-
- Enthusiast
- Posts: 36
- Liked: never
- Joined: Feb 09, 2010 8:26 pm
- Full Name: Chad
- Contact:
Veeam in a VERY secure multi-vLAN environment
Hi all, we are in the middle of a Veeam v6 deployment and we have a very secure multi-vLAN environment (8 or so vLANs) with very restricted access between vLANs via firewalls. We've run into several snags, most of which we missed due to a misconfiguration in our dev environment during our testing that didn't adequately reflect our production environment.
The biggest snag we are on now is issuing VSS commands to servers in all 8 vLANs. We have 2 Veeam Backup servers, one in our PCI vLAN and one in our main production vLAN, so in these zones VSS commands obviously work. Our dilemma is how to issue VSS commands to SQL/Exchange/SharePoint servers in other vLANs without opening CIFS and NetBIOS ports to 40-50 individual servers, which our security guys don't like. We tried putting Veeam proxies in the other vLANs, but it appears the VSS commands and VMware snapshot commands still come from the Veeam Backup servers and aren't routed through the Veeam proxies.
Anyone else implement Veeam in a multi-vLAN environment?
Any suggestions?
Thanks,
-Chad
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
Assuming VMware tools are installed in these VMs, Veeam does not require a direct connection from the Veeam server to the Windows system to perform VSS freeze. In cases where direct connections are not available, Veeam falls back to the "connectionless" method via VMware tools.
-
- Enthusiast
- Posts: 36
- Liked: never
- Joined: Feb 09, 2010 8:26 pm
- Full Name: Chad
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
I'd prefer the Veeam VSS which is application aware...
Are SureBackup and U-AIR available when backups are done with VMware Tools VSS?
-Chad
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
This is exactly the one that I am referring to. Veeam VSS application aware processing can use connectionless mode via VMware Tools if direct connectivity is not available. This has been a feature since at least the 5.0 versions (although some enhancement came with 5.0.2).
-
- Enthusiast
- Posts: 36
- Liked: never
- Joined: Feb 09, 2010 8:26 pm
- Full Name: Chad
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
What config do I need for this? When I select "enable application-aware processing" without direct network access, I get failures. I thought I had read about the connectionless mode; guess I'm just missing how to configure it.
Thanks,
-Chad
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
There actually should be nothing to configure. It should try network mode, and if it fails, fall back to connectionless mode. I've used this for DMZ backup quite a bit so I know it should work, assuming permissions are set correctly in vCenter for the Veeam service account. Do you happen to be using granular permissions in vCenter? You might want to open a support ticket.
-
- Influencer
- Posts: 10
- Liked: never
- Joined: Jun 25, 2010 2:01 am
- Full Name: Symon Thurlow
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
Our experience in a similar context is that it works most of the time. Could never get it to work with Exchange 2010 however, and had to enable network connectivity between the backup server and the source server, which instantly fixed it.
You will also need to do this to enable 1 click restores.
We have rationalised that we must have individual Veeam backup servers in isolated DMZs (1 per customer) pushing back to a common repository. Seems to work OK so far, as long as you have decent IOPS.
-
- Enthusiast
- Posts: 36
- Liked: never
- Joined: Feb 09, 2010 8:26 pm
- Full Name: Chad
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
Tom, you were right, it was a combination of permissions. Unfortunately, what sent us down this rabbit trail was the error message of not being able to connect to the admin$ share and the advice of Veeam tech support, who said we needed to have direct network access when we contacted support.
Thanks,
-Chad
-
- VP, Product Management
- Posts: 6035
- Liked: 2860 times
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
- Contact:
Re: Veeam in a VERY secure multi-vLAN environment
Well, technically we still use the "admin$" share, we just access it locally after pushing the guest tools via the VMware tools interface rather than directly from the Veeam server. Glad you got it working.