Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
mschwarzer
Influencer
Posts: 14
Liked: 1 time
Joined: Oct 22, 2018 8:31 am
Full Name: Michael Schwarzer
Contact:

veeam agent in dmz environment

Post by mschwarzer »

Hello @ll,

I have to deploy an agent-based SQL backup in a dmz environment. The communication from lan to dmz is no problem, but the paradigm is 'no new connections from outer to inner side' (from dmz to lan).
Because the backup server is located in the lan environment I need an exception for the ports 10005 and 10006. My question is: which binary is targeted by these connections and what is this communication used for?

Tia and regards,
Michael
Dima P.
Product Manager
Posts: 14415
Liked: 1576 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: veeam agent in dmz environment

Post by Dima P. »

Hello Michael.

This range of ports is required to keep the connection between backup agent on the client and repository agent on the gateway host. Basically, this range serves the connection between data blocks 'sender' to data blocks 'receiver'. Cheers!

Re: veeam agent in dmz environment

Post by mschwarzer »

Hello Dima,

Thanks for your answer. I assume you mean the data mover service and in this case VeeamTransportSvc.exe and VeeamAgent.exe, right? But I'm not sure about this.
The situation is that the gateway host and backup repo are located in the dmz area, and the connection which is blocked is 'client in dmz' ---> tcp/10005,10006 ---> 'veeam server in lan'
What I am trying to do is to release the port at the fw related to the listener.
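
One way to answer the "which binary is behind the listener" question directly on the Veeam server in the LAN, as an added example that is not part of the original posts and not Veeam's own tooling. It maps the two ports named in the thread to their owning process, executable and service, then lists the peers currently connected so a firewall exception can be scoped to the real sources. The DMZ prefix is a constructed placeholder.

```powershell
# Added example: run in an elevated PowerShell session on the Veeam server (LAN side).
# Ports are the ones named in the thread; $dmzPrefix is a constructed placeholder.
$ports     = 10005, 10006
$dmzPrefix = '192.0.2.'   # placeholder (TEST-NET-1); replace with the real DMZ range

# 1. Which process, executable and service own each listener?
$listeners = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports }

$report = foreach ($l in $listeners) {
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $($l.OwningProcess)"
    $svc  = Get-CimInstance Win32_Service -Filter "ProcessId = $($l.OwningProcess)"
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        LocalPort    = $l.LocalPort
        ProcessId    = $l.OwningProcess
        Executable   = $proc.ExecutablePath
        Service      = ($svc.Name -join ',')
    }
}

if (-not $report) {
    Write-Warning "Nothing is listening on $($ports -join ', ') right now."
}
$report | Sort-Object LocalPort | Format-Table -AutoSize

# 2. Who is connected to those ports, and does the peer sit in the DMZ?
Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports } |
    Select-Object LocalPort, RemoteAddress, RemotePort,
        @{ Name = 'FromDmz'; Expression = { $_.RemoteAddress.StartsWith($dmzPrefix) } } |
    Sort-Object RemoteAddress |
    Format-Table -AutoSize
```

Listeners may only appear while a backup job is running, so run the check during a job window before concluding that nothing owns the ports.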

Re: veeam agent in dmz environment

Post by Dima P. »

Michael,

You will need to open these ports (including the dynamic range), otherwise it won't work. There is another solution to back up over a single port, and it even works for WAN: you can configure Veeam Cloud Connect infrastructure to receive backups from your agents. Such an approach eliminates the connectivity requirements between agent and the repository.
JaySt
Service Provider
Posts: 415
Liked: 75 times
Joined: Jun 09, 2015 7:08 pm
Full Name: JaySt
Contact:

Re: veeam agent in dmz environment

Post by JaySt »

Not sure that qualifies as a solution in this case ...
I ran into this issue myself too recently. Customer had high security standards and was not too happy about the inbound port requirements.
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Hi JaySt.

Are you referring to Cloud Connect requirements or Veeam B&R port requirements? Thanks!

Re: veeam agent in dmz environment

Post by JaySt »

Sorry for not replying!
I meant requirements of Veeam B&R ports from DMZ to Internal.
This is still a discussion actually. This customer would love to see internally initiated connections instead of DMZ-initiated connections.
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

JaySt,

Then the port requirements remain. For DMZ we still recommend using Veeam Cloud Connect as a target, as it can wrap up the requests over the single port - can it work for your customer? Cheers!

Re: veeam agent in dmz environment

Post by JaySt »

No, cloud connect as a solution for this issue is not an accepted solution. Deploying cloud connect for this isn't a good fit here.
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Understood, thank you! Then fighting with port requirements seems to be the only option. Let us know if you need any additional help. Cheers!

Re: veeam agent in dmz environment

Post by JaySt »

Well, I could try a feature request:
Windows servers added to the veeam console have the ability to be configured more as desired, I think. I'm talking about the "Preferred TCP connection role". Ticking the checkbox for "run server on this side" makes the host in question listen and act as a "server", ready to accept commands from the VBR server. Seems like something you'd want in a DMZ.
https://helpcenter.veeam.com/docs/backu ... l?ver=95u4

To my knowledge, this setting is not available for agents. So would it make sense to make this a feature request so agents can be configured in the same way as mentioned above, thereby being more suitable for DMZ deployments?
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Hi Jay,

I'll discuss this feature request with the team. Thank you!

Re: veeam agent in dmz environment

Post by JaySt »

Great, Dmitry. I'd appreciate any feedback / any news from the team about this FR so I can proxy this through. I've got multiple cases running right now with interest in a solution like this.

Did you already have the chance to discuss this? Just wondering :)
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

I've noted an improvement request for next versions but unfortunately I cannot provide you any ETA. Cheers!

Re: veeam agent in dmz environment

Post by JaySt »

Hi Dmitry. Any news on the improvement request you can share?
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Jay,

For now I can only say that it's not going to be a part of next major release.

Re: veeam agent in dmz environment

Post by JaySt »

Ok, so that will take a while then.
Would love to see it sooner, but good to know what (not) to expect.

Thanks for the update.
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by JaySt »

Hi Dmitry,

A few months have passed. Any news to share? I have customers asking for news on this subject :)
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Hello Jay,

Thanks for pushing, but unfortunately it's not going to be addressed soon. The next planned major version is v10 and, as I've shared before, we won't have any improvements related to dmz environments.

Speaking of the next version - it will provide the ability to set up a Cloud Connect repository as a target for all agents managed by the backup server. I know that's not the workaround you've been looking for, but it is at least an option to consider.

Re: veeam agent in dmz environment

Post by JaySt »

That's too bad. I expected that this feature would be requested more often, probably due to Veeam going to more enterprise environments. Guess I need to tune down that assumption a bit.
To be honest, I keep having difficulty understanding why this feature does not get more priority. I really see this one being very well received in (rapidly increasing) security-minded infrastructures.
But again, that's coming from some conversations happening in my bubble.
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by JaySt »

Quick checkup. Any news on possible improvements related to DMZ environments?
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Hello Jay,

Unfortunately no updates in v10. Cheers!
moxom
Lurker
Posts: 2
Liked: never
Joined: Jan 31, 2019 10:02 am
Full Name: Martin S
Contact:

Re: veeam agent in dmz environment

Post by moxom »

Hi,

I'll just give a +1.
I really don't like opening ports from DMZ to internal :(

Re: veeam agent in dmz environment

Post by JaySt »

Quick checkup again. Any news on this one?
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by JaySt »

Another checkup. Any news?
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by JaySt »

Any news here? I'd like to keep the feature request warm :)
Veeam Certified Engineer
Mildur
Product Manager
Posts: 8666
Liked: 2273 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: Switzerland
Contact:

Re: veeam agent in dmz environment

Post by Mildur »

No change yet.
Several ports need to be opened from Agent to VBR Server and VBR Repo.

https://helpcenter.veeam.com/docs/backu ... ml?ver=110
Product Management Analyst @ Veeam Software

Re: veeam agent in dmz environment

Post by JaySt »

I know. The feature request is to have a way to eliminate the need to open ports from agent to other components and have the agent active only in "listen" mode (passive).
Veeam Certified Engineer

Re: veeam agent in dmz environment

Post by Dima P. »

Hello Jay,

With v11, we've added so-called Catch-All protection groups. With this option you can deploy the agent manually to any machine from the special installation pack created on the Veeam B&R side (via this new protection group). Once done, a connection from Veeam B&R to the agent is not required; instead the agent will connect to Veeam B&R to update the job settings and stats. Direct connection with the repository is still required.

I wonder if such a deployment approach helps to address your goal or at least makes it achievable with certain hacks? Cheers!

Re: veeam agent in dmz environment

Post by JaySt »

Hi. No, for agents in DMZ it's actually the direction of agent to VBR/Repo that raises security concerns, not the other way around to (for example) deploy software. Internal (repo/vbr) to agent is less of a problem. For example, I know one of the competitors has a way for an agent to be active in listen-mode, completely passive, and would send data (perform backup) through a connection that has been set up/initiated by internal components of the backup solution. I think Veeam also has an option to configure a managed Windows Server that's been added to the VBR console to listen for incoming connections instead of initiating connections.
It's documented here, step 3:
https://helpcenter.veeam.com/docs/backu ... ml?ver=110

The agent is missing this type of function to be properly deployed in DMZ.
Veeam Certified Engineer