Failed to open deployer service management port

[FrancWest]

Hi,

Case # 07053128

When changing settings our immutable repository we get the following warnings:

Warning Failed to open deployer service management port
Warning Failed to close deployer service management port

According to support this is because we don't have a firewall installed on the repository server and this is a new pre-requisite of V12.1. We don't have a firewall on the repo-server itself, since we have a hardware firewall in front of it and the repo server is in it's own zone.
The documentation about this new pre-requisite doesn't mention this because it's still in the process of being updated. However, in my opinion, Veeam shouldn't raise this warning if it doesn't detect a firewall installed on the repository server.

Also, the Security & Compliance analyzer doesn't have a check for the missing firewall on the Linux repository.

So is it really true that you must have a firewall (uwf or iptables) installed on the immutable repository server, or is this a product glitch and we can safely ignore this warning for now?

[FrancWest]

update: just installing the ufw package without activating and configuring it removes the warning when modifying the setting of the immutable repository.

Now it reports:
Opening deployer service management port
Closing deployer service management port

So this looks like a glitch in VBR to me since opening and closing the port on an inactive UFW firewall doesn't have any effect

[guillaumedb]

Same error here when trying to change the mount server

[rovshan.pashayev]

Hello guillaumedb,

Could you share the steps you're taking to change the mount server?
Knowing the process will assist in pinpointing where the error is occurring.

Rovshan.

[guillaumedb]

Hello
Going to Backup repository, my harened repository, "mount server" in the left panel, and changing parameter to veeam server (was on host before)

[Mildur]

Hi @FrancWest, @guillaumedb

We will check this internally and come back with an answer. If a firewall is mandatory in v12.1, we will update the user guide and release notes.

Now it reports:
Opening deployer service management port
Closing deployer service management port

So this looks like a glitch in VBR to me since opening and closing the port on an inactive UFW firewall doesn't have any effect

Indeed. Thanks for reporting


Best,
Fabian

[guillaumedb]

No more warning after installing UFW on repository

[HannesK]

Hello,
first: there seems to be a misunderstanding somewhere. The "warning" is not a "system requirement". We implemented the warning to show customers, that the automatic setting of firewall rules did not work. In most cases, that's no problem, because Linux admins in most cases know what they do So you can simply ignore the warning.

An alternative workaround is disabling firewall management globally

On the backup server set the following to keys (HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication, DWORD)

LocalLinuxAutoOpenPortsOnThisHost = 0
LinuxAutoOpenPorts = 0


Best regards,
Hannes

[FrancWest]

Hi,

thanks, but why not first detect if a firewall is installed on the repository and then raise a warning if something went wrong? Now you raise a warning for something that will never work because the required package is not installed.

Please don't go down the road that warnings are being raised which can be ignored if they aren't applicable.

Franc.

[HannesK]

Hello,
well, if a customer is using nftables for example, then the warning would be useful. Writing a "green" message with "iptables / ufw / firewall-cmd not found" would be an alternative that might be overlooked (vs. a warning which is more likely to be read). In any case, we will discuss internally about improvements in this area. Thanks for bringing it up!

Best regards,
Hannes