Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Post Reply
ICHAPMAN
Novice
Posts: 3
Liked: never
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN » Feb 03, 2019 9:08 pm

Hi,

I've updated the latest V3 product mainly in the hope that I could 'control' it better when using a VPN connection.

After upgrading I've activated the "Restrict VPN connections usage" option, thinking that when I was using a VPN connection no backup would run. Yet when using our Cisco AnyConnect VPN service, my backup continues to take place just as it did in the V2 product.

Is my understanding of the "Restrict VPN connections usage" wrong?. Should this option be able to detect a VPN when using Cisco AnyConnect?.

Thank you

Iain .

HannesK
Veeam Software
Posts: 4299
Liked: 538 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by HannesK » Feb 04, 2019 8:02 am

Hello,
Let me check how we detect VPN connections and whether it would help to create a support case.

As a workaround my customers used in the past: they just did not allow connections the backup-server in the VPN configuration or added a rule in the windows firewall.

Best regards,
Hannes

ICHAPMAN
Novice
Posts: 3
Liked: never
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN » Feb 04, 2019 8:09 am

Hello Hannes,

Thank you for the reply. We have also previously blocked access to the IP of the backup unit to work around this issue. I was just hoping that this would be a better solution, which would perhaps prevent the "failed" backup notice that we currently experience in this situation.

Thanks

Iain.

Dima P.
Product Manager
Posts: 10704
Liked: 880 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Dima P. » Feb 04, 2019 5:41 pm

Hello Iain,

I am afraid some implementations of VPN wont work as we mostly reply on MS Windows APIs to detect if that's VPN or not . To be absolutely sure I'll check it with RnD team and update this thread with investigation results. Thank!

Gostev
SVP, Product Management
Posts: 25082
Liked: 3668 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Gostev » Feb 05, 2019 10:36 pm 1 person likes this post

Dima, if this is confirmed - let's consider detecting top 3 market-leading corporate VPN implementations, such as Cisco AnyConnect. Otherwise, this whole feature is going to be quite useless for the majority of customers. Thanks!

wayne7215
Influencer
Posts: 17
Liked: 2 times
Joined: Oct 07, 2016 8:37 am
Location: Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by wayne7215 » Feb 13, 2019 2:40 pm

OMG! We waited as well until V3 and get this "Restrict VPN connections usage" functionality, but hey, who the hell is using the Microsoft VPN? In our case it's Fortinet, so do we have to wait until V7 to get such a basic function, no backup through WAN connections? :shock:
Most important Veeam is changing the license model to Instances to earn more money, sometimes it would also be nice to get the product improved :roll:

Dima P.
Product Manager
Posts: 10704
Liked: 880 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Dima P. » Feb 13, 2019 9:50 pm

I was not correct with my last post, sorry for that. We perform a check of assigned NIC, specifically - Network Interface Type. Based on the check result we detect if that's VPN connection or not.

If you see that your VPN is not being detected (backup job works when you are connected over VPN despite 'Restrict VPN connections usage' being checked) please:

1. Open a support case and share the case ID as we want to be completely sure about the root cause of your issue and most likely we will need debug logs anyway.
2. Name your VPN client
3. If possible execute the following PowerShell script on the affected machine and share the output

Code: Select all

[System.Net.NetworkInformation.NetworkInterface]::GetAllNetworkInterfaces() | ? {$_.name -eq “InterfaceName”} | Select -Property NetworkInterfaceType

Gostev
SVP, Product Management
Posts: 25082
Liked: 3668 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Gostev » Feb 14, 2019 9:43 pm

wayne7215 wrote:
Feb 13, 2019 2:40 pm
Most important Veeam is changing the license model to Instances to earn more money
This is somehow the biggest misconception about U4. License model did not change, nor subscription pricing - which remained the same as when it was first introduced a few years ago. The ONLY change is how license counters look (and the fact that instance license file is portable and can be used with any Veeam product).

ICHAPMAN
Novice
Posts: 3
Liked: never
Joined: Jun 09, 2011 1:50 pm
Full Name: Iain Chapman
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by ICHAPMAN » Oct 27, 2019 9:45 pm

Hello Gostav / Dima P,

Sorry to come back to this older conversation.

As you suggest I have now opened a support case to advise that 3.0.2.1170 still backups up over a VPN connection when used with the Cisco AnyConnect client. This is case number 03833172.

I could now workout the Powershell command that you posted, but below is the information that I believe you were looking for:

Id : {D59E37A7-FD27-4203-8955-0792A57EBCE4}
Name : Ethernet 2
Description : Cisco AnyConnect Secure Mobility Client Virtual Miniport Adapter for Windows x64
NetworkInterfaceType : Ethernet
OperationalStatus : Up
Speed : 862366500
IsReceiveOnly : False
SupportsMulticast : True

I have included this with the support case.

Hopefully this can help you blocked backups from occurring when the Cisco AnyConnect VPN client is used in a later release.

Thank you

Iain

Dima P.
Product Manager
Posts: 10704
Liked: 880 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: V3 - Restrict VPN connections and Cisco AnyConnect

Post by Dima P. » Oct 30, 2019 1:38 pm

Hello Iain,

Thank you for sharing the results. I've added your notes to the improvement request to support Cisco AnyConnect VPN. Cheers!

Post Reply

Who is online

Users browsing this forum: No registered users and 10 guests