VeeamOne vCenter Connection Issue

[david.brunner]

Dear forum members!

I try to install a new physical server, along with migrating from B&R v11 and Veeam One v11 to the respective v12 install.
In this setup I want to use restricted users with only the permissions needed. Also, the server is NOT part of the domain anymore.

for Veeam One I created a vsphere.local user "VeeamOne" and cloned the "Read-only" role into a new role also named "VeeamOne"
This role has the following additional privileges:

Global
Global tag
Licenses
Manage custom attributes
Set custom attribute
Host
CIM
CIM interaction
Configuration
Connection
vSphere Tagging
Assign or Unassign vSphere Tag
Assign or Unassign vSphere Tag on Object
Create vSphere Tag
Create vSphere Tag Category
Delete vSphere Tag
Delete vSphere Tag Category
Virtual machine
Interaction
Answer question
Console interaction
Snapshot management
Remove snapshot

as listed here:
https://helpcenter.veeam.com/docs/one/d ... ml?ver=120

I can login with the user in the WebGUI

but when I try to add the vsphere environment in VeeamOne v12 I only get:

Code: Select all

Type:errorTime:23.05.2023 17:09:11Name:VeeamNoHostConnectionEvent	
Description
Unable to connect to xxxxxxx.domain. Starten des Servers fehlgeschlagen . This is the last record for this event. All other entries will be suppressed according to error reporting policy.

I also tried some steps listed here:
https://www.veeam.com/kb2266

I also tried disabling windows Firewall and restarting the service.

what am I missing?

thanks and best regards!

[RomanK]

Hello David,

When you're adding some Virtual Servers in Veeam ONE for monitoring, they must be configured to allow remote connections.
To reach the WMI data via DCOM remote connections, we must allow the target server to receive the incoming connections. There are some tricks that are possible if the connection goes not inside the same domain but between different ones, with or without trusts, or even outside the domains.

The ports and Firewall Rules below must be configured at the Windows Server machine to allow the remote connection from Veeam ONE:

Veeam B&R

• Veeam B&R Server machine

• Veeam Backup Proxy machines

• Veeam Backup Repository machines (Windows-based)

• Veeam Backup WAN Accelerator machines (Windows-based)

• + other Windows-based remote servers

VMware vSphere

• Virtual Machines (with Windows OS) for: Guest Processes and Services monitoring (ALM)

Hyper-V

• SCVMM machine

• Hyper-V Host machines (for performance monitoring)

• Virtual Machines (with Windows OS) for: Guest Disk information obtaining and Guest Processes and Services monitoring (ALM)

The ports and Firewall Rules should be set following the Deployment Gude port requirements.

It is also possible to set up the same using PowerShell.
Check rules:

Code: Select all

Get-NetFireWallRule | Where {$_.Name -eq 'RemoteEventLogSvc-NP-In-TCP'}
Get-NetFireWallRule | Where {$_.Name -eq 'RemoteEventLogSvc-In-TCP'}
Get-NetFireWallRule | Where {$_.Name -eq 'RemoteEventLogSvc-RPCSS-In-TCP'}
Get-NetFireWallRule | Where {$_.Name -eq 'ComPlusNetworkAccess-DCOM-In'}

Enable rules:

Code: Select all

Set-NetFirewallRule -Name 'RemoteEventLogSvc-NP-In-TCP' -Enabled True
Set-NetFirewallRule -Name 'RemoteEventLogSvc-In-TCP' -Enabled True
Set-NetFirewallRule -Name 'RemoteEventLogSvc-RPCSS-In-TCP' -Enabled True
Set-NetFirewallRule -Name 'ComPlusNetworkAccess-DCOM-In' -Enabled True

If nothing will change after that, please open a support case and provide case ID in this thread so we could collect all the additional details and investigate it accordingly.

Thanks

[david.brunner]

Hi Roman,

thank you very much for your answer.

Executing the 4 Get-NetFireWallRule Cmdlets reports for all:
Enabled : True
Profile : Any

Also, I tried with with completely DISABLED Firewall for all 3 profiles (since I am only starting installation now)


But I am thinking I need to re-evaluate my plan anyway. Since the B&R server should be in separate network, it makes it more difficult having VeeamOne on the same machine while monitoring the devices in the main network.
I guess I will install VeeamOne 2 times - once on the backup server, only monitoring the entities on backup network and one separate server in main network, where the connection to vsphere goes.
This should resolve it, I guess.

If not, I will open a support case.