Question regarding Guest Processing in VMware

[chaos]

Hi everyone,
I’ve got a question regarding Guest Processing on Windows servers and need some sanity check, if I’ve understood it correctly

To circumvent the hassle with VIX with different credentials for hundreds of machines, in multiple domains and deploying the non-persistent components every time a job runs – my resolution would be a persistent agent.
As I want to have as little as possible opened ports in our firewalls, my way to go would be the deployment kit, with certificate based authentication, which would be installed by our automation tool – which also would streamline the process for non domain joined systems.

After looking through the ports list (https://helpcenter.veeam.com/docs/vbr/u ... components) am I correct I only need to open Port tcp/6173 between my GIP and the Windows VM – at least for file indexing?
The ports tcp/6160,11731 are also listed, but only for the Veeam Installer Service, which I wouldn’t use because the deployment kit is already installed on the systems.

Thanks in advance.

[Brad.Barker]

First, I'd like to call out that part of the installation of the deployment kit it will install the installer service. So would you end up targeting removal of the installer service after the fact?

After that, I do want to call out that the Installer Service is actually what is utilized as an initial communication point to identify connectivity with the guest. In the processing work flow there is a failover to VMware API option, but it looks to me like you are actively trying to remove those from the equation. See the diagram here: https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13

Finally, the Installer Service is what is utilized for managing self signed TLS certificates issued by Veeam Backup and Replication which is how the persistent guest processing agent securely communicates with Veeam. So with all that said, I think you will want to plan around having the installer service installed as well as port 6160 opened for communication. Port 11731 is a failover port in the event that a local application already utilizes port 6160, so you may or may not need that port. For info on the cert handling from the installer service see: https://helpcenter.veeam.com/docs/vbr/u ... tml?ver=13

[chaos]

I‘d love to use VIX, but it isn’t feasible. We use LAPS, so the password changes frequently. Disabling UAC also isn’t an option. And using the built in or another domain administrator, which should never be used on non tier0 system, forbids itself…

We‘re a service provider with dozens of domains/forests and probably aren’t the first to stumble over this, so how is everybody else solving it?

[Brad.Barker]

I have persistent guest set up in my lab, and the credentials specified were not used.

I had an off domain Windows VM with the persistent agent installed via deployment kit (this means it included the installer service and the the persistent agent), and then I created a job that used a different local account I have on my Veeam Software Appliance for the creds in the Guest Processing section. This account since it's a local VSA account would be a linux account, and I'm working with a windows VM, so it would never be capable of authenticating with the server. I then Job ran and it processed just fine while utilizing application aware process because it's utilizing the certificate based authentication. The real hang up in your original plan is that you'll have to include the installer service installation as part of your design, otherwise the guest processing process fails over to trying to establish communication via VIX.