Ports
On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports. These rules allow communication between the components.
Important |
Some Linux distributions require firewall and/or security rules to be created manually. For details, see this Veeam KB article. |
You can find the full list of the ports below.
The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows servers.
Each Microsoft Windows server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.
For example, if you assign the role of a backup proxy to your Microsoft Windows server, you must open ports listed below and also ports listed in the Backup Proxy section.
The Microsoft Windows server that acts as an NFS file share requires network ports listed below and also ports listed in the NFS Backup Repository. The Microsoft Windows server that acts as an SMB file share requires network ports listed below and also ports listed in the SMB Backup Repository.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft Windows server | TCP | 445 | Port required for deploying Veeam Backup & Replication components. Note: Port 135 is optional to provide faster deployment. |
Backup proxy | TCP | 6160 | Default port used by the Veeam Installer Service. | |
Backup repository | TCP | 2500 to 33001 | Default range of ports used as data transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. | |
Gateway server | TCP | 6161 | [For Microsoft Windows servers running the vPower NFS Service] Default port used by the Veeam vPower NFS Service. | |
Mount server | TCP | 6162 | Default port used by the Veeam Data Mover. | |
WAN accelerator | TCP | 49152 to 65535 | Dynamic port range. For more information, see this Microsoft KB article. | |
Tape server |
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
The following table describes network ports that must be opened to ensure proper communication with Linux servers.
Each Linux server that is a backup infrastructure component or a machine for which you enable application-aware processing must have these ports opened. If you want to use the server as a backup infrastructure component, you must also open ports that the component role requires.
For example, if you assign the role of a backup repository to your Linux server, you must open ports listed below and also ports listed in the Microsoft Windows/Linux-based Backup Repository section.
The Linux server that acts as an NFS file share requires network ports listed below and also ports listed in the NFS Backup Repository. The Linux server that acts as an SMB file share requires network ports listed below and also ports listed in the SMB Backup Repository.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Linux server | TCP | 22 | Port used as a control channel from the console to the target Linux host. |
TCP | 6160 | Default port used by the Veeam Installer Service for Linux. | ||
TCP | 6162 | Default port used by the Veeam Data Mover. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings. | ||
TCP | 2500 to 33001 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. | ||
Linux server | Backup server | TCP | 2500 to 33001 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. |
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
The following table describes network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Virtualization Servers | ||||
Backup server | vCenter Server | TCP | 443 | Default port used for connections to vCenter Server. If you use VMware Cloud Director, make sure you open port 443 on underlying vCenter Servers. |
ESXi server | TCP | 443 | Default port used for connections to ESXi host. This port is not required for VMware Cloud on AWS. | |
TCP | 902 | Port used for data transfer to ESXi host. It is also used during guest OS file recovery if you recover files from replicas. This port is not required for VMware Cloud on AWS. | ||
VMware Cloud Director | TCP | 443 | Default port used for connections to VMware Cloud Director. | |
Other Servers | ||||
Backup server | PostgreSQL server hosting the Veeam Backup & Replication configuration database | TCP | 5432 | Port used for communication with PostgreSQL server on which the Veeam Backup & Replication configuration database is deployed. |
Microsoft SQL Server hosting the Veeam Backup & Replication configuration database | TCP | 1433 | Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance). Additional ports may need to be open depending on your configuration. For more information, see Microsoft Docs. | |
DNS server with forward/reverse name resolution of all backup servers | UDP | 53 | Port used for communication with the DNS Server. | |
Veeam Update Notification Server (dev.veeam.com) | TCP | 443 | Default port used to download information about available updates from the Veeam Update Notification Server over the Internet. | |
Veeam License Update Server (vbr.butler.veeam.com, autolk.veeam.com) | TCP | 443 | Default port used for license auto-update. | |
Backup Server | ||||
Backup server | Backup server | TCP | 9501 | Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components. |
Backup server | Backup server | TCP | 6172 | Port used to provide REST access to the Veeam Backup & Replication database. |
Remote Access | ||||
Management client PC (remote access) | Backup server | TCP | 3389 | Default port used by the Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open. |
REST API | ||||
REST client | Backup server | TCP | 9419 | Default port for communication with REST API service. |
The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console installed remotely.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Veeam Backup & Replication Console | Backup server | TCP | 9392 | Port used by the Veeam Backup & Replication console to connect to the backup server. |
TCP | 10003 | Port used by the Veeam Backup & Replication console to connect to the backup server only when managing the Veeam Cloud Connect infrastructure. | ||
TCP | 9396 | Port used by the Veeam.Backup.UIService process for managing database connections. | ||
Veeam Backup & Replication Console | Mount server (if the mount server is not located on the console) | TCP | 2500 to 33001 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. |
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Backup proxy | Backup proxy can be a Microsoft Windows or Linux server. Depending on which server you use, the ports listed in Microsoft Windows Server or Linux Server must be opened. | ||
Communication with Backup Server | ||||
Backup server | Backup proxy | TCP | 6210 | Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup. |
Communication with VMware Servers | ||||
Backup proxy | vCenter Server | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. |
ESXi server | TCP | 902 | Default VMware port used for data transfer. This port is not required for VMware Cloud on AWS. | |
TCP | 443 | Default VMware web service port that can be customized in ESXi host settings. Not required if vCenter connection is used. This port is not required for VMware Cloud on AWS. | ||
Communication with Backup Repositories | ||||
Backup proxy | Backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup repository (Microsoft Windows) | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | |
SMB (CIFS) backup repository | TCP | 445 | Ports used as a transmission channel from the backup proxy to the target SMB (CIFS) backup repository. Traffic goes between the backup proxy and the SMB (CIFS) share only if a gateway server is not specified explicitly in SMB (CIFS) backup repository settings (the Automatic selection option is used). If a gateway server is specified explicitly, traffic goes between the gateway server and the SMB (CIFS) share. For more information about required ports, see the Gateway server > SMB (CIFS) share line below in this table. | |
NFS backup repository | TCP, UDP | 111, 2049 | Ports used as a transmission channel from the backup proxy to the target NFS backup repository. Traffic goes between the backup proxy and the NFS share only if a gateway server is not specified explicitly in NFS backup repository settings (the Automatic selection option is used). If a gateway server is specified explicitly, traffic goes between the gateway server and the NFS share. For more information about required ports, see the Gateway server > NFS share line below in this table. | |
Gateway server | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | |
Gateway server | SMB (CIFS) backup repository | TCP | 445 | Ports used as a transmission channel from the gateway server to the target SMB (CIFS) backup repository. |
Gateway server | NFS backup repository | TCP, UDP | 111, 2049 | Ports used as a transmission channel from the gateway server to the target NFS backup repository. |
Communication with Backup Proxies | ||||
Backup proxy | Backup proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
1 Port 135 is optional to provide faster deployment.
- Dell Data Domain System
- ExaGrid
- HPE StoreOnce
- Quantum DXi
- Fujitsu ETERNUS CS800
- Infinidat InfiniGuard
- Object Storage Repository
- External Repository
- Archive Object Storage Repository
Microsoft Windows/Linux-based Backup Repository
The following table describes network ports that must be opened to ensure proper communication with backup repositories. Cache repositories in NAS backup use the same network ports as backup repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup proxy | Microsoft Windows server performing the role of the backup repository/file server | Ports listed in Microsoft Windows Server must be opened. | ||
Backup proxy | Linux server performing the role of the backup repository/file server | Ports listed in Linux Server must be opened. | ||
Backup proxy | Backup repository | TCP | 2500 to 33001 | Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. |
Source backup repository | Target backup repository | TCP | 2500 to 33001 | Default range of ports used as transmission channels for backup copy jobs. For every TCP connection that a job uses, one port from this range is assigned. |
Source backup repository | Object storage repository gateway server | TCP | 2500 to 33001 | Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. |
Backup repository/ secondary backup repository | Cache repository in NAS backup | TCP | 2500 to 33001 | Default range of ports used as transmission channels for file share backup restore jobs. For every TCP connection that a job uses, one port from this range is assigned. |
Microsoft Windows server running vPower NFS Service | Backup repository gateway server working with backup repository | TCP | 2500 to 33001 | Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery. For every TCP connection that a job uses, one port from this range is assigned. |
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
The following table describes network ports that must be opened to ensure proper communication with NFS shares added as backup repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Microsoft Windows server performing the role of the gateway server/backup proxy | NFS backup repository/file share | Ports listed in Microsoft Windows Server must be opened. | ||
Linux server performing the role of the gateway server/backup proxy | NFS backup repository/file share | Ports listed in Linux Server must be opened. | ||
Gateway server/backup proxy (Microsoft Windows/Linux) | NFS backup repository/file share | TCP | 2049 | Default NFS port. |
TCP | 111 | Port used for rpcbind service. | ||
Gateway server/backup proxy (Microsoft Windows/Linux) | NFS backup repository/file share | TCP | mountd_port | Dynamic port used for mountd service. Can be assigned statically. |
TCP | statd_port | Dynamic port used for statd service. Can be assigned statically. | ||
TCP | lockd_port | Dynamic TCP port used for lockd service. Can be assigned statically. | ||
UDP | lockd_port | Dynamic UDP port used for lockd service. Can be assigned statically. | ||
Gateway server/backup proxy (specified in the NFS repository settings) | NFS backup repository/file share | TCP | 111, 2049 | Standard NFS ports used as a transmission channel from the gateway server to the target NFS share. |
The following table describes network ports that must be opened to ensure proper communication with SMB (CIFS) shares added as backup repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Microsoft Windows server performing the role of the gateway server/backup proxy | SMB (CIFS) backup repository/file share | Ports listed in Microsoft Windows Server must be opened. | ||
Gateway server/backup proxy (Microsoft Windows) | SMB (CIFS) backup repository | TCP | 445 | Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share. |
1 Port 135 is optional to provide faster deployment.
For more information, see Dell Documents.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Dell Data Domain | TCP | 111 | Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned. |
TCP | 2049 | Main port used by NFS. Can be modified using the ‘nfs set server-port’ command. Command requires SE mode. | ||
TCP | 2052 | Main port used by NFS MOUNTD. Can be modified using the 'nfs set mountd-port' command in SE mode. | ||
Backup server | Gateway server | Ports listed in Gateway Server must be opened. | ||
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | ExaGrid | TCP | 22 | Default command port used for communication with ExaGrid. |
Backup proxy | ExaGrid | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE StoreOnce | TCP | 9387 | Default command port used for communication with HPE StoreOnce. |
9388 | Default data port used for communication with HPE StoreOnce. | |||
Backup server | Gateway server | Ports listed in Gateway Server must be opened. | ||
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Quantum DXi | TCP | 22 | Default command port used for communication with Quantum DXi. |
Backup proxy | Quantum DXi | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Fujitsu ETERNUS CS800 | TCP | 22 | Default command port used for communication with Fujitsu ETERNUS CS800. |
Backup proxy | Fujitsu ETERNUS CS800 | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Infinidat InfiniGuard | TCP | 22 | Default command port used for communication with Infinidat InfiniGuard. |
Backup proxy | Infinidat InfiniGuard | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories. For more information, see Object Storage Repository.
From | To | Protocol | Port/Endpoint | Notes |
|---|---|---|---|---|
Gateway server | Amazon S3 object storage | TCP | 443 | Used to communicate with Amazon S3 object storage. |
HTTPS | AWS service endpoints:
A complete list of connection endpoints can be found in AWS Documentation. | |||
TCP | 80 | Used to verify the certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
| |||
Microsoft Azure object storage | TCP | 443 | Used to communicate with Microsoft Azure object storage. Consider that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal. | |
HTTPS | Cloud endpoints:
| |||
TCP | 80 | Used to verify the certificate status. Consider the following:
| ||
HTTP | Certificate verification endpoints:
| |||
Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage.
| |
HTTPS | Cloud endpoints:
A complete list of connection endpoints can be found in this Google article. | |||
TCP | 80 | Used to verify the certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
| |||
IBM Cloud object storage | TCP/HTTPS | Customizable and depends on device configuration | Used to communicate with IBM Cloud object storage. | |
S3 compatible object storage | TCP/HTTPS | Customizable and depends on device configuration | Used to communicate with S3 compatible object storage. |
The following table describes network ports and endpoints that must be opened to ensure proper communication with external repositories. For more information, see External Repository.
From | To | Protocol | Port/Endpoint | Notes |
|---|---|---|---|---|
Gateway server | Amazon S3 object storage | TCP | 443 | Used to communicate with Amazon S3 object storage. |
HTTPS | AWS service endpoints:
A complete list of connection endpoints can be found in AWS Documentation. | |||
TCP | 80 | Used to verify the certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
| |||
Microsoft Azure object storage | TCP | 443 | Used to communicate with Microsoft Azure object storage. Consider that the <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Azure management portal. | |
HTTPS | Cloud endpoints:
| |||
TCP | 80 | Used to verify the certificate status. Consider the following:
| ||
HTTP | Certificate verification endpoints:
| |||
Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage.
| |
HTTPS | Cloud endpoints:
A complete list of connection endpoints can be found in this Google article. | |||
TCP | 80 | Used to verify the certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
|
Archive Object Storage Repository
The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories used as a part of Archive Tier. For more information, see Archive Tier.
From | To | Protocol | Port/Endpoint | Notes |
|---|---|---|---|---|
Gateway server | Amazon EC2 helper appliance | TCP | 443 (default, adjustable via Amazon S3 Glacier wizard) | If there is no gateway server selected, VBR server will be used as a gateway server. If you use Amazon S3 Glacier object storage, the gateway server should have direct connection to AWS service endpoints. HTTP(S) proxy servers are not supported. |
TCP | 22 | |||
HTTPS | AWS service endpoints:
| |||
Microsoft Azure proxy appliance | TCP | 443 (default, adjustable via Azure Archive wizard) | ||
TCP | 22 | |||
HTTPS | Cloud endpoints:
| |||
Amazon EC2 proxy appliance | Amazon S3 object storage | TCP | 443 | Used to communicate with Amazon S3 object storage. |
HTTPS | Cloud endpoints:
A complete list of connection endpoints can be found in AWS Documentation. | |||
TCP | 80 | Used to verify the certificate status. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. | ||
HTTP | Certificate verification endpoints:
| |||
Microsoft Azure proxy appliance | Microsoft Azure object storage | TCP | 443 | Used to communicate with Microsoft Azure object storage. The <xxx> part of the address must be replaced with your actual storage account URL, which can be found in the Microsoft Azure management portal. |
HTTPS | Cloud endpoints:
| |||
TCP | 80 | Used to verify the certificate status. Certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. The *.d-trust.net endpoint is used for the Germany region only. | ||
HTTP | Certificate verification endpoints:
|
- HPE 3PAR StoreServ Storage
- HPE Primera/Alletra 9000 Storage
- HPE Lefthand Storage
- HPE Nimble/Alletra 6000 Storage
- IBM Spectrum Virtualize Storage
- NetApp Data ONTAP Storage
- Nutanix Files Storage
- Universal Storage API Integrated System
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | VNX File | TCP | 22 | Default command port used for communication with VNX File over SSH. |
VNX Block | TCP | 443 | Default port used for communication with Dell VNX Block. | |
VNXe | TCP | 443 | Default port used for communication with Dell VNXe and sending REST API calls. | |
Backup proxy | VNX Block VNXe | TCP | 3260 | Default iSCSI target port. |
VNX File VNXe | TCP, UDP | 2049, 111 | Standard NFS ports. Port 111 is used by the port mapper service. |
Dell PowerScale (Formerly Isilon) Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Dell PowerScale storage system | TCP | 8080 | Default port used for communication with Dell PowerScale over HTTPS and sending REST API calls. |
Backup proxy | Dell PowerScale storage system | TCP, UDP | 2049, 111 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE 3PAR StoreServ storage system | TCP | 8008 | Default port used for communication with HPE 3PAR StoreServ over HTTP. |
TCP | 8080 | Default port used for communication with HPE 3PAR StoreServ over HTTPS. | ||
TCP | 22 | Default command port used for communication with HPE 3PAR StoreServ over SSH. | ||
Backup proxy | HPE 3PAR StoreServ storage system | TCP | 3260 | Default iSCSI target port. |
HPE Primera/Alletra 9000 Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE Primera/Alletra 9000 storage system | TCP | 443 | Default port used for communication with HPE Primera/Alletra 9000 over HTTPS. |
TCP | 22 | Default command port used for communication with HPE Primera/Alletra 9000 over SSH. | ||
Backup proxy | HPE Primera/Alletra 9000 storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE Lefthand storage system | TCP | 16022 | Default command port used for communication with HPE Lefthand. |
Backup proxy | HPE Lefthand storage system | TCP | 3260 | Default iSCSI target port. |
HPE Nimble/Alletra 6000 Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE Nimble/Alletra 6000 storage system | TCP | 5392 | Default command port used for communication with HPE Nimble (Nimble OS 2.3 and later)/Alletra 6000. |
Backup proxy | HPE Nimble/Alletra 6000 storage system | TCP | 3260 | Default iSCSI target port. |
IBM Spectrum Virtualize Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | IBM Spectrum Virtualize storage system | TCP | 22 | Default command port used for communication with IBM Spectrum Virtualize over SSH. |
Backup proxy | IBM Spectrum Virtualize storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | NetApp Data ONTAP storage system | TCP | 80 | Default command port used for communication with NetApp Data ONTAP over HTTP. |
TCP | 443 | Default command port used for communication with NetApp Data ONTAP over HTTPS. | ||
Backup proxy | NetApp Data ONTAP storage system | TCP, UDP | 2049, 111 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. | ||
TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Nutanix Files storage system | TCP | 9440 | Default port used for communication with Nutanix Files and sending REST API calls. |
Backup proxy | Nutanix Files storage system | TCP, UDP | 2049, 111 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. |
Universal Storage API Integrated System
The following tables describe network ports that must be opened to ensure proper communication with Universal Storage API integrated systems:
- DataCore SANsymphony
- Dell SC Series
- Dell PowerMax
- Fujitsu ETERNUS DX/AF
- INFINIDAT InfiniBox
- NetApp SolidFire/HCI
- Pure Storage FlashArray
- Tintri IntelliFlash/Western Digital/Tegile
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | DataCore SANsymphony storage system | TCP | 443 | Default command port used for communication with DataCore SANsymphony over HTTPS. |
Backup proxy | DataCore SANsymphony storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Dell SC Series storage system | TCP | 3033 | Default command port used for communication with Dell SC Series over HTTPS. |
Backup proxy | Dell SC Series storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Dell PowerMax storage system | TCP | 8443 | Default command port used for communication with Dell PowerMax over HTTPS. |
Backup proxy | Dell PowerMax storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Fujitsu ETERNUS DX/AF storage system | TCP | 22 | Default command port used for communication with Fujitsu ETERNUS DX/AF over SSH. |
Backup proxy | Fujitsu ETERNUS DX/AF storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | INFINIDAT InfiniBox storage system | TCP | 443 | Default command port used for communication with INFINIDAT InfiniBox over HTTPS. |
Backup proxy | INFINIDAT InfiniBox storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | NetApp SolidFire/HCI storage system | TCP | 443 | Default command port used for communication with NetApp SolidFire/HCI over HTTPS. |
Backup proxy | NetApp SolidFire/HCI storage system | TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Pure Storage FlashArray system | TCP | 443 | Default command port used for communication with Pure Storage FlashArray over HTTPS. |
Backup proxy | Pure Storage FlashArray system | TCP | 3260 | Default iSCSI target port. |
Tintri IntelliFlash/Western Digital/Tegile
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Tintri IntelliFlash system | TCP | 443 | Default command port used for communication with Tintri IntelliFlash over HTTPS. |
Backup proxy | Tintri IntelliFlash system | TCP | 3260 | Default iSCSI target port. |
Tintri IntelliFlash system | TCP, UDP | 2049, 111 | Standard NFS ports. Port 111 is used by the port mapper service. |
The following table describes network ports that must be opened to ensure proper communication with gateway servers.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft Windows server performing the role of the gateway server | Ports listed in Microsoft Windows Server must be opened. | ||
Backup server | Linux server performing the role of the gateway server (if a gateway server is specified explicitly in NFS backup repository settings) | Ports listed in Linux Server must be opened. | ||
Gateway server | SMB (CIFS) share | TCP | 445 | Ports used as a transmission channel from the gateway server to the target SMB (CIFS) share. |
Gateway server | NFS share | TCP, UDP | 111, 2049 | Ports used as a transmission channel from the gateway server to the target NFS share. |
1 Port 135 is optional to provide faster deployment.
The following table describes network ports that must be opened to ensure proper communication with tape servers.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Tape server | Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened. | ||
TCP | 6166 | Controlling port for RPC calls. | ||
TCP | 2500 to 33001 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. | ||
Tape server | Backup server | TCP | 2500 to 33001 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. |
Backup repository, gateway server or proxy server | Tape server is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened. | |||
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | WAN accelerator | WAN accelerator is a Microsoft Windows server, and it requires the ports listed in Microsoft Windows Server to be opened. | ||
TCP | 6160 | Default port used by the Veeam Installer Service. | ||
TCP | 6162 | Default port used by the Veeam Data Mover. | ||
TCP | 6164 | Controlling port for RPC calls. | ||
WAN accelerator | Backup repository | TCP | 2500 to 33001 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically. |
WAN accelerator | WAN accelerator | TCP | 6164 | Controlling port for RPC calls. |
TCP | 6165 | Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed. | ||
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
Connections with Non-Persistent Runtime Components
The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. |
Guest interaction proxy | TCP | 6190 | Used for communication with the guest interaction proxy. | |
TCP | 6290 | Used as a control channel for communication with the guest interaction proxy. | ||
TCP | 445 | Port used as a transmission channel. | ||
Guest interaction proxy | ESXi server | TCP | 443 | Default port used for connections to ESXi host. |
Network ports described in the table below are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | VM guest OS (Microsoft Windows) | TCP | 445 | Required to deploy the runtime coordination process on the VM guest OS. Note: Port 135 is optional to provide faster deployment. |
TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API). Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. | |
TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Connections with Persistent Agent Components
The following table describes network ports that must be opened to ensure proper communication of the backup server with the persistent agent components deployed inside the VM guest OS for application-aware processing and indexing.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | VM guest OS (Linux) | TCP | 6160 | Default port used by the Veeam Installer Service for Linux. |
TCP | 6162 | Default Management Agent port. Required if it is used as a control channel instead of SSH. | ||
Guest interaction proxy | VM guest OS | TCP | 6160 | Default port and failover port used by the Veeam Installer Service. |
TCP | 6173 | Used by the Veeam Guest Helper for guest OS processing and file-level restore. |
The following tables describe network ports that must be opened to ensure proper communication between log shipping components.
- Log Shipping Server Connections
- MS SQL Guest OS Connections
- Oracle Guest OS Connections
- PostgreSQL Guest OS Connections
Log Shipping Server Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Log shipping server | TCP | 445 | Required for deploying Veeam Backup & Replication components. Note: Port 135 is optional to provide faster deployment. |
TCP | 6160 | Default port used by the Veeam Installer Service. | ||
TCP | 6162 | Default port used by the Veeam Data Mover. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Log shipping server | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | MS SQL VM guest OS | TCP | 445 | [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: Port 135 is optional to provide faster deployment. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
TCP | 6160 | [Persistent agent components only] Default port and failover port used by the Veeam Installer Service. | ||
TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. | ||
MS SQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
MS SQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
MS SQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 445 | [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: Port 135 is optional to provide faster deployment. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
TCP | 6160 | [Persistent agent components only] Default port and failover port used by the Veeam Installer Service. | ||
TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. | ||
Oracle VM guest OS (Linux) | TCP | 22 | [Non-persistent runtime components only] Default SSH port used as a control channel. This port is NOT required when working in networkless mode over VMware VIX/vSphere Web Services. | |
TCP | 6162 | [Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH. | ||
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
Oracle VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Oracle VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Oracle VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
PostgreSQL Guest OS Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | PostgreSQL VM guest OS | TCP | 22 | [Non-persistent runtime components only] Default SSH port used as a control channel. This port is NOT required when working in networkless mode over vSphere Web Services. |
TCP | 6162 | [Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH. | ||
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. This port is NOT required when working in networkless mode over vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
PostgreSQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. This port is NOT required when working in networkless mode over vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
PostgreSQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the PostgreSQL server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
PostgreSQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports that must be opened to ensure proper communication of Veeam CDP components with other backup components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
ESXi host (source) | CDP proxy (source) | TCP | 33032 | Default port used as a transmission channel to the source CDP proxy. |
ESXi host (source) | TCP | 33033 | Port used locally on the source ESXi host for data transfer between I/O filter components. | |
ESXi host (source) | TCP | 33036 | Port used locally on the source ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy. | |
ESXi host (source) | TCP | 33038 | Port used locally on the source ESXi host for communication between CDP components over HTTPS. | |
CDP proxy (source) | CDP proxy (target) | TCP | 33033 | Default port used as a transmission channel to the target CDP proxy. |
ESXi host (source and target) | TCP | 902 | Default VMware port used for data transfer. Used during the initial synchronization. | |
vCenter Server (source and target) | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. Used during the initial synchronization. | |
CDP proxy (target) | ESXi host (target) | TCP | 33032 | Default port used as a transmission channel to the target ESXi host. |
ESXi host (source and target) | TCP | 902 | Default VMware port used for data transfer. Used during the initial synchronization. | |
vCenter Server (source and target) | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. Used during the initial synchronization. | |
ESXi host (target) | ESXi host (target) | TCP | 33034 | Port used locally on the target ESXi host for communication between the I/O filter components during failover. |
ESXi host (target) | TCP | 33036 | Port used locally on the target ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy. | |
ESXi host (target) | TCP | 33038 | Port used locally on the target ESXi host for communication between CDP components over HTTPS. | |
Backup server | ESXi host (source and target) | TCP | 443 | Port used as a control channel. |
vCenter Server (source and target) | TCP | 443 | Port used as a control channel. | |
CDP proxy (source and target) | TCP | 6182 | Port used as a control channel. | |
Backup server | TCP | 9509 | Port used locally on the backup server for communication between Veeam Backup Service and Veeam CDP Coordinator Service. | |
ESXi host (source and target) | Backup server | TCP | 33034 | Port used for communication with Veeam CDP Coordinator Service. |
vCenter Server (source and target) | Backup server | TCP | 33034 | Port used for communication with Veeam CDP Coordinator Service. |
CDP proxy (source and target) | Backup server | TCP | 33034 | Port used for communication with Veeam CDP Coordinator Service. |
- Guest OS File Recovery
- Veeam vPower NFS Service
- SureReplica Recovery Verification
- Veeam U-AIR
- Microsoft Active Directory Domain Controller Connections During Application Item Restore
- Microsoft Exchange Server Connections During Application Item Restore
- Microsoft SQL Server Connections During Application Item Restore
- Helper Appliance (Restore to Amazon EC2, Google Cloud)
- Azure Restore Proxy Appliance (former Azure Proxy)
- Helper Appliance (Restore to Microsoft Azure)
- Azure Stack
The following table describes network ports that must be opened to ensure proper communication between components for guest OS file recovery.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Mount server | Backup server | TCP | 9401 | Used for communication with the Veeam Backup Service. |
Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
Backup server | Mount server | TCP | 445 | Required for deploying Veeam Backup & Replication components. |
TCP | 2500 to 3300 | Default range of ports used for communication with a mount server. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 6160 | Default port used by the Veeam Installer Service including checking the compatibility between components before starting the recovery process. | ||
TCP | 6162 | Default port used by the Veeam Data Mover. | ||
TCP | 6170 | Used for communication with a local or remote Mount Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Helper appliance | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup server | Helper appliance
| TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper appliance. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
Mount server | Helper appliance | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper appliance. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Helper host | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup server | Helper host | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper host. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 6162 | Default port used by the Veeam Data Mover. | ||
TCP | 32768 to 60999 | Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation. | ||
Mount server | Helper host | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper host. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 32768 to 60999 | Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
VM guest OS (Linux/Unix) | Helper appliance | TCP | 21 | Default port used for protocol control messages if FTP server is enabled. |
Helper appliance | VM guest OS (Linux/Unix) | TCP | 20 | Default port used for data transfer if FTP server is enabled. |
TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
Helper host | VM guest OS (Linux/Unix) | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup server | VM guest OS (Linux/Unix) | TCP | 22 | Default SSH port used as a control channel. |
Mount server | VM guest OS (Microsoft Windows) | TCP | 445 | Required to deploy the runtime coordination process on the VM guest OS. Note: Port 135 is optional to provide faster deployment. |
TCP | 6160 | Default port and failover port used by the Veeam Installer Service. | ||
TCP | 6173 | Used by the Veeam Guest Helper for guest OS processing and file-level restore if persistent agent components are deployed inside the VM guest OS. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Backup server | VM guest OS | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft Windows server running vPower NFS Service | TCP | 6160 | Default port used by the Veeam Installer Service. |
TCP | 6161 | Default port used by the Veeam vPower NFS Service. | ||
ESXi host | Microsoft Windows server running vPower NFS Service | TCP | 111 | Standard port used by the port mapper service. |
TCP | 1058+ or 1063+ | Default mount port. The number of port depends on where the vPower NFS Service is located:
If port 1058/1063 is occupied, the succeeding port numbers will be used. | ||
TCP | 2049+ | Standard NFS port. If port 2049 is occupied, the succeeding port numbers will be used. | ||
Backup repository or | Microsoft Windows server running vPower NFS Service | TCP | 2500 to 33001 | Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery. For every TCP connection that a job uses, one port from this range is assigned. |
1 This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.
SureReplica Recovery Verification
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | vCenter Server | TCP | 443 | Default port used for connections to vCenter Server. |
ESXi server | TCP | 443 | Default port used for connections to ESXi host. | |
Proxy appliance | TCP | 443 | Port used for communication with the proxy appliance in the virtual lab. | |
22 | Port used for communication with the proxy appliance in the virtual lab. | |||
Applications on VMs in the virtual lab | — | — | Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response. | |
Internet-facing proxy server | VMs in the virtual lab | TCP | 8080 | Port used to let VMs in the virtual lab access the Internet. |
The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
U-AIR wizards | Veeam Backup Enterprise Manager | TCP | 9394 | Default port used for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation. |
Microsoft Active Directory Domain Controller Connections During Application Item Restore
The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft | TCP | 135 | Port required for communication between the domain controller and backup server. |
TCP, | 389 | LDAP connections. | ||
TCP | 636, 3268, 3269 | LDAP connections. | ||
TCP | 49152 to 65535 (for Microsoft Windows 2008 and later) | Dynamic port range used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API).1 For more information, see this Microsoft KB article. |
1 If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports: during setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the “RPC function call failed” error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.
Microsoft Exchange Server Connections During Application Item Restore
The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft Exchange 2003/2007 CAS Server | TCP | 80, 443 | WebDAV connections. |
Microsoft Exchange 2010/2013/2016/2019 CAS Server | TCP | 443 | Microsoft Exchange Web Services Connections. |
Microsoft SQL Server Connections During Application Item Restore
The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft | TCP | 1433, | Port used for communication with the Microsoft SQL Server installed inside the VM. Port numbers depends on configuration of your Microsoft SQL server. For more information, see Microsoft Docs. |
Helper Appliance (Restore to Amazon EC2, Google Cloud)
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server/Backup Repository | Helper appliance | TCP | 22 | Port used as a communication channel to the helper appliance in the restore to Amazon EC2 or Google Cloud process. |
TCP | 443 | Default redirector port. You can change the port in helper appliance settings. For details, see Specify Helper Appliance in Restore to Amazon EC2 and Restore to Google Cloud. |
Azure Restore Proxy Appliance (former Azure Proxy)
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server/ Backup repository | Azure restore proxy appliance (former Azure proxy) | TCP | 443 | Default management and data transport port required for communication with the Azure restore proxy appliance. The port must be opened on the backup server and backup repository storing VM backups. The default port is 443, but you can change it in the settings of the Azure restore proxy appliance. For details, see Specify Credentials and Transport Port |
Helper Appliance (Restore to Microsoft Azure)
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Helper appliance | TCP | 22 | Port used as a communication channel to the helper appliance in the Restore to Azure process. The default port is 22, but you can change it during helper appliance deployment. For details, see Configuring Helper Appliances. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Azure Stack | TCP | 443, 30024 | Default management and data transport port required for communication with the Azure Stack. |
Veeam Backup Enterprise Manager
Veeam Backup Enterprise Manager Connections
- Veeam Explorer for Microsoft Active Directory Connections
- Veeam Explorer for Microsoft Exchange Connections
- Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business Connections
- Veeam Explorer for Microsoft SQL Server Connections
- Veeam Explorer for Microsoft Teams Connections
- Veeam Explorer for Oracle Connections
- Veeam Explorer for PostgreSQL Connections
Veeam Cloud Connect Connections
Veeam Agent for Microsoft Windows
- Connections for Veeam Agent for Microsoft Windows Operating in Managed Mode
- Connections for Veeam Agent for Microsoft Windows Operating in Standalone Mode
- Connections for Veeam Agent for Linux Operating in Managed Mode
- Connections for Veeam Agent for Linux Operating in Standalone Mode
- Connections for Veeam Agent for Mac Operating in Managed Mode
- Connections for Veeam Agent for Mac Operating in Standalone Mode
Veeam Plug-ins for Enterprise Applications
- Veeam Plug-in for SAP HANA Connections
- Veeam Plug-in for Oracle RMAN Connections
- Veeam Plug-in for SAP on Oracle Connections
- Veeam Plug-in for Microsoft SQL Server Connections
Veeam Plug-ins for Cloud Solutions
- AWS Plug-in for Veeam Backup & Replication
- Microsoft Azure Plug-in for Veeam Backup & Replication
- Google Cloud Platform Plug-in for Veeam Backup & Replication
The following table describes network ports that must be opened to ensure proper communication with NDMP servers.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server | NDMP server | NDMP | 10000 | Port used for data transfer between the components. |
The following table describes network ports that must be opened to ensure proper communication of the backup server with mail servers.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | SMTP server | TCP | 25 | Used by the SMTP server. |
TCP | 587 | Used by the SMTP server if SSL is enabled. | ||
Gmail REST API (gmail.googleapis.com) | TCP | 443 | Used to communicate with Google Mail services. | |
Microsoft Graph REST API (graph.microsoft.com, login.microsoftonline.com) | TCP | 443 | Used to communicate with Microsoft Exchange Online organizations. |
If you use an HTTP(S) proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.
Note |
Tenants cannot access Veeam Cloud Connect infrastructure components through HTTP(S) proxy servers. For information on supported protocols for Veeam Cloud Connect, see the Ports section in the Veeam Cloud Connect Guide. |