Monitoring and reporting for Veeam Backup & Replication, VMware vSphere and Microsoft Hyper-V
Post Reply
Henrik.Grevelund
Service Provider
Posts: 128
Liked: 16 times
Joined: Feb 13, 2017 2:56 pm
Full Name: Henrik Grevelund
Contact:

Hardened Repository with Veeam ONE

Post by Henrik.Grevelund »

Hi,

The documentation states that Veeam ONE has to use port 22(SSH) to a Linux repository.
https://helpcenter.veeam.com/docs/one/d ... ml?ver=110

But best practice for a Hardened Repository is to shutdown SSH.
Any planes for shifting to using Veeam ports for this ?
Have nice day,
Henrik

Vitaliy S.
Product Manager
Posts: 26019
Liked: 2457 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Hardened Repository with Veeam ONE

Post by Vitaliy S. »

Hi Henrik,

It appears that Veeam ONE does not need SSH port to the repository at all. I'm double-checking it with the QA team now.

Thanks!

Henrik.Grevelund
Service Provider
Posts: 128
Liked: 16 times
Joined: Feb 13, 2017 2:56 pm
Full Name: Henrik Grevelund
Contact:

Re: Hardened Repository with Veeam ONE

Post by Henrik.Grevelund »

Hi Vitaliy,

Did you manage to get an answer from the QA team ?
Have nice day,
Henrik

Vitaliy S.
Product Manager
Posts: 26019
Liked: 2457 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: Hardened Repository with Veeam ONE

Post by Vitaliy S. » 2 people like this post

Hi Henrik,

Yes, just got the answer from the QA team. SSH port is not needed and we will adjust it in our documentation.

Thanks!

exarchbcn
Novice
Posts: 5
Liked: never
Joined: Sep 27, 2022 8:21 am
Full Name: Llorenc
Contact:

Re: Hardened Repository with Veeam ONE

Post by exarchbcn »

Hello,

Could you please details the ports needed to open for Veeam ONE to be able to monitor a Linux Repository? For Windows is documented but I don't see any reference here: https://helpcenter.veeam.com/docs/one/d ... ml?ver=110

Thanks in advance

Mildur
Veeam Software
Posts: 4375
Liked: 1348 times
Joined: May 13, 2017 4:51 pm
Full Name: Fabian K.
Location: St. Gallen, Switzerland
Contact:

Re: Hardened Repository with Veeam ONE

Post by Mildur » 1 person likes this post

Hi Llorenc

You don't have to open any ports. Veeam One does not communicate directly with a Linux repository.
Monitoring data of Linux repositories is pulled from the VBR server.

Thanks
Fabian
Product Management Analyst @ Veeam Software

exarchbcn
Novice
Posts: 5
Liked: never
Joined: Sep 27, 2022 8:21 am
Full Name: Llorenc
Contact:

Re: Hardened Repository with Veeam ONE

Post by exarchbcn »

Thanks for the prompt response.

Best Regards,

Llorenç

kaffeine
Influencer
Posts: 18
Liked: 7 times
Joined: Jun 04, 2018 8:03 am
Full Name: Espresso Doppio
Location: Austria
Contact:

Re: Hardened Repository with Veeam ONE

Post by kaffeine »

Hello,

we're deploying a new hardened linux repo based on SLES 15 SP3 (IP ending with .52), which itself is a SOBR extent (the only extent at the moment). We followed the official guide regarding the needed ports:

Image

Everything worked as planed, the (physical) B&R Backup Server (IP ending with .50) was able to install everything through SSH (which was later disabled) and deploy the needed components.

We then setup Veeam ONE (client and server) on a different physical server and point it to the B&R Backup Server, with unrestricted TCP communication (Veeam ONE --> B&R). As Mildur points out, Veeam ONE does not connect directly to the Linux Repos, but instead pulls the needed data from B&R.

Veeam ONE is able to fully collect everything from the B&R Server itself, but it triggers a warning regarding the SOBR, a generic "Backup Repository Connection Failure". Our SLES repo has only a minimal set of allowed traffic, and while checking the logs for denied traffic we saw the following:

Image

So it seems that every few minutes the B&R Server tries to fetch data through UDP 137 from the SLES Repo. This denied traffic only started appearing AFTER we installed Veeam ONE, so I suppose these UDP calls are originated on Veeam ONE.

According to the official guide, the port 137 is used only between ONE client and ONE Server, NOT between Veeam ONE and Veeam B&R.

My question: has anyone seen a similar behaviour? Are these UPD 137 requests as expected or is something wrong with our setup?

Regards

kaffeine
Influencer
Posts: 18
Liked: 7 times
Joined: Jun 04, 2018 8:03 am
Full Name: Espresso Doppio
Location: Austria
Contact:

Re: Hardened Repository with Veeam ONE

Post by kaffeine »

PS: it seems the connection error between B&R and the SLES Repo was caused by something else, and the 137-138 UDP packets were coincidentally in the network traffic as NetBIOS "background noise" at the same time Veeam ONE was deployed. So I can also attest to the fact that there's no direct data flow between Veeam ONE and the Repo :)

Regards

RomanK
Veeam Software
Posts: 254
Liked: 80 times
Joined: Nov 01, 2016 11:26 am
Contact:

Re: Hardened Repository with Veeam ONE

Post by RomanK » 1 person likes this post

Hello kaffeine,

That is true, there is no data flow between the Veeam ONE and the repository.

If you open the "Backup Repository Connection Failure" alarm in the Veeam ONE client, on the rule type you would see "State". The states are collected from the WMI on a backup server. There is no need for a direct connection to the repository.

Having that, there could be some records in the VBR logs which could help to troubleshoot the connection. You may contact the support team and let them review the logs to find out the cause of the issue.

Thanks

Post Reply

Who is online

Users browsing this forum: No registered users and 4 guests