Question

Veeam Proxy without domain


Userlevel 3

For security reasons, our backup proxies should not be domain servers. Can anyone tell me if and how I can add a non-domain server as a backup proxy? Both the server and the proxy are VMs and in the same networks.



Userlevel 7

Hi, when you add the proxy, you just add the credentials as HOSTNAME\Username.

Be aware that if you’ve got UAC enabled on the proxies and you aren’t using the default administrator account, you’ll have issues pushing out components. KB4185: "Access is Denied." When Using a Local Account to Add a Windows Machine to Veeam Backup & Replication will help resolve that.

Userlevel 7

Hello @dtheo 

Yes, you can. No problem

Userlevel 3

I have used HOSTNAME\localAdminAccount as credentials and have also set up any/any in the local firewall as a test, but the error "Network path not found, or invalid credentials supplied" appears when adding the proxy.

Userlevel 7

Hi @dtheo - try adding the IP and hostname of the Proxy to the hosts file on the VBR server. Also, add the IP and hostname of VBR to the Proxy hosts file.

Also, even if using a local admin account, you may still need to perform the steps of the article Michael shared above. And don't forget to disable UAC on the Proxy server. 

Userlevel 7

Hi @dtheo I'll add you links to best practices on security

Veeam_Security_Best_Practices_2022

Veeam_Security_Checklist

Hardening Veeam 12 Server: the definitive checklist | Veeam Community Resource Hub

regards

 

Userlevel 7

I have used HOSTNAME\localAdminAccount as credentials and have also set up any/any in the local firewall as a test, but the error "Network path not found, or invalid credentials supplied" appears when adding the proxy.

You’ve said localadminaccount so I assume that it’s not the explicit ‘Administrator’ account? Called that or renamed to something else? If so I’m 99% confident your issues are UAC, check the KB article I sent you. You can test by disabling UAC on the proxy server and if it works, you can amend some registry keys to allow UAC to be enabled and still allow access to the ADMIN$ share.

Userlevel 3

Thank you all for the tips.

Does something have to be pre-installed on the backup proxy?

For a test, I have now used the Windows local admin account.

Userlevel 7

Not from a Veeam binaries perspective; it pushes everything out when you add it as a backup proxy. There are system requirements, however, as detailed on helpcenter.veeam.com, such as minimum .NET versions.

Userlevel 7

Remember that you can use Linux servers for proxies in your environment too.
You can see this here: Implementing Linux Veeam Proxies | Veeam Community Resource Hub

Userlevel 7

Also be sure that your VBR server can resolve the hostname; you may need to add this to your hosts file since it is non-domain. Also, the other things posted to check are good as well.

Userlevel 7

Remember that you can use Linux servers for proxies in your environment too.
You can see this here: Implementing Linux Veeam Proxies | Veeam Community Resource Hub

This.  If you’re using a non-domain joined machine as a proxy, I’d suggest using a Linux box for a more lightweight machine and less Microsoft tax.

Userlevel 7

Remember that you can use Linux servers for proxies in your environment too.
You can see this here: Implementing Linux Veeam Proxies | Veeam Community Resource Hub

Remember the Linux proxy limitations:

Requirements and Limitations for VMware Backup Proxies - User Guide for VMware vSphere (veeam.com)

Userlevel 7

Remember that you can use Linux servers for proxies in your environment too.
You can see this here: Implementing Linux Veeam Proxies | Veeam Community Resource Hub

Remember the Linux proxy limitations:

Requirements and Limitations for VMware Backup Proxies - User Guide for VMware vSphere (veeam.com)

Also, you need to disable multipathing as well - KB4460: Failed to get guest OS path for newly attached disk there are 2 new disks with uuid (veeam.com)

Userlevel 7

@dtheo, if you are using Windows proxy VMs, I would recommend using the Core installation and not the full GUI - more secure and fewer updates are required.

Userlevel 3

Hello everyone,

thanks for your help!
It worked, due to the hardening of the systems (Hardening Kitty) some things had to be considered and adjusted.
My wish is that the VEEAM server is also not in the domain, would that also work without problems?
The jobs themselves would then have to run via a local account that is identical to the one on the server on all proxies, right?

Userlevel 7

Hi @dtheo 

The best practice advises not to domain join the Veeam infrastructure.
Local accounts must have grants to perform their roles.

Userlevel 7

Hi @dtheo 

The best practice advises not to domain join the Veeam infrastructure.
Local accounts must have grants to perform their roles.

Exactly! For reference:

Best Practice

For the most secure deployment add the Veeam components to a management domain that resides in a separate Active Directory Forest and protect the administrative accounts with two-factor authentication mechanics. This way the Veeam Availability Infrastructure does not rely on the environment it is meant to protect.

Workgroup or Domain ? - Veeam Backup & Replication Security Best Practice Guide

Userlevel 3

Hello everyone, unfortunately no backup job works via my non-domain proxies.
I have also not yet understood whether I have to activate something under "Guest Processing" and enter something there under "Guest interaction proxy" and "guest OS credentials". As a test, I selected one of my proxies there and entered the credentials of a local account on this proxy with administrative access (LUA is disabled). Unfortunately, it doesn't work, regardless of whether I activate "Enable application-aware processing" or leave it completely deactivated. The error is "NFC storage connection is unavailable." The proxies themselves are hardened with Hardening Kitty.

Userlevel 7

@dtheo - unless you’re needing file searching through your backups (honestly don’t know many who do), Guest Processing isn’t needed. If you’re needing to backup DB logs, then just AAIP needs enabled. The user account you use there would need to have access to all servers whose logs you’re backing up (i.e. a service acct, for instance).

A non-domain setup can be buggy imo. You have to create a good hosts file on every Veeam component. You have to create local user accounts. You have to be wary of Windows firewall rules. You have to verify network communication between components. You have to use correct user credential format (LOCALHOST/username, for ex.), etc.

Userlevel 7

Hello everyone, unfortunately no backup job works via my non-domain proxies.
I have also not yet understood whether I have to activate something under "Guest Processing" and enter something there under "Guest interaction proxy" and "guest OS credentials". As a test, I selected one of my proxies there and entered the credentials of a local account on this proxy with administrative access (LUA is disabled). Unfortunately, it doesn't work, regardless of whether I activate "Enable application-aware processing" or leave it completely deactivated. The error is "NFC storage connection is unavailable." The proxies themselves are hardened with Hardening Kitty.

Hi @dtheo

It seems that the proxy does not resolve the esxi\vcenter\storage.
Check this KB:

https://www.veeam.com/kb1198

The causes of most NFC errors fall into 4 main categories:

Check this:
DNS
   (The proxy or Veeam server cannot resolve the ESXi host)
Port (902)
   (The proxy can resolve the IP, but port 902 is blocked)
Permissions*
   (The account specified in [Backup Infrastructure] for the vCenter does not have permissions)
Blocked file
   (The file that Veeam is trying to read is locked in the vSphere environment)

Check the following logs:
%programdata%\Veeam\Backup
Open the folder corresponding to the name of the problem job.
Within this folder, you need to find the agent log for the specific virtual machine.
For a backup job:
Agent.<JobName>.Source.<VMName>.log

regards
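
Added example, not part of the thread: a PowerShell check for the first two NFC causes listed above (name resolution and port 902), together with the hosts-file entries suggested earlier for non-domain components. The host names are placeholders, and the port 445 entry assumes the ADMIN$ share is reached over SMB.

```powershell
# Run on the proxy, then again on the VBR server.
# Target names are placeholders (assumptions); replace them with your own hosts.
$targets = @(
    [pscustomobject]@{ Name = 'esxi01.example.local'; Port = 902 }  # NFC port named in KB1198
    [pscustomobject]@{ Name = 'veeam-proxy01';        Port = 445 }  # SMB, assumed for ADMIN$ access
)

# Read the local hosts file, dropping comments and empty lines.
$hostsPath  = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
$hostsLines = Get-Content -Path $hostsPath |
    ForEach-Object { ($_ -replace '#.*$', '').Trim() } |
    Where-Object { $_ }

$results = foreach ($t in $targets) {
    # The system resolver consults the hosts file first, then DNS.
    $addresses = @()
    try {
        $addresses = @([System.Net.Dns]::GetHostAddresses($t.Name) |
            ForEach-Object { $_.IPAddressToString })
    } catch {
        # Leave $addresses empty: the name does not resolve on this machine.
    }

    # Is there an explicit hosts-file entry for this name?
    $inHosts = [bool]($hostsLines | Where-Object { ($_ -split '\s+') -contains $t.Name })

    # Only test the port when the name resolves, so the two failure causes stay distinct.
    $portOpen = $false
    if ($addresses.Count -gt 0) {
        $portOpen = (Test-NetConnection -ComputerName $t.Name -Port $t.Port `
            -WarningAction SilentlyContinue).TcpTestSucceeded
    }

    [pscustomobject]@{
        Target      = $t.Name
        Resolved    = ($addresses -join ', ')
        InHostsFile = $inHosts
        Port        = $t.Port
        PortOpen    = $portOpen
    }
}

$results | Format-Table -AutoSize
```

An empty Resolved column points to the DNS/hosts-file cause; a resolved name with PortOpen False points to a firewall or hardening rule blocking the port.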
