I thought I would share with you how to make Veeam Enterprise Manager work between NAT'ed networks over WAN links (Such as between client sites) without the use of VPNs.
I work with a few clients who use Veeam and this has been something I have had to set up and configure a few times - the first of which was an enormous headache
During the communication between Veeam and the Enterprise Server, the Veeam Backup Server will send to the Enterprise Server its own local IP address. If it is behind a NAT firewall, it will basically send its unroutable private IP to the Enterprise Server. The Enterprise Server will then try and communicate with the IP it is given and obviously this will fail if your Enterprise Server is on a different network.
The fix, is to make Veeam send its external FQDN to the Enterprise Server instead of the IP (and then make this FQDN point to the Veeam backup server internally so Veeam still works!).
Create 2 registry strings in the HKLM\Software\Veeam\Veeam Backup and Replication:
"Remoting_UseIPAddress" = "false"
"Remoting_MachineName" = "FQDN" (so backup.company.com)
You must then make a hosts entry on the Veeam server (not the enterprise server) to make backup.company.com match to the internal IP of the Veeam server. You could also add an A record on the internal DNS server if available.
So say you have two networks:
company.com 184.108.40.206 (external IP)
- Veeam Server (Internal) 10.0.0.100
headoffice.com 220.127.116.11 (External IP)
- Enterprise server (Internal) 192.168.0.100
You would set in the Veeam server's registry:
Remoting_UseIpAddress = false
Remoting_MachineName = company.com
And in the Veeam server's Hosts file:
Restart all the relevant services then just tell your headoffice.com Enterprise server to connect to company.com and assuming port forwards are set (9392 is forwarded on the Veeam Server side, 9392 and 9394 are forwarded on the Enterprise Server side) it should work fine.
One thing to be aware of: I suggest creating an A record for backup.company.com, then using that, rather than existing A-Records (for instance mail.company.com) as this will prevent access to services such as email breaking on the Veeam server when you add the hosts entry.
This is a bit of a headache, but works flawlessly once set
Hope this helps a few people out!