Monday, February 17, 2025

Instant recipe for Veeam Backup for M365 Linux Proxies

Introduction

Since version 8 of Veeam Backup for Microsoft 365 you can use proxy pools to distribute the load over different proxies. The backup itself determines, depending on the load of each individual proxy node, where it will assign the next task. That makes a simple way of setting up and adding proxies necessary.

With the “recipe” below you can quickly and easily prepare a Linux machine to install the proxy role on and then add it to a proxy pool.

What is a Veeam Backup for Microsoft 365 proxy?

A Veeam Backup for Microsoft 365 v8 proxy is a component that acts as an intermediary between the backup infrastructure and Microsoft 365 services, facilitating efficient data transfer and reducing the load on the production environment. It handles tasks such as retrieving data from Microsoft 365 (e.g., Exchange Online, SharePoint, OneDrive), compressing and deduplicating it, and then forwarding it to the backup repository. By offloading processing tasks from the backup server, the proxy improves performance, scalability, and reliability, especially in large-scale deployments or environments with high data volumes. It can be deployed on-premises or in the cloud, depending on the organization's requirements.

What is a Veeam Backup for Microsoft 365 proxy pool?

A Veeam Backup for Microsoft 365 v8 Proxy Pool is a collection of multiple proxy servers grouped together to distribute the workload of backing up Microsoft 365 data (e.g., Exchange Online, SharePoint, OneDrive) more efficiently. By leveraging a pool of proxies, the backup process can scale horizontally, improving performance and reducing the time required for data retrieval and transfer. The proxy pool automatically balances tasks across available proxies, ensuring optimal resource utilization and high availability. This setup is particularly beneficial in large environments with high data volumes or when multiple backup jobs run concurrently, as it enhances throughput and minimizes the risk of bottlenecks.

Ingredients for our instant Linux proxy recipe

  • At least one, but preferably more, Linux machines with a supported operating system.

    We use a supported Linux distribution because it requires no additional paying licenses and is easy to maintain with a minimal footprint.

  • Sufficient bandwidth (add as needed)

    The proxy role is the data mover, so a high-bandwidth connection to both the Microsoft environment and the attached storage (object storage) is needed.

  • SSH access to the linux machine

Preparation method

Connect to the Linux machine via SSH

To make things a little easier for us, we will install the ping utility if it is not already present. This will make it easier to perform some connectivity tests from this machine later. You can start from a minimal installation.

sudo apt-get install inetutils-ping 

You can always edit files with VI, but it's a little easier with nano, so we'll add that as well.  

sudo apt-get install nano 

The Microsoft .Net runtime must be installed from the Microsoft repository. Indeed, this is one of the prerequisites for a successful installation. When deploying the proxy role, this will be checked. Therefore, we must first add the Microsoft repo.

As a sleight of hand, we first retrieve the OS version in a variable:

 
# Get OS version info and fill the variables $ID and $VERSION_ID
source /etc/os-release
 

Next, we pull in the appropriate repository:

 
# Download Microsoft signing key and repository
wget https://packages.microsoft.com/config/$ID/$VERSION_ID/packages-microsoft-prod.deb -O packages-microsoft-prod.deb

and install the repository....

# Install Microsoft signing key and repository
sudo dpkg -i packages-microsoft-prod.deb
 

We will keep our kitchen clean and delete our just downloaded file which we no longer need.

# Clean up
rm packages-microsoft-prod.deb

To know all the recent versions we need to update our repos.

# Update packages
sudo apt update
 

Now it's time to install our .net runtime from the correct repo.

# Install .Net
sudo apt install aspnetcore-runtime-8.0
sudo apt install dotnet-sdk-8.0

In our quick and easy recipe, we use a Veeam Backup for Microsoft 365 server that is stand-alone and does not have internal DNS services. So we fall back on the good old HOSTS file.

To do this, on the Veeam Backup for M365 server, we'll edit the HOSTS file under:

c:\windows\system32\drivers\etc\

We add the IP address and respective DNS name of each proxy and check that it resolves using a ping command.


 
Also in the other direction, the Veeam Backup for M365 server must be reachable by DNS name.

IMPORTANT: not only the proxies must be able to individually resolve the server, but the proxies must also be able to resolve each other.

If this fails, you will get random errors like the one below:

'Resource temporarily unavailable' 

SO IT IS EXTREMELY IMPORTANT THAT MUTUAL DNS RESOLVING BETWEEN PROXIES ALSO WORKS.

 

Editing the Ubuntu hosts file is done via:

sudo nano /etc/hosts

Basically, everything is now ready to add the proxy via the Veeam Backup for M365 server. However, it performs some additional checks.

A classic error that may come up is:

Error: .NET (`dotnet-`) must be added to the blacklist to prevent unattended upgrades that could impact the availability of the Linux proxy.

 


This error is described at: https://www.veeam.com/kb4658

The solution for our Ubuntu-based proxy lies in setting up an exception so that this package is not upgraded automatically.

With the following command you can check if the package is on the exclusion list:

apt-config dump | grep 'Unattended-Upgrade::Package-Blacklist:: "dotnet-\?"'

If no results are shown, run the following command to add "dotnet-"; to the /etc/apt/apt.conf.d/50unattended-upgrades file.

sudo sed -i '/^Unattended-Upgrade::Package-Blacklist {/a\ "dotnet-";' /etc/apt/apt.conf.d/50unattended-upgrades

If we run our check again now, you will see that the dotnet packages are blacklisted.
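A read-only pre-flight check for the preparation steps above, as an added example that is not part of the original post or of Veeam's tooling: it verifies that the hosts file defines the server and every proxy, that the "dotnet-" entry really sits inside the blacklist block, and lists dotnet-* updates that now wait for a manual upgrade. The function names and the host names in the usage comment are assumptions; names are looked up in /etc/hosts directly because this recipe resolves through the hosts file rather than DNS.

```sh
#!/bin/sh
# Added example, not part of the original post: read-only pre-flight checks
# for a prepared Linux proxy. Nothing on the machine is changed.

# hosts_names FILE: print every name a hosts-format file defines, lower-cased.
hosts_names() {
    awk '{ sub(/#.*/, "") } NF >= 2 { for (i = 2; i <= NF; i++) print tolower($i) }' "$1"
}

# missing_hosts FILE NAME...: print each NAME that FILE does not define.
# Pass the VB365 server and every proxy in the pool, including this one.
missing_hosts() {
    mh_file=$1
    shift
    for mh_name in "$@"; do
        mh_lc=$(printf '%s' "$mh_name" | tr '[:upper:]' '[:lower:]')
        hosts_names "$mh_file" | grep -qxF -- "$mh_lc" || printf '%s\n' "$mh_name"
    done
}

# blacklist_has_dotnet FILE: succeed only if an uncommented "dotnet-"; entry
# sits inside the Unattended-Upgrade::Package-Blacklist { ... } block.
# The sed one-liner changes nothing when its anchor line is absent.
blacklist_has_dotnet() {
    awk '
        /^[ \t]*\/\//                                     { next }  # comment line
        /^Unattended-Upgrade::Package-Blacklist[ \t]*[{]/ { inside = 1; next }
        inside && /^[ \t]*[}]/                            { inside = 0 }
        inside && /"dotnet-"[ \t]*;/                      { found = 1 }
        END { exit(found ? 0 : 1) }
    ' "$1"
}

# pending_dotnet: read `apt-get -s upgrade` output on stdin and print the
# dotnet-* packages with an upgrade waiting. Blacklisted packages are skipped
# by unattended-upgrades, so these have to be patched by hand.
pending_dotnet() {
    awk '$1 == "Inst" && $2 ~ /^dotnet-/ { print $2 }'
}

# preflight NAME...: run all three checks against the live system.
preflight() {
    pf_rc=0
    pf_missing=$(missing_hosts /etc/hosts "$@")
    if [ -n "$pf_missing" ]; then
        echo "not in /etc/hosts:" $pf_missing
        pf_rc=1
    fi
    if ! blacklist_has_dotnet /etc/apt/apt.conf.d/50unattended-upgrades; then
        echo 'dotnet- is not in Unattended-Upgrade::Package-Blacklist'
        pf_rc=1
    fi
    pf_pending=$(apt-get -s upgrade 2>/dev/null | pending_dotnet)
    if [ -n "$pf_pending" ]; then
        echo "dotnet updates waiting for a manual upgrade:" $pf_pending
    fi
    return "$pf_rc"
}

# Run only when names are given, e.g.: sh preflight.sh vb365 proxy01 proxy02
# (vb365, proxy01 and proxy02 are placeholder names)
if [ "$#" -gt 0 ]; then
    preflight "$@"
fi
```

Run it on every proxy with the same list of names, since each proxy has to resolve the server and all other proxies.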

 

Now everything is ready on the Linux machine to install the proxy role.
Adding a Linux proxy is a simple wizard that you run from the Veeam Backup for M365 server.

Running the Proxy Wizard

Step 1. Launch the New Backup Proxy Wizard

To launch the New Backup Proxy wizard, do the following:

  1. Open the Backup Infrastructure view.

  2. In the inventory pane, select the Backup Proxies node.

  3. Do one of the following:

  • On the Backup Proxy tab, click Add Proxy on the ribbon.

  • Right-click the Backup Proxies node and select Add backup proxy.

 


Step 2. Select Operating System Type

At this step of the wizard, select Linux to assign a role of the backup proxy server to a machine with Linux operating system installed. For more information, see the System Requirements.


Step 3. Specify Backup Proxy Server Address

At this step of the wizard, specify the computer that you want to use as a backup proxy server, its port number and an optional description. This is the machine we prepared earlier.



  1. In the Host field, enter a DNS name or IP address of a computer that you want to use as a backup proxy server.

     If the specified computer does not have direct access to the internet, you can configure an internet proxy server for such a computer.

  2. In the Port field, enter a port number to access the specified computer.

  3. In the Description field, enter an optional description.


Step 4. Specify SSH Connection Settings

In this step, enter the user account credentials to connect to the prepared machine and configure the SSH connection settings.

To configure the SSH connection settings, do the following:

  1. In the Account field, enter a user name.

  2. In the Password field, enter a password. The password is required in all cases except when you use a user with enabled NOPASSWD:ALL setting in /etc/sudoers.

  3. If you specified credentials for a non-root account that does not have root permissions on a Linux machine, click Advanced to grant the sudo rights to this account. For more information, see Configuring Advanced Settings.

  4. Select the Private key is required for this connection check box if you want to use the Identity / Pubkey authentication method. For more information, see Using Identity / Pubkey Authentication.

     Do the following:

    1. In the Private key field, enter a path to the private key or click Browse to select a private key.

    2. In the Passphrase field, specify a passphrase for the private key on the Veeam Backup for M365 server.

  5. In the SSH Port field, specify a number of the SSH port to connect to a Linux machine. By default, port 22 is used.

  6. In the SSH Timeout field, specify the SSH connection timeout. This timeout is used to wait for connection to the specified backup proxy server through SSH. The default value is 30000 milliseconds.

 

Step 5. Select Service Account

At this step of the wizard, specify an account that will be used to run Veeam Backup for Microsoft 365 Proxy Service on the proxy machine.

To do this, select one of the following options:

  • veeam365backup account. Select this option to use the default service account created by Veeam Backup for Microsoft 365.

  • Use the following account. Select this option to use an account that already exists. In the Account field, enter a user name.

Important: You must manually grant this account the required permissions in advance.

  • Create the following user account locally and assign the required permissions. Select this option to create a new account that Veeam Backup for Microsoft 365 will use as the service account. In the Account field, enter a user name.

Veeam Backup for Microsoft 365 will create a new service account and automatically grant the required permissions to this account.

 


If all the provided information is correct, Veeam Backup for M365 will connect to the designated machine over SSH, perform the necessary installations and registrations, and start the proxy role. From then on you can add this proxy to a new or existing pool to optimize load balancing and scale-out.

Icing on the cake

A useful tool to view the load on the network interface when the proxy is in use is iftop. Install and run the tool as follows:

# install iftop to monitor interface load

sudo apt install iftop
sudo iftop



Friday, December 13, 2024

Backups with a Twist: Adding Emoji Spice to Your Job Names


Backups are serious business. They’re the safety net that saves us from a world of pain when the data hits the fan. But let’s face it—backup job names are often duller than an accountant’s Christmas party. “BackupJob01” or “DailyIncremental” might get the job done, but they won’t win any awards for creativity. Enter emojis: the little digital sprinkles that can transform a backup job name from a snooze-fest into a masterpiece of expression. 🎉

Why Add Emojis to Backup Job Names?

  1. Because You Can: Many modern backup platforms now support Unicode, which means emojis are fair game! It’s like discovering that your boring sandwich can be a gourmet burger with the right toppings.

  2. Instant Recognition: Instead of trying to remember if “Backup_Week1” is for your critical systems or just a test run, a 🌐 or 💡 in the name makes it instantly clear.

  3. Fun Factor: Who says IT can’t have a little whimsy? Let your backups reflect your mood, your mission, or even your favorite snack. 🍩

  4. Support Shenanigans: Let’s not underestimate the joy of telling a support engineer over the phone, “The job name is ‘🛡Fort Knox Full’” and hearing them pause, wondering if they’re being punked.

How to do it?

When in the edit job wizard, in step one, just press Windows key + period (.) or Windows key + semicolon (;).

All available icons will then be shown, and off you go!

 


 Emoji-Inspired Naming Ideas

  1. 🚀 RocketScience: For those jobs that power your mission-critical databases.

  2. 💀 ApocalypseProof: Because these backups will survive anything short of an asteroid.

  3. 🌞 SunnySideUp: Your cheerful morning backups.

  4. 🍆 EggPlant’sCritical: For those NSFW (Not-Safe-for-Wiping) backups.

  5. 🤔 ThinkingHat_Test: For experimental backups you’re not 100% sure will work… yet.

What Could Go Wrong?

Of course, there’s a line between creativity and chaos. Here are a few tips to keep things manageable:

  • Keep it Professional-ish: A “👻Boo’sData” might be cute, but you might regret explaining that in a high-stakes meeting.

  • Standardize: If you’re going emoji-crazy, have a system. Use 🔒 for secure data, 🌐 for internet-related backups, and ✨ for high-priority tasks.

  • Check Compatibility: Not all systems display emojis the same way. What’s a happy 😄 on one platform might turn into a sad square box on another.

The Support Call Scenario

Imagine opening a support ticket for a failed backup job:

Support Engineer: Can you tell me the name of the backup job?

You: Yes, it’s “🕵‍♂️Sherlock_Backup”.

Support Engineer: …Could you spell that for me?

You: S-H-E-R-L-O-C-K… and, oh, there’s a detective emoji in front of it.

Cue laughter, confusion, and a memorable support interaction. Who knows, you might even make the engineer’s day. 😂

Ready to Emoji-fy Your Backups?

Adding emojis to your backup job names is a harmless way to inject personality into an otherwise mundane task. Just remember to strike a balance between fun and functionality. Whether you’re backing up the office karaoke machine recordings or mission-critical data, an emoji or two can make the process a little less boring—and a lot more colorful. 🌟


Tuesday, September 24, 2024

Object First OOTBI teardown: PART 1: hardware & installation


Hi all, in this blog post I'll share my experiences with object storage and, more specifically, OOTBI, the "best storage for Veeam" as they call themselves.

PS. OOTBI stands for: "Out Of The Box Immutability", a welcome feature on your backup repository to protect it from malware.

First of all, a big shoutout to the Object First team and fellow Veeam Vanguard Geoff Burke for giving us the opportunity to test the device ourselves in our own environment. A true review is a review where we can play with the hardware and software ourselves for a decent amount of time and perform several tests and potential hacks.

As Object First mentions, this should be 'The best storage for Veeam'. How do they achieve this ?

First of all, we have to say that object storage (aka S3-compatible storage) has become the go-to solution for scalable repositories. Especially when you're looking for storage that grows with your needs, definitely have a look at S3-compatible storage.

S3 object storage is based on the S3 standard, but as a famous XKCD comic says, if you have 14 competing standards and you want to create a universal one, you'll end up with 15.



So there are a lot of 'dialects' and modifications of the S3 standard, and the OOTBI device has one as well.

Before we dive into the SOS (Smart Object Storage) API, which is an extension of the existing S3 standard, let's see what object storage is really about.

What is object storage and how does it work ?

What is Object Storage?


Object storage is a type of data storage architecture that manages and manipulates data as objects. Unlike traditional file systems (which organize data into a hierarchy of directories and files) or block storage (which divides data into fixed-size blocks), object storage treats each piece of data as an independent object. Each object contains the data itself, metadata, and a unique identifier.

This architecture is ideal for storing large amounts of unstructured data like multimedia files, backups, documents, and archives.

Key Concepts of Object Storage:

  • Object: The basic unit of storage, consisting of:
      • Data: The actual data being stored (like an image, video, or file).
      • Metadata: Information about the data (such as file type, creation date, permissions).
      • Unique Identifier: A globally unique identifier (GUID or UUID) that allows for quick retrieval of the object without needing a directory path or filename.

   

Flat Namespace: 

Unlike hierarchical file systems with directories and sub-directories, object storage uses a flat structure. Each object is stored in a bucket (or container), and the unique identifier is used to retrieve it, removing the need for a directory structure.

Scalability: 

Object storage can scale horizontally, meaning it can manage petabytes or even exabytes of data across distributed nodes. This is especially useful for large-scale cloud environments.
 

Durability and Redundancy: 

Many object storage systems are designed with data redundancy in mind. Data is often replicated across multiple locations, making it highly durable and fault-tolerant.

Access via APIs: 

Object storage is typically accessed through APIs, like RESTful interfaces (HTTP-based), rather than through traditional file system protocols. This allows easier integration with web-based applications and services.

How Object Storage Works:

Data Upload: 

When a file (data) is uploaded to an object storage system, it is stored as an object. The system generates a unique identifier for this object, which can later be used to retrieve it.
   

Metadata: 

As part of the object, metadata (information about the file, such as its size, type, or permissions) is stored alongside the data itself. This metadata can be customized by the user to store additional information.

Storage in Buckets or Containers: 

Objects are stored within "buckets" or "containers". These containers hold a collection of objects but do not enforce a hierarchical structure like directories in a file system.

Redundancy and Replication: 

Object storage systems often replicate objects across multiple locations or data centers to ensure durability. For example, if one node fails, copies of the objects are available on other nodes or regions, minimizing data loss.

Retrieval: 

When an object is requested (using its unique identifier), the system retrieves the object, including its data and metadata, from wherever it is stored. This might involve fetching it from multiple locations if redundancy is in place.

Use Cases for Object Storage:

Cloud Storage: Object storage is widely used by cloud service providers, like AWS S3, Google Cloud Storage, and Azure Blob Storage, to store massive amounts of data.

Backups and Archives: Its scalability and cost-effectiveness make it ideal for storing backups, logs, and archives.

Media Hosting: Ideal for storing and delivering large unstructured data like videos, images, and audio files.

Big Data Analytics: Large datasets can be stored and analyzed using object storage due to its ability to handle massive volumes of unstructured data.

Content Distribution: Content delivery networks (CDNs) use object storage to cache and deliver media quickly across the globe.

Advantages:

  • Scalability: Can handle vast amounts of data without performance degradation.
  • Durability: Data replication ensures high availability and protection against hardware failures.
  • Cost-Effective: It is generally more affordable, especially for cold storage or long-term retention.
  • API-driven: Allows easy access and integration with modern applications through APIs.

Disadvantages:

  • Latency: Typically slower compared to block or file storage for frequent, real-time access. OOTBI's SOS API will improve this !
  • Not Ideal for Transactional Data: Object storage is not well-suited for use cases requiring frequent updates or low-latency data transactions, like databases.

So it seems that object storage is quite suitable for backup data, which generally consists of large chunks of data. This backup data is divided into blocks. The size of these blocks is a first important parameter that could potentially have a huge impact on the performance of the storage.

We're using Veeam Backup & Replication to write to the OOTBI. In a standard backup job, you can select the block size for your backup. Standard sizes are 4MB, 1MB, 512 KB and 256 KB. Know that via a registry key you can configure 8MB blocks if necessary.

Important things to know about block size:

  • Larger block sizes result in bigger incremental backups, especially with 8MB blocks.
  • These considerations apply before de-duplication and compression are applied.
  • The final size of objects on disk can vary significantly based on de-duplication and compression.
  • Increasing the block size reduces the number of API calls. (positive impact on performance !)

So, now that we know something about object storage at a high level, let's look at the Object First device in detail.

The storage appliance comes in different sizes.

You can choose between 64Tb, 128Tb and recently the 192Tb nodes.

The nodes can be clustered in groups of 4, which allows you to create clusters of 256Tb, 512Tb or 768Tb.

Nice front, but what's inside the box?


 

The appliance is made of a Supermicro chassis and motherboard. (sys-6029P-WTRT ) 

  • Dual socket P (LGA 3647) supports Intel Xeon Scalable Processors, Dual UPI up to 10.4GT/s
  • Up to 1.5TB ECC 3DS LRDIMM, up to DDR4-2666MHz; 12 DIMM slots
  • 1 PCI-E 3.0 x16 (FHHL) slots, 2 PCI-E 3.0 x8 (FHHL) slots, 2 PCI-E 3.0 x8 (LP) slots, 1 PCI-E 3.0 x16 for Add-on-Module, 1 PCI-E M.2 SSD slot
  • 12 Hot-swap 3.5" SAS/SATA drive bays (4 NVMe/SAS3/SATA3 hybrid drive bays)
  • 2x 10GBase-T ports via Intel C622
  • 1 VGA, 4 USB 3.0 (rear)
  • 1200W Redundant Power Supplies Titanium Level (96% Efficiency)


 

Inside we find 10 classic SAS hard drives in a RAID-6 configuration. To allow quick recovery of the redundancy in case of a problem, a hot spare is available.

At the back of the server, you'll find 2 SATA SSD drives in mirror (RAID 1) which hold the operating system.

For performance reasons, a cache disk is allocated to the last slot. This is an Intel 1.6Tb NVMe drive.

That's all for disks and cache.

CPU / memory

 

The horsepower in this box is provided by a dual-CPU setup of Intel Xeon Silver 4215R @ 3.2Ghz and 256 Gb of RAM, divided in 8 modules of 32 Gb each.

 

The appliance comes with an easy to follow installation sheet, and you should be up-and-running in 15 minutes.

According to the datasheet, you only need:

  • 3 available IP's (two physical and one virtual IP for the S3 endpoint)
  • A username
  • A password
  • MFA setup (authenticator app)

As soon as we booted up the device (with local keyboard, mouse and VGA screen attached), the License Agreement was shown after the boot sequence:

 
After we accept the EULA, we select Setup New Cluster from a screen that looks very similar to an ESXi interface. 😉
 
Other options are useful when you want to join the box to or remove it from an existing cluster.
You can also set up a proxy for internet access, update the application, check the network status, start the replace disk procedure, check the telemetry service, look up the system info or license agreement and, finally, reset the complete node or enter the command shell.
 

 
So we select Setup New Cluster and in the next screen, the configuration wizard asks for the IP configuration on the interfaces.

Pay attention to the NIC names to ensure you assign the right IPs to the corresponding interfaces.

 
As soon as the interfaces are configured, you must enter a hostname. (We chose OOTBI to be very original.)

When the node detects internet access, it checks whether a new version is available and updates right away.

 
Updating to latest version during initial configuration:
 
 
We got an error during the setup of the cluster admin: "Firmware crash dump is not available".
 

Pay attention to the complexity of your admin password. It must have at least 12 characters and contain at least one uppercase letter, one lowercase letter, one digit and one symbol.
 
After the configuration of the interface, the update and the configuration of the admin password, the configuration can be finalized. From this step, the web interface is available for the setup of the first bucket.
 
 
 
 
 
In a next blog post we'll go deeper into the web interface and the actual configuration of some buckets, immutability and the integration with Veeam Backup & Replication.