Last week, I explained how to manually connect standalone computers to Veeam Availability Console. This time we will try to automate this process as much as possible.
The use case
Why we need to have a fully automated installation? Well, if you have looked at how the default installation process works, the management agent doesn’t ask for any configuration during the installation process. The three information we need (dns name of the VAC system, username and password) are asked when the agent is first configured. But this could be both a difficult task for basic users, and cumbersome (and error prone) even for IT people.
Imagine when we are onboarding a new customer, that has only individual computers not connected to any Windows domain: we have no option to use GPO rules or discovery methods, we need to send to each user the package and ask to install it. We have a high risk that user will ask for assistance during the configuration phase. So, it’s better to create a fully automated installation.
For my example, I’m using wy wife’s computer: the goal here is to pass her the package and see if she can arrive to the very end without my intervention.
NOTE: part of these instructions are available in the VAC official guide here. As they are designed more for distribution via GPO, I’ve adapted and extended them.
Create the unattended install
There are two ways to pass configuration parameters to the VAC Agent installer: via MST transform files, or using the command line. For our needs, we will use the latter. The former can still be a nice choice if we also want to customize the MSI package, for example to create custom packages for a service provider with a different logo, text and so on.
First, we need to obtain the VAC agent. As we have seen in the previous post, it can be obtained directly from the web interface. But there’s even a better place: if we go into the filesystem at C:\Program Files\Veeam\Availability Console\ApplicationServer\AgentPackage we can find the two versions of the installer, for x86 and x64 systems. Be careful if there’s a Upgrade folder, in that case go there and pick the version that’s there, it may be a newer version of the agent, so that we don’t have to upgrade it just after we installed it.
Together with the MSI file, we need a BAT file that will execute a command line. The string we need to use at a minimum needs to have these parameters:
msiexec.exe /qn /i VAC.CommunicationAgent.x64.msi ACCEPT_THIRDPARTY_LICENSES=”1″ ACCEPT_EULA=”1″ VAC_TENANT=”company\tenant” VAC_TENANT_PASSWORD=”tenant_account_password” CC_GATEWAY=”cloud_gateway_address”
A few notes here:
1- The official guide also suggest to add VAC_CERT_THUMBPRINT, that is the thumbprint of a certificate that is installed on the Veeam Availability Console server, and used to secure traffic between the service provider and clients. This property is optional and I actually suggest to NOT use it: especially if you use solutions like Let’s Encrypt certificates that are refresh monthly, the only outcome is that we will have to recreate the configuration file every time.
2- Even if VAC allows to have different users and roles, what we need here is a username that can authenticate via the underlying Cloud Connect. So, ignore any VAC user they you may have, we need to configure here the Company Owner (the tenant in VCC) or a sub-tenant.
I know, you are already screaming that we have a password in cleat text in this batch. And I agree, but we can fix it later. Let’s focus first on the command line. After some editing, the .bat file is ready to be tested. We place it in the same folder where we extracted the MSI file, we copy it into the test computer, and we run it by simply double-clicking it. After a few seconds, the VAC Agent icon appears in the tray icon, and if all it’s correct, we should have the agent correctly connected to VAC:
Perfect, this is what we wanted. People can just run the bat file and the installation would complete automatically, and we will have our computers registered into VAC, as in the case of my test virtual machine:
Securing the installation
As we said before, this method has a security issue: anyone can open the BAT file and see username and password of the credentials that can access VAC. We can fix a bit this problem however.
As a first step, we can compile the BAT file into an EXE file; this is not absolute security by any mean, and many tools can still open the file, but still it’s a first good step. To do so, since I have no programming skills, I searched for different tools around, and after some tests and failuers, I finally went for Bat to EXE Converter; it’s been a bit hard to find, so I’m only posting here the About screen instead of some link:
Once we open the software, we can load our BAT file and also edit some of the properties that the EXE file will have:
Together with the BAT command in fact, we can also configure the EXE format, the extraction target, and even things like a custom icon and Version information. Once we are ready, we hit the command Convert to obtain our EXE file. Now we have the small EXE and the Veeam MSI package.
Then, instead of sending both files to the user, we can package them into a Self-Extrating EXE file. To do so, I used this blog post, for which I say thanks to his author. These are the needed steps:
- create a c:\install folder for simplicity
- select the VAC msi and the newly created EXE file, right click and choose 7-Zip -> Add to Archive, giving it a name like vac_install.tz
- copy installer.tz into the c:\install folder
- download and extract the extra archive, find 7zS.sfx and copy it to c:\Install
- create a new config.txt file in the Install directory using Notepad++, encode it using UTF-8 and put in it a text like this:;!@Install@!UTF-8!Title=”Veeam Management Agent Installer”
BeginPrompt=”Do you want to install Veeam Management Agent?”
RunProgram=”vac_install.exe”
;!@InstallEnd@!
- open the install folder with CMD and run: copy /b 7zS.sfx + config.txt + vac_install.7z VAC_Installer.exe
we have our executable!
As said at the beginning, the final test has been to pass it to an end user, my wife, and see if her laptop would finally appear in VAC. First, when you run the program, Windows gives you a security warning (the computer is using Italian language), that is expected since my program is not digitally signed:
By hitting Yes (Sì), we get the message that we configured in the configuration file:
Hitting Yes again, the software is silently installed, the VAC icon appears in the tray icon, at first with the warning sign, but after a few seconds the connection to VAC is completed, and we see the succesful connection from the Agent itself:
But even more importantly, the additional computer is now visible in the VAC console:
We can now distribute the self-installer to all the computers we may want to add to our console!
Final Note: if VAC is using a self-signed certificate, the agent will install but it will be in an error state until the user will manually accept the certificate. It’s better to use properly signed certificate, like explained here: https://dellock6.github.io/vac-book/8-ssl.html .