Veeam Backup 4.0 VSS

[propeller0]

Hi,

Veem Backup 4.0 with vStorage API without VSS runs very well. But we want to use VSS and don't have a network connection between the Veeam Backup server and the VMs.

Is it possible to use Veeam VSS without a network connection between the Veeam Backup server and the VMs?

If we realy need a network connection for Veeam VSS backups. Which ports are needed?

Regards,
Thomas

[Gostev]

Hello Thomas - yes, the network connection to VM is required for Veeam VSS to function.

As for ports required, please review the following thread:
http://www.veeam.com/forums/viewtopic.p ... orts#p4575

[fredbloggs]

Is it possible that you guys may be coming up with a workaround for this, it's going to be a pain for me to try and open connections between all these systems and it'd be nice if I didn't have to. Total isolation is better than partial and means i don't have to worry about routing between VLANs or IP assignments etc.

Really don't want to open rpc, netbios etc, some of those servers don't even have NetBIOS enabled as they run purely on tcp connections.

What about if you have a pre-freeze script in VMTools or such like configured, if that's a possibility what would we use to utilise the Veeam VSS writer?

Cheers

Mark

[Gostev]

We need to investigate if this is something we could implement. So far, it has not been a major problem, but I definitely understand the need for this functionality in some scenarios.

[propeller0]

Hello Anton,

thanks for your reply!
I have also concerns to brake the isolation between the bachup server and VMs in some environments. This will also break the isolation beween all of VMs in different VLANs and network segments.
Especially for our enterprise customers it would be nice to have a workaround for this issue.

Regards,
Thomas

[fjones]

I also would like to see this. Currently we have 15 vlans that are isolated from each other (and more to come). Each has 2-4 vm's and most of these have 1 linux vm and 2-3 windows server vm's. The backup server(s)/network does not have any access to the guests in the vms. Ideally the backup server/veeam would be on the same network as the ESX hosts but be able to backup any guest while being able to do a vss snapshot (to backup exchange, sql server, etc).

Having to open this up probably means that I will have to find another solution.

[thakala]

We are outsourcing company and option to have ports open from backup server to customer VMs is out of the question. I second that Veeam VSS integration definitely requires an alternative way to work.

[Gostev]

Having to open this up probably means that I will have to find another solution.

Other solutions simply do not provide the level of VSS integration Veeam provides. They all rely on VMware Tools VSS integration module, and you can do this with Veeam Backup too. As long as you have this component installed in VMware Tools, it will be used during snapshot creation (if you are not using Veeam VSS, or have VMware quiescence enabled in the advanced job settings).

The limitation of VMware VSS is that it does not provide application-aware VSS restores, and only supports Windows 2003 and Windows 2008 (file-level quiescence only on the latter), not other Windows OS (while Veeam Backup support all Windows OS). But still, it is much better than using no quiescence at all, or legacy Vmware quiescence mechanism that uses SYNC driver.

[dkvello]

Hmm, but Veeam dynamically installs/uninstalls its VSS provider on-the-fly, pre-backup and post-backup. That's why the Veeam Backup-server needs access SMB to IPC$ on the target VM's ?

Wouldn't it be possible to do it by proxy ? F.eks. being able to copy the necessary files to the vm's before-hand (put them in a standard place using FTP or any other means available) and using the pre-freeze /post-thaw funcions of the VMware Tools to install/uninstall the Veeam VSS provider ?

[Gostev]

It is quite possible, however we would still require RPC to communicate with our VSS agent... so the network connection will still be required.

[fgw]

agree to the posters above!

in our configuration, we use about 100 vm's, about 15 different networks most of them separated from each other for a reason and currently six esx servers and two veeam backup servers, all this spread over two datacenters.

besides opening up a list of ports to enable veeam backups and VSS results in lifting our security policies, its also a pain to configure rpc on every single vm in order to make VSS backups run.

i think it would be a good idea to redesign the way VSS is used.

if we can get rid of this communication between the backupserver and the vm's by installing the veeams VSS part permanently on the vm's instead of letting the backup job install the required software before each run and remove it afterwards i would be happy to do so.

also the requirement of rpc to initiate some tasks on the vm requires the setup of some registry keys on every single vm! i'm not that deep into the VIAPI, but from what i have seen there are some functions to run programs within the vm. wouldn't it be an option to use this functionality instead of rpc? of course this programs are required to be already located on the vm, but they can be copied to the vm once in advance as mentioned before.

another point to mention is the impossibility to use pre- and postbackup scripts when using veeam VSS. it is not possible to use this scripts anymore! ok, most times it wont be necessary to use such scripts when using VSS, but i would like to have left this decision to the customer. there might be reasons to do some tasks before running a backup job even if VSS is used.


just for info for others stumbling into this, here are the ports i have opened in our environment:


communication between backupserver and virtual center server:

Code: Select all

HPPTS       443

communication between backupserver und esx servers:

Code: Select all

SSH         22 
HPPTS       443 
DATA        2500-2510

communication between backupserver und vm's:

Code: Select all

SSH         22 
HPPTS       443 
DATA        2500-2510
NETBIOS     137 
NETBIOS     138 
NETBIOS     139 
SMP         445 
RPC         135 
RPC         5000-5200 

in my examples above, the ports 2500-2510 are used for the actual data transfer during backups. you need to open one port per concurrent backupjob. so if you plan to run 20 concurrent jobs, you will need to open ports 2500-2520.

in order for rpc to work you also need to configure the ports rpc will use on every vm:

the required values are in the key Internet which is located under HKLM\SOFTWARE\Microsoft\Rpc:
Ports = 5000 - 5200
PortsInternetAvailable = Y
UseInternetPorts = Y

rpc ports are used by a wide variety of programs, not only be veeam backup. the range of 5000-5200 for the rpc ports is thus not only used by veeam backup but is used by all programs on the system using rpc functionality. microsoft recommends to open a range of 5000-5100 at minimum. to be safe i opened the range 5000-5200 here. you also need to consider applications already using ports in this range. if you have such applications, simply move the range used by rpc accordingly. we had this on some systems and simply changed rpc ports to 5100 - 5300 there. you can use any ports here as long as they are not used already.

for reference, here is the ms-kb entry: http://support.microsoft.com/kb/154596/en-us

you can use this script to add this key on the vm's

simply save it under any filename but with an extension .reg and run it on the vm.

Code: Select all

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,32,00,30,00,30,00,00,00,00,00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"

[fredbloggs]

Thanks fgw, nicely put