featurerequest: Veeam Agent for windows behind NAT

[nchand]

Ah, it looks like this requires a "Veeam Cloud Connect service provider license". I assume this is something different than the cloud connect license included with my VB&R license?

[Egor Yakovlev]

I guess your reference to "included Cloud Connect" means functionality to add Veeam Cloud Connect service provider to your VBR installation and utilize it as a target for backups\replication - it is free for all Veeam license types!
And yes, you need a special Veeam Cloud Connect provider-type license in order to serve your organization with "cloud-alike" backup services using Veeam Cloud Connect. Feel free to reach out Veeam Sales representatives, they will be glad to discuss in detail process of obtaining one.

/Cheers!

[francovilla75]

Yes, you can.

Contact your prefered Veeam reseller in order to get details how to obtain Veeam Cloud Connect for Enterprise license. No cloud provider will be involved - you will host your own VCC Server, your own access Gateway server for remote agents to use, and your own storage servers.

/Cheers!

Hmmm. We have this same problem, and despite having enterprise licensing, we were denied the Cloud Connect license because according to the answer, they said that this CC Function is only for Service Providers !, that is, the common user is prohibited from using this function and is required to subscribe to the cloud for Remote Backup jobs in private cloud. .
I suppose that the correct scenario is a VPN connection (IPSec) with reserved IP Addressing and with the DNS Correctly configured so that the Veeam Backup agents in remote Users Works Properly.

[Vitaliy S.]

Hmmm. We have this same problem, and despite having enterprise licensing, we were denied the Cloud Connect license because according to the answer, they said that this CC Function is only for Service Providers !, that is, the common user is prohibited from using this function and is required to subscribe to the cloud for Remote Backup jobs in private cloud. .

That's not correct, as there is Veeam Cloud Connect for the Enterprise (certain requirements apply to be eligible for this product). I would recommend contacting a Veeam rep to discuss if you meet these requirements or not.

[demo]

add record to the hosts-file on the clients (to point traffic to the "client side ip" of the firewall handling the portforward)
finally you need to add a secondary ip(client side ip for the firewall) on the network-interface on the repository-server and restart Veeam data mover service.

Hi Experts,

If I understood it right the clients public IP should be added in the client's hosts file. And also add that as a secondary IP on the NIC of repository server?

Thanks!

[Vitaliy S.]

Hi Lokesh,

Based on my understanding, in the client's hosts file you need to set the address of your firewall IP facing the agent network. Once you do this, the traffic should be routed to the repository server that must registered as FQDN.

Thanks!

[hari]

HI
I have installed VBR in AWS Instance(As its for testing I allowed all traffic) - has a static public ip
Installed a Veeam Backup for Windows Agent on a local machine, and created a backup job and pointed to VBR repository's public, Now when I run the job I get the following error

9/2/2022 11:51:39 AM :: Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.31.13.205:2500

172.31.13.205 - is my instance private ip not public which is shown in error

[Mildur]

Hi Hari

I moved your question to this topic.

and created a backup job and pointed to VBR repository's public

Agent Backups are not supported to a backup server over NAT.
The backup server will always send his and the private IP address of the repository to the Agent.
You can use routable networks, a VPN between the Agent and the VBR server or Veeam Cloud Connect.

But you can find some unofficial workarounds documented in this post.

Thanks
Fabian

[Kei]

Hi

Currently I use the Backup managed by agent, VBR on AWS EC2 and backup target server on on-premises.
Now, AWS and on-premises are connected using internet VPN, but can I change this connection to simply internet(not using VPN) ?

Best regards.

[Mildur]

Hi Kei

Please see the previous comments in this topic.

Thanks
Fabian

[Kei]

Hi

I have read the this topic, but I have one question.

Veeam Agent(has private IP)--------Firewall(has 1 global IP)-------Internet-----------VBR(has 1 global IP,all in one install)

I understood Veeam agent can send backup data to VBR(including repository) using workaround(not supported by Veeam) in the above situation.
Can VBR manage the backup policy to Veeam agent, e.x. using port forwarding on Firewall ?
If there are multiple Veeam agents, I am thinking that it might be possible to change the port used for communication from VBR to Veeam agent for each Veeam agent.

[Mildur]

Hi

Can VBR manage the backup policy to Veeam agent, e.x. using port forwarding on Firewall ?
If there are multiple Veeam agents, I am thinking that it might be possible to change the port used for communication from VBR to Veeam agent for each Veeam agent.

No, that is not possible. You can't use different ports for each agent.
May I ask, is this design for your own company or are you providing services for your customers?

THanks
Fabian

[Kei]

Hi Fabian

Thank you for your reply.
I understood.

I would like to provide Veeam for our customers as a service.
Basically we would like not to locate Veeam Server on customer on-premises site.
* We would like to provide Veeam Server on AWS.

I understand using the VPN or Direct Connect to customer site is better, but the cost will be high.
So I am considering to use simple internet (not using VPN).

Best regards.

[Mildur]

Hi Kei

Then we have a solution (only supported method).
If you want to provide services for your customers, you have to register yourself as a service provider: https://www.veeam.com/service-providers.html

As a second step, deploy a Veeam Cloud Connect infrastructure with a cloud connect enabled rental license in AWS:
https://www.veeam.com/cloud-connect-ser ... iders.html

The third step is to install the veeam service provider console:
https://www.veeam.com/service-provider- ... nsole.html

The Service Provider Console allows you to manage and monitor backup jobs from customers agent implementations. It works with NAT on the customers and port forwarding on the service provider's site.
Veeam Cloud Connect is required for allowing the agents to connect to the service provider console.
https://helpcenter.veeam.com/docs/vac/p ... tml?ver=60

Also, I want to note, that you can't use your own perpetual or subscription license. And you can't use a free version or community edition to provide services to customers (forbidden by our EULA).
The rental license is the only way for your scenario to make it work (and to be supported).

Thanks
Fabian

[Kei]

Hi Fabian

Thank you for sharing another way.
I will check it.

Best regards.

[Mildur]

You're welcome.
Just to mention it again. It's not another way, it's the only way for your scenario:
- Backup as a Service
- Monitoring
- Using NAT
- correct licensing

Thanks
Fabian

[govi]

Hello and welcome to the community albert.

Thanks. Have you considered using Veeam Cloud Connect for your infrastructure? No only it eliminates the NAT issue but also allows you to perform backup over WAN directly to the backup repository. Thanks!

I used cloud connect service, it did not work as expected due to user side bandwidth limitation. Often takes hours and hours to complete backup.

Somebody might suggest to use cache mode backup but i found issue in uploading cached mode file as well when backup file are too many.

[vrowdy]

Hi

I have read the this topic, but I have one question.

Veeam Agent(has private IP)--------Firewall(has 1 global IP)-------Internet-----------VBR(has 1 global IP,all in one install)

I understood Veeam agent can send backup data to VBR(including repository) using workaround(not supported by Veeam) in the above situation.
Can VBR manage the backup policy to Veeam agent, e.x. using port forwarding on Firewall ?
If there are multiple Veeam agents, I am thinking that it might be possible to change the port used for communication from VBR to Veeam agent for each Veeam agent.

Short intro:
We used a lot of Veeam at my previous work. It always worked great, but it was a 'normal' company with Active Directory and just a local domain, nothing special in that regard so Veeam worked perfectly.
Now, I work at another company that provides all kinds of IT-solutions for other companies.
One of them is backup.
I'd like to switch to Veeam but am unsure if that is possible.

I'm looking for the same kind of solution that Kei asked for.
I read all the replies and I also went through the service provider documentation that was mentioned in this topic.
However, it would seem that an on-premise installation of VBR is required at each and every client. Those on-premise installation can then write their back-up to the repository provided by the Service Provider: us.
But it seems it just some sort of remote storage then, because the documentation also states there is no management of the agents from the service provider console. It's just a 'grand overview' of all VBR-installations we would have to have at all of our clients. Am I correct?

Most of our clients have a couple of workstations (desktops) running Windows 10/11. Some clients have a Windows Server as well, some don't since they have everything in Microsoft 365.
So, we just need to backup several workstations and sometimes a server.
So, it would be great if we could have one VBR-installation (in our own datacenter or cloud-hosted) and have all the agents connect to that instance.
I completely understand Veeam originally wasn't built for this at all (it was built for VMWare of course), but it seems all the components are available for something like this to work.
Of course, we'd need appropriate licensing and everything, that's fine of course.

But is anything like this possible?
Just some agent at some random computer/server (behind NAT of course) connecting to a central VBR-server (with a public IP)?

Thanks!

[Mildur]

Hi Rowdy

Welcome to the forum.

But it seems it just some sort of remote storage then, because the documentation also states there is no management of the agents from the service provider console. It's just a 'grand overview' of all VBR-installations we would have to have at all of our clients. Am I correct?

It can already do a lot more It can deploy and manage Agents without the need of a local Veeam Backup & Replication server on the customers datacenter. And our next release will integrate a web based Restore Portal.

You only require:
- Veeam Cloud Connect with backup storage in the service provider datacenter
- Veeam Service Provider Console in the service provider datacenter connected to the Veeam Cloud Connect Server
- Veeam Agent on workstation or server with access to the internet

Veeam Cloud Connect and Service Provider Console is the way to go for such service offering.

Also please register yourself for the service provider user group. We discuss such request and VCSP related questions in the private subforums. Please follow the steps here:
veeam-backup-replication-f2/applying-to ... 55488.html

Best,
Fabian

[vrowdy]

Hallo Fabian,

Thanks for your quick reply.
It seems then this is exactly what we are looking for!
I did read some documentation (PDF file) yesterday explaining how everything worked, but it said completely different things (like needing a VBR-server a each tenant/end-user location). But I'm glad to hear that's no longer the case and it can work as we would like it to work!
I'll do some more reading then and register at the link you provided and see if we can set-up some kind of trial in the near future!

Thanks!

[backdaFup]

+1 vote for me

Yes i just registered on here so i could vote for this.

With different layers of networks these days for security, i think this is needed.

[sxsx]

Hi, i know NAT is'nt really supported for Veeam agent but for what i can see it's possible with "a few" changes.
The main issue today seemes to be that the first communication back to the VBR server is using fqhn while the communication with the repository is made by ip (trying all available ip's on the repository-server).
If you change the communication from ip to fqhn to the repository-server, it would just be a matter och adding records to hosts-file or dns to get veeam-agent backup behind NAT to work.

To get backup to work with the current design you would first need to add portforward on the firewall on ( TCP 10001,10005,10006, 49152:65535,2500:5000 )
then add record to the hosts-file on the clients (to point traffic to the "client side ip" of the firewall handling the portforward)
finally you need to add a secondary ip(client side ip for the firewall) on the network-interface on the repository-server and restart Veeam data mover service.

my finding should be documented in case 03027245

Hi, I am also facing this problem and I am trying to do what you explained. I have a FORTIGATE 60D FW. Could you please direct me to the exact steps I should take? I will thank you very much. This will solve the problem I have been dealing with for a long time!