Preparation for Scanning Veeam Backup & Replication (VBR)
StorageGuard collects configuration data from Veeam Backup & Replication (VBR) using read-only REST API requests and PowerShell commands.
The following table lists the requirements for scanning VBR:
# | Description |
1 | Provide the network name or IP address of the VBR server. |
2 | Provide an OS user with remote management privileges on the VBR server. |
3 | Assign the user the "Veeam Backup Administrator" role. |
4 | The user should be allowed to run REST API GET requests (default port 9419). REST API Examples: |
5 | The user should be allowed to run read-only Veeam PowerShell cmdlets. Cmdlet Examples: |
6 | Ensure that Windows PowerShell version 5.1 or above is installed on the VBR server. |
7 | Make sure that IP connectivity through WinRM (80, 5985) and CIFS (445) is available between the StorageGuard server and the Veeam server. If WinRM is not used by your organization, make sure that IP connectivity is permitted through WMI on all TCP ports and UDP ports 135, 137, 138, and 139. |
Notes:
- It is possible to use a user with the "Veeam Backup Viewer" role. However, currently this role is limited and does not provide access to all required configuration data for complete security analysis.
- Currently the REST API alone is insufficient for full visibility. PowerShell (CLI) access is required to complete the configuration scan and apply all relevant security checks.
- As part of the configuration scan, StorageGuard will run Veeam's Compliance and Security analyzer.
Creating a User Account for Scanning VBR
The following suggested method can be used to create a user account with appropriate privileges:
- Create a user named sguard.
- Grant the user the Remote Management role on the VBR server.
- On the Veeam server, run the following command to grant the user permissions in Veeam: Add-VBRUserRoleAssignment -Name sguard -Role BackupAdmin
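A pre-flight check for requirements 2, 4, 6 and 7 in the table above, run from the StorageGuard server once the scan account exists. This is an added example, not part of the StorageGuard or Veeam documentation; the function name Test-VbrScanPrereq is hypothetical and vbr01.example.local is a placeholder host name.

```powershell
# Added example: verifies network reachability and the PowerShell version
# required for a VBR scan. Port numbers come from the requirements table.
function Test-VbrScanPrereq {
    param(
        [Parameter(Mandatory)] [string]       $VbrServer,
        [Parameter(Mandatory)] [pscredential] $Credential
    )

    $ports = [ordered]@{
        'REST API' = 9419   # requirement 4 (reachability only, not authorization)
        'WinRM'    = 5985   # requirement 7
        'WinRM 80' = 80     # requirement 7
        'CIFS'     = 445    # requirement 7
    }

    # One result row per TCP port.
    $results = @(foreach ($name in $ports.Keys) {
        $t = Test-NetConnection -ComputerName $VbrServer -Port $ports[$name] `
                                -WarningAction SilentlyContinue
        [pscustomobject]@{
            Check  = "TCP $($ports[$name]) ($name)"
            Passed = [bool]$t.TcpTestSucceeded
            Detail = "$($t.RemoteAddress)"
        }
    })

    # Requirement 6: PowerShell 5.1 or above on the VBR server. Running this
    # over WinRM with the scan account also confirms requirement 2.
    try {
        $ver = Invoke-Command -ComputerName $VbrServer -Credential $Credential `
                   -ErrorAction Stop -ScriptBlock { $PSVersionTable.PSVersion.ToString() }
        $results += [pscustomobject]@{
            Check  = 'Remote PowerShell >= 5.1'
            Passed = ([version]"$ver" -ge [version]'5.1')
            Detail = "$ver"
        }
    }
    catch {
        $results += [pscustomobject]@{
            Check  = 'Remote PowerShell >= 5.1'
            Passed = $false
            Detail = $_.Exception.Message
        }
    }
    $results
}

# Example call (placeholder host name):
# Test-VbrScanPrereq -VbrServer 'vbr01.example.local' -Credential (Get-Credential sguard)
```

Any row with Passed = False points to the requirement to fix before the first scan. The check does not exercise the Veeam role assignment itself.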