Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
ICHAPMAN
Novice
Posts: 6
Liked: 4 times
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN »

Hi,

I've updated the latest V3 product mainly in the hope that I could 'control' it better when using a VPN connection.

After upgrading I've activated the "Restrict VPN connections usage" option, thinking that when I was using a VPN connection no backup would run. Yet when using our Cisco AnyConnect VPN service, my backup continues to take place just as it did in the V2 product.

Is my understanding of the "Restrict VPN connections usage" wrong?. Should this option be able to detect a VPN when using Cisco AnyConnect?.

Thank you

Iain .
HannesK
Product Manager
Posts: 14288
Liked: 2877 times
Joined: Sep 01, 2014 11:46 am
Full Name: Hannes Kasparick
Location: Austria
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by HannesK »

Hello,
Let me check how we detect VPN connections and whether it would help to create a support case.

As a workaround my customers used in the past: they just did not allow connections the backup-server in the VPN configuration or added a rule in the windows firewall.

Best regards,
Hannes
ICHAPMAN
Novice
Posts: 6
Liked: 4 times
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN »

Hello Hannes,

Thank you for the reply. We have also previously blocked access to the IP of the backup unit to work around this issue. I was just hoping that this would be a better solution, which would perhaps prevent the "failed" backup notice that we currently experience in this situation.

Thanks

Iain.
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Dima P. »

Hello Iain,

I am afraid some implementations of VPN wont work as we mostly reply on MS Windows APIs to detect if that's VPN or not . To be absolutely sure I'll check it with RnD team and update this thread with investigation results. Thank!
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Gostev » 1 person likes this post

Dima, if this is confirmed - let's consider detecting top 3 market-leading corporate VPN implementations, such as Cisco AnyConnect. Otherwise, this whole feature is going to be quite useless for the majority of customers. Thanks!
wayne7215
Influencer
Posts: 23
Liked: 7 times
Joined: Oct 07, 2016 8:37 am
Location: Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by wayne7215 »

OMG! We waited as well until V3 and get this "Restrict VPN connections usage" functionality, but hey, who the hell is using the Microsoft VPN? In our case it's Fortinet, so do we have to wait until V7 to get such a basic function, no backup through WAN connections? :shock:
Most important Veeam is changing the license model to Instances to earn more money, sometimes it would also be nice to get the product improved :roll:
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Dima P. »

I was not correct with my last post, sorry for that. We perform a check of assigned NIC, specifically - Network Interface Type. Based on the check result we detect if that's VPN connection or not.

If you see that your VPN is not being detected (backup job works when you are connected over VPN despite 'Restrict VPN connections usage' being checked) please:

1. Open a support case and share the case ID as we want to be completely sure about the root cause of your issue and most likely we will need debug logs anyway.
2. Name your VPN client
3. If possible execute the following PowerShell script on the affected machine and share the output

Code: Select all

[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() | ? {$_.name -eq “InterfaceName”} | Select -Property NetworkInterfaceType
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Gostev »

wayne7215 wrote: Feb 13, 2019 2:40 pmMost important Veeam is changing the license model to Instances to earn more money
This is somehow the biggest misconception about U4. License model did not change, nor subscription pricing - which remained the same as when it was first introduced a few years ago. The ONLY change is how license counters look (and the fact that instance license file is portable and can be used with any Veeam product).
ICHAPMAN
Novice
Posts: 6
Liked: 4 times
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN »

Hello Gostav / Dima P,

Sorry to come back to this older conversation.

As you suggest I have now opened a support case to advise that 3.0.2.1170 still backups up over a VPN connection when used with the Cisco AnyConnect client. This is case number 03833172.

I could now workout the Powershell command that you posted, but below is the information that I believe you were looking for:

Id : {D59E37A7-FD27-4203-8955-0792A57EBCE4}
Name : Ethernet 2
Description : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
NetworkInterfaceType : Ethernet
OperationalStatus : Up
Speed : 862366500
IsReceiveOnly : False
SupportsMulticast : True

I have included this with the support case.

Hopefully this can help you blocked backups from occurring when the Cisco AnyConnect VPN client is used in a later release.

Thank you

Iain
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Dima P. »

Hello Iain,

Thank you for sharing the results. I've added your notes to the improvement request to support Cisco AnyConnect VPN. Cheers!
ICHAPMAN
Novice
Posts: 6
Liked: 4 times
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN »

Hi,

Coming back to this topic - does the V4 product include any better support for other VPN adaptors - such as Cisco AnyConnect?.

Thanks

Iain
Egor Yakovlev
Veeam Software
Posts: 2536
Liked: 680 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Egor Yakovlev »

Hi Iain,
Additional VPN providers(including Cisco AnyConnect) will be added to "VPN detection engine" in the next agent version(VAW v5).
Thanks!
NightBird
Expert
Posts: 242
Liked: 57 times
Joined: Apr 28, 2009 8:33 am
Location: Strasbourg, FRANCE
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by NightBird »

Hello,

I think the main vendors should be added, Cisco, Pulse Secure, Fortinet
ICHAPMAN
Novice
Posts: 6
Liked: 4 times
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN »

Hi Egor,

Thanks for the reply.

Given that v4 was only released in February 2020 - should I assume that any v5 release won't be before fiscal Q4 2021?

Thanks

Iain
Egor Yakovlev
Veeam Software
Posts: 2536
Liked: 680 times
Joined: Jun 14, 2013 9:30 am
Full Name: Egor Yakovlev
Location: Prague, Czech Republic
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Egor Yakovlev »

Cannot estimate release date. It will be out "When it is ready"(c).
/Cheers!
Gostev
Chief Product Officer
Posts: 31460
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Gostev »

Our major release cadence is annual, so more like Q4 2020 / Q1 2021.
andrie
Service Provider
Posts: 29
Liked: 8 times
Joined: Nov 20, 2015 12:37 pm
Full Name: Andy
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by andrie »

This is probably one of the bigger problems now when everyone is working from home. We are blocking the ports used by the agent on our firewall to prevent the backups blocking the company's internet connection.
We are using the Sophos SSL client, which is just a rebranded OpenSSL VPN client.
Post Reply

Who is online

Users browsing this forum: No registered users and 39 guests