[VHRISO] Managed VHR ISO by Veeam setup with multiple IP addresses

[massimiliano.rizzi]

Hello Community and good day,

please consider the scenario below, which specifically refers to a more SMB oriented scenario:

==================================================
1) The primary backup repository hardware is a Veeam Hardened Repository equipped with several network cards
2) The Production vSphere environment as well as the Veeam backup fabric reside in the same VLAN (let's say VLAN 50). This VLAN is behind the firewall in order to better segment and protect the hypervisor environment and the backup infrastructure
3) We need to protect 60+ client computers with the Veeam Agent for Windows. These client computers reside on a different VLAN (let's say VLAN 100) and want to avoid at all costs network traffic between the source and the target Veeam Data Movers (the Veeam Agent computers in VLAN 100 and the Veeam Hardened Repository in VLAN 50 respectively) traversing the firewall
==================================================

From time to time we encounter Network teams or external network and security consultants that are reluctant to introducing a Layer 3 switch and then combine VLAN routing and proper ACLs on the Layer 3 switch, so we are trying to find a way to work around this purely from the Veeam end.

Although it is not the best solution (especially from a security perspective), it is technically possible to configure the network cards of the Veeam Hardened Repository with an IP address on VLAN 50 and an IP address on VLAN 100. But the question is: is it possible to somehow add two separate instances of the Veeam Hardened Repository Linux server with single-use credentials ?

I kind of remember a past webinar with @HannesK discussing a similar scenario but I am not 100% sure on this.

It would be great if someone could kindly advice me on this matter.

Thanks in advance!

Massimiliano

[HannesK]

Hello,
you can do add VLAN tags via the advanced network options / nmtui or during installation. That bypasses the firewall.

I don't understand the idea of adding Hardened Repository twice to anything. If you point the agent jobs to the Hardened Repository, then the backup server will tell the agent all IP addresses and it will connect. If agents and Hardened Repository are in the same subnet, then one can improve performance of the network card selection by setting the Registry key AgentDirectConnectionPriority = 1 (DWORD) in HKLM\SOFTWARE\Veeam\ Veeam Endpoint Backup on the agent machines.


Best regards
Hannes

[massimiliano.rizzi]

Hello,
you can do add VLAN tags via the advanced network options / nmtui or during installation. That bypasses the firewall.

I don't understand the idea of adding Hardened Repository twice to anything. If you point the agent jobs to the Hardened Repository, then the backup server will tell the agent all IP addresses and it will connect. If agents and Hardened Repository are in the same subnet, then one can improve performance of the network card selection by setting the Registry key AgentDirectConnectionPriority = 1 (DWORD) in HKLM\SOFTWARE\Veeam\ Veeam Endpoint Backup on the agent machines.

Hello HannesK,

thank you very much for your prompt reply and for the information. It is very much appreciated.

To be honest I was not aware of the AgentDirectConnectionPriority Registry key you mentioned, but thanks to the information you provided me with now I have a clear understanding of the logic used in this scenario.

Thanks again!

Massimiliano