Ports
The following diagram and table describe ports that must be open to ensure that Veeam Service Provider Console components and machines interacting with these components can exchange data.
From | To | Protocol | Port | Description |
---|---|---|---|---|
Veeam Service Provider Console Web UI | Veeam Service Provider Console Server | TCP, UDP | 1989 | Default port that the Veeam Service Provider Console Web UI component uses to communicate with the Server component. |
Management agent | Cloud gateway | TCP, UDP | 6180 | Default port on a cloud gateway used to transfer traffic from management agents, deployed in a client infrastructure, to cloud gateways. |
Certificate Revocation Lists | TCP | 80 or 443 (most popular) | Tenant backup server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP. Generally, information about CRL locations can be found on the CA website. | |
Windows Automatic Root Certificates Update component | TCP | 443 | Port used by the Automatic Root Certificates Update component for communication with the Windows Update endpoint. Applicable to Microsoft Windows 10 and later, Microsoft Windows Server 2016 and later. For details, see https://docs.microsoft.com/en-us/windows/privacy/manage-windows-endpoints#certificates. | |
Cloud gateway | Veeam Cloud Connect server | TCP | 2500-5000 | Port range used during transfer of the management agent from the Veeam Cloud Connect server to a tenant’s backup server. The management agent transfer is performed when a Veeam Backup & Replication server is connected to Veeam Service Provider Console. |
Cloud gateway | Veeam Service Provider Console Server | TCP, UDP | 9999 | Default port used to transfer traffic from cloud gateways and Veeam Cloud Connect server to Veeam Service Provider Console Server component. Note: If you deploy Veeam Service Provider Console server and Veeam Cloud Connect server in different networks, we recommend to set up a VPN bridge between these networks. Exposing Veeam Service Provider Console server and Veeam Cloud Connect server ports to the internet is not recommended. |
Veeam Cloud Connect server | ||||
Web browser | Veeam Service Provider Console Web UI | TCP, UDP | 1280 | Default port used to transfer traffic between Veeam Service Provider Console Web UI component and a web browser. |
Client application | Veeam Service Provider Console Web UI | TCP, UDP | 1281 | Default port used to exchange RESTful API requests and responses between Veeam Service Provider Console Web UI component and a client application. |
Veeam Service Provider Console Server | Veeam License Update Server | TCP | 443 | Default port used to update a license and send license usage statistics to the Veeam License Update Server. Port 443 must be open on the Veeam Service Provider Console Server to allow incoming and outgoing traffic. |
Veeam Installation Server | TCP | 443 | Default port used to download Veeam Agent for Microsoft Windows setup file from the Veeam Installation Server. Port 443 must be open on the machine that runs the Veeam Service Provider Console Server. | |
Certificate Revocation Lists | TCP | 80 or 443 (most popular) | Veeam Service Provider Console server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP. Generally, information about CRL locations can be found on the CA website. Certificate validation is required when Veeam Service Provider Console server connects to Veeam Installation Server (autolk.veeam.com, vac.butler.veeam.com) to check for new product versions. | |
Veeam Cloud Connect server | TCP, UDP | 135, 445, 49152 to 65535 | Ports required for Remote Scheduled Tasks Management (RPC). For details, see https://support.microsoft.com/kb/929851/en-us. Note: If you deploy Veeam Service Provider Console server and Veeam Cloud Connect server in different networks, we recommend to set up a VPN bridge between these networks. Exposing Veeam Service Provider Console server and Veeam Cloud Connect server ports to the internet is not recommended. | |
Microsoft SQL Server | TCP | 1433 | Port used for communication with the Microsoft SQL Server on which the Veeam Service Provider Console database is deployed. You may need to open additional ports depending on your configuration. For details, see https://msdn.microsoft.com/en-us/library/cc646023(v=sql.120).aspx#BKMK_ssde. | |
ConnectWise Manage Plugin | TCP | 9996 | Port used for communication with ConnectWise Manage plugin. | |
SMTP server | TCP | 25 | Default port used by the SMTP server to send email notifications. Port 25 is most commonly used but the actual port number depends on configuration of your environment. | |
Master management agent | Veeam Installation Server | TCP | 443 | Default port used to download Veeam Agent for Microsoft Windows setup file from the Veeam Installation Server. Port 443 must be open on the machine that runs the master management agent. |
Veeam Backup Agent computer | TCP | 445 | Port required for remote network discovery of computers in the client infrastructure. | |
TCP, UDP | 135, 1025 to 5000 (for Microsoft Windows 2003), 49152 to 65535 (for Microsoft Windows 2008 and newer) | Ports required for Remote Scheduled Tasks Management (RPC). For details, see https://support.microsoft.com/kb/929851/en-us. | ||
TCP, UDP | 9999 | Port used to transfer settings required for Veeam Backup Agent computer to connect to Veeam Service Provider Console. | ||
Remote Access Console (SP LAN) | Veeam Cloud Connect server | TCP | 8191 | Port used for communication with the Veeam Cloud Connect Service and Veeam Cloud Connect-side network redirector(s). |
TCP | 9392 | Port used for communication with the Veeam Backup Service. | ||
TCP | 10003 | Port used for communication with the Veeam Backup Service. | ||
Remote Access Console (Internet) | Cloud gateway | TCP | 6180 | Default port used for communication with the Veeam Cloud Connect Service and Veeam Cloud Connect-side network redirector(s). |
Certificate Revocation Lists | TCP | 80 or 443 (most popular) | Remote Access Console needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the Veeam Cloud Connect provider. Generally, information about CRL locations can be found on the CA website. |