2.3 Enterprise Manager
Veeam Enterprise Manager is the service that exposes the Veeam Backup & Replication web interface to users and acts as the endpoint for consuming the Veeam RESTful API. In a Veeam Cloud Connect environment, the API is an important component if the service provider plans to develop and offer users a custom portal for managing their Veeam Cloud Connect subscriptions. Also, when Replication services are offered, the Failover Portal is a sub-site of the Enterprise Manager.
2.8: Veeam Enterprise Manager
Veeam Enterprise Manager is a Windows service; Veeam requires a modern 64-bit OS, like Windows Server 2008 R2 and above. It can be deployed on the same machine as the Veeam backup service or on a dedicated machine. The choice to create and operate a separate machine for Veeam Enterprise Manager involves scalability considerations: if many users are going to interact with Veeam Cloud Connect via the RESTful API, a service provider should plan to have a dedicated machine.
Furthermore, a dedicated machine is an effective additional layer of security: because an optional custom portal will only connect to Veeam Enterprise Manager, a service provider can apply additional firewall rules to the communications between Veeam Enterprise Manager itself and the Veeam backup server. When offering DRaaS services, the Cloud Portal is installed as an additional component of Veeam Enterprise Manager and exposed to the internet so Veeam customers can reach it. Having this server separated from the Veeam Backup & Replication server can increase the overall security. If the provider plans to offer Replication services, the portal should be installed during the overall installation of the Enterprise Manager:
2.9: Veeam Enterprise Manager
If a service provider chooses a dedicated machine for Enterprise Manager, it should also have a dedicated Microsoft SQL Server installed locally to manage the data stored by Veeam Enterprise Manager itself; it's better for Veeam Backup & Replication and Enterprise Manager to each have their own SQL server, unless a common SQL Server Standard or Enterprise is chosen. Because of the light load created by Veeam Cloud Connect, the default SQL Express installation is fine to use. However, you should carefully evaluate the amount of expected data to decide which edition of Microsoft SQL Server (Express, Standard or Enterprise) is best suited for Veeam Enterprise Manager.
Service Account
By default, the installation wizard of Veeam Enterprise Manager uses LOCALSYSTEM as the service account to execute the service. As explained in the previous chapter, it's better to create and use a dedicated account to run the services.
Once the account has been created — either a local account or an Active Directory account — service providers need to add this user to the local administrators of the server that will host Veeam Enterprise Manager. Then, they can use the account during the installation by selecting Let me specify different settings:
2.10: Specify custom configuration settings during Veeam Enterprise Manager installation
In the following step of the wizard, administrators will need to specify the service account:
2.11: Specify a service account for Veeam Enterprise Manager
The service account is also used for the authentication in the locally installed SQL Server Express.
Firewall
Once deployed, Veeam Enterprise Manager has different components, listening over different TCP ports:
Service | Port |
---|---|
Catalog Service | 9393 |
Enterprise Manager Service | 9394 |
Web UI over http | 9080 |
Web UI over https | 9443 |
RESTful API over http | 9399 |
RESTful API over https | 9398 |
Cloud Connect Portal | 6443 |
For maximum security, you should enable only the HTTPS connections on the firewall and not the unprotected HTTP ones. Veeam Cloud Connect will not need the catalog service because there is no local backup activity that stores file information in Veeam Enterprise Manager.
In the table, you can see the suggested ports to open in bold.
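One way to apply the HTTPS-only advice on the Enterprise Manager host itself, as an added example that is not part of the original guide. It assumes Windows Server 2012 or later (the NetSecurity cmdlets) and an elevated session; the rule names and group name are illustrative, and ports 9393 and 9394 are deliberately left to the provider's existing policy.

```powershell
# Added example: Windows Firewall rules for the Enterprise Manager ports in the table.
# Rule display names and the group name are illustrative, not Veeam defaults.

# HTTPS endpoints from the table: allowed inbound.
$allow = @(
    @{ Name = 'Veeam EM Web UI (HTTPS)';      Port = 9443 },
    @{ Name = 'Veeam EM RESTful API (HTTPS)'; Port = 9398 },
    @{ Name = 'Veeam Cloud Connect Portal';   Port = 6443 }
)
# Clear-text endpoints: blocked explicitly, so a later broad allow rule
# cannot expose them (block rules take precedence over allow rules).
$block = @(
    @{ Name = 'Veeam EM Web UI (HTTP)';      Port = 9080 },
    @{ Name = 'Veeam EM RESTful API (HTTP)'; Port = 9399 }
)

function Set-PortRule {
    param(
        [string]$Name,
        [int]$Port,
        [ValidateSet('Allow', 'Block')][string]$Action
    )
    # Re-create the rule so repeated runs do not stack duplicates.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Group 'Veeam Enterprise Manager' `
        -Direction Inbound -Protocol TCP -LocalPort $Port `
        -Action $Action -Profile Any | Out-Null
}

$allow | ForEach-Object { Set-PortRule -Name $_.Name -Port $_.Port -Action Allow }
$block | ForEach-Object { Set-PortRule -Name $_.Name -Port $_.Port -Action Block }

# Show which of these ports are actually listening, to confirm the rules
# line up with the services running on this host.
$ports = @(($allow + $block) | ForEach-Object { $_.Port })
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in $ports } |
    Sort-Object LocalPort -Unique |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

The same allow and block lists should be mirrored on the perimeter firewall in front of the server, since host rules alone do not document what is published to the internet.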
Monitoring
Once deployed, Veeam Enterprise Manager has several services installed on the Windows machine that you should monitor to guarantee the best availability of the service:
Service Display name | Service Name | Startup Type | Log On as |
---|---|---|---|
SQL Server (VEEAMSQL2012) | MSSQL$VEEAMSQL2012 | Automatic | Local System |
Veeam Backup Enterprise Manager | VeeamEnterpriseManagerSvc | Automatic (Delayed Start) | CLOUDCONNECT\svc-em |
Veeam Guest Catalog Service | VeeamCatalogSvc | Automatic (Delayed Start) | CLOUDCONNECT\svc-em |
Veeam RESTful API Service | VeeamRESTSvc | Automatic (Delayed Start) | CLOUDCONNECT\svc-em |
World Wide Web Publishing Service | W3SVC | Automatic | Local System |
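A check that compares the running host against the table above, as an added example that is not part of the original guide. The expected values are copied from the table; `CLOUDCONNECT\svc-em` is the guide's sample service account, and `Test-VeeamEmServices` is a hypothetical helper name. It requires PowerShell 3.0 or later for `Get-CimInstance`.

```powershell
# Added example: verify state, start mode and logon account of the services
# listed in the table. Replace the account with your own dedicated account.
$expected = @(
    @{ Name = 'MSSQL$VEEAMSQL2012';        Account = 'LocalSystem' },
    @{ Name = 'VeeamEnterpriseManagerSvc'; Account = 'CLOUDCONNECT\svc-em' },
    @{ Name = 'VeeamCatalogSvc';           Account = 'CLOUDCONNECT\svc-em' },
    @{ Name = 'VeeamRESTSvc';              Account = 'CLOUDCONNECT\svc-em' },
    @{ Name = 'W3SVC';                     Account = 'LocalSystem' }
)

function Test-VeeamEmServices {
    param([object[]]$Expected)

    # One WMI query, indexed by service name (hashtable keys are case-insensitive).
    $installed = @{}
    Get-CimInstance -ClassName Win32_Service |
        ForEach-Object { $installed[$_.Name] = $_ }

    foreach ($e in $Expected) {
        $svc = $installed[$e.Name]
        $problems = @()
        if (-not $svc) {
            $problems += 'not installed'
        } else {
            # "Automatic (Delayed Start)" is reported by WMI as StartMode 'Auto'.
            if ($svc.State -ne 'Running')      { $problems += "state is $($svc.State)" }
            if ($svc.StartMode -ne 'Auto')     { $problems += "start mode is $($svc.StartMode)" }
            # Flags a Veeam service that fell back to LocalSystem or another account.
            if ($svc.StartName -ne $e.Account) { $problems += "runs as $($svc.StartName)" }
        }
        [pscustomobject]@{
            Service  = $e.Name
            Healthy  = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

$report = Test-VeeamEmServices -Expected $expected
$report | Format-Table -AutoSize
# A non-zero exit code lets a scheduler or monitoring agent raise an alert.
if ($report | Where-Object { -not $_.Healthy }) { exit 1 }
```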
Web service
In the list of services, there is the World Wide Web Publishing Service, better known as IIS (Internet Information Services). This is the native Windows web server, and Veeam Enterprise Manager uses it to publish two web interfaces:
2.12: Enterprise Manager and Cloud Portal are published via IIS
For any additional configuration of these two web sites, service providers can use IIS-native options.
Protection
Veeam Enterprise Manager does not hold any Veeam Cloud Connect information, and only communicates with the Veeam backup service. If anything happens to the latter, Veeam Enterprise Manager cannot operate. You should have Veeam Enterprise Manager running on a VM, protected with an image-level backup of the entire VM. What needs protection is the underlying SQL database, plus any optional customization done to the websites.