Can't add org, WinRM / EWS Errors

[shlomip]

First of all, I did open a support case (05608383) and unfortunately they didn't really manage to help me..
Are there any here who is use "Veeam Backup for Microsoft 365" to backup a local exchange server?

Environment: on perm exchange
local domain: domain.corp (Not publicly accessible)
owa: mail.domain.com (publicly accessible)
Veeam Backup for ms365 is installed on 2019 server that is connected to exchange network and added to domain.

So after we got the technical details introduction, the problem is that I just can't our local exchange to Veeam backup for ms365.

Scenario 1
server name: owa url, administrator user & password, connect using ssl and disable any ssl checks.


Error on powershell. exhcnage powershell is enabled with Basic authentication
As you can see in the screenshot, Veeam is trying to connect to Server1 (which is indeed the name of the exchange server)


Scenario 2
server name: local server name, administrator user & password, not connecting using ssl (Veeam fails to connect at all with SSL enabled).


Error on EWS


appreciate any help!

[Mildur]

Hi Shlomi

The case number is from September 2022.
It was closed because there was no response from the customer. Can you please open a new case and provide a fresh log collection?

Could you maybe share with me, why you use VB365 to backup an on premise exchange server? Why not using Veeam Agent or vm backup job to protect the entire application and operating system?

Thank you very much
Fabian

[shlomip]

Hi Mildur.

I would prefer not to have this discussion on a public forum.
But I will just point out that I did not yet receive an reply to the last question on the ticket.

Anyway, to answer your question, we already have an active backup system to backup the OS.
I wanted to add a backup for each mailbox and the VB365 software is light and convenient to use, so I preferred to use it..
Unless the "on prem" option only works in very certain situations.

[Mildur]

Hi Shlomi

Unfortunately, I cannot help you over the forum. This is not a support forum.
Technical analysis is required. Logs must be analyzed. Please create a new support case with fresh logs as suggested.
You can reference to your old case number and ask why you didn't get an answer.

Unless the "on prem" option only works in very certain situations.

You can find the technical requirements in our user guide:
- Supported Microsoft Exchange Organizations

Thanks
Fabian

[Mike Resseler]

Just as a quick test, try to add the server name of Exchange that owns the mailbox server role. Probably that will work better than the OWA public DNS name (I am guessing routing here...)

[shlomip]

Unfortunately, I cannot help you over the forum. This is not a support forum.

Logic says that maybe someone else has come across this and can shed light on the situation..
I tried to open a new case, but the website doesn't allow me because i dont have an active license and trial period has expired (remember, I still can't get this to work, so I'm sure I'm not going to purchase licenses for software that doesn't work yet)

Just as a quick test, try to add the server name of Exchange that owns the mailbox server role. Probably that will work better than the OWA public DNS name (I am guessing routing here...)

This is Exchange 2019 all components of exchange are on one server. and i have tried what you offer in Scenario 2

[shlomip]

In my test environment, I was able to add an organization that the internal domain is a real domain (and not an internal domain like local / corp etc)
So the exchange server has a real SSL.





so the issue is with environments with a domain like .local .corp

[jorgedlcruz]

Hello,
Perhaps you can open the EWS URL on a browser, on the VB365 Server, then download the SSL certificate and import it under Truster Root Certificate Authorities.

I thought that the .local, or any other that is not a valid TLD, were already deprecated and marked as invalid all across the industry:
https://exchangekb.com/tag/invalid-full ... -as-local/
https://www.tbs-certificates.co.uk/FAQ/ ... s_tld.html
https://cabforum.org/wp-content/uploads ... -Names.pdf

I am not aware of any regedit to bypass this .local stuff, but perhaps Support can help better, let me try to see if we can do something with that case you have open.

[shlomip]

This was among the first things I did.. See screenshot below
It doesn't work because (I'm guessing.. here)

1. IIS doesn't use this local self sign SSL. IIS is setup with a trusted certificate because is available to the web.
2. Veeam is ignoring the setting to NOT verify trusted certs.


I do not know if there is a way to set that only in Internal owa url in Exchange to use a different SSL.

[jorgedlcruz]

Good stuff! Glad you were doing the regular troubleshooting.

I found some documentation to review:
https://knowledge.kofax.com/MFD_Product ... connection
https://www.admin-enclave.com/computer/ ... -procedure
https://www.adoclib.com/blog/authentica ... edure.html

But as you said, I think the check on the wizard should bypass this. Perhaps the logs have more information. If you are doing this as a POC, and your Veeam account has expired. Perhaps you can contact your local Veeam Systems Engineer to see if he/she can help a bit with the case.

I am a bit out of ideas, seeing that it works with a normal valid tld.

[shlomip]

It works!!! basic concepts in IIS.
I added a secondary IP address to exchange server and added this IP address to Hosts file on Veeam server (So that Veeam will communicate with exchange through this secondary IP)
In IIS i added in binding to use the self sign cert for the secondary IP.



In summary: the check box in Veeam doesn't work, so I had to do this whole combo.

[jorgedlcruz]

You are fantastic, Shlomi !
Now to give it a big try on the backup and restore, etc. Hope you find the product to match your needs for better RPO for those Exchange servers.

Please let us know.