Comprehensive data protection for all workloads
Post Reply
nmdange
Expert
Posts: 472
Liked: 115 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Transaction Log Backups across a firewall

Post by nmdange » Apr 23, 2019 5:56 pm

So our backup servers and backup repositories are in a separate AD forest and firewall zone from some of the guest VMs we need to backup. I created a guest interaction proxy in the same zone as the guest VMs and opened the required ports from the backup server to the guest interaction proxy. I am able to perform application-aware processing, including truncating SQL server transaction logs. However, if I try to enable periodic transaction log shipping, it fails with a connection error. I can see in our firewall logs that the guest interaction proxy is attempting to initiate a connection to the backup repository. However, we don't want to allow any connections from the network that contains the guest VMs to the backup server network since the guest VMs are in an insecure network. Is there a way to get transaction log shipping to work without opening any ports from the guest VM network to the backup repository?

HannesK
Veeam Software
Posts: 4221
Liked: 520 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Transaction Log Backups across a firewall

Post by HannesK » Apr 24, 2019 5:47 am

Hello,
first, what you see is "works as designed". The log shipping server (in your case the guest interaction proxy) is transferring the data to the repository.
Is there a way to get transaction log shipping to work without opening any ports from the guest VM network to the backup repository?
No realistic way. I have seen customers doing accidentally (because firewall was in place) SQL logshipping over VIX but the performance is horrible slow (some hundred KB/s) as VIX interface does not allow higher speed.

Best regards,
Hannes

nmdange
Expert
Posts: 472
Liked: 115 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Transaction Log Backups across a firewall

Post by nmdange » Apr 24, 2019 12:56 pm

So what section in the Firewall Ports document would be relevant here? https://helpcenter.veeam.com/docs/backu ... l?ver=95u4

If I need to open ports, I want to make sure I only cover what is required.

HannesK
Veeam Software
Posts: 4221
Liked: 520 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Transaction Log Backups across a firewall

Post by HannesK » Apr 25, 2019 7:04 am

Hello,
just to make sure: you are using Hyper-V ?

a shorter list only relevant for SQL can be found here

You need at least the "Microsoft Windows Servers Connections" described in this section

Also keep in mind ports for restore

Best regards,
Hannes

nmdange
Expert
Posts: 472
Liked: 115 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Transaction Log Backups across a firewall

Post by nmdange » Apr 25, 2019 1:47 pm

Yes in this case it is Hyper-V, though I assume the ports would be the same regardless. I have the ports listed under "Windows Server Connections" open from the backup server to the guest interaction proxy. For the connections initiated by the guest interaction proxy to the backup repository, would it only be 2500-5000? That's what I see listed under log shipping.

Also I haven't found anything on how to do it, but since it says "Default range of ports used by Veeam data mover service for data transmission over the network", does that mean it's possible to change the port range Veeam uses?

HannesK
Veeam Software
Posts: 4221
Liked: 520 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Transaction Log Backups across a firewall

Post by HannesK » Apr 26, 2019 9:25 am

I'll ask to add the guest interaction proxy to the documentation. But it should be 2500-5000 in both directions and 49152 to 65535 from guest interaction proxy to repository.

Yes, you can change the port range in backup infrastructure -> managed servers -> Microsoft windows -> server -> credentials tab -> ports

nmdange
Expert
Posts: 472
Liked: 115 times
Joined: Aug 20, 2015 9:30 pm
Contact:

Re: Transaction Log Backups across a firewall

Post by nmdange » Apr 26, 2019 9:43 pm

Thanks appreciate the info!

PascalD
Lurker
Posts: 1
Liked: never
Joined: Jun 26, 2019 2:25 pm
Contact:

Re: Transaction Log Backups across a firewall

Post by PascalD » Jun 26, 2019 2:30 pm

When I understand correctly, I need a Logshipping server with a firewall ports configuration mentioned here?

https://helpcenter.veeam.com/docs/backu ... l?ver=95u4

But I can change the port range to our liking? So if I want to use 4995 - 5000 for the log shipping server it can be done.

Is it possible to make transaction log backups without the use for a Logshipping server?

foggy
Veeam Software
Posts: 18359
Liked: 1575 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Transaction Log Backups across a firewall

Post by foggy » Jun 26, 2019 5:04 pm

Yes, you can change the port range. And yes, you can avoid log shipping server and transfer data directly between the VM and repository.

Post Reply

Who is online

Users browsing this forum: No registered users and 27 guests