-
- Service Provider
- Posts: 2
- Liked: never
- Joined: Nov 02, 2009 6:27 pm
- Full Name: Thomas
- Location: Munich, Germany
- Contact:
Veeam Backup 4.0 VSS
Hi,
Veeam Backup 4.0 with vStorage API without VSS runs very well. But we want to use VSS and don't have a network connection between the Veeam Backup server and the VMs.
Is it possible to use Veeam VSS without a network connection between the Veeam Backup server and the VMs?
If we really need a network connection for Veeam VSS backups, which ports are needed?
Regards,
Thomas
-----------------------------------
VCDX, VCP4/3/2, CISA, MCSE
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup 4.0 VSS
Hello Thomas - yes, the network connection to VM is required for Veeam VSS to function.
As for ports required, please review the following thread:
http://www.veeam.com/forums/viewtopic.p ... orts#p4575
-
- Service Provider
- Posts: 47
- Liked: never
- Joined: Mar 18, 2009 1:05 am
- Contact:
Re: Veeam Backup 4.0 VSS
Is it possible that you guys may be coming up with a workaround for this? It's going to be a pain for me to try and open connections between all these systems and it'd be nice if I didn't have to. Total isolation is better than partial and means I don't have to worry about routing between VLANs or IP assignments etc.
Really don't want to open rpc, netbios etc, some of those servers don't even have NetBIOS enabled as they run purely on tcp connections.
What about if you have a pre-freeze script in VMTools or such like configured, if that's a possibility what would we use to utilise the Veeam VSS writer?
Cheers
Mark
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup 4.0 VSS
We need to investigate if this is something we could implement. So far, it has not been a major problem, but I definitely understand the need for this functionality in some scenarios.
-
- Service Provider
- Posts: 2
- Liked: never
- Joined: Nov 02, 2009 6:27 pm
- Full Name: Thomas
- Location: Munich, Germany
- Contact:
Re: Veeam Backup 4.0 VSS
Hello Anton,
thanks for your reply!
I also have concerns about breaking the isolation between the backup server and VMs in some environments. This will also break the isolation between all of the VMs in different VLANs and network segments.
Especially for our enterprise customers it would be nice to have a workaround for this issue.
Regards,
Thomas
-----------------------------------
VCDX, VCP4/3/2, CISA, MCSE
-
- Novice
- Posts: 9
- Liked: never
- Joined: Mar 24, 2009 12:33 am
- Full Name: Frank Jones
- Contact:
Re: Veeam Backup 4.0 VSS
I also would like to see this. Currently we have 15 vlans that are isolated from each other (and more to come). Each has 2-4 vm's and most of these have 1 linux vm and 2-3 windows server vm's. The backup server(s)/network does not have any access to the guests in the vms. Ideally the backup server/veeam would be on the same network as the ESX hosts but be able to backup any guest while being able to do a vss snapshot (to backup exchange, sql server, etc).
Having to open this up probably means that I will have to find another solution.
-
- Lurker
- Posts: 1
- Liked: never
- Joined: Nov 03, 2009 5:58 am
- Full Name: Tomi Hakala
- Contact:
Re: Veeam Backup 4.0 VSS
We are an outsourcing company and the option to have ports open from the backup server to customer VMs is out of the question. I second that Veeam VSS integration definitely requires an alternative way to work.
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup 4.0 VSS
fjones wrote: Having to open this up probably means that I will have to find another solution.
Other solutions simply do not provide the level of VSS integration Veeam provides. They all rely on the VMware Tools VSS integration module, and you can do this with Veeam Backup too. As long as you have this component installed in VMware Tools, it will be used during snapshot creation (if you are not using Veeam VSS, or have VMware quiescence enabled in the advanced job settings).
The limitation of VMware VSS is that it does not provide application-aware VSS restores, and only supports Windows 2003 and Windows 2008 (file-level quiescence only on the latter), not other Windows OS (while Veeam Backup supports all Windows OS). But still, it is much better than using no quiescence at all, or the legacy VMware quiescence mechanism that uses the SYNC driver.
-
- Service Provider
- Posts: 108
- Liked: 14 times
- Joined: Jan 01, 2006 1:01 am
- Full Name: Dag Kvello
- Location: Oslo, Norway
- Contact:
Re: Veeam Backup 4.0 VSS
Hmm, but Veeam dynamically installs/uninstalls its VSS provider on-the-fly, pre-backup and post-backup. That's why the Veeam Backup server needs SMB access to IPC$ on the target VMs?
Wouldn't it be possible to do it by proxy? E.g. being able to copy the necessary files to the VMs beforehand (put them in a standard place using FTP or any other means available) and using the pre-freeze/post-thaw functions of the VMware Tools to install/uninstall the Veeam VSS provider?
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Veeam Backup 4.0 VSS
It is quite possible, however we would still require RPC to communicate with our VSS agent... so the network connection will still be required.
-
- Enthusiast
- Posts: 85
- Liked: 2 times
- Joined: Jun 11, 2009 8:39 pm
- Full Name: Franz Glatzer
- Contact:
Re: Veeam Backup 4.0 VSS
agree to the posters above!
in our configuration, we use about 100 vm's, about 15 different networks most of them separated from each other for a reason and currently six esx servers and two veeam backup servers, all this spread over two datacenters.
besides opening up a list of ports to enable veeam backups and VSS results in lifting our security policies, it's also a pain to configure rpc on every single vm in order to make VSS backups run.
i think it would be a good idea to redesign the way VSS is used.
if we can get rid of this communication between the backupserver and the vm's by installing the veeam VSS part permanently on the vm's instead of letting the backup job install the required software before each run and remove it afterwards i would be happy to do so.
also the requirement of rpc to initiate some tasks on the vm requires the setup of some registry keys on every single vm! i'm not that deep into the VIAPI, but from what i have seen there are some functions to run programs within the vm. wouldn't it be an option to use this functionality instead of rpc? of course these programs are required to be already located on the vm, but they can be copied to the vm once in advance as mentioned before.
another point to mention is the impossibility to use pre- and postbackup scripts when using veeam VSS. it is not possible to use these scripts anymore! ok, most times it won't be necessary to use such scripts when using VSS, but i would like to have left this decision to the customer. there might be reasons to do some tasks before running a backup job even if VSS is used.
just for info for others stumbling into this, here are the ports i have opened in our environment:
communication between backupserver and virtual center server:
Code:
HTTPS 443
communication between backupserver and esx servers:
Code:
SSH 22
HTTPS 443
DATA 2500-2510
communication between backupserver and vm's:
Code:
SSH 22
HTTPS 443
DATA 2500-2510
NETBIOS 137
NETBIOS 138
NETBIOS 139
SMB 445
RPC 135
RPC 5000-5200
in my examples above, the ports 2500-2510 are used for the actual data transfer during backups. you need to open one port per concurrent backupjob. so if you plan to run 20 concurrent jobs, you will need to open ports 2500-2520.
in order for rpc to work you also need to configure the ports rpc will use on every vm:
the required values are in the key Internet which is located under HKLM\SOFTWARE\Microsoft\Rpc:
Ports = 5000 - 5200
PortsInternetAvailable = Y
UseInternetPorts = Y
rpc ports are used by a wide variety of programs, not only by veeam backup. the range of 5000-5200 for the rpc ports is thus not only used by veeam backup but is used by all programs on the system using rpc functionality. microsoft recommends to open a range of 5000-5100 at minimum. to be safe i opened the range 5000-5200 here. you also need to consider applications already using ports in this range. if you have such applications, simply move the range used by rpc accordingly. we had this on some systems and simply changed rpc ports to 5100 - 5300 there. you can use any ports here as long as they are not used already.
for reference, here is the ms-kb entry: http://support.microsoft.com/kb/154596/en-us
you can use this script to add this key on the vm's
simply save it under any filename but with an extension .reg and run it on the vm.
Code:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,32,00,30,00,30,00,00,00,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"
-
- Service Provider
- Posts: 47
- Liked: never
- Joined: Mar 18, 2009 1:05 am
- Contact:
Re: Veeam Backup 4.0 VSS
Thanks fgw, nicely put
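Added example, not part of any post in this thread and not Veeam or Microsoft code: the "Ports" value in the .reg file posted above is a REG_MULTI_SZ stored as UTF-16LE hex, so the range it opens is not readable at a glance. This Python helper decodes such a line before it is rolled out, re-encodes a moved range such as the 5100-5300 mentioned in the post, and flags ports already in use inside the range; the function names and the listener list are assumptions made for illustration.

```python
import re

# The "Ports" line exactly as posted in the .reg file in this thread.
POSTED = ('"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,32,00,'
          '30,00,30,00,00,00,00,00')

def parse_range(text):
    """Parse '5000-5200' (or a single port) into an inclusive (low, high) tuple."""
    m = re.fullmatch(r"\s*(\d{1,5})(?:\s*-\s*(\d{1,5}))?\s*", text)
    if not m:
        raise ValueError(f"not a port or port range: {text!r}")
    low = int(m.group(1))
    high = int(m.group(2)) if m.group(2) else low
    if not 1 <= low <= high <= 65535:
        raise ValueError(f"invalid port range: {text!r}")
    return low, high

def encode_ports(ranges):
    """Build the hex(7) payload (REG_MULTI_SZ, UTF-16LE) for the range strings."""
    for r in ranges:
        parse_range(r)  # refuse to emit a malformed value
    # Each string ends with a UTF-16 NUL; the list ends with one more NUL.
    raw = b"".join(r.encode("utf-16-le") + b"\x00\x00" for r in ranges)
    return ",".join(f"{b:02x}" for b in raw + b"\x00\x00")

def decode_ports(reg_line):
    """Decode a '"Ports"=hex(7):...' line into a list of (low, high) tuples."""
    m = re.fullmatch(r'"Ports"=hex\(7\):([0-9a-fA-F,\\\s]*)', reg_line.strip())
    if not m:
        raise ValueError("not a hex(7) Ports line")
    # Drop .reg line continuations (backslash + newline) and whitespace.
    hex_bytes = [h for h in re.sub(r"[\\\s]", "", m.group(1)).split(",") if h]
    text = bytes(int(h, 16) for h in hex_bytes).decode("utf-16-le")
    return [parse_range(s) for s in text.split("\x00") if s]

def exposed_count(ranges):
    """Number of TCP ports a firewall rule must allow for these ranges."""
    return sum(high - low + 1 for low, high in ranges)

def conflicts(ranges, listening_ports):
    """Ports already in use on the VM that fall inside the proposed RPC ranges."""
    return sorted(p for p in listening_ports
                  if any(low <= p <= high for low, high in ranges))

if __name__ == "__main__":
    ranges = decode_ports(POSTED)
    print(ranges, exposed_count(ranges), "ports exposed")
    print("conflicts:", conflicts(ranges, {1433, 5060, 5985}))  # constructed list
    print('"Ports"=hex(7):' + encode_ports(["5100-5300"]))
```
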