vCloud director integration with Veeam self service portal v10

[srmvel]

Hi Team,

I asked this question with Veeam & VMware support Engineer but no answer yet.

Let me explain my environment:

Our ESXi/VM management subnet is 10.128.1.0.
All the VMs(vcenter server.NSX,vCloud director,vCloud director database,Veeam backup VM etc..) are in the same subnet "10.128.1.0".
vSphere version is 6.7 U1
Veeam version is v10

We have configured the self service portal plugin in vCloud director provider portal as well as configured this self service portal to my vCloud director tenants.No issue at all while access the Veeam self service from vCloud director tenant URL via private VPN.

NAT comes in to picture here:-

When we try to access the "Veeam self service portal" from vCloud director tenant portal from public internet,its not loading(self service portal).I dont know why? When we inspect the page from chrome browser,its coming,


a39ad7f4-fd8b-4163-961f-c9e5dbcfb302 (Veeam Self-Service Portal)] Registering route: plugins/VmVlYW0=/veeam
register-external-extension-routes.step.ts:28 [a39ad7f4-fd8b-4163-961f-c9e5dbcfb302 (Veeam Self-Service Portal)] Registerd route
bootstrap-extension-points.step.ts:27 [a39ad7f4-fd8b-4163-961f-c9e5dbcfb302 (Veeam Self-Service Portal)] Bootstrapping 0 extension point(s)
external-extension.loader.ts:68 [a39ad7f4-fd8b-4163-961f-c9e5dbcfb302] Successfully activated
bundle.js:1 Tenant: routing to Veeam Portal
bundle.js:1 Organization Administrator: true
bundle.js:1 Logged in to VSSP: false
zone.js:2969 POST https://globalveeamlab.xx.com:9443/vClo ... VkaWthZygw net::ERR_CONNECTION_TIMED_OUT



After configuring the NAT( Pointed to Veeam VM) with port 9443 from Network end,It started working from public internet(self service portal from vCloud director tenant) and able to see the backup jobs from "Veeam self service portal"

Im not sure,Why NAT is required for Veeam server with port 9443 when we access from public internet ?It should work without NAT because the VCD,VCD DB VM & Veeam backup VM are in the same subnet.

Note:- If we access the Veeam self service portal from vCloud director tenant either from public internet or private intranet,it should talk locally(without NAT) because all the VMs are in the same subnet.


Any one has any ideas?



Thanks,

Manivel RR

[HannesK]

Hello,
can you please post the case number to check what support said?

I'm guessing that it has something to do with your DNS settings.

Best regards,
Hannes

[srmvel]

Hi Hannes,
This is the case no 04042509 .Veeam support engineer asked us to engage a call with VMware.

All the mentioned VMs(VCD,veeam) DNS records are in my local private DNS server.

Public URL for VCD:-We have configured NAT IP for vCloud director(to access from internet)and configured the public URL.This DNS record is in my public DNS server.

DNS issue ? which means,in vCloud director VM,I need to create a IPtables for IP forward? I mean,whatever the request comes in for 9443,it should be routed to Veeam server ?

like this,

!/bin/sh
IPTABLES="/sbin/iptables"

$IPTABLES -t nat -A OUTPUT -d 204.8.XXX.6 -s 10.30.XXX.0/XX -j DNAT --to-destination 10.30.XXX.6
$IPTABLES -t nat -A OUTPUT -d 204.8.XXX.7 -s 10.30.XXX.0/XX -j DNAT --to-destination 10.30.XXX.7
...


Thanks,
Manivel R

[HannesK]

Hello,
if I understand the case emails correctly, then it's about the community supported vCloud director plugin. So yes, support cannot really help with that one. @chris.arceneaux do you maybe have some hints?

When I look at the picture, it looks like that the end user needs to have access to the enterprise manager (port 9443) https://veeamhub.github.io/veeam-plugin ... setup.html

I don't think that anything should go to the Veeam backup server from the internet. Only to the Enterprise Manager server (well, if it is the same server, then backup server, yes).

Let's wait what the author of the plugin says.

Best reagards,
Hannes

[chris.arceneaux]

Hi Rajamanivel,

The Veeam Plugin for vCD doesn't change the architecture/design of the VSSP (Veeam Self-Service Portal).

This means the Web UI port (default 9443) must be exposed publicly to the internet. I also highly recommend, like Hannes, that you install Veeam Backup & Replication and Enterprise Manager on separate servers in this scenario.

Notice the picture Hannes referenced below shows the tenant at the top accessing both vCD and the VSSP. Both vCD Web UI and VSSP Web UI are publicly exposed to the internet. The only back-end communication you see here is for authentication against vcd and backup and restore operations. The plugin simply takes the public VSSP URL and opens an iFrame to that URL within vCD.



You do not need to add IP forwards on your vCD cell VMs for either the plugin or the VSSP. To expose the VSSP publicly, NATs on your edge router/firewall are typically used. It seems you might have this already in place.

My recommendation is for you to fully setup/configure the VSSP without the vCD plugin. Make sure it's working properly and is publicly accessible. Veeam support can help you with issues for the VSSP.

Once VSSP configuration is complete and working, you can proceed with the vCD plugin.

[srmvel]

Hi Chris,

Thanks for the update.This is by design.
I thought, from internet only 443 port(VCD UI)should be exposed to internet not 9443(VSSP).
When the tenant try to access the VSSP(after logging in to VCD tenant),everything will be local(tenant will locally forward the request to VSSP).I thought like this.

We need to use like from internet.

Example:- We need to configure NAT like this so that both the traffic will pass inside.

209.200.200.11 to 10.128.1.11 port 443(VCD VM)
209.200.200.11 to 10.128.1.15 port 9443(Veeam EM)

Thanks,
Manivel R

[chris.arceneaux]

Hi Manivel,

That's correct. Please don't hesitate to reach out if you have further questions.

Thanks,
Chris

[srmvel]

Sure. Thank you Chris.