Ports / Componentes B&R and Agent for Windows Backup

[agrob]

Good Day

We have a running VBR Installation. We have a separate network with older Win7 Clients. We now have the need to backup those clients with our central VBR Installation.

Question:
I have seen the list with needed Ports for Veeam Agent for Windows <> VBR. (https://helpcenter.veeam.com/docs/agent ... tml?ver=50)
-> What i'm not sure about, what ports and in which direction are needed to install / update Veeam Agent on the clients with VBR? (So that i can mange them centraly with the vbr server). I want to install the Dstribution Server on an already exisiting Proxy VM so that the Win7 clients are communicating with this Distribution Server and not with the VBR Server itself (security)

Thanks in advance

[Mildur]

Hi Andre

> What i'm not sure about, what ports and in which direction are needed to install / update Veeam Agent on the clients with VBR? (So that i can mange them centraly with the vbr server)

The required ports for Agent Management are documented here:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

So i think about to use a VM which we already use as Backup Proxy. Extend this vm with the Repo Role and connect an iSCSI LUN from a NAS System as Backup Repo to this VM. So far so good

Using a NAS device as backup storage is not the best practice solution, but it works and is supported.
Just make sure to use a backup copy job to copy the backups to another location. Always consider the 3-2-1 (3-2-1-1-0) rule.

Can i also use this "Proxy and Repo VM" to install/update the Agents on the Windows 7 Clients so that this update is not done over the "central" VBR Server? What kind of Role is needed for the Agent Update? is it the gw server or which component?

The role responsible to deploy the agent package is the distribution server. If the proxy/repo VM is a windows machine, you can use it also as a distribution server.
If you combine this roles, make sure to give the VM enough resources.

Thanks
Fabian

[agrob]

Hi Fabian

Thanks for the fast reply. Then i had found the wrong Port list first...

About the NAS as Backup Repo. I know it is not the best option. But i thought the Problem with NAS is, if we use it with CIFS/SMB Share. It should be fine if we peresent a Block Volume with iSCSI connectin, right? (Our main backup repo is a Apollo Server, but for this case we would use cheaper storage....) As it is only required to backup once a week, it should be fine.

Best Regards
André

[Mildur]

Hi Andre

Your welcome.

Of course, most NAS devices are running fine for years. I use one myself at home.
The likelihood of backup chains going corrupt is higher with this cheap nas devices compared to general purpose servers with enterprise raid controllers and local disks like your Apollo. That's because I recommended to have a backup copy job. Just to make sure that you have a second copy in case your NAS has issues someday.

It should be fine if we present a Block Volume with iSCSI connecting, right?

I would also prefer a iSCSI connection instead of SMB. But just as a note, if you use reFS with it, then it's probably not supported by Microsoft.

Thanks
Fabian

[agrob]

Thanks, We will use a QNAP SMB (not entry Level) 8 Bay NAS.
About ReFS, i once asked QNAP Support if it is fine to Format a iSCSI Lun from QNAP NAS with ReFS. They confirmed it is ok.... So i thought if they say its fine, it should also be supported by MS. But i will check it again in the link you provided. Otherwise i would go with NTFS. (in older Posts from 2020 Veeam suggested to use REFS for iSCSI Luns... )

[Mildur]

I would also go with ReFS. With NTFS, you will loose the FastClone feature.

Just wanted to mention that Microsoft has a note about supported reFS implementations:

All ReFS supported configurations must use Windows Server Catalog certified hardware and meet application requirements.

[agrob]

Yes i understand, thanks for that. I checked the compatibility list and just the NAS i preffered is not in the ReFS Supported list. So i'm pretty sure it would work, but as long as it is not in the supported list, i won't go for that. so i have to search for another one thanks for the hint!

[agrob]

One more Question about the ports.
Veeam Agent need to connect to the VBR Server (which is also the Backup Repo) and in that case it needs dynamic TCP Ports 49152-65535
Is there any way we can limit those Ports? I mean if i have a DMZ and want to backup to a Backup Repo inside the LAN, it is not very secure to open all those ports... Or what is the recommendation here?

Thanks

[Mildur]

Hi Andre

I moved the topic to another sub forum. Makes more sense here

Your Agents only require access to their primary backup repository. If that's the backup server, then you have to open this ports.
You can adjust the allowed port range for the dynamic TCP Ports. But that's a configuration in the windows OS itself. I'm not sure, if we ever have tested it with a smaller RPC Port range. Give it a try and see if it's working,

Thanks
Fabian

[agrob]

Another question, again

The Problem are the Dynamic Ports (49152 to 65535) which need to be open from VAW (DMZ) to the server acting as Repository Server (LAN). I'm pretty sure this will not be acceptable because of security reasons.
Just for my understanding, if i configure the Backup Policy for VAW Clients to backup to a SMB Folder (i know, not recommended but supported), then only Ports 137 to 139 and 445 are needed between VAW and SMB Share? No need to open Dynamic Ports to the Backup Server? From VAW to LAN (Backup Server) in this case only TCP 10005 is needed. Or did i miss something here?

LAN to DMZ is not that cirtical and should be fine

Thanks
André

[Mildur]

Hi Andre

Is it direct backup to SMB or is it a SMB Backup Repository connected to the VBR Server?
In the first case, no need for the dynamic ports. In second case, the agent will still communicate with the Veeam server (gateway server) and dynamic ports are required.

And direct backup to SMB over internet will most likely not work, because I know from different provider that they are blocking port 445 over internet without a VPN.

Thanks
Fabian

[agrob]

Thanks for your reply Fabian.
Yes direct to the SMB Share, not as SMB Repo connectet to VBR Server (because of the dynamic Ports).
Preffered would be the "normal" Repo but dynamic ports....

Do you know if there are any plans to change this behaviour with dynamic ports? it is a no go with dmz or similar configurations. i know that there are other posts regariding simillar topics.
i also used other backup sw for years and there it was possible to configure port ranges and limit them to very few ports....

[Dima P.]

Hello,

Do you know if there are any plans to change this behaviour with dynamic ports? it is a no go with dmz or similar configurations. i know that there are other posts regariding simillar topics.

Unfortunately to plans to change it in the upcoming version.

Yes direct to the SMB Share, not as SMB Repo connectet to VBR Server (because of the dynamic Ports).

Have you considered using Veeam Cloud Connect to bypass the mentioned limitations? You can aim agent at cloud repo and bypass possible issues with port range? Thanks!

[agrob]

Thanks, but cloud connect is not an option as we don't want to write those date to an external provider.
Best Regards