
What Firewall Ports should be allowed from the Unitrends appliance through my firewall?

SUMMARY

A common question during deployment is which ports and/or hosts must be opened for Unitrends to access the internet.

ISSUE

  • What Ports does the Unitrends appliance require opened in our firewall?
  • My appliance is unable to receive updates.
  • Support informed me the tunnel I opened is not accessible.

RESOLUTION

There are several addresses you should permit for all deployments. All of these are outgoing connections from the Unitrends appliance. We do not require incoming NAT of ports or exposing the unit to a public IP; only outgoing communication from a local source Unitrends appliance is needed.

NOTE: NEVER expose the appliance Web UI or SSH connections to open external ports.  Doing so may void your support agreement until the appliance can be secured properly.  NEVER deploy the Unitrends appliance on a public IP.  All incoming ports to a Unitrends appliance MUST be firewall protected.   Privately operated Hot Copy Targets should be deployed in such a way as to secure the VPN connection to only trusted source external IPs.  


Product Updates:  ALL of the following are REQUIRED to perform standard appliance updates (Helix is optional for most customers)

This is used for the main software repository for updates seen in the update UI.

  • Primary Repo
    • repo.unitrends.com*
  • Mirrors
    • ubrs-repo-production-east.s3.amazonaws.com
    • ubrs-repo-production-west.s3.us-west-1.amazonaws.com
    • mirrors.elrepo.org

This is used to pull updates from our software repository mirror which is closest geographically.

*A variety of protocols, both legacy and current, are in use to communicate with repo.unitrends.com. If you find you are having difficulties updating, please engage support for assistance.

 

Helix services

  • 173.247.66.64 TCP and UDP Port 5721 outgoing

Helix free edition can be used by customers to perform automatic appliance updates and may be required by your MSP for system monitoring. This port is usually open as it is the common Microsoft ActiveSync port and protocol, but may be blocked in some environments.

Helix is also a paid subscription service allowing various client automation tasks, and any asset the Helix paid agent is deployed on also requires this connectivity open from that individual machine to this address. Helix access for the physical appliance is a requirement for customers on subscription contracts with Unitrends.

 

Proactive Monitoring

  • notifications.unitrends.com ports 161 and 162 UDP

This is used for SNMP trap collection for all proactive monitoring functions provided by Unitrends. This is recommended for all appliances but most especially Unitrends Hardware appliances to ensure proactive hardware monitoring for disk and chassis health alerts.

  • es.telemetry.unitrends.com ports 161 and 162 UDP and 9243 TCP

This is used for telemetry data collection from your appliance, including limited backup history, error codes reported, and more. This data is directly used by our onboarding team, support teams, and development teams to troubleshoot and solve an array of issues with appliances in the field, and in many cases can avoid the need for direct access to an appliance. It also provides capabilities for proactive support case generation. Failure to have this port enabled may substantially delay troubleshooting efforts for system issues. This service uses dynamic IP pools that are subject to change.

NOTE: SNMP cannot be tested using Telnet as it is a UDP, one-way protocol. You can use Microsoft's portqry tool if you wish to test if you can communicate with notifications.unitrends.com.
 

Remote Support Services

  • support-itivity.unitrends.com on HTTP and HTTPS (Ports 80 and 443 TCP)

Our primary remote support system

All Unitrends Technical Support Engineers are skilled at utilizing the remote access capabilities of applicable Unitrends products. Remote System Access, often referred to by the Technical Support Engineers as a “Support Tunnel”, is required to ensure successful and timely resolution to reported issues. Remote access is controlled from the appliance and is enabled and disabled at the will of the appliance operator. Unitrends cannot access appliances remotely unless the service is opened manually by the end user, and this access remains in the control of the end user and can be disabled again at will. All remote access is logged. Per the Unitrends Support Handbook, remote access is a requirement for timely resolution of customer issues, and without it, the Unitrends Customer Support Engineer may also be severely limited in options for how to resolve issues.

Of special note: Should a unit require its license key to be reset (common for a UEB if the MAC changes or the system UUID changes, which can occur if a UEB is moved to a different virtual host, or for physical appliances if ETH0 is disabled or fails), remote access through a tunnel is required to reset this condition. This process will not be permitted through a Webex or other remote connection under any circumstances and expressly requires direct support connectivity. If a license failure occurs and this port cannot be temporarily opened, a redeployment of the unit may be required to resolve the issue.
 

Reports

Unitrends uses images that come from the unitrends.com site as part of the email template for the reports. You will need to allow us to pull data from this site so that the reports are properly populated and understandable:

          http://www.unitrends.com/reports/notifications/

          http://www.unitrends.com/assets/images/

          http://www.unitrends.com/reports/

Other ports:

Additional Considerations:

Deep Packet Inspection (DPI): We have seen services such as HTTPS Deep Packet Inspection for SSL disrupt the ability of the Support Tunnel or Updates to the appliance to complete. You may need to disable this function or create an exclusion for the Unitrends appliance itself to allow the systems listed above to bypass the rule. DPI will also negatively impact Hot Copy Replication performance between a backup source appliance and targets for replication.
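
The following policy check is an added example, not Unitrends code: it tests an ordered firewall rule list against the destinations and ports stated in this article and flags inbound rules that open the appliance to any source. The rule format, the appliance address 10.20.0.15 and the sample policy are constructed assumptions; the update repositories are omitted because the article does not state their ports.

```python
APPLIANCE = "10.20.0.15"  # hypothetical appliance address

# Destination, protocol and port as listed in the article. The update
# repositories are left out because the article does not state their ports.
REQUIRED = {
    "Helix": [("173.247.66.64", p, 5721) for p in ("tcp", "udp")],
    "Proactive monitoring": [("notifications.unitrends.com", "udp", n) for n in (161, 162)],
    "Telemetry": [("es.telemetry.unitrends.com", "udp", 161),
                  ("es.telemetry.unitrends.com", "udp", 162),
                  ("es.telemetry.unitrends.com", "tcp", 9243)],
    "Remote support": [("support-itivity.unitrends.com", "tcp", 80),
                       ("support-itivity.unitrends.com", "tcp", 443)],
}

def decide(rules, direction, src, dst, proto, port):
    """First matching rule wins ("any" is a wildcard); unmatched traffic is denied."""
    for r in rules:
        fields = (("src", src), ("dst", dst), ("proto", proto))
        if (r["dir"] == direction and all(r[k] in ("any", v) for k, v in fields)
                and (r["ports"] == "any" or port in r["ports"])):
            return r["action"]
    return "deny"

def audit(rules):
    """Return (blocked outbound flows per service, inbound rules open to any source)."""
    blocked = {}
    for service, flows in REQUIRED.items():
        missing = [f for f in flows if decide(rules, "out", APPLIANCE, *f) != "allow"]
        if missing:
            blocked[service] = missing
    exposed = [r for r in rules
               if r["dir"] == "in" and r["action"] == "allow"
               and r["src"] == "any" and r["dst"] in (APPLIANCE, "any")]
    return blocked, exposed

# Constructed policy: Helix and remote support are allowed outbound, SNMP and
# telemetry are not, and one inbound rule opens the appliance to any source.
SAMPLE_POLICY = [
    {"dir": "out", "action": "allow", "src": APPLIANCE, "dst": "173.247.66.64", "proto": "any", "ports": [5721]},
    {"dir": "out", "action": "allow", "src": APPLIANCE, "dst": "support-itivity.unitrends.com", "proto": "tcp", "ports": [80, 443]},
    {"dir": "in", "action": "allow", "src": "any", "dst": APPLIANCE, "proto": "tcp", "ports": [443]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_POLICY))
```

Because the telemetry service uses dynamic IP pools, the outbound rules for it need to match on hostname (FQDN objects) rather than on a resolved address.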

 

CAUSE

Corporate firewalls may be configured in such a way as to be very restrictive and prevent key functionality of the Unitrends appliance from operating correctly.

Today's security appliances include multiple points of control for maximum security. You will need to review your network and security solution's logs and support documents for ways to monitor and manage the various controls, which may include anything from the physical layer to the application layer of the OSI model.
