-
- Influencer
- Posts: 17
- Liked: never
- Joined: Feb 22, 2019 9:49 am
- Full Name: Adrian Costea
- Contact:
Free Windows Agent backup to remote site with no VPN
Hi,
I have a site where I need to back up some Windows servers (using the free agent version) for archiving and I want to use the Veeam B&R from the main site as a repository. Between the two sites there is no VPN tunnel or anything, totally separate "entities", so backups will travel through the internet, so to speak.
I managed to connect to the repository but the backup fails after a few minutes. All ports are opened and forwarded to the B&R server.
Just wondering if this is supported or if it is doable.
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
Adrian,
If a backup job fails, then not all ports are opened. It is doable, but highly not recommended due to security reasons and possible data breaches. Can you please describe your setup in more detail? Do you have different branches and remote offices, or are you acting as a service provider to your clients?
Thanks!
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
Hello,
and welcome to the forums.
As you wrote "forwarded", I guess you are talking about a NAT setup. If that's the case, then I need to state that the setup is not supported (see requirements, last sentence).
I have heard of an unsupported workaround where you add a loopback adapter on the backup repository behind NAT and assign it the external IP. Then it will start properly resolving to the public IP instead of the private IP of the repository and not time out. https://support.quest.com/kb/148858
Best regards,
Hannes
PS: same as Vitaliy says, we don't recommend placing backup servers directly on the internet...
-
- Influencer
- Posts: 17
- Liked: never
- Joined: Feb 22, 2019 9:49 am
- Full Name: Adrian Costea
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
This is not a permanent solution. The servers in the remote site are running in a third-party cloud and are going to be decommissioned, and as a consultant I want to back up those servers and archive them for a few weeks or months. You never know when the client wants some of the data back.
Now I don't get why you need a public IP on the B&R server. Even if you are behind NAT, the client, the Windows agent in this case, still sees the public IP of the B&R server, which sits on the router.
I guess the ports needed are listed here https://helpcenter.veeam.com/docs/agent ... tml?ver=30
-
- Product Manager
- Posts: 14840
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
Hi,
yes, you need the ports you refer to. Please tell us the results of your tests.
Best regards,
Hannes
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
If this is a one-time operation, then it might be easier to back up this server locally, and then upload backup files to the remote site.
-
- Influencer
- Posts: 17
- Liked: never
- Joined: Feb 22, 2019 9:49 am
- Full Name: Adrian Costea
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
Yes Vitaliy, I know, but I don't have any more disks except the system one. Thinking how to trick the Veeam agent now with some extra storage.
I found out why you need a public address on the B&R server. Because the B&R server is sending to the agent the IP of the local system. I can fix that, but the problem is that I am using a Windows server backup repository which is on a different internal IP. The agent first authenticates and registers itself on the B&R server using 10001, then it tries to transfer the data using ports between 2500-5000. Using NAT you can only forward the same port once from a single public IP. Yes, you can use policy-based routing to send 10001 to the B&R server and 2500-5000 to the backup repository, but that's just complicating things too much.
I really thought the B&R server acts as a proxy, so when the agent sends data it hits the B&R server, then the B&R server sends the data to the backup repository. Looks like the agent or clients that need to be backed up are sending data directly to the storage device. I don't know how it works on fiber, but when the B&R server and backup repository are connected through a TCP network this is what I have noticed.
Correct me if I am wrong.
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
Adrian, yes, your assumption is correct. Veeam B&R does not work as a proxy server either for VM backup jobs (unless it is the default proxy in the infrastructure) or for Agents.
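The flow confirmed in the thread above (registration with the B&R server on 10001, then data sent directly to the repository on 2500-5000) can be checked against a port-forwarding plan before anything is exposed. This is an added example, not code from Veeam or from the posters; the IP addresses, the `rule` and `check_plan` helpers and the single "advertised address" are assumptions made for illustration.

```python
import ipaddress

# Constructed sample values (not from the thread): 203.0.113.10 stands in for the
# router's public IP, 198.51.100.7 for the remote agent, 10.0.0.x for internal hosts.
PUBLIC_IP, AGENT_IP = "203.0.113.10", "198.51.100.7"
BR_SERVER, REPOSITORY = "10.0.0.5", "10.0.0.6"
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Flows as described in the thread: registration on 10001, data on 2500-5000.
REQUIRED = [("control", 10001, 10001, BR_SERVER), ("data", 2500, 5000, REPOSITORY)]

def rule(lo, hi, target, sources=None):
    """One port-forward rule; sources=None means any internet host may connect."""
    return {"lo": lo, "hi": hi, "target": target, "sources": sources}

def check_plan(advertised_ip, forwards):
    """Return a list of problems with a NAT port-forwarding plan."""
    findings = []
    addr = ipaddress.ip_address(advertised_ip)
    if any(addr in net for net in RFC1918):
        findings.append(f"advertised address {addr} is private, unreachable for a remote agent")
    # A public port can be forwarded to only one internal host.
    for i, a in enumerate(forwards):
        for b in forwards[i + 1:]:
            if a["lo"] <= b["hi"] and b["lo"] <= a["hi"] and a["target"] != b["target"]:
                findings.append(f"ports {max(a['lo'], b['lo'])}-{min(a['hi'], b['hi'])} "
                                "are forwarded to two different hosts")
    for name, lo, hi, target in REQUIRED:
        if not any(f["lo"] <= lo and hi <= f["hi"] and f["target"] == target for f in forwards):
            findings.append(f"{name} flow on {lo}-{hi} does not reach {target}")
    for f in forwards:
        if not f["sources"]:
            findings.append(f"ports {f['lo']}-{f['hi']} accept connections from any source")
    return findings

# Everything forwarded to the B&R server, which hands out its own private address.
ALL_TO_BR = [rule(10001, 10001, BR_SERVER), rule(2500, 5000, BR_SERVER)]
# Split forwarding, restricted to the agent's address, public address advertised.
SPLIT = [rule(10001, 10001, BR_SERVER, [AGENT_IP]), rule(2500, 5000, REPOSITORY, [AGENT_IP])]

if __name__ == "__main__":
    for label, ip, plan in (("all to B&R", BR_SERVER, ALL_TO_BR), ("split", PUBLIC_IP, SPLIT)):
        print(label, check_plan(ip, plan) or "no findings")
```

The last check in `check_plan` is the one that matters for the security concern raised in the replies: a rule without a source restriction leaves the backup ports reachable from any internet host.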
-
- Influencer
- Posts: 17
- Liked: never
- Joined: Feb 22, 2019 9:49 am
- Full Name: Adrian Costea
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
Just one last question, since I have solved this and did in the end a volume-level backup, then transferred it using FTP.
I already have a default backup proxy in the infra. Or are you referring to the site where the agents are running -remote site- (taking my example here)?
-
- VP, Product Management
- Posts: 27377
- Liked: 2800 times
- Joined: Mar 30, 2009 9:13 am
- Full Name: Vitaliy Safarov
- Contact:
Re: Free Windows Agent backup to remote site with no VPN
I was referring to the site where the backup server is installed. If this backup server is an all-in-one deployment it will act as a proxy since the repository is also assigned to the backup server. Sorry for the confusion!