Hey Folks,
I feel like this scenario/question has been asked multiple times before but because we are building out a new Veeam environment soon, I want to just reconfirm one more time if this is the only way to go about it.
Problem: Utilizing Veeam Application Aware Processing across multiple domains and VLANs without using DOMAIN\Administrator account
Infrastructure: VMware
Version: vSphere 6.5 with Veeam B&R 9 U4
Scenario: We have clients spread across multiple VLANs with their own internal Windows AD domains. We want to use Application Aware Processing but unfortunately, we do not have in possession the credentials for the default DOMAIN\Administrator account for each domain. However, we do have an account of DOMAIN\User that is a part of the Domain Administrators security group.
Problem: Currently, it would seem that we are not able to use AAP with the DOMAIN\User account. The only way we got it to work was to create a small Windows proxy server that acts as the “guest interaction proxy”. This small server would be dual-homed to have one connection into the client VLAN and another connection back inside our Veeam network. We would enable the Windows Firewall so that the Veeam network connection would not accept incoming traffic from the other connection. This proxy would then be configured as the “Guest interaction proxy” in the Guest Processing tab for that specific client’s backup job. We actually had spoken quite in depth with a Veeam engineer regarding this and after much testing, it would seem that either the DOMAIN\Administrator account would be needed or UAC be turned off within Windows. Both of these scenarios are not possible.
So I humbly ask if any other users out there have had to tackle this issue and how did you solve it. This problem has been bugging us for a long time and this is pretty much the only solution I found that works. It’s not feasible in that many proxies need to be created, although each is small in CPU, RAM and disk usage. Also, from a networking perspective, it’s not good as well since we need to future-proof the Veeam environment to make sure it has enough usable IPs to allocate for each proxy. From a security perspective, it’s never really good to have a dual-homed machine that connects the separate environments back into our Veeam back-end.
If anyone has any suggestions, I’m all ears as this has plagued me for a long, long time.
Thanks!
-
- Enthusiast
- Posts: 44
- Liked: 5 times
- Joined: Apr 09, 2015 8:33 pm
- Full Name: Simon Chan
- Contact:
-
- VP, Product Management
- Posts: 7081
- Liked: 1511 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
- Contact:
Re: Veeam Application Aware Processing Across VLANs
You need a member of the local administrator group together with the Guest Interaction proxy if you want to go over the network.
If you want to go through VIX then you need permissions to go through the VMware Tools to the OS. As you said, because of the UAC this is only possible with "localserver\Administrator" or "domain\Administrator". Potentially there is an option to tune the local Windows so that UAC accepts other users in the same way, but I do not know how to do this. It is all a matter of Windows rights and policies.
However, there is the option to do only VMware Tools quiescence if you only need VSS consistency and not file restore.
See as well:
https://www.veeambp.com/job_configurati ... redentials
-
- Enthusiast
- Posts: 44
- Liked: 5 times
- Joined: Apr 09, 2015 8:33 pm
- Full Name: Simon Chan
- Contact:
Re: Veeam Application Aware Processing Across VLANs
Thanks Andreas.
Have you ever read or heard of other Veeam customers doing what we've done in creating a dual-homed guest interaction proxy server?
That is one of my main concerns. I know we are not going to be able to ask our clients to disable UAC. Everything will go through VIX and since that's not possible when we don't have the .\Administrator or domain\Administrator credentials, the only option I see is creating that dedicated dual-homed proxy machine.
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Veeam Application Aware Processing Across VLANs
Hi Simon, such a setup is not a unique one, but keep in mind that in any case, for application-aware image processing you need administrator privileges on the VM guest OS.
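
For the dual-homed guest interaction proxy discussed in this thread, here is an added example (not part of any post above and not Veeam's own tooling) of a PowerShell check that the proxy does not route between its two networks and that Windows Firewall is active with inbound traffic blocked by default on both NICs. The interface aliases and the function name `Test-DualHomedProxy` are hypothetical; the check does not cover individual allow rules.

```powershell
# Added example: audit a dual-homed guest interaction proxy (run elevated on the proxy).
# The interface aliases are hypothetical placeholders; use the real adapter names.
function Test-DualHomedProxy {
    param(
        [string]$BackendAlias = 'Veeam-Backend',  # hypothetical: NIC on the Veeam network
        [string]$ClientAlias  = 'Client-VLAN'     # hypothetical: NIC on the client VLAN
    )
    $findings = @()

    foreach ($alias in $BackendAlias, $ClientAlias) {
        # A dual-homed host must never forward packets between its two networks.
        $ipIf = Get-NetIPInterface -InterfaceAlias $alias -AddressFamily IPv4 -ErrorAction Stop
        if ([string]$ipIf.Forwarding -ne 'Disabled') {
            $findings += "IPv4 forwarding is enabled on '$alias'"
        }

        # The NIC's network category decides which firewall profile governs it.
        $category = [string](Get-NetConnectionProfile -InterfaceAlias $alias -ErrorAction Stop).NetworkCategory
        $profileName = if ($category -eq 'DomainAuthenticated') { 'Domain' } else { $category }

        # ActiveStore is the effective policy (local settings merged with Group Policy).
        $fw = Get-NetFirewallProfile -Name $profileName -PolicyStore ActiveStore
        if ([string]$fw.Enabled -ne 'True') {
            $findings += "Firewall profile '$profileName' is not enabled (applies to '$alias')"
        }
        # Anything other than an explicit Block is reported so that it gets reviewed.
        if ([string]$fw.DefaultInboundAction -ne 'Block') {
            $findings += "Profile '$profileName' default inbound action is '$($fw.DefaultInboundAction)' for '$alias'"
        }
        # A profile can be switched off per interface; that would silently bypass it.
        if ($fw.DisabledInterfaceAliases -contains $alias) {
            $findings += "Firewall profile '$profileName' is excluded on interface '$alias'"
        }
    }
    return $findings
}

$result = Test-DualHomedProxy
if ($result.Count -eq 0) {
    Write-Output 'No findings: forwarding disabled and firewall blocking inbound on both NICs.'
} else {
    $result | ForEach-Object { Write-Warning $_ }
}
```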