Used Ports

In this article

    On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports. These rules allow communication between the components.

    Important

    Some Linux distributions require firewall and/or security rules to be created manually. For details, see this Veeam KB article.

    You can find the full list of the ports below.

    Microsoft Windows Server

    The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows servers.

    Each Microsoft Windows server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.

    For example, if you assign the role of a backup proxy to your Microsoft Windows server, you must open ports listed below and also ports listed in the Backup Proxy section.

    The Microsoft Windows server that acts as an NFS file share requires network ports listed below and also ports listed in the NFS Backup Repository. The Microsoft Windows server that acts as an SMB file share requires network ports listed below and also ports listed in the SMB Backup Repository.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft Windows server

    TCP

    445
    135

    Port required for deploying Veeam Backup & Replication components.

    Note: Port 135 is optional to provide faster deployment.

    Backup proxy

    TCP

    6160

    Default port used by the Veeam Installer Service.

    Backup repository

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels and for collecting log files.

    For every TCP connection that a job uses, one port from this range is assigned.

    Gateway server

    TCP

    6161

    [For Microsoft Windows servers running the vPower NFS Service] Default port used by the Veeam vPower NFS Service.

    Mount server

    TCP

    6162

    Default port used by the Veeam Data Mover.

    WAN accelerator

    TCP

    49152 to 65535
    (for Microsoft Windows 2008 and later)

    Dynamic port range. For more information, see this Microsoft KB article.

    Tape server

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Linux Server

    The following table describes network ports that must be opened to ensure proper communication with Linux servers.

    Each Linux server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.

    For example, if you assign the role of a backup repository to your Linux server, you must open ports listed below and also ports listed in the Microsoft Windows/Linux-based Backup Repository section.

    The Linux server that acts as an NFS file share requires network ports listed below and also ports listed in the NFS Backup Repository. The Linux server that acts as an SMB file share requires network ports listed below and also ports listed in the SMB Backup Repository.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Linux server

    TCP

    22

    Port used as a control channel from the console to the target Linux host.

    TCP

    6162

    Default port used by the Veeam Data Mover.

    You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings.

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    Linux server

    Backup server

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup Server

    The following table describes network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components.

    From

    To

    Protocol

    Port

    Notes

    Virtualization Servers

    Backup server

    vCenter Server

    HTTPS TCP

    443

    Default port used for connections to vCenter Server.

    If you use vCloud Director, make sure you open port 443 on underlying vCenter Servers.

    HTTPS TCP

    10443

    Port used to access vCenter Inventory Service (HTTP or HTTPS) and collect vCenter Server tags.

    This port is used for communication with vCenter Server 5.x only.

    This port is not required for VMware Cloud on AWS.

    ESXi server

    HTTPS TCP

    443

    Default port used for connections to ESXi host.

    This port is not required for VMware Cloud on AWS.

    TCP

    902

    Port used for data transfer to ESXi host.

    This port is not required for VMware Cloud on AWS.

    vCloud Director

    HTTPS TCP

    443

    Default port used for connections to vCloud Director.

    Other Servers

    Backup server

    Microsoft SQL Server hosting the Veeam Backup & Replication configuration database

    TCP

    1433

    Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance).

    Additional ports may need to be open depending on your configuration. For more information, see Microsoft Docs.

    DNS server with forward/reverse name resolution of all backup servers

    UDP

    53

    Port used for communication with the DNS Server.

    Veeam Update Notification Server (dev.veeam.com)

    HTTPS TCP

    443

    Default port used to download information about available updates from the Veeam Update Notification Server over the Internet.

    Veeam License Update Server (vbr.butler.veeam.com, autolk.veeam.com)

    TCP

    443

    Default port used for license auto-update.

    Backup Server

    Backup server

    Backup server

    TCP

    9501

    Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components.

    Backup server

    Backup server

    TCP

    6172

    Port used to provide REST access to the Veeam Backup & Replication database.

    Remote Access

    Management client PC (remote access)

    Backup server

    TCP

    3389

    Default port used by the Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open.

    REST API

    REST client

    Backup server

    TCP

    9419

    Default port for communication with REST API service.

    Backup & Replication Console

    The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console installed remotely.

    From

    To

    Protocol

    Port

    Notes

    Veeam Backup & Replication Console

    Backup server

    TCP

    9392

    Port used by the Veeam Backup & Replication console to connect to the backup server.

    TCP

    10003

    Port used by the Veeam Backup & Replication console to connect to the backup server only when managing the Veeam Cloud Connect infrastructure.

    TCP

    9396

    Port used by the Veeam.Backup.UIService process for managing database connections.

    Veeam Backup & Replication Console

    Mount server (if the mount server is not located on the console)

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup Proxy

    The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Backup proxy

    Backup proxy can be a Microsoft Windows or Linux server. Depending on which server you use, the ports listed in Microsoft Windows Server or Linux Server must be opened.

    Communication with Backup Server

    Backup server

    Backup proxy

    TCP

    6210

    Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup.

    Communication with VMware Servers

    Backup proxy

    vCenter Server

    HTTPS

    443

    Default VMware web service port that can be customized in vCenter settings.

    ESXi server

    TCP

    902

    Default VMware port used for data transfer.

    This port is not required for VMware Cloud on AWS.

    HTTPS

    443

    Default VMware web service port that can be customized in ESXi host settings. Not required if vCenter connection is used.

    This port is not required for VMware Cloud on AWS.

    Communication with Backup Repositories

    Backup proxy

    Microsoft Windows server

    TCP

    49152 to 65535
    (for Microsoft Windows 2008 and later)

    Dynamic port range. For more information, see this Microsoft KB article.

    SMB (CIFS) share

    TCP

    445
    1351

    Ports used as a transmission channel from the backup proxy to the target SMB (CIFS) share.

    Traffic goes between the backup proxy and the SMB (CIFS) share only if a gateway server is not specified explicitly in SMB (CIFS) backup repository settings (the Automatic selection option is used).

    If a gateway server is specified explicitly, traffic goes between the gateway server and the SMB (CIFS) share. For more information about required ports, see the Gateway server > SMB (CIFS) share line below in this table.

    NFS share

    TCP, UDP

    111, 2049

    Ports used as a transmission channel from the backup proxy to the target NFS share.

    Traffic goes between the backup proxy and the NFS share only if a gateway server is not specified explicitly in NFS backup repository settings (the Automatic selection option is used).

    If a gateway server is specified explicitly, traffic goes between the gateway server and the NFS share. For more information about required ports, see the Gateway server > NFS share line below in this table.

    Gateway server

    TCP

    49152 to 65535
    (for Microsoft Windows 2008 and later)

    Dynamic port range. For more information, see this Microsoft KB article.

    Gateway server
    (if a gateway server is specified explicitly in SMB (CIFS) backup repository settings)

    SMB (CIFS) share

    TCP

    445
    1351

    Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share.

    Gateway server
    (if a gateway server is specified explicitly in NFS backup repository settings)

    NFS share

    TCP, UDP

    111, 2049

    Ports used as a transmission channel from the gateway server to the target NFS share.

    Communication with Backup Proxies

    Backup proxy

    Backup proxy

    TCP

    2500 to 33002

    Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

    1 Port 135 is optional to provide faster deployment.

    2 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup Repositories

    Microsoft Windows/Linux-based Backup Repository

    The following table describes network ports that must be opened to ensure proper communication with backup repositories. Cache repositories in NAS backup use the same network ports as backup repositories.

    From

    To

    Protocol

    Port

    Notes

    Backup proxy

    Microsoft Windows server performing the role of the backup repository/file server

    Ports listed in Microsoft Windows Server must be opened.

    Backup proxy

    Linux server performing the role of the backup repository/file server

    Ports listed in Linux Server must be opened.

    Backup proxy

    Backup repository

    TCP

    2500 to 33001

    Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

    Source backup repository

    Target backup repository

    TCP

    2500 to 33001

    Default range of ports used as transmission channels for backup copy jobs. For every TCP connection that a job uses, one port from this range is assigned.
    Ports 2500 to 3300 are used for backup copy jobs that do not utilize WAN accelerators. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are open.

    Source backup repository

    Object storage repository gateway server

    TCP

    2500 to 33001

    Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

    Backup repository/ secondary backup repository

    Cache repository in NAS backup

    TCP

    2500 to 33001

    Default range of ports used as transmission channels for file share backup restore jobs. For every TCP connection that a job uses, one port from this range is assigned.

    Microsoft Windows server running vPower NFS Service

    Backup repository gateway server working with backup repository

    TCP

    2500 to 33001

    Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery.

    For every TCP connection that a job uses, one port from this range is assigned.

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    NFS Backup Repository

    The following table describes network ports that must be opened to ensure proper communication with NFS shares added as backup repositories.

    From

    To

    Protocol

    Port

    Notes

    Microsoft Windows server performing the role of the gateway server/backup proxy

    NFS backup repository/file share

    Ports listed in Microsoft Windows Server must be opened.

    Linux server performing the role of the gateway server/backup proxy

    NFS backup repository/file share

    Ports listed in Linux Server must be opened.

    Gateway server/backup proxy (Microsoft Windows/Linux)

    NFS backup repository/file share

    TCP
    UDP

    2049

    Default NFS port.

    TCP
    UDP

    111

    Port used for rpcbind service.

    Gateway server/backup proxy (Microsoft Windows/Linux)

    NFS backup repository/file share
    (for repositories supporting NFS protocol version 3)

    TCP
    UDP

    mountd_port

    Dynamic port used for mountd service. Can be assigned statically.

    TCP
    UDP

    statd_port

    Dynamic port used for statd service. Can be assigned statically.

    TCP

    lockd_port

    Dynamic TCP port used for lockd service. Can be assigned statically.

    UDP

    lockd_port

    Dynamic UDP port used for lockd service. Can be assigned statically.

    Gateway server/backup proxy (specified in the NFS repository settings)

    NFS backup repository/file share

    TCP
    UDP

    111, 2049

    Standard NFS ports used as a transmission channel from the gateway server to the target NFS share.

    SMB Backup Repository

    The following table describes network ports that must be opened to ensure proper communication with SMB (CIFS) shares added as backup repositories.

    From

    To

    Protocol

    Port

    Notes

    Microsoft Windows server performing the role of the gateway server/backup proxy

    SMB (CIFS) backup repository/file share

    Ports listed in Microsoft Windows Server must be opened.

    Gateway server/backup proxy (Microsoft Windows)

    SMB (CIFS) backup repository

    TCP

    445
    1351

    Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share.

    1 Port 135 is optional to provide faster deployment.

    Dell EMC Data Domain System

    For more information, see Dell EMC Documents.

    From

    To

    Protocol

    Port

    Notes

    Backup server
    or
    Gateway server

    Dell EMC Data Domain

    TCP

    111

    Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned.

    TCP

    2049

    Main port used by NFS. Can be modified using the ‘nfs set server-port’ command. Command requires SE mode.

    TCP

    2052

    Main port used by NFS MOUNTD. Can be modified using the 'nfs set mountd-port' command in SE mode.

    Backup server

    Gateway server

    Ports listed in Gateway Server must be opened.

    ExaGrid

    From

    To

    Protocol

    Port

    Notes

    Backup server

    ExaGrid

    TCP

    22

    Default command port used for communication with ExaGrid.

    Backup proxy

    ExaGrid

    TCP

    2500 to 3300

    Default range of ports used for communication with the backup proxy.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    HPE StoreOnce

    From

    To

    Protocol

    Port

    Notes

    Backup server
    or
    Gateway server

    HPE StoreOnce

    TCP

    9387

    Default command port used for communication with HPE StoreOnce.

    9388

    Default data port used for communication with HPE StoreOnce.

    Backup server

    Gateway server

    Ports listed in Gateway Server must be opened.

    Quantum DXi

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Quantum DXi

    TCP

    22

    Default command port used for communication with Quantum DXi.

    Backup proxy

    Quantum DXi

    TCP

    2500 to 3300

    Default range of ports used for communication with the backup proxy.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Object Storage Repository

    The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories. For more information, see Object Storage Repository.

    From

    To

    Protocol

    Port/Endpoint

    Notes

    Gateway server

    Amazon S3 Object Storage

    TCP

    443

    Used to communicate with Amazon S3 Object Storage.

    HTTPS

    Cloud endpoints:

    • *.amazonaws.com (for both Global and Government regions)
    • *.amazonaws.com.cn (for China region)

    A complete list of connection endpoints can be found in this Amazon article.

    TCP

    80

    Used to verify the certificate status.

    Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

    HTTP

    Certificate verification endpoints:

    • *.amazontrust.com

    Microsoft Azure Object Storage

    TCP

    443

    Used to communicate with Microsoft Azure Object Storage.

    Consider that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal.

    HTTPS

    Cloud endpoints:

    • xxx.blob.core.windows.net (for Global region)
    • xxx.blob.core.chinacloudapi.cn (for China region)
    • xxx.blob.core.cloudapi.de (for Germany region)
    • xxx.blob.core.usgovcloudapi.net (for Government region)

    TCP

    80

    Used to verify the certificate status.

    Consider the following:

    • Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
    • The *.d-trust.net endpoint is used for the Germany region only.

    HTTP

    Certificate verification endpoints:

    • ocsp.digicert.com
    • ocsp.msocsp.com
    • *.d-trust.net  

    Google Cloud Storage

    TCP

    443

    Used to communicate with Google Cloud Storage.

     

    HTTPS

    Cloud endpoints:

    • storage.googleapis.com

    A complete list of connection endpoints can be found in this Google article.

    TCP

    80

    Used to verify the certificate status.

    Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

    HTTP

    Certificate verification endpoints:

    • ocsp.pki.goog
    • pki.goog
    • crl.pki.goog

    IBM Cloud Object Storage

    TCP/HTTPS

    Customizable and depends on device configuration

    Used to communicate with IBM Cloud Object Storage.

    S3 Compatible Object Storage

    TCP/HTTPS

    Customizable and depends on device configuration

    Used to communicate with S3 Compatible Object Storage.

    External Repository

    The following table describes network ports and endpoints that must be opened to ensure proper communication with external repositories. For more information, see External Repository.

    From

    To

    Protocol

    Port/Endpoint

    Notes

    Gateway server

    Amazon S3 Object Storage

    TCP

    443

    Used to communicate with Amazon S3 Object Storage.

    HTTPS

    Cloud endpoints:

    • *.amazonaws.com (for both Global and Government regions)
    • *.amazonaws.com.cn (for China region)

    A complete list of connection endpoints can be found in this Amazon article.

    TCP

    80

    Used to verify the certificate status.

    Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

    HTTP

    Certificate verification endpoints:

    • *.amazontrust.com

    Microsoft Azure Object Storage

    TCP

    443

    Used to communicate with Microsoft Azure Object Storage.

    Consider that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal.

    HTTPS

    Cloud endpoints:

    • xxx.blob.core.windows.net (for Global region)
    • xxx.blob.core.chinacloudapi.cn (for China region)
    • xxx.blob.core.cloudapi.de (for Germany region)
    • xxx.blob.core.usgovcloudapi.net (for Government region)

    TCP

    80

    Used to verify the certificate status.

    Consider the following:

    • Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.
    • The *.d-trust.net endpoint is used for the Germany region only.

    HTTP

    Certificate verification endpoints:

    • ocsp.digicert.com
    • ocsp.msocsp.com
    • *.d-trust.net  

    Google Cloud Storage

    TCP

    443

    Used to communicate with Google Cloud Storage.

     

    HTTPS

    Cloud endpoints:

    • storage.googleapis.com

    A complete list of connection endpoints can be found in this Google article.

    TCP

    80

    Used to verify the certificate status.

    Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

    HTTP

    Certificate verification endpoints:

    • ocsp.pki.goog
    • pki.goog
    • crl.pki.goog

    Archive Object Storage Repository

    The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories used as a part of Archive Tier. For more information, see Archive Tier.

    From

    To

    Protocol

    Port/Endpoint

    Notes

    Gateway server

    Amazon EC2 proxy appliance

    TCP

    443 (default, adjustable via Amazon S3 Glacier wizard)

    If there is no gateway server selected, VBR server will be used as a gateway server

    SSH

    22

    HTTPS

    Cloud endpoints:

    • Public/private IPv4 addresses of EC2 appliances.

    Microsoft Azure proxy appliance

    TCP

    443 (default, adjustable via Azure Archive wizard)

    SSH

    22

    HTTPS

    Cloud endpoints:

    • Public/private IPv4 addresses of Azure appliances.

    Amazon EC2 proxy appliance

    Amazon S3 Object Storage

    TCP

    443

    Used to communicate with Amazon S3 Object Storage.

    HTTPS

    Cloud endpoints:

    • *.amazonaws.com (for both Global and Government regions)
    • *.amazonaws.com.cn (for China region)

    A complete list of connection endpoints can be found in this Amazon article.

    TCP

    80

    Used to verify the certificate status.

    Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

    HTTP

    Certificate verification endpoints:

    • *.amazontrust.com

    Microsoft Azure proxy appliance

    Microsoft Azure Object Storage

    TCP

    443

    Used to communicate with Microsoft Azure Object Storage.

    The <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Microsoft Azure management portal.

    HTTPS

    Cloud endpoints:

    • xxx.blob.core.windows.net (for Global region)
    • xxx.blob.core.chinacloudapi.cn (for China region)
    • xxx.blob.core.cloudapi.de (for Germany region)
    • xxx.blob.core.usgovcloudapi.net (for Government region)

    TCP

    80

    Used to verify the certificate status.

    Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

    The *.d-trust.net endpoint is used for the Germany region only.

    HTTP

    Certificate verification endpoints:

    • ocsp.digicert.com
    • ocsp.msocsp.com
    • *.d-trust.net

    Storage Systems

    Dell EMC VNX(e) Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    VNX File

    TCP

    22

    Default command port used for communication with VNX File over SSH.

    VNX Block

    TCP

    443

    Default port used for communication with Dell EMC VNX Block over HTTPS.

    VNXe

    TCP

    443

    Default port used for communication with Dell EMC VNXe over HTTPS and sending REST API calls.

    Backup proxy

    VNX Block

    VNXe

    TCP

    3260

    Default iSCSI target port.

    VNX File

    VNXe

    TCP, UDP

    2049, 111

    Standard NFS ports. Port 111 is used by the port mapper service.

    Dell EMC Isilon Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Dell EMC Isilon storage system

    TCP

    8080

    Default port used for communication with Dell EMC Isilon over HTTPS and sending REST API calls.

    Backup proxy

    Dell EMC Isilon storage system

    TCP, UDP

    2049, 111

    Standard NFS ports. Port 111 is used by the port mapper service.

    TCP

    445

    Standard SMB port.

    HPE 3PAR StoreServ Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    HPE 3PAR StoreServ storage system

    TCP

    8008

    Default port used for communication with HPE 3PAR StoreServ over HTTP.

    TCP

    8080

    Default port used for communication with HPE 3PAR StoreServ over HTTPS.

    TCP

    22

    Default command port used for communication with HPE 3PAR StoreServ over SSH.

    Backup proxy

    HPE 3PAR StoreServ storage system

    TCP

    3260

    Default iSCSI target port.

    HPE Lefthand Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    HPE Lefthand storage system

    TCP

    16022

    Default command port used for communication with HPE Lefthand over SSH.

    Backup proxy

    HPE Lefthand storage system

    TCP

    3260

    Default iSCSI target port.

    HPE Nimble Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    HPE Nimble storage system

    TCP

    5392

    Default command port used for communication with HPE Nimble (used for Nimble OS 2.3 and later).

    Backup proxy

    HPE Nimble storage system

    TCP

    3260

    Default iSCSI target port.

    IBM Spectrum Virtualize Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    IBM Spectrum Virtualize storage system

    TCP

    22

    Default command port used for communication with IBM Spectrum Virtualize over SSH.

    Backup proxy

    IBM Spectrum Virtualize storage system

    TCP

    3260

    Default iSCSI target port.

    NetApp Data ONTAP Storage

    From

    To

    Protocol

    Port

    Notes

    Backup server

    NetApp Data ONTAP storage system

    TCP

    80

    Default command port used for communication with NetApp Data ONTAP over HTTP.

    TCP

    443

    Default command port used for communication with NetApp Data ONTAP over HTTPS.

    Backup proxy

    NetApp Data ONTAP storage system

    TCP, UDP

    2049, 111

    Standard NFS ports. Port 111 is used by the port mapper service.

    TCP

    445

    Standard SMB port.

    TCP

    3260

    Default iSCSI target port.

    Universal Storage API Integrated System

    The following tables describe network ports that must be opened to ensure proper communication with Universal Storage API integrated systems:

    DataCore SANsymphony

    From

    To

    Protocol

    Port

    Notes

    Backup server

    DataCore SANsymphony  storage system

    TCP

    443

    Default command port used for communication with DataCore SANsymphony over HTTPS.

    Backup proxy

    DataCore SANsymphony  storage system

    TCP

    3260

    Default iSCSI target port.

    Dell EMC SC Series/Compellent

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Dell EMC SC Series  storage system

    TCP

    3033

    Default command port used for communication with Dell EMC SC Series over HTTPS.

    Backup proxy

    Dell EMC SC Series  storage system

    TCP

    3260

    Default iSCSI target port.

    Fujitsu ETERNUS DX/AF

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Fujitsu ETERNUS DX/AF storage system

    TCP

    22

    Default command port used for communication with Fujitsu ETERNUS DX/AF over SSH.

    Backup proxy

    Fujitsu ETERNUS DX/AF storage system

    TCP

    3260

    Default iSCSI target port.

    INFINIDAT InfiniBox

    From

    To

    Protocol

    Port

    Notes

    Backup server

    INFINIDAT InfiniBox storage system

    TCP

    443

    Default command port used for communication with INFINIDAT InfiniBox over HTTPS.

    Backup proxy

    INFINIDAT InfiniBox storage system

    TCP

    3260

    Default iSCSI target port.

    NetApp SolidFire/HCI

    From

    To

    Protocol

    Port

    Notes

    Backup server

    NetApp SolidFire/HCI storage system

    TCP

    443

    Default command port used for communication with NetApp SolidFire/HCI over HTTPS.

    Backup proxy

    NetApp SolidFire/HCI storage system

    TCP

    3260

    Default iSCSI target port.

    Pure Storage FlashArray

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Pure Storage FlashArray system

    TCP

    443

    Default command port used for communication with Pure Storage FlashArray over HTTPS.

    Backup proxy

    Pure Storage FlashArray system

    TCP

    3260

    Default iSCSI target port.

     

    Tintri IntelliFlash/Western Digital/Tegile

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Tintri IntelliFlash system

    TCP

    443

    Default command port used for communication with Tintri IntelliFlash over HTTPS.

    Backup proxy

    Tintri IntelliFlash system

    TCP

    3260

    Default iSCSI target port.

    Tintri IntelliFlash system

    TCP, UDP

    2049, 111

    Standard NFS ports. Port 111 is used by the port mapper service.

     

    Gateway Server

    The following table describes network ports that must be opened to ensure proper communication with gateway servers.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft Windows server performing the role of the gateway server

    Ports listed in Microsoft Windows Server must be opened.

    Backup server

    Linux server performing the role of the gateway server (if a gateway server is specified explicitly in NFS backup repository settings)

    Ports listed in Linux Server must be opened.

    Gateway server
    (if a gateway server is specified explicitly in SMB (CIFS) backup repository settings)

    SMB (CIFS) share

    TCP

    445
    1351

    Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share.

    Gateway server
    (if a gateway server is specified explicitly in NFS backup repository settings)

    NFS share

    TCP, UDP

    111, 2049

    Ports used as a transmission channel from the gateway server to the target NFS share.

    1 Port 135 is optional to provide faster deployment.

    Tape Server

    The following table describes network ports that must be opened to ensure proper communication with tape servers.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Tape server

    Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

    TCP

    6166

    Controlling port for RPC calls.

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    Tape server

    Backup server

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

    Backup repository, gateway server or proxy server

    Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    WAN Accelerator

    The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    WAN accelerator
    (source and target)

    WAN accelerator is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened.

    TCP

    6160

    Default port used by the Veeam Installer Service.

    TCP

    6162

    Default port used by the Veeam Data Mover.

    TCP

    6164

    Controlling port for RPC calls.

    WAN accelerator
    (source and target)

    Backup repository
    (source and target)

    TCP

    2500 to 33001

    Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically.

    WAN accelerator

    WAN accelerator

    TCP

    6164

    Controlling port for RPC calls.

    TCP

    6165

    Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed.

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Guest Interaction Proxy

    Connections with Non-Persistent Runtime Components

    The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    VM guest OS (Linux)

    TCP

    22

    Default SSH port used as a control channel.

    Guest interaction proxy

    TCP

    6190

    Used for communication with the guest interaction proxy.

    TCP

    6290

    Used as a control channel for communication with the guest interaction proxy.

    TCP

    445

    Used as a transmission channel.

    Guest interaction proxy

    ESXi server

    TCP

    443

    Default port used for connections to ESXi host.
    [For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by VMware web services.

    Network ports described in the table below are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    From

    To

    Protocol

    Port

    Notes

    Guest interaction proxy

    VM guest OS (Microsoft Windows)

    TCP

    445
    135

    Required to deploy the runtime coordination process on the VM guest OS.

    Note: Port 135 is optional to provide faster deployment.

    TCP

    2500 to 3300

    Default range of ports used as transmission channels for log shipping.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    TCP

    49152 to 65535

    Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

    Used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API).

    Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    VM guest OS (Linux)

    TCP

    22

    Default SSH port used as a control channel.

    TCP

    2500 to 3300

    Default range of ports used as transmission channels for log shipping.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    VM guest OS

    Guest interaction proxy

    TCP

    2500 to 3300

    Default range of ports used as transmission channels for log shipping.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Connections with Persistent Agent Components

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the persistent agent components deployed inside the VM guest OS for application-aware processing and indexing.

    From

    To

    Protocol

    Port

    Notes

    Guest interaction proxy

    VM guest OS

    TCP

    6160
    11731

    Default port and failover port used by the Veeam Installer Service.

    TCP

    6173
    2500

    Used by the Veeam Guest Helper for guest OS processing and file-level restore.

    Log Shipping Components

    The following tables describe network ports that must be opened to ensure proper communication between log shipping components.

    Log Shipping Server Connections

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Log shipping server

    TCP

    445
    135

    Required for deploying Veeam Backup & Replication components.

    Note: Port 135 is optional to provide faster deployment.

    TCP

    6160

    Default port used by the Veeam Installer Service.

    TCP

    6162

    Default port used by the Veeam Data Mover.

    TCP

    49152 to 65535

    Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

    Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    Log shipping server

    Backup repository

    TCP

    2500 to 3300

    Default range of ports used for communication with a backup repository and transfer log backups.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    MS SQL Guest OS Connections

    From

    To

    Protocol

    Port

    Notes

    Guest interaction proxy

    MS SQL VM guest OS

    TCP

    445
    135

    [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: Port 135 is optional to provide faster deployment.

    TCP

    2500 to 3300

    [Non-persistent runtime components only] Default range of ports used for communication with a guest OS.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    TCP

    49152 to 65535

    [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    TCP

    6160
    11731

    [Persistent agent components only] Default port and failover port used by the Veeam Installer Service.

    TCP

    6167

    Used by the Veeam Log Shipping Service for preparing the database and taking logs.

    MS SQL VM guest OS

    Guest interaction proxy

    TCP

    2500 to 3300

    [Non-persistent runtime components only] Default range of ports used for communication with a guest interaction proxy.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    MS SQL VM guest OS

    Backup repository

    TCP

    2500 to 3300

    Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    MS SQL VM guest OS

    Log shipping server

    TCP

    2500 to 3300

    Default range of ports used for communication with a log shipping server and transfer log backups.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Oracle Guest OS Connections

    From

    To

    Protocol

    Port

    Notes

    Guest interaction proxy

    Oracle VM guest OS (Microsoft Windows)

    TCP

    445
    135

    [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: Port 135 is optional to provide faster deployment.

    TCP

    2500 to 3300

    [Non-persistent runtime components only] Default range of ports used for communication with a guest OS.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    TCP

    49152 to 65535

    [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    TCP

    6160
    11731

    [Persistent agent components only] Default port and failover port used by the Veeam Installer Service.

    TCP

    6167

    Used by the Veeam Log Shipping Service for preparing the database and taking logs.

    Oracle VM guest OS (Linux)

    TCP

    22

    [Non-persistent runtime components only] Default SSH port used as a control channel.

    This port is NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    TCP

    2500 to 3300

    [Non-persistent runtime components only] Default range of ports used for communication with a guest OS.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Oracle VM guest OS

    Guest interaction proxy

    TCP

    2500 to 3300

    [Non-persistent runtime components only] Default range of ports used for communication with a guest interaction proxy.

    These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Oracle VM guest OS

    Backup repository

    TCP

    2500 to 3300

    Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Oracle VM guest OS

    Log shipping server

    TCP

    2500 to 3300

    Default range of ports used for communication with a log shipping server and transfer log backups.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    CDP Components

    The following table describes network ports that must be opened to ensure proper communication of Veeam CDP components with other backup components.

    From

    To

    Protocol

    Port

    Notes

    ESXi host (source)

    CDP proxy (source)

    TCP

    33032

    Default port used as a transmission channel to the source CDP proxy.

    ESXi host (source)

    TCP

    33033

    Port used locally on the source ESXi host for data transfer between I/O filter components.

    ESXi host (source)

    TCP

    33038

    Port used locally on the source ESXi host for communication between CDP components.

    CDP proxy (source)

    CDP proxy (target)

    TCP

    33033

    Default port used as a transmission channel to the target CDP proxy.

    ESXi host (source and target)

    TCP

    902

    Default VMware port used for data transfer. Used during the initial synchronization.

    vCenter Server (source and target)

    TCP

    443

    Default VMware web service port that can be customized in vCenter settings. Used during the initial synchronization.

    CDP proxy (target)

    ESXi host (target)

    TCP

    33032

    Default port used as a transmission channel to the target ESXi host.

    ESXi host (source and target)

    TCP

    902

    Default VMware port used for data transfer. Used during the initial synchronization.

    vCenter Server (source and target)

    TCP

    443

    Default VMware web service port that can be customized in vCenter settings. Used during the initial synchronization.

    ESXi host (target)

    ESXi host (target)

    TCP

    33034

    Port used locally on the target ESXi host for communication between the I/O filter components during failover.

    ESXi host (target)

    TCP

    33038

    Port used locally on the source ESXi host for communication between CDP components.

    Backup server

    ESXi host (source and target)

    TCP

    443

    Port used as a control channel.

    vCenter Server (source and target)

    TCP

    443

    Port used as a control channel.

    CDP proxy (source and target)

    TCP

    6182

    Port used as a control channel.

    Backup server

    TCP

    9509

    Port used locally on the backup server for communication between Veeam Backup Service and Veeam CDP Coordinator Service.

    ESXi host (source and target)

    Backup server

    TCP

    33034

    Port used for communication with Veeam CDP Coordinator Service.

    vCenter Server (source and target)

    Backup server

    TCP

    33034

    Port used for communication with Veeam CDP Coordinator Service.

    CDP proxy (source and target)

    Backup server

    TCP

    33034

    Port used for communication with Veeam CDP Coordinator Service.

    Recovery Components

    Guest OS File Recovery

    The following table describes network ports that must be opened to ensure proper communication between components for guest OS file recovery.

    Mount Server Connections

    From

    To

    Protocol

    Port

    Notes

    Mount server

    Backup server

    TCP

    9401

    Used for communication with the Veeam Backup Service.

    Backup repository

    TCP

    2500 to 3300

    Default range of ports used for communication with a backup repository.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup server

    Mount server

    TCP

    445

    Required for deploying Veeam Backup & Replication components.

    TCP

    2500 to 3300

    Default range of ports used for communication with a mount server.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    TCP

    6160

    Default port used by the Veeam Installer Service including checking the compatibility between components before starting the recovery process.

    TCP

    6162

    Default port used by the Veeam Data Mover.

    TCP

    6170

    Used for communication with a local or remote Mount Service.

    TCP

    49152 to 65535

    Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

    Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    Helper Appliance Connections

    From

    To

    Protocol

    Port

    Notes

    Helper appliance

    Backup repository

    TCP

    2500 to 3300

    Default range of ports used for communication with a backup repository.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup server

    Helper appliance

     

    TCP

    22

    Default SSH port used as a control channel.

    TCP

    2500 to 3300

    Default range of ports used for communication with a helper appliance.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Mount server

    Helper appliance

    TCP

    22

    Default SSH port used as a control channel.

    TCP

    2500 to 3300

    Default range of ports used for communication with a helper appliance.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Helper Host Connections

    From

    To

    Protocol

    Port

    Notes

    Helper host

    Backup repository

    TCP

    2500 to 3300

    Default range of ports used for communication with a backup repository.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup server

    Helper host

    TCP

    22

    Default SSH port used as a control channel.

    TCP

    2500 to 3300

    Default range of ports used for communication with a helper host.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    TCP

    6162

    Default port used by the Veeam Data Mover.

    Mount server

    Helper host

    TCP

    22

    Default SSH port used as a control channel.

    TCP

    2500 to 3300

    Default range of ports used for communication with a helper host.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Guest OS Connections

    From

    To

    Protocol

    Port

    Notes

    VM guest OS (Linux/Unix)

    Helper appliance

    TCP

    21

    Default port used for protocol control messages if FTP server is enabled.

    Helper appliance

    VM guest OS (Linux/Unix)

    TCP

    20

    Default port used for data transfer if FTP server is enabled.

    TCP

    2500 to 3300

    Default range of ports used for communication with a VM guest OS.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Helper host

    VM guest OS (Linux/Unix)

    TCP

    2500 to 3300

    Default range of ports used for communication with a VM guest OS.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Backup server

    VM guest OS (Linux/Unix)

    TCP

    22

    Default SSH port used as a control channel.

    Mount server

    VM guest OS (Microsoft Windows)

    TCP

    445
    135

    Required to deploy the runtime coordination process on the VM guest OS.

    Note: Port 135 is optional to provide faster deployment.

    TCP

    6160
    11731

    Default port and failover port used by the Veeam Installer Service.

    TCP

    6173
    2500

    Used by the Veeam Guest Helper for guest OS processing and file-level restore if persistent agent components are deployed inside the VM guest OS.

    TCP

    49152 to 65535

    Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

    Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    Backup server

    VM guest OS

    TCP

    2500 to 3300

    Default range of ports used for communication with a VM guest OS.

    Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    Veeam vPower NFS Service

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft Windows server running vPower NFS Service

    TCP

    6160

    Default port used by the Veeam Installer Service.

    TCP

    6161

    Default port used by the Veeam vPower NFS Service.

    ESXi host

    Microsoft Windows server running vPower NFS Service

    TCP
    UDP

    111

    Standard port used by the port mapper service.

    TCP
    UDP

    1058+ or 1063+

    Default mount port. The number of port depends on where the vPower NFS Service is located:

    • 1058+: If the vPower NFS Service is located on the backup server.
    • 1063+: If the vPower NFS Service is located on a separate Microsoft Windows machine.

    If port 1058/1063 is occupied, the succeeding port numbers will be used.

    TCP
    UDP

    2049+

    Standard NFS port. If port 2049 is occupied, the succeeding port numbers will be used.

    Backup repository or
    Gateway server working with backup repository

    Microsoft Windows server running vPower NFS Service

    TCP

    2500 to 33001

    Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery.

    For every TCP connection that a job uses, one port from this range is assigned.

    1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

    SureReplica Recovery Verification

    From

    To

    Protocol

    Port

    Notes

    Backup server

    vCenter Server

    HTTPS TCP

    443

    Default port used for connections to vCenter Server.

    ESXi server

    HTTPS TCP

    443

    Default port used for connections to ESXi host.
    Not required if vCenter connection is used.

    Proxy appliance

    TCP

    443

    Port used for communication with the proxy appliance in the virtual lab.

    22

    Port used for communication with the proxy appliance in the virtual lab.

    Applications on VMs in the virtual lab

    Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response.

    Internet-facing proxy server

    VMs in the virtual lab

    HTTP

    8080

    Port used to let VMs in the virtual lab access the Internet.

    Veeam U-AIR

    The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

    From

    To

    Protocol

    Port

    Notes

    U-AIR wizards

    Veeam Backup Enterprise Manager

    TCP

    9394

    Default port used for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation.

    Microsoft Active Directory Domain Controller Connections During Application Item Restore

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft
    Active Directory VM guest OS

    TCP

    135

    Port required for communication between the domain controller and backup server.

    TCP,
    UDP

    389

    LDAP connections.

    TCP

    636, 3268, 3269

    LDAP connections.

    TCP

    49152 to 65535 (for Microsoft Windows 2008 and later)

    Dynamic port range used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API).1 For more information, see this Microsoft KB article.

    1 If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports: during setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the “RPC function call failed” error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

    Microsoft Exchange Server Connections During Application Item Restore

    The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft Exchange 2003/2007 CAS Server

    TCP

    80, 443

    WebDAV connections.

    Microsoft Exchange 2010/2013/2016/2019 CAS Server

    TCP

    443

    Microsoft Exchange Web Services Connections.

    Microsoft SQL Server Connections During Application Item Restore

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Microsoft
    SQL VM guest OS

    TCP

    1433,
    1434 and other

    Port used for communication with the Microsoft SQL Server installed inside the VM.

    Port numbers depends on configuration of your Microsoft SQL server. For more information, see Microsoft Docs.

    Proxy Appliance (Restore to Amazon EC2, Google Cloud)

    From

    To

    Protocol

    Port

    Notes

    Backup server/Backup Repository

    Proxy appliance

    TCP

    22

    Port used as a communication channel to the proxy appliance in the restore to Amazon EC2 or Google Cloud process.

    TCP

    443

    Default redirector port. You can change the port in proxy appliance settings. For details, see Specify Proxy Appliance in Restore to Amazon EC2 and Restore to Google Cloud.

    Azure Proxy

    From

    To

    Protocol

    Port

    Notes

    Backup server/ Backup repository

    Azure proxy

    TCP

    443

    Default management and data transport port required for communication with the Azure proxy. The port must be opened on the backup server and backup repository storing VM backups.

    The default port is 443, but you can change it in the settings of the Azure Proxy. For details, see Specify Credentials and Transport Port

    Azure Helper Appliance

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Azure helper appliance

    TCP

    22

    Port used as a communication channel to the proxy appliance in the Restore to Azure process

    The default port is 22, but you can change it during helper appliance deployment.

    For details, see Configuring Helper Appliances.

    Azure Stack

    From

    To

    Protocol

    Port

    Notes

    Backup server

    Azure Stack

    HTTPS

    443, 30024

    Default management and data transport port required for communication with the Azure Stack.

    Veeam Backup Enterprise Manager

    Veeam Backup Enterprise Manager Connections

     

    Veeam Explorers

    Veeam Cloud Connect

    Veeam Cloud Connect Connections

    Veeam Agents

    Veeam Agent for Microsoft Windows

    Veeam Agent for Linux

    Veeam Agent for Mac

    Veeam Plug-ins for Enterprise Applications

    Veeam Plug-ins for Cloud Solutions

    Kasten K10

    Kasten K10 Connections

    Other Connections

    NDMP Server

    The following table describes network ports that must be opened to ensure proper communication with NDMP servers.

    From

    To

    Protocol

    Port

    Notes

    Gateway server

    NDMP server

    NDMP

    10000

    Port used for data transfer between the components.

    SMTP Server

    The following table describes network ports that must be opened to ensure proper communication of the backup server with the SMTP server.

    From

    To

    Protocol

    Port

    Notes

    Backup server

    SMTP server

    TCP

    25

    Port used by the SMTP server.

    Internet Connections

    If you use an HTTP(S) proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.

    Note

    Tenants cannot access Veeam Cloud Connect infrastructure components through HTTP(S) proxy servers. For information on supported protocols for Veeam Cloud Connect, see the Used Ports section in the Veeam Cloud Connect Guide.