Ports

This section covers typical Veeam Backup Enterprise Manager connections and default ports required for communication between Enterprise Manager components. The ports must be open on the target machine for inbound connections.

 

Note

For more information on ports specific for Veeam Backup & Replication infrastructure components, see the Ports section of the Veeam Backup & Replication User Guide.

Veeam Backup Enterprise Manager Connections

The following ports must be opened to ensure proper operation of Veeam Backup Enterprise Manager and communication between components.

From

To

Protocol

Port

Notes

Veeam Backup Enterprise Manager server

Backup server

TCP

9405

Default certificate port used by Enterprise Manager for collecting data from backup servers that have Veeam Backup & Replication 12 or later installed.

You can customize the port when you add a backup server. For more information, see Adding Backup Servers.

9392

Default port required for initial connection to a backup server (no matter what version it has).

The port is also used by Enterprise Manager for collecting data from backup servers that have Veeam Backup & Replication 11a or earlier installed.

You can customize the port when you add a backup server. For more information, see Adding Backup Servers.

9393

Default port used by the Veeam Guest Catalog service for catalog replication. Can be customized during Veeam Backup & Replication installation.

2500 to 2600

Ports used by the Veeam Guest Catalog service for replicating catalog data.

49152 to 65535 (for Microsoft Windows Server 2012 and later)

Dynamic RPC port range. For more information, see this Microsoft KB article.

PostgreSQL hosting the Enterprise Manager configuration database

TCP

5432

Default port used for communication with PostgreSQL hosting the Enterprise Manager configuration database.

Microsoft SQL Server hosting the Enterprise Manager configuration database

TCP

1433

Default port used for communication with Microsoft SQL Server hosting the Enterprise Manager configuration database.

Additional ports may be needed depending on your configuration. For more information, see the Microsoft SQL Docs Configure the Windows Firewall to Allow SQL Server Access article.

VMware vCenter Server

TCP

443

Default port used for connection to a vCenter Server and deploying the Veeam Plug-in for vSphere Client. Can be customized during Enterprise Manager installation. For more information, see Specify Service Ports.

DNS server with forward/reverse name resolution of all backup servers

UDP

53

Port used for communication with the DNS Server.

Active Directory domain controller

TCP, UDP

389

Port used by Enterprise Manager service to communicate with Active Directory over the LDAP protocol.

TCP

636

Port used by Enterprise Manager service to communicate with Active Directory over the LDAPS (LDAP over TLS/SSL) protocol.

TCP

3268

Port used by Enterprise Manager service to communicate with LDAP Global Catalog.

TCP

3269

Port used by Enterprise Manager service to communicate with LDAP Global Catalog over TLS/SSL.

TCP

49152 to 65535 (for Microsoft Windows 2008 and later)

Ports used by Enterprise Manager service to communicate with Active Directory. These ports are also used during restore through Veeam Self-Service File Restore Portal. This is a default dynamic port range. For more information, see Microsoft Support KB 832017.

Veeam License Update Server

TCP

443

Default port used to automatically update license from the Veeam License Update Server over HTTPS.

Veeam License Update Server endpoints:

  • vbr.butler.veeam.com
  • autolk.veeam.com

80

Required for certificate validation when Enterprise Manager connects to Veeam License Update Server to check if the new license is available and download it.

Certificate verification endpoints:

  • *.ss2.us
  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Veeam Backup Enterprise Manager
website (IIS extension)

Veeam Backup Enterprise Manager service

TCP

9394

Default port used by IIS extension to communicate with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports.

Veeam Cloud Connect Portal
website (IIS extension)

Veeam Backup Enterprise Manager service

TCP

9397

Default port used by IIS extension to communicate with Veeam Backup Enterprise Manager. This port value is built-in and cannot be customized during installation.

Browser

Veeam Backup Enterprise Manager website (IIS extension)

HTTP

9080

Default ports used to communicate with the website. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports.

When you work with Veeam Self-Service Backup Portal (accessed by the portal URL or from the native VMware Cloud Director environment) and vSphere Self-Service Backup Portal, your browser also communicates with the Veeam Backup Enterprise Manager website over this port.

HTTPS

9443

Veeam Cloud Connect Portal website (IIS extension)

HTTPS

6443

Default ports used to communicate with the website. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports.

Veeam Backup Enterprise Manager REST API client
and VMware vSphere Client
plug-in

Veeam Backup Enterprise Manager REST API

HTTP

9399

Default ports used to communicate with Veeam Backup Enterprise Manager REST API. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports.

HTTPS

9398

Veeam ONE Server
(optional)

Veeam Backup Enterprise Manager server

TCP

Dynamically assigned ports

If you add the Veeam Backup Enterprise Manager server to the Veeam ONE monitoring scope, you must open ports required to gather data through WMI. For more information on enabling and disabling WMI traffic, see the Connecting to WMI Remotely with VBScript and Setting up a Remote WMI Connection articles of the Microsoft Windows Dev Center.

 

Note

Consider the following:

  • For communication between the Veeam Backup Enterprise Manager server and backup servers, Kerberos authentication is used by default.
  • During installation, Veeam Backup & Replication automatically creates firewall rules for default ports to allow communication for the application components.
  • For more information on Enterprise Manager network connectivity, refer to the Enterprise Manager article of the Veeam Backup and Replication Best Practices documentation.

 

Ports for Restore Operations

Guest OS File Restore (Windows)

From

To

Protocol

Port

Notes

Veeam Backup Enterprise Manager server

Mount server associated with backup repository

TCP

2500 to 6000

Ports used for file download.

Guest OS File Restore (non-Windows)

From

To

Protocol

Port

Notes

Veeam Backup Enterprise Manager server

Mount server (helper host or helper appliance)

TCP

2500 to 6000

Ports used for file download. For more information on the mount server, see Preparing for File Search and Restore (non-Windows machines).

 

Note

Consider the following:

  • For more information on the list of ports used by the mount server associated with the backup repository during file-level restore, see the Mount Server Connections section of the Veeam Backup & Replication User Guide.
  • For more information on the list of ports used by the components involved in 1-Click Restore to Original Location, see the Ports section of the Veeam Backup & Replication User Guide.

 

Microsoft SQL Server Database Restore

From

To

Protocol

Port

Notes

Target remote Microsoft SQL Server

Mount server associated with backup repository

TCP

3260 to 3270

Ports used for transfer of iSCSI traffic during database restore to the original Microsoft SQL Server. These ports are used during the restore process only.

Oracle Database Restore (1-Click)

From

To

Protocol

Port

Notes

Target remote machine to which application items are restored

Machine running mount service1

TCP

3260 to 3270

Ports used by Veeam Backup and Replication for iSCSI traffic. Ports are open only during the application item restore session.

1 Mount server associated with the repository (if restoring from backup), or a backup server (if restoring from replica).

 

Note

For more information on 1-Click Database Restore to the original Oracle server machine (remote machine), see 1-Click Restore to Original Location.

 

Oracle Database Restore (Custom Settings)

From

To

Protocol

Port

Notes

Machine running mount service1

Oracle on Windows server

TCP

49152 to 65535

Recommended dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see Microsoft Support KB 832017.

TCP

1025 to 1034

Default port range for the runtime component installed on the guest machine to support restore operations in most scenarios. These ports are opened only during application item restore.

Oracle on Linux server

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 5000

Default port range for data transmission.

1 Mount server associated with the repository (if restoring from backup), or a backup server (if restoring from replica).

Note

For more information on the process of database restore with custom settings, see Restore with Custom Settings.