Guest Interaction and firewall

[patrickds]

Hi,

we are currently in the process of securing our backup solution.
One of the steps was moving the Veeam B&R server and vSphere hosts to a different subnet, to separate them from the business network.
A firewall (pfsense) is between the subnets, set to block any traffic between them.
The idea was: let's block everything, and fix what gets broken by opening only what's required.

Now comes the issue: for some VMs guest processing failed, like we expected, but for others it still worked.
So where do we look to find out how this kept working, when there is no network traffic allowed between the backup server and the VMs?
Which log files?

All VMs have identical guest processing settings.
Those that failed, indicated that the admin share could not be reached, which is logical.
We need to know how for these other VMs the firewall appears to have been somehow bypassed.

[rennerstefan]

Hi Patrick,

if you have a firewall in place and Veeam can't reach the VM via RPC we will try Networkless application-aware guest processing through VMware VIX/vSphere Web Services.
That means we will connect to the vSphere host and use VMware tools to perform the needed tasks.
If that works for some and fails for others it only means that there are some issues with the connection or authentification.
One example would be this KB: https://www.veeam.com/kb1788

You should be able to find details in the relevant Veeam logs for each VM.

Thanks

[patrickds]

After some digging in the logs from the KB, it is clear that failback to VIX is indeed the reason why it works for some of the VMs.
The ones with issues are still running Windows 2012, with outdated VM and tools versions, which is probably why VIX fails on them.
Both are scheduled for replacement, but I'll try getting them updated first, to see if that also fixes the problem.

Which would be the better/more secure option: keep using VIX or creating a Guest Interaction Proxy which is connected to both networks?

[rennerstefan]

Well I’d say that is up to your preference. At the end using VIX doesn’t require another hop in the process where as guest interaction proxy does. On the other hand VIX is a total different process where guest interaction is more what you are used to. In terms of security you can always use your fw to only allow the needed communication for the guest interaction proxy.
Both will work so up to you.

[AndrewAdvnetsol]

We are doing things in a similar manor as Patrick is. After reading through this post I am still a bit confused about the use of RPC or VIX. Since we setup separate subnets and Veeam cannot access the admin share via RPC it uses VIX. Are there any limitations when it comes to restores if application-aware processing was done using VIX? Do I need to make sure Enable VMware Tools quiescence is enable for jobs that use VIX? Should I always just enable VMware Tools quiescence?

[ArturE]

Hi @AndrewAdvnetsol

VIX is just another way for VBR to communicate with the source VM during application-aware processing, when: uploading binaries, sending commands and receiving the results. Other than that, it does not change any functionality of the feature.

Best regards,
Artur