Help Center
Choose product document...
Veeam Backup & Replication 9.5 Update 4
User Guide for Microsoft Hyper-V

Used Ports

On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports. These rules allow communication between the components.

Used PortsImportant!

Some Linux distributions require firewall and/or security rules to be created manually. For details, see this Veeam KB article.

You can find the full list of the ports below.

Backup Server Connections

The following table describes network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components. 

From

To

Protocol

Port

Notes

Virtualization Servers

Backup server

SCVMM

WCF

8100

Default VMM Administrator Console to VMM server port required by the Veeam Backup Management.

TCP

8732

Port used as the control channel to the SCVMM server.
This port must be opened on the backup server only.

Microsoft Hyper-V server

TCP
UDP

135,
137 to 139,
445

Ports required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover Service.

TCP

6163

Default port used to communicate with Veeam Hyper-V Integration Service.

TCP

2500 to 5000

Default range of ports used as transmission channels for jobs. For every TCP connection that a job uses, one port from this range is assigned.

TCP

49152 to 65535 (for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see this Microsoft KB article.

Other Servers

Backup server

Microsoft SQL Server hosting the Veeam Backup & Replication configuration database

TCP

1433

Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance).

Additional ports may need to be open depending on your configuration. For more information, see Microsoft Docs.

DNS server with forward/reverse name resolution of all backup servers

UDP

53

Port used for communication with the DNS Server.

Veeam Update Notification Server (dev.veeam.com)

TCP

80

Default port used to download information about available updates from the Veeam Update Notification Server over the Internet.

Veeam License Update Server (autolk.veeam.com)

TCP

443

Default port used for license auto-update.

Backup Server

Backup server

Backup server

TCP

9501

Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components.

Remote Access

Management client PC (remote access)

Backup server

TCP

3389

Default port used by the Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open.

 

Veeam Backup & Replication Console Connections

The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console installed remotely.

From

To

Protocol

Port

Notes

Veeam Backup & Replication Console

Backup server

TCP

9392

Port used by the Veeam Backup & Replication console to connect to the backup server.

TCP

10003

Port used by the Veeam Backup & Replication console to connect to the backup server only when managing the Veeam Cloud Connect infrastructure.

Veeam Backup & Replication Console

Mount server (if the mount server is not located on the console)

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft Windows Server Connections

The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows servers.

Each Microsoft Windows server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.

For example, if you assign the role of a backup proxy to your Microsoft Windows server, you must open ports listed below and also ports listed in the Backup Proxy Connections section. 

From

To

Protocol

Port

Notes

Backup server

Microsoft Windows server

TCP
UDP

135,
137 to 139,
445

Ports required for deploying Veeam Backup & Replication components.

Hyper-V server/Off-host backup proxy

TCP

6160

Default port used by the Veeam Installer Service.

Backup repository

TCP

2500 to 5000

Default range of ports used as data transmission channels and for collecting log files.

For every TCP connection that a job uses, one port from this range is assigned.

Gateway server

TCP

6162

Default port used by the Veeam Data Mover Service.

Mount server

TCP

49152 to 65535
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see this Microsoft KB article.

WAN accelerator

Tape server

Backup server

SMB3 server

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover Service.

 

Linux Server Connections

The following table describes network ports that must be opened to ensure proper communication with Linux servers.

Each Linux server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.

For example, if you assign the role of a backup repository to your Linux server, you must open ports listed below and also ports listed in the Backup Repository Connections section.

From

To

Protocol

Port

Notes

Backup server

Linux server

TCP

22

Port used as a control channel from the console to the target Linux host.

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Linux server

Backup server

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Backup Proxy Connections

The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components. 

From

To

Protocol

Port

Notes

Backup server

Off-host backup proxy

Off-host backup proxy is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server Connections to be opened.

Communication with Backup Server

Backup server

Off-host backup proxy

TCP

6163

Default port used by the Hyper-V Integration Service.

SMB3 server

TCP

6163

Default port used by the Hyper-V Integration Service.

Communication with Backup Repositories

Hyper-V server/ Off-host backup proxy

Linux server

TCP

22

Port used as a control channel from the backup proxy to the target Linux host.

Microsoft Windows server

TCP

49152 to 65535
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see this Microsoft KB article.

Shared folder CIFS (SMB) share

TCP
UDP

135,
137 to 139,
445

Ports used as a transmission channel from the backup proxy to the target CIFS (SMB) share.

Gateway server

TCP
UDP

49152 to 65535
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see this Microsoft KB article.

Communication with Backup Proxies

Hyper-V server

Backup proxy (onhost or offhost)

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft SMB3 server

Backup proxy (onhost or offhost)

TCP

2500 to 5000

Ports used to retrieve CBT information from a Microsoft SMB3 server managing shares that host VM disks.

 

Backup Repository Connections

The following table describes network ports that must be opened to ensure proper communication with backup repositories.

From

To

Protocol

Port

Notes

Hyper-V server/ Off-host backup proxy

Microsoft Windows server performing the role of the backup repository

Ports listed in Microsoft Windows Server Connections must be opened.

Hyper-V server/ Off-host backup proxy

Linux server performing the role of the backup repository

Ports listed in Linux Server Connections must be opened.

Backup repository

Backup proxy

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Source backup repository

Target backup repository

TCP

2500 to 5000

Default range of ports used as transmission channels for backup copy jobs. For every TCP connection that a job uses, one port from this range is assigned.
Ports 2500 to 5000 are used for backup copy jobs that do not utilize WAN accelerators. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are open.

Microsoft Windows server running vPower NFS service

Backup repository gateway server working with backup repository

TCP

2500 to 5000

Default range of ports used as transmission channels during Instant VM Recovery, SureBackup or Linux file-level recovery.

For every TCP connection that a job uses, one port from this range is assigned.

Object Storage Repository Connections

The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories.

From

To

Protocol

Port/Endpoint

Notes

Gateway server

Amazon S3 Object Storage

TCP

443

Used to communicate with Amazon S3 Object Storage.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTPS

Cloud endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

A complete list of connection endpoints can be found in this Amazon article.

Certificate verification endpoints:

  • *.amazontrust.com

Microsoft Azure Object Storage

TCP

443

Used to communicate with Microsoft Azure Object Storage.

Consider the following:

  • The <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal.
  • Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
  • The *.d-trust.net endpoint is used for the Germany region only.

HTTPS

Cloud endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.cloudapi.de (for Germany region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

Certificate verification endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com
  • *.d-trust.net  

IBM Cloud Object Storage

TCP/HTTPS

Customizable and depends on device configuration

Used to communicate with IBM Cloud Object Storage.

S3 Compatible Object Storage

TCP/HTTPS

Customizable and depends on device configuration

Used to communicate with S3 Compatible Object Storage.

For more information, see Object Storage Repository.

Dell EMC Data Domain System Connections

From

To

Protocol

Port

Notes

Backup server
or
Gateway server

Dell EMC Data Domain

TCP

111

Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned.

TCP

2049

Main port used by NFS. Can be modified via the ‘nfs set server-port’ command. Command requires SE mode.

TCP

2052

Main port used by NFS MOUNTD. Can be modified via the 'nfs set mountd-port' command in SE mode.

Backup server

Gateway server

Ports listed in Gateway Server Connections must be opened.

For more information, see Dell EMC Documents.

HPE StoreOnce Connections

From

To

Protocol

Port

Notes

Backup server
or
Gateway server

HPE StoreOnce

TCP

9387

Default command port used for communication with HPE StoreOnce.

9388

Default data port used for communication with HPE StoreOnce.

Backup server

Gateway server

Ports listed in Gateway Server Connections must be opened.

Gateway Server Connections

The following table describes network ports that must be opened to ensure proper communication with gateway servers.

From

To

Protocol

Port

Notes

Backup server

Gateway server

Gateway server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server Connections to be opened.

TCP
UDP

135,
137 to 139,
445

Ports required for deploying Veeam Backup & Replication components.

Gateway server
(if a gateway server is specified explicitly in CIFS (SMB) backup repository settings)

Shared folder CIFS (SMB) share

TCP
UDP

135,
137 to 139,
445

Ports used as a transmission channel from a gateway server to the target CIFS (SMB) share.

Mount Server Connections

The following table describes network ports that must be opened to ensure proper communication with mount servers.

From

To

Protocol

Port

Notes

Backup server

Mount server

Mount server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server Connections to be opened.

TCP

6170

Port used for communication with a local or remote Mount Service.

Mount server
(or machine running the Veeam Backup & Replication console)

Backup server

TCP

9401

Port used for communication with the Veeam Backup Service.

Mount server
(or machine running the Veeam Backup & Replication console)

Backup repository

TCP

2500 to 5000

Default range of ports used for communication with a backup repository.

Mount server

Helper appliance

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 2600

Default range of ports used for communicating with the appliance.

Mount server

VM guest OS

Ports listed in VM Guest OS Connections must be opened.

 

Proxy Appliance (Multi-OS FLR) Connections

From

To

Protocol

Port

Notes

Backup server

Helper appliance

TCP

22

Port used as a communication channel from the backup server to the proxy appliance in the multi-OS file-level recovery process.

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

VM guest OS

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Helper appliance

VM guest OS

TCP

22

Port used as a communication channel from the proxy appliance to the Linux guest OS during multi-OS file-level recovery process.

TCP

20

[If FTP option is used] Default port used for data transfer.

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

VM guest OS

Helper appliance

TCP

22

Port used as a communication channel from the proxy appliance to Linux guest OS during multi-OS file-level recovery process.

TCP

21

[If FTP option is used] Default port used for protocol control messages.

Helper appliance

Backup repository

TCP

2500 to 5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

 

WAN Accelerator Connections

The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.

From

To

Protocol

Port

Notes

Backup server

WAN accelerator
(source and target)

WAN accelerator is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server Connections to be opened.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover Service.

TCP

6164

Controlling port for RPC calls.

WAN accelerator
(source and target)

Backup repository
(source and target)

TCP

2500 to 5000

Default range of ports used by the Veeam Data Mover Service for transferring files of a small size such as GuestIndexData.zip and others. A port from the range is selected dynamically.

WAN accelerator

WAN accelerator

TCP

6164

Controlling port for RPC calls.

TCP

6165

Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed.

Tape Server Connections

The following table describes network ports that must be opened to ensure proper communication with tape servers.

From

To

Protocol

Port

Notes

Backup server

Tape server

Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server Connections to be opened.

TCP

6166

Controlling port for RPC calls.

Tape server

Backup repository, gateway server or proxy server

Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server Connections to be opened.

 

VM Guest OS Connections

The following table describes network ports that must be opened to ensure proper communication of the backup server with the runtime coordination process deployed inside the VM guest OS for application-aware processing and indexing.

From

To

Protocol

Port

Notes

Backup server

Linux VM guest OS

TCP

22

Default SSH port used as a control channel.

Guest interaction proxy

TCP

6190

Port used for communication with the guest interaction proxy.

TCP

6290

Port used as a control channel for communication with the guest interaction proxy.

TCP, UDP

137 to 139,
445

Ports used as a transmission channel.

Guest interaction proxy
or
Mount server

Microsoft Windows VM guest OS

TCP, UDP

135,
137 to 139,
445

Ports required to deploy the runtime coordination process on the VM guest OS.

TCP

49152 to 65535 (for Microsoft Windows 2008 and newer)

Dynamic RPC port range used by the runtime process deployed inside the VM for guest OS interaction.

For more information, see this Microsoft KB article.

TCP

6167,
2500 to 5000

[For Microsoft SQL logs shipping] Port used by the runtime process on the VM guest OS from which Microsoft SQL logs are collected.

Linux VM guest OS

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 5000

Default range of ports used as transmission channels during Linux file-level recovery and for Oracle log backup.

For every TCP connection that a job uses, one port from this range is assigned.

* If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports: during setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the “RPC function call failed” error, you need to configure dynamic RPC ports.

Veeam U-AIR Connections

The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

From

To

Protocol

Port

Notes

U-AIR wizards

Veeam Backup Enterprise Manager

TCP

9394

Default port used for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation.

Azure Proxy Connections

From

To

Protocol

Port

Notes

Backup server/ Backup repository

Azure proxy

TCP

443

Default management and data transport port required for communication with the Azure proxy. The port must be opened on the backup server and backup repository storing VM backups.

The default port is 443, but you can change it in the settings of the Azure Proxy. For details, see Specify Credentials and Transport Port

Azure Stack Connections

From

To

Protocol

Port

Notes

Backup server

Azure Stack

HTTPS

443, 30024

Default management and data transport port required for communication with the Azure Stack.

Proxy Appliance Connections (Restore to Amazon EC2)

From

To

Protocol

Port

Notes

Backup server/Backup Repository

Proxy appliance

TCP

22

Port used as a communication channel to the proxy appliance in the restore to Amazon EC2 process.

TCP

443

Default redirector port. You can change the port in proxy appliance settings. For details, see Specify Proxy Appliance.

Microsoft Active Directory Domain Controller Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
Active Directory VM guest OS

TCP

135

Port required for communication between the domain controller and backup server.

TCP,
UDP

389

LDAP connections.

TCP

636, 3268, 3269

LDAP connections.

TCP

49152 to 65535 (for Microsoft Windows 2008 and newer)

Dynamic RPC port range used by the runtime coordination process deployed inside the VM guest OS for application-aware processing* For more information, see this Microsoft KB article.

Microsoft Exchange Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft Exchange 2003/2007 CAS Server

TCP

80, 443

WebDAV connections.

Microsoft Exchange 2010/2013 CAS Server

TCP

443

Microsoft Exchange Web Services Connections.

Microsoft SQL Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
SQL VM guest OS

TCP

1433,
1434 and other

Port used for communication with the Microsoft SQL Server installed inside the VM.

Port numbers depends on configuration of your Microsoft SQL server. For more information, see Microsoft Docs.

SMTP Server Connections

The following table describes network ports that must be opened to ensure proper communication of the backup server with the SMTP server.

From

To

Protocol

Port

Notes

Backup server

SMTP server

TCP

25

Port used by the SMTP server.

Port 25 is most commonly used but the actual port number depends on configuration of your environment.

Veeam Backup Enterprise Manager Connections

Veeam Backup Enterprise Manager Connections

 

Veeam Explorers Connections

Veeam Cloud Connect Connections

Veeam Cloud Connect Connections

Veeam Agent for Microsoft Windows Connections

Veeam Agent for Microsoft Windows Connections

Veeam Agent for Linux Connections

Veeam Agent for Linux Connections

Veeam Plug-ins for Enterprise Applications Connections

Internet Connections

If you use an HTTP(S) proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.

Used Ports Note:

Tenants cannot access Veeam Cloud Connect infrastructure components through HTTP(S) proxy servers. For information on supported protocols for Veeam Cloud Connect, see the Used Ports section in the Veeam Cloud Connect Guide.

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Agent Management Guide

Veeam Explorers User Guide

Backup and Restore of SQL Server Databases

Veeam Plug-ins for Enterprise Applications

PowerShell Reference

Veeam Explorers PowerShell Reference

RESTful API Reference

Required Permissions Reference

Veeam Availability for Nutanix AHV Documentation

Veeam Backup for Microsoft Office 365 Documentation

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation