4.8 Veeam proxies

In order to receive replication data from a tenant, at least one proxy is needed. This proxy needs to be able to talk with its controlling VBR server, the vCenter server (standalone or connected to vCloud Director) and all the ESXi hosts. To increase the availability of the service, deploy multiple proxy servers. Any service provider should consider carefully how many proxies are necessary based on the specific design of the environment.

| PROXY1 | |
|---|---|
| Server name | proxy1.cloudconnect.local |
| IP Address | 10.10.110.101 |
| Operating System | Windows Server 2012 R2 |
| Installed components | Veeam Proxy |
| vCPU | 4 |
| RAM | 8 GB |
| Disk | 40 GB |

| PROXY2 | |
|---|---|
| Server name | proxy2.cloudconnect.local |
| IP Address | 10.10.110.102 |
| Operating System | Windows Server 2012 R2 |
| Installed components | Veeam Proxy |
| vCPU | 4 |
| RAM | 8 GB |
| Disk | 40 GB |

Proxies need to communicate with the different components: ESXi hosts and vCenter, Veeam Backup & Replication server, cloud gateways, WAN accelerators. For this reason, you should add firewall rules between the different networks.

NOTE: Some additional aliases have been added to the central firewall:

Proxies: 10.10.110.101, 10.10.110.102

| Proto | Source | Port | Destination | Port | Description |
|---|---|---|---|---|---|
| IPv4 TCP/UDP | Proxies | * | Domain_controllers | 53 (DNS) | Allow accelerators to use internal DNS |
| IPv4 TCP | VBR_Server | * | Proxies | 6160 | Veeam Installer from VBR to Proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 6162 | Veeam Transport from VBR to Proxies |
| IPv4 TCP | VCC_gateways | * | Proxies | 2500-5000 | Gateways transfer data to WAN accelerators |
| IPv4 TCP | VBR_Server | * | Proxies | 2500-5000 | VBR transfers data to Proxies |
| IPv4 TCP | VBR_Server | * | Proxies | 49152-65535 | Veeam RPC from VBR to Proxies |
| IPv4 TCP/UDP | VBR_Server | * | WAN_accelerators | 137-139 | Veeam SMB share access from VBR to WAN accelerators |

You can keep the last rule disabled and enable it only when a Veeam component needs to be installed or upgraded, because Veeam uses SMB shares to deploy the installer packages to remote Windows servers.
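The rule table can also be kept as data and checked against the flows the design expects, so that an over-broad or accidentally enabled rule is caught at review time. The following is an added example, not part of the original guide: it assumes the central firewall denies anything not explicitly allowed, every address except the Proxies alias is a constructed placeholder, and the function names are hypothetical.

```python
from collections import namedtuple

# "Proxies" is the alias from the page; every other address is a constructed
# placeholder from the 192.0.2.0/24 documentation range.
ALIASES = {
    "Proxies": {"10.10.110.101", "10.10.110.102"},
    "VBR_Server": {"192.0.2.10"},
    "VCC_gateways": {"192.0.2.21", "192.0.2.22"},
    "Domain_controllers": {"192.0.2.5"},
    "WAN_accelerators": {"192.0.2.31"},
}

# lo/hi are the first and last destination port of the rule.
Rule = namedtuple("Rule", "protos src dst lo hi desc enabled", defaults=(True,))

# The rule table above; the SMB rule is modelled as disabled by default.
RULES = [
    Rule("TCP/UDP", "Proxies", "Domain_controllers", 53, 53, "DNS"),
    Rule("TCP", "VBR_Server", "Proxies", 6160, 6160, "Veeam Installer"),
    Rule("TCP", "VBR_Server", "Proxies", 6162, 6162, "Veeam Transport"),
    Rule("TCP", "VCC_gateways", "Proxies", 2500, 5000, "Gateway data"),
    Rule("TCP", "VBR_Server", "Proxies", 2500, 5000, "VBR data"),
    Rule("TCP", "VBR_Server", "Proxies", 49152, 65535, "Veeam RPC"),
    Rule("TCP/UDP", "VBR_Server", "WAN_accelerators", 137, 139, "SMB deploy", False),
]

def match(proto, src_ip, dst_ip, port, rules=RULES):
    """Description of the first enabled rule allowing the flow, else None (default deny)."""
    for r in rules:
        if (r.enabled and proto in r.protos.split("/") and r.lo <= port <= r.hi
                and src_ip in ALIASES[r.src] and dst_ip in ALIASES[r.dst]):
            return r.desc
    return None

def with_smb_enabled(rules=RULES):
    """Copy of the rule set for an install/upgrade window (SMB rule switched on)."""
    return [r._replace(enabled=True) if r.desc == "SMB deploy" else r for r in rules]

def audit(expectations, rules=RULES):
    """Return the flows whose verdict differs from the expected one."""
    return [f for f, want in expectations if (match(*f, rules=rules) is not None) != want]

# Constructed expectations: (flow, should_be_allowed)
EXPECTED = [
    (("TCP", "192.0.2.10", "10.10.110.101", 6162), True),   # VBR transport to proxy1
    (("TCP", "192.0.2.21", "10.10.110.102", 2500), True),   # gateway data to proxy2
    (("TCP", "192.0.2.21", "10.10.110.101", 6160), False),  # installer port is VBR-only
    (("UDP", "10.10.110.102", "192.0.2.5", 53), True),      # proxy DNS lookup
    (("TCP", "192.0.2.10", "192.0.2.31", 139), False),      # SMB off outside maintenance
]
```

An empty list from `audit(EXPECTED)` means the modelled rules permit exactly the expected flows; rerun it with `with_smb_enabled()` to see which expectations change during an install or upgrade window.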

Once all the different firewall rules are in place, service providers can deploy the proxy component on the different proxy servers:

4.24: Install a new Veeam proxy

Leave all the configuration parameters at their defaults. Transport mode in particular should be left as automatic: the proxies are VMs and will use hotadd mode, which is the preferred mode for a target proxy, while automatic selection still allows network mode to be used as a failover option should hotadd mode not work.

Traffic rules are also left empty, as any bandwidth management is done directly by Veeam Cloud Connect when configuring a tenant.

One last step remains once the Veeam proxies have been deployed. By default, the Veeam Backup & Replication server itself is also configured as a proxy.

4.25: List of available Veeam proxies

To guarantee that replication traffic follows the designed path from cloud gateways to WAN accelerators and proxies, disable the default proxy role installed on the Veeam Backup & Replication server, or remove the role completely.