EN 
06.10.2024 Hanuš WELCOME IN MY WORLD

This website is originally written in the Czech language. Only part of the content is machine (AI) translated into English. The translation may not be exact and may contain errors.

Tento článek si můžete zobrazit v originální české verzi. You can view this article in the original Czech version.
Veeam ONE - základní instalace a zprovoznění

Veeam ONE - basic installation and commissioning

| Petr Bouška - Samuraj |
Veeam ONE is a solution for monitoring and analyzing the Veeam Backup & Replication backup solution, but also the entire virtual infrastructure on the VMware vSphere or Microsoft Hyper-V platform. We will describe basic installation and configuration, connection to Veeam Backup & Replication Server, VMware vCenter Server and System Center Virtual Machine Manager Server. Installation is simple and not much configuration is required to make the product work. But some things are good to know.
displayed: 2 136x (2 047 CZ, 89 EN) | Comments [1]

Note: The description in the article is based on Veeam ONE 12.1.

Introduction to Veeam ONE

The Veeam company is best known for its product Veeam Backup & Replication. But for a very long time (Build Numbers and Versions of Veeam ONE), it has also had the Veeam ONE tool for monitoring virtual environments and data protection (backup) environments using Veeam Backup & Replication.

Note: There is also a Veeam ONE Community Edition which is provided for free. It includes 10 instances (backed up objects) and limited functionality for monitoring virtual environments with unlimited number of VMs (License Types and Packages). This free tool provides many useful features.

Documentation

What is Veeam ONE

Veeam ONE is a solution for monitoring virtual environments and data protection environments. It enables monitoring, analysis, reporting, and capacity planning. It continuously collects, analyzes, and visually represents information about objects in our infrastructure.

The current version contains more than 340 pre-configured alarms and 150 pre-built reports.

  • Alarms can be customized and notification settings configured. They contain advice (Knowledge Base) for resolving problems. We can set up remedial actions that automatically perform certain operations.
  • Reports provide information from many areas of backup and VMware and Hyper-V infrastructure. They also include capacity planning, chargeback and billing, compliance monitoring, and change tracking and auditing.

Business View allows us to categorize objects (workloads) into groups based on various parameters. Veeam ONE includes a job calendar on the backup server, which clearly shows when backups are running and how they are interconnected.

In the latest versions of Veeam ONE, it also detects anomalies that could indicate a ransomware attack. It includes a new Veeam Threat Center dashboard (in the web client).

Veeam ONE Client - pohled Veeam Backup & Replication

Integration and Support for

Veeam ONE enables monitoring and reporting for

  • Veeam Backup & Replication (from version 10a)
  • Veeam Backup for Microsoft 365 (from version 7)
  • VMware vSphere (vCenter Server 6.x to 8.0, ESXi 6.x to 8.0, VMware Cloud on AWS)
  • Microsoft Hyper-V (SCVMM Server 2012 SP1 to 2022, Hyper-V host 2012 to 2022, Failover cluster)
  • VMware Cloud Director (version 10.1 to 10.5)

It also includes support for

  • Veeam Backup for Public Clouds (Microsoft Azure, Amazon Web Services, and Google Cloud)
  • Veeam Backup for Nutanix AHV, Veeam Backup for Red Hat Virtualization, Veeam Backup for Oracle Linux KVM
  • Veeam Agent (Windows, Linux, Mac, IBM AIX, Oracle Solaris)
  • NAS Backup (Fileshare)

Licensing

Veeam now sells packages called Veeam Data Platform, which contain certain features based on the included products.

  • Foundation - Veeam Backup & Replication
  • Advanced - Veeam Backup & Replication, Veeam ONE
  • Premium - Veeam Backup & Replication, Veeam ONE, Veeam Recovery Orchestrator

For these, the portable Veeam Universal License (VUL) is used (primarily) on a subscription basis. We license each instance (instance) or workload.

One VUL license can cover:

  • 1 virtual machine (VM)?
  • 1 cloud instance/VM?
  • 1 physical server
  • 1 database or application
  • 3 workstations (endpoints)
  • 500 GB of unstructured data (NAS/File share)

Note: CPU Socket-based licenses were discontinued in 2023. The documentation License Types and Packages also describes Per socket licenses, which can apparently no longer be purchased. Another option is to rent through VCSP.

In the case of Veeam ONE, an instance is assigned to each managed object. A backed up VM on a monitored Veeam Backup & Replication server and the same monitored VM within the virtual infrastructure consume one instance.

Note: I think it's quite a common situation where we only back up (protect) a part of the infrastructure. But we would like to monitor the entire virtual infrastructure. If we purchase VUL licenses for the Veeam Data Platform Advanced for the backed-up VMs and other objects, they will not cover all the VMs for monitoring. To be in compliance with the license, we need to limit the scope of monitoring in Veeam ONE. From the documentation, I didn't understand that it would be possible to purchase additional licenses only for Veeam ONE, but I haven't researched it further yet.

Architecture and Components

Note: The entire architecture and installation are described in detail in the official documentation. The description in this article contains a summary of the key points and practical experience.

Control using Clients

Two clients with a shared configuration are used to work with Veeam ONE:

  • Veeam ONE Client - the primary tool (application) for monitoring the virtual environment and data protection (backup), allows you to manage Veeam ONE settings, view components of the virtual and backup infrastructure (performance, efficiency), work with alarms and monitoring data, is installed along with the server, can be installed separately on a workstation
  • Veeam ONE Web Client - a web console that provides a set of dashboards and reports, which allow you to verify configuration issues, optimize resources, track changes, plan capacity, etc.
Veeam ONE Web Client - Jobs Calendar

Veeam ONE Components

  • Veeam ONE Server - the core component that collects data and stores it in the database
  • Veeam ONE Web Services - enables web access and generates reports
  • Veeam ONE Client - allows access to the Veeam ONE Server, locally or remotely
  • Veeam ONE Database - database on Microsoft SQL Server, locally or remotely
  • Veeam ONE Agent - enables communication with the Veeam Backup & Replication server, it is recommended to install the agent on the Veeam Backup & Replication server

Deployment and Installation

Deployment

For deploying Veeam ONE in a small or medium-sized environment, we install all components on a single virtual or physical server with a Windows OS. This is called an All-in-One Deployment. In this case, we can also use a remote Microsoft SQL Server and install the Veeam ONE Client on administrators' computers.

Requirements and Prerequisites

The official documentation lists the system requirements (System Requirements) and supported platforms (Supported Virtualization Platforms). The server for All-in-One Deployment requires at least 4 CPU cores and 8 GB of RAM. It supports 64-bit Windows 10/11, Windows Server 2012 to 2022.

Veeam ONE requires various Microsoft components (such as Microsoft .NET Framework or Microsoft XML 6.0 Parser and SDK), but these are automatically installed during the installation.

Just like in the case of Veeam Backup & Replication, to be able to connect the SCVMM (System Center Virtual Machine Manager) server to Veeam ONE, we must install the Virtual Machine Manager Console. The version must exactly match the one on the SCVMM server.

Ports and Communication

A detailed overview is provided in the documentation Ports. The basic connection is to the Veeam ONE Server, where the following is used:

  • Veeam ONE Client - TCP port 139, 445, UDP port 137
  • Veeam ONE Web Client (web browser) - default TCP port 1239, HTTPS communication to Veeam ONE Web Services, e.g., https://veeamone.company.com:1239/

Permissions and Accounts

For Veeam ONE to function correctly and access the virtualization and Veeam Backup & Replication servers, it requires sufficient permissions. A detailed description is in the documentation Permissions.

During the installation, we must enter a domain account, under which the services on the server will run, that is, a service account. It is advisable to create a special account for Veeam ONE, a Domain Users group is sufficient. On the Veeam ONE server, the account must have local administrator permissions.

During the installation of Veeam ONE, the local groups Veeam ONE Administrators, Veeam ONE Power Users, and Veeam ONE Read-Only Users are created on the server. The user under whom the installation is taking place and the service account for the services are automatically included in the administrators. Every user who needs to access Veeam ONE functions (using the Veeam ONE Client or Web Client) must be added to one of the groups. Additionally, they must have the Allow log on locally permission, which local administrators have by default.

Similar to Veeam Backup & Replication, the Veeam ONE has a Credentials Manager in the main menu. Here we can create and manage login credentials (Credentials) for connecting to components in the virtual and backup infrastructure.

I'm considering that we're trying to secure the backup infrastructure as much as possible. We perform Hardening on the Veeam Backup & Replication server. So that an attacker cannot steal the backups, which usually contain the most important data of the company. Or encrypt them with ransomware. I haven't come across recommendations for securing Veeam ONE yet. However, there are accesses and stored accounts to the backup infrastructure.

Server Certificate

During the installation, a self-signed certificate can be generated. If we want to use our own TLS certificate, maybe from an internal CA, we need to issue it in advance to the local computer certificate store. During the installation, we just select it.

Installation Files

We can download from My Veeam - Products, where the installation files are located according to our license. It can be Veeam Data Platform Advanced, where the currently downloaded file is VeeamDataPlatformAdvanced_v12.1_20240228.zip. It contains the ISO for Veeam Backup & Replication VeeamBackup&Replication_12.1.1.56_20240220.iso and for Veeam ONE VeeamONE_12.1.0.3208_20231130.iso with a size of 2.5 GB.

The Release History for Veeam ONE 12.1 might also be useful.

Veeam ONE Database

Part of the Veeam ONE installation is Microsoft SQL Server 2017 Express Edition. We can use this database for free, but in practice we will probably encounter the 10 GB size limit. To estimate the database size for a specific environment, we can use the Veeam ONE Database Estimator calculator.

For production use, it is recommended to use the Standard or higher edition on a dedicated server. Microsoft SQL Server versions from 2012 to 2022 are supported.

All-in-one Installation with Separate SQL Server

  • mount the installation ISO
  • run setup.exe
  • select Install and Install Veeam ONE
Instalace Veeam ONE - volba komponent
  • accept the license terms
  • in the license settings, we can load the license file or sign in with a Veeam account, we can choose Update license automatically
Instalace Veeam ONE - licence
  • enter the prepared service account
  • a system configuration check is performed, and any missing components are automatically enabled
  • the configuration with which the installation will be performed is displayed, click Install
  • if we want to use a custom SQL server or set up a certificate, we click on Customize Settings
  • let all components be installed
Instalace Veeam ONE - instalované komponenty
  • if we want to use an existing SQL Server, we choose Use existing instance of SQL Server
    • search for or enter the server name (do not specify the default instance)
    • we can modify the database name that will be created during the installation
    • specify the login credentials to be used to access SQL, the easiest is to use the service account under which the service runs, but we need to set the required permissions for it (Connection to Microsoft SQL Server)
    • higher permissions are required for the installation, which we can later remove or create the DB in advance using a script if the account does not have sufficient permissions, otherwise an error Failed to connect to SQL Server is displayed
Instalace Veeam ONE - instalované komponenty
  • we can leave the default data location paths
  • if we want to monitor Veeam backup and virtual infrastructure performance, we use Veeam backup data and virtual infrastructure performance monitoring
Instalace Veeam ONE - typ sběru dat
  • we can leave the default ports for the individual components, if we have prepared our own certificate, we select it
Instalace Veeam ONE - nastavení portů a certifikátu
  • the configuration summary is displayed again, click Install to start the installation
  • the installation goes through 4 steps (installation of individual components) and in a few minutes it should display Successfully installed
Instalace Veeam ONE - instalace krok 2
  • when we click Finish, a dialog appears asking if we want to log out, as a new login is required for our account to be added to the new group that grants Veeam ONE login permissions
Instalace Veeam ONE - dokončení

Note: If we encounter problems during the installation, the installation log can be helpful. For example, C:\ProgramData\Veeam\Setup\Temp\VeeamONE_06_05_2024_10_37_06.log

Basic Configuration and Adding Servers

Configuring Notifications

When we first run the Veeam ONE Client, the Notification Settings wizard appears. We can always open it again from the main menu under Notifications or Settings - Server Settings. We can set up email notifications, SNMP, Syslog, ServiceNow.

Note: When we set up email notifications right at the beginning, we will probably start receiving a lot of messages after connecting the infrastructure. It is necessary to first adjust the settings and threshold values.

Connecting Veeam Backup & Replication Infrastructure

We can connect either a standalone Veeam Backup & Replication server or a Veeam Backup Enterprise Manager to oversee all the servers it manages.

  • in the main menu, select Add Server - Veeam Backup & Replication
  • (if we don't have any server connected, the Veeam Backup & Replication view has an Add Backup Server button)
  • enter the server address, its role, it is recommended to leave the agent to be installed on the Veeam Backup & Replication server, we can enable Veeam ONE dashboard integration into the Veeam Backup & Replication Console 12.1 (the Analytics view will be added)
Veeam ONE - připojení Veeam Backup & Replication infrastruktury
  • we must select / add the login credentials (Credentials) for connecting to the server
Veeam ONE - připojení Veeam Backup & Replication infrastruktury 2
  • complete the wizard by clicking Finish, the server will connect and the configuration and performance data of the backup server and infrastructure components will start synchronizing, all historical data stored on the server will be imported, the process typically takes tens of minutes

Account for Connection

The login credentials that we enter during the server connection are important. They will be used to connect to the backup server and all managed servers in the backup infrastructure (such as proxy, repository, etc.).

The permissions required for this account are listed in Connection to Veeam Backup & Replication Servers. It must have the Veeam Backup Administrator role, in some cases local administrator permissions on the server, WMI access and network permissions (Configuring Permissions to Remotely Access WMI). The account must not have MFA enabled for connection to Veeam Backup & Replication.

According to the recommendation, a Firewall is running on the Veeam Backup & Replication server, which can block WMI. On the Windows Firewall, we must allow Remote Event Log Management (see instructions in Preconfigure a Machine to Collect Remote Windows Events).

Different Account for Selected Components

In practice, we often encounter a situation where we use different accounts on various components. Connection to these components will fail and Veeam ONE will display an error. On these components, we need to set the correct account.

  • right-click on the component and select Connection Settings
  • choose Use custom credentials and select / add the login credentials (Credentials)
Veeam ONE - nastavení účtu pro připojení ke komponentě

Connecting VMware vSphere Infrastructure

We can connect a vCenter Server or a standalone ESXi server.

  • in the main menu, select Add Server - VMware vSphere
  • (if we don't have any server connected, the Virtual Infrastructure view has an Add Server button)
Veeam ONE - připojení serveru
  • enter the server address and its role
  • we must select / add the login credentials (Credentials) to connect to the server, we can also change the port
  • Veeam ONE stores the TLS certificate thumbprint, if the certificate is not trusted, we must confirm it
  • complete the wizard by clicking Finish, the server will connect and data collection will begin

The account we use to connect to vCenter and ESXi servers must have sufficient permissions. The list is provided in the Connection to Virtualization Servers.

Guest OS Credentials

Veeam ONE uses Guest OS Credentials to collect data from and control the hosted Windows OS (VMs). We can set the default login credentials in the main menu - Settings - Server Settings - Guest OS Credentials. Or we can specify an account on the VMware infrastructure elements (right-click, choose Guest OS Credentials). If we don't provide the credentials, the ones used for the VMware connection will be used.

Connecting Microsoft Hyper-V Infrastructure

We can connect an SCVMM Server, a Failover cluster, or a standalone Hyper-V server. If we want to connect an SCVMM server, the Veeam ONE server must have the SCVMM Admin Console installed (otherwise, an error will be displayed that the console is missing).

  • in the main menu, choose Add Server - Microsoft Hyper-V
  • (if we don't have any server connected, the Virtual Infrastructure view has an Add Server button)
  • enter the server address and its role
Veeam ONE - připojení Hyper-V
  • we must select / add login credentials (Credentials) to connect to the server, or change the port
  • complete the wizard by clicking Finish, the server will connect, and data collection will begin

The account we use to connect to Hyper-V servers must have sufficient permissions. The list is provided in the Connection to Virtualization Servers.

Just like for VMware, Guest OS Credentials are used. When adding the first server, the Server Settings configuration will automatically open.

Selecting Objects to Monitor and Report On

When we connect a virtualization server, Veeam ONE will automatically start collecting data about all VMs and VM containers (hosts, clusters, datastores, etc.). Each such VM will consume 1 license (instance). If we don't have a license for all VMs in the infrastructure, we must set rules for including or excluding VMs from the data collection scope. We can also use this to monitor only selected VMs.

Veeam ONE includes a default rule for including all VMs and VM containers on the connected servers (VM monitoring inclusion rule). This can (must) be deactivated.

Note: Veeam ONE apparently has a limitation that allows adding twice as many VMs to monitoring as the license covers (at this point, however, we are exceeding the license). If we have more VMs in the infrastructure, it will create an Automatic exclusion rule, which we cannot turn off and which contains a list of VMs that are excluded.

Configuration is done

  • in the main menu, choose Settings - Server Settings
  • switch to the Monitored VMs tab
  • here we can manage existing and create new Inclusion rules and Exclusion rules
Veeam ONE - výběr VM k monitorování

Creating a Rule

  • click on Create New
  • enter a name and an optional description
  • define the scope of the infrastructure to which the rule should apply (Apply Rule to), selecting containers (including subordinate objects) either from the Infrastructure View, Business View, or VMware Cloud Director View
Veeam ONE - monitorovací pravidlo
  • choose the VM selection criteria (VM Selection)
    • By infrastructure location - will include all VMs from the hierarchy defined in the previous step
    • By object name - will allow defining conditions (Conditions) on the VM name for inclusion in the rule (we can use wildcard characters * and ?)

Monitoring Only Backed-up VMs

If we have licenses bought for the purpose of backup, and they don't cover all VMs, we can set a rule to monitor only the backed-up VMs. We can use the Business View for this, where under Virtual Machines and the platform, there is a container (category) called Last Backup Date. There may be a No backup group and then others containing backed-up VMs based on the last backup date.

We can therefore create a VM monitoring inclusion rule where in the

  • Apply Rule to we add the path Virtual Machines - vSphere/Hyper-V - Last Backup Date - Within the last 24 hours from the Business View
  • for VM Selection, we choose By infrastructure location

Note: We can create and edit the categories in the Business View. We can view the rule / expression used for grouping. Right-click on the category and choose Edit Category.

Veeam ONE - Business View - Edit Category
Author:

Related articles:

Backup

Articles dedicated to backup (Backup), replication (Replication) and restoration (Restore) of data. That is, data protection (Data Protection) using backup copies and recovery after a crash (Disaster Recovery).

Virtualization

Articles from popular topics about virtualization of servers and workstations.

If you want write something about this article use comments.

Comments
  1. [1] Honza

    Škoda, že nelze použít PostgeSQL namísto MS SQL, tak jako tomu je u VBR :-(

    Friday, 31.05.2024 21:00 | answer
Add comment

Insert tag: strong em link

Insert Smiley: :-) ;-) :-( :-O

Help:
  • maximum length of comment is 2000 characters
  • HTML tags are not allowed (they will be removed), you can use only the special tags listed above the input field
  • new line (ENTER) ends paragraph and start new one
  • when you respond to a comment, put the original comment number in squar brackets at the beginning of the paragraph (line)