Making Veeam Enterprise Manager work over a WAN link

[elliott]

Hi Guys,

I thought I would share with you how to make Veeam Enterprise Manager work between NAT'ed networks over WAN links (Such as between client sites) without the use of VPNs.

I work with a few clients who use Veeam and this has been something I have had to set up and configure a few times - the first of which was an enormous headache

During the communication between Veeam and the Enterprise Server, the Veeam Backup Server will send to the Enterprise Server its own local IP address. If it is behind a NAT firewall, it will basically send its unroutable private IP to the Enterprise Server. The Enterprise Server will then try and communicate with the IP it is given and obviously this will fail if your Enterprise Server is on a different network.

The fix, is to make Veeam send its external FQDN to the Enterprise Server instead of the IP (and then make this FQDN point to the Veeam backup server internally so Veeam still works!).

Create 2 registry strings in the HKLM\Software\Veeam\Veeam Backup and Replication:
"Remoting_UseIPAddress" = "false"
"Remoting_MachineName" = "FQDN" (so backup.company.com)

You must then make a hosts entry on the Veeam server (not the enterprise server) to make backup.company.com match to the internal IP of the Veeam server. You could also add an A record on the internal DNS server if available.

So say you have two networks:

company.com 8.8.8.8 (external IP)
- Veeam Server (Internal) 10.0.0.100

headoffice.com 4.4.4.4 (External IP)
- Enterprise server (Internal) 192.168.0.100

You would set in the Veeam server's registry:
Remoting_UseIpAddress = false
Remoting_MachineName = company.com

And in the Veeam server's Hosts file:
10.0.0.100 company.com

Restart all the relevant services then just tell your headoffice.com Enterprise server to connect to company.com and assuming port forwards are set (9392 is forwarded on the Veeam Server side, 9392 and 9394 are forwarded on the Enterprise Server side) it should work fine.

One thing to be aware of: I suggest creating an A record for backup.company.com, then using that, rather than existing A-Records (for instance mail.company.com) as this will prevent access to services such as email breaking on the Veeam server when you add the hosts entry.

This is a bit of a headache, but works flawlessly once set Hope this helps a few people out!

[dxb]

Can I use my local veeam enterprise manager to collect multiple veeam servers across wan ?
We want to monitor customer veeam backups from one console only.

I'm trying but redirecting port 9392 and 9394 seem not enough.

Thank you
Dan.

[veremin]

You have been merged to the existing topic, so, kindly see the answer provided above.

Should any other question arise, don’ t hesitate to let us know. Thanks.

[dxb]

thank you, i will try tomorrow.
Can you do something to implement this workaround ?

[veremin]

Can you do something to implement this workaround ?

Could you elaborate on it? I believe the procedure described above should answer your requirements. So, just follow it.

Thanks.

[dxb]

yes I can, but usually when I install a software i don't play with registry keys and dns record (or host files).
Without this instructions, here in this forum, nobody is able to use this software over wan connection.
Create NAR rules should be the only thing to do.

If I want to connect a remote server over wan, it's must be able to communicate the public ip instead of the private, am I wrong ?
I can follow this instruction all the time, but it still a workaround.

Vladimir please do not reply to your customer with "just follow it", we are paying your wadges.

PS. thank you Elliott.

[veremin]

Hi, Elliott.

I just want to apologize if I sound rude. Under no circumstance did I want it - just tried to point you to a potential workaround that might be helpful in your case. I have to admit that sometimes there might be a certain misunderstanding since English isn’t my native language, etc.

Anyway, for now it seems that the procedure described above is the only option you have.

As to the future actions, please be aware that all of the features are prioritized /implemented in accordance with customers’ demand - the bigger the demand is, the better chances it will be present in the next release. Moreover, every community member is able to submit a feature request, representing to us their ideas/attitudes regarding potential features, etc.

In fact, you’ve already done it (by posting on this forum). So, thank you for your patience and feedback; highly-appreciated.

[tsightler]

Without this instructions, here in this forum, nobody is able to use this software over wan connection.

Well, that's not really true. The software works fine over a WAN or VPN connection with no changes, the problem comes when you attempt to use EM directly between two sites with NAT in between. Network address translation between the source and target systems cause problems because the communications is two way between EM and a B&R server can be initiated from either direction. Normally we attempt to communicate via IP addresses, but NAT messes up this attempt since it changes the address in between while the application has no awareness of this change. The workaround above provides a way to use DNS to overcome the problems caused by NAT for this two way communications.

If you setup a VPN connection to your clients, the recommended and more secure approach, then none of this is required.

[dxb]

can you please resume what I've to do:

1) server with veeam enterprise manager (main site)
2) router settings (main site)
3) remote veeam servers (remote sites)
4) remote router settings (remote site)

I still not understand why a simple port 9392 and 9394 redirection on remote router is not enough (like most of software).

VPN is not an option, we cannot have 50+ vpns just to retrieve Veeam Backup logs.

[tsightler]

The original post in the article explains exactly what you should do to get it to work, I'm not sure that I could explain it any better. The reason that simply redirecting two ports doesn't work is because the communication is "two-way" and the remote B&R server attempts to communicate to the EM via the IP address. Enterprise Manager was never really built with the use case of querying multiple customers across the open internet but was designed to be used within an "enterprise" to manage multiple Veeam servers. It's not that you can't get it to work or use it in this way, but this is why it doesn't just work that way "out-of-the-box"

One thing you might be able to do (haven't tried) is to simply add a secondary IP address on your EM server that's the same as the NAT address on your router. I'll try to play with this when I get a chance, but unfortunately that might be awhile due to a busy schedule this week and over the next several weeks. Otherwise, following the first post covers the steps you need to follow and answers all of your questions.

[dellock6]

Honestly, in my opinion this is a no-brainer: I would never expose a critical system like a backup infrastructure over a public WAN, period.
So,since the only real solution is to use vpn tunnels between me and customers, there will be eventually only routing and no NAT at all.

Luca.

[tzweistein]

The workaround it doesn' t work to me.
We have Enterprise Manager and B&R version 6.5
I carefully followed the instructions from the first post, so I restarted services on B&R server, but get the same error (the installation is in Italian, try to translate):
"Error: Unable to establish connection. Connected party did not properly respond after a period of time or lack of response from the host connected to 192.168.1.50:9392 (System.Net.Sockets.SocketException)"
Obviously, 192.168.1.50 is the internal IP behind NAT.
Any suggestions?
Thank you.

PS: in this case the NAT is not a WAN over Internet. We have a lot of subnets, to workaround same addressing (in different places) we use NAT. in some cases we have double NAT, like a WAN over Internet. We can't change addressing, we can't have a non NAT IP for B&R server or Enterprise Manager server.
Ho to solve this?
Thanks!

[mmartin]

HI Folks,

Anybody seen this not work with Version 7.0 - we have had no issues with 6.5 but version 7 B&R does not start until you remove the registry keys

Remoting_MachineName
Remoting_UseIPAddress:


Anyone else experienced this?

Michael

[rubeng]

I wonder the same as Michael here. Does this work with newer versions? I havent made this work, and currently manage a lot of external Veeam BR servers..

[patrickl78]

Ruben,

This is one of the driving forces on why we built Backup Radar (backupradar.com) a couple of years ago internally. We switched to Veeam and tried everything to centralize our backups for clients. After trying everything from NAT to VPN we decided to build our own solution internally. In addition to Veeam we had other products in the mix as we made the push to put all our virtual systems on Veeam. As an MSP checking, seeing trends and giving clients a central report was a huge pain and mostly manual. Please feel free to register for our Beta at beta@backupradar.com. We plan to have the beta going by the beginning of November at the latest. On a side note we can also support native Microsoft SQL backups as well through email.

Thanks,
Patrick

[Vitaliy S.]

Ruben, yes it does work. Did you choose DWORD or STRING type (required) for these registry keys?

[addicuss]

Why is this not implemented as a standard feature.requiring a regedit for a standard feature is a bit much. This post is 3 years old and unless I'm missing something it's still the only way to centrally manage backup servers. Am I arong?

[Vitaliy S.]

I guess the reason why it didn't make to the defaults, is that only few requests have been received for almost 3 years. BTW, If you want to do central monitoring and reporting you can also use Veeam ONE for that.

[mdiver]

Will Enterprise Manager work with all the connected Veeam B&R instances being situated behind NAT Gateways respectively? I guess if yes, a port forwarding would be needed.
Does anyone have experiences on that?

Thanks and regards,
Mike