Discussions specific to the VMware vSphere hypervisor
Post Reply
pkelly_sts
Expert
Posts: 568
Liked: 62 times
Joined: Jun 13, 2013 10:08 am
Full Name: Paul Kelly
Contact:

VM behind firewall so can't upload agent?

Post by pkelly_sts » Aug 21, 2014 9:17 am

We have a few VMs that MUST be behind a restricted double-bastion firewall for security purposes so our B&R server can't access the administrative share to upload the "agentless agent".

Ordinarily I'd consider pushing for FW rules to allow it but in this case I'm now also switching replication to be "pulled" from a B&R box we have at the DR site (as opposed to being pushed by the HQ site) so would also need to open the Fw to this remote site as well which really isn't going to happen for various reasons.

What options am I left with to get as clean a backup/replication as possible of these VMs?

Regards,

Paul

foggy
Veeam Software
Posts: 18024
Liked: 1530 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VM behind firewall so can't upload agent?

Post by foggy » Aug 21, 2014 9:23 am

Leaving the firewall between the sites aside, there's actually no need for the backed up VM to be accessible over network at all, as in this case the job will fail over to VMware Tools (VIX) API to perform all the required activity.

pkelly_sts
Expert
Posts: 568
Liked: 62 times
Joined: Jun 13, 2013 10:08 am
Full Name: Paul Kelly
Contact:

Re: VM behind firewall so can't upload agent?

Post by pkelly_sts » Aug 21, 2014 10:06 am

That's what I thought, but I always get the following error:

Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: 'Cannot connect to the host's administrative share. Host: [x.x.x.x]. Account: []. Win32 error:The network path was not found. Code: 53 '
'
So what should I be doing differently to get it to quietly fail over to VIX?

foggy
Veeam Software
Posts: 18024
Liked: 1530 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VM behind firewall so can't upload agent?

Post by foggy » Aug 21, 2014 10:22 am

You can try to set the InverseVssProtocolOrder (DWORD) registry key to 1 so that the job always try network-less processing (VIX) mode before trying to access via network. If that doesn't help, check the VMware Tools status for this VM.

Probably contacting support will be more effective in addressing this.

pkelly_sts
Expert
Posts: 568
Liked: 62 times
Joined: Jun 13, 2013 10:08 am
Full Name: Paul Kelly
Contact:

Re: VM behind firewall so can't upload agent?

Post by pkelly_sts » Aug 21, 2014 11:09 am

VMWare tools status is current/running & I'd rather not force all jobs to use VIX if I can avoid it. Will take your advice & give support a shout if I find it bothering me too much but at least I don't feel like I'm doing something obviously wrong, thanks.

foggy
Veeam Software
Posts: 18024
Liked: 1530 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VM behind firewall so can't upload agent?

Post by foggy » Aug 21, 2014 11:16 am

You can also double-check the credentials used by the job, make sure to specify an account with local administrator privileges on this VM.

pkelly_sts
Expert
Posts: 568
Liked: 62 times
Joined: Jun 13, 2013 10:08 am
Full Name: Paul Kelly
Contact:

Re: VM behind firewall so can't upload agent?

Post by pkelly_sts » Aug 21, 2014 12:26 pm

I did exactly that after my last post & I actually think it's the credentials now, will find out tomorrow when I let the job run another time...

Gostev
SVP, Product Management
Posts: 24416
Liked: 3402 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: VM behind firewall so can't upload agent?

Post by Gostev » Aug 21, 2014 8:44 pm

foggy wrote:specify an account with local administrator privileges on this VM
This is not enough. Network-less interaction with Microsoft Windows guests with UAC enabled (Vista or later) requires that Local Administrator (MACHINE\Administrator) or Domain Administrator (DOMAIN\Administrator) account is provided on Guest Processing step.

pkelly_sts
Expert
Posts: 568
Liked: 62 times
Joined: Jun 13, 2013 10:08 am
Full Name: Paul Kelly
Contact:

Re: VM behind firewall so can't upload agent?

Post by pkelly_sts » Aug 29, 2014 1:31 pm

That's interesting Gostev - I was just coming back here to confirm that configuring the job with the correct local admin account (an account which is a member of the local administrators group) solved the problem after all. This is how I have our backups mostly configured, using a service-specific user account - using even the actual local admin account for such things should very much be frowned upon IMHO, never mind the Domain Admin account which should *never* be used for such things in my opinion!

foggy
Veeam Software
Posts: 18024
Liked: 1530 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: VM behind firewall so can't upload agent?

Post by foggy » Aug 29, 2014 1:58 pm

Do you have UAC enabled on that VM?

pkelly_sts
Expert
Posts: 568
Liked: 62 times
Joined: Jun 13, 2013 10:08 am
Full Name: Paul Kelly
Contact:

Re: VM behind firewall so can't upload agent?

Post by pkelly_sts » Aug 29, 2014 2:45 pm

We do as default on all our 2008 VMs

Post Reply

Who is online

Users browsing this forum: No registered users and 9 guests