Now for my questions:
1. I know that the data is not encrypted in transit but how usable would it be anyway?
2. Does anyone have a good suggestion on how to add encryption?
3. Is this a bad idea?

Ok, I give in and forget about PAT (I wasn’t fond of the idea anyway)
dellock6 wrote: If you are going to have proxy only on source site, and you do not want to use a VPN, how are you going to connect the remote ESXi host??? Exposing ESXi via PAT onto internet??? forget it!
A single proxy for WAN replication is a bad idea, just like natting instead of a VPN. Out of curiosity, why do you want to avoid VPN between the two sites? Also, you really need to deploy a second proxy on the remote site...
Luca.
It’s complicated to explain, but there are multiple partners who use the same ESX server on the remote site and we want to shield these users from accessing our production LAN. Therefore, we need the filtering to apply at our end of the VPN tunnel. If we apply an “established” one-way rule that allows traffic to be initiated from our end and only allows “return-traffic”, it would accomplish that, but I don’t know if this is compatible with the way the Veeam proxy works. That’s why I’m asking about traffic flow and direction.
dellock6 wrote: Søren, even if it's a shared environment, I should think the hosting provider gave you dedicated VLANs for your hosted servers. This is a first line of network segregation. From here, you can also configure the firewall managing the VPN to allow connection only coming from the remote Veeam proxy, and the other services you need to connect to in the remote site itself.
Luca.
Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.
Sorenemig wrote: Rustam, okay this might do the trick. Is it only the two proxy roles that need to be able to communicate between the sites?
But isn't that one of the changes in Veeam 6.5?
foggy wrote: Don't forget that both proxies need access to the backup server also. Here is the thread discussing all the required connections in case of offsite replica.
Connection to agents is initiated from the backup server side.
Sorenemig wrote: If the target proxy is initiating the connection to the backup server I could allow some specific ports, but I'm not happy about it. If I don't trust the target network, would this be ok?