-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
restricting veeam console
Hey Everyone,
In an effort to harden a customers Veeam environment, we're attempting to restrict the Veeam Console to a single machine.
This single machine can be considered the 'management' server where the Veeam Console will be installed, MFA will be required to access this management server.
So we're trying to restrict Veeam Console access by blocking port 9392 (Veeam Console port) to the VBR server from all sources except for the management server IP address.
The challenge we're facing at the moment is we're unable to block this 9392 connection, creating a dedicated windows firewall rule to block 9392 appears to be ineffective.
Launching the Veeam Console from any workstation will result in a successful connection to VBR.
Does Veeam create any rule besides the 'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)" firewall rule which allows incoming 9392 connections?
Regards
In an effort to harden a customers Veeam environment, we're attempting to restrict the Veeam Console to a single machine.
This single machine can be considered the 'management' server where the Veeam Console will be installed, MFA will be required to access this management server.
So we're trying to restrict Veeam Console access by blocking port 9392 (Veeam Console port) to the VBR server from all sources except for the management server IP address.
The challenge we're facing at the moment is we're unable to block this 9392 connection, creating a dedicated windows firewall rule to block 9392 appears to be ineffective.
Launching the Veeam Console from any workstation will result in a successful connection to VBR.
Does Veeam create any rule besides the 'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)" firewall rule which allows incoming 9392 connections?
Regards
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Product Manager
- Posts: 14844
- Liked: 3086 times
- Joined: Sep 01, 2014 11:46 am
- Full Name: Hannes Kasparick
- Location: Austria
- Contact:
Re: restricting veeam console
Hello,
could you please describe a little bit more what you mean with "unable to block this 9392 connection".
The way firewalls are used normally is the other way round: block everything and allow only connections that are required.
Please refer to the user guide which ports are required.
Best regards,
Hannes
could you please describe a little bit more what you mean with "unable to block this 9392 connection".
The way firewalls are used normally is the other way round: block everything and allow only connections that are required.
Please refer to the user guide which ports are required.
Best regards,
Hannes
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
TCP 9392 is the Port used by the Veeam Backup & Replication console to connect to the backup server.
We're trying to blocking this connection to prevent unwanted Veeam consoles connecting to the VBR server.
We're not having much luck blocking TCP 9392 with windows firewall. We create a rule to block this connection but Veeam consoles on other machines are still able to connect.
I'd like to verify if there is a windows firewall rule created during the veeam installation that allows this traffic?
'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' appears to be the obvious rule but even if we disable this rule it doesn't prevent Veeam console running from other machines on the network successfully connecting to the VBR server.
We're trying to blocking this connection to prevent unwanted Veeam consoles connecting to the VBR server.
We're not having much luck blocking TCP 9392 with windows firewall. We create a rule to block this connection but Veeam consoles on other machines are still able to connect.
I'd like to verify if there is a windows firewall rule created during the veeam installation that allows this traffic?
'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' appears to be the obvious rule but even if we disable this rule it doesn't prevent Veeam console running from other machines on the network successfully connecting to the VBR server.
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
Further testing has highlighted two default rules created by Veeam that the console is allowed through,
1)'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' - c:\program files\veeam\backup and replication\console\veeamnetworkredirector.exe
2) Veeam Backup Management Service (In) - c:\program files\veeam\backup and replication\backup\veeam.backup.service.exe
Testing was performed using PowerShell from a machine that should be blocked from connecting via Veeam Console to the VBR.
$socket = new-object system.net.sockets.tcpclient ("VBR IP Address", 9392)
We simply enabled windows firewall auditing on the VBR server, then searched for connections incoming from the test machine.
We found entries for the veeam.backup.service.exe application permitting 9392 through the Windows Filtering Platform (firewall).
So we're confident that disabling the 'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' rule won't break anything but
we're not sure if disabling the 'Veeam Backup Management Service (In)' rule will break the Veeam environment or not?
1)'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' - c:\program files\veeam\backup and replication\console\veeamnetworkredirector.exe
2) Veeam Backup Management Service (In) - c:\program files\veeam\backup and replication\backup\veeam.backup.service.exe
Testing was performed using PowerShell from a machine that should be blocked from connecting via Veeam Console to the VBR.
$socket = new-object system.net.sockets.tcpclient ("VBR IP Address", 9392)
We simply enabled windows firewall auditing on the VBR server, then searched for connections incoming from the test machine.
We found entries for the veeam.backup.service.exe application permitting 9392 through the Windows Filtering Platform (firewall).
So we're confident that disabling the 'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' rule won't break anything but
we're not sure if disabling the 'Veeam Backup Management Service (In)' rule will break the Veeam environment or not?
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: restricting veeam console
You do not need to disable any Veeam rules, your blocking rule should have precedence over them. The only guess I have is that you have some other allowing rule with the 'Override block rules' flag set. What are the blocking rule settings, btw?
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
Hey Foggy,
No custom fw rules have been created on the production vbr server, to confirm this we've provisioned a brand new VBR instance in a test environment.
The following inbound firewall rule was created on the test VBR, using the 'new inbound rule wizard' in windows firewall. Port - TCP - 9392 - Block the Connection - Domain/Private/Public.
Testing Veeam console access from a workstation still results in a successful Veeam console connection.
So far, the only way we've managed to block access to Veeam console is by disabling the below rules,
1)'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' - c:\program files\veeam\backup and replication\console\veeamnetworkredirector.exe
2) Veeam Backup Management Service (In) - c:\program files\veeam\backup and replication\backup\veeam.backup.service.exe
No custom fw rules have been created on the production vbr server, to confirm this we've provisioned a brand new VBR instance in a test environment.
The following inbound firewall rule was created on the test VBR, using the 'new inbound rule wizard' in windows firewall. Port - TCP - 9392 - Block the Connection - Domain/Private/Public.
Testing Veeam console access from a workstation still results in a successful Veeam console connection.
So far, the only way we've managed to block access to Veeam console is by disabling the below rules,
1)'Veeam Traffic Redirector (Veeam Backup & Replication console) (In)' - c:\program files\veeam\backup and replication\console\veeamnetworkredirector.exe
2) Veeam Backup Management Service (In) - c:\program files\veeam\backup and replication\backup\veeam.backup.service.exe
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: restricting veeam console
Just to confirm, you're specifying the local port 9392 to be blocked, right?
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
Yep, we specified the local port of 9392 to be blocked.
The 'new firewall rule' used the following settings,
- local port configured with '9392'
- remote port configure with 'All Ports'
We've recreated this in two Veeam environments with the same results.
The 'new firewall rule' used the following settings,
- local port configured with '9392'
- remote port configure with 'All Ports'
We've recreated this in two Veeam environments with the same results.
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: restricting veeam console
Rhys, I recommend asking our engineers to take a closer look at your setup since to my understanding this rule should work as you expect.
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
Hey Foggy,
I did open a veeam support ticket but it was closed because support deemed it a problem with the infrastructure, not the veeam components....
I'm currently working with a Veeam SE based in Sydney, we got the same results in the veeam labs as what I discussed in my previous posts.
I'm going to test this against more labs to ensure this isn't some fluke issue creating this issue.
I did open a veeam support ticket but it was closed because support deemed it a problem with the infrastructure, not the veeam components....
I'm currently working with a Veeam SE based in Sydney, we got the same results in the veeam labs as what I discussed in my previous posts.
I'm going to test this against more labs to ensure this isn't some fluke issue creating this issue.
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
Ok got it working,
Our biggest problem was our attempt to create two rules, a blanket rule to block all on port 9329 and a separate rule to allow port 9392 from the 'management server with VBR console' installed.
so what worked for us was the following,
Leave the VBR default rules untouched (as told)
Create two rules,
Block TCP 9392 - remote address 1.1.1.1 -> IP address of designated management server with VBR console
Block TCP 9392 - IP address of designated management server with VBR console -> 255.255.255.255
Now that it's working we need to install MFA on the designated management server with the VBR console, remove the VBR console from the VBR server and create a group policy rule to prevent the VBR console from being installed on domain-joined machines. We'll also need to look at restricting remote PowerShell access eventually.
Our biggest problem was our attempt to create two rules, a blanket rule to block all on port 9329 and a separate rule to allow port 9392 from the 'management server with VBR console' installed.
so what worked for us was the following,
Leave the VBR default rules untouched (as told)
Create two rules,
Block TCP 9392 - remote address 1.1.1.1 -> IP address of designated management server with VBR console
Block TCP 9392 - IP address of designated management server with VBR console -> 255.255.255.255
Now that it's working we need to install MFA on the designated management server with the VBR console, remove the VBR console from the VBR server and create a group policy rule to prevent the VBR console from being installed on domain-joined machines. We'll also need to look at restricting remote PowerShell access eventually.
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: restricting veeam console
Thanks, Rhys, glad you were able to resolve it. But could you please explain a bit, I just cannot get how two blocking rules could help here? Shouldn't one of them allow the connection? Also, I think what could work for you is using a rule with the 'Allow the connection if it is secure' option and specifying the address of the management server. Thanks!
-
- Veeam Software
- Posts: 75
- Liked: 16 times
- Joined: Apr 07, 2013 10:36 pm
- Full Name: Rhys Hammond
- Location: Brisbane , Australia
- Contact:
Re: restricting veeam console
Hey Foggy,
You're right, I have a typo in my post.
After tweaking the rules further, we found the following worked best for the customer.
Create a single rule, blocking all incoming port 9392, within the rule modify the exceptions to allow a single IP (the centralised management server) to bypass the rule.
The centralised management server and the VBR server were configured with MFA with offline access (in the event of the internet being down).
The end result was the console allowing working if ran from the VBR server itself or the centralised management server and the MFA request during RDP access to either VBR or centralised management server.
In the event of a major DR, the customer could simply disable the firewall rule, allowing veeam console access from any device that can reach the VBR server.
You're right, I have a typo in my post.
After tweaking the rules further, we found the following worked best for the customer.
Create a single rule, blocking all incoming port 9392, within the rule modify the exceptions to allow a single IP (the centralised management server) to bypass the rule.
The centralised management server and the VBR server were configured with MFA with offline access (in the event of the internet being down).
The end result was the console allowing working if ran from the VBR server itself or the centralised management server and the MFA request during RDP access to either VBR or centralised management server.
In the event of a major DR, the customer could simply disable the firewall rule, allowing veeam console access from any device that can reach the VBR server.
Veeam Certified Architect | Author of http://rhyshammond.com | Veeam Vanguard | vExpert
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: restricting veeam console
Hi Rhys, thanks for getting back to resolve my confusion after all.
-
- Service Provider
- Posts: 14
- Liked: never
- Joined: Dec 19, 2017 7:48 pm
- Full Name: S.Pythoud
- Location: Switzerland
- Contact:
Re: restricting veeam console
Hi guys.
Is there an option, in the same idea of this thread, to map port 9392 only to a particular management network interface, and avoid connections to this port from other veeam client subnets ?
thx.
Is there an option, in the same idea of this thread, to map port 9392 only to a particular management network interface, and avoid connections to this port from other veeam client subnets ?
thx.
Who is online
Users browsing this forum: Amazon [Bot] and 119 guests