Solved

Veeam hardened repository behind NAT

  • 21 November 2021

Userlevel 2

We are trying to commission a new Veeam hardened repository for off-site backups (Backup Copy jobs). We have put the server behind internal NAT (i.e. using a private IP, not an internet IP) as we feel this will improve the security. Backup jobs work but Backup Copy jobs do not, and I am getting the impression that NAT is the problem. The primary repository is trying to communicate with the secondary using its ‘real’ IP rather than the NAT IP.

Can this be overcome?


Best answer by Mildur 21 November 2021, 13:44


Userlevel 7
Badge +1

Is the repository added to your backup server? 

Were you facing trouble while adding the repository?

Userlevel 7
Badge +12

If you are using a Linux backup repo with NAT, you should configure the following setting. Could you check that configuration?

https://helpcenter.veeam.com/docs/backup/vsphere/linux_server_ssh.html?ver=110

[For the Linux server deployed outside NAT] In the Preferred TCP connection role section, select the Run server on this side check box. In the NAT scenario, the outside client cannot initiate a connection to the server on the NAT network. As a result, services that require initiation of the connection from outside can be disrupted. With this option selected, you will be able to overcome this limitation and initiate a ‘server-client’ connection — that is, a connection in the direction of the Linux server.


Userlevel 7
Badge +20

If you are using a Linux backup repo with NAT, you should configure the following setting. Could you check that configuration?

https://helpcenter.veeam.com/docs/backup/vsphere/linux_server_ssh.html?ver=110

[For the Linux server deployed outside NAT] In the Preferred TCP connection role section, select the Run server on this side check box. In the NAT scenario, the outside client cannot initiate a connection to the server on the NAT network. As a result, services that require initiation of the connection from outside can be disrupted. With this option selected, you will be able to overcome this limitation and initiate a ‘server-client’ connection — that is, a connection in the direction of the Linux server.

I believe Mildur has the right option here that should fix the NAT problem. Let us know if it does.

Userlevel 2

If you are using a Linux backup repo with NAT, you should configure the following setting. Could you check that configuration? ...

I believe Mildur has the right option here that should fix the NAT problem. Let us know if it does.

Great, I will try this setting and report back.

Userlevel 7
Badge +12

@dkleeman 

Please do that :-)

Userlevel 7
Badge +13

Interesting topic! Didn’t know this!

Userlevel 7
Badge +9

If you are using a Linux backup repo with NAT, you should configure the following setting. Could you check that configuration? ...

I believe Mildur has the right option here that should fix the NAT problem. Let us know if it does.

Great, I will try this setting and report back.

Please revert back and I hope this helps! If it does not, then I can suggest possible networking tips to help resolve this issue.

Userlevel 2

If you are using a Linux backup repo with NAT, you should configure the following setting. Could you check that configuration?

https://helpcenter.veeam.com/docs/backup/vsphere/linux_server_ssh.html?ver=110

[For the Linux server deployed outside NAT] In the Preferred TCP connection role section, select the Run server on this side check box. In the NAT scenario, the outside client cannot initiate a connection to the server on the NAT network. As a result, services that require initiation of the connection from outside can be disrupted. With this option selected, you will be able to overcome this limitation and initiate a ‘server-client’ connection — that is, a connection in the direction of the Linux server.

Thank you for this. I have carried out this change and restarted the jobs. I think that it is working, and I have also created a firewall rule to allow traffic from the primary repository proxy to the secondary. It was not clear to me that this was needed.

Userlevel 7
Badge +12

@dkleeman 

You're welcome :-)

Thanks for the feedback. 
