In the previous post of this series, we registered a remote Veeam Backup & Replication and started to monitor it. VAC can do a lot of things, but when monitoring and the operations that can be done via VAC are not enough, it’s time to learn what other options are available.
Remote Access Console: the “reverse tunnel” of Veeam Cloud Connect
In its essence, Veeam Cloud Connect is a tunnel created over the Internet to allow a remote Veeam component to talk with the components installed at the Service Provider, regardless we are talking about Cloud Connect itself, or the new Veeam Availability Console. But exactly like in Linux SSH can be used as a “reverse tunnel” to flip the source and destination of a connection, the same has been done in Veeam Cloud Connect.
With the release of Veeam Backup & Replication 9.5 Update 2, one super cool (in my opinion) feature has been added: the Remote Access Console. This is not to be confused with the Remote Console: the latter is the standalone console that, starting from 9.5, can be installed in any windows computer of the local network, like the Admin computer, and connect to a Veeam Backup & Replication Server. Remote Access Console is a little bit different, because it works in a different way:
By using the tunnel created by Cloud Connect, two Network Redirectors are started, one at each site; these Remote Access Console can connect back to the remote Veeam Backup Server, so that a Service Provider can actually manage the installation as it was a local one. This console is dedicated to this type of connections, in fact upon opening it asks for a Cloud Connect server to use:
Connections can happen both directly to the VBR server running Cloud Connect (for administrators working in the premises of the Service Provider) but also from another location, through the Cloud Gateway connection (like an administrator working from home). In both cases, once the connection has been configured, this is what administrators may see:
The software already filters out any tenant without the remote connection option availalable, and then shows for each of them which VBR servers are available. The administrator inputs then username and password of the remotesystem, and the console connects to it. The end result is the same exact console that an administrator would have on premises, without any need for Remote Desktop or a VPN:
As I anticipated in the previous post of the series, one of the possible uses of this tecnology is to remotely update the license of a Veeam Server, as it’s reminded to the service provider in this example as soon as he connects to the tenant installation. And since this special console is running in the provider computer, the Open File dialog box can browse his filesystem, so the license file doesn’t even need to be stored into the remote machine, and the license can be updated immediately.
Obviously, this is not even the main use case of this feature: any operation that requires the VBR console can be executed with the Remote Access Console. Create a new backup job, modify it, execute a restore operation, all can be done from a remote location. And if something more needs to be done (or following the previous example, if there’s Veeam Enterprise Manager managing the license, so the console is not enough to renew the license itself…) the solution allows to open a complete Remote Desktop on the Microsoft Windows machine where Veeam Backup & Replication is installed. From the VBR console, in the lists of tenants, we only need to select the other option:
We briefly see that RDP is connecting to localhost:6119. With a quick search in the system using netstat and task manager, we discover that the process using TCP port 6119 is, no surprise, VeeamNetworkRedirector.exe, that is the process connecting the two side of the Cloud Connect tunnel.