Comprehensive data protection for all workloads
Post Reply
chadtandy
Enthusiast
Posts: 36
Liked: never
Joined: Feb 09, 2010 8:26 pm
Full Name: Chad
Contact:

Veeam in a VERY secure multi-vLAN environment

Post by chadtandy » Mar 26, 2012 3:16 pm

Hi all, we are in the middle of a Veeam v6 deployment and we have a very secure multi-vLAN environment (8 or so vLANs) with very restricted access between vLANs via firewalls. We've ran into several snags, most of which we missed due to a misconfiguration in our dev environment during our testing that didn't adequately reflect our production environment.

The biggest snag we are on now is issuing VSS commands to servers in all 8 vLANs. We have 2 Veeam Backup servers, one in our PCI vLAN and one in our main production vLAN, so in these zones VSS commands obviously works. Our dilemma is how to issue VSS commands to SQL/Exchange/Sharepoint servers in other vLANs without opening CIFS and NetBIOS ports to 40-50 individual servers which our security guys don't like. We tried putting Veeam proxies in the other vLANs but it appears the VSS commands and VMWare snapshot commands still come from the Veeam Backup servers and aren't routed through the Veeam proxies.

Any one else implement Veeam in a multi-vLAN environment?

Any suggestions?

Thanks,
-Chad

tsightler
VP, Product Management
Posts: 5448
Liked: 2264 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by tsightler » Mar 26, 2012 4:14 pm

Assuming VMware tools are installed in these VMs Veeam does not require a direct connection from the Veeam server to the Windows system to perform VSS freeze. In cases where direct connections are not available Veeam falls back to "connectionless" method via VMware tools.

chadtandy
Enthusiast
Posts: 36
Liked: never
Joined: Feb 09, 2010 8:26 pm
Full Name: Chad
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by chadtandy » Mar 26, 2012 5:33 pm

I'd prefer the Veeam VSS which is application aware...

Is Surebackup and U-AIR available when backups are done with VMWare Tools VSS?

-Chad

tsightler
VP, Product Management
Posts: 5448
Liked: 2264 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by tsightler » Mar 26, 2012 5:49 pm

This is exactly the one that I am referring to. Veeam VSS application aware processing can use connectionless mode via VMware Tools if direct connectivity is not available. This has been a feature since at least the 5.0 versions (although some enhancement came with 5.0.2).

chadtandy
Enthusiast
Posts: 36
Liked: never
Joined: Feb 09, 2010 8:26 pm
Full Name: Chad
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by chadtandy » Mar 26, 2012 5:53 pm

What config do I need for this? When I select enable Application aware processing without direct network access I get failures. I thought I had read about the connectionless mode, guess I'm just missing how to configure it.

Thanks,
-Chad

tsightler
VP, Product Management
Posts: 5448
Liked: 2264 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by tsightler » Mar 26, 2012 6:18 pm

There actually sound be nothing to configure. It should try network mode, and if it fails, fall back to connectionless mode. I've used this for DMZ backup quite a bit so I know it should work, assuming permissions are set correctly in vCenter for the Veeam service account. Do you happen to be using granular permissions in vCenter? You might want to open a support ticket.

sthurlow
Influencer
Posts: 10
Liked: never
Joined: Jun 25, 2010 2:01 am
Full Name: Symon Thurlow
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by sthurlow » Mar 26, 2012 7:48 pm

Our experience in a similar context is that it works most of the time. Could never get it to work with Exchange 2010 however, and had to enable network connectivity between the backup server and the source server, which instantly fixed it.

You will also need to do this to enable 1 click restores.

We have rationalised that we must have individual Veeam backup servers in isolated DMZ's (1 per customer) pushing back to a common repository. Seems to work OK so far, as long as you have decent IOPS.

chadtandy
Enthusiast
Posts: 36
Liked: never
Joined: Feb 09, 2010 8:26 pm
Full Name: Chad
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by chadtandy » Mar 26, 2012 8:31 pm

Tom, you were right it was a combination of permissions. Unfortunately what sent us down this rabbit trail was the error message of not being able to connect to the admin$ share and the advice of Veeam tech support that said we needed to have direct network access when we contacted support.

Thanks,
-Chad

tsightler
VP, Product Management
Posts: 5448
Liked: 2264 times
Joined: Jun 05, 2009 12:57 pm
Full Name: Tom Sightler
Contact:

Re: Veeam in a VERY secure multi-vLAN environment

Post by tsightler » Mar 27, 2012 12:51 am

Well, technically we still use the "admin$" share, we just access it locally after pushing the guest tools via the VMware tools interface rather than directly from the Veeam server. Glad you got it working.

Post Reply

Who is online

Users browsing this forum: Bing [Bot], Google [Bot] and 18 guests