Hey markmu,
First: Welcome to the forums
Second: Yes, it is possible through Firewalls etc. All the ports are listed here:
https://helpcenter.veeam.com/docs/backu ... tml?ver=95
Now to answer your question: Will isolating the Veeam server, data store and an AD server behind an internal firewall prevent access... It will certainly secure it much more and will block certain types of ransomware, but not all. And it also doesn't block it from "internal user mistakes".
As you can read in this thread, and in other threads, securing your backups is not a matter of inserting one layer of defense, it is a matter of adding multiple layers. Offline backups is still the only way we know where you have 100% guarantee that it can't be encrypted. While other layers give you a very high percentage of security... There is always this little change...
For example, many people start to think about putting their backups in the cloud and see it as offline / air-gapped. It is close, but once a "bad guy" gets access to your cloud account... Well
