Ports

The following tables describe network ports that must be opened to ensure proper communication of Veeam Agent operating in the standalone mode with other backup infrastructure components.

To learn about the ports required to enable proper work of Veeam Agent for Linux managed by Veeam Backup & Replication, see Ports in the Veeam Backup & Replication User Guide.

IMPORTANT

The list of ports required for computers booted from the Veeam Recovery Media is the same as the list of ports required for Veeam Agent computers.

Communication Between Veeam Agent for Linux Components

To ensure proper communication between Veeam Agent for Linux components, you must allow local traffic for the following ports on the Veeam Agent computer:

Protocol	Port	Notes
TCP	2500 to 3000	Default range of ports used locally on the Veeam Agent computer for communication between Veeam Agent for Linux components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned.
TCP	32768 to 60999	Default range of ephemeral ports used locally on the Veeam Agent computer for communication between Veeam Agent for Linux components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned.
TCP	10808	Port used locally on the Veeam Agent computer for communication via REST API between Veeam Agent components (such as control panel and command line interface) and Veeam Agent for Linux Service.

Communication with Veeam Backup Servers

To ensure proper communication between Veeam Agent for Linux and Veeam backup server, you must allow network traffic for the following ports:

From	To	Protocol	Port	Notes
Veeam Agent computer	Veeam backup server	TCP	10006	Default port used for communication with the Veeam backup server. Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers.
		TCP	443	Port used by Veeam Agent to obtain authentication tokens from Veeam Backup Identity Service.
		TCP	88	Port used for Kerberos authentication.
		TCP	445	Port used for NTLM authentication.
Veeam backup server	Veeam Agent computer	TCP	2500 to 3300, 22	Ports used by Veeam backup server to perform file-level restore launched from Veeam Backup & Replication.

Communication with Veeam Backup & Replication Repositories

To ensure proper communication between Veeam Agent for Linux and Veeam backup repositories, you must allow outgoing network traffic for the following ports:

From	To	Protocol	Port	Notes
Veeam Agent computer	Linux or Microsoft Windows server acting as a backup repository	TCP	6162, 2500 to 3300	Default ports used as data transmission channels.
	Shared folder SMB (CIFS) share	TCP UDP	445, 139, 137, 138	Ports used as a data transmission channel from the Veeam Agent for Linux computer to the target SMB (CIFS) share. Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS.
	Shared folder SMB (CIFS) share	TCP	88	Port used for Kerberos authentication.
	Shared folder NFS share	TCP UDP	111, 2049	Standard NFS ports used as a data transmission channel from the Veeam Agent for Linux computer to the target NFS share.

Communication with Veeam Cloud Connect Repositories

To ensure proper communication between Veeam Agent for Linux and Veeam Cloud Connect repositories you must allow outgoing network traffic for the following ports:

From	To	Protocol	Port	Notes
Veeam Agent computer	Cloud gateway	TCP	6180	Port on the cloud gateway used to transport Veeam Agent data to the Veeam Cloud Connect repository.
Certificate Revocation Lists	TCP	80 or 443	Veeam Agent computer needs access to Certificate Revocation Lists (CRLs) of the Certification Authority (CA) who issued a certificate to the Veeam Cloud Connect service provider. Information about certificate verification endpoints (CRL and OCSP server URLs) can be found on the CA website. Certificate verification endpoints are subject to change. The actual list of addresses can be found in the certificate itself.

From

Protocol

Port

Notes

Veeam Agent computer

Cloud gateway

TCP

6180

Port on the cloud gateway used to transport Veeam Agent data to the Veeam Cloud Connect repository.

Certificate Revocation Lists

TCP

80 or 443

Veeam Agent computer needs access to Certificate Revocation Lists (CRLs) of the Certification Authority (CA) who issued a certificate to the Veeam Cloud Connect service provider.

Information about certificate verification endpoints (CRL and OCSP server URLs) can be found on the CA website. Certificate verification endpoints are subject to change. The actual list of addresses can be found in the certificate itself.

Communication with Object Storage

The following table describes network ports that must be opened to ensure proper communication with object storage if you back up data to object storage directly or to object storage added as a Veeam backup repository with the direct connection mode. For more information about object storage connection modes, see Types of Connection to Object Storage in Veeam Backup & Replication.

From	To	Protocol	Port	Notes
Veeam Agent computer	Amazon S3 object storage	TCP	443	Used to communicate with the Amazon S3 object storage through the following endpoints: .amazonaws.com (for both Global and Government regions) .amazonaws.com.cn (for China region) All AWS service endpoints are specified in the AWS documentation.
	Amazon S3 object storage	TCP	80	Used to verify the certificate status through the following endpoints: .amazontrust.com .cloudfront.net Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
	Microsoft Azure object storage	TCP	443	Used to communicate with the Microsoft Azure object storage through the following endpoints: <storage-account>.blob.core.windows.net (for Global region) <storage-account>.blob.core.chinacloudapi.cn (for China region) <storage-account>.blob.core.usgovcloudapi.net (for Government region) Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal.
	Microsoft Azure object storage	TCP	80	Used to verify the certificate status through the following endpoints: ocsp.digicert.com oneocsp.microsoft.com Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also Microsoft documentation.
	Google Cloud storage	TCP	443	Used to communicate with Google Cloud storage through the following endpoints: storage.googleapis.com All cloud endpoints are specified in this Google article.
	Google Cloud storage	TCP	80	Used to verify the certificate status through the following endpoints: ocsp.pki.goog pki.goog crl.pki.goog Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
	IBM Cloud object storage	TCP	Depends on device configuration	Used to communicate with IBM Cloud object storage.
	S3 compatible object storage	TCP	Depends on device configuration	Used to communicate with S3 compatible object storage.