make sense or would there be another better way to achieve this?

Thanks in advance!
Andreas Neufert
VP, Product Management
Posts: 7314
Liked: 1565 times
Joined: May 04, 2011 8:36 am
Full Name: Andreas Neufert
Location: Germany

Re: Application Aware Processing with VIX as a Service Provider

Post by Andreas Neufert »

You are correct with the statements.

But let's talk about what you want to do with the guest interaction server?

Consistency?

You could use VMware Tools quiescence then instead (no account needed).

If you want to perform other tasks, please describe.

Besides this, I would not place a VM with network cards in the customer environments, but would place it in a DMZ where you can work with firewall rules. That way you could control that the communication goes only from the GIP into the networks. As well, you could use a firewall that can filter RPC calls and only allow the Veeam ones, to avoid that it could spread something by mistake. As well, I would not place this server in any mgmt domain and would use separate accounts (never log into it from other servers). Give only Veeam access.

But let's first discuss what you want to achieve, maybe there are better ways.

Re: Application Aware Processing with VIX as a Service Provider

Post by isolated_1 »

Hey Andreas,

I basically just want to achieve application aware backups for mainly our client's domain controllers, SQL servers and mail servers. At the moment I am dreading having to restore a domain controller without any application aware processing because I've read that it might not work or if it does, a whole lot of extra work will need to be done before it can function again as a DC. This also gives us the ability to granularly restore AD items such as deleted user accounts and such.

I have read about VMware Tools quiescence before but I remember that this was considered a last resort. I can't remember if VSS writers are actually used or if some other method. If this works in achieving what I want, then that would be great.

Not sure how I'd implement the DMZ feature that you mentioned as my network knowledge is not spectacular but it is something I will be looking into and talking with my network team.

I have a scheduled call with a Veeam engineer Monday so hopefully he/she will be able to shed more info on this but would appreciate any other info you can give.

Thanks!

Re: Application Aware Processing with VIX as a Service Provider

Post by Andreas Neufert »

I see. So you need more than consistency. You can check with the Veeam engineer about possible contacts. He can contact me as I have done some concepts around this for other customers.

Re: Application Aware Processing with VIX as a Service Provider

Post by isolated_1 »

Hey Andreas,

Funny you mentioned yourself as contact. While I was searching for other Veeam forum posts for users with similar issues, I came across this post:

vmware-vsphere-f24/veeam-and-guest-proc ... 49522.html

Your suggestion to create a GIP server in each subnet with one network leg in the Veeam network and one leg in the client's network was exactly what I originally thought of. It does make sense in that this is not the best of ideas like you mentioned due to security purposes so I was thinking that rather than put these servers in a DMZ network, I'd just use Windows Firewall to only allow communication for the required ports for GIP to function and only sourcing from the client network, everything else would be blocked.

I will provide an update as to what I have discussed with the engineer later today. If interested, case number is: 03328406

Re: Application Aware Processing with VIX as a Service Provider

Post by Andreas Neufert »

That is the idea, but I would use real firewalls for it. The Veeam SE can discuss the concept.

Re: Application Aware Processing with VIX as a Service Provider

Post by isolated_1 »

Hey Andreas,

Just got off the phone with one of the engineers.

He basically confirmed what we've gone over so far in regards to creating a dedicated dual-homed GIP server for each subnet/client with one NIC on our Veeam network and another sitting in the client's. However, he was not able to go over the recommended best practices regarding security (he was not the original Veeam engineer I had scheduled with) but stated to have the obvious on the GIP server like AV protection and Windows Firewall.

At the moment I have the GIP server connected to our dedicated Veeam domain. Firewall profile is Domain for this network. The client network I have selected to be on the Public firewall profile. So far, the application aware processing test is all good using RPC method. I've logged in to one of the client machines to see if I could access shares and other connections back to the Veeam GIP server but was not able to. So far so good.

Would the GIP server need to be domain joined? If not, I could just make it a standalone server.

Thanks,
Simon
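
A read-only check of the setup described in the post above, added here as an example (not part of the original thread and not Veeam tooling): it confirms each NIC's firewall profile, that the dual-homed server is not forwarding between the two networks, and lists what the Public profile lets in. The interface aliases `Veeam-Mgmt` and `Client-Net` are hypothetical names.

```powershell
# Added example: audit of a dual-homed guest interaction proxy (GIP).
# Interface aliases are assumptions; replace them with the real NIC names.
$MgmtNic   = 'Veeam-Mgmt'   # hypothetical: NIC on the Veeam management network
$ClientNic = 'Client-Net'   # hypothetical: NIC on the client VLAN
$findings  = @()

# 1. Each NIC should carry the profile described in the post.
$expected = @{}
$expected[$MgmtNic]   = 'DomainAuthenticated'
$expected[$ClientNic] = 'Public'
foreach ($nic in $expected.Keys) {
    $cp = Get-NetConnectionProfile -InterfaceAlias $nic -ErrorAction SilentlyContinue
    if (-not $cp) {
        $findings += "${nic}: no connection profile found"
    } elseif ("$($cp.NetworkCategory)" -ne $expected[$nic]) {
        $findings += "${nic}: category is $($cp.NetworkCategory), expected $($expected[$nic])"
    }
}

# 2. A dual-homed host must not route between the two networks.
foreach ($if in Get-NetIPInterface -InterfaceAlias $MgmtNic, $ClientNic) {
    if ("$($if.Forwarding)" -eq 'Enabled') {
        $findings += "$($if.InterfaceAlias) ($($if.AddressFamily)): IP forwarding is enabled"
    }
}

# 3. The Public profile (client side) should be on and block inbound by default.
$pub = Get-NetFirewallProfile -Name Public
if ("$($pub.Enabled)" -ne 'True') { $findings += 'Public profile: firewall is not enabled' }
if ("$($pub.DefaultInboundAction)" -ne 'Block') {
    $findings += "Public profile: default inbound action is $($pub.DefaultInboundAction), not explicitly Block"
}

# 4. List every enabled inbound allow rule that applies to the Public profile,
#    so each one can be justified or disabled.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Any|Public' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule      = $_.DisplayName
            Protocol  = $pf.Protocol
            LocalPort = $pf.LocalPort -join ','
        }
    } | Format-Table -AutoSize

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else           { Write-Output 'No findings: profiles, forwarding and default action match the described setup.' }
```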

Re: Application Aware Processing with VIX as a Service Provider

Post by Andreas Neufert »

The GIP does not need to be added to the domain (or domain trust) of the client unless the customer enabled Kerberos-only processing (which works only within a domain).

You can ask the SE to contact you with one of our solution architects that can help with the security model. Thanks.