vCentres are accosted via https and so are Proxmox boxes and no doubt many more systems and B&R seems to be using the WinHTTP API. I think B&R should formally configure proxies rather than rely on the default system wide configuration (or lack of it)
My goal is to require all web related traffic (http/s) to go through my web proxy (Squid) so that I can report and audit and filter on URL. I'll use the edge firewall to enforce this policy eventually. Veeam B&R appears to use the modern win http API so it will follow the settings configured with:
Code: Select all
C:\> netsh.exe winhttp set advproxy ....
To get PS 5.1 to pass kerb tickets you need a profile in C:\windows\system32\<somewhere> with one type of config and for PS 6+ it needs to be in C:\Program Files\Powershell etc instead and a different function.
I think that B&R should have a formal proxy configuration for all points where it might be of interest. You already have a formal versions policy, which is pretty modern so you can avoid the really odd stuff from years back.
PS 7 does not automatically use the logged in user credentials (this works for services too that have a named user account). These settings will change that behaviour:
Code: Select all
PS 5.1:
[System.Net.WebRequest]::defaultwebproxy.credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
PS 6+:
[System.Net.Http.HttpClient]::DefaultProxy.Credentials = [System.Net.CredentialCache]::DefaultCredentials
You can deliver those settings via a profile and you can deliver them by copying a file from \\domain.co.uk\NETLOGON\fil.ps1 and a GPO preference file. Do your testing because $PSHOME and $PROFILE are different too.