Comprehensive data protection for all workloads
ashleyw
Veeam Legend
Posts: 219
Liked: 53 times
Joined: Oct 28, 2010 10:55 pm
Full Name: Ashley Watson

[V13] Comments on initial deployment

Post by ashleyw »

Hi, sorry, late to the party on V13. I deployed the V13 appliance yesterday - looks like a great step forward!

Got a couple of questions based on my initial deployment.

- Out the box installs can't connect to the update server. We don't use outbound web proxies in our environment, as we typically use Cisco Umbrella for DNS protection along with an array of other security tools. When I try and run the check update option, it gives an error of Failed to retrieve updates with the underlying error of;

    "Curl error (7): Couldn't connect to server for https://repository.veeam.com/rocky/9.2/vbr/13.0/mandatory/repodata/repomd.xml [Failed to connect to repository.veeam.com port 443: No route to host]".

I enabled SSH, and I can see from an SSH prompt that name resolution is working fine. I see there appears to be firewalld running. But I can't elevate privileges from veeamadmin so I can't check what the default rules are;

    sudo firewall-cmd --list-all-zones
    [sudo] password for veeamadmin:
    veeamadmin is not in the sudoers file.  This incident will be reported.

hopefully the security police won't come knocking at my door :lol: so my question is there is outbound URL whitelisting taking place - how do we allow outbound access to specific endpoints? It's probably not going to work just at an IP level as things like Cloudflare appear to be used for the update servers so they will be changing IPs.
- Out the box I can add a proxy. I deploy a fresh Rocky9 VM to act as a proxy and enable ssh password auth just as a test to keep things easy, but the appliance is unable to connect to the proxy so I'm assuming the same thing that is stopping the first thing from working applies to this. From an appliance SSH prompt I'm unable to ssh to the proxy VM.
- Our current system is running Veeam V12 and I need to keep this running for the time being (until we get the approval to go v13 and VUL - sadly bye bye sockets!). Previously I was able to add in a repository on the same Rocky9 OpenZFS based mass storage unit by adding the repository under a different directory. Is this going to be still possible with V13 or will the v13 agent attempt to push an incompatible proxy agent process on the VM which could break our V12 backups or will I need to test this? If there is a way of having both V12 and V13 configs at the same time this would be ideal as I can benchmark the performance between Windows Veeam server versus the Linux Appliance under our full load - and I'd be hoping for a "linux for the win" scenario.
- Are there plans to allow for the deployment of a virtualised hardened proxy environment that could be deployed directly from the Veeam console? i.e. UI asks for which vCenter (or other hypervisor), network settings, proxy host name etc. then everything else would be taken care of. This would further improve the security posture of the appliance.
- I'd really like to see the windows appliance client being unnecessary. On our corporate environment, every single executable has to be whitelisted in Threatlocker, so it would be nice if I didn't have to beg for corporate approval and I could instead get the full functionality from the web interface.
- See the appliance appears to be built on Rocky9.2. Are there any plans to track the latest versions of Rocky (currently 9.6 I believe) to help with security on the appliance itself?
- I'm using OpenZFS on V12 repositories with no issues whatsoever. I assume the connection to OpenZFS based repositories will still work (even if there is some tweaking allowed)?
- Many of our Linux based templates have been optimised to use virtualised "NVME controller 0" in VMware. These are backed up fine in V12, did I read that these VMs won't be backed up in V13 or perhaps I misread.

I want to see V13 rocking!
Big shout out to the team and all the hard work that's gone into this.

cheers
Ashley
Gostev
Chief Product Officer
Posts: 32512
Liked: 7847 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: [V13] Comments on initial deployment

Post by Gostev »

Hi, Ashley
1/ Yes, you will need to work with your networking folks to ensure VSA can reach veeam.com
2/ Same, this seems like some firewall shenanigans in your environment. Do note however that we recommend using Veeam Infrastructure Appliance instead of BYO Linux for backup infrastructure components.
3/ This is not supported and therefore not tested, but most likely this will not work. But also no point to benchmark, we already did and V13 beat V12 hands down in terms of performance. And it's not Windows vs. Linux situation, as V13 is equally performant on both, as I explained in the sticky FAQ topic.
4/ For hardened backup infrastructure components, we offer Veeam Infrastructure Appliance (see the V13 What's New document for more info).
5/ Me too but understandably it will take us some more time to migrate almost 20 years worth of features to web UI.
6/ I'm not sure what you mean by the term "track". The special extended LTS version of Rocky we use (it's not vanilla 9.2 btw) will keep receiving security updates for 2+ more years, therefore we might end up skipping 9.6 altogether. However, this has not been decided yet simply because there's no pressure to make this decision.
7/ This has not been specifically tested with V13 and unfortunately we will not have QA resources for this testing until after 13.0.1 release.
8/ This does not ring any bells to me, please share what document or post you are referring to.
Have fun with V13!!

Re: [V13] Comments on initial deployment

Post by ashleyw » 1 person likes this post

thanks, I had old duplicate entries for the DNS of the proxies on our DNS server configuration which was causing connectivity issues and causing the proxy deployment failures. I've fixed that but I'll use the appliance deployment method for the proxy OSs to keep things secure.
I'll give some feedback sometime next week assuming I can get V12 and V13 working at the same time (but using different proxies etc).
Sadly I don't have access to a complete parallel infrastructure setup so I'm going to need to be creative on my testing approach.
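
A check for the failure pattern in this thread (the name resolves, the connection fails, and the cause turns out to be old duplicate DNS entries), as an added example that is not part of any post and is not Veeam tooling: it probes every address a name resolves to, so a leftover record shows up as a mix of reachable and unreachable addresses. The host name, port 22 and the 192.0.2.x addresses in the demo are constructed.

```python
import errno
import socket

# errno values that matter when a name resolves but the connect fails
OUTCOMES = {
    errno.EHOSTUNREACH: "no route to host",  # wording seen in the curl error (7)
    errno.ENETUNREACH: "network unreachable",
    errno.ECONNREFUSED: "refused",
}

def resolve_all(host, port):
    """Return every distinct address the resolver hands back for host."""
    infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def probe(addr, port, timeout=3.0):
    """Try one TCP connect and name the outcome."""
    try:
        with socket.create_connection((addr, port), timeout=timeout):
            return "open"
    except socket.timeout:
        return "timeout"
    except OSError as exc:
        return OUTCOMES.get(exc.errno, "error")

def audit(host, port, resolver=resolve_all, prober=probe):
    """Probe every address behind one name and summarise the result."""
    try:
        addrs = resolver(host, port)
    except socket.gaierror:
        return {"host": host, "verdict": "dns failure", "results": {}}
    results = {addr: prober(addr, port) for addr in addrs}
    up = [a for a, r in results.items() if r == "open"]
    if not results:
        verdict = "no records"
    elif len(up) == len(results):
        verdict = "ok"
    elif up:
        # Some records answer and some do not: for an internal host that
        # should have one address, this points at a stale duplicate record.
        verdict = "mixed: check for stale DNS records"
    else:
        verdict = "unreachable"
    return {"host": host, "verdict": verdict, "results": results}

if __name__ == "__main__":
    # Constructed data: one live address and one leftover record.
    fake_dns = {"proxy01.example.internal": ["192.0.2.10", "192.0.2.99"]}
    fake_net = {"192.0.2.10": "open", "192.0.2.99": "no route to host"}
    print(audit("proxy01.example.internal", 22,
                resolver=lambda h, p: fake_dns[h], prober=lambda a, p: fake_net[a]))
```

Called without the `resolver` and `prober` arguments, `audit` uses the system resolver and real TCP connects; a "mixed" verdict is only meaningful for names expected to map to a single host, since CDN-fronted names legitimately return several addresses.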