Question

Best practise Guest processing between VLANS

  • 24 November 2022
  • 8 comments
  • 676 views

Userlevel 4

Hi all,

Our setup is currently as follow: Veeam server in seperated VLAN, guest processing is now running with VIX with the domain\administrator account.

Regarding the KB we must use the administrator account as it has the -500 at the end of the SID.

For safety purpose we want to disable the global domain\administrator account and use another domain admin. Since I change the account, the backup jobs failing because of failing guest processing.

When I test the guest processing, the difference is that administrator successfully can make connection with Guest OS via VIX (after failing over to backup server for guest interaction). Another account fails at this step as well.

I could open 445 between the VLANS’, but I’m not sure that I break security if I do so.

Are there best practise available for this kind of setup? Disabling UAC would not be the best option for us :).

Thank you!


8 comments

Userlevel 7
Badge +20

Morning!

 

You’ve got multiple options here.

 

Firstly, RE firewall rules, you could scope this to ensure that only your guest interaction proxy/proxies can communicate on the RPC ports, to limit abuse.

You could also put a guest interaction proxy within the VLAN if you’re only doing cross-VLAN firewall boundaries.

 

Otherwise I’d consider deploying persistent guest agents for processing, the ports are limited once deployed as you can see on the persistent agent components subsection here:

https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=110#guest-interaction-proxy

Userlevel 7
Badge +7

Morning!

 

Otherwise I’d consider deploying persistent guest agents for processing, the ports are limited once deployed as you can see on the persistent agent components subsection here:

https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=110#guest-interaction-proxy

the best for me, nice move ;)

Userlevel 4

Thank you!

 

I did try the best option for me, the guest processing Proxy. For some reason the job does not take this new added server and tries to take another windows server from another branche office. Even I did select this server in the guest processing proxy, it ignores it.

I did open ports 6190, 6290, 445 and even 135 between back-upserver and guest proxy-server. (Latest is not listed regarding User Ports, but the discovery failed without it.)


Vss proxy host [myguestproxy.domain.local] - IP address [192.168.112.242] is in the same subnet as Vm IP [192.168.113.53] Subnet mask [255.255.254.0]

For some reason it is bypassing my guest proxy and takes another one (backupserver itself as failover)

- - - - Response: Guest interaction proxy resource [id=d7c4ff97-b99b-4d1f-884d-283b7b6b9ee3 : srv name=MYBCKSERVER : access level=DifferentSubnetworkBackupConsole : failover only]

I have no idea what I’m doing wrong :)

 

Userlevel 7
Badge +7

hi @mike.beirens 

in the job did you select the server with the correct FW port openings that does the guest processing?

 

Userlevel 4

Yes, it is selected as the only one.

I did check the firewall log, but there is no communication during the job, so it’s not even trying.

Part of the logging:

[24.11.2022 13:00:00] <37> Info         [VssCredFactory] Getting guest credentials. OsType: windows9_64Guest. OsKind: Windows. WinCreds: True. LinCreds: False

[24.11.2022 13:00:00] <37> Info         Validating guest agent availability for the VM

[24.11.2022 13:00:00] <37> Info         [ScriptInvoker] Script disabled in options

[24.11.2022 13:00:00] <37> Info         [VssProxyHelper] VSS proxy is needed: VSS is enabled

[24.11.2022 13:00:00] <37> Info             Testing vss proxy ip [192.168.112.242], netmask [255.255.254.0]

[24.11.2022 13:00:00] <37> Info                 Testing vm ip [192.168.113.53]

[24.11.2022 13:00:00] <37> Info                 Vss proxy host [guestproxy.domain.local] - IP address [192.168.112.242] is in the same subnet as Vm IP [192.168.113.53]. Subnet mask [255.255.254.0].

[24.11.2022 13:00:00] <37> Info             Testing vss proxy ip [10.112.2.35], netmask [255.255.255.0]

[24.11.2022 13:00:00] <37> Info                 Testing vm ip [192.168.113.53]

[24.11.2022 13:00:00] <37> Info             Testing vss proxy ip [10.112.3.35], netmask [255.255.255.0]

[24.11.2022 13:00:00] <37> Info                 Testing vm ip [192.168.113.53]

[24.11.2022 13:00:00] <37> Info             Testing vss proxy ip [192.168.116.235], netmask [255.255.255.0]

[24.11.2022 13:00:00] <37> Info                 Testing vm ip [192.168.113.53]

[24.11.2022 13:00:00] <37> Info         Vss proxy host MYBCKSRV and Vm are not in the same subnetwork

[24.11.2022 13:00:05] <37> Info         Task group 0be8b8b7-ee1e-412e-a323-127fc2937b2a is ready. Preparing next task group for processing

[24.11.2022 13:00:05] <37> Info         - - Request: VssProxy, proxies: [Guest interaction proxy resource [id=5f35a2ad-e4a1-4b91-a4b0-b914e6f830d6 : srv name=guestproxy.domain.local : access level=SameSubnetworkProxy]],[Guest interaction proxy resource [id=d7c4ff97-b99b-4d1f-884d-283b7b6b9ee3 : srv name=MYBCKSRV : access level=DifferentSubnetworkBackupConsole : failover only]] 

[24.11.2022 13:00:05] <37> Info         - - - - Response: Guest interaction proxy resource [id=d7c4ff97-b99b-4d1f-884d-283b7b6b9ee3 : srv name=MYBCKSRV : access level=DifferentSubnetworkBackupConsole : failover only]

[24.11.2022 13:00:05] <37> Info         Starting guest agent

[24.11.2022 13:00:05] <37> Info         [LocalGuestInstaller] installing via VMwareApi

[24.11.2022 13:00:05]  17148  Info             ==================================================================================

 

Userlevel 7
Badge +20

I’d suggest grabbing the logs from the guest proxy server, as it will always fail back to the VBR server if the proxies defined aren’t successful.

Userlevel 4

Hi,

I did not have any log file at the guest processing during the job.

However: I did remove the Windows Server, re-added, but with the domain\administrator credentials and let it install all components.

I did modify the server to my other credentials and it still works.

I openened port 6162 as well, because firewall was blocking it. The port is not listed as needed.

Strange behaviour, but I hope it stays working :)

Thank you all!

Userlevel 7
Badge +7

Hi,

I did not have any log file at the guest processing during the job.

However: I did remove the Windows Server, re-added, but with the domain\administrator credentials and let it install all components.

I did modify the server to my other credentials and it still works.

I openened port 6162 as well, because firewall was blocking it. The port is not listed as needed.

Strange behaviour, but I hope it stays working :)

Thank you all!

Nice Work @mike.beirens 

tcp port 6162 this:

best regard m8

Comment