Host-based backup of VMware vSphere VMs.
patrickds
Enthusiast
Posts: 29
Liked: 5 times
Joined: Feb 24, 2010 11:58 am
Full Name: Patrick De Smedt

Guest Interaction and firewall

Post by patrickds »

Hi,

we are currently in the process of securing our backup solution.
One of the steps was moving the Veeam B&R server and vSphere hosts to a different subnet, to separate them from the business network.
A firewall (pfsense) is between the subnets, set to block any traffic between them.
The idea was: let's block everything, and fix what gets broken by opening only what's required.

Now comes the issue: for some VMs guest processing failed, like we expected, but for others it still worked.
So where do we look to find out how this kept working, when there is no network traffic allowed between the backup server and the VMs?
Which log files?

All VMs have identical guest processing settings.
Those that failed, indicated that the admin share could not be reached, which is logical.
We need to know how for these other VMs the firewall appears to have been somehow bypassed.
rennerstefan
Veeam Software
Posts: 688
Liked: 150 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany

Re: Guest Interaction and firewall

Post by rennerstefan »

Hi Patrick,

if you have a firewall in place and Veeam can't reach the VM via RPC we will try Networkless application-aware guest processing through VMware VIX/vSphere Web Services.
That means we will connect to the vSphere host and use VMware tools to perform the needed tasks.
If that works for some and fails for others it only means that there are some issues with the connection or authentication.
One example would be this KB: https://www.veeam.com/kb1788

You should be able to find details in the relevant Veeam logs for each VM.

Thanks
Stefan Renner

Veeam PMA
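To see in advance which of the two paths Stefan describes a given VM will end up on, here is a check added for this thread (not code from Veeam or from any poster) that can be run from the backup server. It assumes direct guest interaction needs the VM's admin share on TCP 445, that the networkless path needs TCP 443 to the vSphere host plus running VMware Tools, and it uses placeholder host names, addresses and a constructed VM list.

```powershell
# Added example: classify, per VM, which guest processing path the backup server
# can reach through the firewall policy discussed in the thread.
# Assumptions (not from the thread): admin-share access = TCP 445 to the VM;
# VIX/networkless path = TCP 443 to the vSphere host + VMware Tools running.

function Get-GuestProcessingPath {
    param(
        [bool]$AdminShareReachable,
        [bool]$VSphereReachable,
        [bool]$ToolsRunning
    )
    if ($AdminShareReachable) { return 'RPC via admin share (firewall allows direct access)' }
    if ($VSphereReachable -and $ToolsRunning) { return 'VIX fallback through vSphere host' }
    if ($VSphereReachable) { return 'FAIL: VIX path needs running VMware Tools' }
    return 'FAIL: neither path reachable'
}

function Test-Port {
    param([string]$Target, [int]$Port)
    # Quiet TCP probe; $true only when the handshake succeeds.
    return (Test-NetConnection -ComputerName $Target -Port $Port `
        -InformationLevel Quiet -WarningAction SilentlyContinue)
}

$vSphereHost = 'esxi01.example.internal'   # placeholder host name

# Constructed inventory. With PowerCLI loaded, ToolsRunning can instead be read as
# (Get-VM $name).ExtensionData.Guest.ToolsRunningStatus -eq 'guestToolsRunning'.
$vms = @(
    @{ Name = 'fileserver01'; Address = '10.0.10.21'; ToolsRunning = $true  }
    @{ Name = 'legacy2012';   Address = '10.0.10.35'; ToolsRunning = $false }
)

$vSphereOk = Test-Port -Target $vSphereHost -Port 443

$results = foreach ($vm in $vms) {
    $smbOk = Test-Port -Target $vm.Address -Port 445
    [pscustomobject]@{
        VM            = $vm.Name
        AdminShare445 = $smbOk
        vSphere443    = $vSphereOk
        ToolsRunning  = $vm.ToolsRunning
        Path          = Get-GuestProcessingPath -AdminShareReachable $smbOk `
                            -VSphereReachable $vSphereOk -ToolsRunning $vm.ToolsRunning
    }
}
$results | Format-Table -AutoSize
```

A VM reported as "VIX fallback" is one where the subnet block is in effect yet guest processing still succeeds, which is the behaviour Patrick observed.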
patrickds
Enthusiast
Posts: 29
Liked: 5 times
Joined: Feb 24, 2010 11:58 am
Full Name: Patrick De Smedt

Re: Guest Interaction and firewall

Post by patrickds »

After some digging in the logs from the KB, it is clear that fallback to VIX is indeed the reason why it works for some of the VMs.
The ones with issues are still running Windows 2012, with outdated VM and tools versions, which is probably why VIX fails on them.
Both are scheduled for replacement, but I'll try getting them updated first, to see if that also fixes the problem.

Which would be the better/more secure option: keep using VIX or creating a Guest Interaction Proxy which is connected to both networks?
rennerstefan
Veeam Software
Posts: 688
Liked: 150 times
Joined: Jan 22, 2015 2:39 pm
Full Name: Stefan Renner
Location: Germany

Re: Guest Interaction and firewall

Post by rennerstefan »

Well, I’d say that is up to your preference. In the end, using VIX doesn’t require another hop in the process, whereas the guest interaction proxy does. On the other hand, VIX is a totally different process, whereas guest interaction is more what you are used to. In terms of security you can always use your fw to only allow the needed communication for the guest interaction proxy.
Both will work, so up to you.
Stefan Renner

Veeam PMA
AndrewAdvnetsol
Service Provider
Posts: 23
Liked: 2 times
Joined: Jan 24, 2020 6:06 pm
Full Name: Andrew Carmichael

Re: Guest Interaction and firewall

Post by AndrewAdvnetsol »

We are doing things in a similar manner as Patrick is. After reading through this post I am still a bit confused about the use of RPC or VIX. Since we set up separate subnets and Veeam cannot access the admin share via RPC, it uses VIX. Are there any limitations when it comes to restores if application-aware processing was done using VIX? Do I need to make sure Enable VMware Tools quiescence is enabled for jobs that use VIX? Should I always just enable VMware Tools quiescence?
ArturE
Veeam Software
Posts: 7
Liked: 4 times
Joined: Jan 26, 2023 2:30 pm

Re: Guest Interaction and firewall

Post by ArturE »

Hi @AndrewAdvnetsol

VIX is just another way for VBR to communicate with the source VM during application-aware processing when uploading binaries, sending commands and receiving the results. Other than that, it does not change any functionality of the feature.

Best regards,
Artur