Application Processing
Do you need Application Processing?
For the vast majority of protected assets, crash consistency can be considered sufficient.
Application-aware processing requires the Veeam Backup and Replication infrastructure to log in to production servers to interact with OSes and applications. While it allows the applications and file system to be consistent at the time of backup, it may be considered a risk, because any credentials provided will be stored in the Veeam Backup and Replication configuration database.
Alternative solutions would be:
- Back up assets without Application Processing, i.e. take crash-consistent backups.
- Use gMSA (Group Managed Service Accounts) if you use VBR v12 or later.
- Use agents to back up your assets.
Note: Granular application items can still be restored from a non-application-aware backup through the explorers. To do this, launch a “Guest file” restore, and from the explorer force an Application Item restore.
gMSA
gMSA is not fully secure either. If you feel the need to delegate password management to Microsoft gMSA, keep in mind that the guest interaction proxy server will then have to be part of the domain.
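The following PowerShell audit is an added example, not part of the original page or of Veeam's tooling: it lists every account that can retrieve the gMSA password (expanding groups) and flags any that are not on an expected list. The gMSA name and computer account names are hypothetical, and the expected list assumes that only the guest interaction proxy and the protected guests should be able to read the password.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Hypothetical names: replace with your own gMSA and computer accounts.
$GmsaName = 'gmsa-veeam-guest'
$Expected = @('GIP01$', 'SQL01$', 'FILE01$')   # guest interaction proxy + protected guests

function Get-GmsaPasswordReaders {
    param([Parameter(Mandatory)][string]$Name)

    $gmsa = Get-ADServiceAccount -Identity $Name `
        -Properties PrincipalsAllowedToRetrieveManagedPassword

    foreach ($dn in $gmsa.PrincipalsAllowedToRetrieveManagedPassword) {
        $obj = Get-ADObject -Identity $dn -Properties sAMAccountName
        if ($obj.ObjectClass -eq 'group') {
            # A group grants the password to every nested member, so expand it.
            Get-ADGroupMember -Identity $dn -Recursive | ForEach-Object {
                [pscustomobject]@{ Account = $_.SamAccountName; Via = $obj.sAMAccountName }
            }
        }
        else {
            [pscustomobject]@{ Account = $obj.sAMAccountName; Via = '(direct)' }
        }
    }
}

$readers    = @(Get-GmsaPasswordReaders -Name $GmsaName)
$unexpected = @($readers | Where-Object { $_.Account -notin $Expected })
$missing    = @($Expected | Where-Object { $_ -notin $readers.Account })

$readers | Sort-Object Account | Format-Table -AutoSize

if ($unexpected.Count -gt 0) {
    Write-Warning ("Accounts able to read the gMSA password but not expected: " +
        (($unexpected.Account | Sort-Object -Unique) -join ', '))
}
if ($missing.Count -gt 0) {
    Write-Warning ("Expected accounts that cannot read the gMSA password: " +
        ($missing -join ', '))
}
```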
Active Directory backup
Consistent backup of Active Directory requires Built-in Administrator credentials on the guest.
To avoid storing these credentials in the Veeam database, it is good practice to back up the Active Directory servers using an unmanaged agent against a Veeam repository. This way, the Administrator account will stay protected, and restoring Active Directory items using the explorer will request a proper login at restore time.
gMSA can also be considered if the unmanaged agent cannot be used (for example, if the AD server is deployed on Microsoft Windows Core).
Guest Interaction Proxy placement
Guest interaction proxies make it possible to interact with Microsoft Windows guests in less secure zones without exposing the backup server in these zones. Using the guest interaction proxy will drastically limit the exposure of the Veeam Backup and Replication server. The ports required for guest interaction processing are listed in the user’s guide.
Console for Explorers placement
Deploying the Veeam Console in isolated zones is helpful when restoring guest items, as it allows the operation without opening the Microsoft RPC dynamic port range from the management zone to the isolated zone. The console may be deployed on the guest interaction proxy that should already sit in that zone.
Restore credentials
At restore time, when using Veeam Explorers, authentication against the destination server uses the Guest Interaction Credentials configured in the backup job. Changing the credentials in the job configuration will change the account used at restore time. Removing the guest interaction configuration will result in an interactive prompt for credentials at restore time.