Ports

The following diagram and table describe ports that must be open to ensure that Veeam Service Provider Console components and machines interacting with these components can exchange data.

Ports

From

To

Protocol

Port

Description

Veeam Service Provider Console Web UI

Veeam Service Provider Console Server

TCP

1989

Default port that the Veeam Service Provider Console Web UI component uses to communicate with the Server component.

ConnectWise Manage plugin

TCP

9996

Port used for communication with ConnectWise Manage plugin.

File-level restore server

TCP

9999

Default port that the file-level restore plugin Web UI component uses to communicate with the server component.

Management agent

Cloud gateway

TCP

6180

Default port on a cloud gateway used to transfer traffic from management agents, deployed in a client infrastructure, to cloud gateways.

Veeam Service Provider Console Server

TCP

9999

Default port used to transfer traffic from management agents, deployed in a service provider infrastructure, to Veeam Service Provider Console.

Certificate Revocation Lists

TCP

80 or 443 (most popular)

Tenant backup server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP.

Generally, information about CRL locations can be found on the CA website.

Windows Automatic Root Certificates Update component

TCP

443

Port used by the Automatic Root Certificates Update component for communication with the Windows Update endpoint.

Applicable to Microsoft Windows 10 and later, Microsoft Windows Server 2016 and later.

For details, see Microsoft Docs.

Veeam Cloud Connect server

Cloud gateway

TCP

2500-5000

Port range used during transfer of the management agent from the Veeam Cloud Connect server to a tenant’s or service provider's backup server.

The management agent transfer is performed when a Veeam Backup & Replication, Veeam ONE or Veeam Backup for Microsoft 365 server is connected to Veeam Service Provider Console.

Cloud gateway

Veeam Cloud Connect server

TCP

6169

Default port on the Veeam Cloud Connect server used to listen to cloud commands from a tenant's or service provider's backup server.

Cloud gateway

Veeam Service Provider Console Server

TCP

9999

Default port used to transfer traffic from cloud gateways and Veeam Cloud Connect server to Veeam Service Provider Console Server component.

Note: If you deploy Veeam Service Provider Console server and Veeam Cloud Connect server in different networks, we recommend to set up a VPN bridge between these networks. Exposing Veeam Service Provider Console server and Veeam Cloud Connect server ports to the internet is not recommended.

Veeam Cloud Connect server

Web browser

Veeam Service Provider Console Web UI

TCP

1280

Default port used to transfer traffic between Veeam Service Provider Console Web UI component, including REST API, and a web browser.

Veeam Service Provider Console Server

Veeam License Update Server
(autolk.veeam.com, vac.butler.veeam.com)

TCP

443

Default port used to update a license and send license usage statistics to the Veeam License Update Server. Port 443 must be open on the Veeam Service Provider Console Server to allow incoming and outgoing traffic.

Veeam Installation Server
(vac.butler.veeam.com, download.veeam.com, download2.veeam.com)

TCP

443

Default port used to check version availability and download Veeam backup agent setup files from the Veeam Installation Server. Port 443 must be open on the machine that runs the Veeam Service Provider Console Server.

Certificate Revocation Lists

TCP

80 or 443 (most popular)

Veeam Service Provider Console server needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the SP.

Generally, information about CRL locations can be found on the CA website.

Certificate validation is required when Veeam Service Provider Console server connects to Veeam Installation Server (autolk.veeam.com, vac.butler.veeam.com, download.veeam.com, download2.veeam.com) and VCSP Pulse plugin (propartner.veeam.com, openapi.veeam.com) to check for new product versions and license update.

HTTP

Certificate verification endpoints:

  • *.ss2.us
  • *.amazontrust.com

VCSP Pulse plugin (propartner.veeam.com, openapi.veeam.com)

TCP

443

Port used for communication with VCSP Pulse.

Amazon S3 object storage

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.amazontrust.com

Amazon S3 object storage

TCP

80

Used to verify the certificate status.

Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. The actual list of addresses can be found in the certificate itself.

HTTP

Certificate verification endpoints:

  • *.amazontrust.com

Veeam Cloud Connect server

TCP

135, 445, 49152 to 65535

Ports required for Remote Scheduled Tasks Management (RPC). For details, see Microsoft Docs.

Note: If you deploy Veeam Service Provider Console server and Veeam Cloud Connect, Veeam ONE or Veeam Backup for Microsoft 365 server in different networks, we recommend to set up a VPN bridge between these networks. Exposing Veeam Service Provider Console server and Veeam Cloud Connect, Veeam ONE or Veeam Backup for Microsoft 365 server ports to the internet is not recommended.

Veeam Backup for Microsoft 365 server

Veeam ONE server

Microsoft SQL Server

TCP

1433

Port used for communication with the Microsoft SQL Server on which the Veeam Service Provider Console database is deployed.

You may need to open additional ports depending on your configuration. For details, see Microsoft Docs.

SMTP server

TCP

25

Default port used by the SMTP server to send email notifications.

Port 25 is most commonly used but the actual port number depends on configuration of your environment.

NTP server

TCP

123

Port used to synchronize time between Veeam Service Provider Console server and NIST Internet Time Servers. The port is required if you configure multi-factor authentication to access Veeam Service Provider Console.

Management agent on Veeam Cloud Connect

Veeam Backup for Public Clouds appliance

TCP

443

Port used for communication with Veeam Backup for Public Clouds appliance.

Master management agent

Veeam Installation Server
(vac.butler.veeam.com, download.veeam.com, download2.veeam.com)

TCP

443

Default port used to download Veeam Agent for Microsoft Windows setup file from the Veeam Installation Server. Port 443 must be open on the machine that runs the master management agent.

Veeam Backup Agent computer (Windows)

TCP

445

Port required for remote network discovery of computers in the client infrastructure.

TCP

135, 1025 to 5000 (for Microsoft Windows 2003), 49152 to 65535 (for Microsoft Windows 2008 and newer)

Ports required for Remote Scheduled Tasks Management (RPC). For details, see Microsoft Docs.

TCP

9999

Port used to transfer settings required for Veeam Backup Agent computer to connect to Veeam Service Provider Console.

Veeam Backup Agent computer (Linux)

TCP

22

Port required to establish SSH connection and remote network discovery of computers in the client infrastructure.

Remote Access Console

(SP LAN)

Veeam Cloud Connect server

TCP

8191

Port used for communication with the Veeam Cloud Connect Service and Veeam Cloud Connect-side network redirector(s).

TCP

9392

Port used for communication with the Veeam Backup Service.

TCP

10003

Port used for communication with the Veeam Backup Service.

Remote Access Console

(Internet)

Cloud gateway

TCP

6180

Default port used for communication with the Veeam Cloud Connect Service and Veeam Cloud Connect-side network redirector(s).

Certificate Revocation Lists

TCP

80 or 443 (most popular)

Remote Access Console needs access to CRLs (Certificate Revocation Lists) of the CA (Certification Authority) who issued a certificate to the Veeam Cloud Connect provider.

Generally, information about CRL locations can be found on the CA website.

Page updated 10/23/2024

Page content applies to build 8.1.0.21999