Agent-based backup of Windows, Linux, Mac, AIX and Solaris machines.
putana
Lurker
Posts: 2
Liked: never
Joined: Aug 05, 2024 10:25 am
Full Name: Lilly Putanar

Backup of individual Folders on Remote Server

Post by putana »

Hello,

I'm looking for a safe way to back up individual folders from remote servers to a local repository with Veeam Backup and Replication.
I've been reading the VBR and Windows Agent documentation and testing out a few backup methods, but I'm still uncertain how to configure this in a safe way.

Requirements:
  • The job is supposed to back up individual folders/files from 6 Windows servers for archiving purposes.
  • The servers are all Windows and reachable from the internet
  • The storage repository is a NAS the VBR server has access to
  • The archived files should never be restored directly from VBR to the Windows server

My plan:
  • Use Windows Agent in Managed Mode
  • Create firewall rules before the Windows servers to allow connections only from the VBR server
  • Firewall rules before the VBR server to allow connections only from the public IP addresses of the Windows servers
  • Create protection groups in VBR and install the Veeam Agents via the VBR Console
  • Configure credentials on the Windows servers and store them in VBR
  • Configure backup encryption

Concerns and Questions:
  1. How is the transmission of SMB credentials from VBR to the Windows server secured?
  2. How is the encrypted communication between VBR and the Windows servers established?
  3. Do the Windows servers need access to the target repository if it is separated from the VBR server?
  4. Is there a better method to achieve this backup job that I might have overlooked?

Additionally, I'm encountering issues with the Admin Share:
  • The Admin Share is reachable directly from the Windows server using \\localhost\ or \\Public_IP_Address but not from the VBR server.
  • I'm getting the error "access denied". Security audit logs indicate the login is successful.
  • Network profile is currently private

Any advice or recommendations would be greatly appreciated.

Thank you!
Mildur
Product Manager
Posts: 10288
Liked: 2747 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland

Re: Backup of individual Folders on Remote Server

Post by Mildur »

Hello Lilly

> - The servers are all Windows and reachable from the internet
> - Firewall rules before the VBR server to allow connections only from the public IP addresses of the Windows servers

I assume you plan to use NAT when you talk about public IP addresses? Please make sure to use a VPN. Veeam Agent doesn't support NAT.
Direct SMB (Port 445) through the internet may also be blocked by your internet provider. That could be another issue. And I know a few service providers in my region which actively block those ports.

> How is the encrypted communication between VBR and the Windows Servers established?

All management traffic between components, agents and backup server is encrypted. Backup traffic encryption can be enabled or disabled: https://helpcenter.veeam.com/docs/backu ... ml?ver=120

If you select backup file encryption in a backup job, all data is encrypted automatically between the agent and backup environment.

> Do the Windows servers need access to the target repository if it is separated from the VBR server?

Yes. Agent will connect directly to the backup repositories. Check our port table: https://helpcenter.veeam.com/docs/backu ... positories

> Is there a better method to achieve this backup job that I might have overlooked?

Not through the internet. Agents are not supported.
With VPN, you can decide between Agent or FileShare backup jobs. A file share backup job can protect the files directly from the machine through SMB without installing any agent.

> The Admin Share is reachable directly from the Windows server using \\localhost\ or \\Public_IP_Address but not from the VBR server.
> I'm getting the error "access denied". Security audit logs indicate the login is successful.
> Network profile is currently private

You may have to disable Remote UAC to get it working with a different user than the built-in administrator:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
LocalAccountTokenFilterPolicy = 1 (DWORD)

Please contact our customer support team if it still doesn't work. We cannot provide troubleshooting in this forum.
Before contacting them, make sure to run a supported environment (no NAT).

Best,
Fabian
Product Management Analyst @ Veeam Software
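
Added example, not part of the original posts and not Veeam's own code: setting LocalAccountTokenFilterPolicy to 1 gives every local administrator account a full admin token on remote logons, so it is worth checking which sources can reach TCP 445 on the same server. This audit sketch assumes the VBR server reaches the machine over the VPN at the placeholder address 192.0.2.10; `$VbrAddress` and the report column names are illustrative.

```powershell
# Added example: audit Remote UAC and SMB exposure on a Windows server
# before managed-mode agent deployment. Run in an elevated PowerShell session.
# $VbrAddress is a placeholder (documentation range), not a value from the thread.
param([string]$VbrAddress = '192.0.2.10')

$key  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$name = 'LocalAccountTokenFilterPolicy'

# 1. Remote UAC state. Absent or 0: remote logons by local admin accounts get a
#    filtered token, which matches "logon succeeded, access denied" on ADMIN$.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) { $current = 0 }
'{0} = {1}' -f $name, $current

# 2. Enabled inbound allow rules that cover TCP 445, and which sources they accept.
$smbRules = Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { $_.LocalPort -contains '445' } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow'
    }

$report = foreach ($rule in $smbRules) {
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Profile       = $rule.Profile
        RemoteAddress = $remote -join ','
        OnlyVbr       = ($remote.Count -eq 1 -and $remote[0] -eq $VbrAddress)
    }
}
$report | Format-Table -AutoSize

# 3. Flag the combination that matters: full remote admin tokens plus SMB rules
#    that accept sources other than the backup server.
$open = @($report | Where-Object { -not $_.OnlyVbr })
if ($current -eq 1 -and $open.Count -gt 0) {
    Write-Warning ("Remote UAC is disabled and {0} SMB rule(s) accept sources other than {1}." -f
        $open.Count, $VbrAddress)
}
```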

Re: Backup of individual Folders on Remote Server

Post by putana »

Hello Mildur,

thanks for your helpful reply.
> I assume you plan to use NAT when you talk about public IP addresses? Please make sure to use a VPN. Veeam Agent doesn't support NAT.
> Direct SMB (Port 445) through the internet may also be blocked by your internet provider. That could be another issue. And I know a few service providers in my region which actively block those ports.

Yes, I was planning to use NAT, but apparently only VPN is supported for remote servers with agents.
More Info here: https://helpcenter.veeam.com/docs/backu ... at&ver=120

Best regards,
Putana
JeroenL
Influencer
Posts: 22
Liked: 15 times
Joined: Feb 03, 2020 2:20 pm
Full Name: Jeroen Leeflang

Re: Backup of individual Folders on Remote Server

Post by JeroenL »

Don't use NAS storage, use Wasabi S3.

Create a bucket for each location and configure a repository on your central Veeam B&R server for each location.
Add a computer group for central management of the Windows Agents and an Agent backup job for each location.

This way you have central control of backups to reliable immutable storage.
NAS backups over VPN don't offer great performance and don't provide immutability.

The agent installation and management requires a VPN and regular HTTPS port 443 to the internet for all backup traffic.