2.1 Veeam Backup & Replication server

As in every Veeam Backup & Replication deployment, this is the central component. Veeam Backup & Replication holds the main Veeam backup service, which manages all configurations and saves them into the back-end Microsoft SQL Server. You can manage it using the standalone console, which is installed locally on the same Windows server or in a remote Windows machine. You can also use either PowerShell or RESTful API to manage Veeam Backup & Replication.

Veeam Backup & Replication requires a 64-bit Windows operating system.

NOTE: It is required to deploy a dedicated Veeam Backup & Replication instance for Cloud Connect services, and avoid if possible mixing with other Veeam-powered services.

If you are only using Veeam Cloud Connect backup, Veeam Backup & Replication does not involve local activities on the service provider’s hypervisor hosts. Instead, it only receives backups from customers that are already processed at the customer’s sites. For this reason, the requirements for its installation are lower than usual: A simple VM with 4 vCPU and 8 GB of RAM will suffice to hold both the Veeam backup service and Microsoft SQL Server. This value is obviously a starting point: more detailed information about sizing Veeam Cloud Connect servers will be described in chapter 3.3, when we will deploy the server hosting VCC.

Regarding the SQL Server, the default Microsoft SQL Server Express can be enough unless the Veeam Cloud Connect infrastructure will host a very large amount of customers, because activity logs can fill the maximum size of an Express database (10 GB). If this is the case, you should plan to use a regular SQL installation (Standard or Enterprise) either in the same machine or in a dedicated one.

However, if you are going to deploy Veeam Cloud Connect for DRaaS also, the Veeam Backup & Replication service is going to manage a proper virtualized environment with many virtual machines belonging to all the different hosted customers. In this case, please refer to Veeam best practices to properly size the Windows server hosting the service, and plan on using at least Microsoft SQL Standard.

Service account

Security best practices suggest using a dedicated account to run the different Veeam services. This is usually referred as a service account because it is a user that will not be used for interactive logins, but rather only to run the different Veeam services.

The use of a service account has some advantages that providers should consider:

  • The account can be configured with a very complex password, which only the minimum amount of administrators that will manage the service will know;
  • User accounts can follow security rules about changing their passwords regularly, without the risk to stop any service because the service account can use a dedicated user ID with an exception to the password expiration policy;
  • It is easier to trace and log activities for the different services over the network, both for debugging and for auditing purposes. For example, instead of seeing the same “administrator” account in every log, a service provider can create a service account as veeam-service, and whenever a log will report this user, administrators will know that the traced activity is related to Veeam services.

By default, the installation wizard of Veeam Backup & Replication Server uses LOCALSYSTEM as the service account to execute the service.

It is better to create and use a dedicated account to run the services. Once the account has been created, either as a local account or an Active Directory account, service providers need to add this user to the local administrators of the server that will host the Veeam Backup & Replication server. Then, they can use the account during the installation by selecting Let me specify different settings:

Specify different settings during Veeam Backup & Replication Setup

2.1: Specify different settings during Veeam Backup & Replication setup

In the following step of the wizard, administrators need to specify the service account:

Specify a Service Account for Veeam Backup & Replication

2.2: Specify a service account for Veeam Backup & Replication

Remember that this user needs to be part of the local Administrators of the Veeam Backup server.

The service account is also used for the authentication in SQL Server, as we select to use Windows authentication (SQL Server authentication is equally supported):

Specify SQL server settings

2.3: Specify SQL server settings

In the last step of the Setup wizard, before the installation begins, administrators will see a recap of the selection options, and the checkbox Check for updates once the product is installed and periodically:

Check for updates once the product is installed and periodically

2.4: Check for updates once the product is installed and periodically

This option allows the Veeam Backup & Replication server to connect to the Veeam update notification server (http://dev.veeam.com), so that it will notify administrators about the availability of updates for the software. See the later chapter Regular maintenance of the components for additional details.

Firewall

Once deployed, Veeam Backup & Replication has different services, listening over different TCP ports:

Port Service name Description
111 VeeamNFSSvc.exe  
1063 VeeamNFSSvc.exe  
2049 VeeamNFSSvc.exe  
6160 VeeamDeploymentSvc.exe  
6161 VeeamNFSSvc.exe  
6162 VeeamTransportSvc.exe  
6169 Veeam.Backup.CloudService.exe Veeam Cloud Connect Service
6170 Veeam.Backup.MountService.exe  
6190 Veeam.Guest.Interaction.Proxy.exe  
6210 VeeamFilesysVssSvc.exe  
6290 Veeam.Guest.Interaction.Proxy.exe  
8190 VeeamNetworkRedirector.exe  
8191 VeeamNetworkRedirector.exe  
9380 Veeam.Backup.Agent.ConfigurationService.exe  
9381 Veeam.Backup.Agent.ConfigurationService.exe  
9392 Veeam.Backup.Service.exe Veeam Backup Service
9393 Veeam.Backup.CatalogDataService.exe Catalog Service
9396 Veeam.Backup.UIServer.exe  
9401 Veeam.Backup.Service.exe Veeam Backup Service over SSL
9402 Veeam.CloudBackup.PlatformService.exe  
9501 Veeam.Backup.BrokerService.exe  
9509 Veeam.Backup.Cdp.Service.exe  
10001 Veeam.Backup.Service.exe  
10002 Veeam.Backup.Service.exe  
10003 Veeam.Backup.CloudService.exe  
10005 Veeam.Backup.Service.exe  
10006 Veeam.Backup.Service.exe  
11731 VeeamDeploymentSvc.exe  
20443 Veeam.Azure.PlatformSvc.exe  

This list is remarkable. Not every service needs to be used in a Cloud Connect deployment, and not all of them has to be listening over the network. But the UI and the different services relies on various services and we cannot plan for when one of them one will be used. If we disable some of these services, this will result in a hanging UI or a timeout error.

For this reason, we officially recommend to leave all services up and running, and work with firewall rules to allow remote communications only for the services that are needed in a Cloud Connect environment. A reduced list of services that have to be listening over the network is this:

Port Service name Description
6160 VeeamDeploymentSvc.exe  
6162 VeeamTransportSvc.exe  
6169 Veeam.Backup.CloudService.exe Veeam Cloud Connect Service
8190 VeeamNetworkRedirector.exe  
8191 VeeamNetworkRedirector.exe  
9380 Veeam.Backup.Agent.ConfigurationService.exe  
9381 Veeam.Backup.Agent.ConfigurationService.exe  
9392 Veeam.Backup.Service.exe Veeam Backup Service
9396 Veeam.Backup.UIServer.exe  
9401 Veeam.Backup.Service.exe Veeam Backup Service over SSL
9402 Veeam.CloudBackup.PlatformService.exe  
9501 Veeam.Backup.BrokerService.exe  
10001 Veeam.Backup.Service.exe  
10002 Veeam.Backup.Service.exe  
10003 Veeam.Backup.CloudService.exe  
10005 Veeam.Backup.Service.exe  
10006 Veeam.Backup.Service.exe  
11731 VeeamDeploymentSvc.exe  

Monitoring

Once deployed, Veeam Backup & Replication Server has different services installed in the Windows machine that you should monitored to guarantee the best Availability for the service:

Name DisplayName
MSSQL$VEEAMSQL2016 SQL Server (VEEAMSQL2016)
VeeamBackupSvc Veeam Backup Service
VeeamBrokerSvc Veeam Broker Service
VeeamCloudSvc Veeam Cloud Connect Service
VeeamDeploySvc Veeam Installer Service
VeeamDistributionSvc Veeam Distribution Service

There are additional Veeam services deployed as part of the default installation. They are not in this list because they are not involved in a Veeam Cloud Connect infrastructure.

Protection

This machine is the most important piece of the environment. Since it cannot be installed in multiple instances, providers need to put a special care to guarantee both its availability and recoverability. For higher availability, a good solution is to run it as a VM and then rely on the underlying hypervisor for High Availability. Features like VMware vSphere HA or Hyper-V Failover Clustering can protect it and guarantee quick recovery times if the single hypervisor node where the VM is running fails. For recoverability, service providers can and should use Veeam configuration backup in order to back up the overall configuration of the Cloud Connect environment, and plan to have a restore plan if anything happens to this machine like corruption, malware encryption or problems to the underlying Windows OS.