Ports

On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports. These rules allow components to communicate with each other.

Important

Some Linux distributions require firewall and security rules to be created manually. For details, see this Veeam KB article.

You can find the full list of the ports in this section.

Backup Server

The following table describes network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components.

From

To

Protocol

Port

Notes

Communication with Virtualization Servers

Backup server

vCenter Server

TCP

443

Default port used for connections to vCenter Server.

If you use VMware Cloud Director, make sure you open port 443 on underlying vCenter Servers.

ESXi server

TCP

443

Default port used for connections to ESXi host.

This port is not required for VMware Cloud on AWS.

TCP

902

Port used for data transfer to ESXi host. It is also used during guest OS file recovery if you recover files from replicas.

This port is not required for VMware Cloud on AWS.

VMware Cloud Director

TCP

443

Default port used for connections to VMware Cloud Director.

Other Communications

Backup server

PostgreSQL server hosting the Veeam Backup & Replication configuration database

TCP

5432

Port used for communication with PostgreSQL server on which the Veeam Backup & Replication configuration database is deployed.

Microsoft SQL Server hosting the Veeam Backup & Replication configuration database

TCP

1433

Port used for communication with Microsoft SQL Server on which the Veeam Backup & Replication configuration database is deployed (if you use a Microsoft SQL Server default instance).

Additional ports may need to be open depending on your configuration. For more information, see Microsoft Docs.

DNS server with forward/reverse name resolution of all backup servers

UDP

53

Port used for communication with the DNS Server.

Veeam Update Notification Server

TCP

443

Default port used to download information about available updates from the Veeam Update Notification Server over HTTPS.

Veeam Update Notification Server endpoints:

  • dev.veeam.com

Veeam License Update Server

TCP

443

Default port used to automatically update license from the Veeam License Update Server over HTTPS.

Veeam License Update Server endpoints:

  • vbr.butler.veeam.com
  • autolk.veeam.com

80

Required for certificate validation when Veeam Backup & Replication connects to Veeam License Update Server to check if the new license is available and download it.

Certificate verification endpoints:

  • *.ss2.us
  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

KMS server

TCP

5696

Default port used for communication with Key Management System server.

Veeam ONE Server

TCP

2741

Default port used for communication with Veeam ONE internal Web API.

Required for the Analytics view. For more information, see Configuring Analytics View.

Veeam ONE Web Services

TCP

1239

Default port used by Veeam ONE Web Services.

Required for the Analytics view. For more information, see Configuring Analytics View.

Backup server

TCP

9501

Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components.

Backup server

TCP

6172

Port used to provide REST access to the Veeam Backup & Replication database.

Management client PC (remote access)

Backup server

TCP

3389

Default port used by Remote Desktop Services. If you use third-party solutions to connect to the backup server, other ports may need to be open.

REST client

Backup server

TCP

9419

Default port for communication with REST API service.

 

Backup & Replication Console

The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console.

From

To

Protocol

Port

Notes

Veeam Backup & Replication console

Backup server

TCP

9392
9420

Ports used by the Veeam Backup & Replication console to communicate with the backup server.

For Veeam Backup & Replication 12 and earlier versions, only port 9392 is required. Starting from Veeam Backup & Replication 12.1 (build 12.1.0.2131), both ports are required.

TCP

9396

Port used by the Veeam.Backup.UIService process for managing database connections.

TCP

9401

[Remote console only] Port used by the Veeam Backup & Replication console during Windows file-level recovery. Required to perform Copy to and Mount to console operations.

TCP

10003

[Remote console only] Port used by the Veeam Backup & Replication console to connect to the backup server only when managing the Veeam Cloud Connect infrastructure.

Mount server

TCP

2500 to 3300

[Remote console only] Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

This port is used if the mount server is not located on the console.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Veeam AI Assistant (rest-ai.veeam.com)

TCP

443

Default port for communication with the Veeam AI Assistant service.

Required starting from Veeam Backup & Replication 12.1 (build 12.1.0.2131).

Backup Proxy

The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components. For more information about ports that must be opened between the backup proxy and specific backup repository, see Backup Repositories.

From

To

Protocol

Port

Notes

Communication with Backup Server

Backup server

Backup proxy (Microsoft Windows)

TCP

445
135

Required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by Veeam Installer Service.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Backup proxy (Linux)

TCP

22

Default SSH port used as a control channel.

TCP

6160

Default port used by Veeam Installer Service for Linux.

TCP

6162

Default port used by Veeam Data Mover Service.

You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings.

Backup proxy

TCP

2500 to 3300

Default range of ports used as data transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

6210

Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup.

Communication with Virtualization Servers

Backup proxy

vCenter Server

TCP

443

Default VMware web service port that can be customized in vCenter settings.

ESXi server

TCP

902

Default VMware port used for data transfer.

This port is not required for VMware Cloud on AWS.

TCP

443

Default VMware web service port that can be customized in ESXi host settings. Not required if vCenter connection is used.

This port is not required for VMware Cloud on AWS.

Other Communications

Backup proxy

Gateway server

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup proxy

TCP

2500 to 3300

Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

 

Gateway Server

The following table describes network ports that must be opened to ensure proper communication with gateway servers. For more information about ports that must be opened between the gateway server and specific backup repository, see Backup Repositories.

From

To

Protocol

Port

Notes

Backup server

Gateway server (Microsoft Windows)

TCP

445
135

Required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by Veeam Installer Service.

TCP

6162

Default port used by Veeam Data Mover Service.

Gateway server (Linux)

TCP

22

Default SSH port used as a control channel.

TCP

6160

Default port used by Veeam Installer Service for Linux.

TCP

6162

Default port used by Veeam Data Mover Service.

You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings.

Gateway server

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup proxy

Gateway server

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup Repositories

Microsoft Windows/Linux-based Backup Repository

The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows/Linux-based backup repositories.

From

To

Protocol

Port

Notes

Backup server

Backup repository (Microsoft Windows)

TCP

445
135

Required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by Veeam Installer Service.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Backup repository (Linux)

TCP

22

Default SSH port used as a control channel.

TCP

6160

Default port used by Veeam Installer Service for Linux.

TCP

6162

Default port used by Veeam Data Mover Service.

You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings.

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup repository (Linux)

Backup server

TCP

2500 to 3300

Default range of ports used as transmission channels for copy backup operations if the backup server is used as the target backup repository. These ports are also required for file copy operations between the Linux backup repository and the backup server.

For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup proxy

Backup repository

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Source backup repository

Target backup repository

TCP

2500 to 3300

Default range of ports used as transmission channels for backup copy jobs and copy backup operations. For every TCP connection that a job uses, one port from this range is assigned.

If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are opened.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

NFS Backup Repository

The following table describes network ports that must be opened to ensure proper communication with NFS shares added as backup repositories.

From

To

Protocol

Port

Notes

Gateway server or backup proxy

NFS backup repository

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

Also used as a transmission channel from the gateway server to the target NFS backup repository if a gateway server is specified explicitly in NFS backup repository settings.

Gateway server or backup proxy

NFS backup repository
(NFS v3)

TCP, UDP

mountd_port

Dynamic port used for mountd service. Can be assigned statically.

TCP, UDP

statd_port

Dynamic port used for statd service. Can be assigned statically.

TCP, UDP

lockd_port

Dynamic port used for lockd service. Can be assigned statically.

SMB Backup Repository

The following table describes network ports that must be opened to ensure proper communication with SMB (CIFS) shares added as backup repositories.

From

To

Protocol

Port

Notes

Gateway server or backup proxy

SMB (CIFS) backup repository (Microsoft Windows)

TCP

445

Used as a transmission channel from the gateway server to the target SMB (CIFS) backup repository if a gateway server is specified explicitly in SMB (CIFS) backup repository settings.

Dell Data Domain System

For more information, see Dell Documents.

From

To

Protocol

Port

Notes

Backup server or gateway server

Dell Data Domain

TCP

111

Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned.

TCP

2049

Main port used by NFS. Can be modified using the ‘nfs set server-port’ command. Command requires SE mode.

TCP

2052

Main port used by NFS MOUNTD. Can be modified using the 'nfs set mountd-port' command in SE mode.

ExaGrid

From

To

Protocol

Port

Notes

Backup server

ExaGrid

TCP

22

Default command port used for communication with ExaGrid.

Backup proxy

ExaGrid

TCP

2500 to 3300

Default range of ports used for communication with the backup proxy.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

HPE StoreOnce

From

To

Protocol

Port

Notes

Backup server
or
gateway server

HPE StoreOnce

TCP

9387

Default command port used for communication with HPE StoreOnce.

9388

Default data port used for communication with HPE StoreOnce.

Quantum DXi

From

To

Protocol

Port

Notes

Backup server

Quantum DXi

TCP

22

Default command port used for communication with Quantum DXi.

Backup proxy

Quantum DXi

TCP

2500 to 3300

Default range of ports used for communication with the backup proxy.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Fujitsu ETERNUS CS800

From

To

Protocol

Port

Notes

Backup server

Fujitsu ETERNUS CS800

TCP

22

Default command port used for communication with Fujitsu ETERNUS CS800.

Backup proxy

Fujitsu ETERNUS CS800

TCP

2500 to 3300

Default range of ports used for communication with the backup proxy.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Infinidat InfiniGuard

From

To

Protocol

Port

Notes

Backup server

Infinidat InfiniGuard

TCP

22

Default command port used for communication with Infinidat InfiniGuard.

Backup proxy

Infinidat InfiniGuard

TCP

2500 to 3300

Default range of ports used for communication with the backup proxy.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Object Storage Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories. For more information, see Object Storage Repository.

From

To

Protocol

Port

Notes

Source object storage repository

Backup proxy (direct connection)/Gateway server or backup server

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup proxy (direct connection)/Gateway server or backup server

Amazon S3 object storage

TCP

443

Used to communicate with the Amazon S3 object storage through the following endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

All AWS service endpoints are specified in the AWS documentation.

80

Used to verify the certificate status through the following endpoints:

  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Microsoft Azure object storage

TCP

443

Used to communicate with the Microsoft Azure object storage through the following endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

Consider that the <xxx> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal.

80

Used to verify the certificate status through the following endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also this Microsoft article.

Google Cloud storage

TCP

443

Used to communicate with Google Cloud storage through the following endpoints:

  • storage.googleapis.com

All cloud endpoints are specified in this Google article.

80

Used to verify the certificate status through the following endpoints:

  • ocsp.pki.goog
  • pki.goog
  • crl.pki.goog

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

IBM Cloud object storage

TCP

Depends on device configuration

Used to communicate with IBM Cloud object storage.

S3 compatible object storage

TCP

Depends on device configuration

Used to communicate with S3 compatible object storage.

External Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with external repositories. For more information, see External Repository.

From

To

Protocol

Port

Notes

Source object storage repository

Gateway server or backup server

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Gateway server or backup server

Amazon S3 object storage

TCP

443

Used to communicate with the Amazon S3 object storage through the following endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

All AWS service endpoints are specified in the AWS documentation.

80

Used to verify the certificate status through the following endpoints:

  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Microsoft Azure object storage

TCP

443

Used to communicate with the Microsoft Azure object storage through the following endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

Consider that the <xxx> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal.

80

Used to verify the certificate status through the following endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also this Microsoft article.

Google Cloud storage

TCP

443

Used to communicate with Google Cloud storage through the following endpoints:

  • storage.googleapis.com

All cloud endpoints are specified in this Google article.

80

Used to verify the certificate status through the following endpoints:

  • ocsp.pki.goog
  • pki.goog
  • crl.pki.goog

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Archive Object Storage Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories used as a part of Archive Tier. For more information, see Archive Tier.

From

To

Protocol

Port

Notes

Gateway server or backup server

Amazon EC2 helper appliance

TCP

443

Used by default to communicate with the Amazon EC2 helper appliance through public/private IPv4 addresses of EC2 appliances.

If you use Amazon S3 Glacier object storage, the gateway server should have direct connection to AWS service endpoints. HTTP/HTTPS proxy servers are not supported.

If there is no gateway server selected, the backup server will be used as a gateway server.

TCP

22

Default SSH port used as a control channel.

Microsoft Azure proxy appliance

TCP

443

Used by default to communicate with the Microsoft Azure helper appliance through public/private IPv4 addresses of Azure appliances.

If there is no gateway server selected, the backup server will be used as a gateway server.

TCP

22

Default SSH port used as a control channel.

Amazon EC2 helper appliance

Amazon S3 object storage

TCP

443

Used to communicate with the Amazon S3 object storage through the following endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

All AWS service endpoints are specified in the AWS documentation

TCP

80

Used to verify the certificate status through the following endpoints:

  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Microsoft Azure proxy appliance

Microsoft Azure object storage

TCP

443

Used to communicate with the Microsoft Azure object storage through the following endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

Consider that the <xxx> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal.

TCP

80

Used to verify the certificate status through the following endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also this Microsoft article.

Storage Systems

Dell VNX(e) Storage

From

To

Protocol

Port

Notes

Backup server

VNX File

TCP

22

Default command port used for communication with Dell VNX File over SSH.

VNX Block

VNXe

TCP

443

Default port used for communication with Dell VNX Block/Dell VNXe over HTTPS and sending REST API calls.

Backup proxy

VNX Block

VNXe

TCP

3260

Default iSCSI target port.

VNX File

VNXe

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

Dell Unity XT, Unity Storage

From

To

Protocol

Port

Notes

Backup server

Dell Unity XT/Unity storage system

TCP

443

Default port used for communication with Dell Unity XT/Unity over HTTPS and sending REST API calls.

Backup proxy

Dell Unity XT/Unity storage system

TCP

3260

Default iSCSI target port.

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

Dell PowerScale (Formerly Isilon) Storage

From

To

Protocol

Port

Notes

Backup server

Dell PowerScale storage system

TCP

8080

Default port used for communication with Dell PowerScale over HTTPS and sending REST API calls.

Backup proxy

Dell PowerScale storage system

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

445

Standard SMB port.

HPE 3PAR StoreServ Storage

From

To

Protocol

Port

Notes

Backup server

HPE 3PAR StoreServ storage system

TCP

8008

Default port used for communication with HPE 3PAR StoreServ over HTTP.

TCP

8080

Default port used for communication with HPE 3PAR StoreServ over HTTPS.

TCP

22

Default command port used for communication with HPE 3PAR StoreServ over SSH.

Backup proxy

HPE 3PAR StoreServ storage system

TCP

3260

Default iSCSI target port.

HPE Alletra MP, Alletra 9000, Primera Storage

From

To

Protocol

Port

Notes

Backup server

HPE Alletra MP/Alletra 9000/Primera storage system

TCP

443

Default port used for communication with HPE Alletra MP/Alletra 9000/Primera over HTTPS.

TCP

22

Default command port used for communication with HPE Alletra MP/Alletra 9000/Primera over SSH.

Backup proxy

HPE Alletra MP/Alletra 9000/Primera storage system

TCP

3260

Default iSCSI target port.

HPE StoreVirtual (formerly LeftHand/P4000 Series) and StoreVirtual VSA Storage

From

To

Protocol

Port

Notes

Backup server

HPE StoreVirtual/LeftHand/P4000 series storage system

TCP

16022

Default command port used for communication with HPE StoreVirtual/LeftHand/P4000 series.

Backup proxy

HPE StoreVirtual/LeftHand/P4000 series storage system

TCP

3260

Default iSCSI target port.

HPE Alletra 5000, Alletra 6000, Nimble Storage

From

To

Protocol

Port

Notes

Backup server

HPE Alletra 5000/Alletra 6000/Nimble storage system

TCP

5392

Default command port used for communication with HPE Alletra 5000/Alletra 6000/Nimble.

Backup proxy

HPE Alletra 5000/Alletra 6000/Nimble storage system

TCP

3260

Default iSCSI target port.

IBM FlashSystem (formerly Spectrum Virtualize) Storage

From

To

Protocol

Port

Notes

Backup server

IBM Spectrum Virtualize storage system

TCP

22

Default command port used for communication with IBM Spectrum Virtualize over SSH.

Backup proxy

IBM Spectrum Virtualize storage system

TCP

3260

Default iSCSI target port.

Lenovo ThinkSystem DM/DG Series Storage

From

To

Protocol

Port

Notes

Backup server

Lenovo ThinkSystem DM/DG Series storage system

TCP

80

Default command port used for communication with Lenovo ThinkSystem DM/DG Series over HTTP.

TCP

443

Default command port used for communication with Lenovo ThinkSystem DM/DG Series over HTTPS.

Backup proxy

Lenovo ThinkSystem DM/DG Series storage system

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

445

Standard SMB port.

TCP

3260

Default iSCSI target port.

NetApp ONTAP Storage

From

To

Protocol

Port

Notes

Backup server

NetApp ONTAP storage system

TCP

80

Default command port used for communication with NetApp ONTAP over HTTP.

TCP

443

Default command port used for communication with NetApp ONTAP over HTTPS.

Backup proxy

NetApp ONTAP storage system

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

445

Standard SMB port.

TCP

3260

Default iSCSI target port.

Nutanix Files Storage

From

To

Protocol

Port

Notes

Backup server

Nutanix Files storage system

TCP

9440

Default port used for communication with Nutanix Files and sending REST API calls.

Backup proxy

Nutanix Files storage system

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

445

Standard SMB port.

Universal Storage API Integrated System

The following tables describe network ports that must be opened to ensure proper communication with Universal Storage API integrated systems:

DataCore SANsymphony

From

To

Protocol

Port

Notes

Backup server

DataCore SANsymphony storage system

TCP

443

Default command port used for communication with DataCore SANsymphony over HTTPS.

Backup proxy

DataCore SANsymphony storage system

TCP

3260

Default iSCSI target port.

Dell SC Series

From

To

Protocol

Port

Notes

Backup server

Dell SC Series storage system

TCP

3033

Default command port used for communication with Dell SC Series over HTTPS.

Backup proxy

Dell SC Series storage system

TCP

3260

Default iSCSI target port.

Dell PowerMax

From

To

Protocol

Port

Notes

Backup server

Dell PowerMax storage system

TCP

8443

Default command port used for communication with Dell PowerMax over HTTPS.

Backup proxy

Dell PowerMax storage system

TCP

3260

Default iSCSI target port.

Dell PowerStore

From

To

Protocol

Port

Notes

Backup server

Dell PowerStore storage system

TCP

443

Default command port used for communication with Dell PowerStore over HTTPS.

Backup proxy

Dell PowerStore storage system

TCP

3260

Default iSCSI target port.

Fujitsu ETERNUS DX/AF

From

To

Protocol

Port

Notes

Backup server

Fujitsu ETERNUS DX/AF storage system

TCP

22

Default command port used for communication with Fujitsu ETERNUS DX/AF over SSH.

Backup proxy

Fujitsu ETERNUS DX/AF storage system

TCP

3260

Default iSCSI target port.

INFINIDAT InfiniBox

From

To

Protocol

Port

Notes

Backup server

INFINIDAT InfiniBox storage system

TCP

443

Default command port used for communication with INFINIDAT InfiniBox over HTTPS.

Backup proxy

INFINIDAT InfiniBox storage system

TCP

3260

Default iSCSI target port.

NetApp SolidFire/HCI

From

To

Protocol

Port

Notes

Backup server

NetApp SolidFire/HCI storage system

TCP

443

Default command port used for communication with NetApp SolidFire/HCI over HTTPS.

Backup proxy

NetApp SolidFire/HCI storage system

TCP

3260

Default iSCSI target port.

Pure Storage FlashArray

From

To

Protocol

Port

Notes

Backup server

Pure Storage FlashArray system

TCP

443

Default command port used for communication with Pure Storage FlashArray over HTTPS.

Backup proxy

Pure Storage FlashArray system

TCP

3260

Default iSCSI target port.

 

Tintri IntelliFlash (formerly Western Digital IntelliFlash, Tegile)

From

To

Protocol

Port

Notes

Backup server

Tintri IntelliFlash system

TCP

443

Default command port used for communication with Tintri IntelliFlash over HTTPS.

Backup proxy

Tintri IntelliFlash system

TCP

3260

Default iSCSI target port.

Tintri IntelliFlash system

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

 

Unstructured Data Backup Components

The following tables describe network ports that must be opened to ensure proper communication between unstructured data backup components.

File Share Connections

From

To

Protocol

Port

Notes

Backup proxy

File server

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

NAS filer (NetApp Data ONTAP or Lenovo ThinkSystem DM/DG Series storage system)

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

445

Standard SMB port.

TCP

3260

Default iSCSI target port.

NAS filer (Dell PowerScale (formerly Isilon) or Nutanix Files storage system)

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

TCP

445

Standard SMB port.

Backup proxy or tape server

NFS share

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

SMB share

TCP

445

Standard SMB port.

Amazon S3 object storage

TCP

443

Used to communicate with the Amazon S3 object storage through the following endpoints:

  • *.amazonaws.com (for both Global and Government regions)
  • *.amazonaws.com.cn (for China region)

All AWS service endpoints are specified in the AWS documentation.

TCP

80

Used to verify the certificate status through the following endpoints:

  • *.amazontrust.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

Microsoft Azure object storage

TCP

443

Used to communicate with the Microsoft Azure object storage through the following endpoints:

  • xxx.blob.core.windows.net (for Global region)
  • xxx.blob.core.chinacloudapi.cn (for China region)
  • xxx.blob.core.usgovcloudapi.net (for Government region)

Consider that the <xxx> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal.

TCP

80

Used to verify the certificate status through the following endpoints:

  • ocsp.digicert.com
  • ocsp.msocsp.com

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself. For more details, see also this Microsoft article.

S3 compatible object storage

TCP

Depends on device configuration

Used to communicate with S3 compatible object storage.

Cache Repository Connections

From

To

Protocol

Port

Notes

Backup proxy

Cache repository

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Cache repository

Backup proxy

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Primary or secondary backup repository

TCP

2500 to 3300

Default range of ports used as transmission channels for file share backup restore jobs. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Archive Repository Connections

From

To

Protocol

Port

Notes

Primary backup repository

Archive repository

TCP

2500 to 3300

Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Tape Server

The following table describes network ports that must be opened to ensure proper communication with tape servers.

From

To

Protocol

Port

Notes

Backup server

Tape server

TCP

445
135

Required for deploying Veeam Backup & Replication components.

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

6160

Default port used by Veeam Installer Service.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

6166

Controlling port for RPC calls.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Tape server

Backup server

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup repository or gateway server

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

NFS share

TCP, UDP

111, 2049

Standard NFS ports. Port 111 is used by the port mapper service.

SMB share

TCP

445

Standard SMB port.

WAN Accelerator

The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.

From

To

Protocol

Port

Notes

Backup server

WAN accelerator
(source and target)

TCP

445
135

Required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by Veeam Installer Service.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

6164

Controlling port for RPC calls.

TCP

6220

Port used for traffic control (throttling) for tenants that use WAN accelerators.

This port is required only in the Veeam Cloud Connect infrastructure.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

WAN accelerator
(source and target)

Backup repository
(source and target)

TCP

2500 to 3300

Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

WAN accelerator

WAN accelerator

TCP

6164

Controlling port for RPC calls.

TCP

6165

Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed.

Guest Processing Components

Connections with Non-Persistent Runtime Components

The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.

From

To

Protocol

Port

Notes

Backup server

VM guest OS (Linux)

TCP

22

Default SSH port used as a control channel.

Guest interaction proxy

TCP

6190

Used for communication with the guest interaction proxy.

TCP

6290

Used as a control channel for communication with the guest interaction proxy.

TCP

445

Port used as a transmission channel.

Guest interaction proxy

ESXi server

TCP

443

Default port used for connections to ESXi host.
[For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by vCenter Web Services.

Network ports described in the following table are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

From

To

Protocol

Port

Notes

Guest interaction proxy

VM guest OS (Microsoft Windows)

TCP

445
135

Required to deploy the runtime coordination process on the VM guest OS.

TCP

2500 to 3300

Default range of ports used as transmission channels for log shipping.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API).

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

VM guest OS (Linux)

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used as transmission channels for log shipping.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

VM guest OS

Guest interaction proxy

TCP

2500 to 3300

Default range of ports used as transmission channels for log shipping.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Connections with Persistent Agent Components

The following table describes network ports that must be opened to ensure proper communication of the backup server with the persistent agent components deployed inside the VM guest OS for application-aware processing and indexing.

From

To

Protocol

Port

Notes

Backup server

VM guest OS (Linux)

TCP

6160

Default port used by Veeam Installer Service for Linux.

TCP

6162

Default Management Agent port. Required if it is used as a control channel instead of SSH.

Guest interaction proxy

VM guest OS

TCP

6160
11731

Default port and failover port used by Veeam Installer Service.

TCP

6173
2500

Used by the Veeam Guest Helper for guest OS processing and file-level restore.

Log Shipping Components

The following tables describe network ports that must be opened to ensure proper communication between log shipping components.

Log Shipping Server Connections

From

To

Protocol

Port

Notes

Backup server

Log shipping server

TCP

445
135

Required for deploying Veeam Backup & Replication components.

TCP

6160

Default port used by Veeam Installer Service.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Log shipping server

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

MS SQL Guest OS Connections

From

To

Protocol

Port

Notes

Guest interaction proxy

MS SQL VM guest OS

TCP

445
135

[Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

TCP

2500 to 3300

Default range of ports used for communication with a guest OS.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

49152 to 65535

[Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

TCP

6160
11731

[Persistent agent components only] Default port and failover port used by Veeam Installer Service.

TCP

6167

Used by the Veeam Log Shipping Service for preparing the database and taking logs.

MS SQL VM guest OS

Guest interaction proxy

TCP

2500 to 3300

Default range of ports used for communication with a guest interaction proxy.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

MS SQL VM guest OS

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

MS SQL VM guest OS

Log shipping server

TCP

2500 to 3300

Default range of ports used for communication with a log shipping server and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle Guest OS Connections

From

To

Protocol

Port

Notes

Guest interaction proxy

Oracle VM guest OS (Microsoft Windows)

TCP

445
135

[Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

TCP

2500 to 3300

Default range of ports used for communication with a guest OS.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

49152 to 65535

[Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

TCP

6160
11731

[Persistent agent components only] Default port and failover port used by Veeam Installer Service.

TCP

6167

Used by the Veeam Log Shipping Service for preparing the database and taking logs.

Oracle VM guest OS (Linux)

TCP

22

[Non-persistent runtime components only] Default SSH port used as a control channel.

This port is NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

TCP

6162

[Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH.

TCP

2500 to 3300

Default range of ports used for communication with a guest OS.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle VM guest OS

Guest interaction proxy

TCP

2500 to 3300

Default range of ports used for communication with a guest interaction proxy.

These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle VM guest OS

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Oracle VM guest OS

Log shipping server

TCP

2500 to 3300

Default range of ports used for communication with a log shipping server and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

PostgreSQL Guest OS Connections

From

To

Protocol

Port

Notes

Guest interaction proxy

PostgreSQL VM guest OS

TCP

22

[Non-persistent runtime components only] Default SSH port used as a control channel.

This port is NOT required when working in networkless mode over vSphere Web Services.

TCP

6162

[Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH.

TCP

2500 to 3300

Default range of ports used for communication with a guest OS.

This port is NOT required when working in networkless mode over vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

PostgreSQL VM guest OS

Guest interaction proxy

TCP

2500 to 3300

Default range of ports used for communication with a guest interaction proxy.

This port is NOT required when working in networkless mode over vSphere Web Services.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

PostgreSQL VM guest OS

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the PostgreSQL server has a direct connection to the backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

PostgreSQL VM guest OS

Log shipping server

TCP

2500 to 3300

Default range of ports used for communication with a log shipping server and transfer log backups.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

CDP Components

The following table describes network ports that must be opened to ensure proper communication of Veeam CDP components with other backup components.

From

To

Protocol

Port

Notes

ESXi host (source)

CDP proxy (source)

TCP

33032

Default port used as a transmission channel to the source CDP proxy.

ESXi host (source)

TCP

33033

Port used locally on the source ESXi host for data transfer between I/O filter components.

ESXi host (source)

TCP

33036

Port used locally on the source ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy.

ESXi host (source)

TCP

33038

Port used locally on the source ESXi host for communication between CDP components over HTTPS.

CDP proxy (source)

CDP proxy (target)

TCP

33033

Default port used as a transmission channel to the target CDP proxy.

ESXi host (source and target)

TCP

902

Default VMware port used for data transfer. Used during the initial synchronization.

vCenter Server (source and target)

TCP

443

Default VMware web service port that can be customized in vCenter settings. Used during the initial synchronization.

CDP proxy (target)

ESXi host (target)

TCP

33032

Default port used as a transmission channel to the target ESXi host.

ESXi host (source and target)

TCP

902

Default VMware port used for data transfer. Used during the initial synchronization.

vCenter Server (source and target)

TCP

443

Default VMware web service port that can be customized in vCenter settings. Used during the initial synchronization.

ESXi host (target)

ESXi host (target)

TCP

33034

Port used locally on the target ESXi host for communication between the I/O filter components during failover.

ESXi host (target)

TCP

33036

Port used locally on the target ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy.

ESXi host (target)

TCP

33038

Port used locally on the target ESXi host for communication between CDP components over HTTPS.

Backup server

ESXi host (source and target)

TCP

443

Port used as a control channel.

vCenter Server (source and target)

TCP

443

Port used as a control channel.

CDP proxy (source and target)

TCP

6182

Port used as a control channel.

Backup server

TCP

9509

Port used locally on the backup server for communication between Veeam Backup Service and Veeam CDP Coordinator Service.

ESXi host (source and target)

Backup server

TCP

33034

Port used for communication with Veeam CDP Coordinator Service.

vCenter Server (source and target)

Backup server

HTTP

33035

Port used to install I/O filter components on the vCenter servers and ESXi hosts.

Note: This port is required starting from Veeam Backup & Replication 12.1 (build 12.1.0.2131).

TCP

33034

Port used for communication with Veeam CDP Coordinator Service.

CDP proxy (source and target)

Backup server

TCP

33034

Port used for communication with Veeam CDP Coordinator Service.

Recovery Components

Guest OS File Recovery

The following table describes network ports that must be opened to ensure proper communication between components for guest OS file recovery.

Mount Server Connections

From

To

Protocol

Port

Notes

Mount server

Backup server

TCP

9401

Used for communication with the Veeam Backup Service.

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup server

Mount server

TCP

445

Required for deploying Veeam Backup & Replication components.

TCP

2500 to 3300

Default range of ports used for communication with a mount server.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

6160

Default port used by Veeam Installer Service including checking the compatibility between components before starting the recovery process.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

6170

Used for communication with a local or remote Mount Service.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Helper Appliance Connections

From

To

Protocol

Port

Notes

Helper appliance

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Helper appliance

ESXi server

TCP

443

Default port used for connections to the ESXi host if restore is performed over VIX API/vSphere Web Services.

[For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by vSphere Web Services.

Backup server

Helper appliance

 

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper appliance.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Mount server

Helper appliance

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper appliance.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Helper Host Connections

From

To

Protocol

Port

Notes

Helper host

Backup repository

TCP

2500 to 3300

Default range of ports used for communication with a backup repository.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Helper host

ESXi server

TCP

443

Default port used for connections to the ESXi host if restore is performed over VIX API/vSphere Web Services.

[For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by vSphere Web Services.

Backup server

Helper host

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper host.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

6162

Default port used by Veeam Data Mover Service.

TCP

32768 to 60999

Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation.

Mount server

Helper host

TCP

22

Default SSH port used as a control channel.

TCP

2500 to 3300

Default range of ports used for communication with a helper host.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

TCP

32768 to 60999

Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation.

Guest OS Connections

From

To

Protocol

Port

Notes

VM guest OS (Linux/Unix)

Helper appliance

TCP

21

Default port used for protocol control messages if FTP server is enabled.

Helper appliance

VM guest OS (Linux/Unix)

TCP

20

Default port used for data transfer if FTP server is enabled.

TCP

2500 to 3300

Default range of ports used for communication with a VM guest OS.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Helper host

VM guest OS (Linux/Unix)

TCP

2500 to 3300

Default range of ports used for communication with a VM guest OS.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Backup server

VM guest OS (Linux/Unix)

TCP

22

Default SSH port used as a control channel.

Mount server

VM guest OS (Microsoft Windows)

TCP

445
135

Required to deploy the runtime coordination process on the VM guest OS.

TCP

6160
11731

Default port and failover port used by Veeam Installer Service.

TCP

6173
2500

Used by the Veeam Guest Helper for guest OS processing and file-level restore if persistent agent components are deployed inside the VM guest OS.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Backup server

VM guest OS

TCP

2500 to 3300

Default range of ports used for communication with a VM guest OS.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Veeam vPower NFS Service

From

To

Protocol

Port

Notes

Backup server

Microsoft Windows server with the mount server role running vPower NFS Service

TCP

6160

Default port used by Veeam Installer Service.

TCP

6161

Default port used by the Veeam vPower NFS Service.

ESXi host

Microsoft Windows server with the mount server role running vPower NFS Service

TCP
UDP

111

Standard port used by the port mapper service.

TCP
UDP

1058+ or 1063+

Default mount port. The number of port depends on where the vPower NFS Service is located:

  • 1058+: If the vPower NFS Service is located on the backup server.
  • 1063+: If the vPower NFS Service is located on a separate Microsoft Windows machine.

If port 1058/1063 is occupied, the succeeding port numbers will be used.

TCP
UDP

2049+

Standard NFS port. If port 2049 is occupied, the succeeding port numbers will be used.

Backup repository or
gateway server working with backup repository

Microsoft Windows server with the mount server role running vPower NFS Service

TCP

2500 to 3300

Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery.

For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

Microsoft Windows server with the mount server role running vPower NFS Service

Backup repository or
gateway server working with backup repository

TCP

2500 to 3300

Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery.

For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

SureBackup

The following table describes network ports that must be opened to ensure proper communication between SureBackup components.

From

To

Protocol

Port

Notes

Backup server

Proxy appliance

TCP

443

Used for communication with the proxy appliance in the virtual lab.

Applications on VMs in the virtual lab

Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response.

Internet-facing proxy server

VMs in the virtual lab

TCP

8080

Used to let VMs in the virtual lab access the Internet.

Microsoft Windows server with the mount server role running vPower NFS Service

Backup repository or
gateway server working with backup repository

TCP

2500 to 3300

Default range of ports used as transmission channels during SureBackup.

For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

ESXi server

TCP

443

Default port used for connections to ESXi host.

Backup repository or
gateway server working with backup repository

Microsoft Windows server with the mount server role running vPower NFS Service

TCP

2500 to 3300

Default range of ports used as transmission channels during SureBackup.

For every TCP connection that a job uses, one port from this range is assigned.

Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components.

SureReplica Recovery Verification

The following table describes network ports that must be opened to ensure proper communication between SureReplica components.

From

To

Protocol

Port

Notes

Backup server

Proxy appliance

TCP

443

Used for communication with the proxy appliance in the virtual lab.

Applications on VMs in the virtual lab

Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response.

Internet-facing proxy server

VMs in the virtual lab

TCP

8080

Used to let VMs in the virtual lab access the Internet.

Veeam U-AIR

The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

From

To

Protocol

Port

Notes

U-AIR wizards

Veeam Backup Enterprise Manager

TCP

9394

Used by default for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation.

Microsoft Active Directory Domain Controller Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
Active Directory VM guest OS

TCP

135

Used for communication between the domain controller and backup server.

TCP,
UDP

389

LDAP connections.

TCP

636, 3268, 3269

LDAP connections.

TCP

49152 to 65535

Dynamic RPC port range for Microsoft Windows 2008 and later used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API). For more information, see this Microsoft KB article.

Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article.

Microsoft Exchange Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft Exchange 2003/2007 CAS Server

TCP

80, 443

WebDAV connections.

Microsoft Exchange 2010/2013/2016/2019 CAS Server

TCP

443

Microsoft Exchange Web Services Connections.

Microsoft SQL Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

From

To

Protocol

Port

Notes

Backup server

Microsoft
SQL VM guest OS

TCP

1433,
1434 and other

Used for communication with the Microsoft SQL Server installed inside the VM.

Port numbers depends on configuration of your Microsoft SQL server. For more information, see this Microsoft article.

UDP

1434

Used by the Microsoft SQL Server Browser service.

For more information, see this Microsoft article.

Restore to Amazon EC2

From

To

Protocol

Port

Notes

Backup server or backup repository

Helper appliance

TCP

22

Used as a communication channel to the helper appliance.

TCP

443

Default redirector port. You can change the port in helper appliance settings. For details, see the Specify Helper Appliance section in Restore to Amazon EC2.

Restore to Google Cloud

From

To

Protocol

Port

Notes

Backup server or backup repository

Helper appliance

TCP

22

Used as a communication channel to the helper appliance.

TCP

443

Default redirector port. You can change the port in helper appliance settings. For details, see the Specify Helper Appliance section in Restore to Google Cloud.

Restore to Microsoft Azure

From

To

Protocol

Port

Notes

Backup server

Helper appliance

TCP

22

Used by default as a communication channel to the helper appliance when restoring Linux workloads. Can be changed during helper appliance deployment. For details, see Configuring Helper Appliances.

Microsoft Azure

TCP

443

Default management and data transport port required for communication with Microsoft Azure.

Azure Windows VM agent distribution server

TCP

443

Used by Veeam Backup & Replication to install the Azure Windows VM agent on the restored VM through the following URLs:

  • go.microsoft.com
  • aka.ms (additional components required for the Azure Windows VM agent installation)
  • github.com (additional components required for the Azure Windows VM agent installation)
  • objects.githubusercontent.com (additional components required for the Azure Windows VM agent installation)

Consider that these URLs are subject to change. For more information, see this Microsoft article.

Azure Stack Hub

TCP

443, 30024

Default management and data transport port required for communication with Azure Stack Hub.

Backup server or backup repository

Azure restore proxy appliance (former Azure proxy)

TCP

443

Default management and data transport port required for communication with the Azure restore proxy appliance. The port must be opened on the backup server and backup repository storing VM backups.

Can be changed in the settings of the Azure restore proxy appliance. For details, see Specify Credentials and Transport Port.

Veeam Backup Enterprise Manager

Veeam Backup Enterprise Manager Connections

 

Veeam Explorers

Veeam Cloud Connect

Veeam Cloud Connect Connections

Veeam Agents

Veeam Agent for Microsoft Windows

Veeam Agent for Linux

Veeam Agent for Mac

Veeam Plug-ins for Enterprise Applications

Veeam Plug-ins for Cloud Solutions

Kasten K10

Veeam Plug-ins for Kasten K10

Other Connections

NDMP Servers

The following table describes network ports that must be opened to ensure proper communication with NDMP servers.

From

To

Protocol

Port

Notes

Gateway server

NDMP server

NDMP

10000

Port used for data transfer between the components.

Mail Servers

The following table describes network ports that must be opened to ensure proper communication of the backup server with mail servers.

From

To

Protocol

Port

Notes

Backup server

SMTP server

TCP

25

Used by the SMTP server.

TCP

587

Used by the SMTP server if SSL is enabled.

Gmail REST API (gmail.googleapis.com)

TCP

443

Used to communicate with Google Mail services.

Microsoft Graph REST API (graph.microsoft.com, login.microsoftonline.com)

TCP

443

Used to communicate with Microsoft Exchange Online organizations.

Event Forwarding Components

The following table describes network ports that must be opened to ensure proper communication with event forwarding components.

From

To

Protocol

Port

Notes

Backup server

Syslog server

TCP
UDP

514

Default port used to communicate with the syslog server.

TLS

6514

Default port used to communicate with the syslog server over TLS.

Internet Connections

If you use an HTTP/HTTPS proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.

Note

Tenants cannot access Veeam Cloud Connect infrastructure components through HTTP/HTTPS proxy servers. For information on supported protocols for Veeam Cloud Connect, see the Ports section in the Veeam Cloud Connect Guide.

Page updated 5/17/2024

Page content applies to build 12.1.2.172