Persistent Agent in hardened Windows environment

[Regnor]

We're currently having problems with implementing the persistent agent in a hardened/secure Windows environment.
Veeam support is working on this problem since 2 weeks; #04913774.

Scenario:
The backup server is at a different site.
On-site we've deployed a dedicated guest interaction proxy.
On the VMs the Veeam Installer Service has been installed manually.
Some of the VMs are domain-joined, some are not.
The VMs are all configured according to the Microsoft Security baseline, but this shouldn't be anything special.

Regardless of what we try, the Guest Interaction proxy isn't able to connect to the persistent agent.

Failed to inject guest runtime using guest interaction proxy, failing over to backup server
Failed to inventory guest system: Veeam Guest Agent is not started

We have:

• Disabled Windows Firewall (some VMs are in the same network as the Proxy)
• Disabled UAC
• Removed any hardening (besides LSA protection)
• Did use local and domain accounts with administrative permissions
• Ports are reachable and the service is running

Support is still working on the problem, but until now hasn't found the reason why the connection is failing.
Because of security reasons we need to use the persistent agent, so I can't go with the non-persistent way.
I'm only thinking about switching to Veeam Agent backups, as they shouldn't depend on the guest processing.

Are there any other requirements in order to being able to connect/use to the persistent agent?
Has anyone experienced any similar problems with the persistent agent and a secure environment?

[HannesK]

Hello,
"failing over to backup server" sounds like a connection issue between guest interaction proxy and the VM.

As you say that the firewall is disabled and same subnet is used, that sounds strange. I assume that you already tested the connection manually (telnet, powershell or something similar) as you say the ports are reachable.

Is "test credentials" working with any of the modes? I would start testing with domain joined machines.

Best regards,
Hannes

[Regnor]

Hi Hannes,
does test credentials use the guest interaction proxy or will it try the connection from the backup server?
At the least the check says, that the persistent guest agent is reachable:

Connecting to guest OS via Persistent Guest Agent
Testing host accessibility via Persistent Guest Agent
Testing guest OS connectivity via Persistent Guest Agent

For the system which we're looking at with the support even all checks succeed (RPC, persistent agent, VIX).

[HannesK]

Hello,
if "test" works and the job still fails, that's strange. Please continue with support.

The guest interaction proxy is used first. If it is not available (I just connected the network cable in my test), then it fails over to the backup server. You can see it by filtering on tcp port 6160 on the target VM in wireshark.

Best regards,
Hannes

[Regnor]

Hi Hannes,
Thanks for clarifying; so it's even more odd...
I hope that support will find the cause on Monday or I'll setup an alternative.

[Regnor]

It looks like there's a bug within the guest interaction proxy which should be resolved with the next patch/update.

[allankjaer]

I have a problem with using the Persistent Agent it still tries to use RPC.

Is there a way to force it to only use Persistent Agent, or get it to try that first?

[Regnor]

If you enable the persistent agent in the guest processing options for your VMs, then it should be used first and will only failover to RPC if it doesn't work.

To you see any errors or did you have support check on it? We're currently working on a similar problem:
veeam-backup-replication-f2/persistent- ... 75755.html

[Natalia Lupacheva]

Hi folks,

moved your posts to the existing thread to keep similar issues together.
Allan, I would also recommend you to open a Support ticket.

Thanks!

[Regnor]

@allankjaer: I'm not sure if you also use the guest interaction proxy in your case.
It looks like there's a bug and we've already received a hotfix, which did solve one problem but the connection still fails.
If you open a support ticket you could refer to our case and request the hotfix for your environment.

[allankjaer]

I have created a support case now. #04947868

[Regnor]

Support has been able to solve our problem. It probably wasn't the bug with guest interaction proxy, but with the user account. I had entered just the username to setup the managed server for the guest and backup proxy, which did work for everything; just not for connecting to the persistent agent as it looks. After changing the username to hostname\username (local/workgroup account) Veeam was able to connect to the persistent agents.

[Gostev]

Thanks for sharing the solution.

[allankjaer]

My problem has been escalated to T2, and they are looking at it now.