Using Veeam FastSCP for Microsoft Azure with Azure Resource Manager

When Veeam released Veeam FastSCP for Microsoft Azure a couple of months ago, we still deployed our VMs (virtual machines) in the classic ASM (Azure Service Management) model. Microsoft recently released a new model called ARM (Azure Resource Manager). I’m not going into depth about the differences between the two models, but I did want to point out that a VM deployed in the ASM model is deployed differently in the ARM model.

Microsoft views the ARM model as the future to deploy new compute resources. Unfortunately, because of the differences in deployment, Veeam FastSCP for Microsoft Azure doesn’t work anymore out-of-the-box. For this reason, you’ll need to make some changes inside the VM to get it working again.

Here is the procedure to take advantage of Veeam FastSCP for Microsoft Azure with Microsoft ARM-deployed VMs.

Create firewall rules

In the classic model, firewall rules were called endpoints, and they needed to be created per VM. In the ARM model, you can create a security group that you can use to create firewall rules for all VMs in that resource group.

In my example, I have a resource group called Veeam-VMBP and I created a network security group with the exact same name. Here, you’ll want to add an inbound rule to make sure that your traffic is from the computer where you are running FastSCP to the VM on port 5986 (default HTTPS Windows Remote Management).

Veeam VMBP - network security group

As an example, see the below rule that I created:

Add inbound security rule

Install or create a (self-signed) certificate and enable PowerShell remoting

In the classic model, when you deploy a VM, PowerShell remoting is configured for you. In the new model it is not, so you will need to do it yourself.

NOTE: This process will vary, depending on whether you use a publicly signed o self-signed certificate. Since most cases are with a self-signed certificate, I will discuss this variation. When you want to use a publicly signed certificate, the process is much easier because you only need Set-WSManQuickConfig –UseSSL to get things working.

Below you will see the PowerShell one-liners I used to configure my deployed Windows Server 2012 R2:

  • $Cert = New-SelfSignedCertificate -CertstoreLocation Cert:\LocalMachine\My -DnsName "FastSCP-Server"
  • Export-Certificate -Cert $Cert -FilePath C:\temp\cert
  • Enable-PSRemoting -SkipNetworkProfileCheck –Force
  • New-Item -Path WSMan:\LocalHost\Listener -Transport HTTPS -Address * -CertificateThumbPrint $Cert.Thumbprint –Force
  • New-NetFirewallRule -DisplayName "Windows Remote Management (HTTPS-In)" -Name "Windows Remote Management (HTTPS-In)" -Profile Any -LocalPort 5986 -Protocol TCP

Some explanation:

  • The first line creates a self-signed certificate with the DNS name of my server (in this case, FastSCP-Server). It then stores it in the certificate store.

NOTE: Add the certificate details to a variable called $Cert to use it further.

  • The second line exports the certificate to a location (in this case C:\temp\). If you have an error on this line, note that the directory has to exist upfront, it will not be created.
  • Third line will enable PowerShell remoting. I used the -Force to skip the user prompts and -SkipNetworkProfileCheck to ensure that PowerShell doesn’t complain when your network connection type is public (which it probably will be)
  • The fourth line creates the HTTPS listener, which won’t be created automatically, only the HTTP listener and connects the certificate to it
  • Finally, the fifth line creates a new Windows Firewall rule that opens Windows Remote Management over HTTPS

And Poof! You can once again use Veeam FastSCP for Microsoft Azure.

Connecting to the server

Below you can see that I can connect to my server again and I have access to the data on my VM.

Veeam FastSCP for Microsoft Azure


Veeam FastSCP for Microsoft Azure works out-of-the-box when used with a Microsoft Azure VM deployed in the classic model. However, when you deploy a VM in the Azure Resource Manager model, things are a bit different and Remote PowerShell is not configured anymore. To be able to take advantage of Veeam’s solution, you will first need to take a few quick steps to manually enable it.

Get weekly blog updates
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our blog with this weekly digest.

Eliminate Data Loss
Eliminate Ransomware

#1 Backup and Recovery


  • Amie Colbert says:

    Valuable post . my business this month located to import pdf ! It’s relatively straightforward to use and it’s practically peanuts . I heard they have a 30 day promotion currently

  • lakshantha peiris says:

    Hi Mike,

    I’m in the process of setting and test environment and following your documentation,
    under Create Firewall Rules section, when setting up the network security group it requires associating it with a Resource Group ( I’m lost there)

    Do i create a new Resource Group (if so what steps) or Associate it with a existing one?

    Appreciate your help on this.


  • Hi,
    You can create a network security group and associate that with the same resource group where your VM is running. A resource group “groups” all the different building blocks together. So a VM is a building block, an external IP, a network security group and so on… So best would be to associate it with the same resource group that holds your VM
    Hope it helps

  • daniejlucas says:

    Hi Mike, this is exactly what I needed. When I use the second command, Export-Certificate, I get Access is denied shown below. Ran PS as Administrator and made sure permissions on the destination folder were wide open. This is in the Direct Restore for Azure virtual appliance deployed with ARM. Also checked to make sure the certificate was actually created and it was.

  • I see what happened… You are trying to export it as name “FastSCP-Server” which won’t work. As you can see in the blog, I expert a variable $cert and that variable is filled with the certificate information, which is not just a name but contains many different data such as thumbprint and other relevant information. Best you can do now is run a command like this: $cert = (Get-ChildItem –Path cert:LocalMachineMyDE53B1272E43C14545A448FB892F7C07A217A765) where the strange letters you see is the Thumbprint. You can find that one by going into your certificate store and open the properties of the created certificate.
    Hope it helps

  • Wilm Thys says:

    When I try to make a connection from my on-premise Veeam & Replication server to the Azure hosted FastSCP server, i get an error: “Connection to remote server x.x.x.x failed with the following error message: Access is denied”. Any idea’s?

  • Wilm, access is denied can be because of firewall issues (see what I described above) or a wrong username / password. If you can’t find what is wrong, please go to and add some additional information so we can have a look over there. It is also possible that we will ask you to create a support call but that will be easier on our forums than over here.


  • Polina Vasileva says:

    Hi Ford Mustang,
    Your issue requires a more thorough examination. So, as Mike recommended earlier, please ask your question on, or create a new support case.

  • Michael Keen says:

    after following your steps, I’m still receiving the following message:

    I have double checked the NSG Inbound rules for the Resource Group in Azure. I have double-checked the Windows Firewall Rules and those all seem ok. Any ideas here Mike?

  • Michael Keen says:

    Update. I just added the necessary information pertaining to the setup above, but added the Inbound rule to an existing NSG that I had already created for the VM. I did change the Service to reflect WinRM thinking that this would correct the above issue. It did. Now receiving the “Access is Denied” message.

  • Michael Keen says:

    Update: I changed the “Service” to be “Custom” and tried the connection again. Success, I am now connected to the VM and was able to transfer a file to the machine.

  • Fantastic news! Thanks for keeping us up-to-date and providing the additional information

  • Wes Chang says:

    Hi Mike,

    Just a quick feedback since this is such an awesome free tool – please update your email template and add a link to this blog post to the existing one for classic deployment. I was stuck at setting up FastSCP under ARM for a while until I came across your comment in that other blog post that redirected me to here. I think nowadays most people would prefer ARM deployments over the classic one. Thanks!

  • Hi Wes, what email template are you talking about? Thanks! Mike

  • Wes Chang says:

    After downloading FastSCP, I got an email from Veeam Team ( with the subject “How to easily setup Veeam FastSCP for Microsoft Azure”. The link in the email is pointing to the blog post on classic deployments. I’d suggest adding another link to this blog post since many (if not most) people are doing ARM deployments nowadays. :)

    Hi Wesley Chang,
    With your recent download of Veeam® FastSCP™ for Microsoft Azure, we want to let you know about a blog post that can help you take the first steps with your new tool, namely:
    1. Connecting to your VMs
    2. Starting a copy job
    3. Creating scheduled, recurring jobs

    _Read the blog post_ and get started!

    Have questions about your new tool? Ask Veeam gurus and your colleagues on the FastSCP forum.

    Veeam Team

    Upgrade to Availability | Get more free tools

  • Thanks Wes, I will ask to make the adjustments! Much appreciated, cheers Mike

  • DarienA says:

    Why do you export the cert to the temp folder?

  • Hi DarienA, I only exported it to use it later for something else. For this specific purpose you don’t really need to export it. So good question and you are right :-)

  • DarienA says:

    It might be worth adding a sentence or two to just say this really isn’t needed but if you want to use the cert for something else, run this command…

  • Calendar says:

    traffic is from the computer where you are running FastSCP to the VM on port 5986 (default HTTPS Windows Remote Management).

Leave a Reply

Your email address will not be published.