Virtual LAB question (Windows Firewall driving me crazy)

[vmtech123]

Ping test fails. Common issue in the virtual lab world as I have seen due to Windows Firewall.

After troubleshooting, I find that yes, the firewall is enabled, and if I turn it off, I can ping the VM, RDP and the lab works as expected.

What do you guys do so windows doesn't see a new MAC and convince itself it's a new network every time you start the lab?

I don't want to have to specify manual MAC addresses in VMware.

And to confirm, Domain, Public, and Private Firewall are all disabled. but when Veaam boots it up, it enables it and the ping test will never succeed.

[PetrM]

Hello,

The SureBackup does not perform any additional configurations steps at the level of guest OS, it just mounts a VM from backup with the same configuration as the VM has on production. But I'm not sure that I'm getting what do you mean by "Windows doesn't see a new MAC"? Maybe, the issue is related to the fact that incoming connection goes from a different network where Veeam B&R is located?

Thanks!

[Regnor]

I've never seen the Windows firewall getting re-enabled in a Surebackup. Also the network profile normally stays the same; is it a domain server and have you also added a DC to your application group?

In general, if Windows firewall blocks Ping I create a rule/exception in the production VM.

[vmtech123]

Hmmm...

DC is in application group. what rule would I create on production VM? firewall is already disabled on VM.. I feel like when VMware boots it back up, I dont' know if it is because it's on a new network, or gets a new mac address, but it causes it to turn the firewall on.

I'd assume there has to be other people here who use Veeam Labs and VMware, so if they are having no issues without setting static mac addresses in VMware i'd just like to not go down the wrong path looking into something that isn't an issue.

Sure backup doesn't preform any extra steps, but when it boots up a VM with a new MAC address (because of VMware) this usually will cause windows fire wall to enable.

I have also seen other threads on these forums with similar issues, but no resolutions.

[Regnor]

I don't think that it's related to the MAC address change; this shouldn't enable the Windows firewall. If a domain computer comes up without a DC it will belive that it is in a new network and so have a different network profile. But as you say the firewall is disabled in your production VM so this shouldn't matter at all.
So, I'm not really sure where you're problem could come from.

[PetrM]

I worked with many different issues related to SureBackup configuration but I don't remember any case related to automatic firewall enabling. Just out of curiosity: what if you simply reboot the production VM? Also, maybe this thread could give some ideas for research.

Thanks!

[vmtech123]

So, to anyone at Veeam, or people searching this is FINALLY solved. Been fighting it close to 2 years.

It was a firewall setting, that when the VM would come up in the lab, the new MAC address would shift it to a private network or domain network but think it was a new adapter from what it really seems like. Regardless, changing it to static would not make sense, nor would it work to have VMware hosting multiple VM's with the same MAC I'd assume.

The trick for us was to create a GPO allowing inbound from our internal networks on the private as well as domain networks. We really only needed the domain as they are all domain joined and it works fine in production. Ping tests failing, able to RDP to Veeam Lab machines.

[albertwt]

Wow, that's great, thank you vmtech123 for sharing.