Proxy Servers for Agent Backups

[segfault]

For virtual infrastructure based systems I can specify the proxy server to pull the data from the virtual platform, is there an equivalent for physical servers?

We have a physical server we would like to backup. However, we see the following error:
3/5/2019 10:39:49 PM :: Error: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond 172.XX.XX.XX:2502

The IP listed above is that of our repository that is on an fire-walled network that we in no way ever want to expose to our running servers. So it makes sense that the physical host and repository can't communicate. This is by design.

Is there a way to setup a gateway server or proxy server that we can funnel all of the physical agent backups through? I see documentation on how to do this for virtual based targets but nothing for physical targets. We can't even find a location to specify a guest interaction proxy the way we can with the VMWare Backup targets.

Thanks,

--john

[Dima P.]

Hello John,

Agent require direct connection with the repository (or gateway server). Have you looked into Veeam Cloud Connect as a possible option? Thanks!

[segfault]

Are there any plans to remove this limitation in a future release?

[Dima P.]

John,

May I ask if you would like to use proxies for agent to speed up data transfer over network or mainly because of the issue described above (i.e. to let agents connect to Veeam repository over specified server)? Thanks!

[rreich]

I'd would like this feature as well to utilize SAN storage, mainly for StoreOnce catalyst stores.

[Dima P.]

Hello Rick,

Would it be enough to let agents backup to StoreOnce Catalyst store via gateway server (like in vm backup jobs)? Thank you!

[rreich]

Dima,

Yes, that would work as well since the Proxy and Gateway roles can be on the same server. I apologize, I didn't intend to hijack segfault's post. Their request appeared to be similar to mine.

[segfault]

May I ask if you would like to use proxies for agent to speed up data transfer over network or mainly because of the issue described above (i.e. to let agents connect to Veeam repository over specified server)? Thanks!

I see it as more of a security goal of ours: we like to protect the repos from direct contact with the servers that they are backing up. I hope to be able completely block any traffic between our storage/backup/management network from the production server network in the near future.

With the virtual side of the house we can do this via proxy servers (both for guest interaction and data moving) or having the data pulled directly from the SAN. We can't do this on the physical side.

--john

[segfault]

Just as a follow up, this is also one of Veeam's best practices to isolate the backup network. See the recent discussion at veeam-backup-replication-f2/security-us ... 57953.html

[tedsteenvoorden]

We are now two years further. Are there any plans to add a proxy function for the veeam agent backups? We have the same security requirment: we like to protect the repos from direct contact with the servers that they are backing up and isolate them on the network.

[Dima P.]

Hello Ted,

Unfortunately it's not planned for the v12, but we keep collecting the feedback to set the correct priorities for the next versions. Thank you for updating this thread, I've added your vote to this feature request.

[tedsteenvoorden]

Hello Dima, would it work if we create a share on our windows repository server and configure an additional NAS/SMB repository pointing to this share? This way we could use a dedicated gateway servers which functions as the proxy for all Windows agents.

[Dima P.]

Ted, that would work but you must have the gateway server set up locally as well (you can specify it in the SMB/NFS repository settings). Access to Veeam B&R server will be required to authenticate agents to the repository, but backup traffic will be isolated between agent - gateway server - SMB/NFS share.

[tedsteenvoorden]

Thanx for the feedback Dima!

[Helge.T]

+1 for agents being able to utilize a "proxy".

In my case the customer runs backups over a dedicated backup network and the agent backups were never able to utilize this and get back to the repository. The findings of the support case led the customer to ask for a FR for putting in a "proxy" as an intermediate for sending backups to the repository.

[sabicao]

+1 for this request. An intermediation between agents and the repo would be great.

[Dima P.]

Fernando,

If you are worried about backup traffic - you can created a dedicated repository for Veeam agents and assign a gateway server somewhere on-site with the client machines. Yes, agents will authenticate via Veeam B&R (so management connection to Veeam B&R is still required), but backup traffic will be isolated within the site where agents, gateway server and repository are configured. Hope it helps!

[nathano]

Are we any closer to having proxies for agents? IMO having agents direct access to the repo seems like a bad idea from a security point of view.

[Dima P.]

Hello Nathan,

It's not planned for v12. By the way, for repositories where gateway server is required (i.e. SMB/NFS/Deduplication storage devices) agents connect via the set gateway and not directly. Thanks!

[lahey]

+1 from Atea Group on this one. We need to see functionality that allows the agent in vbr to use a defined proxy/data mover to send traffic through for agents so we don't have to utilize our cloud connect for our IaaS infrastructure.

The reasoning behind this is that all IaaS managed backup (both virtual and physical) is managed through VBR, and SQL/Oracle/Exchange is part of an IaaS application management portfolio.
We don't want to (but right now, we have to) expose the transport ports on repo servers in order to get it working.
Me and my colleagues would like to see functionality in the agent (primarily server agent) that allows a data mover in-between the agent and the repo just like log-shipping servers.
Another plus to this is that it would make the design more flexible in regards to firewall limitations.

[Dima P.]

Hello Patrick,

Thank you for the feedback, added to the feature request!

[Virtuollie]

+1 from me for utilization of proxies with Agent backups. I have an actual use case where I cannot open ports directly between physical machines and Veeam server/repository server.

[zd14a]

+1

Exposing the repos to the agents is imho against the Veeam best practises and it would be great if the agents could communicate with the proxies instead.

[lxzndr]

+1

currently have to use dedicated repository servers for agent backups. would love to be able to reduce the number of repository servers by being able to use a proxy for workstation agents.

[david23267]

+1

Whenever possible, our VBR, and repositories are completely isolated, with hardened machines acting as a proxy.

[benbzh]

+1 for use Veeam proxies for agents, and avoid direct connexion to repositories.

[Shunx239]

Fernando,

If you are worried about backup traffic - you can created a dedicated repository for Veeam agents and assign a gateway server somewhere on-site with the client machines. Yes, agents will authenticate via Veeam B&R (so management connection to Veeam B&R is still required), but backup traffic will be isolated within the site where agents, gateway server and repository are configured. Hope it helps!

Hi Dima,
Since the Protection Group can be configured with separate distribution server, it would be appreciated if the backup job managed by backup server can function the same way, proxying connection to the agent.

So, no management connection to Veeam B&R but a proxied one from Veeam B&R.

I understand that direct connection to the repository server is probably inevitable, with ports restricted and documented.

These days major concern is network security and isolation.

[rnldnkp]

+1

"What’s New in Veeam Data Platform?
Achieve radical resilience that can only come from complete confidence in your protection, response and recovery. Built on the principles of Data Security, Data Recovery, and Data Freedom—Veeam Data Platform provides the confidence you need to take a stand against cyberattacks with the New 12.1 Release."

It states on the website. "Principles of Data Security"... "Cyberattack"...

But in 2024 release 12.1.2 we still need direct connection to VBR and/or repo's to use agents and/or application aware restores like Active Directory or Database Servers.
Not done in an Enterprise/MSP environment. So +1 for a proxy or gateway in between like Cloud Connect!