Ports

The following tables describe network ports that must be opened to ensure proper communication of components in the Veeam Agent management infrastructure.

Communication Between Veeam Backup & Replication Components

For general requirements for ports that must be opened to ensure proper communication of the backup server with backup infrastructure components, see the Ports section in the Veeam Backup & Replication User Guide.

For general requirements for ports that must be opened to ensure proper communication of the backup server with Veeam Cloud Connect infrastructure components, see the Ports section in the Veeam Cloud Connect Guide.

In addition to general port requirements applicable to a backup server, the following network ports that must be opened to enable proper communication between Veeam Backup & Replication components.

From

To

Protocol

Port

Notes

Veeam Backup Server

Veeam Agent Computer (Microsoft Windows)

TCP

6184+

Default port used for communication with the Veeam Agent for Microsoft Windows Service.

If port 6184 is already in use, Veeam Agent for Microsoft Windows Service tries to use the next port number in the allocated range (6184 to 6194). Once the service takes the next available port, it makes it the default port for all subsequent connections.

TCP
UDP

135,
137 to 139,
445,
6160,
11731

Default ports used for communication with the Veeam Installer Service.

Port 135 is used for WMI queries. WMI queries are mandatory to back up failover clusters and perform file-level restore and optional to provide faster Veeam Agent deployment.

Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure.

Ports 137 to 139 and 445 are used in the following cases:

  • deployment of Veeam Installer Service
  • restore started from the Veeam Backup & Replication console

Ports 6160 and 11731 are used to deploy Veeam Agent on the computer and to perform restore.

If the backup repository server role and the mount server role are assigned to different servers in your infrastructure, you must open ports described in the Mount Server Connections section in the Veeam Backup & Replication User Guide.

TCP

2500 to 3300

[For Microsoft SQL logs shipping] Ports used to collect Microsoft SQL logs from the Veeam Agent computer.

TCP

6167,
2500 to 3300

[For Microsoft SQL logs shipping] Ports used to collect Microsoft SQL logs from the Veeam Agent computer operating as part of a failover cluster with SQL Server AlwaysOn Availability Groups.

TCP

6211

[For storage snapshots support] Port used for communication with the hardware VSS provider. For more information, see Storage Snapshots Support.

TCP

6160,
11731

Port used for the volume-level restore.

TCP

6162

Default port used by the Veeam Data Mover.

Veeam Agent Computer (Linux)

TCP

22,
6160,
6162

Port 22 is used to establish an SSH connection from the Veeam Backup Server to the Veeam Agent computer.

Ports 6160 and 6162 are used for default connection to the Veeam Agent computer using Veeam Deployer Service and Veeam Transport Service.

Note: Starting from Veeam Backup & Replication version 12.1, you can customize ports 6160 and 6162 using registry keys. To learn more, see this Veeam KB article.

TCP

6162

Default port used by the Veeam Data Mover.

Note: Starting from Veeam Backup & Replication version 12.1, you can customize port 6162 using registry keys. To learn more, see this Veeam KB article.

TCP

2500 to 3300

Default range of ports used for communication between Veeam Agent components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned.

Distribution Server

TCP
UDP

135,
137 to 139,
445,
6160,
11731

Ports on a Microsoft Windows server used for deploying the Distribution Server component.

Port 135 is optional. This port is used to provide faster Veeam Agent deployment.

Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure.

Ports 6160 and 11731 are used by the Veeam Installer Service. These ports together with port 445 are mandatory to deploy the Distribution Server component.

Note: Starting from Veeam Backup & Replication version 12.1, you can customize port 6160 using registry keys. To learn more, see this Veeam KB article.

TCP

49152 to 65535

Dynamic RPC port range. For more information, see this Microsoft KB article.

TCP

9380

Default port used for communication with the Veeam Distribution Service.

Backup Proxy

TCP

6211

[For storage snapshots support] Port used for communication with the hardware VSS provider. For more information, see Storage Snapshots Support.

Distribution Server

Veeam Agent Computer (Microsoft Windows)

TCP

49152 to 65535

Dynamic RPC port range. For more information, see this Microsoft KB article.

The port range is required for communication with the Veeam Installer Service.

TCP
UDP

6160,
11731

Ports on the Veeam Agent computer used for deploying Veeam Agent.

Veeam Agent Computer (Linux)

TCP

22,
6160,
6162

Port 22 is used to establish an SSH connection for Veeam Agent packages transmission and deployment control.

After Veeam Agent is deployed, ports 6160 and 6162 are used for default connection to Veeam Agent computer using Veeam Deployer Service and Veeam Transport Service.

Note: Starting from Veeam Backup & Replication version 12.1, you can customize ports 6160 and 6162 using registry keys. To learn more, see this Veeam KB article.

Veeam Agent Computer (Microsoft Windows)

Veeam Backup Server

TCP

10005

Default port used by Veeam Agent for Microsoft Windows operating in the managed mode for communication with the Veeam Backup server.

Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers.

TCP

10001

Port used by Veeam Agent for direct connection to the Veeam backup server using credentials. For example, during bare metal restore from a backup created by Veeam Agent operating in the managed mode.

TCP

2500 to 3300

Default range of ports used to publish the ransomware index. For every TCP connection that a backup job uses, one port from this range is assigned.

Veeam Agent Computer (Linux)

Veeam Backup Server

TCP

10002, 10006

Default ports used for communication with the Veeam Backup server.

Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers.

TCP

6160,
6162

Default ports used by Veeam Deployer Service (6160) and Veeam Transport Service (6162) for communication between Veeam Agent computer and Veeam backup server.

Note: Starting from Veeam Agent for Linux version 6.1, you can change the default ports 6160 and 6162 in the respective services' configuration files. To learn more, see this Veeam KB article.

Veeam Agent Computer (Unix, macOS)

Veeam Backup Server

TCP

10006

Default port used for communication with the Veeam Backup server.

Data between the Veeam Agent computer and backup repositories is transferred directly, bypassing Veeam backup servers.

Communication Between Veeam Agent Components

The following table describes network ports that must be opened to enable proper communication between Veeam Agent components.

From

To

Protocol

Port

Notes

Veeam Agent Computer (Microsoft Windows)

Veeam Agent Computer (Microsoft Windows)

TCP

9395+, 6183+

Ports used locally on the Veeam Agent computer for communication between Veeam Agent components and Veeam Agent for Microsoft Windows Service.

If port 9395 or 6183 is already in use, Veeam Agent for Microsoft Windows Service will try to use the next port number.

Veeam Agent Computer (Linux, Unix, macOS)

Veeam Agent Computer (Linux, Unix, macOS)

TCP

2500 to 3300

Default range of ports used locally for communication between Veeam Agent components during data transmission. For every TCP connection that a backup job uses, one port from this range is assigned.

Communication with Veeam Backup Repositories

The following table describes network ports that must be opened to ensure proper communication between Veeam Agent and Veeam backup repositories.

From

To

Protocol

Port

Notes

Veeam Agent Computer

Linux server performing the role of a backup repository

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft Windows server performing the role of a backup repository

TCP

49152 to 65535
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see this Microsoft KB article.

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Shared folder SMB (CIFS) share

TCP
UDP

137 to 139,
445

Ports used as a transmission channel from the Veeam Agent computer to the target SMB (CIFS) share.

Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure.

Gateway Microsoft Windows server

TCP
UDP

137 to 139,
445

If an SMB (CIFS) share is used as a backup repository and a Microsoft Windows server is selected as a gateway server for this CIFS share, these ports must be opened on the gateway Microsoft Windows server.

Ports 137 to 139 are used by backup infrastructure components to communicate using NetBIOS if you use NetBIOS in your infrastructure.

TCP

49152 to 65535

Dynamic RPC port range. For more information, see this Microsoft KB article.

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Communication with Veeam Cloud Connect Repositories

The following table describes network ports that must be opened to ensure proper communication between Veeam Agents and Veeam Cloud Connect repositories.

From

To

Protocol

Port

Notes

Veeam Agent Computer (Microsoft Windows, Linux, macOS)

Cloud gateway

TCP

6180

Port on the cloud gateway used to transport Veeam Agent data to the Veeam Cloud Connect repository.

Certificate Revocation Lists

TCP

80 or 443 (most popular)

Veeam Agent computer needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the Veeam Cloud Connect service provider.

Generally, information about CRL locations can be found on the CA website.

Communication with Object Storage

The following table describes network ports that must be opened to ensure proper communication with object storage if you back up data to object storage that Veeam Agent accesses directly. For more information about object storage connection modes, see Backup to Object Storage.

From

To

Protocol

Port

Notes

Gateway server or backup server

Amazon S3 object storage

TCP

443

Used to communicate with the Amazon S3 object storage through the following endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

All AWS service endpoints are specified in the AWS documentation.

80

Used to verify the certificate status through the following endpoints:

  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Microsoft Azure object storage

TCP

443

Used to communicate with the Microsoft Azure object storage through the following endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

Consider that the <xxx> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal.

80

Used to verify the certificate status through the following endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also Microsoft documentation.

Google Cloud storage

TCP

443

Used to communicate with Google Cloud storage through the following endpoints:

  • storage.googleapis.com

All cloud endpoints are specified in this Google article.

80

Used to verify the certificate status through the following endpoints:

  • ocsp.pki.goog
  • pki.goog
  • crl.pki.goog

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

IBM Cloud object storage

TCP

Depends on device configuration

Used to communicate with IBM Cloud object storage.

S3 compatible object storage

TCP

Depends on device configuration

Used to communicate with S3 compatible object storage.

Communication with Cloud Machines

The following table describes network ports that must be opened to ensure proper communication between Veeam Backup & Replication and Veeam Agents installed on Amazon EC2 instances or Microsoft Azure virtual machines (both objects can be also referred to as cloud machines).

From

To

Protocol

Port/Endpoint

Notes

Veeam Backup & Replication,
Amazon EC2 instance with Veeam Agent

Amazon cloud

TCP

443

Port and endpoints used for communication from Veeam Backup & Replication and Amazon EC2 instance to the Amazon cloud where the instance is located.

HTTPS

AWS service endpoints:

  • *.amazonaws.com (for Global and Government regions)
  • *.amazonaws.com.cn (for China region)

A complete list of connection endpoints can be found in AWS Documentation.

TCP

80

Port and endpoints used to verify the certificate status.

Keep in mind that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.amazontrust.com

Veeam Backup & Replication, Microsoft Azure virtual machine with Veeam Agent

Microsoft Azure cloud

TCP

443

Port and endpoints used for communication from Veeam Backup & Replication and Microsoft Azure virtual machine to the Microsoft Azure cloud where the virtual machine is located.

Keep in mind that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal.

HTTPS

Global region endpoints:

  • management.core.windows.net
  • xxx.blob.core.windows.net
  • xxx.queue.core.windows.net
  • core.windows.net

China region endpoints:

  • management.core.chinacloudapi.cn
  • xxx.blob.core.chinacloudapi.cn
  • xxx.queue.core.chinacloudapi.cn
  • core.chinacloudapi.cn

Government region endpoints:

  • management.core.usgovcloudapi.net
  • xxx.blob.core.usgovcloudapi.net
  • xxx.queue.core.usgovcloudapi.net
  • core.usgovcloudapi.net

TCP

80

Port and endpoints used to verify the certificate status.

Keep in mind that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.digicert.com
  • *.digicert.cn (for China region)
  • ocsp.msocsp.com

Communication with 3rd Party Components

The following table describes network ports that must be opened to ensure proper communication between Veeam backup server and 3rd party infrastructure components.

From

To

Protocol

Port

Notes

Backup server

 

Microsoft Active Directory

TCP
UDP

389

LDAP connections.

TCP

636

LDAP connections.

DNS server with forward/reverse name resolution of all backup servers

UDP

53

Port used for communication with the DNS Server.