Used Ports

On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports. These rules allow communication between the components.

Important

Some Linux distributions require firewall and/or security rules to be created manually. For details, see this Veeam KB article.

You can find the full list of the ports below.

Microsoft Windows Server

The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows servers.

Each Microsoft Windows server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.

For example, if you assign the role of a VMware backup proxy to your Microsoft Windows server, you must open ports listed below and also ports listed in the Backup Proxy section.

The Microsoft Windows server that acts as an NFS file share requires network ports listed below and also ports listed in the NFS Backup Repository. The Microsoft Windows server that acts as an SMB file share requires network ports listed below and also ports listed in the SMB Backup Repository. 

From

To

Protocol

Port

Notes

Backup server

Microsoft Windows server

TCP

445
135

Port required for deploying Veeam Backup & Replication components.

Note: Port 135 is optional to provide faster deployment.

Hyper-V server/Off-host backup proxy

TCP

6160

Default port used by the Veeam Installer Service.

Backup repository

TCP

2500 to 33001

Default range of ports used as data transmission channels and for collecting log files.

For every TCP connection that a job uses, one port from this range is assigned.

Gateway server

TCP

6162

Default port used by the Veeam Data Mover.

Mount server

TCP

49152 to 65535
(for Microsoft Windows 2008 and later)

Dynamic port range. For more information, see this Microsoft KB article.

WAN accelerator

Tape server

Backup server

SMB3 server

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover.

1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Linux Server

The following table describes network ports that must be opened to ensure proper communication with Linux servers.

Each Linux server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.

For example, if you assign the role of a backup repository to your Linux server, you must open ports listed below and also ports listed in the Microsoft Windows/Linux-based Backup Repository section.

The Linux server that acts as an NFS file share requires network ports listed below and also ports listed in the NFS Backup Repository. The Linux server that acts as an SMB file share requires network ports listed below and also ports listed in the SMB Backup Repository.

From

To

Protocol

Port

Notes

Backup server

Linux server

TCP

22

Port used as a control channel from the console to the target Linux host.

TCP

6162

Default port used by the Veeam Data Mover.

You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings.

TCP

2500 to 33001

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Linux server

Backup server

TCP

2500 to 33001

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup Server

The following table describes network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components. 

From

To

Protocol

Port

Notes

Virtualization Servers

Backup server

SCVMM

TCP

8100

Default port used to communicate with the VMM server via WCF.

Microsoft Hyper-V server

TCP

445
1351

Ports required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover.

TCP

6163

Default port used to communicate with Veeam Hyper-V Integration Service.

TCP

2500 to 33002

Default range of ports used as transmission channels for jobs. For every TCP connection that a job uses, one port from this range is assigned.

TCP

49152 to 65535 (for Microsoft Windows 2008 and later)

Dynamic port range. For more information, see this Microsoft KB article.

SCVMM

Backup server

TCP

8732

Port used by Veeam PowerShell Manager to establish communication between Veeam Backup & Replication components and the VMM server.

Other Servers

Backup server

Microsoft SQL Server hosting the Veeam Backup & Replication configuration database

TCP

1433

Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance).

Additional ports may need to be open depending on your configuration. For more information, see Microsoft Docs.

DNS server with forward/reverse name resolution of all backup servers

UDP

53

Port used for communication with the DNS Server.

Veeam Update Notification Server (dev.veeam.com)

HTTPS TCP

443

Default port used to download information about available updates from the Veeam Update Notification Server over the Internet.

Veeam License Update Server (vbr.butler.veeam.com, autolk.veeam.com)

TCP

443

Default port used for license auto-update.

Backup Server

Backup server

Backup server

TCP

9501

Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components.

Backup server

Backup server

TCP

6172

Port used to provide REST access to the Veeam Backup & Replication database.

Remote Access

Management client PC (remote access)

Backup server

TCP

3389

Default port used by the Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open.

REST API

REST client

Backup server

TCP

9419

Default port for communication with REST API service.

1 Port 135 is optional to provide faster deployment.

2 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup & Replication Console

The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console installed remotely.

From

To

Protocol

Port

Notes

Veeam Backup & Replication Console

Backup server

TCP

9392

Port used by the Veeam Backup & Replication console to connect to the backup server.

TCP

10003

Port used by the Veeam Backup & Replication console to connect to the backup server only when managing the Veeam Cloud Connect infrastructure.

TCP

9396

Port used by the Veeam.Backup.UIService process for managing database connections.

Veeam Backup & Replication Console

Mount server (if the mount server is not located on the console)

TCP

2500 to 33001

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup Proxy

The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components. 

From

To

Protocol

Port

Notes

Backup server

Off-host backup proxy

Off-host backup proxy is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

Communication with Backup Server

Backup server

Off-host backup proxy

TCP

6163

Default port used by the Hyper-V Integration Service.

SMB3 server

TCP

6163

Default port used by the Hyper-V Integration Service.

Off-host file proxy

TCP

6210

Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup.

Communication with Backup Repositories

Hyper-V server/ Off-host backup proxy

Microsoft Windows server

TCP

49152 to 65535
(for Microsoft Windows 2008 and later)

Dynamic port range. For more information, see this Microsoft KB article.

SMB (CIFS) share

TCP

445
1351

Ports used as a transmission channel from the backup proxy to the target SMB (CIFS) share.

NFS share

TCP, UDP

111
2049

Ports used as a transmission channel from the backup proxy to the target NFS share.

Gateway server

TCP
UDP

49152 to 65535
(for Microsoft Windows 2008 and later)

Dynamic port range. For more information, see this Microsoft KB article.

Communication with Backup Proxies

Hyper-V server

Backup proxy (onhost or offhost)

TCP

2500 to 33002

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft SMB3 server

Backup proxy (onhost or offhost)

TCP

2500 to 33002

Ports used to retrieve CBT information from a Microsoft SMB3 server managing shares that host VM disks.

1 Port 135 is optional to provide faster deployment.

2 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup Repositories

Microsoft Windows/Linux-based Backup Repository

The following table describes network ports that must be opened to ensure proper communication with backup repositories. Cache repositories in NAS backup use the same network ports as backup repositories.

From

To

Protocol

Port

Notes

Hyper-V server/ Off-host backup proxy

Microsoft Windows server performing the role of the backup repository/file server

Ports listed in Microsoft Windows Server must be opened.

Hyper-V server/ Off-host backup proxy

Linux server performing the role of the backup repository/file server

Ports listed in Linux Server must be opened.

Backup proxy

Backup repository

TCP

2500 to 33001

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Source backup repository

Target backup repository

TCP

2500 to 33001

Default range of ports used as transmission channels for backup copy jobs. For every TCP connection that a job uses, one port from this range is assigned.
Ports 2500 to 3300 are used for backup copy jobs that do not utilize WAN accelerators. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are open.

Source backup repository

Object storage repository gateway server

TCP

2500 to 33001

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Backup repository/ secondary backup repository

Cache repository in NAS backup

TCP

2500 to 33001

Default range of ports used as transmission channels for file share backup restore jobs. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft Windows server running vPower NFS Service

Backup repository gateway server working with backup repository

TCP

2500 to 33001

Default range of ports used as transmission channels during Instant Recovery to VMware vSphere.

For every TCP connection that a job uses, one port from this range is assigned.

1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

NFS Backup Repository

The following table describes network ports that must be opened to ensure proper communication with NFS shares added as backup repositories.

From

To

Protocol

Port

Notes

Microsoft Windows server performing the role of the gateway server/backup proxy

NFS backup repository/file share

Ports listed in Microsoft Windows Server must be opened.

Linux server performing the role of the gateway server/backup proxy

NFS backup repository/file share

Ports listed in Linux Server must be opened.

Gateway server/backup proxy (Microsoft Windows/Linux)

NFS backup repository/file share

TCP
UDP

2049

Default NFS port.

TCP
UDP

111

Port used for rpcbind service.

Gateway server/backup proxy (Microsoft Windows/Linux)

NFS backup repository/file share
(for repositories supporting NFS protocol version 3)

TCP
UDP

mountd_port

Dynamic port used for mountd service. Can be assigned statically.

TCP
UDP

statd_port

Dynamic port used for statd service. Can be assigned statically.

TCP

lockd_port

Dynamic TCP port used for lockd service. Can be assigned statically.

UDP

lockd_port

Dynamic UDP port used for lockd service. Can be assigned statically.

Gateway server/backup proxy (specified in the NFS repository settings)

NFS backup repository/file share

TCP
UDP

111, 2049

Standard NFS ports used as a transmission channel from the gateway server to the target NFS share.

SMB Backup Repository

The following table describes network ports that must be opened to ensure proper communication with SMB (CIFS) shares added as backup repositories.

From

To

Protocol

Port

Notes

Microsoft Windows server performing the role of the gateway server/backup proxy

SMB (CIFS) backup repository/file share

Ports listed in Microsoft Windows Server must be opened.

Gateway server/backup proxy (Microsoft Windows)

SMB (CIFS) backup repository

TCP

445
1351

Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share.

1 Port 135 is optional to provide faster deployment.

Dell EMC Data Domain System

For more information, see Dell EMC Documents.

From

To

Protocol

Port

Notes

Backup server
or
Gateway server

Dell EMC Data Domain

TCP

111

Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned.

TCP

2049

Main port used by NFS. Can be modified using the ‘nfs set server-port’ command. Command requires SE mode.

TCP

2052

Main port used by NFS MOUNTD. Can be modified using the 'nfs set mountd-port' command in SE mode.

Backup server

Gateway server

Ports listed in Gateway Server must be opened.

ExaGrid

From

To

Protocol

Port

Notes

Backup server

ExaGrid

TCP

22

Default command port used for communication with ExaGrid.

Backup proxy

ExaGrid

TCP

2500 to 3300

Default range of ports used for communication with the backup proxy.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

HPE StoreOnce

From

To

Protocol

Port

Notes

Backup server
or
Gateway server

HPE StoreOnce

TCP

9387

Default command port used for communication with HPE StoreOnce.

9388

Default data port used for communication with HPE StoreOnce.

Backup server

Gateway server

Ports listed in Gateway Server must be opened.

Quantum DXi

From

To

Protocol

Port

Notes

Backup server

Quantum DXi

TCP

22

Default command port used for communication with Quantum DXi.

Backup proxy

Quantum DXi

TCP

2500 to 3300

Default range of ports used for communication with the backup proxy.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Object Storage Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories. For more information, see Object Storage Repository.

From

To

Protocol

Port/Endpoint

Notes

Gateway server

Amazon S3 object storage

TCP

443

Used to communicate with Amazon S3 object storage.

HTTPS

AWS service endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

A complete list of connection endpoints can be found in this Amazon article.

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.amazontrust.com

Microsoft Azure object storage

TCP

443

Used to communicate with Microsoft Azure object storage.

Consider that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal.

HTTPS

Cloud endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.cloudapi.de (for Germany region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

TCP

80

Used to verify the certificate status.

Consider the following:

  • Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
  • The *.d-trust.net endpoint is used for the Germany region only.

HTTP

Certificate verification endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com
  • *.d-trust.net  

Google Cloud storage

TCP

443

Used to communicate with Google Cloud storage.

 

HTTPS

Cloud endpoints:

  • storage.googleapis.com

A complete list of connection endpoints can be found in this Google article.

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • ocsp.pki.goog
  • pki.goog
  • crl.pki.goog

IBM Cloud object storage

TCP/HTTPS

Customizable and depends on device configuration

Used to communicate with IBM Cloud object storage.

S3 compatible object storage

TCP/HTTPS

Customizable and depends on device configuration

Used to communicate with S3 compatible object storage.

External Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with external repositories. For more information, see External Repository.

From

To

Protocol

Port/Endpoint

Notes

Gateway server

Amazon S3 object storage

TCP

443

Used to communicate with Amazon S3 object storage.

HTTPS

AWS service endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

A complete list of connection endpoints can be found in this Amazon article.

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.amazontrust.com

Microsoft Azure object storage

TCP

443

Used to communicate with Microsoft Azure object storage.

Consider that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal.

HTTPS

Cloud endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.cloudapi.de (for Germany region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

TCP

80

Used to verify the certificate status.

Consider the following:

  • Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
  • The *.d-trust.net endpoint is used for the Germany region only.

HTTP

Certificate verification endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com
  • *.d-trust.net  

Google Cloud storage

TCP

443

Used to communicate with Google Cloud storage.

 

HTTPS

Cloud endpoints:

  • storage.googleapis.com

A complete list of connection endpoints can be found in this Google article.

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • ocsp.pki.goog
  • pki.goog
  • crl.pki.goog

Archive Object Storage Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories used as a part of Archive Tier. For more information, see Archive Tier.

From

To

Protocol

Port/Endpoint

Notes

Gateway server

Amazon EC2 proxy appliance

TCP

443 (default, adjustable via Amazon S3 Glacier wizard)

If there is no gateway server selected, VBR server will be used as a gateway server.

If you use Amazon S3 Glacier object storage, the gateway server should have direct connection to AWS service endpoints. HTTP(S) proxy servers are not supported.

SSH

22

HTTPS

AWS service endpoints:

  • Public/private IPv4 addresses of EC2 appliances.

Microsoft Azure proxy appliance

TCP

443 (default, adjustable via Azure Archive wizard)

SSH

22

HTTPS

Cloud endpoints:

  • Public/private IPv4 addresses of Azure appliances.

Amazon EC2 proxy appliance

Amazon S3 object storage

TCP

443

Used to communicate with Amazon S3 object storage.

HTTPS

AWS service endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

A complete list of connection endpoints can be found in this Amazon article.

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.amazontrust.com

Microsoft Azure proxy appliance

Microsoft Azure object storage

TCP

443

Used to communicate with Microsoft Azure object storage.

The <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Microsoft Azure management portal.

HTTPS

Cloud endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.cloudapi.de (for Germany region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

TCP

80

Used to verify the certificate status.

Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

The *.d-trust.net endpoint is used for the Germany region only.

HTTP

Certificate verification endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com
  • *.d-trust.net

Gateway Server

The following table describes network ports that must be opened to ensure proper communication with gateway servers.

From

To

Protocol

Port

Notes

Backup server

Microsoft Windows server performing the role of the gateway server

Ports listed in Microsoft Windows Server must be opened.

Backup server

Linux server performing the role of the gateway server (if a gateway server is specified explicitly in NFS backup repository settings)

Ports listed in Linux Server must be opened.

Gateway server
(if a gateway server is specified explicitly in SMB (CIFS) backup repository settings)

SMB (CIFS) share

TCP

445
1351

Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share.

Gateway server
(if a gateway server is specified explicitly in NFS backup repository settings)

NFS share

TCP, UDP

111, 2049

Ports used as a transmission channel from the gateway server to the target NFS share.

1 Port 135 is optional to provide faster deployment.

Tape Server

The following table describes network ports that must be opened to ensure proper communication with tape servers.

From

To

Protocol

Port

Notes

Backup server

Tape server

Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

TCP

6166

Controlling port for RPC calls.

TCP

2500 to 33001

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Tape server

Backup server

TCP

2500 to 33001

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Backup repository, gateway server or proxy server

Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

WAN Accelerator

The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.

From

To

Protocol

Port

Notes

Backup server

WAN accelerator
(source and target)

WAN accelerator is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover.

TCP

6164

Controlling port for RPC calls.

WAN accelerator
(source and target)

Backup repository
(source and target)

TCP

2500 to 33001

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically.

WAN accelerator

WAN accelerator

TCP

6164

Controlling port for RPC calls.

TCP

6165

Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed.

1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Guest Interaction Proxy

Connections with Non-Persistent Runtime Components

The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.

From

To

Protocol

Port

Notes

Backup server

VM guest OS (Linux)

TCP

22

Default SSH port used as a control channel.

Guest interaction proxy

TCP

6190

Used for communication with the guest interaction proxy.

TCP

6290

Used as a control channel for communication with the guest interaction proxy.

TCP

445

Used as a transmission channel.

Network ports described in the table below are NOT required when working in networkless mode over PowerShell Direct.

From

To

Protocol

Port

Notes

Guest interaction proxy

VM guest OS (Microsoft Windows)

TCP

445
135

Required to deploy the runtime coordination process on the VM guest OS.

Note: Port 135 is optional to provide faster deployment.

TCP

2500 to 3300

Default range of ports used as transmission channels for log shipping.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Used by the runtime process deployed inside the VM for guest OS interaction.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

VM guest OS (Linux)

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used as transmission channels for log shipping.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

VM guest OS

Guest interaction proxy

TCP

2500 to 3300

Default range of ports used as transmission channels for log shipping.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Connections with Persistent Agent Components

The following table describes network ports that must be opened to ensure proper communication of the backup server with the persistent agent components deployed inside the VM guest OS for application-aware processing and indexing.

From

To

Protocol

Port

Notes

Guest interaction proxy

VM guest OS

TCP

6160
11731

Default port and failover port used by the Veeam Installer Service.

TCP

6173
2500

Used by the Veeam Guest Helper for guest OS processing and file-level restore.

Log Shipping Components

The following tables describe network ports that must be opened to ensure proper communication between log shipping components.

Log Shipping Server Connections

From

To

Protocol

Port

Notes

Backup server

Log shipping server

TCP

445
135

Required for deploying Veeam Backup & Replication components.

Note: Port 135 is optional to provide faster deployment.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Log shipping server

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

MS SQL Guest OS Connections

From

To

Protocol

Port

Notes

Guest interaction proxy

MS SQL VM guest OS

TCP

445
135

[Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: Port 135 is optional to provide faster deployment.

TCP

2500 to 3300

[Non-persistent runtime components only] Default range of ports used for communication with a guest OS.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

49152 to 65535

[Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

TCP

6160
11731

[Persistent agent components only] Default port and failover port used by the Veeam Installer Service.

TCP

6167

Used by the Veeam Log Shipping Service for preparing the database and taking logs.

MS SQL VM guest OS

Guest interaction proxy

TCP

2500 to 3300

[Non-persistent runtime components only] Default range of ports used for communication with a guest interaction proxy.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

MS SQL VM guest OS

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

MS SQL VM guest OS

Log shipping server

TCP

2500 to 3300

Default range of ports used for communication with a log shipping server and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle Guest OS Connections

From

To

Protocol

Port

Notes

Guest interaction proxy

Oracle VM guest OS (Microsoft Windows)

TCP

445
135

[Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: Port 135 is optional to provide faster deployment.

TCP

2500 to 3300

[Non-persistent runtime components only] Default range of ports used for communication with a guest OS.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

49152 to 65535

[Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

TCP

6160
11731

[Persistent agent components only] Default port and failover port used by the Veeam Installer Service.

TCP

6167

Used by the Veeam Log Shipping Service for preparing the database and taking logs.

Oracle VM guest OS (Linux)

TCP

22

[Non-persistent runtime components only] Default SSH port used as a control channel.

This port is NOT required when working in networkless mode over PowerShell Direct.

TCP

2500 to 3300

[Non-persistent runtime components only] Default range of ports used for communication with a guest OS.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle VM guest OS

Guest interaction proxy

TCP

2500 to 3300

[Non-persistent runtime components only] Default range of ports used for communication with a guest interaction proxy.

These ports are NOT required when working in networkless mode over PowerShell Direct.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle VM guest OS

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle VM guest OS

Log shipping server

TCP

2500 to 3300

Default range of ports used for communication with a log shipping server and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Recovery Components

Guest OS File Recovery

The following table describes network ports that must be opened to ensure proper communication between components for guest OS file recovery.

Mount Server Connections

From

To

Protocol

Port

Notes

Mount server

Backup server

TCP

9401

Used for communication with the Veeam Backup Service.

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup server

Mount server

TCP

445

Required for deploying Veeam Backup & Replication components.

TCP

2500 to 3300

Default range of ports used for communication with a mount server.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

6160

Default port used by the Veeam Installer Service including checking the compatibility between components before starting the recovery process.

TCP

6162

Default port used by the Veeam Data Mover.

TCP

6170

Used for communication with a local or remote Mount Service.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Helper Appliance Connections

From

To

Protocol

Port

Notes

Helper appliance

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup server

Helper appliance

 

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper appliance.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Mount server

Helper appliance

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper appliance.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Helper Host Connections

From

To

Protocol

Port

Notes

Helper host

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup server

Helper host

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper host.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

6162

Default port used by the Veeam Data Mover.

Mount server

Helper host

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper host.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Guest OS Connections

From

To

Protocol

Port

Notes

VM guest OS (Linux/Unix)

Helper appliance

TCP

21

Default port used for protocol control messages if FTP server is enabled.

Helper appliance

VM guest OS (Linux/Unix)

TCP

20

Default port used for data transfer if FTP server is enabled.

TCP

2500 to 3300

Default range of ports used for communication with a VM guest OS.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Helper host

VM guest OS (Linux/Unix)

TCP

2500 to 3300

Default range of ports used for communication with a VM guest OS.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup server

VM guest OS (Linux/Unix)

TCP

22

Default SSH port used as a control channel.

Mount server

VM guest OS (Microsoft Windows)

TCP

445
135

Required to deploy the runtime coordination process on the VM guest OS.

Note: Port 135 is optional to provide faster deployment.

TCP

6160
11731

Default port and failover port used by the Veeam Installer Service.

TCP

6173
2500

Used by the Veeam Guest Helper for guest OS processing and file-level restore if persistent agent components are deployed inside the VM guest OS.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Backup server

VM guest OS

TCP

2500 to 3300

Default range of ports used for communication with a VM guest OS.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Veeam U-AIR

The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

From

To

Protocol

Port

Notes

U-AIR wizards

Veeam Backup Enterprise Manager

TCP

9394

Default port used for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation.

Microsoft Active Directory Domain Controller Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
Active Directory VM guest OS

TCP

135

Port required for communication between the domain controller and backup server.

TCP,
UDP

389

LDAP connections.

TCP

636, 3268, 3269

LDAP connections.

TCP

49152 to 65535 (for Microsoft Windows 2008 and later)

Dynamic port range used by the runtime coordination process deployed inside the VM guest OS for application-aware processing1 For more information, see this Microsoft KB article.

1 If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports: during setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the “RPC function call failed” error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Microsoft Exchange Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft Exchange 2003/2007 CAS Server

TCP

80, 443

WebDAV connections.

Microsoft Exchange 2010/2013/2016/2019 CAS Server

TCP

443

Microsoft Exchange Web Services Connections.

Microsoft SQL Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
SQL VM guest OS

TCP

1433,
1434 and other

Port used for communication with the Microsoft SQL Server installed inside the VM.

Port numbers depends on configuration of your Microsoft SQL server. For more information, see Microsoft Docs.

Proxy Appliance (Restore to Amazon EC2, Google Cloud)

From

To

Protocol

Port

Notes

Backup server/Backup Repository

Proxy appliance

TCP

22

Port used as a communication channel to the proxy appliance in the restore to Amazon EC2 or Google Cloud process.

TCP

443

Default redirector port. You can change the port in proxy appliance settings. For details, see Specify Proxy Appliance in Restore to Amazon EC2 and Restore to Google Cloud.

Azure Proxy

From

To

Protocol

Port

Notes

Backup server/ Backup repository

Azure proxy

TCP

443

Default management and data transport port required for communication with the Azure proxy. The port must be opened on the backup server and backup repository storing VM backups.

The default port is 443, but you can change it in the settings of the Azure Proxy. For details, see Specify Credentials and Transport Port

Azure Helper Appliance

From

To

Protocol

Port

Notes

Backup server

Azure helper appliance

TCP

22

Port used as a communication channel to the proxy appliance in the Restore to Azure process

The default port is 22, but you can change it during helper appliance deployment.

For details, see Configuring Helper Appliances.

Azure Stack

From

To

Protocol

Port

Notes

Backup server

Azure Stack

HTTPS

443, 30024

Default management and data transport port required for communication with the Azure Stack.

Veeam Backup Enterprise Manager

Veeam Backup Enterprise Manager Connections

 

Veeam Explorers

Veeam Cloud Connect

Veeam Cloud Connect Connections

Veeam Agents

Veeam Agent for Microsoft Windows

Veeam Agent for Linux

Veeam Agent for Mac

Veeam Plug-ins for Enterprise Applications

Veeam Plug-ins for Cloud Solutions

Kasten K10

Kasten K10 Connections

Other Connections

NDMP Server

The following table describes network ports that must be opened to ensure proper communication with NDMP servers.

From

To

Protocol

Port

Notes

Gateway server

NDMP server

NDMP

10000

Port used for data transfer between the components.

SMTP Server

The following table describes network ports that must be opened to ensure proper communication of the backup server with the SMTP server.

From

To

Protocol

Port

Notes

Backup server

SMTP server

TCP

25

Port used by the SMTP server.

Internet Connections

If you use an HTTP(S) proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.

Note

Tenants cannot access Veeam Cloud Connect infrastructure components through HTTP(S) proxy servers. For information on supported protocols for Veeam Cloud Connect, see the Used Ports section in the Veeam Cloud Connect Guide.