Veeam Backup & Replication has different components/toles and not necessary each of them has direct access to the Internet. From a security point of view it could be a good idea segregates all Veeam components as much as possible.
For this reason you may need to configure a HTTP/HTTPS Proxy, but the funny part is that you cannot found any related option from the Veeam Console.
And if you expect that the browser proxy settings are used, you are wrong.
Which component needs Internet access?
At least two Veeam Backup & Replication components need to access some resources on the Internet:
- Veeam Backup: for malware updates, Veeam Update Notification Server, Veeam License Update Server, Certificate verification
- Mount Server: for AntiVirus or Threat Hunter updates and Veeam License Update Server endpoints
- Backup repositories created with the Veeam Hardened Repository ISO: to download security and operating system updates.
Veeam Update Notification Server endpoints requires HTTPS (TCP/443) access to:
- dev.veeam.com
- vbrce.butler.veeam.com
- vbrad.butler.veeam.com
Veeam License Update Server endpoints and Threat Hunter require HTTPS (TCP/443) access to:
- vbr.butler.veeam.com
- autolk.veeam.com
Veeam Threat Hunter Signature Update Server endpoints: require HTTPS (TCP/443) access to:
- avupdate.veeam.com
Certificate verification endpoints requires HTTP (TCP/80) access to:
- *.ss2.us
- *.amazontrust.com
Veeam Update Repository endpoints requires HTTPS (TCP/443) access to:
- repository.veeam.com
Note that OS or other applications may need network access, for example for managing updates.
Configuring a proxy
There is a specific Veeam KB (https://www.veeam.com/kb3090) that explain how to configure WinHTTP Proxy for the different Veeam components based on Windows machines.
It apply not only to Veeam Backup & Replication, but also to other Veeam producs, like Veeam ONE, Veeam Agent for Microsoft Windows and Veeam Cloud Connect.
Note: some connections used by old Veeam products utilize WinInet, which must be configured as documented in KB1975.
Microsoft Windows HTTP Services (WinHTTP) is used by various Veeam software products for network communications. WinHTTP provides developers with an HTTP client application programming interface (API) to send requests through the HTTP protocol to other HTTP servers.
Note: This change is system-wide and will affect all applications that use WinHTTP, including other third-party or Windows services that use WinHTTP (e.g., Windows Update).
Check Current WinHTTP Proxy Settings
This command will display the current WinHTTP settings:
netsh winhttp show proxySet WinHTTP Proxy Settings
This command can be used to set a WinHTTP proxy:
netsh winhttp set proxy proxy-server="<proxy>:<port>"Note: Replace <proxy> and <port> in quotes with the actual proxy server’s hostname or IP and the port it uses.
Reset WinHTTP Proxy
This command can be used to reset the WinHTTP settings back to default (no proxy).
netsh winhttp reset proxyThreat Hunter settings
Starting with Veeam Backup & Replication 12.3.1, Threat Hunter now can use a proxy to download new signature… Also now the scan will not stop if the download is no possible.
- Custom Internet proxy support has been added for downloading updates to the Veeam Threat Hunter threat signatures.
To configure, create the following registry value on the Mount Server:
Key Location: HKLM\ SOFTWARE\Veeam\Veeam Threat Hunter\
Value Name: VTHInternetProxy
Value Type: String Value (REG_SZ)
Value Data: <proxy>:<port>
Note: The system-wide Internet proxy settings are now also respected; see the Resolved Issues section below.
