This is an archive version of the document. To get the most up-to-date information, see the current version.

Used Ports

In this article

    This section covers typical connection settings for the backup infrastructure components.

    Used Ports Note:

    During installation, Veeam Backup & Replication automatically creates firewall rules for default ports to allow communication for the application components.

    In This Section

    Backup Server Connections

    The following table describes network ports that must be opened to ensure proper communication of the backup server with other infrastructure components.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    vCenter Server

    HTTPS TCP

    443

    Default port used for connections to vCenter Server.

    If you use vCloud Director, make sure you open port 443 on underlying vCenter Servers.

    HTTPS TCP

    10443

    Port used for communication with vCenter Server.

    ESX(i) server

    HTTPS TCP

    443

    Default port used for connections to ESX(i) host.
    Not required if vCenter connection is used.

    Note: When configuring firewalls, consider opening port 443 on ESX(i) hosts even if you add vCenter Server to the backup infrastructure. Port 443 may be required for backup and restore without vCenter Server, for example, if you back up a VM that hosts vCenter Server and restore it when vCenter Server is down.

    TCP

    902

    Port used for data transfer to ESX(i) host.

    TCP

    22

    Port used as a control channel (only for jobs that use an ESX target with the console agent enabled).

    vCloud Director

    HTTPS TCP

    443

    Default port used for connections to vCloud Director.

    Linux server

    TCP

    22

    Port used as a control channel from the console to the target Linux host.

    Microsoft Windows server

    TCP
    UDP

    135, 137 to 139, 445

    Ports required for deploying Veeam Backup & Replication components.

    TCP

    6160

    Default port used by the Veeam Installer Service.

    TCP

    6161

    [For Microsoft Windows servers running the vPower NFS Service] Default port used by the Veeam vPower NFS Service.

    TCP

    6162

    Default port used by the Veeam Data Mover Service.

    TCP,
    UDP

    111, 2049+, 1058+

    [For Microsoft Windows servers running the vPower NFS Service] Standard NFS ports. If ports 2049 and 1058 are occupied, the succeeding port numbers will be used.

    TCP

    49152-65535
    (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

    Proxy appliance (multi-OS FLR)

    SSH

    22

    Port used as a communication channel from the console to the proxy appliance in the multi-OS file-level recovery process.

    Gateway server

    TCP, UDP

    135, 137 to 139, 445

    Ports required for deploying Veeam Backup & Replication components.

    Microsoft SQL Server hosting the Veeam Backup & Replication configuration database

    TCP

    1433

    Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance).

    Additional ports may need to be open depending on your configuration. For more information, see https://msdn.microsoft.com/en-us/library/cc646023(v=sql.120).aspx#BKMK_ssde.

    DNS server with forward/reverse name resolution of all backup servers

    UDP

    53

    Port used for communication with the DNS Server.

    Veeam Update Notification Server (dev.veeam.com)

    TCP

    80

    Default port used to download information about available updates from the Veeam Update Notification Server over the Internet.

    Veeam License Update Server (autolk.veeam.com)

    TCP

    443

    Default port used for license auto-update.

    Veeam Backup & Replication Console

    Backup server

    TCP

    9392

    Port used by the Veeam Backup & Replication console to connect to the backup server.

    Linux server

    Backup server

    TCP

    2500 to 5000

    Default range of ports used as transmission channels for jobs writing to Linux target. For every TCP connection that a job uses, one port from this range is assigned.

    Microsoft Windows server

    Backup server

    TCP

    2500 to 5000

    Default range of ports used as transmission channels for jobs writing to Microsoft Windows target. For every TCP connection that a job uses, one port from this range is assigned.

    Management client PC (remote access)

    Backup server

    TCP

    3389

    Default port used by the Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open.

     

    Backup Proxy Connections

    The following table describes network ports that must be opened to ensure proper communication of backup proxies with other infrastructure components.

    From

    To

    Protocol

    Port

    Notes

    Communication with VMware Servers

    Backup proxy

    vCenter Server

    HTTPS

    443

    Default VMware web service port that can be customized in vCenter settings.

    ESX(i) server

    TCP

    902

    VMware data mover port.

    HTTPS

    443

    Default VMware web service port that can be customized in ESX host settings. Not required if vCenter connection is used.

    Communication with Backup Repositories

    Backup proxy

    Linux server

    TCP

    22

    Port used as a control channel from the backup proxy to the target Linux host.

    Microsoft Windows server

    TCP

    49152-65535 
    (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

    Shared folder CIFS (SMB) share

    TCP
    UDP

    135, 137 to 139, 445

    Ports used as a transmission channel from a backup proxy to the target CIFS (SMB) share.

    Traffic goes between a backup proxy and CIFS (SMB) share only if a gateway server is not specified explicitly in CIFS (SMB) backup repository settings (Automatic selection option is used).

    If a gateway server is specified explicitly, traffic goes between a gateway server and CIFS (SMB) share. For more information about required ports, see the Gateway server > Shared folder line below in this table.

     

    Gateway server

    TCP

    49152-65535 
    (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

    Gateway server
    (if a gateway server is specified explicitly in CIFS (SMB) backup repository settings)

    Shared folder CIFS (SMB) share

    TCP
    UDP

    135, 137 to 139, 445

    Ports used as a transmission channel from a gateway server to the target CIFS (SMB) share.

    Communication with Backup Proxies

    Backup proxy

    Backup proxy

    TCP

    2500 to 5000

    Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

     

    Backup Repository Connections

    From

    To

    Protocol

    Port

    Notes

    Backup proxy

    Linux Server performing the role of the backup repository

    TCP

    2500 to 5000

    Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

    Microsoft Windows Server performing the role of the backup repository

    Backup repository

    Backup proxy

    TCP

    2500 to 5000

    Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

    Source backup repository

    Target backup repository

    TCP

    2500 to 5000

    Default range of ports used as transmission channels for backup copy jobs. For every TCP connection that a job uses, one port from this range is assigned.
    Ports 2500 to 5000 are used for backup copy jobs that do not utilize WAN accelerators. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are open.

    Microsoft Windows Server Running vPower NFS Service Connections

    Backup repository gateway server working with backup repository

     

    TCP

    2500 to 5000

    Default range of ports used as transmission channels during Instant VM Recovery, SureBackup or Linux file-level recovery.

    For every TCP connection that a job uses, one port from this range is assigned.

    EMC Data Domain System Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server or gateway server

    EMC Data Domain

    TCP

    111

    Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned.

    TCP

    2049

    Main port used by NFS. Can be modified via the ‘nfs set server-port’ command. Command requires SE mode.

    TCP

    2052

    Main port used by NFS MOUNTD. Can be modified via the 'nfs set mountd-port' command in SE mode.

    Backup server

    Gateway server

    See Backup Server Connections.

    For more information, see https://community.emc.com/docs/DOC-33258.

    HPE StoreOnce Connection

    From

    To

    Protocol

    Port

    Notes

    Backup server

    HPE StoreOnce

    TCP

    9387

    Default command port used for communication with HPE StoreOnce.

    9388

    Default data port used for communication with HPE StoreOnce.

    Backup server

    Gateway server

    See Backup Server Connections.

    Mount Server Connections

    From

    To

    Protocol

    Port

    Notes

    Mount server
    (or machine running the Veeam Backup & Replication console)

    Backup server

    TCP

    9401

    Port used for communication with the Veeam Backup Service.

    Backup server

    Mount server

    TCP

    6170

    Port used for communication with a local or remote Mount Service.

     

    Microsoft Windows Server Running vPower NFS Service Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft Windows server running vPower NFS Service

    TCP
    UDP

    1058+, 2049+

    [For Microsoft Windows servers running the vPower NFS Service] Standard NFS ports. If ports 2049 and 1058 are occupied, the succeeding port numbers will be used.

    TCP

    6160

    Default port used by the Veeam Installer Service.

    TCP

    6161

    Default RPC port used by the Veeam vPower NFS Service.

    ESX(i) host

    Microsoft Windows server running vPower NFS Service

    TCP
    UDP

    111

    RPC service port.

    Backup repository or gateway server working with backup repository

    Microsoft Windows server running vPower NFS Service

     

    TCP

    2500-5000

    Default range of ports used as transmission channels during Instant VM Recovery, SureBackup or Linux file-level recovery.

    For every TCP connection that a job uses, one port from this range is assigned.

     

    Proxy Appliance (Multi-OS FLR) Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Proxy appliance

    TCP

    22

    Port used as a communication channel from the backup server to the proxy appliance in the multi-OS file-level recovery process.

    TCP

    2500-5000

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    VM guest OS

    TCP

    2500-5000

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    Proxy appliance

    VM guest OS

    TCP

    22

    Port used as a communication channel from the proxy appliance to the Linux guest OS during multi-OS file-level recovery process.

    TCP

    20

    [If FTP option is used] Default port used for data transfer.

    TCP

    2500-5000

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    VM guest OS

    Proxy appliance

    TCP

    22

    Port used as a communication channel from the proxy appliance to Linux guest OS during multi-OS file-level recovery process.

    TCP

    21

    [If FTP option is used} Default port used for protocol control messages.

    SureReplica Recovery Verification Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    vCenter Server

    HTTPS TCP

    443

    Default port used for connections to vCenter Server.

    ESX(i) server

    HTTPS TCP

    443

    Default port used for connections to ESX(i) host.
    Not required if vCenter connection is used.

    TCP

    22

    Port used as a control channel (only for jobs that use an ESX target with the console agent enabled).

    Proxy appliance

    TCP

    443

    Port used for communication with the proxy appliance in the virtual lab.

    22

    Port used for communication with the proxy appliance in the virtual lab.

    Applications on VMs in the virtual lab

    Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response.

    Internet-facing proxy server

    VMs in the virtual lab

    HTTP

    8080

    Port used to let VMs in the virtual lab access the Internet.

     

    WAN Accelerator Connections

    The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs.

    From

    To

    Protocol

    Port

    Notes

    Communication with Backup Server

    Backup server

    WAN accelerator
    (source and target)

    TCP

    6160

    Default port used by the Veeam Installer Service.

    TCP

    6162

    Default port used by the Veeam Data Mover Service.

    TCP

    6164

    Controlling port for RPC calls.

    Communication with Backup Repositories

    WAN accelerator
    (source and target)

    Backup repository
    (source and target)

    TCP

    2500 to 5000

    Default range of ports used by the Veeam Data Mover Service for transferring files of a small size such as NVRAM, VMX, VMXF, GuestIndexData.zip and others. A port from the range is selected dynamically.

    Communication Between WAN Accelerators

    WAN accelerator

    WAN accelerator

    TCP

    6164

    Controlling port for RPC calls.

    TCP

    6165

    Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed.

    Tape Server Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Tape server

    TCP

    6166

    Controlling port for RPC calls.

    HPE 3PAR StoreServ Storage Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    HPE 3PAR StoreServ
    storage system

    HTTP

    8008

    Default port used for communication with the HPE 3PAR StoreServ storage system over HTTP.

    HTTPS

    8080

    Default port used for communication with the HPE 3PAR StoreServ storage system over HTTPS.

    SSH

    22

    Default command port used for communication with HPE 3PAR StoreServ over SSH.

    Backup proxy

    HPE 3PAR StoreServ
    storage system

    TCP

    3260

    Default iSCSI target port.

    HPE Lefthand Storage Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    HP Lefthand storage system

    SSH

    16022

    Default command port used for communication with HP Lefthand.

    Backup proxy

    HP Lefthand storage system

    TCP

    3260

    Default iSCSI target port.

    NetApp Storage Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    NetApp storage system

    HTTP

    80

    Default command port used for communication with NetApp over HTTP.

    HTTPS

    443

    Default command port used for communication with NetApp over HTTPS.

    Backup proxy

    NetApp storage system

    TCP, UDP

    2049, 111

    Standard NFS ports. Port 111 is used by the port mapper service.

    TCP

    3260

    Default iSCSI target port.

    EMC VNX(e) Storage Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    VNX File

    SSH

    22

    Default command port used for communication with VNX File over SSH.

    VNX Block

    HTTPS

    443

    Default port used for communication with EMC VNX Block.

    VNXe

    HTTPS

    443

    Default port used for communication with EMC VNXe and sending RESTful API calls.

    Backup proxy

    VNX Block

    VNXe

    TCP

    3260

    Default iSCSI target port.

    VNX File

    VNXe

    TCP, UDP

    2049, 111

    Standard NFS ports. Port 111 is used by the port mapper service.

     

    VM Guest OS Connections

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the runtime coordination process deployed inside the VM guest OS for application-aware processing and indexing.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Linux VM guest OS

    TCP

    22

    Default SSH port used as a control channel.

    Guest interaction proxy

    TCP

    6190

    Port used for communication with the guest interaction proxy.

    TCP

    6290

    Port used as a control channel for communication with the guest interaction proxy.

    Guest interaction proxy

    Microsoft Windows VM guest OS

    TCP, UDP

    135, 137-139, 445

    Ports required to deploy the runtime coordination process on the VM guest OS.

    TCP

    49152-65535 (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API).

    For more information, see http://support.microsoft.com/kb/929851/en-us.

    TCP

    6167

    [For Microsoft SQL logs shipping] Port used by the runtime process on the VM guest OS from which Microsoft SQL logs are collected.

    Microsoft Windows VM guest OS

    Guest interaction proxy

    TCP

     

    49152-65535 (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API).

    For more information, see http://support.microsoft.com/kb/929851/en-us.

    * If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports: during setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the “RPC function call failed” error, you need to configure dynamic RPC ports.

    Veeam U-AIR Wizards Connections

    The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

    From

    To

    Protocol

    Port

    Notes

    U-AIR wizards

    Veeam Backup Enterprise Manager

    TCP

    9394

    Default port used for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation.

    Microsoft Active Directory Domain Controller Connections During Application Item Restore

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft
    Active Directory VM guest OS

    TCP

    135

    Port required for communication between the domain controller and backup server.

    TCP,
    UDP

    389

    LDAP connections.

    TCP

    636, 3268, 3269

    LDAP connections.

    TCP

    49152-65535 (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API).* For more information, see http://support.microsoft.com/kb/929851/en-us.

    Microsoft Exchange Server Connections During Application Item Restore

    The following table describes network ports that must be opened to ensure proper communication of the Veeam backup erver with the Microsoft Exchange Server system during application-item restore.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft Exchange 2003/2007 CAS Server

    TCP

    80, 443

    WebDAV connections

    Microsoft Exchange 2010/2013 CAS Server

    TCP

    443

    Microsoft Exchange Web Services Connections

     

    Microsoft SQL Server Connections During Application Item Restore

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft
    SQL VM guest OS

    TCP

    1433,1434 and other

    Port used for communication with the Microsoft SQL Server installed inside the VM.

    Port numbers depends on configuration of your Microsoft SQL server. For more information, see http://msdn.microsoft.com/en-us/library/cc646023.aspx#BKMK_ssde.

    SMTP Server Connections

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the SMTP server.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    SMTP server

    TCP

    25

    Port used by the SMTP server.

    Port 25 is most commonly used but the actual port number depends on configuration of your environment.

    Veeam Backup Enterprise Manager Connections

    The following table describes network ports that must be opened to ensure proper communication of Veeam Backup Enterprise Manager with other components.

    From

    To

    Protocol

    Port

    Notes

    Veeam Backup Enterprise Manager

    Backup server

    TCP

    9392

    Default port used by Veeam Backup Enterprise Manager for collecting data from backup servers. Can be customized during Veeam Backup & Replication installation.

    TCP

    49152-65535 
    (for Microsoft Windows 2008 and newer)

    Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

    TCP

    135

    Default RPC port.

    TCP

    9393

    Default port used by the Veeam Guest Catalog Service for catalog replication. Can be customized during Veeam Backup & Replication installation.

    2500 to 2600

    Ports used by the Veeam Guest Catalog Service for replicating catalog data.

    vCenter Server

    TCP

    443

    Default port used for connection to vCenter Server and deploying Veeam plug-in for VMware vSphere Web Client. Can be customized in Enterprise Manager.

    Active Directory

    TCP

    As listed at http://support.microsoft.com/kb/832017/en-us#method1.

    Ports used by Enterprise Manager Service to communicate to Active Directory; also used when performing Self-Service Restore.

    Microsoft Search Server

    TCP

    9395

    Default port used by the Veeam Backup Search Service integration component. Can be customized during Veeam Backup Search installation.

    Microsoft SQL Server hosting the Veeam Backup Enterprise Manager configuration database

    TCP

    1433

    Port used for communication with Microsoft SQL Server on which the Veeam Backup Enterprise Manager configuration database is deployed (if you use a Microsoft SQL Server default instance).

    Additional ports may need to be open depending on your configuration. For more information, see https://msdn.microsoft.com/en-us/library/cc646023(v=sql.120).aspx#BKMK_ssde.

    Enterprise Manager web site (IIS extension)

    Veeam Backup Enterprise Manager Service

    TCP

    9394

    Default port used by Enterprise Manager web site (IIS extension) to communicate with Enterprise Manager Service. Can be customized during Enterprise Manager installation.

    TCP

    9393

    Default port used to enable file search. Can be customized during Enterprise Manager installation.

    Browser

    Enterprise Manager web site (IIS extension)

    HTTP

    9080

    Default ports used to communicate with the website. Can be customized during Enterprise Manager installation.

    HTTPS

    9443

    Enterprise Manager RestAPI client

    and/or

    VMware vSphere Web Client Plug-In

    Enterprise Manager RESTful API

    HTTP

    9399

    Default ports used to communicate with Veeam Backup Enterprise Manager Web API. Can be customized during Enterprise Manager installation.

    HTTPS

    9398

     

    Veeam Explorers Connections