Disaster recovery orchestration for the Enterprise (formerly Veeam Availability Orchestrator)
stryker54141
Enthusiast
Posts: 35
Liked: 2 times
Joined: Aug 08, 2016 4:13 pm

Harden Embedded B&R?

Post by stryker54141 »

I just got my new VRO instance up and running. Is it recommended to "harden" the embedded B&R server just like the production B&R server, or will this break something?
david.domask
Veeam Software
Posts: 2731
Liked: 629 times
Joined: Jun 28, 2016 12:12 pm

Re: Harden Embedded B&R?

Post by david.domask »

Hi Stryker54141,

What kind of hardening were you imagining? The embedded VBR instance is used in a limited fashion, but it is a full VBR instance so some hardening is appropriate.

If you're referring to the most recent CVE announcement, you can feel free to apply the updater ISO to update the embedded VBR to 12.3.1. Please be aware you likely will face the issue in this KB during the CVE update.
David Domask | Product Management: Principal Analyst
stryker54141

Re: Harden Embedded B&R?

Post by stryker54141 »

Hi David,

Thank you for responding. I was talking about going through all of the steps in the Compliance and Security check that is built into VBR. For example, I don't want to enable MFA if that will break the connection between VRO and VBR.

I guess I'm wondering how much configuration I need to do with the embedded versions of VBR and Veeam One. Is it best practice to leave them alone and let Orchestrator use them as necessary? Also, if I want to use Veeam One, should I put a second instance on its own server?

Thanks again for helping me with my noob questions.
Alec King
VP, Product Management
Posts: 1547
Liked: 409 times
Joined: Jan 01, 2006 1:01 am
Location: Prague, CZ

Re: Harden Embedded B&R?

Post by Alec King »

Hello @stryker54141!

You can safely execute the VBR hardening script; our QA have checked it and it does not affect any VRO operations.

You can also enable MFA on the VBR server; however, you should exclude the VRO service account from MFA as per the user guide.

Regarding Veeam ONE, the ONE server installed on the VRO server is fully functional; however, the VRO setup configures it in an optimal way for VRO use (for example, we turn off performance metric collection).
The best solution if you want to use Veeam ONE in production would be to deploy it on another VM so that you can configure it independently for your purposes.

Hope that helps. Any other questions, let us know. Thanks!
Alec King
Vice President, Product Management
Veeam Software
stryker54141

Re: Harden Embedded B&R?

Post by stryker54141 » 1 person likes this post

Hi Alec,

Thank you very much!!

David