Ports
On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports on Windows-based machines. If you are using a third-party firewall, these rules must be created manually. These rules allow components to communicate with each other. You can find the full list of the ports in this section.
Important |
Some Linux distributions also require firewall and security rules to be created manually. For details, see this Veeam KB article. |
If you use an HTTP/HTTPS proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.
The following tables describe network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components:
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Management client PC (remote access) | Backup server | TCP | 22 | Default port used to connect to the Linux backup server through SSH. |
TCP | 443 | Default ports used to connect to the Web UI console. | ||
Remote Veeam Backup & Replication console | TCP | 443 | Used to communicate with the backup server. | |
Backup proxy | TCP | 2500 to 3300 | Default range of ports used for malware detection metadata transfer. | |
Backup repository (Linux) | TCP | 2500 to 3300 | Default range of ports used as transmission channels for copy backup operations if the backup server is used as the target backup repository. These ports are also required for file copy operations between the Linux backup repository and the backup server. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
Tape server | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
Mount server | TCP | 9401 | Used for communication with the Veeam Backup Service. Also required to perform Copy to and Mount to console operations during Windows file-level recovery. | |
REST client | TCP | 9419 | Default port for communication with REST API service. | |
Management client PC (remote access) | TCP | 10443 | Default port used to connect to the Host Management console. | |
CDP components | TCP | 33034 | [CDP only] Port used by the following CDP components to communicate with Veeam CDP Coordinator Service:
For more information, see Continuous Data Protection (CDP) for VMware vSphere. | |
ESXi host | TCP | 33035 | [CDP only] Port used to install I/O filter components on the source and target ESXi hosts. For more information, see Continuous Data Protection (CDP) for VMware vSphere. | |
vCenter Server | TCP | 33035 | [CDP only] Port used to install I/O filter components on the source and target vCenter servers. For more information, see Continuous Data Protection (CDP) for VMware vSphere. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Communication with Virtualization Servers | ||||
Backup server | vCenter Server | TCP | 443 | Used for connections to vCenter Server. Note: The backup server should have a direct connection to vCenter Server. HTTP/HTTPS proxy servers are not supported. If you use VMware Cloud Director, make sure you open port 443 on underlying vCenter Servers. |
ESXi server | TCP | 443 | Used for connections to ESXi host. This port is not required for VMware Cloud on AWS. | |
TCP | 902 | Used for data transfer to ESXi host. It is also used during guest OS file recovery if you recover files from replicas. This port is not required for VMware Cloud on AWS. | ||
VMware Cloud Director | TCP | 443 | Used for connections to VMware Cloud Director. Note: The backup server should have a direct connection to VMware Cloud Director. HTTP/HTTPS proxy servers are not supported. | |
SCVMM | TCP | 8100 | Used to communicate with the VMM server through WCF. | |
TCP | 8732 | Used to communicate with the VMM server. | ||
Microsoft Hyper-V server | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. | |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 6163 | Default port used to communicate with Veeam Hyper-V Integration Service. | ||
TCP | 2500 to 3300 | Default range of ports used as transmission channels for jobs and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Communication with Mail Servers | ||||
Backup server | SMTP server | TCP | 25 | Used by the SMTP server. |
TCP | 587 | Used by the SMTP server if SSL is enabled. | ||
Gmail REST API (gmail.googleapis.com) | TCP | 443 | Used to communicate with Google Mail services. | |
Microsoft Graph REST API (graph.microsoft.com, login.microsoftonline.com) | TCP | 443 | Used to communicate with Microsoft Exchange Online organizations. | |
Other Communications | ||||
Backup server | Veeam Updater | TCP | 443 | Used by Veeam Backup & Replication components deployed from Veeam Software Appliance. Required to download operating system, Veeam product and security updates. Veeam Updater endpoints:
|
Veeam License Update Server | TCP | 443 | Default port used to automatically update license from the Veeam License Update Server over HTTPS. Veeam Threat Hunter and Veeam Data Cloud Vault also require this communication to work properly. Veeam License Update Server endpoints:
| |
80 | Required for certificate validation when Veeam Backup & Replication connects to Veeam License Update Server to check if the new license is available and download it. Certificate verification endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
| |||
Certificate Revocation Lists | TCP | 80 or 443 | Veeam Backup & Replication requires access to the Certificate Revocation Lists (CRL) of the Certificate Authority (CA) that issued the certificate for each backup infrastructure component. Note: The specific CRL endpoint that must be connected to depends on the CA that issued the certificate. You can find the actual list of addresses in the certificate details in the following fields:
| |
DNS server with forward/reverse name resolution of all backup servers | UDP | 53 | Port used for communication with the DNS server. | |
KMS server | TCP | 5696 | Default port used for communication with the Key Management System server. | |
Syslog server | TCP, UDP | 514 | Default port used to communicate with the syslog server. | |
TLS | 6514 | Default port used to communicate with the syslog server over TLS. | ||
Veeam ONE Server | TCP | 2741 | Default port used for communication with Veeam ONE internal Web API. Required for the Analytics view. For more information, see Configuring Analytics View. | |
Veeam ONE Web Services | TCP | 1239 | Default port used by Veeam ONE Web Services. Required for the Analytics view. For more information, see Configuring Analytics View. | |
Microsoft SMB3 server | TCP | 6160 | Default port used by Veeam Installer Service. | |
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 6163 | Default port used by the Hyper-V Integration Service. | ||
Backup server | TCP | 6172 (local) | Port used to provide REST access to the Veeam Backup & Replication database. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
Backup server | TCP | 9501 (local) | Port used locally on the backup server for communication between Veeam Broker Service and Veeam services and components. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
Backup server | TCP | 9509 (local) | Port used locally on the backup server for communication between Veeam Backup Service and Veeam CDP Coordinator Service. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
Backup server | TCP | 9393 (local) | Default port used by the Veeam Guest Catalog service for catalog replication. Can be customized during Veeam Backup & Replication installation. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Veeam Backup & Replication console | Mount server | TCP | 2500 to 3300 | [Remote console only] Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. This port is used if the mount server is not located on the console. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Veeam AI Assistant (rest-ai.veeam.com) | TCP | 443 | Default port for communication with the Veeam AI Assistant service. | |
Nutanix AHV Plug-in for Veeam Backup & Replication | TCP | 8543 | Port used by the Veeam Backup & Replication console to communicate with Nutanix AHV Plug-in for Veeam Backup & Replication. This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. | |
Proxmox Virtual Environment Plug-in for Veeam Backup & Replication | TCP | 8545 | Port used by the Veeam Backup & Replication console to communicate with Proxmox Virtual Environment Plug-in for Veeam Backup & Replication. This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. | |
AWS Plug-in for Veeam Backup & Replication | TCP | 9402 | Port used by the Veeam Backup & Replication console to communicate with AWS Plug-in for Veeam Backup & Replication. This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. | |
Google Cloud Plug-in for Veeam Backup & Replication | TCP | 9403 | Port used by the Veeam Backup & Replication console to communicate with Google Cloud Plug-in for Veeam Backup & Replication. This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. | |
Kasten Plug-in for Veeam Backup & Replication | TCP | 9404 | Port used by the Veeam Backup & Replication console to communicate with Kasten Plug-in for Veeam Backup & Replication. This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. | |
Microsoft Azure Plug-in for Veeam Backup & Replication | TCP | 20443 | Port used by the Veeam Backup & Replication console to communicate with Microsoft Azure Plug-in for Veeam Backup & Replication. This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. |
The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components. For more information about ports that must be opened between the backup proxy and specific backup repository, see Backup Repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Communication with Backup Server | ||||
Backup server | Backup proxy (Microsoft Windows) | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Backup proxy (Linux) | TCP | 22 | Default SSH port used as a control channel. | |
TCP | 6160 | Default port used by Veeam Installer Service for Linux. | ||
TCP | 6162 | Default port used by Veeam Transport Service. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Transport Service components on this Linux server. For more information, see Specify Credentials and SSH Settings. | ||
TCP | 443 | Used by backup proxies deployed from the JeOS ISO. Required to download operating system, Veeam product and security updates through Veeam Updater. | ||
TCP | 10443 | Used by backup proxies deployed from the JeOS ISO. Required to connect to the Host Management console. | ||
Backup proxy | TCP | 2500 to 3300 | Default range of ports used as data transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
TCP | 6210 | Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup. | ||
Communication with Virtualization Servers | ||||
Backup proxy | vCenter Server | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. |
ESXi server | TCP | 902 | Default VMware port used for data transfer. This port is not required for VMware Cloud on AWS. | |
TCP | 443 | Default VMware web service port that can be customized in ESXi host settings. Not required if vCenter connection is used. This port is not required for VMware Cloud on AWS. | ||
Other Communications | ||||
Backup proxy | Gateway server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
The following table describes network ports that must be opened to ensure proper communication of off-host backup proxies with other backup components. For more information about ports that must be opened between the off-host backup proxy and specific backup repository, see Backup Repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Communication with Backup Server | ||||
Backup server | Hyper-V server/Off-host backup proxy | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 6163 | Default port used by the Hyper-V Integration Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Off-host file proxy
| TCP | 6210 | Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup. | |
Other Communications | ||||
Hyper-V server/Off-host backup proxy | Gateway server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Hyper-V server | TCP | 2500 to 3300 | Default range of ports used as transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
Microsoft SMB3 server | Hyper-V server/Off-host backup proxy | TCP | 2500 to 3300 | Ports used to retrieve CBT information from a Microsoft SMB3 server managing shares that host VM disks. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports that must be opened to ensure proper communication with gateway servers. For more information about ports that must be opened between the gateway server and specific backup repository, see Backup Repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Gateway server (Microsoft Windows) | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
Gateway server (Linux) | TCP | 22 | Default SSH port used as a control channel. | |
TCP | 6160 | Default port used by Veeam Installer Service for Linux. | ||
TCP | 6162 | Default port used by Veeam Transport Service. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Transport Service components on this Linux server. For more information, see Specify Credentials and SSH Settings. | ||
Gateway server | TCP | 2500 to 3300 | Default range of ports used as transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | |
Backup proxy or Hyper-V server/Off-host backup proxy | Gateway server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
- Dell Data Domain System
- ExaGrid
- HPE StoreOnce
- Quantum DXi
- Fujitsu ETERNUS CS800
- Infinidat InfiniGuard
- Veeam Data Cloud Vault
- Object Storage Repository
- External Repository
- Archive Object Storage Repository
Microsoft Windows/Linux-Based Backup Repository
The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows/Linux-based backup repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Backup repository (Microsoft Windows) | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Backup repository (Linux) | TCP | 22 | Default SSH port used as a control channel. | |
TCP | 6160 | Default port used by Veeam Installer Service for Linux. | ||
TCP | 6162 | Default port used by Veeam Transport Service. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Transport Service components on this Linux server. For more information, see Specify Credentials and SSH Settings. | ||
TCP | 2500 to 3300 | Default range of ports used as transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 443 | Used by backup repositories deployed from the JeOS ISO. Required to download operating system, Veeam product and security updates through Veeam Updater. | ||
TCP | 10443 | Used by backup proxies deployed from the JeOS ISO. Required to connect to the Host Management console. | ||
Backup proxy or Hyper-V server/Off-host backup proxy | Backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Source backup repository | Target backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels for backup copy jobs and copy backup operations. For every TCP connection that a job uses, one port from this range is assigned. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are opened. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports that must be opened to ensure proper communication with NFS shares added as backup repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server or backup proxy | NFS backup repository | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. Also used as a transmission channel from the gateway server to the target NFS backup repository if a gateway server is specified explicitly in NFS backup repository settings. |
Gateway server or backup proxy | NFS backup repository | TCP, UDP | mountd_port | Dynamic port used for mountd service. Can be assigned statically. |
TCP, UDP | statd_port | Dynamic port used for statd service. Can be assigned statically. | ||
TCP, UDP | lockd_port | Dynamic port used for lockd service. Can be assigned statically. |
The following table describes network ports that must be opened to ensure proper communication with SMB (CIFS) shares added as backup repositories.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server or backup proxy | SMB (CIFS) backup repository (Microsoft Windows) | TCP | 445 | Used as a transmission channel from the gateway server to the target SMB (CIFS) backup repository if a gateway server is specified explicitly in SMB (CIFS) backup repository settings. |
For more information, see Dell Documents.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server or gateway server | Dell Data Domain | TCP | 111 | Port used to assign a random port for the mountd service used by NFS and DDBOOST. Mountd service port can be statically assigned. |
TCP | 2049 | Main port used by NFS. Can be modified using the ‘nfs set server-port’ command. Command requires SE mode. | ||
TCP | 2052 | Main port used by NFS MOUNTD. Can be modified using the 'nfs set mountd-port' command in SE mode. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | ExaGrid | TCP | 22 | Default command port used for communication with ExaGrid. |
Backup proxy | ExaGrid | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server or gateway server | HPE StoreOnce | TCP | 9387 | Default command port used for communication with HPE StoreOnce. |
TCP | 9388 | Default data port used for communication with HPE StoreOnce. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Quantum DXi | TCP | 22 | Default command port used for communication with Quantum DXi. |
Backup proxy | Quantum DXi | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Fujitsu ETERNUS CS800 | TCP | 22 | Default command port used for communication with Fujitsu ETERNUS CS800. |
Backup proxy | Fujitsu ETERNUS CS800 | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Infinidat InfiniGuard | TCP | 22 | Default command port used for communication with Infinidat InfiniGuard. |
Backup proxy | Infinidat InfiniGuard | TCP | 2500 to 3300 | Default range of ports used for communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports and endpoints that must be opened to ensure proper communication with Veeam Data Cloud Vault. Note that a connection between the backup server and Veeam License Update Server is also required. For more information, see Backup Server.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Veeam Data Cloud Vault | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with the location name of your storage account. You can find the location name in the Cloud Management > Vault Subscriptions section of your Veeam Data Cloud account. |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
For more details, see also this Microsoft article. | |||
Backup proxy (direct connection)/Gateway server/Instant Recovery to Azure helper appliance | Veeam Data Cloud Vault | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with the location name of your storage account. You can find the location name in the Cloud Management > Vault Subscriptions section of your Veeam Data Cloud account. |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
For more details, see also this Microsoft article. | |||
Gateway server | Backup proxy (direct connection)/Gateway server or backup server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories. For more information, see Object Storage Repository.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server | Backup proxy (direct connection)/Gateway server or backup server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup proxy (direct connection)/Gateway server or backup server/Instant Recovery to Azure helper appliance | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints:
All AWS service endpoints are specified in the AWS documentation. |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
| |||
Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
For more details, see also this Microsoft article. | |||
| ||||
Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage through the following endpoints:
All cloud endpoints are specified in this Google article. | |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
| |||
IBM Cloud object storage | TCP | Depends on device configuration | Used to communicate with IBM Cloud object storage. | |
S3 compatible object storage | TCP | Depends on device configuration | Used to communicate with S3 compatible object storage. |
The following table describes network ports and endpoints that must be opened to ensure proper communication with external repositories. For more information, see External Repository.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server | Backup proxy (direct connection)/Gateway server or backup server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Gateway server/backup server/Instant Recovery to Azure helper appliance | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints:
All AWS service endpoints are specified in the AWS documentation. |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
| |||
Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
For more details, see also this Microsoft article. | |||
Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage through the following endpoints:
All cloud endpoints are specified in this Google article. | |
80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
|
Archive Object Storage Repository
The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories used as a part of Archive Tier. For more information, see Archive Tier.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server or backup server | Amazon EC2 helper appliance | TCP | 443 | Used by default to communicate with the Amazon EC2 helper appliance through public/private IPv4 addresses of EC2 appliances. If you use Amazon S3 Glacier object storage, the gateway server should have direct connection to AWS service endpoints. HTTP/HTTPS proxy servers are not supported. If there is no gateway server selected, the backup server will be used as a gateway server. |
TCP | 22 | Default SSH port used as a control channel. | ||
Microsoft Azure proxy appliance | TCP | 443 | Used by default to communicate with the Microsoft Azure helper appliance through public/private IPv4 addresses of Azure appliances. If there is no gateway server selected, the backup server will be used as a gateway server. | |
TCP | 22 | Default SSH port used as a control channel. | ||
Amazon EC2 helper appliance | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints:
All AWS service endpoints are specified in the AWS documentation |
TCP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
| ||
Microsoft Azure proxy appliance | Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. |
TCP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
For more details, see also this Microsoft article. |
- HPE 3PAR StoreServ Storage
- HPE Alletra MP, Alletra 9000, Primera Storage
- HPE Alletra 5000, Alletra 6000, Nimble Storage
- Lenovo ThinkSystem DM/DG Series Storage
- NetApp ONTAP Storage
- Nutanix Files Storage
- Universal Storage API Integrated System
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Dell Unity XT/Unity storage system | TCP | 443 | Default port used for communication with Dell Unity XT/Unity over HTTPS and sending REST API calls. |
Backup proxy | Dell Unity XT/Unity storage system | TCP | 3260 | Default iSCSI target port. |
TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
Dell PowerScale (Formerly Isilon) Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Dell PowerScale storage system | TCP | 8080 | Default port used for communication with Dell PowerScale over HTTPS and sending REST API calls. |
Backup proxy | Dell PowerScale storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE 3PAR StoreServ storage system | TCP | 8008 | Default port used for communication with HPE 3PAR StoreServ over HTTP. |
TCP | 8080 | Default port used for communication with HPE 3PAR StoreServ over HTTPS. | ||
TCP | 22 | Default command port used for communication with HPE 3PAR StoreServ over SSH. | ||
Backup proxy | HPE 3PAR StoreServ storage system | TCP | 3260 | Default iSCSI target port. |
HPE Alletra MP, Alletra 9000, Primera Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE Alletra MP/Alletra 9000/Primera storage system | TCP | 443 | Default port used for communication with HPE Alletra MP/Alletra 9000/Primera over HTTPS. |
TCP | 22 | Default command port used for communication with HPE Alletra MP/Alletra 9000/Primera over SSH. | ||
Backup proxy | HPE Alletra MP/Alletra 9000/Primera storage system | TCP | 3260 | Default iSCSI target port. |
HPE Alletra 5000, Alletra 6000, Nimble Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | HPE Alletra 5000/Alletra 6000/Nimble storage system | TCP | 5392 | Default command port used for communication with HPE Alletra 5000/Alletra 6000/Nimble. |
Backup proxy | HPE Alletra 5000/Alletra 6000/Nimble storage system | TCP | 3260 | Default iSCSI target port. |
Lenovo ThinkSystem DM/DG Series Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Lenovo ThinkSystem DM/DG Series storage system | TCP | 80 | Default command port used for communication with Lenovo ThinkSystem DM/DG Series over HTTP. |
TCP | 443 | Default command port used for communication with Lenovo ThinkSystem DM/DG Series over HTTPS. | ||
Backup proxy | Lenovo ThinkSystem DM/DG Series storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. | ||
TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | NetApp ONTAP storage system | TCP | 80 | Default command port used for communication with NetApp ONTAP over HTTP. |
TCP | 443 | Default command port used for communication with NetApp ONTAP over HTTPS. | ||
Backup proxy | NetApp ONTAP storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. | ||
TCP | 3260 | Default iSCSI target port. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Nutanix Files storage system | TCP | 9440 | Default port used for communication with Nutanix Files and sending REST API calls. |
Backup proxy | Nutanix Files storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
TCP | 445 | Standard SMB port. |
Universal Storage API Integrated System
The following tables describe network ports that must be opened to ensure proper communication with Universal Storage API integrated systems:
IBM FlashSystem (formerly Spectrum Virtualize) Storage
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | IBM FlashSystem storage system | TCP | 22 | Default command port used for communication with IBM FlashSystem over SSH. |
Backup proxy | IBM FlashSystem storage system | TCP | 3260 | Default iSCSI target port. |
Unstructured Data Backup Components
The following tables describe network ports that must be opened to ensure proper communication between unstructured data backup components.
- File Share Connections
- Cache Repository Connections
- Archive Repository Connections
- NDMP Server Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup proxy | File server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
NAS filer (NetApp Data ONTAP or Lenovo ThinkSystem DM/DG Series storage system) | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. | |
TCP | 445 | Standard SMB port. | ||
TCP | 3260 | Default iSCSI target port. | ||
TCP | 80, 443 | Used by NetApp SnapDiff when changed file tracking (CFT) is enabled. | ||
NAS filer (Dell PowerScale (formerly Isilon) or Nutanix Files storage system) | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. | |
TCP | 445 | Standard SMB port. | ||
Backup proxy or tape server | NFS share | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
SMB share | TCP | 445 | Standard SMB port. | |
Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints:
All AWS service endpoints are specified in the AWS documentation. | |
TCP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
| ||
Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
TCP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields:
For more details, see also this Microsoft article. | ||
S3 compatible object storage | TCP | Depends on device configuration | Used to communicate with S3 compatible object storage. | |
Mount server | SMB share | TCP | 137-139, 445 | Used during Instant File Share Recovery. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup proxy | Cache repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Cache repository | Backup proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Primary or secondary backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels for file share backup restore jobs. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Archive Repository Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Primary backup repository | Archive repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports that must be opened to ensure proper communication with NDMP servers.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Gateway server | NDMP server | NDMP | 10000 | Default port used to manage the NMDP server. Note: The port range used for data transfer depends on your NDMP server configuration. For more information, contact your hardware vendor. |
The following table describes network ports that must be opened to ensure proper communication with tape servers.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Tape server | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 2500 to 3300 | Default range of ports used as data transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 6166 | Controlling port for RPC calls. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Tape server | Backup repository or gateway server | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
NFS share | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. | |
SMB share | TCP | 445 | Standard SMB port. |
The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | WAN accelerator | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 6164 | Controlling port for RPC calls. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
WAN accelerator (target) | Backup repository (target) | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
WAN accelerator (source) | Backup repository (source) | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
WAN accelerator (source and target) | WAN accelerator (source and target) | TCP | 6164 | Controlling port for RPC calls. |
TCP | 6165 | Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed. |
Connections with Non-Persistent Runtime Components
The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. |
Guest interaction proxy | TCP | 6190 | Used for communication with the guest interaction proxy. | |
TCP | 6290 | Used as a control channel for communication with the guest interaction proxy. | ||
TCP | 445 | Port used as a transmission channel. | ||
Guest interaction proxy | ESXi server | TCP | 443 | Default port used for connections to ESXi host. |
Network ports described in the following table are NOT required in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | VM guest OS (Microsoft Windows) | TCP | 445, 135 | Required to deploy the runtime coordination process on the VM guest OS. |
TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Used by the runtime process deployed inside the VM for guest OS interaction. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. | |
TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Connections with Persistent Agent Components
The following table describes network ports that must be opened to ensure proper communication of the backup server with the persistent agent components deployed inside the VM guest OS for application-aware processing and indexing.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | VM guest OS (Linux) | TCP | 6160 | Default port used by Veeam Installer Service for Linux. |
TCP | 6162 | Default Management Agent port. Required if it is used as a control channel instead of SSH. | ||
Guest interaction proxy | VM guest OS | TCP | 6160, 11731 | Default port and failover port used by Veeam Installer Service. |
TCP | 6173, 2500 | Used by the Veeam Guest Helper for guest OS processing and file-level restore. |
The following tables describe network ports that must be opened to ensure proper communication between log shipping components.
- Log Shipping Server Connections
- MS SQL Guest OS Connections
- Oracle Guest OS Connections
- PostgreSQL Guest OS Connections
Log Shipping Server Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Log shipping server | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
TCP | 6160 | Default port used by Veeam Installer Service. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Hyper-V host | Log shipping server (backup server) | TCP | 2500 to 3300 | Range of ports used for communication with the Hyper-V host and for transfer log backups. Note: These ports are required only if the log shipping server transfers data over PowerShell Direct. In this case, the backup server performs the role of the log shipping server. |
Log shipping server | Backup repository or gateway server | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. By default, the log shipping server connects to the backup repository. However, if the target repository uses a gateway server, the connection will be established with that instead. For more information, see Gateway Servers. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Log shipping server (backup server) | Hyper-V host | TCP | 2500 to 3300 | Range of ports used for communication with the Hyper-V host and for transfer log backups. Note: These ports are required only if the log shipping server transfers data over PowerShell Direct. In this case, the backup server performs the role of the log shipping server. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | MS SQL VM guest OS | TCP | 445, 135 | [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
TCP | 6160, 11731 | [Persistent agent components only] Default port and failover port used by Veeam Installer Service. | ||
TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. | ||
MS SQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
MS SQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
MS SQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 445, 135 | [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. |
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 49152 to 65535 | [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
TCP | 6160, 11731 | [Persistent agent components only] Default port and failover port used by Veeam Installer Service. | ||
TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. | ||
Oracle VM guest OS (Linux) | TCP | 22 | [Non-persistent runtime components only] Default SSH port used as a control channel. This port is NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. | |
TCP | 6162 | [Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH. | ||
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
Oracle VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services or PowerShell Direct. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Oracle VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Oracle VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
PostgreSQL Guest OS Connections
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Guest interaction proxy | PostgreSQL VM guest OS | TCP | 22 | [Non-persistent runtime components only] Default SSH port used as a control channel. This port is NOT required when working in networkless mode over vSphere Web Services. |
TCP | 6162 | [Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH. | ||
TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. This port is NOT required when working in networkless mode over vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
PostgreSQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. This port is NOT required when working in networkless mode over vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
PostgreSQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the PostgreSQL server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
PostgreSQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports that must be opened to ensure proper communication of Veeam CDP components with other backup components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
ESXi host (source) | CDP proxy (source) | TCP | 33032 | Default port used as a transmission channel to the source CDP proxy. |
ESXi host (source) | TCP | 33033 (local) | Port used locally on the source ESXi host for data transfer between I/O filter components. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
ESXi host (source) | TCP | 33035 (local) | Port used locally on the source ESXi host for data transfer between I/O filter components over shared-memory. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
ESXi host (source) | TCP | 33036 | Port used on the source ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy. | |
ESXi host (source) | TCP | 33038 (local) | Port used locally on the source ESXi host for communication between CDP components over HTTPS. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
ESXi host (source) | TCP | 33039 (local) | Port used locally on the source ESXi host for control notifications between I/O filter components. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
CDP proxy (source) | CDP proxy (target) | TCP | 33033 | Default port used as a transmission channel to the target CDP proxy. |
ESXi host (source and target) | TCP | 902 | Default VMware port used for data transfer. Used during initial synchronization and restore operations. | |
vCenter Server (source and target) | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. Used during initial synchronization and restore operations. | |
CDP proxy (target) | ESXi host (target) | TCP | 33032 | Default port used as a transmission channel to the target ESXi host. |
ESXi host (source and target) | TCP | 902 | Default VMware port used for data transfer. Used during initial synchronization and restore operations. | |
vCenter Server (source and target) | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. Used during initial synchronization and restore operations. | |
ESXi host (target) | ESXi host (target) | TCP | 33034 (local) | Port used locally on the target ESXi host for communication between the I/O filter components during failover. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
ESXi host (target) | TCP | 33036 | Port used on the target ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy. | |
ESXi host (target) | TCP | 33038 (local) | Port used locally on the target ESXi host for communication between CDP components over HTTPS. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
Backup server | ESXi host (source and target) | TCP | 443 | Port used as a control channel. |
ESXi host (source and target) | TCP | 33035 | Port used to install I/O filter components on the ESXi hosts. | |
vCenter Server (source and target) | TCP | 443 | Port used as a control channel. | |
CDP proxy (source and target) | TCP | 6182 | Port used as a control channel. |
- Guest OS File Recovery
- Veeam vPower NFS Service
- SureBackup
- SureReplica Recovery Verification
- Microsoft Active Directory Domain Controller Connections During Application Item Restore
- Microsoft Exchange Server Connections During Application Item Restore
- Microsoft SQL Server Connections During Application Item Restore
- Restore to Amazon EC2
- Restore to Google Cloud
- Restore to Microsoft Azure
- Instant Recovery to Microsoft Azure
The following table describes network ports that must be opened to ensure proper communication between components for guest OS file recovery.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Mount server | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
ESXi host | TCP | 443 | Default port used for connections to the ESXi host if Windows file-level restore is performed over VIX API. | |
vCenter server | TCP | 443 | Default port used for connections to the vCenter server if Windows file-level restore is performed using vCenter Web Services. | |
Veeam Signature Update Server | TCP | 443 | Default port used by Veeam Threat Hunter to download information about new malware signatures from the Veeam Signature Update Server over HTTPS. Veeam Signature Update Server endpoints:
| |
Mount server | TCP | 6175 (local) | Used locally for communication with the Veeam Threat Hunter Service. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. | |
Backup server | Mount server | TCP | 445 | Required for deploying Veeam Backup & Replication components. |
TCP | 2500 to 3300 | Default range of ports used for communication with a mount server and for collecting log files. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 6160 | Default port used by Veeam Installer Service including checking the compatibility between components before starting the recovery process. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 6170 | Used for communication with a local or remote Mount Service. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Helper appliance | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Helper appliance | ESXi server | TCP | 443 | Default port used for connections to the ESXi host if restore is performed over VIX API/vSphere Web Services. [For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by vSphere Web Services. |
Backup server | Helper appliance
| TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper appliance. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
Mount server | Helper appliance | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper appliance. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Helper host | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Helper host | ESXi server | TCP | 443 | Default port used for connections to the ESXi host if restore is performed over VIX API/vSphere Web Services. [For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 must also be open to vSphere Web Services. |
Backup server | Helper host | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper host and for collecting log files. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 6162 | Default port used by Veeam Transport Service. | ||
TCP | 32768 to 60999 | Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation. | ||
Mount server | Helper host | TCP | 22 | Default SSH port used as a control channel. |
TCP | 2500 to 3300 | Default range of ports used for communication with a helper host. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
TCP | 32768 to 60999 | Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
VM guest OS (Linux/Unix) | Helper appliance | TCP | 21 | Default port used for protocol control messages if FTP server is enabled. |
Helper appliance | VM guest OS (Linux/Unix) | TCP | 20 | Default port used for data transfer if FTP server is enabled. |
TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. | ||
Helper host | VM guest OS (Linux/Unix) | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup server | VM guest OS (Linux/Unix) | TCP | 22 | Default SSH port used as a control channel. |
Mount server | VM guest OS (Microsoft Windows) | TCP | 445, 135 | Required to deploy the runtime coordination process on the VM guest OS. |
TCP | 6160, 11731 | Default port and failover port used by Veeam Installer Service. | ||
TCP | 6173, 2500 | Used by the Veeam Guest Helper for guest OS processing and file-level restore if persistent agent components are deployed inside the VM guest OS. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. | ||
Backup server | VM guest OS | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Mount server running vPower NFS Service | TCP | 6160 | Default port used by Veeam Installer Service. |
TCP | 6161 | Default port used by the Veeam vPower NFS Service. | ||
ESXi host | Mount server running vPower NFS Service | TCP | 111 | Standard port used by the port mapper service. |
TCP | 1058+ or 1063+ | Default mount port. The number of port depends on where the vPower NFS Service is located:
If port 1058/1063 is occupied, the succeeding port numbers will be used. | ||
TCP | 2049+ | Standard NFS port. If port 2049 is occupied, the succeeding port numbers will be used. | ||
Backup repository or | Mount server running vPower NFS Service | TCP | 2500 to 3300 | Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Mount server running vPower NFS Service | Backup repository or | TCP | 2500 to 3300 | Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
The following table describes network ports that must be opened to ensure proper communication between SureBackup components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Proxy appliance | TCP | 443 | Used for communication with the proxy appliance in the virtual lab. |
Applications on VMs in the virtual lab | — | — | Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response. | |
Internet-facing proxy server | VMs in the virtual lab | TCP | 8080 | Used to let VMs in the virtual lab access the Internet. |
Mount server running vPower NFS Service | Backup repository or | TCP | 2500 to 3300 | Default range of ports used as transmission channels during SureBackup. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
ESXi server | TCP | 443 | Default port used for connections to ESXi host. | |
Backup repository or | Mount server running vPower NFS Service | TCP | 2500 to 3300 | Default range of ports used as transmission channels during SureBackup. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
Backup repository or | Hyper-V server | TCP | 2500 to 3300 | Default range of ports used as transmission channels during SureBackup. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
SureReplica Recovery Verification
The following table describes network ports that must be opened to ensure proper communication between SureReplica components.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Proxy appliance | TCP | 443 | Used for communication with the proxy appliance in the virtual lab. |
Applications on VMs in the virtual lab | — | — | Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response. | |
Internet-facing proxy server | VMs in the virtual lab | TCP | 8080 | Used to let VMs in the virtual lab access the Internet. |
Microsoft Active Directory Domain Controller Connections During Application Item Restore
The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft | TCP | 135 | Used for communication between the domain controller and backup server. |
TCP, | 389 | LDAP connections. | ||
TCP | 636, 3268, 3269 | LDAP connections. | ||
TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API). For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
Microsoft Exchange Server Connections During Application Item Restore
The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft Exchange 2003/2007 CAS Server | TCP | 80, 443 | WebDAV connections. |
Microsoft Exchange 2010/2013/2016/2019 CAS Server | TCP | 443 | Microsoft Exchange Web Services Connections. |
Microsoft SQL Server Connections During Application Item Restore
The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft | TCP | 1433, 1434 and other | Used for communication with the Microsoft SQL Server installed inside the VM. Port numbers depends on configuration of your Microsoft SQL server. For more information, see this Microsoft article. |
UDP | 1434 | Used by the Microsoft SQL Server Browser service. For more information, see this Microsoft article. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server or backup repository | Helper appliance | TCP | 22 | Used as a communication channel to the helper appliance. |
TCP | 443 | Default redirector port. You can change the port in helper appliance settings. For details, see the Specify Helper Appliance section in Restore to Amazon EC2. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server or backup repository | Helper appliance | TCP | 22 | Used as a communication channel to the helper appliance. |
TCP | 443 | Default redirector port. You can change the port in helper appliance settings. For details, see the Specify Helper Appliance section in Restore to Google Cloud. |
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Helper appliance | TCP | 22 | Used by default as a communication channel to the helper appliance when restoring Linux workloads. Can be changed during helper appliance deployment. For details, see Configuring Helper Appliances. |
Microsoft Azure | TCP | 443 | Default management and data transport port required for communication with Microsoft Azure. | |
Azure Windows VM agent distribution server | TCP | 443 | Used by Veeam Backup & Replication to install the Azure Windows VM agent on the restored VM through the following URLs:
Consider that these URLs are subject to change. For more information, see this Microsoft article. | |
Azure Stack Hub | TCP | 443, 30024 | Default management and data transport port required for communication with Azure Stack Hub. | |
Backup server or backup repository | Azure restore proxy appliance (former Azure proxy) | TCP | 443 | Default management and data transport port required for communication with the Azure restore proxy appliance. The port must be opened on the backup server and backup repository storing VM backups. Can be changed in the settings of the Azure restore proxy appliance. For details, see Specify Credentials and Transport Port. |
Instant Recovery to Microsoft Azure
From | To | Protocol | Port | Notes |
|---|---|---|---|---|
Backup server | Microsoft Azure Resource Manager service (Service Tag: AzureResourceManager) | TCP/HTTPS | 443 | Used for Azure Resources management and deployment through the following endpoint:
|
Microsoft Azure storage account (Veeam packages upload) (Service Tag: Storage) | TCP/HTTPS | 443 | Used to deliver Veeam components from the backup server to the temporary Azure VM used to create templates of Instant Recovery to Azure helper appliances through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
Microsoft Azure storage account (message queues) (Service Tag: Storage) | TCP/HTTPS | 443 | Used for communication with Instant Recovery to Azure helper appliances via Azure Message queues through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
Microsoft Entra ID (Service Tag: AzureActiveDirectory) | TCP/HTTPS | 443 | Used for Entra ID authentication to access storage accounts and message queues through the following endpoints:
| |
Certificate verification endpoints | TCP/HTTP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the up-to date list of addresses in the certificate details in the following fields:
For more details, see this Microsoft article. | |
Instant Recovery for Azure helper appliance | Microsoft Azure storage account (message queues) (Service Tag: Storage) | TCP/HTTPS | 443 | Used for communication with backup server through Azure Message queues through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. |
Microsoft Azure storage account (backup repository) / Veeam Data Cloud Vault (backup repository) (Service Tag: Storage) | TCP/HTTPS | 443 | Used to access backups through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal in the Cloud Management > Vault Subscriptions section of your Veeam Data Cloud account for Veeam Data Cloud Vault repository. | |
Certificate verification endpoints | TCP/HTTP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the up-to date list of addresses in the certificate details in the following fields:
For more details, see this Microsoft article. | |
Azure Windows VM Agent Distribution location | TCP/HTTPS | 443 | Used to install the Azure Windows VM agent on the restored Windows VM through the following URLs:
Consider that these URLs are subject to change. For more information, see this Microsoft article. | |
Microsoft Entra ID | TCP/HTTPS | 443 | Used for Entra ID authentication to access storage accounts and message queues through the following endpoints:
| |
Azure Instance Metadata Service endpoint (Service Tag: AzureActiveDirectory) | TCP/HTTP | 80 | The following endpoint is used for Entra ID authentication to access storage accounts and message queues and other purposes:
| |
Temporary Azure VMs used to create templates of Instant Recovery to Azure helper appliances | Microsoft Azure storage account (Veeam packages upload) (Service Tag: Storage) | TCP/HTTPS | 443 | Used to deliver Veeam components from the backup server to the temporary VM through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. |
Microsoft Azure storage account (message queues) (Service Tag: Storage) | TCP/HTTPS | 443 | Used for communication with backup server through Azure Message queues through the following endpoints:
Consider that the <storage-account> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. | |
Ubuntu Azure repository | TCP/HTTP | 80 | Used to install prerequisite packages through the following endpoints:
| |
Certificate verification endpoints | TCP/HTTP | 80 | Used to verify the certificate status through the following endpoints:
Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the up-to date list of addresses in the certificate details in the following fields:
For more details, see this Microsoft article. | |
Restored VM | Instant Recovery to Azure helper appliance | TCP/iSCSI | 3260-3262 | Used to boot the restored VM from backed up disks with iSCSI protocol. |
TCP/HTTP | 9555 | Used to get boot firmware configuration from the Platform Converter Service running on the appliance. |
Other Veeam Products and Components
Veeam Backup Enterprise Manager
- Veeam Explorer for Microsoft Active Directory Connections
- Veeam Explorer for Microsoft Exchange Connections
- Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business Connections
- Veeam Explorer for Microsoft SQL Server Connections
- Veeam Explorer for Microsoft Teams Connections
- Veeam Explorer for Oracle Connections
- Veeam Explorer for PostgreSQL Connections
- Connections for Veeam Agent for Microsoft Windows Operating in Managed Mode
- Connections for Veeam Agent for Linux Operating in Managed Mode
- Connections for Veeam Agent for Mac Operating in Managed Mode
Veeam Plug-ins for Enterprise Applications
- Veeam Plug-in for SAP HANA Connections
- Veeam Plug-in for Oracle RMAN Connections
- Veeam Plug-in for SAP on Oracle Connections
- Veeam Plug-in for Microsoft SQL Server Connections