Configuring the software firewall on a Unitrends Appliance using Security Levels

ISSUE

By default, the security level on the system is set to No Security. This allows all ports to remain open. The administrator can choose the level of security desired on a particular system. Security levels can be set by selecting Configure > Network > Ports and are categorized as:

  • None (Open All)
  • Low Security
  • Medium Security
  • High Security

RESOLUTION


To gain access to the security Ports section:

In the /ui/#/ interface: CONFIGURE > Appliances (tab, select the line item) > Network (tab, below) > Ports.
To Access the System Using Medium Security


When using medium security, access the Administrator Interface by entering the following in the browser address bar:
https://<System_IP_address>/ui/#/

Access the context-sensitive Help Guides by directing the browser to:
https://<System_IP_address>/unitrendsmanuals/Default.htm

Answer yes to any warning messages received.


To Access the System Using High Security

When high security is enabled, the system can only be accessed using a KVM or directly attached monitor, keyboard, and mouse for physical systems, or from the VM console for virtual systems. You have access to the system console only. There is no way to access the Administrator Interface to view functions (such as backups, archives, replication) or make changes to any system settings.


To Disable High Security

  1. Connect to the system console.
    • For physical systems, connect using a KVM or directly attached monitor, keyboard, and mouse.
    • For Unitrends Enterprise Backup for Hyper-V, launch Hyper-V Manager, select the Unitrends VM, and click Connect.
    • For Unitrends Enterprise Backup for VMware, connect to the Unitrends VM using the VMware vSphere Client, VMware Player, or VMware Workstation.
  2. In the Console Interface, enter 3 in the Please enter choice field.
  3. On the Firewall Security Level screen, enter 1, 2, or 3 in the Please enter choice field to change security level to None, Low, or Medium.

CAUSE


Open Ports and Security Levels

The ports open for each security level are listed in the tables below. Additionally, in the General Configuration section of the Settings interface (Settings > System, Updates, and Licensing > General Configuration > Configuration Options), there is a field named dataport_count. This field is the number of TCP ports that may be opened for data transfer. The count includes the control port plus four additional ports, and together they determine the actual port numbers the system selects from. When any level of security is enabled, the control value is 1745. By default, four additional ports are added to 1745. So when configuring a firewall with a security level set and a dataport count of five, ports 1745 through 1749 should be opened between the system and the clients the system protects.

NOTE: About replication and vaulting. Port 1 must be open during the initial configuration of replication or legacy vaulting. During replication or vaulting setup, if you configure a secure tunnel using OpenVPN (the recommended configuration), port 1194 is used for all communication between the source and target (or vault) systems. If you do not configure a secure tunnel using OpenVPN, ports 1743, 1745, and 5432 are required for managing a system from the replication target or vault. Additionally, if you do not configure a secure tunnel using OpenVPN, port 80 is used for replication and port 22 for vaulting. The necessary ports must be open in the firewall for management of the system from the replication target or vault. For more details, see What firewall ports are necessary for a Unitrends appliance to manage or be a replication target of another appliance?.

Security Level: Low

  Port   Usage
  1      Replication or legacy vaulting setup
  22     Secure shell
  80     HTTP web access
  139    Samba share
  161    SNMP
  443    Secure HTTP web access
  445    CIFS
  873    Rsync
  888    Agent Pairing
  1194   OpenVPN*
  1743   Extended Internet daemon
  1744   Extended Internet daemon
  1745   Extended Internet daemon
  1746   Extended Internet daemon
  1747   Extended Internet daemon
  1748   Extended Internet daemon
  1749   Extended Internet daemon
  2049   Network file system
  3260   iSCSI
  4970   Postgres database access
  5432   Postgres database access
  5801   VNC (Java) access
  5900   VNC access
  5902   VNC access
  6001   VNC HTTP web access
  10000  NDMP

Security Level: Medium

  Port   Usage
  1      Replication or legacy vaulting setup
  22     Secure shell
  139    Samba share
  443    Secure HTTP web access
  445    CIFS
  1194   OpenVPN*
  1743   Extended Internet daemon
  1745   Extended Internet daemon
  1746   Extended Internet daemon
  1747   Extended Internet daemon
  1748   Extended Internet daemon
  1749   Extended Internet daemon
  3260   iSCSI
  4970   Postgres database access
  5432   Postgres database access
  10000  NDMP

Security Level: High

  Port   Usage
  1743   Extended Internet daemon
  1745   Extended Internet daemon
  1746   Extended Internet daemon
  1747   Extended Internet daemon
  1748   Extended Internet daemon
  1749   Extended Internet daemon


Use of the High Port Security Level will prevent communications over OpenVPN port 1194. When using Unitrends Cloud, you must use the None (Open All) Port Security Level. Any other option will prevent communications between the Source and the Target Unitrends appliances.


NOTE: OpenVPN by default transmits over UDP port 1194 unless dictated differently by your Unitrends Onboarding Engineer or Unitrends Cloud Operations.
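The following is an added example, not Unitrends code: it models the per-level port tables and the dataport_count rule from this article and audits an observed open-port list (for example from a firewall listing or a port scan of your own appliance) against the documented set, and it reports which ports a replication or vaulting setup needs that a chosen level leaves closed. The audit functions and the SAMPLE_SCAN values are my own constructions; port numbers are taken from the tables above, and the code does not distinguish TCP from UDP (per the note, 1194 is UDP).

```python
# Added example (not Unitrends code). Port tables and the dataport_count rule
# come from the article; the audit logic and sample scan are constructed.

# Fixed ports per security level, as documented above (data ports added below).
LOW_PORTS = {1, 22, 80, 139, 161, 443, 445, 873, 888, 1194, 1743, 1744,
             2049, 3260, 4970, 5432, 5801, 5900, 5902, 6001, 10000}
MEDIUM_PORTS = {1, 22, 139, 443, 445, 1194, 1743, 3260, 4970, 5432, 10000}
HIGH_PORTS = {1743}
CONTROL_PORT = 1745  # control value used once any security level is enabled

# Constructed sample: what a port scan of a "medium" appliance might report.
SAMPLE_SCAN = [22, 443, 1194, 1743, 1745, 1746, 1747, 1748, 1749, 3260, 5432, 8080]


def data_ports(dataport_count=5):
    """TCP data-transfer ports: the control port plus (dataport_count - 1) more."""
    if dataport_count < 1:
        raise ValueError("dataport_count must be at least 1")
    return set(range(CONTROL_PORT, CONTROL_PORT + dataport_count))


def expected_open_ports(level, dataport_count=5):
    """Documented open-port set for a level; 'none' means every port is open."""
    base = {"low": LOW_PORTS, "medium": MEDIUM_PORTS, "high": HIGH_PORTS}
    if level == "none":
        return set(range(1, 65536))
    return base[level] | data_ports(dataport_count)


def replication_ports(openvpn_tunnel, legacy_vaulting=False):
    """Ports the article says a replication target or vault must reach."""
    if openvpn_tunnel:
        return {1194}
    return {1743, 1745, 5432, 22 if legacy_vaulting else 80}


def audit(level, observed_open, dataport_count=5):
    """Compare an observed open-port list with the documented set for the level."""
    expected = expected_open_ports(level, dataport_count)
    observed = set(observed_open)
    return {"unexpected": sorted(observed - expected),
            "missing": sorted(expected - observed)}


def replication_blocked(level, openvpn_tunnel, legacy_vaulting=False, dataport_count=5):
    """Ports replication/vaulting needs that the chosen level leaves closed."""
    needed = replication_ports(openvpn_tunnel, legacy_vaulting)
    return sorted(needed - expected_open_ports(level, dataport_count))
```

Running audit("medium", SAMPLE_SCAN) flags 8080 as an unexpected listener, and replication_blocked("high", openvpn_tunnel=True) returns [1194], matching the statement above that High blocks OpenVPN.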
