Ports
This section covers typical Veeam Backup Enterprise Manager connections and default ports required for communication between Enterprise Manager components. The ports must be open on the target machine for inbound connections.
Note: For more information on ports specific for Veeam Backup & Replication infrastructure components, see the Ports section of the Veeam Backup & Replication User Guide.
Veeam Backup Enterprise Manager Connections
The following ports must be opened to ensure proper operation of Veeam Backup Enterprise Manager and communication between components.
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Backup Enterprise Manager server | Backup server | TCP | 9405 | Default certificate port used by Enterprise Manager for collecting data from backup servers that have Veeam Backup & Replication 12 or later installed. You can customize the port when you add a backup server. For more information, see Adding Backup Servers. |
Veeam Backup Enterprise Manager server | Backup server | TCP | 9392 | Default port required for initial connection to a backup server (no matter what version it has). The port is also used by Enterprise Manager for collecting data from backup servers that have Veeam Backup & Replication 11a or earlier installed. You can customize the port when you add a backup server. For more information, see Adding Backup Servers. |
Veeam Backup Enterprise Manager server | Backup server | TCP | 9393 | Default port used by the Veeam Guest Catalog service for catalog replication. Can be customized during Veeam Backup & Replication installation. |
Veeam Backup Enterprise Manager server | Backup server | TCP | 2500 to 2600 | Ports used by the Veeam Guest Catalog service for replicating catalog data. |
Veeam Backup Enterprise Manager server | Backup server | TCP | 49152 to 65535 (for Microsoft Windows Server 2012 and later) | Dynamic RPC port range. For more information, see this Microsoft KB article. |
Veeam Backup Enterprise Manager server | PostgreSQL hosting the Enterprise Manager configuration database | TCP | 5432 | Default port used for communication with PostgreSQL hosting the Enterprise Manager configuration database. |
Veeam Backup Enterprise Manager server | Microsoft SQL Server hosting the Enterprise Manager configuration database | TCP | 1433 | Default port used for communication with Microsoft SQL Server hosting the Enterprise Manager configuration database. Additional ports may be needed depending on your configuration. For more information, see the Microsoft SQL Docs Configure the Windows Firewall to Allow SQL Server Access article. |
Veeam Backup Enterprise Manager server | VMware vCenter Server | TCP | 443 | Default port used for connection to a vCenter Server and deploying the Veeam Plug-in for vSphere Client. Can be customized during Enterprise Manager installation. For more information, see Specify Service Ports. |
Veeam Backup Enterprise Manager server | DNS server with forward/reverse name resolution of all backup servers | UDP | 53 | Port used for communication with the DNS Server. |
Veeam Backup Enterprise Manager server | Active Directory Domain Controller | TCP, UDP | 389 | Port used by Enterprise Manager service to communicate with Active Directory over the LDAP protocol. |
Veeam Backup Enterprise Manager server | Active Directory Domain Controller | TCP | 636 | Port used by Enterprise Manager service to communicate with Active Directory over the LDAPS (LDAP over TLS/SSL) protocol. |
Veeam Backup Enterprise Manager server | Active Directory Domain Controller | TCP | 3268 | Port used by Enterprise Manager service to communicate with LDAP Global Catalog. |
Veeam Backup Enterprise Manager server | Active Directory Domain Controller | TCP | 3269 | Port used by Enterprise Manager service to communicate with LDAP Global Catalog over TLS/SSL. |
Veeam Backup Enterprise Manager server | Active Directory Domain Controller | TCP | 49152 to 65535 (for Microsoft Windows 2008 and later) | Ports used by Enterprise Manager service to communicate with Active Directory. These ports are also used during restore through Veeam Self-Service File Restore Portal. This is a default dynamic port range. For more information, see Microsoft Support KB 832017. |
Veeam Backup Enterprise Manager server | Veeam License Update Server | TCP | 443 | Default port used to automatically update license from the Veeam License Update Server over HTTPS. Veeam License Update Server endpoints: |
Veeam Backup Enterprise Manager server | Veeam License Update Server | TCP | 80 | Required for certificate validation when Enterprise Manager connects to Veeam License Update Server to check if the new license is available and download it. Certificate verification endpoints: Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. |
Veeam Backup Enterprise Manager | Veeam Backup Enterprise Manager service | TCP | 9394 | Default port used by IIS extension to communicate with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports. |
Veeam Cloud Connect Portal | Veeam Backup Enterprise Manager service | TCP | 9397 | Default port used by IIS extension to communicate with Veeam Backup Enterprise Manager. This port value is built-in and cannot be customized during installation. |
Browser | Veeam Backup Enterprise Manager website (IIS extension) | HTTP, HTTPS | 9080 (HTTP), 9443 (HTTPS) | Default ports used to communicate with the website. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports. When you work with Veeam Self-Service Backup Portal (accessed by the portal URL or from the native VMware Cloud Director environment) and vSphere Self-Service Backup Portal, your browser also communicates with the Veeam Backup Enterprise Manager website over this port. |
Browser | Veeam Cloud Connect Portal website (IIS extension) | HTTPS | 6443 | Default ports used to communicate with the website. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports. |
Veeam Backup Enterprise Manager REST API client | Veeam Backup Enterprise Manager REST API | HTTP, HTTPS | 9399 (HTTP), 9398 (HTTPS) | Default ports used to communicate with Veeam Backup Enterprise Manager REST API. Can be customized during Veeam Backup Enterprise Manager installation. For more information, see Specify Service Ports. |
Veeam ONE Server | Veeam Backup Enterprise Manager server | TCP | Dynamically assigned ports | If you add the Veeam Backup Enterprise Manager server to the Veeam ONE monitoring scope, you must open ports required to gather data through WMI. For more information on enabling and disabling WMI traffic, see the Connecting to WMI Remotely with VBScript and Setting up a Remote WMI Connection articles of the Microsoft Windows Dev Center. |
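One way to check that the inbound allow rules on the Enterprise Manager server are no wider than the table above requires, as an added example (not Veeam code). The `Rule` shape, the sample rules and the addresses are constructed for illustration; the port numbers are the defaults listed above and must be edited if they were customized at installation.

```python
from dataclasses import dataclass

# Default ports on the Enterprise Manager side, taken from the table above.
DOCUMENTED = {9394: "TCP", 9397: "TCP", 9080: "HTTP", 9443: "HTTPS",
              6443: "HTTPS", 9399: "HTTP", 9398: "HTTPS"}
# Per the table, these two are reached only by the IIS extension.
IIS_ONLY = (9394, 9397)

@dataclass
class Rule:        # hypothetical shape of an exported inbound allow rule
    name: str
    ports: str     # "9443", "9398-9399" or "Any"
    remote: str    # source address or CIDR, or "Any"

def parse_ports(spec: str) -> range:
    """Turn '9443', '9398-9399' or 'Any' into a range of port numbers."""
    if spec.strip().lower() == "any":
        return range(1, 65536)
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return range(lo, hi + 1)

def audit(rules):
    """Return (rule name, finding) pairs for rules wider than the table."""
    findings = []
    for r in rules:
        ports = parse_ports(r.ports)
        extra = len(ports) - sum(1 for p in DOCUMENTED if p in ports)
        if extra:
            findings.append((r.name, f"{extra} undocumented port(s) allowed"))
        clear = sorted(p for p, proto in DOCUMENTED.items()
                       if proto == "HTTP" and p in ports)
        if clear:
            findings.append((r.name, f"cleartext HTTP port(s) {clear}"))
        if r.remote.strip().lower() == "any" and any(p in ports for p in IIS_ONLY):
            findings.append((r.name, "service port open to any source"))
    return findings

# Constructed sample rules, not taken from a real system.
SAMPLE = [
    Rule("EM website HTTPS", "9443", "10.0.0.0/8"),
    Rule("EM REST", "9398-9399", "10.0.5.0/24"),
    Rule("EM service", "9394", "Any"),
    Rule("Legacy wide rule", "9000-9500", "10.0.0.0/8"),
]

if __name__ == "__main__":
    for name, finding in audit(SAMPLE):
        print(f"{name}: {finding}")
```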
Note: Consider the following:
Guest OS File Restore (Windows)
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Backup Enterprise Manager server | Mount server associated with backup repository | TCP | 2500 to 6000 | Ports used for file download. |
Guest OS File Restore (non-Windows)
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Veeam Backup Enterprise Manager server | Mount server (helper host or helper appliance) | TCP | 2500 to 6000 | Ports used for file download. For more information on the mount server, see Preparing for File Search and Restore (non-Windows machines). |
Note: Consider the following:
Microsoft SQL Server Database Restore
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Target remote Microsoft SQL Server | Mount server associated with backup repository | TCP | 3260 to 3270 | Ports used for transfer of iSCSI traffic during database restore to the original Microsoft SQL Server. These ports are used during the restore process only. |
Oracle Database Restore (1-Click)
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Target remote machine to which application items are restored | Machine running mount service¹ | TCP | 3260 to 3270 | Ports used by Veeam Backup & Replication for iSCSI traffic. Ports are open only during the application item restore session. |
¹ Mount server associated with the repository (if restoring from backup), or a backup server (if restoring from replica).
Note: For more information on 1-Click Database Restore to the original Oracle server machine (remote machine), see 1-Click Restore to Original Location.
Oracle Database Restore (Custom Settings)
From | To | Protocol | Port | Notes |
---|---|---|---|---|
Machine running mount service¹ | Oracle on Windows server | TCP | 49152 to 65535 | Recommended dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see Microsoft Support KB 832017. |
Machine running mount service¹ | Oracle on Windows server | TCP | 1025 to 1034 | Default port range for the runtime component installed on the guest machine to support restore operations in most scenarios. These ports are opened only during application item restore. |
Machine running mount service¹ | Oracle on Linux server | TCP | 22 | Default SSH port used as a control channel. |
Machine running mount service¹ | Oracle on Linux server | TCP | 2500 to 5000 | Default port range for data transmission. |
¹ Mount server associated with the repository (if restoring from backup), or a backup server (if restoring from replica).
Note: For more information on the process of database restore with custom settings, see Restore with Custom Settings.