Link Search Menu Expand Document


Best Practice

  • Static IPv4 for VB365 server
  • Static IPv4 for VB365 proxy/repo server
  • Create A and PTR records in DNS
  • Prefer IPv4 over IPv6
  • Use an as direct as possible internet connection between the proxies and the M365 infrastructure
  • Enable TLS 1.2 and the following cipher suites on the VB365 server and proxies



Working stable communication between the components with working DNS name resolution is key to prevent hard to trace errors.

Direct internet connection

Any kind of proxy or traffic shaping in the connection between the VB365 proxies and the M365 API servers can badly influence performance. A slow proxy can increase the sync time which is required to check for changes on an M365 object during an incremental backup run up to several minutes. Normal sync times for a direct connection are expected to be in the range of 50 to 150 milliseconds.

TLS 1.2 Cipher Suites

Connections to Microsoft 365 require at least TLS 1.2 (see M365 supported cipher suites). Some of the services (including Teams) make use of Azure Front Door to terminate TLS connections. Because of that the list of supported Azure Front Door TLS cipher suites defines the cipher suites which must be enabled for Veeam Backup for Office 365. Enable at least one of the following cipher suites on your VB365 and proxy servers. The suites are already listed in preference for security with the top secure one being on top. The ECDHE key-exchange type suites are available from Windows Server 2016 onwards.


Cipher suites can be enabled via the PowerShell cmdlet Enable-TlsCipherSuite or via Group Policy. Enabled cipher suites can be reviewed via the PowerShell cmdlet Get-TlsCipherSuite.

Customers have also reported success using third party applications such as IISCrypto for updating cipher suites and TLS versions on systems running Windows Server 2012 R2 and older.

Back to top

Copyright © 2019-2022 Solutions Architects, Veeam Software.