Maintain control of your Microsoft 365 data
kdwg
Lurker
Posts: 1
Liked: never
Joined: Dec 10, 2020 10:48 am

[Feature Request] Support for Forward Proxy

Post by kdwg »

Hey,

We are using encrypted O365 mailboxes due to GDPR requirements. For this case, we use a product named "Eperi Gateway" (https://eperi.com/eperi-gateway/for-microsoft-365/).

Currently, Veeam connects directly to O365 as usual and takes the mailboxes it gets. The mailboxes are then stored in an encrypted state.
Is it possible to let Veeam use the gateway as a proxy, so that the gateway works as a forward proxy and the mailboxes Veeam gets are stored in an unencrypted state (like giving Veeam the proxy PAC)?

For Outlook clients, we use proxy.pac/wpad.dat:

Code:

function FindProxyForURL(url, host) {
    var proxyServer = "GATEWAY:4711";
    var tenant = "TENANT";

    var useMail = true;
    var useOneDrive = true;
    var useSharePoint = true;
    var useSubstrate = true;

    //Only change below if you know what you are doing.

    //Mail
    var outlook365 = "outlook.office365.com";
    var outlook = "outlook.office.com";
    var attachments = "attachments.office.net";

    var mail = useMail && (dnsDomainIs(host, outlook365)
        || dnsDomainIs(host, outlook)
        || dnsDomainIs(host, attachments));

    //OneDrive
    var oneDriveHost = tenant + "-my.sharepoint.com";

    var oneDrive = useOneDrive && dnsDomainIs(host, oneDriveHost);

    //SharePoint
    var sharePointHost = tenant + ".sharepoint.com";
    var sharePointSpHomeP = "*-sphomep.svc.ms";
    var sharePointMediaP = "*-mediap.svc.ms";

    var sharePoint = useSharePoint && (dnsDomainIs(host, sharePointHost)
        || shExpMatch(host, sharePointSpHomeP)
        || shExpMatch(host, sharePointMediaP));

    //Substrate
    var substrateHost = "substrate.office.com";

    var substrate = useSubstrate && dnsDomainIs(host, substrateHost);

    if (mail || oneDrive || sharePoint || substrate) {
        return "PROXY " + proxyServer;
    }

    return "DIRECT";
}

Through that, Outlook can read the mailboxes correctly.
Anyone else facing the same challenges?
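
The per-host routing that the PAC file above produces, as an added example that is not part of the original post: it runs a condensed copy of the PAC under Node with two small shims. The shims, the sample host list and the assumption that `dnsDomainIs` is a plain suffix comparison are not from the thread.

```javascript
// Added example, not from the thread. PAC_SOURCE condenses the posted PAC;
// the shims and SAMPLE_HOSTS are constructed for illustration.
const PAC_SOURCE = `
function FindProxyForURL(url, host) {
    var proxyServer = "GATEWAY:4711", tenant = "TENANT";
    if (dnsDomainIs(host, "outlook.office365.com")
        || dnsDomainIs(host, "outlook.office.com")
        || dnsDomainIs(host, "attachments.office.net")
        || dnsDomainIs(host, tenant + "-my.sharepoint.com")
        || dnsDomainIs(host, tenant + ".sharepoint.com")
        || shExpMatch(host, "*-sphomep.svc.ms")
        || shExpMatch(host, "*-mediap.svc.ms")
        || dnsDomainIs(host, "substrate.office.com")) {
        return "PROXY " + proxyServer;
    }
    return "DIRECT";
}`;

// Shim: plain suffix comparison (assumption: what common PAC engines do).
function dnsDomainIs(host, domain) {
    return host.length >= domain.length && host.endsWith(domain);
}

// Shim: shell glob, * matches any run of characters and ? exactly one.
function shExpMatch(str, pattern) {
    const re = pattern.replace(/[.+^${}()|[\]\\]/g, "\\$&")
        .replace(/\*/g, ".*").replace(/\?/g, ".");
    return new RegExp("^" + re + "$").test(str);
}

// Compile the PAC text with the shims in scope and return its entry point.
function loadPac(source) {
    return new Function("dnsDomainIs", "shExpMatch",
        source + "\nreturn FindProxyForURL;")(dnsDomainIs, shExpMatch);
}

// Map each host to the PAC decision, for comparison with a fixed proxy.
function routeTable(source, hosts) {
    const find = loadPac(source);
    const table = {};
    for (const h of hosts) table[h] = find("https://" + h + "/", h);
    return table;
}

// Constructed hosts: three the PAC names, two it does not, one look-alike.
const SAMPLE_HOSTS = ["outlook.office365.com", "TENANT-my.sharepoint.com",
    "example-mediap.svc.ms", "login.microsoftonline.com",
    "graph.microsoft.com", "notoutlook.office.com"];
console.log(routeTable(PAC_SOURCE, SAMPLE_HOSTS));
```

A single fixed proxy has no such per-host split, so the hosts shown as DIRECT would reach the gateway as well. The look-alike host is routed to the gateway because the suffix comparison does not require a label boundary.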
nikolaj
Expert
Posts: 164
Liked: 57 times
Joined: Mar 22, 2021 11:19 am

Re: [Feature Request] Support for Forward Proxy

Post by nikolaj »

Hi Kdwg,

I see that your post was left unanswered.

I skimmed through Eperi's website to see what kind of deployment they offer but it seems like the docs are buried somewhere deep and require registration to access them.
"Is it possible to let Veeam use Gateway as a proxy so the gateway will work as forwarding proxy, so the mailboxes Veeam gets are stored in an unencrypted state (like give Veeam the Proxy Pac)."
Could you please elaborate on the desired setup here? It's unclear what kind of entity Eperi gateway is. Is it a Windows-based server?
One could create an internet proxy in VBO but it's unlikely that its integration with Eperi would work straight away without any customisations from both sides.

Also, please clarify the order in which your data is encrypted. Do you use O365 default encryption? Or are all mailboxes encrypted via Eperi by default?

Thanks
Switchie_Urs
Service Provider
Posts: 42
Liked: 4 times
Joined: Sep 03, 2020 1:29 pm
Full Name: Urs
Location: Zurich

Re: [Feature Request] Support for Forward Proxy

Post by Switchie_Urs »

hi Nikolaj,

in the presales phase of a customer project I was in touch with what I perceived as Eperi's Swiss representative. I only have limited info but it may help to get an idea what Eperi Gateway is about. From what transpired from the talks and from what I could glean from a test, the Eperi Gateway is a device capable of SELECTIVELY encrypting/tokenizing/pseudonymizing data deemed confidential by a customer based on templates created with them.
according to said rep, typically M365 communication is re-directed through that Gateway by virtue of a proxy.pac, thus requiring e.g. 'road warriors' to VPN in to get behind the perimeter.
in the test this worked and I could verify that e.g. subject and body of e-mails were encrypted while other envelope data was not.
as VBO backs up partially encrypted data the challenge would be to strike a balance where a customer gets sensitive data encrypted yet still has sufficient metadata to identify objects to restore when browsing their backup data. in a high volume mailbox already the encryption of subject and body may render the selection of mails to restore tricky.
to restore M365 data to the cloud a way of re-directing VBO restore traffic through the Eperi Gateway would need to be established.

sadly said project did not go through but I think the concept is very interesting and I'd be happy to hear more about Eperi Gateway and the challenges it presents to other VBO customers/service providers.

Cheers,
Urs
Mike Resseler
Product Manager
Posts: 8220
Liked: 1333 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: [Feature Request] Support for Forward Proxy

Post by Mike Resseler »

Hey Switchie,

The concept is understood, but without it being properly tested I think it will be difficult to say whether this is fully supported or not. My initial thoughts are that it should work, as long as we use the proxy correctly, but the question is how the Eperi gateway handles it. From our side, this would be the first request to support a PAC file, and I wonder if this is actually needed to start with. If we use fixed proxy in the product, shouldn't that be enough?

And a second question... If the backup of the data is encrypted by us (object storage repository) do we still need to pass that proxy? Even from a GDPR compliance reason (which it cannot be, there is no such need in GDPR but probably for another reason) having multiple systems encrypting data seems not needed.
Switchie_Urs
Service Provider
Posts: 42
Liked: 4 times
Joined: Sep 03, 2020 1:29 pm
Full Name: Urs
Location: Zurich

Re: [Feature Request] Support for Forward Proxy

Post by Switchie_Urs »

hey Mike,

I'd be curious about using a conventional internet proxy too. guess it would have to be a rather beefy one for satisfactory performance.

as for the encryption I believe the two serve a totally different purpose: the Eperi could help overcome qualms European customers may have to store data in American-owned M365 platform while the other serves to protect at rest data wherever it may reside. just my 2cts.

Urs
Mike Resseler
Product Manager
Posts: 8220
Liked: 1333 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium

Re: [Feature Request] Support for Forward Proxy

Post by Mike Resseler »

We already have users that utilize an internet proxy. There is an option to define one: https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=50
"the Eperi could help overcome qualms european customers may have to store data in american-owned M365 platform"
I agree on this, my question was more whether it is needed to use Eperi also for the download of data for backup purposes which you can store where you want in the case of VBO. You could have a US-based repository for US users and a European one for Europe users...
Switchie_Urs
Service Provider
Posts: 42
Liked: 4 times
Joined: Sep 03, 2020 1:29 pm
Full Name: Urs
Location: Zurich

Re: [Feature Request] Support for Forward Proxy

Post by Switchie_Urs »

"whether it is needed to use Eperi also for the download of data for backup purposes"

AFAIK the Gateway is not needed for backup nor restore purposes. you pull (partially) encrypted data from M365 and you shove it back up there the same way. the Gateway renders M365 data readable to the clients and encrypts it once it leaves your premises.