Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
mschwarzer
Influencer
Posts: 11
Liked: never
Joined: Oct 22, 2018 8:31 am
Full Name: Michael Schwarzer

veeam agent in dmz environment

Post by mschwarzer » Oct 22, 2018 8:43 am

Hello @ll,

I have to deploy an agent-based SQL backup in a DMZ environment. The communication from LAN to DMZ is no problem, but the paradigm is 'no new connections from outer to inner side' (from DMZ to LAN).
Because the backup server is located in the LAN environment, I need an exception for the ports 10005 and 10006. My question is: which binary is targeted by these connections and what is this communication used for?

Tia and regards,
Michael

Dima P.
Product Manager
Posts: 10306
Liked: 836 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague


Post by Dima P. » Oct 22, 2018 10:44 am

Hello Michael.

This range of ports is required to keep the connection between the backup agent on the client and the repository agent on the gateway host. Basically, this range serves the connection between the data blocks 'sender' and the data blocks 'receiver'. Cheers!


Post by mschwarzer » Oct 25, 2018 1:00 pm

Hello Dima,

Thanks for your answer. I assume you mean the data mover service and in this case VeeamTransportSvc.exe and VeeamAgent.exe, right? But I'm not sure about this.
The situation is that the gateway host and backup repo are located in the DMZ area, and the connection which is blocked is 'client in dmz' ---> tcp/10005,10006 ---> 'veeam server in lan'.
What I try to do is to release the port at the fw related to the listener.
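
The "which binary" question above can be answered empirically on the Veeam server instead of assuming a process name. The following is an added example, not part of the original posts or of Veeam's documentation; the DMZ address `192.0.2.10` is a placeholder, and the firewall rule is only previewed because of `-WhatIf`.

```powershell
# Run in an elevated PowerShell session on the Veeam server in the LAN.
$ports   = 10005, 10006      # the two ports named in the thread
$dmzHost = '192.0.2.10'      # placeholder: address of the agent machine in the DMZ

# 1. Resolve every listening socket on those ports to the binary that owns it.
$listeners = Get-NetTCPConnection -State Listen -LocalPort $ports -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            LocalAddress = $_.LocalAddress
            LocalPort    = $_.LocalPort
            ProcessId    = $_.OwningProcess
            Binary       = $proc.Path   # empty if the session is not elevated
        }
    }
$listeners | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Report ports that have no listener at all (service stopped, or it only
#    listens while a job is running), so no rule is written for a guess.
$missing = $ports | Where-Object { $_ -notin $listeners.LocalPort }
if ($missing) { Write-Warning "No listener found on: $($missing -join ', ')" }

# 3. Preview one host-firewall rule per binary found, limited to the single
#    DMZ source address and to that binary, instead of a port-wide allow.
foreach ($group in ($listeners | Where-Object Binary | Group-Object Binary)) {
    $leaf = Split-Path $group.Name -Leaf
    New-NetFirewallRule -DisplayName "Backup agent from DMZ ($leaf)" `
        -Direction Inbound -Action Allow -Protocol TCP `
        -LocalPort ($group.Group.LocalPort | Sort-Object -Unique) `
        -RemoteAddress $dmzHost -Program $group.Name -WhatIf
}
```

The exception on the perimeter firewall between DMZ and LAN can then be limited to the same source address, destination server and ports that this output confirms.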


Post by Dima P. » Oct 30, 2018 7:40 pm

Michael,

You will need to open these ports (including the dynamic range), otherwise it won't work. There is another solution to back up over a single port, and it even works for WAN: you can configure Veeam Cloud Connect infrastructure to receive backups from your agents. Such an approach eliminates the connectivity requirements between the agent and the repository.

JaySt
Service Provider
Posts: 154
Liked: 24 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt


Post by JaySt » Nov 05, 2018 9:53 pm

Not sure that qualifies as a solution in this case ...
I ran into this issue myself too recently. Customer had high security standards and was not too happy about the inbound port requirements.
Veeam Certified Engineer


Post by Dima P. » Nov 06, 2018 12:55 pm

Hi JaySt.

Are you referring to Cloud Connect requirements or Veeam B&R port requirements? Thanks!


Post by JaySt » Feb 05, 2019 8:56 pm

Sorry for not replying!
I meant requirements of Veeam B&R ports from DMZ to Internal.
This is still a discussion actually. This customer would love to see internally initiated connections instead of DMZ-initiated connections.
Veeam Certified Engineer


Post by Dima P. » Feb 12, 2019 3:01 pm

JaySt,

Then the port requirements remain. For DMZ we still recommend using Veeam Cloud Connect as a target, as it can wrap up the requests over the single port - can it work for your customer? Cheers!


Post by JaySt » Feb 19, 2019 12:29 pm

No, Cloud Connect as a solution for this issue is not an accepted solution. Deploying Cloud Connect for this isn't a good fit here.
Veeam Certified Engineer


Post by Dima P. » Feb 21, 2019 6:55 pm

Understood, thank you! Then fighting with port requirements seems to be the only option. Let us know if you need any additional help. Cheers!


Post by JaySt » Mar 01, 2019 12:39 pm

Well, could try a feature request:
Windows servers added to the Veeam console have the ability to be configured more as desired, I think. I'm talking about the "Preferred TCP connection role". Ticking the checkbox for "run server on this side" makes the host in question listen and act as a "server", ready to accept commands from the VBR server. Seems like something you'd want in a DMZ.
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4

To my knowledge, this setting is not available for agents. So would it make sense to make this a feature request so agents can be configured in the same way as mentioned above, thereby being more suitable for DMZ deployments?
Veeam Certified Engineer


Post by Dima P. » Mar 01, 2019 7:55 pm

Hi Jay,

I'll discuss this feature request with the team. Thank you!


Post by JaySt » Mar 05, 2019 1:12 pm

Great, Dmitry. I'd appreciate any feedback / any news from the team about this FR so I can proxy this through. I've got multiple cases running right now with interest in a solution like this.

Did you already have the chance to discuss this? Just wondering :)
Veeam Certified Engineer


Post by Dima P. » Mar 26, 2019 7:10 pm

I've noted an improvement request for next versions, but unfortunately I cannot provide you any ETA. Cheers!


Post by JaySt » May 22, 2019 6:57 pm

Hi Dmitry. Any news on the improvement request you can share?
Veeam Certified Engineer


Post by Dima P. » May 29, 2019 3:47 pm

Jay,

For now I can only say that it's not going to be a part of next major release.


Post by JaySt » May 30, 2019 7:49 am

Ok, so that will take a while then.
Would love to see it sooner, but good to know what (not) to expect.

Thanks for the update.
Veeam Certified Engineer
