[What (else) is new in v11 - VII] Persistent guest agent



Default behavior in VBR (incl. v11!): When a VM gets backed up with application-aware processing, runtime components get installed at the start of the job and are removed at the end. With v11 we have the option to install them persistently!

 

 

This increases security! No admin share or VIX access is necessary anymore. But it is required to deploy the Veeam Installer Service on the VMs where you want to use persistent components.

 

 

This can be done by manual installation, Group policy roll-out, or by adding the VM to managed Servers.

 

When everything works fine, components are installed persistently:

 

 

If you enable this feature and something does not work (as the installer is not deployed, ...), VBR tries to run non-persistent components.


43 comments

Userlevel 6
Badge +1

I think this is only a temporary plan? After it is announced on February 24 and waiting for the official document to confirm, thank you @vNote42, @MicoolPaul  and @regnor for your help. :blush:

Userlevel 7
Badge +6

So, today support came to the conclusion that it's a bug within the guest interaction proxy and not directly with the persistent guest agent. We're waiting for the hotfix/patch now.

Userlevel 7
Badge +7

@vnote42 and @regnor , if this server is not domain joined, perhaps following registry-key will solve your problem (already had to do that if not having access to admin$ for a non domain joined server) : 

LocalAccountTokenFilterPolicy (DWORD) put on 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

 

More info : Can't access ADMIN$ share using a local user or LAPS account – Support (pdq.com)

Thanks for this input, Nico! The access to admin$ shouldn’t be necessary with persistent guest agent → agent is already running in VM.
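
Added example, not part of any post in this thread: setting `LocalAccountTokenFilterPolicy` to 1 switches off UAC remote token filtering, so local administrator accounts receive a full administrative token over the network. The function below is an audit sketch to run inside a guest VM; it reports whether that workaround is still set and whether the Veeam Installer Service needed for persistent components is present. The function name and the service display name used for the lookup are assumptions.

```powershell
# Added audit sketch; run in an elevated PowerShell session inside the guest VM.
function Get-GuestRemoteAccessPosture {
    [CmdletBinding()]
    param(
        # Assumption: the service display name matches the component name used in the post.
        [string]$InstallerDisplayName = 'Veeam Installer Service'
    )

    $policyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $policy = Get-ItemProperty -Path $policyPath -Name 'LocalAccountTokenFilterPolicy' -ErrorAction SilentlyContinue
    # A missing value behaves like 0: remote logons by local admins get a filtered token.
    $filterValue = if ($null -ne $policy) { [int]$policy.LocalAccountTokenFilterPolicy } else { 0 }

    $adminShare   = Get-SmbShare -Name 'ADMIN$' -ErrorAction SilentlyContinue
    $installer    = Get-Service -DisplayName $InstallerDisplayName -ErrorAction SilentlyContinue
    $domainJoined = (Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

    $findings = @()
    if ($filterValue -eq 1) {
        $findings += 'LocalAccountTokenFilterPolicy=1: local admin accounts get a full token over the network'
    }
    if ($null -eq $installer) {
        $findings += "Service '$InstallerDisplayName' not found: jobs will try non-persistent components"
    } elseif ($installer.Status -ne 'Running') {
        $findings += "Service '$InstallerDisplayName' is $($installer.Status)"
    } elseif ($filterValue -eq 1) {
        $findings += 'Installer service is running: review whether the ADMIN$ workaround is still needed'
    }

    [pscustomobject]@{
        ComputerName                  = $env:COMPUTERNAME
        DomainJoined                  = $domainJoined
        LocalAccountTokenFilterPolicy = $filterValue
        AdminShareExposed             = [bool]$adminShare
        InstallerServiceStatus        = if ($installer) { [string]$installer.Status } else { 'NotInstalled' }
        Findings                      = $findings
    }
}

Get-GuestRemoteAccessPosture | Format-List
```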

Userlevel 6
Badge +1

Thank you @vNote42 for sharing, could you please let me know the use of this component, and where is it used?

Userlevel 7
Badge +3

Awesome share @vNote42, thank you, I hadn’t read that in the release notes

Userlevel 7
Badge +6

Thank you @vNote42 for sharing, could you please let me know the use of this component, and where is it used?


It is used if you enable application-aware processing for a Windows VM; that way Veeam will prepare the VM/application and do additional tasks. This process is always removed from the VM afterwards. With the persistent agent Veeam doesn't have to deploy it for every job run; less firewall configuration and better security.

Awesome share @vNote42, thank you, I hadn’t read that in the release notes

Have the release notes already been published?
 

Userlevel 7
Badge +8

Nope, any available documentation (the sharing of which is prohibited at present) indicates that, as it’s not GA yet, it’s subject to change still. Not long now!

Userlevel 7
Badge +7

I am waiting for the “what’s new” document as well :grin:

Userlevel 7
Badge +6

I think you'll see in the GUI that the persistent agent isn't reachable. At least the logs show which way is used.

In our case we see the following:

Failed to inject guest runtime using guest interaction proxy, failing over to backup server
Failed to inventory guest system: Veeam Guest Agent is not started

The non-persistent way is also not working as the Admin Shares aren't available.

Ah, I see. The first Failed-message I know. It is green-marked. I guess the second is red?

Yes it is. The backup server itself can't connect to the guest VM, so finally guest processing is failing.

I hope to receive a solution on Monday or else I'll set up an alternative.

Userlevel 7
Badge +8

Hey guys, have either of you done a packet capture on this yet? I’d expect this to be a firewall issue. Be good to validate the port we see Veeam connect to is as expected and the endpoint’s firewall is permitting it and we see the traffic on that device.

Userlevel 7
Badge +7

Did anyone in the community already try the new persistent guest agents? I’m currently setting them up for a customer, but during the backup Veeam always fails over to the non-persistent way, which then fails because of missing access to Admin$ and blocked firewall ports. The logs aren’t that detailed about what's happening with the persistent guest agent or within the guest itself.

You probably know this: https://helpcenter.veeam.com/docs/backup/vsphere/runtime_process.html?ver=110#persistent-agent-components. There you find the flow chart to use persistent agent.

Did not see this up to now.

Userlevel 7
Badge +4

I will use it soon, in August, for approx. 50 Windows Agents.

Userlevel 7
Badge +5

@vnote42 and @regnor , if this server is not domain joined, perhaps following registry-key will solve your problem (already had to do that if not having access to admin$ for a non domain joined server) : 

LocalAccountTokenFilterPolicy (DWORD) put on 1

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

 

More info : Can't access ADMIN$ share using a local user or LAPS account – Support (pdq.com)

Userlevel 7
Badge +7

@vNote42 Unfortunately it is still not working and support is still investigating.

@Nico Losschaert Thanks for asking. We've tried this key and even completely disabled UAC, but still the connection is failing.

How did you see backup failed over to non-persistent agent? I did not see in GUI-log what agent the job uses.

Userlevel 7
Badge +6

I think you'll see in the GUI that the persistent agent isn't reachable. At least the logs show which way is used.

In our case we see the following:

Failed to inject guest runtime using guest interaction proxy, failing over to backup server
Failed to inventory guest system: Veeam Guest Agent is not started

The non-persistent way is also not working as the Admin Shares aren't available.

Userlevel 7
Badge +6

@MicoolPaul I've created a Wireshark capture for Veeam Support from both the proxy and the guest. It doesn't look like they've found the cause in those captures as we have a new remote session on Monday. 

The necessary ports are reachable, which we have verified via PowerShell. And you can also see in the logs that the proxy is able to connect to the guest, it starts uploading all other helper files and then it just fails.

Userlevel 7
Badge +8

What antivirus is being used? 🙂

Userlevel 7
Badge +6

None, except for Windows Defender 😉

I've also posted it in the forums: https://forums.veeam.com/post424005.html?sid=d92af730896c5f80f565449959eb3704#p424005

Userlevel 7
Badge +6

I think the primary reason why we need administrative permissions is that Veeam needs to (temporarily) install its helper services or runtime processes. The persistent guest agent only changes the way those are deployed, but it's not a full agent component. I'm sure this will change in future releases as many organizations request limited permissions, but for now we'll have to work with it that way.

Veeam Agent for Windows would probably be more comparable with other solutions, like Quest. It's a full-blown agent and does all the processing without special permissions.

Userlevel 7
Badge +6

Did anyone in the community already try the new persistent guest agents? I’m currently setting them up for a customer, but during the backup Veeam always fails over to the non-persistent way, which then fails because of missing access to Admin$ and blocked firewall ports. The logs aren’t that detailed about what's happening with the persistent guest agent or within the guest itself.

Userlevel 7
Badge +6

Yes, I've already checked that article. So far everything looks good and the components are getting deployed according to the logs. But at the final step Veeam goes back to the traditional way without a detailed error.

I've opened a case and will see what support can find.

Userlevel 7
Badge +7

Hi, @regnor ! Any news about this issue? I would be very interested!

Userlevel 7
Badge +6

@vNote42 Unfortunately it is still not working and support is still investigating.

@Nico Losschaert Thanks for asking. We've tried this key and even completely disabled UAC, but still the connection is failing.

Userlevel 7
Badge +7

I think you'll see in the GUI that the persistent agent isn't reachable. At least the logs show which way is used.

In our case we see the following:

Failed to inject guest runtime using guest interaction proxy, failing over to backup server
Failed to inventory guest system: Veeam Guest Agent is not started

The non-persistent way is also not working as the Admin Shares aren't available.

Ah, I see. The first Failed-message I know. It is green-marked. I guess the second is red?

Userlevel 7
Badge +8

This will make things much easier for our clients definitely.  Looking forward to this one. :sunglasses:
