Veeam Backup and VIX libraries: howto backup networkless VMs using VSS

0 Flares Twitter 0 Facebook 0 LinkedIn 0 Email -- 0 Flares ×

Since Microsoft introduced VSS libraries, it’s a smart way of doing backup using them, in order to guarantee a consistent backup of applications supporting them.

Veeam can do backups without the help of permanent agents inside the virtual machines, anyway if you want to do a VSS-based backup, Veeam deployes (and removes when the backup is completed) a small agent in the Windows VM in order to cohordinate VSS tasks. Usually, this is done by connecting to the target VM via network.

But, what happens when for any reason Veeam is in another network of the one used by the virtual machine, or they cannot communicate to each other? For example an IIS webserver in a DMZ network that cannot be reached from the network where Veeam server is connected to?

In these situations we can really appreciate VMware VIX libraries, and the way Veeam decided to use them. I found this quite old article , dated 2008, they noentheless explains in an awesome way what those libraries can do. Basically, they allow for direct interaction between the guest operating system inside a VM using the hypervisor running it, without any need for network connectivity. Among the several activities you can do, you can copy files, start and stop services, and run programs inside the guest VM.

Veeam has taken advantage of these libraries to allow VSS-based backups, even when the VM cannot be reached via network. To show you this, I created a small test in my lab, by deploying a Windows 2008 R2 VM with no network connection at all:

Test VM with no network connections

I then configured a quick backup job in Veeam, without any custom parameter other than the use of VSS libraries, just to see what was going to happen:

Veeam backup a VM with no network connection

The backup was “simply” complteted successfully. To be honest, Veeam first tries to connect as usual via RPC, but right because the VM does not have any IP address, it fails and it then tries to use VIX libraries. You can appreciate the intimate procedure by looking at the relevant log parts:

As you can see, since the RPC connection has failed, Veeam connects to vCenter ( and from here to the VM via VIX, using the same credentials I specified in the job (vix-testadministrator), since the VM is not joined to my lab domain “SKUNKWORKS”. VIX connection is successful, and Veeam is able to install the temporary agent into the VM.

How cool is that?

If you also want to remove the initial error, and save some seconds in the job execution, since Veeam Backup & Replication v6.1 patch 1 (build you can switch the VSS connection order, telling Veeam to try VIX connection first. You can see how to do it in the release notes of that build:

Added new registry value that reverses the sequence of application-aware processing, making jobs try network-less processing mode before network one. HKEY_LOCAL_MACHINESOFTWAREVeeaMVeeam Backup and Replication DWORD: InverseVssProtocolOrder Value = 1 To disable (default behavior), value is 0 (false)

So, after I configured the new registry key as described, I run again the same backup job:

Veeam backup with VIX enabled

First thing you can see, “Preparing guest for hot backup” now lasted 15 seconds instead of 21, meaning something has really changed. But, as before, the detailed log is where you can appreciate the configuration change:

You can see as now Veeam has started first to connect via VIX libraries, without trying first a connection via network.

So, if you have several virtual machines you cannot reach via network, maybe you can configure Veeam to use VIX libraries as its primary backup mode for VSS.

One thought on “Veeam Backup and VIX libraries: howto backup networkless VMs using VSS

  1. Great article, Luca!

    Just a small addition, but important, IMO: using VIX APIs are of course a good way of backing up / replicating Windows VMs in a consistent way with Veeam, without having network access to them.

    But this mode has a limitation that “classic” mode (network-based) doesn’t have: you either need to disable UAC or use exactly the “well-known” administrator accounts (.\ADMINISTRATOR or DOMAIN\ADMINISTRATOR). Other administrative credentials that are not exactly “ADMINISTRATOR” will fail.

    A full description of this issue can be found at:


Comments are closed.