Introduction
Now that since version 8 of Veeam Backup for Microsoft 365 you can use Proxy pools to distribute the load over different proxies and where the backup itself will determine depending on the load of each proxy node separately where it will assign the next task already, setting up and adding proxies in a simple way is necessary.
With the “recipe” below you can quickly and easily prepare a Linux machine to install the proxy role on and then add it to a proxy pool.
What is a Veeam Backup for Microsoft 365 proxy ?
A Veeam Backup for Microsoft 365 v8 proxy is a component that acts as an intermediary between the backup infrastructure and Microsoft 365 services, facilitating efficient data transfer and reducing the load on the production environment. It handles tasks such as retrieving data from Microsoft 365 (e.g., Exchange Online, SharePoint, OneDrive), compressing and deduplicating it, and then forwarding it to the backup repository. By offloading processing tasks from the backup server, the proxy improves performance, scalability, and reliability, especially in large-scale deployments or environments with high data volumes. It can be deployed on-premises or in the cloud, depending on the organization's requirements.
What is a Veeam Backup for Microsoft 365 proxy Pool ?
A Veeam Backup for Microsoft 365 v8 Proxy Pool is a collection of
multiple proxy servers grouped together to distribute the workload of
backing up Microsoft 365 data (e.g., Exchange Online, SharePoint,
OneDrive) more efficiently. By leveraging a pool of proxies, the backup
process can scale horizontally, improving performance and reducing the
time required for data retrieval and transfer. The proxy pool
automatically balances tasks across available proxies, ensuring optimal
resource utilization and high availability. This setup is particularly
beneficial in large environments with high data volumes or when multiple
backup jobs run concurrently, as it enhances throughput and minimizes
the risk of bottlenecks.
Ingredients for our instant Linux proxy recipe
At least one, but preferrably more linux machines with a supported operating system.
We use a supported Linux distribution because it requires no additional paying licenses and is easy to maintain with a minimal footprint.
Sufficient bandwidth (add as needed)
The proxy role is the datamover so a high bandwidth connection to either the Microsoft environmentand the attached storage (Object storage) is needed.
SSH access to the linux machine
Preparation method
Connect to the Linux machine via SSH
To make things a little easier for us, we will install the ping utitliy if it is not already present. This will make it easier for us later to perform some connectivity tests from this machine. You can start from a minimal installation.
sudo apt-get install inetutils-ping
You can always edit files with VI, but it's a little easier with nano, so we'll add that as well.
sudo apt-get install nano
The Microsoft .Net runtime must be installed from the Microsoft repository. Indeed, this is one of the prerequisites for a successful installation. When deploying the proxy role, this will be checked. Therefore, we must first add the Microsoft repo.
As a sleight of hand, we first retrieve the OS version in a variable:
# Get OS version info en fill variable $id en $version
source /etc/os-release
Next, we pull in the appropriate repository:
# Download Microsoft signing key and repository
wget https://packages.microsoft.com/config/$ID/$VERSION_ID/packages-microsoft-prod.deb -O packages-microsoft-prod.deb
and install the repository....
# Install Microsoft signing key and repository
sudo dpkg -i packages-microsoft-prod.deb
We will keep our kitchen clean and delete our just downloaded file which we no longer need.
# Clean up
rm packages-microsoft-prod.deb
To know all the recent versions we need to update our repos.
# Update packages
sudo apt update
Now it's time to install our .net runtime from the correct repo.
# Install .Net
sudo apt install aspnetcore-runtime-8.0
sudo apt install dotnet-sdk-8.0
In our quick and easy recipe, we use a Veeam Backup for Microsoft 365 server that is stand-alone and does not have internal DNS services. So we fall back on the good old HOSTS file.
To do this, on the Veeam Backup for M365 server, we'll edit the HOSTS file under:
c:\windows\system32\drivers\etc\
We add the IP address and respective DNS name of each proxy time and check if it is resolved using a ping command.
IMPORTANT: not only the proxies must be able to individually resolve the server, but the proxies must also be able to resolve each other.
If this fails, you will get random errors like the one below:
'Resource temporarily unavailable'
SO IT IS EXTREMELY IMPORTANT THAT MUTUAL DNS RESOLVING BETWEEN PROXIES ALSO WORKS.
Editing the Ubunto hosts file is done via:
cd /
cd etc
sudo nano hosts
A classic error that may come up is:
Error: .NET (`dotnet-`) must be added to the blacklist to prevent unattended upgrades that could impact the availability of the Linux proxy.
This error is described at: https://www.veeam.com/kb4658
The solution for our Ubuntu-based proxy lies in setting up an exception so that this package is not upgraded automatically.
With the following command you can check if the package is on the exclusion list:
apt-config dump | grep 'Unattended-Upgrade::Package-Blacklist:: "dotnet-\?"'
If no results are shown, run the following command to add "dotnet-"; to the /etc/apt/apt.conf.d/50unattended-upgrades file.
sudo sed -i '/^Unattended-Upgrade::Package-Blacklist {/a\ "dotnet-";' /etc/apt/apt.conf.d/50unattended-upgrades
If we run our check back now you will see that the dotnet packages are now blacklisted.
Now everything is ready on the Linux machine to install the proxy role.
Adding a Linux proxy is a simple wizard that you run from the Veeam Backup for M365 server.
Running the Proxy Wizard
Step 1. Launch the New Backup Proxy Wizard
To launch the New Backup Proxy wizard, do the following:
Open the Backup Infrastructure view.
In the inventory pane, select the Backup Proxies node.
Do one of the following:
On the Backup Proxy tab, click Add Proxy on the ribbon.
Right-click the Backup Proxies node and select Add backup proxy.
Step 2. Select Operating System Type
At this step of the wizard, select Linux to assign a role of the backup proxy server to a machine with Linux operating system installed. For more information, see the System Requirements.
Step 3. Specify Backup Proxy Server Address
At this step of the wizard, specify a computer that you want to use as a backup proxy server, its port number and optional description, this is the machine we've been preparing before.
In the Host field, enter a DNS name or IP address of a computer that you want to use as a backup proxy server.
If the specified computer does not have a direct access to the internet, you can configure an internet proxy server for such a computer.
In the Port field, enter a port number to access the specified computer.
In the Description field, enter optional description.
Step 4. Specify SSH Connection Settings
In this step, enter a user account credentials to connect to the prepared machine and configure the SSH connection settings.
To configure the SSH connection settings, do the following:
In the Account field, enter a user name.
In the Password field, enter a password. The password is required in all cases except when you use a user with enabled NOPASSWD:ALL setting in /etc/sudoers.
If you specified credentials for a non-root account that does not have root permissions on a Linux machine, click Advanced to grant the sudo rights to this account. For more information, see Configuring Advanced Settings.
Select the Private key is required for this connection check box if you want to use the Identity / Pubkey authentication method. For more information, see Using Identity / Pubkey Authentication.
Do the following:
In the Private key field, enter a path to the private key or click Browse to select a private key.
In the Passphrase field, specify a passphrase for the private key on the Veeam Backup for M365 server.
In the SSH Port field, specify a number of the SSH port to connect to a Linux machine. By default, port 22 is used.
In the SSH Timeout field, specify the SSH connection timeout. This timeout is used to wait for connection to the specified backup proxy server through SSH. The default value is 30000 milliseconds.
Step 5. Select Service Account
At this step of the wizard, specify an account that will be used to run Veeam Backup for Microsoft 365 Proxy Service on the proxy machine.
To do this, select one of the following options:
veeam365backup account. Select this option to use the default service account created by Veeam Backup for Microsoft 365.
Use the following account. Select this option to use an account that already exists. In the Account field, enter a user name.
Important: You must manually grant this account the required permissions in advance.
Create the following user account locally and assign the required permissions. Select this option to create a new account that Veeam Backup for Microsoft 365 will use as the service account. In the Account field, enter a user name.
Veeam Backup for Microsoft 365 will create a new service account and automatically grant the required permissions to this account.
If all the provided information is correct, Veeam Backup for M365 will connect to the designated machine over SSH and make the necessary installations and registrations and start the proxy role. As from them you can add this proxy to a new or existing pool to optimize load balancing and scale-out.
Icing on the cake
A useful tool to view the load on the network interface when the proxy is in use is to use iftop. Install and run the tool as follows:
# install iftop to monitor interface load
sudo apt install iftop
sudo iftop
