DMZ servers backup task.

[SteJw74]

Hi all,

I am currently tasked with getting a couple of servers on our DMZ backed up. After doing a few checks I came across the below quote from here: http://www.v-strange.de/index.php/veeam which pretty much sums up where we're at.

I've been searching this forum and anywhere else on line and there is a kb1104 mentioned a few times but it doesn't appear to be online. What I suppose I'm looking for here is a a bit of help with how to go about setting up VIX to enable DMZ server backups, from a position of start point one.

We are on Veeam9 and Vsphere6.

Any pointers are greatly appreciated!


The customers security requirements deny access for any system from the internal network to the DMZ, especially for the backup server. To have fully consistent backups of VMs running in the DMZ we use Veeam VAAIP agents uploaded to the VMs via VIX because RPC (admin share access via CIFS) is not allowed. This worked perfectly even with Veeam v9 and vSphere 6.

Thanks all,

Steven

[mma]

Hi

Do you have UAC enabled on the DMZ VMs?
If yes - you have to use ".\administrator" or "domain\administrator".
All other accounts will not work with the combination VIX / UAC.

There is no other thing you have to setup as Veeam automativaly switches to VIX if network mode is not possible.
btw, it is possible to switch the default to VIX (https://www.veeam.com/kb1671 --> InverseVssProtocolOrder).
Usefull if you have an isolated backup network



If you have exactly the same Problem as the dude in the blog - he has the solution /workaround

"As a workaround you can use a guest interaction proxy with Veeam 9 that is installed in the DMZ and bag your security guys to open the needed two ports between the backupserver and the guest interaction proxy. If this is not an option, please be careful when upgrading to VMware Tools 10.x

Update 07/06/2016

Coming from a call with Veeam to discuss this problem and it seems this is a known problem with VMware Tools 10.x. Veeam already opened a call covering this problem at VMware in FEBRUARY!!! but still there is no general solution available. A workaround is to downgrade VMware Tools (well, I already mentioned this possibility above) or wait for VMware Tools 10.1 where this issue is addressed. It seems that there is a hotfix available at VMware but hotfixes are published only in severe situations where there is no other way to get things work so it seems it's not that easy to get the patch.

VMware support told me to either bring a real good reason why they should give me the hotfix (probably it can cause more trouble than it can fix....) or wait for version 10.1 scheduled for October 2016."

Regards
Marcel

[SteJw74]

Hi Marcel,

thank you for the comprehensive reply. I haven't had a chance to put any of your advice into practice but will do so asap and let you know how it goes.

thanks again!

Steven

[SteJw74]

Hi,

just to update. I've set the UAC on the DMZ server (win2008R2) to 'never notify'.

I am not sure what is the next step. It is on a different ip range and physical host than our network and VMware/veeam hosts so cannot be seen when setting up any veeam job.

I've read all I can and it seems there is a setting to use VIX rather than network/RDP but I feel I'm missing something fundamental here.

Does the veeam server need to be on the same host as the client?

any help greatly appreciated cheers!

Steven

[mma]

Ok, looks like you need some instructions in "how to Veeam B&R".

To keep ist short, you have to add your ESX Hosts or vCenters in Veeam.
Then you can add the VMs/folders/tags/whatever from your vSphere infra to your Veeam job.

The best will be to contact Veeam sales - they will help you find a partner

Regards
Marcel

[SteJw74]

Thanks again Marcel,

"To keep it short, you have to add your ESX Hosts or vCenters in Veeam."

The host and server are on the DMZ, different (192) network and ip range and therefore cannot be seen by Veeam.

Question is is there any other way to add these DMZ server to a backup job?

I've been using veeam to backup 100 or so servers on our Vsphere cluster nightly so have a bit of experience of Veeam B&R.

Any help greatly appreciated.

Thanks all,

Steven

[mma]

Just to understand it right...

Your ESX hosts are in the same range as the DMZ?

[foggy]

You need to open at least the minimum required ports, so that Veeam B&R could connect to the vCenter server for its tasks (or install Veeam B&R in DMZ).

[SteJw74]

Hi Marcel,

the host cluster that the veeam server is on is on a different range to the standalone dmz host, meaning veeam can't see either the dmz host or server and they cannot be added as they cannot be found.

Hi Foggy,

thanks for that link, I've just done a search within it for VIX, thinking it would be the best way to see what ports need to be open, but the only reference to it I can see is ports in use: (when working over the network, not over VIX API).

Thanks for the replies.

Steven

[foggy]

VIX is used by the proxy server to deploy in-guest run-time components during backup when VM is not accessible over network. Veeam B&R itself needs network access to vCenter server for management tasks.

[SteJw74]

Thanks Foggy,

the server to be backed up, and the standalone host it's on, are in the dmz, so are not visible in any way to the veeam server or host.

I need to know is it possible to back them up and if so how to do this?

I don't really know what else I can say.

thanks again,

Steven

[hyvokar]

Hi!

If your VBR server cannot see the esxi host you cannot backup.

I'd move the esxi host from DMZ to a network that VBR can see and connect and create a DMZ network in esxi for guest VMs.


E: the other option is to install separate vbr server on your esxi host that is on dmz

[SteJw74]

Hello Hyvokar,

I think that's it cleared up ok, thanks for that I can see clearly what my options are before I can progress.

Thanks everyone for the help,

regards,

Steven