Agent-based backups for Windows and Linux, centralized agent management
Post Reply
segfault
Enthusiast
Posts: 43
Liked: 17 times
Joined: Dec 14, 2017 8:07 pm
Full Name: John Garner
Contact:

Proxy Servers for Agent Backups

Post by segfault »

For virtual infrastructure based systems I can specify the proxy server to pull the data from the virtual platform, is there an equivalent for physical servers?

We have a physical server we would like to backup. However, we see the following error:
3/5/2019 10:39:49 PM :: Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.XX.XX.XX:2502

The IP listed above is that of our repository that is on an fire-walled network that we in no way ever want to expose to our running servers. So it makes sense that the physical host and repository can't communicate. This is by design.

Is there a way to setup a gateway server or proxy server that we can funnel all of the physical agent backups through? I see documentation on how to do this for virtual based targets but nothing for physical targets. We can't even find a location to specify a guest interaction proxy the way we can with the VMWare Backup targets.

Thanks,

--john

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Hello John,

Agent require direct connection with the repository (or gateway server). Have you looked into Veeam Cloud Connect as a possible option? Thanks!

segfault
Enthusiast
Posts: 43
Liked: 17 times
Joined: Dec 14, 2017 8:07 pm
Full Name: John Garner
Contact:

Re: Proxy Servers for Agent Backups

Post by segfault »

Are there any plans to remove this limitation in a future release?

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

John,

May I ask if you would like to use proxies for agent to speed up data transfer over network or mainly because of the issue described above (i.e. to let agents connect to Veeam repository over specified server)? Thanks!

rreich
Novice
Posts: 8
Liked: 1 time
Joined: Mar 13, 2019 4:36 pm
Full Name: Rick Reich
Contact:

Re: Proxy Servers for Agent Backups

Post by rreich »

I'd would like this feature as well to utilize SAN storage, mainly for StoreOnce catalyst stores.

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Hello Rick,

Would it be enough to let agents backup to StoreOnce Catalyst store via gateway server (like in vm backup jobs)? Thank you!

rreich
Novice
Posts: 8
Liked: 1 time
Joined: Mar 13, 2019 4:36 pm
Full Name: Rick Reich
Contact:

Re: Proxy Servers for Agent Backups

Post by rreich »

Dima,

Yes, that would work as well since the Proxy and Gateway roles can be on the same server. I apologize, I didn't intend to hijack segfault's post. Their request appeared to be similar to mine.

segfault
Enthusiast
Posts: 43
Liked: 17 times
Joined: Dec 14, 2017 8:07 pm
Full Name: John Garner
Contact:

Re: Proxy Servers for Agent Backups

Post by segfault »

Dima P. wrote: Mar 13, 2019 2:14 pm May I ask if you would like to use proxies for agent to speed up data transfer over network or mainly because of the issue described above (i.e. to let agents connect to Veeam repository over specified server)? Thanks!
I see it as more of a security goal of ours: we like to protect the repos from direct contact with the servers that they are backing up. I hope to be able completely block any traffic between our storage/backup/management network from the production server network in the near future.

With the virtual side of the house we can do this via proxy servers (both for guest interaction and data moving) or having the data pulled directly from the SAN. We can't do this on the physical side.

--john

segfault
Enthusiast
Posts: 43
Liked: 17 times
Joined: Dec 14, 2017 8:07 pm
Full Name: John Garner
Contact:

Re: Proxy Servers for Agent Backups

Post by segfault » 1 person likes this post

Just as a follow up, this is also one of Veeam's best practices to isolate the backup network. See the recent discussion at veeam-backup-replication-f2/security-us ... 57953.html

tedsteenvoorden
Enthusiast
Posts: 70
Liked: 3 times
Joined: Apr 21, 2011 4:53 pm
Full Name: Ted
Contact:

Re: Proxy Servers for Agent Backups

Post by tedsteenvoorden »

We are now two years further. Are there any plans to add a proxy function for the veeam agent backups? We have the same security requirment: we like to protect the repos from direct contact with the servers that they are backing up and isolate them on the network.

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Hello Ted,

Unfortunately it's not planned for the v12, but we keep collecting the feedback to set the correct priorities for the next versions. Thank you for updating this thread, I've added your vote to this feature request.

tedsteenvoorden
Enthusiast
Posts: 70
Liked: 3 times
Joined: Apr 21, 2011 4:53 pm
Full Name: Ted
Contact:

Re: Proxy Servers for Agent Backups

Post by tedsteenvoorden »

Hello Dima, would it work if we create a share on our windows repository server and configure an additional NAS/SMB repository pointing to this share? This way we could use a dedicated gateway servers which functions as the proxy for all Windows agents.

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Ted, that would work but you must have the gateway server set up locally as well (you can specify it in the SMB/NFS repository settings). Access to Veeam B&R server will be required to authenticate agents to the repository, but backup traffic will be isolated between agent - gateway server - SMB/NFS share.

tedsteenvoorden
Enthusiast
Posts: 70
Liked: 3 times
Joined: Apr 21, 2011 4:53 pm
Full Name: Ted
Contact:

Re: Proxy Servers for Agent Backups

Post by tedsteenvoorden »

Thanx for the feedback Dima!

Helge.T
Veeam Software
Posts: 127
Liked: 12 times
Joined: Dec 09, 2019 12:22 pm
Full Name: Helge Tengstedt
Contact:

Re: Proxy Servers for Agent Backups

Post by Helge.T »

+1 for agents being able to utilize a "proxy".

In my case the customer runs backups over a dedicated backup network and the agent backups were never able to utilize this and get back to the repository. The findings of the support case led the customer to ask for a FR for putting in a "proxy" as an intermediate for sending backups to the repository.

sabicao
Lurker
Posts: 2
Liked: never
Joined: Nov 05, 2015 2:34 pm
Full Name: Fernando Gomes
Contact:

Re: Proxy Servers for Agent Backups

Post by sabicao »

+1 for this request. An intermediation between agents and the repo would be great.

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Fernando,

If you are worried about backup traffic - you can created a dedicated repository for Veeam agents and assign a gateway server somewhere on-site with the client machines. Yes, agents will authenticate via Veeam B&R (so management connection to Veeam B&R is still required), but backup traffic will be isolated within the site where agents, gateway server and repository are configured. Hope it helps!

nathano
Enthusiast
Posts: 95
Liked: 5 times
Joined: Sep 05, 2016 5:08 am
Full Name: Nathan Oldfield
Contact:

Re: Proxy Servers for Agent Backups

Post by nathano »

Are we any closer to having proxies for agents? IMO having agents direct access to the repo seems like a bad idea from a security point of view.

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Hello Nathan,

It's not planned for v12. By the way, for repositories where gateway server is required (i.e. SMB/NFS/Deduplication storage devices) agents connect via the set gateway and not directly. Thanks!

lahey
Service Provider
Posts: 11
Liked: 5 times
Joined: May 04, 2020 8:34 am
Full Name: Patrick Kvaksrud
Contact:

Re: Proxy Servers for Agent Backups

Post by lahey »

+1 from Atea Group on this one. We need to see functionality that allows the agent in vbr to use a defined proxy/data mover to send traffic through for agents so we don't have to utilize our cloud connect for our IaaS infrastructure.

The reasoning behind this is that all IaaS managed backup (both virtual and physical) is managed through VBR, and SQL/Oracle/Exchange is part of an IaaS application management portfolio.
We don't want to (but right now, we have to) expose the transport ports on repo servers in order to get it working.
Me and my colleagues would like to see functionality in the agent (primarily server agent) that allows a data mover in-between the agent and the repo just like log-shipping servers.
Another plus to this is that it would make the design more flexible in regards to firewall limitations.
Patrick Kvaksrud
Backup and storage architect & SA

Atea AS, a part of Atea Group
We build the future with IT
Smarter ways to work and grow: achieve your goals with information technology from Atea.

Dima P.
Product Manager
Posts: 13485
Liked: 1316 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: Proxy Servers for Agent Backups

Post by Dima P. »

Hello Patrick,

Thank you for the feedback, added to the feature request!

Post Reply

Who is online

Users browsing this forum: Baidu [Spider] and 6 guests