propeller0
Service Provider
Posts: 2
Liked: never
Joined: Nov 02, 2009 6:27 pm
Full Name: Thomas
Location: Munich, Germany

Veeam Backup 4.0 VSS

Post by propeller0 »

Hi,

Veeam Backup 4.0 with vStorage API without VSS runs very well. But we want to use VSS and don't have a network connection between the Veeam Backup server and the VMs.

Is it possible to use Veeam VSS without a network connection between the Veeam Backup server and the VMs?

If we really need a network connection for Veeam VSS backups, which ports are needed?

Regards,
Thomas
-----------------------------------
VCDX, VCP4/3/2, CISA, MCSE
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam Backup 4.0 VSS

Post by Gostev »

Hello Thomas - yes, the network connection to VM is required for Veeam VSS to function.

As for ports required, please review the following thread:
http://www.veeam.com/forums/viewtopic.p ... orts#p4575
fredbloggs
Service Provider
Posts: 47
Liked: never
Joined: Mar 18, 2009 1:05 am

Re: Veeam Backup 4.0 VSS

Post by fredbloggs »

Is it possible that you guys may be coming up with a workaround for this? It's going to be a pain for me to try and open connections between all these systems and it'd be nice if I didn't have to. Total isolation is better than partial and means I don't have to worry about routing between VLANs or IP assignments etc.

Really don't want to open rpc, netbios etc, some of those servers don't even have NetBIOS enabled as they run purely on tcp connections.

What about if you have a pre-freeze script in VMTools or such like configured, if that's a possibility what would we use to utilise the Veeam VSS writer?

Cheers

Mark
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam Backup 4.0 VSS

Post by Gostev »

We need to investigate if this is something we could implement. So far, it has not been a major problem, but I definitely understand the need for this functionality in some scenarios.
propeller0
Service Provider
Posts: 2
Liked: never
Joined: Nov 02, 2009 6:27 pm
Full Name: Thomas
Location: Munich, Germany

Re: Veeam Backup 4.0 VSS

Post by propeller0 »

Hello Anton,

thanks for your reply!
I also have concerns about breaking the isolation between the backup server and VMs in some environments. This will also break the isolation between all of the VMs in different VLANs and network segments.
Especially for our enterprise customers it would be nice to have a workaround for this issue.

Regards,
Thomas
-----------------------------------
VCDX, VCP4/3/2, CISA, MCSE
fjones
Novice
Posts: 9
Liked: never
Joined: Mar 24, 2009 12:33 am
Full Name: Frank Jones

Re: Veeam Backup 4.0 VSS

Post by fjones »

I also would like to see this. Currently we have 15 vlans that are isolated from each other (and more to come). Each has 2-4 vm's and most of these have 1 linux vm and 2-3 windows server vm's. The backup server(s)/network does not have any access to the guests in the vms. Ideally the backup server/veeam would be on the same network as the ESX hosts but be able to backup any guest while being able to do a vss snapshot (to backup exchange, sql server, etc).

Having to open this up probably means that I will have to find another solution.
thakala
Lurker
Posts: 1
Liked: never
Joined: Nov 03, 2009 5:58 am
Full Name: Tomi Hakala

Re: Veeam Backup 4.0 VSS

Post by thakala »

We are an outsourcing company and the option to have ports open from backup server to customer VMs is out of the question. I second that Veeam VSS integration definitely requires an alternative way to work.
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam Backup 4.0 VSS

Post by Gostev »

fjones wrote: Having to open this up probably means that I will have to find another solution.
Other solutions simply do not provide the level of VSS integration Veeam provides. They all rely on VMware Tools VSS integration module, and you can do this with Veeam Backup too. As long as you have this component installed in VMware Tools, it will be used during snapshot creation (if you are not using Veeam VSS, or have VMware quiescence enabled in the advanced job settings).

The limitation of VMware VSS is that it does not provide application-aware VSS restores, and only supports Windows 2003 and Windows 2008 (file-level quiescence only on the latter), not other Windows OS (while Veeam Backup supports all Windows OS). But still, it is much better than using no quiescence at all, or the legacy VMware quiescence mechanism that uses the SYNC driver.
dkvello
Service Provider
Posts: 109
Liked: 14 times
Joined: Jan 01, 2006 1:01 am
Full Name: Dag Kvello
Location: Oslo, Norway

Re: Veeam Backup 4.0 VSS

Post by dkvello »

Hmm, but Veeam dynamically installs/uninstalls its VSS provider on-the-fly, pre-backup and post-backup. That's why the Veeam Backup server needs SMB access to IPC$ on the target VMs?

Wouldn't it be possible to do it by proxy? E.g. being able to copy the necessary files to the VMs beforehand (put them in a standard place using FTP or any other means available) and using the pre-freeze/post-thaw functions of the VMware Tools to install/uninstall the Veeam VSS provider?
Gostev
Chief Product Officer
Posts: 31457
Liked: 6648 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Veeam Backup 4.0 VSS

Post by Gostev »

It is quite possible, however we would still require RPC to communicate with our VSS agent... so the network connection will still be required.
fgw
Enthusiast
Posts: 84
Liked: 2 times
Joined: Jun 11, 2009 8:39 pm
Full Name: Franz Glatzer

Re: Veeam Backup 4.0 VSS

Post by fgw »

agree to the posters above!

in our configuration, we use about 100 vm's, about 15 different networks most of them separated from each other for a reason and currently six esx servers and two veeam backup servers, all this spread over two datacenters.

besides opening up a list of ports to enable veeam backups and VSS results in lifting our security policies, it's also a pain to configure rpc on every single vm in order to make VSS backups run.

i think it would be a good idea to redesign the way VSS is used.

if we can get rid of this communication between the backupserver and the vm's by installing the veeams VSS part permanently on the vm's instead of letting the backup job install the required software before each run and remove it afterwards i would be happy to do so.

also the requirement of rpc to initiate some tasks on the vm requires the setup of some registry keys on every single vm! i'm not that deep into the VIAPI, but from what i have seen there are some functions to run programs within the vm. wouldn't it be an option to use this functionality instead of rpc? of course these programs are required to be already located on the vm, but they can be copied to the vm once in advance as mentioned before.

another point to mention is the impossibility to use pre- and postbackup scripts when using veeam VSS. it is not possible to use these scripts anymore! ok, most times it won't be necessary to use such scripts when using VSS, but i would like to have left this decision to the customer. there might be reasons to do some tasks before running a backup job even if VSS is used.


just for info for others stumbling into this, here are the ports i have opened in our environment:


communication between backupserver and virtual center server:

Code:

HTTPS       443


communication between backupserver and esx servers:

Code:

SSH         22
HTTPS       443
DATA        2500-2510

communication between backupserver and vm's:

Code:

SSH         22
HTTPS       443
DATA        2500-2510
NETBIOS     137
NETBIOS     138
NETBIOS     139
SMB         445
RPC         135
RPC         5000-5200

in my examples above, the ports 2500-2510 are used for the actual data transfer during backups. you need to open one port per concurrent backupjob. so if you plan to run 20 concurrent jobs, you will need to open ports 2500-2520.

in order for rpc to work you also need to configure the ports rpc will use on every vm:

the required values are in the key Internet which is located under HKLM\SOFTWARE\Microsoft\Rpc:
Ports = 5000 - 5200
PortsInternetAvailable = Y
UseInternetPorts = Y

rpc ports are used by a wide variety of programs, not only by veeam backup. the range of 5000-5200 for the rpc ports is thus not only used by veeam backup but is used by all programs on the system using rpc functionality. microsoft recommends to open a range of 5000-5100 at minimum. to be safe i opened the range 5000-5200 here. you also need to consider applications already using ports in this range. if you have such applications, simply move the range used by rpc accordingly. we had this on some systems and simply changed rpc ports to 5100 - 5300 there. you can use any ports here as long as they are not used already.

for reference, here is the ms-kb entry: http://support.microsoft.com/kb/154596/en-us

you can use this script to add this key on the vm's

simply save it under any filename but with an extension .reg and run it on the vm.

Code:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,32,00,30,00,30,00,00,00,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
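
Added example, not part of fgw's post and not Veeam or Microsoft code: the `hex(7)` value in the .reg file above is the port range as a UTF-16LE REG_MULTI_SZ, so moving the range (for instance to 5100-5300, as the post mentions) means re-encoding it. The Python below generates the file text for any range and refuses a range that overlaps ports already in use on the VM; the function names and the sample `in_use` list are assumptions made for the illustration.

```python
"""Build and check the RPC port-range .reg content (added example)."""

KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet"


def encode_multi_sz(strings):
    """Return the hex(7) byte list regedit uses for a REG_MULTI_SZ value."""
    raw = b"".join(s.encode("utf-16-le") + b"\x00\x00" for s in strings)
    raw += b"\x00\x00"  # an empty string terminates the list
    return ",".join(f"{b:02x}" for b in raw)


def decode_multi_sz(hex_list):
    """Decode a hex(7) byte list, tolerating backslash line continuations."""
    tokens = hex_list.replace("\\", "").split(",")
    raw = bytes(int(t, 16) for t in tokens if t.strip())
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]


def rpc_reg_file(first, last, in_use=()):
    """Return .reg text restricting RPC dynamic ports to first-last.

    in_use: ports other software on that VM already listens on; any overlap
    is rejected so the range can be moved instead, as the post advises.
    """
    if not (1 <= first <= last <= 65535):
        raise ValueError(f"invalid port range {first}-{last}")
    clash = sorted(p for p in in_use if first <= p <= last)
    if clash:
        raise ValueError(f"ports already in use inside range: {clash}")
    ports = encode_multi_sz([f"{first}-{last}"])
    return "\r\n".join([
        "Windows Registry Editor Version 5.00",
        "",
        f"[{KEY}]",
        f'"Ports"=hex(7):{ports}',
        '"PortsInternetAvailable"="Y"',
        '"UseInternetPorts"="Y"',
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: a VM where another service already listens on 5060.
    try:
        rpc_reg_file(5000, 5200, in_use=[445, 5060])
    except ValueError as err:
        print("5000-5200 rejected:", err)
    print(rpc_reg_file(5100, 5300, in_use=[445, 5060]))
```

Running `decode_multi_sz` on the `Ports` value exported from a VM confirms which range that machine is actually configured for before the matching firewall ports are opened.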

fredbloggs
Service Provider
Posts: 47
Liked: never
Joined: Mar 18, 2009 1:05 am

Re: Veeam Backup 4.0 VSS

Post by fredbloggs »

Thanks fgw, nicely put