Comprehensive data protection for all workloads
Post Reply
josby
Novice
Posts: 3
Liked: never
Joined: Mar 07, 2012 3:44 pm
Contact:

Remote proxy not possible across raw internet connection?

Post by josby »

I'm setting up a new Veeam Backup & Replication setup. I have a production site with a server running vCenter and Veeam on it, plus an ESX server. Then I have a remote DR site with an ESX server not connected in any way to the production site, other than that both are on the internet.

Initially I just installed Veeam and set up a replication job. That worked, but was horrendously slow - the job averaged about 100Kb/sec when our internet connections are 5mbps at both ends (and lightly utilized).

I contacted Veeam support on this and they said it's because I only had one proxy server: the one on the Veeam/vCenter box at the production site. They said to add a proxy at the DR site. I have a spare Windows box at the DR site, so I installed a proxy server onto it. I then reconfigured my job to use the local proxy for the source and the remote proxy for the target. But, now the job won't work.

The error it gives me is "Error: Client error: No such host is known".

When I look in the Target log file on the proxy server at the DR site, it says "Connecting to the server agent with the following parameters: [10.8.3.30;This server,2501]. Failed."

10.8.3.30 is the LAN IP of my Veeam server. I'm guessing this is the remote proxy trying to talk to the local proxy (I would think the connection would just be local->remote, but maybe not). But, it will never be able to reach back into our local network using a LAN IP. If I could get it to use a DNS name instead, I could do a trick with the hosts file to make it connect to the WAN IP of my local site. But, I can't see any way to do this.

It seems that the only way this will work is a VPN tunnel or an MPLS network or something like that. However, I never saw anything in the Veeam system requirements detailing any requirements for the type of connectivity required between source and target.

Any ideas? Anyone been able to use a remote proxy via a raw internet connection?

dellock6
Veeam Software
Posts: 5926
Liked: 1743 times
Joined: Jul 26, 2009 3:39 pm
Full Name: Luca Dell'Oca
Location: Varese, Italy
Contact:

Re: Remote proxy not possible across raw internet connection

Post by dellock6 »

You cannot route private IPs like 10.8.3.30 on the internet, how can you make two server inside two lans connect to each other without a VPN? It would be maybe possible publishing the TCP ports needed by Veeam proxies to talk to each other, but it NOT definitely a good choice to expose any internal server on the internet.

VPN (or any other sort of direct connection) between the two sites is the way to go.

I'm confused when you say that it was working with only one server, how did you setup the two sites' internet connections?
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software

@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2020
Veeam VMCE #1

tsightler
VP, Product Management
Posts: 5675
Liked: 2486 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Remote proxy not possible across raw internet connection

Post by tsightler »

The thing I'm most confused about is how this worked at all. Is your remote ESXi host directly on the Internet, or are you port forwarding TCP/443 and 902 to the ESXi host? I think the users guide probably assumes that remote connectivity between the two sites exists. Most customers are not replicating directly over the Internet as the replication data itself is not encrypted in any way.

A simple VPN connection between the two proxies is generally very easy. Something like OpenVPN or Tinc works perfectly, uses simple certificates for authentication, and requires only a single port forwarded on the firewall on one side.

TommyTheKid
Novice
Posts: 9
Liked: never
Joined: Feb 28, 2012 7:39 am
Full Name: Tommy McNeely
Location: Broomfield, CO, USA
Contact:

Re: Remote proxy not possible across raw internet connection

Post by TommyTheKid »

just fought this same issue:
Back up Over NAT with the new version

josby
Novice
Posts: 3
Liked: never
Joined: Mar 07, 2012 3:44 pm
Contact:

Re: Remote proxy not possible across raw internet connection

Post by josby »

Yes, the way it worked with just one proxy is that I am port forwarding 22, 443 and 902 (and I added 2500-2510 for the proxy too). Of course my firewall only allows these connections from the external IP of the production site. I was assuming the actual data transfer used SSH (as it does in the competing product we used to use, Double-Take) so that would take care of encryption...although honestly I am not that worried about that, as this data isn't remotely close to being valuable enough for to justify all the work it would take to intercept and reconstruct it.

Tommy's solution looks like exactly what I need, except my remote machine running the proxy is a Windows box, and as far as I know there's not a Windows equivalent to iptables. I know there's the Windows Firewall, but I'm fairly sure it can't do complicated packet manipulation like iptables can.

We do have the same model router at both sites so fortunately I think setting up a VPN tunnel between them will be pretty easy. I do wish the docs would've made this clear, though...especially since this bit in the help file led me to believe it wasn't necessary:

"If the Windows server is deployed outside NAT, select the Run the server on this side check box in the Preferred TCP connection role section. In the NAT scenario, the outside client cannot initiate a connection with the server on the NAT network. Therefore, services that require the initiation of connection from outside can be disrupted. With this option selected, you will be able to overcome this limitation and initiate a ‘server-client’ connection, that is, a connection in the direction of the Windows server."

Post Reply

Who is online

Users browsing this forum: No registered users and 33 guests