Help Center
Choose product document...
Veeam Backup & Replication 9.5
User Guide for VMware vSphere

Used Ports

This section covers typical connection settings for the backup infrastructure components.

Used Ports Note:

During installation, Veeam Backup & Replication automatically creates firewall rules for default ports to allow communication for the application components.

In This Section

Backup Server Connections

The following table describes network ports that must be opened to ensure proper communication of the backup server with other infrastructure components.

From

To

Protocol

Port

Notes

Backup server

vCenter Server

HTTPS TCP

443

Default port used for connections to vCenter Server.

If you use vCloud Director, make sure you open port 443 on underlying vCenter Servers.

HTTPS TCP

10443

Port used for communication with vCenter Server.

ESX(i) server

HTTPS TCP

443

Default port used for connections to ESX(i) host.
Not required if vCenter connection is used.

Note: When configuring firewalls, consider opening port 443 on ESX(i) hosts even if you add vCenter Server to the backup infrastructure. Port 443 may be required for backup and restore without vCenter Server, for example, if you back up a VM that hosts vCenter Server and restore it when vCenter Server is down.

TCP

902

Port used for data transfer to ESX(i) host.

TCP

22

Port used as a control channel (only for jobs that use an ESX target with the console agent enabled).

vCloud Director

HTTPS TCP

443

Default port used for connections to vCloud Director.

Linux server

TCP

22

Port used as a control channel from the console to the target Linux host.

Microsoft Windows server

TCP
UDP

135, 137 to 139, 445

Ports required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6161

[For Microsoft Windows servers running the vPower NFS Service] Default port used by the Veeam vPower NFS Service.

TCP

6162

Default port used by the Veeam Data Mover Service.

TCP,
UDP

111, 2049+, 1058+

[For Microsoft Windows servers running the vPower NFS Service] Standard NFS ports. If ports 2049 and 1058 are occupied, the succeeding port numbers will be used.

TCP

49152-65535
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

Proxy appliance (multi-OS FLR)

SSH

22

Port used as a communication channel from the console to the proxy appliance in the multi-OS file-level recovery process.

Gateway server

TCP, UDP

135, 137 to 139, 445

Ports required for deploying Veeam Backup & Replication components.

Microsoft SQL Server hosting the Veeam Backup & Replication configuration database

TCP

1433

Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance).

Additional ports may need to be open depending on your configuration. For more information, see https://msdn.microsoft.com/en-us/library/cc646023(v=sql.120).aspx#BKMK_ssde.

DNS server with forward/reverse name resolution of all backup servers

UDP

53

Port used for communication with the DNS Server.

Veeam Update Notification Server (dev.veeam.com)

TCP

80

Default port used to download information about available updates from the Veeam Update Notification Server over the Internet.

Veeam License Update Server (autolk.veeam.com)

TCP

443

Default port used for license auto-update.

Backup server

TCP

9501

Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components.

Veeam Backup & Replication Console

Backup server

TCP

9392

Port used by the Veeam Backup & Replication console to connect to the backup server.

Linux server

Backup server

TCP

2500 to 5000

Default range of ports used as transmission channels for jobs writing to Linux target. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft Windows server

Backup server

TCP

2500 to 5000

Default range of ports used as transmission channels for jobs writing to Microsoft Windows target. For every TCP connection that a job uses, one port from this range is assigned.

Management client PC (remote access)

Backup server

TCP

3389

Default port used by the Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open.

 

Backup Proxy Connections

The following table describes network ports that must be opened to ensure proper communication of backup proxies with other infrastructure components.

From

To

Protocol

Port

Notes

Communication with VMware Servers

Backup proxy

vCenter Server

HTTPS

443

Default VMware web service port that can be customized in vCenter settings.

ESX(i) server

TCP

902

VMware data mover port.

HTTPS

443

Default VMware web service port that can be customized in ESX host settings. Not required if vCenter connection is used.

Communication with Backup Repositories

Backup proxy

Linux server

TCP

22

Port used as a control channel from the backup proxy to the target Linux host.

Microsoft Windows server

TCP

49152-65535 
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

Shared folder CIFS (SMB) share

TCP
UDP

135, 137 to 139, 445

Ports used as a transmission channel from a backup proxy to the target CIFS (SMB) share.

Traffic goes between a backup proxy and CIFS (SMB) share only if a gateway server is not specified explicitly in CIFS (SMB) backup repository settings (Automatic selection option is used).

If a gateway server is specified explicitly, traffic goes between a gateway server and CIFS (SMB) share. For more information about required ports, see the Gateway server > Shared folder line below in this table.

 

Gateway server

TCP

49152-65535 
(for Microsoft Windows 2008 and newer)

Dynamic RPC port range. For more information, see http://support.microsoft.com/kb/929851/en-us.

Gateway server
(if a gateway server is specified explicitly in CIFS (SMB) backup repository settings)

Shared folder CIFS (SMB) share

TCP
UDP

135, 137 to 139, 445

Ports used as a transmission channel from a gateway server to the target CIFS (SMB) share.

Communication with Backup Proxies

Backup proxy

Backup proxy

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

 

Backup Repository Connections

From

To

Protocol

Port

Notes

Backup proxy

Linux Server performing the role of the backup repository

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Microsoft Windows Server performing the role of the backup repository

Backup repository

Backup proxy

TCP

2500 to 5000

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Source backup repository

Target backup repository

TCP

2500 to 5000

Default range of ports used as transmission channels for backup copy jobs. For every TCP connection that a job uses, one port from this range is assigned.
Ports 2500 to 5000 are used for backup copy jobs that do not utilize WAN accelerators. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are open.

Microsoft Windows Server Running vPower NFS Service Connections

Backup repository gateway server working with backup repository

 

TCP

2500 to 5000

Default range of ports used as transmission channels during Instant VM Recovery, SureBackup or Linux file-level recovery.

For every TCP connection that a job uses, one port from this range is assigned.

Dell EMC Data Domain System Connections

From

To

Protocol

Port

Notes

Backup server or gateway server

Dell EMC Data Domain

TCP

111

Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned.

TCP

2049

Main port used by NFS. Can be modified via the ‘nfs set server-port’ command. Command requires SE mode.

TCP

2052

Main port used by NFS MOUNTD. Can be modified via the 'nfs set mountd-port' command in SE mode.

Backup server

Gateway server

See Backup Server Connections.

For more information, see https://community.emc.com/docs/DOC-33258.

HPE StoreOnce Connection

From

To

Protocol

Port

Notes

Backup server or gateway server

HPE StoreOnce

TCP

9387

Default command port used for communication with HPE StoreOnce.

9388

Default data port used for communication with HPE StoreOnce.

Backup server

Gateway server

See Backup Server Connections.

Mount Server Connections

From

To

Protocol

Port

Notes

Mount server
(or machine running the Veeam Backup & Replication console)

Backup server

TCP

9401

Port used for communication with the Veeam Backup Service.

Backup server

Mount server

TCP

6170

Port used for communication with a local or remote Mount Service.

Mount server
(or machine running the Veeam Backup & Replication console)

Backup repository

TCP

2500 to 5000

Default range of ports used for communication with a backup repository.

Microsoft Windows Server Running vPower NFS Service Connections

From

To

Protocol

Port

Notes

Backup server

Microsoft Windows server running vPower NFS Service

TCP
UDP

1058+, 2049+

[For Microsoft Windows servers running the vPower NFS Service] Standard NFS ports. If ports 2049 and 1058 are occupied, the succeeding port numbers will be used.

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6161

Default RPC port used by the Veeam vPower NFS Service.

ESX(i) host

Microsoft Windows server running vPower NFS Service

TCP
UDP

111

RPC service port.

Backup repository or gateway server working with backup repository

Microsoft Windows server running vPower NFS Service

 

TCP

2500-5000

Default range of ports used as transmission channels during Instant VM Recovery, SureBackup or Linux file-level recovery.

For every TCP connection that a job uses, one port from this range is assigned.

Proxy Appliance (Multi-OS FLR) Connections

From

To

Protocol

Port

Notes

Backup server

Proxy appliance

TCP

22

Port used as a communication channel from the backup server to the proxy appliance in the multi-OS file-level recovery process.

TCP

2500-5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

VM guest OS

TCP

2500-5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Proxy appliance

VM guest OS

TCP

22

Port used as a communication channel from the proxy appliance to the Linux guest OS during multi-OS file-level recovery process.

TCP

20

[If FTP option is used] Default port used for data transfer.

TCP

2500-5000

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

VM guest OS

Proxy appliance

TCP

22

Port used as a communication channel from the proxy appliance to Linux guest OS during multi-OS file-level recovery process.

TCP

21

[If FTP option is used} Default port used for protocol control messages.

SureReplica Recovery Verification Connections

From

To

Protocol

Port

Notes

Backup server

vCenter Server

HTTPS TCP

443

Default port used for connections to vCenter Server.

ESX(i) server

HTTPS TCP

443

Default port used for connections to ESX(i) host.
Not required if vCenter connection is used.

TCP

22

Port used as a control channel (only for jobs that use an ESX target with the console agent enabled).

Proxy appliance

TCP

443

Port used for communication with the proxy appliance in the virtual lab.

22

Port used for communication with the proxy appliance in the virtual lab.

Applications on VMs in the virtual lab

Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response.

Internet-facing proxy server

VMs in the virtual lab

HTTP

8080

Port used to let VMs in the virtual lab access the Internet.

 

WAN Accelerator Connections

The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs.

From

To

Protocol

Port

Notes

Communication with Backup Server

Backup server

WAN accelerator
(source and target)

TCP

6160

Default port used by the Veeam Installer Service.

TCP

6162

Default port used by the Veeam Data Mover Service.

TCP

6164

Controlling port for RPC calls.

Communication with Backup Repositories

WAN accelerator
(source and target)

Backup repository
(source and target)

TCP

2500 to 5000

Default range of ports used by the Veeam Data Mover Service for transferring files of a small size such as NVRAM, VMX, VMXF, GuestIndexData.zip and others. A port from the range is selected dynamically.

Communication Between WAN Accelerators

WAN accelerator

WAN accelerator

TCP

6164

Controlling port for RPC calls.

TCP

6165

Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed.

Tape Server Connections

From

To

Protocol

Port

Notes

Backup server

Tape server

TCP

6166

Controlling port for RPC calls.

Dell EMC VNX(e) Storage Connections

From

To

Protocol

Port

Notes

Backup server

VNX File

SSH

22

Default command port used for communication with VNX File over SSH.

VNX Block

HTTPS

443

Default port used for communication with Dell EMC VNX Block.

VNXe

HTTPS

443

Default port used for communication with Dell EMC VNXe and sending RESTful API calls.

Backup proxy

VNX Block

VNXe

TCP

3260

Default iSCSI target port.

VNX File

VNXe

TCP, UDP

2049, 111

Standard NFS ports. Port 111 is used by the port mapper service.

HPE 3PAR StoreServ Storage Connections

From

To

Protocol

Port

Notes

Backup server

HPE 3PAR StoreServ
storage system

HTTP

8008

Default port used for communication with the HPE 3PAR StoreServ storage system over HTTP.

HTTPS

8080

Default port used for communication with the HPE 3PAR StoreServ storage system over HTTPS.

SSH

22

Default command port used for communication with HPE 3PAR StoreServ over SSH.

Backup proxy

HPE 3PAR StoreServ
storage system

TCP

3260

Default iSCSI target port.

HPE Lefthand Storage Connections

From

To

Protocol

Port

Notes

Backup server

HPE Lefthand storage system

SSH

16022

Default command port used for communication with HPE Lefthand.

Backup proxy

HPE Lefthand storage system

TCP

3260

Default iSCSI target port.

NetApp Storage Connections

From

To

Protocol

Port

Notes

Backup server

NetApp storage system

HTTP

80

Default command port used for communication with NetApp over HTTP.

HTTPS

443

Default command port used for communication with NetApp over HTTPS.

Backup proxy

NetApp storage system

TCP, UDP

2049, 111

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

3260

Default iSCSI target port.

Nimble Storage Connections

From

To

Protocol

Port

Notes

Backup server

Nimble storage system

TCP

5392

Default command port used for communication with Nimble storage (used for Nimble OS 2.3 and later).

 

VM Guest OS Connections

The following table describes network ports that must be opened to ensure proper communication of the backup server with the runtime coordination process deployed inside the VM guest OS for application-aware processing and indexing.

From

To

Protocol

Port

Notes

Backup server

Linux VM guest OS

TCP

22

Default SSH port used as a control channel.

Guest interaction proxy

TCP

6190

Port used for communication with the guest interaction proxy.

TCP

6290

Port used as a control channel for communication with the guest interaction proxy.

Guest interaction proxy

Microsoft Windows VM guest OS

TCP, UDP

135, 137-139, 445

Ports required to deploy the runtime coordination process on the VM guest OS.

TCP

49152-65535 (for Microsoft Windows 2008 and newer)

Dynamic RPC port range used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API).

For more information, see http://support.microsoft.com/kb/929851/en-us.

TCP

6167

[For Microsoft SQL logs shipping] Port used by the runtime process on the VM guest OS from which Microsoft SQL logs are collected.

Microsoft Windows VM guest OS

Guest interaction proxy

TCP

 

49152-65535 (for Microsoft Windows 2008 and newer)

Dynamic RPC port range used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API).

For more information, see http://support.microsoft.com/kb/929851/en-us.

Note: Microsoft Exchange expands a standard Windows dynamic RPC port range. For more information, see https://helpcenter.veeam.com/docs/backup/explorers/vee_ports.html?ver=95.

* If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports: during setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the “RPC function call failed” error, you need to configure dynamic RPC ports.

Veeam U-AIR Wizards Connections

The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

From

To

Protocol

Port

Notes

U-AIR wizards

Veeam Backup Enterprise Manager

TCP

9394

Default port used for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation.

Azure Proxy Connections

From

To

Protocol

Port

Notes

Backup server

Azure proxy

TCP

6181

Default management and data transport port required for communication with the Azure proxy. The port must be opened on the backup server and backup repository storing VM backups.

Microsoft Active Directory Domain Controller Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
Active Directory VM guest OS

TCP

135

Port required for communication between the domain controller and backup server.

TCP,
UDP

389

LDAP connections.

TCP

636, 3268, 3269

LDAP connections.

TCP

49152-65535 (for Microsoft Windows 2008 and newer)

Dynamic RPC port range used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API).* For more information, see http://support.microsoft.com/kb/929851/en-us.

Microsoft Exchange Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft Exchange 2003/2007 CAS Server

TCP

80, 443

WebDAV connections

Microsoft Exchange 2010/2013 CAS Server

TCP

443

Microsoft Exchange Web Services Connections

 

Microsoft SQL Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
SQL VM guest OS

TCP

1433,1434 and other

Port used for communication with the Microsoft SQL Server installed inside the VM.

Port numbers depends on configuration of your Microsoft SQL server. For more information, see http://msdn.microsoft.com/en-us/library/cc646023.aspx#BKMK_ssde.

SMTP Server Connections

The following table describes network ports that must be opened to ensure proper communication of the backup server with the SMTP server.

From

To

Protocol

Port

Notes

Backup server

SMTP server

TCP

25

Port used by the SMTP server.

Port 25 is most commonly used but the actual port number depends on configuration of your environment.

Veeam Backup Enterprise Manager Connections

Veeam Backup Enterprise Manager

 

Veeam Explorers Connections

Veeam Agent for Windows Connections

Veeam Agent for Windows

Veeam Agent for Linux Connections

Veeam Agent for Linux

Veeam Large Logo

User Guide for VMware vSphere

User Guide for Microsoft Hyper-V

Enterprise Manager User Guide

Veeam Cloud Connect Guide

Veeam Backup Explorers User Guide

PowerShell Reference

RESTful API Reference

Veeam Backup FREE Edition User Guide

Veeam Backup for Microsoft Office 365

Veeam ONE Documentation

Veeam Agent for Windows Documentation

Veeam Agent for Linux Documentation

Veeam Management Pack Documentation