
I have Veeam B&R installed in a lab. I’m trying to find a way to backup/restore remote Linux servers (agents) to the LAN. I want to have a Veeam server on the LAN initiate and pull the data from the remote servers using port 22 (SSH) so that I do not have to open any additional ports on the remote servers or on the LAN.

Is this something that Veeam Cloud Connect can do? I’ve tried doing this with standard Veeam B&R but it just won’t traverse NAT.

All of the videos that I’ve watched seem to indicate that Veeam Cloud Connect is geared towards providing a backup service to other companies. I’m just trying to back up my own servers and I don’t need remote access to the Veeam console.

Also, everything on the LAN is behind a gateway device that provides WAF and SSL termination and I have a reverse proxy running on the LAN that can also terminate SSL.

Yes, Cloud Connect is geared toward service providers, but it can be used by the enterprise as well.

It can be used in the way you describe, only the agent would connect to your Cloud Connect gateway on port 6180, and through that gateway it could access the repository server within your internal network.


@Tommy O'Shea Thanks for replying!

So Cloud Connect cannot do everything through port 22?

Port 6180 would have to be opened on both sides? Would the Cloud Connect server initiate the backup and pull the data from the remote servers or does the agent on each server push the data to the CC gateway?

Same question about restoring a backup. I’m assuming the remote server (agent) will pull the data?


Port 22 is not in the picture at all. You just need to port forward TCP 6180 to the cloud gateway server, and ensure that the agent server can connect outbound on TCP port 6180.

And correct, the agent can restore from the cloud connect repository just like a normal repo. 


Cloud Connect has a good design that limits communication to one port, 6180/tcp, as Tommy mentioned above, between your VBR and the cloud gateway.

Behind the cloud gateway there has to be a backup repository and Cloud Connect. So between these 3 servers you will need several ports.

To implement that, you need to create tenant credentials on Cloud Connect and register them on VBR, where, in the Service Providers section, you need to register them and provide the cloud gateway FQDN or IP.


Yes, it is possible to change the port from 6180 to 22 when adding the cloud gateway on the Cloud Connect server,

and then when registering the cloud gateway on VBR you can specify port 22.


Just a security consideration here: Port 22 is a well-known port used for SSH. Yes, you can set up Cloud Connect to use that port, but most attackers will scan for those well-known ports first.

6180 is also in the books but way less frequented than 22 or any other default well-known port.

Also trying to push everything through a single port may lead to the fact that attackers will also be able to use one single port.

Maybe just as a hint.

Best

Lukas


A standalone VBR server uses port 22 to establish an SSH connection from the VBR server to the Veeam Agent for Linux.

Veeam Cloud Connect uses the Cloud Gateway Server to communicate with the Veeam Agent for Linux using TCP port 6180 by default. No other ports are required between the Linux Agent and the Gateway. All you need is one port open (6180) from the remote Veeam agent to the Veeam Cloud Connect infrastructure for both backup and restore.

Using port 22 for Veeam Cloud Connect traffic over NAT is not recommended, as it's a common, well-known target and increases the attack surface.

 

Another important point: SSL/TLS traffic inspection on Cloud Connect traffic is not recommended. We back up over 25,000 agents across WAN using Cloud Connect, and traffic inspections always cause issues with gateway communication and certificate exchange with VBR.