Feature Request: reduce firewall sprawl

by mikeely » Fri Jun 23, 2017 10:37 pm 9 people like this post

The official "Used Ports" page is... daunting. There are a LOT of edge cases requiring a LOT of holes poked through firewalls. Some of that surely makes sense - weird storage arrays etc. But to highlight where I believe most of the problem is, look at the sections labeled "Backup Server -> Linux Server" and compare that to "Backup Server -> Windows Server."

Put differently, when Veeam wants to control a Linux box it logs in via SSH and gets work done. When Veeam wants to control a Windows box it lazily expects a kazillion various NetBIOS and RPC ports to be open and ready to roll, and from what I've been experiencing, Veeam fails miserably when one of those ports isn't in the right state. When you're a sysadmin working with a networking team and constantly have to go hat in hand to beg for yet another large number of firewall rules to be poked, this is a huge time sink and a major drag.

What I propose is that Veeam develop some sort of runtime middleware that spawns on the Windows box (using the same install method as the Transport service perhaps) that only requires one control port open to the management server, guest interaction proxy, etc.

Note: I'm not complaining about the port range for Data Mover. That is at least consistent across platforms. I am complaining about needing to poke TCP 111, 135, 137-139, 445, 1058+, 2049+, 6060-6162, 49152-65535 and UDP 111, 135, 137-139, 445, 1058+, 2049+ for each and every Windows box out there versus TCP 22 for each Linux box.

Really, control data should be limited to SOAP over 443, SSH on 22, and some single Windows port. Please Veeam, you gotta do something about all this sprawl.
Unless otherwise specified, I am asking about something pertaining to Linux. We use Windows as infrequently as possible, and enthusiastically seek ways to reduce that usage further.
mikeely
Enthusiast
 
Posts: 51
Liked: 10 times
Joined: Mon Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

by Andreas Neufert » Sun Jun 25, 2017 7:15 pm 4 people like this post

Agree that Veeam uses a wide range of ports. I do not want to argue with you, as I agree that it is sometimes hard to discuss this with the security department and I feel as well that there is need for a solution like you had described. But really you do not need all of those ports. Let me explain a bit.

As Veeam is agentless, the only real way to interact with any kind of Windows box is by standard installed things.
This is Windows RPC. As Microsoft had designed this protocol with a high port count usage, we cannot do something against this.
It means you need the following ports for RPC: DCE, NetBios, CIFS, Dynamic RPC HighPorts => TCP, UDP 135, 137-139, 445, and the dynamic range of 49152-65535 by default. It can be different if you have Exchange, modified the range manually or use Windows 2003.
For Guest processing (consistency at backup) and File Restore there are 2 alternatives to avoid those ports at all. This is Guest Interaction by VMware VIX or in case of Hyper-V 2016 with Win2016 VMs we can use "PowerShell Direct". We use both as fallback automatically, if we cannot speak with the VM over RPC. You can as well reverse the order and process those protocols first before RPC.

As we interact at restore with specific applications directly (again instead of installing Agents on your systems), we need the ports of the applications as well.
An easy one is Exchange and Sharepoint. There we need only port 443 (and in some older versions of the applications TCP port 80).

For AD restore we need the LDAP ports.

SQL restore (and SQL Log Shipping) is a bit more complex.
At Log Backup we start a Veeam service to do so. This needs an extra port 6167 and the Veeam Standard Transport Ports TCP2500-5000. For any parallel connection we use one of those ports. That means in most of the cases you need only TCP2500-2501 (maybe use TCP2500-2505 to have some spare ports).
At restore we use an iSCSI connection to the Veeam server to access the SQL backups instantly. This uses some additional ports and a management port (installer) TCP6160.


111, 2049+, 1058+, not used in Guest Interaction... only in the backend of the Veeam Servers.
6060-6162 is a wide range with huge amount of ports not used at all from Veeam. If you mean 6160-6162... then some of them are only used in the backend not in Guest Interaction like 6161 for our NFS Service and 6162 for our WAN accelerator... see above for TCP6160.

So you see that the ports are used that way, because of our agentless approach and the demand to use the from Microsoft given ports.

Would you prefer to install an "Agent Helper Proxy" that works on a single port to allow us to interact with the VM, instead of the agentless approach? Maybe as optional component?
Andreas Neufert
Veeam Software
 
Posts: 2289
Liked: 384 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: Feature Request: reduce firewall sprawl

by Ejdesgaard » Mon Jun 26, 2017 12:42 am

What about TCP/5986 - WinRM ?
Ejdesgaard
Influencer
 
Posts: 17
Liked: 5 times
Joined: Fri Aug 24, 2012 11:59 am

Re: Feature Request: reduce firewall sprawl

by Andreas Neufert » Mon Jun 26, 2017 8:38 am

Hi, I think we don't use WinRM.

If you are asking for Veeam usage of WinRM instead of RPC, it is not enabled by default in many installations and the protocol was built for something else.
Andreas Neufert
Veeam Software
 
Posts: 2289
Liked: 384 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: Feature Request: reduce firewall sprawl

by StephanF » Mon Jun 26, 2017 9:31 am 1 person likes this post

Hi,

I wanted to add +1 for this Feature Request.

Let me explain our use case that is a little bit different to the one of the thread owner:
We have some endpoints in our production environment that are located in separate LAN segments behind a firewall for security purposes. We use Veeam Agent for Windows to back up those clients.

To access the backup repository (Windows server) we need to open a lot of ports (RPC port range, etc.). This could be a security issue. At least there is a bad taste. A kind of "port proxy" that reduces the number of ports would be helpful.
StephanF
Enthusiast
 
Posts: 42
Liked: 8 times
Joined: Thu Mar 26, 2015 1:15 pm

Re: Feature Request: reduce firewall sprawl

by cbc-tgschultz » Mon Jun 26, 2017 2:46 pm 1 person likes this post

As a possible workaround, you can configure Windows such that when two hosts communicate to each other they do so using an ESP tunnel. This should get your firewall rules down to just allowing IP protocol #50 (ESP) between Veeam and the servers, and you can deploy it using GPO.

This guide should get you started: https://blogs.technet.microsoft.com/ask ... ity-rules/

In my opinion, we can file this whole issue under problems-that-could-have-been-solved-20-years-ago-if-Microsoft-wasn't-actively-hostile-to-standards.

If you're really ambitious, you could set up a Linux server on each side of the firewall that create a layer 3 tunnel to each other using a tun interface and SSH, then configure them to route between Veeam and the Server(s) over that tunnel, then add a static route entry on each server pointing to the appropriate Linux server.

Though at that point one really has to wonder why you don't just allow all IP traffic between the IP addresses of Veeam and each server.
cbc-tgschultz
Enthusiast
 
Posts: 46
Liked: 9 times
Joined: Fri May 13, 2016 1:48 pm
Full Name: Tanner Schultz

Re: Feature Request: reduce firewall sprawl

by voyager529 » Mon Jun 26, 2017 3:40 pm 1 person likes this post

Andreas Neufert wrote: Would you prefer to install a "Agent Helper Proxy" that work on a single port to allow us to interact with the VM, instead of the agentless approach? Maybe as optional component?

I think having both as an option makes sense. Agentless is helpful in certain circumstances, single-port traffic would be helpful in others. Also, a simple UI saying the name of the server managing it, the date of last successful backup, and a "can you successfully talk to the server" button would be super helpful in those cases (I'm fine with a CLI-only interface for this purpose). By contrast, the agentless method is helpful in other cases, especially where firewalls don't come into play.

So yes, I'll formally put in a request for a small proxy application to assist with corner cases where firewall soup is a problem. Admittedly this isn't an issue with Veeam, so much as the unfortunate and infuriating hell that is "having to configure a dozen firewall and NAT rules in a Sonicwall".

Thank you!
voyager529
Influencer
 
Posts: 12
Liked: 2 times
Joined: Thu May 14, 2015 8:41 pm
Full Name: Joey Famiglietti

Re: Feature Request: reduce firewall sprawl

by mikeely » Mon Jun 26, 2017 9:22 pm

voyager529 wrote: So yes, I'll formally put in a request for a small proxy application to assist with corner cases where firewall soup is a problem.

Seconded.
mikeely
Enthusiast
 
Posts: 51
Liked: 10 times
Joined: Mon Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

by mikeely » Mon Jun 26, 2017 9:25 pm

Andreas Neufert wrote: Let me explain a bit.

I'd say you've explained more than a bit. Thank you for the detailed reply - I'll refer back to it as I deal with the various people who manage different network segments here.

I do like the option to have a proxying agent manage all this if needed.
mikeely
Enthusiast
 
Posts: 51
Liked: 10 times
Joined: Mon Nov 07, 2016 7:39 pm
Full Name: Mike Ely

Re: Feature Request: reduce firewall sprawl

by Andreas Neufert » Tue Jun 27, 2017 9:00 am

Oh, and let me mention that some of our customers place the Guest Interaction components in a separate firewall zone to manage access to VMs and backend Infrastructure separately.

In case of RPC communication, we can provide the Veeam RPC UUIDs so that you can use RPC UUID filtering in the firewalls if available.
Andreas Neufert
Veeam Software
 
Posts: 2289
Liked: 384 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM

Re: Feature Request: reduce firewall sprawl

by jo_strasser » Thu Jul 27, 2017 11:40 am

Hi,

+1 for this Feature Request.

We are running a very complex firewall infrastructure and it is not possible to open so many dynamic ports (security policy --> not allowed).

In our case a helper agent will be preferred.

Is there a complete UUID list available to configure firewalls?

We want to back up Windows, SQL and Active Directory.

Thanks JO
jo_strasser
Lurker
 
Posts: 1
Liked: never
Joined: Thu Jul 27, 2017 11:30 am
Full Name: Johannes Strasser

Re: Feature Request: reduce firewall sprawl

by Andreas Neufert » Mon Jul 31, 2017 8:45 am

VSS
FA8573FC-2445-4EF5-82F1-30E34E7A07C7 GuestHelperCtrl
D9D20617-05AA-4142-96C0-9D68034A2C46 LogShipper

Agent
844D6366-6A97-4eb5-8345-B88E8276C20D HvIntegrationSvc
D107C6E0-FC35-49ba-BA03-3E192DE6797D DeploymentSvc
D1C2C07A-D989-48cc-A423-B73ECD518D40 Common RpcInvoker

Potentially you need some additional ones from Windows itself. Best would be to open these and test all functionality. If your monitoring shows additional ones, you can look them up on Google => You will find them as Microsoft services and can add them as well.

Example: 367abb81-9844-35f1-ad32-98f038001003 => RPC Server
Andreas Neufert
Veeam Software
 
Posts: 2289
Liked: 384 times
Joined: Wed May 04, 2011 8:36 am
Location: Germany
Full Name: @AndyandtheVMs Veeam PM
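To make the port breakdown in Andreas's first reply and his later advice ("open these and test all functionality; if your monitoring shows additional ones, look them up") concrete, here is an added example that is not Veeam's code and not from any poster in this thread. It reads Windows Firewall log lines (the pfirewall.log column layout) taken from a Windows guest and sorts every connection coming from the backup server into the classes named above: RPC endpoint mapper, NetBIOS, SMB, the default dynamic RPC range, LDAP for AD restore, Veeam transport 2500-5000, installer 6160 and log shipping 6167. Documented ports that were DROPped are reported as the holes still missing; anything outside the documented set is reported for lookup before it gets opened. The log lines, the addresses 10.0.0.10 (backup server) and 10.0.0.50 (guest) and the stray hit on TCP 5985 are all constructed for the example; the dynamic range is the 49152-65535 default the post mentions, so adjust PORT_CLASSES if yours was changed.

```python
"""Triage Windows Firewall log lines against the Veeam guest-interaction
port set described in the thread. Added example; sample data is constructed."""
from collections import defaultdict

# Column order of a Windows Firewall log (pfirewall.log); only the first
# eight columns are needed here.
FIELDS = ("date", "time", "action", "protocol", "src_ip", "dst_ip",
          "src_port", "dst_port")

# (class, first port, last port), inclusive. Values come from the thread;
# 49152-65535 is the default dynamic RPC range and may differ on your hosts.
PORT_CLASSES = (
    ("rpc-endpoint-mapper", 135, 135),
    ("netbios", 137, 139),
    ("ldap", 389, 389),
    ("smb", 445, 445),
    ("ldap", 636, 636),
    ("veeam-transport", 2500, 5000),
    ("veeam-installer", 6160, 6160),
    ("veeam-logshipping", 6167, 6167),
    ("rpc-dynamic", 49152, 65535),
)


def classify_port(port):
    """Map a destination port to its documented class, or 'unexpected'."""
    for name, low, high in PORT_CLASSES:
        if low <= port <= high:
            return name
    return "unexpected"


def parse_line(line):
    """Parse one log line into a dict; None for headers, blanks and
    records without a numeric destination port (ICMP)."""
    parts = line.split()
    if not parts or parts[0].startswith("#") or len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["dst_port"] = int(rec["dst_port"])
    except ValueError:
        return None
    return rec


def triage(lines, backup_server_ip):
    """Summarise what the backup server actually reached on this guest.

    seen:             class -> sorted (protocol, port) pairs observed
    blocked_expected: (protocol, port, class) for documented ports the
                      firewall DROPped, i.e. rules still missing
    unexpected:       (protocol, port, action) outside the documented set,
                      to be identified before opening anything
    """
    seen, blocked, unexpected = defaultdict(set), set(), set()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["src_ip"] != backup_server_ip:
            continue
        proto, port, action = rec["protocol"], rec["dst_port"], rec["action"]
        cls = classify_port(port)
        seen[cls].add((proto, port))
        if cls == "unexpected":
            unexpected.add((proto, port, action))
        elif action == "DROP":
            blocked.add((proto, port, cls))
    return {
        "seen": {k: sorted(v) for k, v in seen.items()},
        "blocked_expected": sorted(blocked),
        "unexpected": sorted(unexpected),
    }


# Constructed sample: a guest at 10.0.0.50 logging traffic from the backup
# server 10.0.0.10, plus one unrelated RDP hit from another host.
SAMPLE_LOG = """\
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2017-06-26 08:00:01 ALLOW TCP 10.0.0.10 10.0.0.50 51234 135 0 - 0 0 0 - - - RECEIVE
2017-06-26 08:00:01 ALLOW UDP 10.0.0.10 10.0.0.50 137 137 0 - - - - - - - RECEIVE
2017-06-26 08:00:01 ALLOW TCP 10.0.0.10 10.0.0.50 51235 445 0 - 0 0 0 - - - RECEIVE
2017-06-26 08:00:02 DROP TCP 10.0.0.10 10.0.0.50 51236 49800 0 - 0 0 0 - - - RECEIVE
2017-06-26 08:00:03 ALLOW TCP 10.0.0.10 10.0.0.50 51237 2500 0 - 0 0 0 - - - RECEIVE
2017-06-26 08:00:04 ALLOW TCP 10.0.0.10 10.0.0.50 51238 5985 0 - 0 0 0 - - - RECEIVE
2017-06-26 08:00:05 ALLOW ICMP 10.0.0.10 10.0.0.50 - - 0 - - - - 8 0 - RECEIVE
2017-06-26 08:00:06 ALLOW TCP 10.0.0.77 10.0.0.50 40000 3389 0 - 0 0 0 - - - RECEIVE
"""

if __name__ == "__main__":
    result = triage(SAMPLE_LOG.splitlines(), "10.0.0.10")
    for cls, pairs in sorted(result["seen"].items()):
        print(f"{cls:22s} {pairs}")
    print("missing rules:", result["blocked_expected"])
    print("look these up:", result["unexpected"])
```

Run it against a real pfirewall.log (logging of dropped and allowed connections has to be switched on in the firewall profile first) with the address of the backup server or guest interaction proxy; the "blocked_expected" list is what to hand the network team, and the "unexpected" list is the set to identify before widening any rule. On the sample, 49800 shows up as a dropped dynamic RPC port and 5985 as a port the thread does not account for.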
