-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Backing up virtual machines in DMZ
I have my Veeam B&R Sever and Veeam Proxy servers in my Production VLAN, where vCenter is also located.
I have a couple of virtual machines in different DMZ networks that are behing firewalls. What options do I have to backup these virtual machines if I want to enable Application-aware processing? Do I need to open firewall ports?
Thanks
I have a couple of virtual machines in different DMZ networks that are behing firewalls. What options do I have to backup these virtual machines if I want to enable Application-aware processing? Do I need to open firewall ports?
Thanks
-
- Chief Product Officer
- Posts: 31814
- Liked: 7302 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: Backing up virtual machines in DMZ
Direct network connection to the guest is not a requirement with Veeam, as backup server can talk to it via ESXi host as well. Thanks!
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
Ok but I notice if I enable Application-aware processing for the virtual machines in the DMZ network, then I get an error about VIX
-
- Product Manager
- Posts: 20413
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Backing up virtual machines in DMZ
What specific issue you got? What kind of account is specified for application processing of this VM?
-
- VeeaMVP
- Posts: 6166
- Liked: 1971 times
- Joined: Jul 26, 2009 3:39 pm
- Full Name: Luca Dell'Oca
- Location: Varese, Italy
- Contact:
Re: Backing up virtual machines in DMZ
be careful on VIX you either have to disable UAC or use the native administrator account, otherwise indeed you are going to face errors.
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software
@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
Principal EMEA Cloud Architect @ Veeam Software
@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
If I add a VM to my backup job, that has application-aware processing enabled, and I click on test credentials, it says:
Connecting to guest OS via RPC, user Administrator - (this is the correct credentials btw, I have double checked)
Cannot connect to the host's administrative share
So do I need to open firewall ports?
Connecting to guest OS via RPC, user Administrator - (this is the correct credentials btw, I have double checked)
Cannot connect to the host's administrative share
So do I need to open firewall ports?
-
- VeeaMVP
- Posts: 6166
- Liked: 1971 times
- Joined: Jul 26, 2009 3:39 pm
- Full Name: Luca Dell'Oca
- Location: Varese, Italy
- Contact:
Re: Backing up virtual machines in DMZ
Only if you want to use network as a connection, but as said before you can leverage VIX processing that uses the ESXi libraries to access the vm over the hypervisor stack, so you can keep your DMZ closed as before.
The test should actually test both type of connections, haven't you seen the result also of the VIX test?
The test should actually test both type of connections, haven't you seen the result also of the VIX test?
Luca Dell'Oca
Principal EMEA Cloud Architect @ Veeam Software
@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
Principal EMEA Cloud Architect @ Veeam Software
@dellock6
https://www.virtualtothecore.com/
vExpert 2011 -> 2022
Veeam VMCE #1
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
The Transport Mode is set to Automatic, with the failver to network option selected. So is it just doing a network test by default and then stopping? I don't see other tests after that. I have application-aware processing checked along with vSphere Guest quiescence.dellock6 wrote:Only if you want to use network as a connection, but as said before you can leverage VIX processing that uses the ESXi libraries to access the vm over the hypervisor stack, so you can keep your DMZ closed as before.
The test should actually test both type of connections, haven't you seen the result also of the VIX test?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Backing up virtual machines in DMZ
There should be a record for the VIX test, right after the RPC lines (or before them, if the registry setting for protocol order inversion is specified). If you do not see them, please contact technical support.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
I created a new job, with application-aware processing checked along with vSphere Guest quiescence:
Connection to guest OS via RPC failed
Cannot connect to host's Administrative share
Then I get a pass for VIX tests.
So what does this mean, it will use VMware's own vSphere Guest quiescence to take the backup?
Connection to guest OS via RPC failed
Cannot connect to host's Administrative share
Then I get a pass for VIX tests.
So what does this mean, it will use VMware's own vSphere Guest quiescence to take the backup?
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Backing up virtual machines in DMZ
You can still use AAIP without having direct network connection to the backed up VMs. Just make sure you have VMware Tools up and running in these VMs. Please refer to this thread for requirements.So what does this mean, it will use VMware's own vSphere Guest quiescence to take the backup?
Thank you.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
Ok, thanks for the info.
If I decide to open the ports, which ports do I need to open specifically? I've had a look here but it's very confusing: http://helpcenter.veeam.com/backup/80/v ... ports.html
Which section do I need to look at?
If I decide to open the ports, which ports do I need to open specifically? I've had a look here but it's very confusing: http://helpcenter.veeam.com/backup/80/v ... ports.html
Which section do I need to look at?
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Backing up virtual machines in DMZ
If you mean Guest OS ports then please refer to "VM Guest OS Connections" section of that guide.If I decide to open the ports, which ports do I need to open specifically?
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
OK thank you, that's alot of ports!
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Backing up virtual machines in DMZ
That's why in case of DMZ it's better to stick with VIX. There is an article from our Evangelist, please take a look as it might be helpful.That's alot of ports!
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Backing up virtual machines in DMZ
VM Guest OS Connections section.btmaus wrote:Which section do I need to look at?
-
- Enthusiast
- Posts: 95
- Liked: 5 times
- Joined: Oct 17, 2015 3:32 pm
- Full Name: Stuart Little
- Location: Canada
- Contact:
[MERGED] Guest Processing - through a firewall
Guys, our environment has some domain controllers in the DMZ.
We want to enable Guest Processing to back them up using a Service Account in the DMZ.
Currently it fails as there is no authentication through the firewall to allow the service account to reach the DMZ from the backup server.
Is anyone doing this successfully? What ports did you need to open on the firewall.
Thoughts??
We want to enable Guest Processing to back them up using a Service Account in the DMZ.
Currently it fails as there is no authentication through the firewall to allow the service account to reach the DMZ from the backup server.
Is anyone doing this successfully? What ports did you need to open on the firewall.
Thoughts??
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Backing up virtual machines in DMZ
What message do you see on the job failure? Actually, direct network connection is not required for guest processing, see details above.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
@Jack1874 ... I use the VIX method now for the VMs in my DMZ, as suggested earlier in this thread.
@foggy ... One DMZ VM in particular keeps on producing this warning (with VIX enabled):
Idea's?
'
@foggy ... One DMZ VM in particular keeps on producing this warning (with VIX enabled):
Code: Select all
Failed to prepare guest for hot backup. Details: Failed to connect to guest agent. Errors:
'Cannot connect to the host's administrative share. Host: [xyz.xyz.xyz.xyz]. Account: [Administrator].
Win32 error:The trust relationship between this workstation and the primary domain failed.
Code: 1789
'
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Backing up virtual machines in DMZ
Glenn, check whether UAC is disabled on the VM and whether you're using Domain Administrator account, since one of those is required to perform application-aware image processing work over VIX.
-
- Product Manager
- Posts: 20413
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Backing up virtual machines in DMZ
Also, you can choose a VM sitting in DMZ as guest interaction proxy and let it push run-time process to the required VMs there. Thanks.
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
@foggy ... it's using the Local Administrator account to backup the VM.
So if I place a Guest Interaction Proxy in the DMZ, then I can backup all my DMZ VMs using application-aware processing (which I can't at the moment)?
So if I place a Guest Interaction Proxy in the DMZ, then I can backup all my DMZ VMs using application-aware processing (which I can't at the moment)?
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Backing up virtual machines in DMZ
Please make sure that you can connect to the admin share (for example, \\Server Name\admin$) with the same credentials as provided to Veeam Backup & Replication for guest processing.foggy ... it's using the Local Administrator account to backup the VM
Yes, but you'll have to provide a two-way communication between guest proxy and VBR.So if I place a Guest Interaction Proxy in the DMZ, then I can backup all my DMZ VMs using application-aware processing (which I can't at the moment)?
Thank you.
-
- Product Manager
- Posts: 20413
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Backing up virtual machines in DMZ
Correct, but be aware to open TCP 6190 between backup server and guest interaction proxy.Thanks.btmaus wrote:So if I place a Guest Interaction Proxy in the DMZ, then I can backup all my DMZ VMs using application-aware processing (which I can't at the moment)?
-
- Expert
- Posts: 138
- Liked: 10 times
- Joined: Jul 17, 2015 9:02 am
- Full Name: Glenn L
- Contact:
Re: Backing up virtual machines in DMZ
It can't, as it's in the DMZ and doesn't have all those ports open. I have the options ticked to use both application-aware and vSphere quiesce, from reading the documentation I thought it should failover to using vSphere (no need for connection to admin share)? Or am I wrong?PTide wrote:Please make sure that you can connect to the admin share (for example, \\Server Name\admin$) with the same credentials as provided to Veeam Backup & Replication for guest processing.
Thanks, might have to look into this.Would the Guest Interaction proxy still need a connection back to the vCentre though? Not sure I want to open all those ports from my DMZ.Yes, but you'll have to provide a two-way communication between guest proxy and VBR.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Backing up virtual machines in DMZ
You're absolutely right, it slipped out from my mind that your VM is in DMZ. I recommend contacting support. Normally the job should attempt using VIX after being unable to connect via network.it should failover to using vSphere (no need for connection to admin share)? Or am I wrong?
It must have a LAN or VIX connection to the VM that will be backed up or replicated.Would the Guest Interaction proxy still need a connection back to the vCentre though
Thank you.
-
- Product Manager
- Posts: 20413
- Liked: 2302 times
- Joined: Oct 26, 2012 3:28 pm
- Full Name: Vladimir Eremin
- Contact:
Re: Backing up virtual machines in DMZ
Nope, it wouldn't. All required ports are mentioned in the referenced section of our User Guide. Thanks.Would the Guest Interaction proxy still need a connection back to the vCentre though?
-
- Novice
- Posts: 4
- Liked: never
- Joined: Apr 05, 2016 7:31 am
- Full Name: Kris Woodward
- Contact:
[MERGED] Backup Workgroup DMZ Servers
Hi All
We'd like to backup certain servers within our DMZ which are in a workgroup. Possibly silly question but is it possible to do this without using Administrator credentials for the guest OS but while also leaving remote UAC enabled?
Cheers
We'd like to backup certain servers within our DMZ which are in a workgroup. Possibly silly question but is it possible to do this without using Administrator credentials for the guest OS but while also leaving remote UAC enabled?
Cheers
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Backing up virtual machines in DMZ
Kris, either Domain Administrator account or disabled UAC is required, please see the thread above.
Who is online
Users browsing this forum: Semrush [Bot] and 22 guests