How to deploy and integrate VHR with VBR

OOTBI (Object First Out-Of-the-Box Immutability) is an alternative solution to Veeam Hardened Repository (VHR). Since I have covered OOTBI extensively in the past, I will now focus on VHR. Please see Best Storage for Veeam: Comparing OOTBI by ObjectFirst to VHR. In this article, we shall discuss how to deploy and integrate VHR with VBR.
The Veeam Hardened Repository is a native Veeam solution that provides trusted immutability for Veeam Backup and Replication backups on a Linux server. This solution requires some basic Linux skills to configure and administer the Veeam Hardened Repository. Because of this, you may want to deploy OOTBI’s out-of-the-box immutability instead. Please see how to set up Veeam Software Appliance v13.
Note: For test purposes, I will be installing VHR on a virtual machine (VM). Installing Veeam Linux Hardened Repository on a Virtual Machine defeats the purpose of adequate data protection as the VM itself can be deleted. Therefore, installing the hardened repository on a physical box is advisable and ensures adequate physical security.
Download Veeam Hardened Repository ISO
There are different ways to deploy a Hardened Linux Repository, such as using Ubuntu Server or Red Hat Enterprise Linux Server. In this guide, I will be using the VHR ISO.
The Veeam Hardened Repository ISO is delivered as a bootable ISO which can be downloaded here. You can use a remote console or create a bootable USB stick from the ISO as you wish.
Upon login, you can find the ISO download in the Extension and Other section of your My Account > Products area. To download or get access to trial products and the License Management portal, please add your business email address to your profile.

Be sure to save the ISO to your desired location as shown below.

Upload ISO to Proxmox
In order for you to follow along, here is how to install Proxmox on your server or Mini PC. This article completes the one shared above, “Install Proxmox VE on a Beelink EQ12 Mini PC”.
To create a VM on Proxmox, navigate to the URL of your Proxmox instance. Log in with your root or admin user credentials.
Note: Before creating a VM, you need to upload the ISO image. In Proxmox Web UI, navigate to Datacenter, and select a storage location. Select ISO images and click on upload. Choose the ISO file and upload it.

As you can see, we have uploaded our ISO to Proxmox.

Note: After the upload and the creation of the VHR, the ISO MUST not be removed. Otherwise, the VM will not start and you will be prompted with an error similar to “TASK ERROR: volume 'local:iso/VeeamHardenedRepository_2.0.0.8_20250117.iso' does not exist”.
Create a New VM to host VHR
Click “Create VM” at the top-right, or right-click the node and select “Create VM” as shown below.

Enter the VM name (the ID is generated automatically in this case) and click Next to proceed.

Under the OS, please specify the storage location and ISO image to use and click next.

UEFI is a requirement for using VHR. Therefore, I will select OVMF (UEFI). Please select all options as shown below.

If the disk size is below 100 GB, the VHR installation will fail. The minimum requirement is 100 GB for the Operating System volume.

For the data volume, I will select 110 GB as this is just a lab environment. If you specify the same size for the OS and data volumes, the installation will fail as well. The data volume is expected to be larger.
Note: The ISO will automatically re-format your disk storage where the smallest volume will be used for the Operating System (OS) while the other volume will be used for the backup files.

I am fine with 2 CPU Sockets and Cores. For optimal performance, you can assign 4 or more vCPUs depending on the size of your backup infrastructure and the load on the repository.

I will assign 4 GB of RAM, which is the minimum recommended for a basic Veeam Hardened Repository setup. Click Next to proceed.

Click Next on the Network tab as shown below. Kindly take networking seriously by using untagged switchports. That means the IP addresses are configured directly in Linux, without any VLANs.

Confirm VM creation and click on VM

Install Veeam Hardened Repository (VHR)
To install VHR, there are various ways to start the VM as shown below. Select the VM and click on start as you wish. You can click on console to open a new browser window.

Or select the VM and click on console. This way, you are within the Proxmox console as well.

Select “Install Hardened Repository (Delete all data)”.

The system will load from the ISO as shown below.

Note (optional step): The image below shows that you can modify your VM settings again if the installation fails due to system requirements etc.

If there are no errors during boot, the installation wizard starts as shown below. Please configure the Keyboard, Time & Date, and Network & Hostname.

For the keyboard, I will select German, and for the time zone “Berlin”. I will manually configure the IPv4 parameters in order to do away with the automatic DHCP assignment. Do not forget to specify the search domain if you wish.

As you can see from the installation summary, everything is fine. I will click on “Begin Installation”.

I will click yes to continue

As you can see, the VHR installation is in progress.

Now that the installation is complete, please reboot the system.

Select Rocky Linux and hit the Enter button on your keyboard.

Login and Change VHR Password
After the system reboots, you will need to enter the default credentials vhradmin/vhradmin. You will also be required to change the default passwords.

Accept the license agreement and hit Enter on your keyboard.

Start the SSH service as shown below by selecting and hitting the enter button. This will create a single-use SSH password for VBR integration.

Kindly take note of the username and password as we will use this very shortly. We can now integrate (add) the VHR to VBR.

You can log out if you wish.

After the setup finishes, you can log out or reboot your server. Afterwards, navigate to your VBR server to launch the console.
Add the Hardened Backup Repository to VBR
To do this, navigate to the Veeam Console and select Backup Infrastructure. Right click on Backup Repository and select Add Repository

Choose Direct attached storage.

Then, Linux (Hardened Repository).

Enter the Repository name and description

Add the Repository server by clicking the Add New button

Specify the DNS name or IP address of the REPO and click next

Here, you will enter the credential generated during the VHR configuration step. When done, click on OK.

Veeam Backup & Replication uses single-use credentials only once to deploy Veeam Data Mover or transport service when adding a Linux server to the backup infrastructure. It does not store these credentials, preventing attackers from retrieving them even if the backup server is compromised.
Click next to proceed

Verify that the SSH key fingerprint matches that provided by the VHR. Click yes to confirm that you trust the server and click next to proceed.

As you can see below, the following components will be installed. Click on Apply to continue.

After the required components are installed, click Next to proceed as shown below

On the summary window, click on Finish.

On the Server Repository wizard, click Populate. Choose the Path the backup will be saved to and click on Next.

Click on populate to reveal the capacity and free space available. Ensure that “Use fast cloning on XFS volumes (recommended)” is selected. I am fine with the other defaults. Therefore, I will click on next.

The system will check to see if the XFS Fast Clone requirements are met. When done, click Next to proceed.

Specify the right mount server and click on next.

Click on Apply to finalize the repository configuration as shown below.

Click on next

Select Finish to complete the repository configuration.

As you can see below, we now have a new VHR repository in our environment.
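
The fingerprint check in the trust prompt above can be done by deriving the fingerprint yourself from the repository's host public key and comparing it with what the VBR dialog shows. This is an added example, not code from Veeam or from the original article; it assumes you have read the host public key line out of band on the repository's own console, and it accepts both the SHA256 and the colon-separated MD5 display formats because the format shown depends on the tool.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: a syntactically valid ed25519 key line built from
# bytes 0..31. It is NOT a real host key.
_KT = b"ssh-ed25519"
_BLOB = struct.pack(">I", len(_KT)) + _KT + struct.pack(">I", 32) + bytes(range(32))
SAMPLE_PUBKEY_LINE = "ssh-ed25519 " + base64.b64encode(_BLOB).decode() + " constructed"


def parse_pubkey_line(line: str) -> bytes:
    """Return the raw key blob from '<key-type> <base64-blob> [comment]'."""
    fields = line.split()
    if len(fields) < 2:
        raise ValueError("expected '<key-type> <base64-blob> [comment]'")
    blob = base64.b64decode(fields[1], validate=True)
    if len(blob) < 4:
        raise ValueError("key blob too short")
    # The blob begins with a length-prefixed copy of the key type.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != fields[0].encode():
        raise ValueError("key type does not match key blob")
    return blob


def fingerprints(blob: bytes) -> dict:
    """Both common display forms: SHA256 (base64, unpadded) and MD5 (colon hex)."""
    sha = base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")
    md5 = hashlib.md5(blob, usedforsecurity=False).hexdigest()
    pairs = ":".join(md5[i:i + 2] for i in range(0, len(md5), 2))
    return {"sha256": "SHA256:" + sha, "md5": "MD5:" + pairs}


def fingerprint_matches(pubkey_line: str, shown: str) -> bool:
    """Compare the fingerprint a dialog shows with the one derived from the key."""
    fps = fingerprints(parse_pubkey_line(pubkey_line))
    shown = shown.strip()
    if shown.upper().startswith("SHA256:"):
        got, want = shown[7:].rstrip("="), fps["sha256"][7:]
    else:  # colon-separated hex, with or without an "MD5:" prefix
        got = shown[4:] if shown.upper().startswith("MD5:") else shown
        got, want = got.lower(), fps["md5"][4:]
    return hmac.compare_digest(got.encode(), want.encode())


if __name__ == "__main__":
    print(fingerprints(parse_pubkey_line(SAMPLE_PUBKEY_LINE)))
```

A mismatch means the server answering on that address is not presenting the key you read on the console, so do not click Yes on the trust prompt until that is explained.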

Stop SSH
According to Veeam documentation, SSH connection is necessary only for the deployment of Veeam Data Mover. For security purposes, after you add the hardened repository, disable SSH connection for the user account you use to connect to the Linux server.
Note: If you can work with the server from the console, disable SSH connection for the server itself. To do this, log in to the VHR and select “Stop SSH”.

Click on Yes to stop and disable SSH

Click on OK and logout.

Create a Backup Job to the Veeam Hardened Repository
To do this, launch the Veeam Backup & Replication Console. In the Home tab, click on “Backup Job” and select “Virtual Machine”

Enter the job name and click next

Select the VMs you wish to back up to this new VHR repository and click add.

In the storage area, ensure you specify the right backup repository and the retention period and click next.

Since these are Domain Controllers (DCs), I will select “Enable application-aware processing”.
You may want to test network connectivity and credentials for the selected VMs. Click on “Test Now”.

As you can see, the first test has completed, and I can guarantee connectivity and am sure the credentials are correct. I will close or stop the test now.

On the schedule, I will click on “Apply”.

On the summary page, I will click on Finish.

As you can see, the backup job is in progress


The backup jobs have completed successfully as shown below.

Testing Immutability by simulating VM deletion
When you add a hardened repository, you specify the time period during which backup files must remain immutable. During this period, the repository prevents backup files from being moved, modified, or deleted, but allows them to be copied.
To do this, navigate to Backups from the Home menu, and click on Disk as shown below. Select the VM you wish to delete. In this case, I will be selecting one of the VMs I have backed up to VHR. Right-click and select Delete from disk. On the prompt, select Yes.

As you can see below, the object (VM) could not be deleted, as expected, because of the configured immutability.

Protecting your Physical VHR Server
If you have VHR installed on a physical server and use out-of-band management (such as IPMI, HPE iLO, Cisco CIMC, Dell iDRAC, Lenovo XCC etc.), please keep in mind that multi-factor authentication does not protect against some security issues for out-of-band management systems.
According to Hask from Veeam, he sees no reason why you should not use it. He went further to say that some customers tend to avoid them for inherent security reasons: should an attacker become an administrator on the out-of-band management, they can delete everything on the Hardened Repository without touching the operating system.
To mitigate this concern, placing a firewall in front of the management port and only allowing outgoing communication might help prevent such attacks. That still allows the management interface to send email notifications if a disk fails etc., but an attacker cannot attack or log into the management interface because the firewall blocks all incoming connections.
I hope you found this article very useful on how to deploy and integrate VHR with VBR. Please feel free to leave a comment below.