SUMMARY
A common question during deployment is: "What ports and/or hosts must be opened for the Unitrends appliance to reach the internet?"
ISSUE
- What ports does the Unitrends appliance require to be opened in our firewall?
- My appliance is unable to receive updates.
- Support informed me the tunnel I opened is not accessible.
RESOLUTION
There are several addresses you should permit for all deployments. Every connection listed below is outgoing from the Unitrends appliance: no inbound NAT, port forwarding, or public IP on the unit is required, only outbound communication from the appliance on your local network.
NOTE: NEVER expose the appliance Web UI or SSH connections to open external ports. Doing so may void your support agreement until the appliance can be secured properly. NEVER deploy the Unitrends appliance on a public IP. All incoming ports to a Unitrends appliance MUST be firewall protected. Privately operated Hot Copy Targets should be deployed in such a way as to secure the VPN connection to only trusted source external IPs.
Product Updates
NOTE: THIS LIST IS REQUIRED FOR UPDATES STARTING JULY 8 2024 AND WAS UPDATED RECENTLY. PLEASE CONFIRM YOUR FIREWALLS ALLOW ALL NOTED PORTS THROUGH WHITELISTS.
ALL of the following are REQUIRED to perform standard appliance updates (Helix is optional for most customers)
Hosts required for updates (the main software repository, used for the updates seen in the update UI):
- repo.unitrends.com*
- kaseyagroup-applianceregistry.jfrog.io
- sftp.kaseya.com
- registry.unitrends.com (new requirement from July 8 2024 forward)
*Repo mirrors (the appliance pulls updates from whichever mirror is geographically closest):
- ubrs-repo-production-east.s3.amazonaws.com
- ubrs-repo-production-west.s3.us-west-1.amazonaws.com
- mirrors.elrepo.org
If restricting outbound HTTPS (443/TCP) traffic by IP address, all AWS/CloudFront IP ranges published at the following URLs must be allowed. These ranges change over time, so refresh them on a schedule rather than copying them once; where your firewall supports FQDN-based rules, allowing the hostnames above is simpler and less fragile.
AWS CloudFront IP address range info for repo.unitrends.com can be found here: https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/LocationsOfEdgeServers.html
AWS IP address range info for registry.unitrends.com can be found here: https://docs.aws.amazon.com/vpc/latest/userguide/aws-ip-ranges.html
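The AWS page linked above points at the machine-readable ip-ranges.json document. The script below is an added example, not Unitrends or AWS code: it parses that document's layout, returns the prefixes for one service (CLOUDFRONT for repo.unitrends.com; S3 in the mirror regions is an assumption based on the S3 mirror hostnames listed above), renders them as illustrative allow rules, and checks whether a currently resolved address falls inside the allowed set. The embedded JSON is a constructed sample using documentation address ranges; the real file has thousands of entries and changes often, so run this on a schedule.

```python
"""Extract the AWS/CloudFront prefixes a strict egress policy must allow.

Added example (not Unitrends/AWS code). Parses the ip-ranges.json layout
published at https://ip-ranges.amazonaws.com/ip-ranges.json.
"""
import ipaddress
import json
from typing import Iterable, List, Optional

# Constructed sample in the real ip-ranges.json layout (not real data).
SAMPLE_IP_RANGES = json.dumps({
    "syncToken": "0",
    "createDate": "2024-07-08-00-00-00",
    "prefixes": [
        {"ip_prefix": "203.0.113.0/24", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
        {"ip_prefix": "198.51.100.0/24", "region": "us-east-1",
         "service": "AMAZON", "network_border_group": "us-east-1"},
        {"ip_prefix": "198.51.100.0/25", "region": "us-east-1",
         "service": "S3", "network_border_group": "us-east-1"},
        {"ip_prefix": "192.0.2.0/24", "region": "us-west-1",
         "service": "S3", "network_border_group": "us-west-1"},
    ],
    "ipv6_prefixes": [
        {"ipv6_prefix": "2001:db8::/32", "region": "GLOBAL",
         "service": "CLOUDFRONT", "network_border_group": "GLOBAL"},
    ],
})


def prefixes_for(doc: str, service: str, regions: Optional[Iterable[str]] = None,
                 ipv6: bool = False) -> List[str]:
    """Sorted, de-duplicated prefixes for one service.

    regions=None keeps every region; otherwise only the listed ones are kept.
    """
    data = json.loads(doc)
    if ipv6:
        key, items = "ipv6_prefix", data["ipv6_prefixes"]
    else:
        key, items = "ip_prefix", data["prefixes"]
    wanted = set(regions) if regions is not None else None
    out = {e[key] for e in items
           if e["service"] == service and (wanted is None or e["region"] in wanted)}
    # Sort by network so successive runs produce a stable, diff-able list.
    return sorted(out, key=lambda p: ipaddress.ip_network(p))


def allows(prefixes: Iterable[str], ip: str) -> bool:
    """True if ip (e.g. what repo.unitrends.com resolves to right now) is inside any prefix."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p) for p in prefixes)


def firewall_lines(prefixes: Iterable[str], comment: str) -> List[str]:
    """Render prefixes as generic 'allow tcp/443' rules; the syntax is illustrative only."""
    return [f"allow tcp from any to {p} port 443  # {comment}" for p in prefixes]


if __name__ == "__main__":
    cf = prefixes_for(SAMPLE_IP_RANGES, "CLOUDFRONT")
    # Assumption: the S3-hosted mirrors need the S3 prefixes of their regions.
    s3 = prefixes_for(SAMPLE_IP_RANGES, "S3", regions=["us-east-1", "us-west-1"])
    for line in firewall_lines(cf, "repo.unitrends.com via CloudFront"):
        print(line)
    for line in firewall_lines(s3, "S3 repo mirrors"):
        print(line)
    print("203.0.113.7 covered by CloudFront ranges:", allows(cf, "203.0.113.7"))
```

To use it against the live document, replace SAMPLE_IP_RANGES with the downloaded file contents and feed the output to whatever rule format your firewall accepts; keep the previous output so you can diff for added or withdrawn prefixes.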
Unitrends Backup Portal (backup.net)
The following sites and ports must be allowed to enable management of the Unitrends appliance through the Unitrends backup portal.
- login.backup.net port 443
- {homerealm}.backup.net port 443
- proxy.backup.net port 443
- api.backup.net port 443
- download.backup.net port 443
- index.docker.io port 443
- hub.docker.com port 443
- public.ecr.aws port 443
- *.cloudfront.net port 443
Helix services
- iad2helix.kaseya.net outgoing port 5721/TCP
Helix Free Edition can be used by customers to perform automatic appliance updates and may be required by your MSP for system monitoring. Port 5721/TCP is open in many environments but is blocked by some restrictive egress policies.
Helix is also offered as a paid subscription service for various client automation tasks; any asset on which the paid Helix agent is deployed also needs this connectivity from that individual machine to the address above. Helix access for the physical appliance is required for customers on subscription contracts with Unitrends.
Hot Backup Copy Replication
OpenVPN is required for all hot copy replication (in effect since 9.0.0-6 for security and compliance). It encrypts the channel between the Source and Target and makes later network changes easy to accommodate. Its overhead is small (under 0.5%), and in practice it improves replication reliability and throughput well beyond that cost. Establishing the OpenVPN connection between appliances requires ICMP, so permit ICMP between Source and Target. Unitrends recommends configuring the Target/Manager as the OpenVPN server and the Source as the OpenVPN client before remote management is configured.
Source: Receives the backups from the computers it protects (Protected Assets).
Target: Receives backup copy data from the Source appliance(s).
Manager: An appliance given permission to manage a Source appliance.
Unitrends Cloud
When first setting up the connection to the Unitrends Cloud partner, the firewall/IDS/IPS/web filter/application control on your network security device must be relaxed to allow bidirectional traffic between your appliance and the Unitrends Cloud FQDN for the duration of setup only. Once setup completes, only the UDP port specifically assigned to your appliance for Hot Backup Copy replication needs to remain allowed.
Third-party Cloud Targets (Google, Amazon, Rackspace, Azure Blob)
- If using CloudHook services with Google Nearline or Amazon S3 storage or potentially other providers, please see the provider documentation for ports and addresses that are required for use.
Proactive Monitoring
- notifications.unitrends.com outgoing port 162/UDP
This is used for SNMP trap collection for all proactive monitoring functions provided by Unitrends. This is recommended for all appliances but most especially Unitrends Hardware appliances to ensure proactive hardware monitoring for disk and chassis health alerts.
- es.telemetry.unitrends.com outgoing port 162/UDP
- 1822f510d5b0459f96be33df425d8a09.us-east-1.aws.found.io outgoing port 9243/TCP
This is used for telemetry data collection from your appliance, including limited backup history, error codes reported, and more. This data is used directly by our onboarding, support, and development teams to troubleshoot and solve a range of issues with appliances in the field, and in many cases removes the need for direct access to an appliance. It also enables proactive support case generation. Failure to allow this port may substantially delay troubleshooting of system issues. This service uses dynamic IP pools that are subject to change, so allow it by hostname rather than by fixed address.
NOTE: SNMP traps cannot be tested with Telnet: they are sent over UDP, one way, with no acknowledgement. You can use Microsoft's PortQry tool to probe UDP connectivity to notifications.unitrends.com, bearing in mind that a UDP probe can only show the packet was sent and not rejected, not that the trap was received.
Remote Support Tunnel
- support-itivity.unitrends.com outgoing HTTP and HTTPS (Ports 80/TCP and 443/TCP)
Our primary remote support system
All Unitrends Technical Support Engineers are skilled at using the remote access capabilities of applicable Unitrends products. Remote system access, often referred to by the Technical Support Engineers as a "Support Tunnel", is required to ensure successful and timely resolution of reported issues. Remote access is controlled from the appliance and is enabled and disabled at the will of the appliance operator. Unitrends cannot access appliances remotely unless the service is opened manually by the end user; this access remains under the end user's control and can be disabled again at any time. All remote access is logged. Per the Unitrends Support Handbook, remote access is a requirement for timely resolution of customer issues, and without it the Unitrends Customer Support Engineer may be severely limited in options for resolving them.
Of special note: should a unit require its license key to be reset (common for a UEB if the MAC address or system UUID changes, which can occur if a UEB is moved to a different virtual host, or for physical appliances if ETH0 is disabled or fails), remote access through a tunnel is required to reset this condition. This process will not be performed through Zoom or any other remote connection under any circumstances and expressly requires direct support connectivity. If a license failure occurs and this port cannot be temporarily opened, a redeployment of the unit may be required to resolve it.
Reports
Unitrends uses images hosted on the unitrends.com site as part of the email template for reports. Allow access to this site so that the reports are properly populated and readable:
http://www.unitrends.com/reports/notifications/
http://www.unitrends.com/assets/images/
http://www.unitrends.com/reports/
www.unitrends.com outgoing HTTP and HTTPS (Port 80/TCP and 443/TCP)
Troubleshooting guide
Corporate firewalls may be configured so restrictively that key functions of the Unitrends appliance cannot operate correctly.
Today's security appliances include multiple points of control. Review your network and security solution's logs and support documentation for ways to monitor and manage these controls, which may include anything from the physical layer to the application layer of the OSI model.
Validate Open Ports
To list which TCP ports are open on a target host, run the following (current nmap releases spell the skip-host-discovery option -Pn; -P0 is the older spelling of the same option, and -p can be added to limit the scan to specific ports):
nmap -Pn [targetIPaddress]
Note that this reports ports listening on the target, not whether your firewall permits outbound connections from the appliance; to check egress, attempt the connection from the appliance itself.
Additionally, a downloadable tool exists to run on a Windows machine to validate target connectivity on specific OpenVPN ports. On your Unitrends community site, under the training link, select the "catalogs" link and locate the Quick Demos and Top Resources catalog. Review the Unitrends Install Onboarding training package for more information about connecting to Unitrends Cloud and prerequisite requirements.
Deep Packet Inspection (DPI)
HTTPS deep packet inspection (TLS interception) has been seen to break the Support Tunnel and appliance updates. You may need to disable this function or create an exclusion for the Unitrends appliance itself so that the systems listed above bypass the rule. DPI also negatively impacts Hot Copy Replication performance between a backup source appliance and its replication targets.
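The checks this article describes (egress per host and port, the one-way nature of the SNMP trap traffic under Proactive Monitoring, and spotting DPI on the update and support-tunnel paths) can be run together from the appliance's network segment. The script below is an added example, not a Unitrends tool: it resolves each listed host, completes a TCP handshake for TCP entries, sends a single datagram for UDP entries (reporting only that the packet left this host, since delivery cannot be confirmed), and on port 443 reports the certificate issuer, which differs from the public CA when an inspecting proxy re-signs the connection. The endpoint table is taken from this article; sftp.kaseya.com is omitted because the article states no port for it, and the {homerealm}.backup.net entry is left out because it is customer-specific. The loopback self-test exercises the TCP check offline.

```python
"""Egress pre-flight for the endpoints listed in this article (added example)."""
import socket
import ssl
import threading
from typing import Dict, List, Tuple

# host port proto purpose, taken from this article. sftp.kaseya.com is omitted
# because the article does not state its port; confirm it with support.
REQUIRED = """
repo.unitrends.com 443 tcp updates
registry.unitrends.com 443 tcp updates (required from July 8 2024)
kaseyagroup-applianceregistry.jfrog.io 443 tcp updates
login.backup.net 443 tcp backup portal
api.backup.net 443 tcp backup portal
iad2helix.kaseya.net 5721 tcp Helix
notifications.unitrends.com 162 udp SNMP traps
es.telemetry.unitrends.com 162 udp telemetry
support-itivity.unitrends.com 443 tcp support tunnel
www.unitrends.com 80 tcp report images
"""
Endpoint = Tuple[str, int, str, str]


def parse_endpoints(text: str) -> List[Endpoint]:
    """Parse 'host port proto purpose...' lines; '#' starts a comment."""
    out: List[Endpoint] = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            host, port, proto, *purpose = line.split()
            out.append((host, int(port), proto.lower(), " ".join(purpose)))
    return out


def resolve(host: str) -> List[str]:
    """IPv4 addresses for host, or [] when DNS fails (DNS egress is itself a check)."""
    try:
        return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None, socket.AF_INET)})
    except socket.gaierror:
        return []


def check_tcp(ip: str, port: int, timeout: float = 3.0) -> Dict[str, object]:
    """Full TCP handshake; a refusal and a timeout both count as blocked."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return {"ok": True, "detail": "connected"}
    except OSError as exc:
        return {"ok": False, "detail": str(exc)}


def send_udp(ip: str, port: int) -> Dict[str, object]:
    """ok=None: the datagram left this host; whether it arrived is unknowable here."""
    try:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.sendto(b"\x00", (ip, port))
        return {"ok": None, "detail": "datagram sent, delivery not verifiable"}
    except OSError as exc:
        return {"ok": False, "detail": str(exc)}


def issuer_org(cert: dict) -> str:
    """Flatten getpeercert()['issuer'] to 'organizationName=...,commonName=...'.
    Compare with the issuer seen from an uninspected network; a corporate CA means DPI."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return ",".join(f"{k}={fields[k]}" for k in ("organizationName", "commonName") if k in fields)


def tls_issuer(host: str, ip: str, port: int = 443, timeout: float = 5.0) -> str:
    """Issuer of the certificate presented for host. An UNTRUSTED result is typical
    when an inspecting proxy's CA is not in this machine's trust store."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return issuer_org(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return f"UNTRUSTED ({exc})"
    except (OSError, ssl.SSLError) as exc:
        return f"TLS error ({exc})"


def run(text: str = REQUIRED) -> List[str]:
    """One report line per resolved address, e.g. 'OK   host [ip]:443/tcp connected (...)'."""
    report = []
    for host, port, proto, purpose in parse_endpoints(text):
        ips = resolve(host)
        if not ips:
            report.append(f"FAIL {host}:{port}/{proto} DNS resolution failed ({purpose})")
        for ip in ips:
            res = check_tcp(ip, port) if proto == "tcp" else send_udp(ip, port)
            status = {True: "OK  ", False: "FAIL", None: "SENT"}[res["ok"]]
            line = f"{status} {host} [{ip}]:{port}/{proto} {res['detail']} ({purpose})"
            if proto == "tcp" and port == 443 and res["ok"]:
                line += f" issuer={tls_issuer(host, ip)}"
            report.append(line)
    return report


def loopback_probe() -> Tuple[object, object]:
    """Offline demonstration of check_tcp: (result for a listening port, result for a closed port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def accept_once() -> None:
        try:
            srv.accept()[0].close()
        except OSError:
            pass
    worker = threading.Thread(target=accept_once, daemon=True)
    worker.start()
    listening = check_tcp("127.0.0.1", port, 2.0)["ok"]
    srv.close()
    worker.join(2.0)
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                      # nothing listens here now, so connect is refused
    return listening, check_tcp("127.0.0.1", closed_port, 2.0)["ok"]


if __name__ == "__main__":
    for line in run():
        print(line)
```

Read the report as a whole: a FAIL on a TCP entry is a firewall or DNS problem; SENT on the UDP entries is the best this side can show; an issuer on a 443 line that names your corporate CA, or an UNTRUSTED result, is the DPI exclusion this article asks you to create.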