Ports
To ensure proper communication of components in the Veeam Backup for Microsoft 365 infrastructure within the AWS environment, you must configure inbound rules for security groups associated with Veeam Backup for Microsoft 365 infrastructure components. A security group for the EC2 instance is created during the product installation. For more information, see Deploying Veeam Backup for Microsoft 365 from AWS Marketplace.
To learn how to add rules to security groups, see AWS Documentation.
Note |
In a simple Veeam Backup for Microsoft 365 installation, all product components — Veeam Backup for Microsoft 365 server, backup proxy server, Veeam Explorers and REST API with Restore Portal — run on the same machine. |
The following table describes network ports that must be open to ensure proper communication of components in the Veeam Backup for Microsoft 365 infrastructure.
From | To | Protocol | Port | Description |
|---|---|---|---|---|
Management workstation | Veeam Backup for Microsoft 365 EC2 instance | TCP, UDP | 3389 | Required to access the Veeam Backup for Microsoft 365 user interface by using the Remote Desktop client from a management workstation. |
Veeam Backup for Microsoft 365 server | Microsoft Exchange Online | TCP | 443 | Required to connect to Microsoft Exchange Online organizations. The endpoints are: outlook.office365.com and autodiscover-s.outlook.com. |
Microsoft SharePoint Online | TCP | 443 | Required to connect to Microsoft SharePoint Online organizations. The endpoints are: <tenant>.sharepoint.com, <tenant>-my.sharepoint.com and <tenant>-admin.sharepoint.com. | |
On-premises Microsoft SharePoint server | HTTP (HTTPS) | 5985 (5986 — used by default) | Required to connect to on-premises Microsoft SharePoint organizations through the WinRM port. | |
On-premises Microsoft Exchange server | TCP | 80 or 443 | Required to connect to on-premises Microsoft Exchange organizations. | |
Backup proxy server | TCP | 9193 (used by default) | Required to manage inbound/outbound traffic when interacting with the Veeam Backup for Microsoft 365 server. Make sure to open this port on a backup proxy server. | |
TCP | 445 | This port is used to:
| ||
Veeam auto-update server | HTTPS | 443 | Required to access the auto-update server and licensing server. For more information, see the Updating Veeam Backup for Microsoft 365 and Installing and Updating License sections of the Veeam Backup for Microsoft 365 User Guide. The endpoints are: https://vbo.butler.veeam.com and download2.veeam.com. | |
S3 Compatible object storage / IBM Cloud / Wasabi Cloud object storage | TCP | 443 | Required to work with any of object storage. The endpoint is <account>.blob.core.windows.net. | |
Amazon S3 object storage | ||||
Azure Blob Storage | ||||
Microsoft 365 | TCP | 443 | Required to connect to Microsoft 365. The endpoints are: graph.microsoft.com, graph.windows.net and login.microsoftonline.com. | |
SMTP server | TCP | 25 or 465 or 587 | Required to send email notifications using an SMTP server. The endpoint is smtp.office365.com. | |
Veeam Backup for Microsoft 365 components | Veeam Backup for Microsoft 365 server | TCP | 9191 | Required to manage inbound/outbound traffic when interacting with the following components:
Make sure to open port on the Veeam Backup for Microsoft 365 server. |
Veeam Explorer for Microsoft Exchange | Veeam Backup for Microsoft 365 server | TCP | 9194 | Required to manage inbound/outbound traffic when interacting with Veeam Explorer for Microsoft Exchange. Make sure to open this port on the Veeam Backup for Microsoft 365 server. |
Microsoft Exchange Online | TCP | 443 | Required to restore Microsoft Exchange data. | |
SMTP server | TCP | 25 or 465 or 587 | Required to send email notifications using an SMTP server. The endpoint is smtp.office365.com. | |
Veeam Explorer for Microsoft SharePoint (including Veeam Explorer for Microsoft OneDrive for Business) | Veeam Backup for Microsoft 365 server | TCP | 9194 | Required to manage inbound/outbound traffic when interacting with Veeam Explorer for Microsoft SharePoint. Make sure to open this port on the Veeam Backup for Microsoft 365 server. |
Microsoft SharePoint Online | TCP | 443 | Required to restore Microsoft SharePoint data. | |
SMTP server | TCP | 25 or 465 or 587 | Required to send email notifications using an SMTP server. The endpoint is smtp.office365.com. | |
Veeam Explorer for Microsoft Teams | Veeam Backup for Microsoft 365 server | TCP | 9194 | Required to manage inbound/outbound traffic when interacting with Veeam Explorer for Microsoft Teams. Make sure to open this port on the Veeam Backup for Microsoft 365 server. |
Microsoft Teams Online | TCP | 443 | Required to restore Microsoft Teams data. The endpoint is developer.microsoft.com. | |
SMTP server | TCP | 25 or 465 or 587 | Required to send email notifications using an SMTP server. The endpoint is smtp.office365.com. | |
Backup proxy server | Veeam Backup for Microsoft 365 server | TCP | 9191 | Required to manage inbound/outbound traffic when interacting with backup proxy servers. Make sure to open this port on the Veeam Backup for Microsoft 365 server. You can also change this port. For more information, see the Editing Backup Proxy Server Settings section of the Veeam Backup for Microsoft 365 User Guide. |
Microsoft Exchange Online | TCP | 443 | Required to connect to Microsoft Exchange Online through EWS (Exchange Web Services). The endpoints are: outlook.office365.com and autodiscover-s.outlook.com. | |
Microsoft SharePoint Online | TCP | 443 | Required to connect to Microsoft SharePoint Online organizations. The endpoints are: <tenant>.sharepoint.com, <tenant>-my.sharepoint.com and <tenant>-admin.sharepoint.com. | |
On-premises Microsoft SharePoint server | HTTP (HTTPS) | 5985 (5986) | Required to connect to on-premises Microsoft SharePoint organizations through the WinRM port. | |
On-premises Microsoft Exchange server | TCP | 80 or 443 | Required to connect to on-premises Microsoft Exchange organizations. | |
S3 Compatible object storage / IBM Cloud / Wasabi Cloud object storage | TCP | 443 | Required to work with any of object storage. The endpoint is <account>.blob.core.windows.net. | |
Amazon S3 object storage | ||||
Azure Blob Storage | ||||
Microsoft 365 | TCP | 443 | Required to connect to Microsoft 365. The endpoints are: graph.microsoft.com, graph.windows.net and login.microsoftonline.com. | |
SMTP server | TCP | 25 or 465 or 587 | Required to send email notifications using an SMTP server. The endpoint is smtp.office365.com. | |
Web browser | Veeam Backup for Microsoft 365 REST API | HTTPS | 4443 (used by default) | Required to connect to Restore Portal. You can also use different port. |
Host machine with REST API | Veeam Backup for Microsoft 365 server | TCP | 9194 | Required for Restore Portal to work. |
Microsoft 365 | TCP | 443 | Required for user login to Restore Portal. The endpoint is login.microsoftonline.com (depends on a Microsoft Azure region). |
