Future of Veeam MP

[D@ni]

Hi guys,

the last update of the Veeam MP (8.0 U6) was released more than one year ago (Aug. 30, 2018 to be exactly). We are wondering how the future of this product looks like?
There have been no improvements at all in more than one year. Even if MP8.0U6 is supported with the latest vSphere and SCOM version, we expect some new features, better speed and more security with this product.

Are there any news someone can share?
Are there other customers with more or less the same thoughts?

Many thanks in advance!

Cheers,
Daniel

[Alec King]

We are currently building v9.0 of the Veeam MP for System Center. Planning to ship it later this year. Closer to the release we will confirm all the new fixes and features.
Hope that helps!

[wishr]

Hi Daniel,

We would really appreciate it if you could share a bit more info on what features including those related to security you'd like to see in the next MP versions.

Thanks in advance!

[D@ni]

Hi guys,

Thank you very much for your quick answers! Following some points we discussed internally we would love to see in a future Veeam MP release:

- Security
o Collector Server now only work with NTLM as authentication protocol. Would be great to have Kerberos Support as we have disabled NTLM on all our Servers by default
o Collector UI (Web interface) works on custom Port 4430 instead of 80 or 443 (our security policies only allow "standard" ports for web applications by default)
o Collector UI (Web interface) works only with http instead of https (with custom certificate signed by our internal CA)

- Monitoring
o Basic Monitoring for other VMware Products like NSX Manager, vRNI, vRLI (would be enough to have just basic checks like http/s availability)
o The monitor “Datastore Unknown Files Analysis” should show the unknown files in the Alert Description. At the moment we have to search ourselves for the files or use other tools for that (like RVTools)
o Possibility of using multiple accounts for the Monitor “Run As Account for vCenter Failover functionality failed validation for one or more hosts” as we have one SCOM instance for three completely different vSphere environments
o More accuracy or Filter possibilities on the “Morning Coffee Dashboard” – now it shows all the different infrastructures as one infrastructure. However, we have much less load on our test environment than on the productive environment. So the numbers shown on the Dashboard are not really accurate/specific

- Performance
o Bit more speed for showing dashboards like “Morning Coffee”, “All Datastores” or “Cluster Capacity Forecast”

- Reporting
o A Report showing the load specific VMs (for example based by a vSphere Tag or a Folder within vCenter) generates in total -> This would help us showing our customers how much load their VM generates in total (for cost and support purposes)

I hope this helps a bit. I am looking forward to your feedback and the upcoming Veeam MP Version!

Have a nice weekend,
Daniel

[wishr]

Hi Daniel,

Thanks a lot for sharing these. Great list. We've noted all of them and will discuss what can be done in the future.

I would like to specifically comment a few points/ask a few questions.

Collector Server now only work with NTLM as authentication protocol. Would be great to have Kerberos Support as we have disabled NTLM on all our Servers by default

- Could you please share the approach you have used to disable NTLM within your environment? Guides, configuration details, all the possible detailed information are welcome.

Collector UI (Web interface) works on custom Port 4430 instead of 80 or 443 (our security policies only allow "standard" ports for web applications by default)

- While this has not been tested by our QC team, currently, it should be possible to configure the ports on the Internet Information Services (IIS) end.

Collector UI (Web interface) works only with http instead of https (with custom certificate signed by our internal CA)

- While this has not been tested by our QC team, currently, it should be possible to upload a custom SSL certificate and then configure HTTPS and desired ports on the IIS end.

More accuracy or Filter possibilities on the “Morning Coffee Dashboard” – now it shows all the different infrastructures as one infrastructure. However, we have much less load on our test environment than on the productive environment. So the numbers shown on the Dashboard are not really accurate/specific.

- Have you tried to create a custom Morning Coffee Dashboard scoped down to each environment using our Infrastructure Summary widget and SCOM groups?

The monitor “Datastore Unknown Files Analysis” should show the unknown files in the Alert Description. At the moment we have to search ourselves for the files or use other tools for that (like RVTools)

- Have you tried using Scan Datastore for Unknown Files Task? If so, why it is not convenient for you?

Bit more speed for showing dashboards like “Morning Coffee”, “All Datastores” or “Cluster Capacity Forecast”

- Could you please clarify these a bit. If you had support requests opened regarding these difficulties, please let us know the corresponding case IDs so we could take a look at the details.

Thanks!

[D@ni]

Hi there,

Thank you very much for your answer and please excuse my late reply. I will try to respond accordingly.

Could you please share the approach you have used to disable NTLM within your environment? Guides, configuration details, all the possible detailed information are welcome

Here is a Link to MS Docs which says following:
NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks.
This is one of the reason why we decided to disable NTLM(v2) by default. If possible, all our application in our company should use Kerberos as authentication protocol. Internal Security allows to use NTLM(v2) if Kerberos is not possible, but we have to report frequently some statements of the application company (in this case Veeam) why Kerberos is not supported and when it will be available.

While this has not been tested by our QC team, currently, it should be possible to configure the ports on the Internet Information Services (IIS) end.

While this has not been tested by our QC team, currently, it should be possible to upload a custom SSL certificate and then configure HTTPS and desired ports on the IIS end.

We are aware that the Veeam Collector UI runs on a "simple" IIS website and that we have the possibility to change those settings you mentioned. However, we do not know if this is supported and if Support would still assist in case of fault/crash. And as far as I have seen there is no documentation/KB article from Veeam regarding such settings. Am I right?

Have you tried to create a custom Morning Coffee Dashboard scoped down to each environment using our Infrastructure Summary widget and SCOM groups?

No, I did not. I was not aware that something like this is possible (to create easy). Is there any documentation you can reference to it? This would be great!

Have you tried using Scan Datastore for Unknown Files Task? If so, why it is not convenient for you?

Yes, we already tried this way. However, the Task reports not exactly the same result as its states on the "Alert Description". As our First Level manages the alerts, it would be great if the "Unknown Files" would directly appear in the Description. With this, the First Level could resolve the alert themselves. By now they open a ticket to us (Second Level). And as mentioned, we than have to use other Tools (like RVTools) to see which files exactly the alerts correspond to.

Could you please clarify these a bit. If you had support requests opened regarding these difficulties, please let us know the corresponding case IDs so we could take a look at the details.

I did not find any archived cases regarding "speed" of dashboards.
Situation is that I tell our First Level guys to keep an eye on the "Morning Coffee" Dashboard. They than reply that they need a few coffee to drink before the Dashboard appears But yes, maybe we can shrink such dashboards to specific environments, this would maybe help already to speed things up (see above).
At the moment it takes around 220 Seconds before the Morning Coffee Dashboard shows any data.

I am looking forward to hear from you!

Daniel

[wishr]

Hi Daniel,

Thank you for your reply. I apologize for delayed response. Please find my comments below.

1. NTLM and Kerberos
Am I right assuming that you have disabled NTLM globally on the DC level? We definitely consider Kerberos support for the next versions (no ETA yet), I just wanted to get more details on how the implementation is done in your particular case so we could perform some tests in an environment with a configuration similar to yours.

2. Custom ports and HTTPS support for VES UI
Correct, this has not been verified by our QC team yet and thus, not supported officially yet, but I've tried changing the ports myself and it worked (did not have a chance to give HTTPS a try, though). There is a variety of guides on how this can be done on the internet. Here are a few examples: 1, 2. You may give it a try in a test environment and then, in case of no issues roll out to production. We are planning to verify and support such configurations in the future - I will update this thread once we will have news to share with the community in this regard.

3. Custom "scoped" Morning Coffee Dashboard
You should first split your environments into groups, based on your needs, then create a new dashboard with our widget. Please refer to this UG section for more info.

4. Unknown Files tracking
The difference between the task and the monitor is the following. The monitor pulls the data using WMware API, but unfortunately, the API does not provide a functionality to show what are exactly the "garbage" files and where are they located. That's why we have our own script with a unique and wise logic to track down garbage files. The aforementioned task launches the script. The reason why we have not implemented the script into the monitor is simple: the script is quite "heavy" and can generate a lot of unnecessary load on Operations Manager if we run it frequently, let's say every few minutes, especially if you have a lot of unknown files. This is why we have separated the task and the monitor, so the common use-case scenario is to use the monitor for operational alerting while the task supplements it as an on-demand tool.

5. Morning Coffee Dashboard performance
Do you mean that 220 seconds is the amount of time required to reflect the environmental changes or just to load up the dashboard itself? We need a bit more details to be able to say whether this behavior is normal or not, but I would suggest you give "scoped" Morning Coffee widgets a try first. Please let us know if the performance becomes better after this and we will decide what should be the next steps.

I hope it helps. Please let me know if you have any questions or additional comments.

Regards,
Fedor

[D@ni]

Hi there

It is me again

In the meantime, we did an update of Veeam MP for MSC to Version 9. However, there are still some questions we have.

- It looks like NTLM is still required to run Veeam MP properly. Are there any plans to have full (and only) Kerberos Support in the future? (By Default NTLM is disabled on all our Windows Member Servers due to Security reasons/concerns)
- Latest Version (9.0.0.2861) was released almost 3 years ago. What does Veeam attend to do with this product in the future?
- Documentation are not updated properly. For us it is not clear if SCOM 2022 is now supported or not. In the "Introduction and Architecture Overview" Documentation SCOM 2022 is not mentioned at all, but is in the "Installation Guide".
- What about the Support for vSphere 8.0, which is GA since more than 6 months now? Are there any plans to have this Version supported with Veeam MP 9.0?

Thank you in advance for a short feedback.

Best Regards
Daniel

[Vitaliy S.]

Hi Daniel,

- It looks like NTLM is still required to run Veeam MP properly. Are there any plans to have full (and only) Kerberos Support in the future? (By Default NTLM is disabled on all our Windows Member Servers due to Security reasons/concerns)

There is no ETA for this FR yet.

- Latest Version (9.0.0.2861) was released almost 3 years ago. What does Veeam attend to do with this product in the future?

We are planning to keep developing this product and provide compatibility support for the latest platform updates, such as SCOM, vSphere, Hyper-V and Veeam B&R.

- Documentation are not updated properly. For us it is not clear if SCOM 2022 is now supported or not. In the "Introduction and Architecture Overview" Documentation SCOM 2022 is not mentioned at all, but is in the "Installation Guide".

I will pass this feedback to our TW team.

- What about the Support for vSphere 8.0, which is GA since more than 6 months now? Are there any plans to have this Version supported with Veeam MP 9.0?

Yes, we are working on the update for Veeam MP that will bring support for vSphere 8.0.

Thanks!

[D@ni]

Hello Vitaly

Thank you for your quick and detailed answer - much appreciated. It is nice to hear that Veeam is still commited to maintain and update Veeam MP.

Another thing that I wrote three years ago: Are there any plans to use custom ports and HTTPS support for VES UI in the future? As long as HTTPS is not supported, we cannot allow to access the UI from another system due to security reasons.. Thus, we have to login locally on the machine to access the UI.

Thank you!
Daniel

[Vitaliy S.]

Hey Daniel,

While it does not come out of the box, the HTTPs can be set even now, just configure it manually for the website, no need to wait for future releases.

As to the ports question, not sure I'm following you here. You can set custom ports during setup, please take a look at this screenshot > https://helpcenter.veeam.com/docs/mp/vm ... _ports.png

Thanks!

[D@ni]

Hi guys

Already a year gone since my last post
I would like to check with staff from Veeam what are the plans for Veeam MP for SCOM? Since 9a there is no new version, NTLM is still required and there is still no user guide to change Port-setting of Veeam UI after installation or to configure SSL.

So what are the plans of this product? Is Veeam still commited to support/develop this product? I do not see any improvements for years now and while our VMware vSphere infrastructure has grown in the last years, it looks like Veeam MP for SCOM is not able to handle the scaling. We have cases open for long time with no solution regarding performance and false-positive alerts.

Thank you in advance for your feedback!

[Vitaliy S.]

Hi Daniel,

Yes, we are still committed to making it compatible with the latest platform releases (vSphere, Veeam B&R) and releasing new versions if this compatibility is broken. Do you have any case IDs for me to take a look at, as this is the first time I hear there are scalability issues?

Thanks!

[D@ni]

Hi Vitaliy

I sent you some case IDs to have a look at. The open ones are regarding performance and false-positives, while the closed ones are related to Kerberos/NTLM authentication. On Jan 31, 2020, "wishr" mentioned that "We definitely consider Kerberos support for the next versions". 4 years since then and still no Kerberos support

Please let me know if you need any further information.

Best Regards
Daniel

[D@ni]

btw:
We have around 3000 VMs accross 160 ESXi Hosts and 4 Collector Servers installed. The Collector Servers frequently report that they are overloaded and some old Alerts are not cleared correctly. When doing maintenance on ESXi Hosts (like installing ESXi patches) we receive the alert that "VMware connection is unavailable" - despite vCenter Server is working fine. This is what I meant regarding scaling issues.

[Vitaliy S.]

Hey Daniel,

Yes, Kerberos is still in the plans, but no ETA for now. We need to understand where Microsoft is going to with the SCOM offering, and then I will be able to add more color to my reply.

As for the scalability/false positives, I will review the tickets and share my findings with the QA team for further review.

Thanks!

[Vitaliy S.]

Hi Daniel,

I reviewed the cases you provided, and I'm not sure they are scalability-related; most likely, they have something to do with the configuration itself. I see that the case is assigned to the RnD team at the moment, so let's wait for their research results.

Thanks!