Protect Any Workload from Ransomware with the Veeam Agent and Secure BaaS

In today’s mobile and multi-cloud world, the need to be able to protect any workload running anywhere with a single solution has never been more important. In this post, I’ll cover how you can protect your workloads with Green Cloud’s Secure BaaS service using the Veeam Agent and the Veeam Service Provider Console (VSPC). I’ll focus on protecting workloads running in Green Cloud’s IaaS infrastructure, but the process can apply to any workload running anywhere.

The focus will be on deploying, configuring and managing the Veeam agent using the Veeam Service Provider Console. If you have questions on access to the VSPC console, please reach out to Green Cloud’s support team. If you want to signup for Green Cloud’s Secure BaaS solution, please reach out to our sales team.

Before we get started on protecting workloads, first lets review Green Cloud’s Secure BaaS offering. This solution is powered by Veeam and Cloudian delivering ransomware protection for Veeam backups. Veeam and Cloudian created the industries first solution leveraging the S3 object lock feature to make backups immutable. This makes the backup unchangeable by anything. As a result, they cannot be encrypted by ransomware. With this solution, you can now offer ransomware protection to any workload running anywhere.

Assumptions / Requirements

• Secure BaaS Service
• Access to the Green Cloud Veeam Service Provider Console
  • Reseller credentials will be needed
  • Company (end user) credentials will be needed
• Access to your vCloud Director Organization
• Sufficient bandwidth on source to transfer backups across the WAN
• Free space on the local disk for a local cache of backup data.
• Administrative access to the source workloads

In this demo scenario, all workloads reside in Green Cloud’s IaaS infrastructure powered by VMware Cloud Director. I’m going to follow the Veeam recommended method for agent deployment using discovery rules. This will be done by logging into the VSPC as the partner or ‘Reseller’. For information on managing the Veeam agents as a partner or ‘Reseller’, please refer to the VSPC reseller Veeam documentation.

Source Workload Overview

Before beginning the process of protecting my workloads, I’d like to provide a brief overview of the source environment. I previously built a small Remote Desktop Services environment. There are 5 total servers spread across a LAN and DMZ. The NSX Edge is providing network firewalling while the Windows firewall is also enabled. Below is a screen shot of the virtual machines that will be protected by the end of this post.

Deploy VSPC Management Agent

The first step in the process is to deploy a master management agent. This agent will be used to ‘discover’ other workloads running in your environment.

Requirements:

• VSPC Reseller account information
• Secure BaaS gateway URL and port
• End customer Secure BaaS username and password

Log into VSPC

From the workload designated to be the master, log into the VSPC with your reseller credentials. These credentials can be retrieved / set in the Green Cloud partner portal or by contacting support. The format of the login is <Reseller><Reseller Admin> / <password>.

 

 

 

 

 

Download the Management Agent

Once signed in, navigate to Discovery in the left navigation pane. Then locate Discovered Computers on the tab across the top. Finally, click the Download Agent link. Save the file to the local system.

Install the Management Agent

Once the download completes, run the installer as administrator. Accept the EULA and click Next through the menus to complete the installation.

Configure the Management Agent

With the installation completed, the next step is to configure the management agent to communicate with the VSPC. Locate the management agent icon in the system tray, right-click and click Agent Settings.

 

 

 

This will open a window where you will enter the company (end user) account information. This information was provided during provisioning. Should you need this information please contact support.

 

 

 

 

 

 

 

 

 

• In the Cloud Gateway field, type FQDN or IP address of a cloud gateway.
• In the Port field, specify the port on the cloud gateway that is used to transfer data to Veeam Service Provider Console.
  • In the Username and Password fields, type user credentials of a Company Owner.

The user name must be provided in the <Company NameUser> format.

• Click Apply
• Should you be presented with any certificate warnings, click Save to save the certificate.
  • Finally, Restart the management agent
    

 

 

 

 

• • The Agent should now show Connected
    
    
    

 

 

Configure Discovery Rule(s)

With the management agent successfully communicating, we can now shift our focus to discovering the workloads so we can automatically deploy the Veeam Backup Agent. Discovery can be done via one of the following methods: Active Directory or network (IP). Optionally, you can also import a list from a CSV. For the this post, I will focus on Active Directory discovery.

Requirements

• For AD discovery, the master agent should be installed on a domain joined system.
• The master agent system must have internet access and network access to the workloads you wish to discover and protect
• Local admin rights to the workloads you wish to discover and protect.
• Proper Local firewall configuration to allow discovery and agent installation

Configure (Windows) Firewall

In the demo environment, the Window firewall is enabled. As such, I need configure it to allow the management agent to discover systems and push the Veeam Backup Agent installation. For the sake of this post, I have pre-configured the firewall. Below is a list of the port requirements for successful discovery and Veeam Backup Agent installation.

• Remote Scheduled Tasks Management (RPC and RPC-EPMAP) (for discovery)
• Windows Management Instrumentation (WMI-In) (for desktop operating systems)
• File and Printer Sharing (SMB-In) (for Veeam Backup Agent installation)

Create a Discovery Rule

In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and click New to create a new discovery rule.

 

 

 

 

 

 

 

 

 

In the pop-up, go through the items. In this example, I will be going through Active Directory based discovery since the demo environment is an Active Directory domain. For the sake of time, I have pre-configured an Active Directory account that has been applied as a local administrator to each workload via Group Policy.

• Enter a rule name
• Select a company to apply the discovery rule
  • NOTE: As a Reseller, it’s likely you will have multiple companies from which to chose. A discovery can apply to one or more companies.
• Select a Discovery method (this post is Active Directory)
• Select the Active Discovery Method
  • In this post, I will target specific OUs

 

 

 

 

 

 

 

 

 

 

 

• Enter the account to be used for discovery and Veeam Backup Agent installation
  • This can be a pre-defined local account or a domain account.
  • In this post, I am using a domain account. I have added this domain account as a local admin to each workload using group policy.

Be sure to clear the check box for using the account defined in the master agent. This is because we did not specify an account in the master agent setup.

• Organizational Unit selection
  • click Select Location…
    • NOTE: Locations can be leveraged when you have a client with multiple locations. In this post, I will be using the default location.
      
  • In the next window, click on Select Unit…
    

 

 

 

 

• • • Pick the OUs where the protected workload Active Directory computer accounts are located
      

 

 

 

 

 

 

 

• • • Click OK twice to return to the configuration menu and click Next

• Optionally, set any discovery filters
  • Discovery filters can be set by OS, Application or platform. These can be used individually or combined for greater granularity.
• Optionally, enable email notification.
  • This requires that you have configured your VSPC SMTP settings.
  • The email notification will send you notifications of discovery rule results.
• Veeam Backup Agent deployment
  • Select the option to discovery the system and install the Veeam Backup Agent.
  • For the sake of this post, I will use the default Servers policy. For more information on backup policies see the Veeam documentation. If you want to see the settings for the default servers policy click Show
  • Enable Read-only mode
    • This will restrict local users from changing backup job settings while still allowing them to perform tasks such as restoring individual files. For more on read-only mode see the Veeam documentation.
      

• • Click Configure to adjust the default settings for the Veeam Backup Agent
    • Select the setting shown in the screen shot below. For more on these settings please refer to the Veeam documentation.
      

 

 

 

 

 

 

 

 

 

 

• • • Be sure to set the appropriate bandwidth based on the source. In the demo environment, there is 50Mbps available. To backup as fast as possible yet still leave room for other communication, I set the limit to 40Mbps.
    • Click Apply then Next

• • Summary
    • Review the summary of the settings
    • Check the box to Launch the discovery rule when I click finish.
      

• • • Click Finish

In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and verify your rule is running.

 

 

 

 

 

 

 

 

 

The deployment process will take a few minutes or more depending on the size and scope of the discovery rule. You can check the status by navigating to Discovery in the left navigation pane and locate Discovered Computers across the top. Here you will see the discovered computes and the status of the Veeam Backup Agent installation.

 

The two most common reasons for failed agent installations are:

1.  A firewall is preventing the installation. Confirm you have all the necessary ports open on your firewall.
2.  The account specified in the discovery rule does not have local administrative rights to the discovered system.

To check the status of the Veeam Backup Agent and view what policy is applied, navigating to Discovery in the left navigation pane and locate Discovered Backup Agents across the top.

 

Alternatively you can log into the protected workload and launch the Veeam Backup Agent. Using the Start Menu, locate the Veeam folder and the Veeam Agent for Microsoft Windows. At the top of the Agent application, you will see the VSPC reseller name and the backup policy applied.

 

 

 

 

 

 

 

 

 

 

At this point you have successfully setup the Veeam Backup Agent to protect your workloads by backing up to a Green Cloud Secure BaaS repository. This was done using the Veeam Service Provider Console. Through this console you can centrally manage and monitor the backups of your workloads. If you are an existing partner interested in protecting your customers workloads with Green Cloud’s Secure BaaS service please reach out to your channel manager. If you are interested in becoming a Green Cloud partner, please complete the form on our contact us webpage.

Final Thoughts

Today’s biggest challenge is data security. Ransomware (as well as other security threats) is on the rise as the workforce has been dispersed due to the global pandemic. Empowering IT with the a solution protect data on any workload running anywhere is priceless. And it can all be managed through the Veeam Service Provider console.