I've been playing around with reverse publishing of the Veeam ONE web site on port 1239 and I think I've got a solution that now works great!
Basically I need to change the SSRS report URL in the registry, and then change the IIS bindings for the VeeamReporter site to port 443 and move the self signed Veeam cert to the new binding.
I tried to do this in script so I can have a repeatable set of build notes for myself, without loads of screen shots
Once all the stuff is in place and the server rebooted, I then create an haroxy mapping on an haproxy instance with an internal URL;
So in the haproxy front end I have;
Code: Select all
use_backend be-veeamone if { hdr(host) -i veeamone.customsite.com }
Code: Select all
backend be-veeamone
mode http
option forwardfor
server veeamone.customsite.com a.b.c.d:443 ssl verify none sni str(veeamone.customsite.com)
Doing things this way means the reporting service reporting URLs get generated correctly with the right domain names rather than the local machine name.
More importantly for me is that I can push the SSL offloading to haproxy - that way I can integrate Lets Encrypt certs easily into haproxy and then the site will be publishing with real certs thereby preventing warnings with the browsers making things easier to use.
On the VeeamONE server itself I have a local host file for 127.0.0.1 to point to veeamone.customsite.com in-case there are any local call backs on the software referring to the machine itself.
All of this is working great and makes things a lot easier, so this brings me onto a simple request.
Please can there be a configuration item in VeeamONE for "Presentation URL" so that any hard-coded absolute links get generated correctly (e.g. the reporting services URLs), and an option for which port the site should be published on as this would make things easier to reverse publish. The values could default to the machine name and port 1239 to avoid a change in behavior for most people.
Using VeeamONE like this lets us treat the VeeamONE installation (on Windows Server 2025) more like an appliance - which suits us well as we don't need people to RDP to the monitoring server.
cheers
Ashley
Code: Select all
# Set the SSRS URL to match the externalisation URL
Set-ItemProperty -Path "HKLM:\SOFTWARE\Veeam\Reporter Enterprise" -Name "ReportViewerUri" -Value "https://veeamone.customsite.com"
# Change bindings from port 1239 to port 443 in IIS for the VeeamReporter site and move the self signed cert to the new binding.
Import-Module WebAdministration
# Define variables
$siteName = "VeeamReporter"
$certName= "Veeam ONE Website self-signed certificate"
$oldPort = 1239
$newPort = 443
# Remove the old binding
Remove-WebBinding -Name $siteName -Protocol https -Port $oldPort
# Add the new binding
New-WebBinding -Name $siteName -Protocol https -Port $newPort
# Geyt latest cert fingerprint for the cert (incase multiple certs have been loaded into the cert store)
$latestcert= (Get-ChildItem Cert:\LocalMachine\My |
Where-Object {$_.FriendlyName.Contains($certName)}|
Sort-Object -Descending {[System.DateTime]::Parse($_.GetExpirationDateString())} |
Select-Object -First 1)
$certThumbprint=$latestcert.Thumbprint
# Assign cert fingerprint to the new binding
$appId = [guid]::NewGuid()
netsh http add sslcert ipport=0.0.0.0:443 certhash=$certThumbprint appid=$appId