To provide additional security for assets with backup agents installed, this knowledge article serves as a reference for whitelisting the appliances that connect to those assets while blocking all other IPs from the ports on which the Unitrends agent services listen. The details below are separated into two sections: Windows assets and Linux assets.
Firewall rules need to be created on Windows assets to whitelist the local IP address of your physical or virtual Recovery Series appliance to ports 1743 - 1749 over TCP. A script is provided below for configuring Windows Defender Firewall.
TCP Port 1743: Command and control communications between your appliance and the BP Agent service.
TCP Ports 1744-1749: Backup data is transferred through these ports.
If you use another firewall solution, create rules to only allow access from the local IP address of your physical or virtual Recovery Series appliance to ports 1743 - 1749 over TCP.
Script for Windows Defender Firewall:
Supported OS list
Windows Server 2008R2
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
You must run "Set-ExecutionPolicy Unrestricted" before running this script.
After running this script you can run "Set-ExecutionPolicy Restricted" again.
This script works only on systems with the Unitrends Agent software installed. If the Unitrends agent is not installed, the script exits immediately.
DenyRuleName = "Deny Unknown Unitrends Agent Inbound Traffic"
Blocks inbound TCP traffic to the port range 1743 to 1749 from all IP addresses.
Only the appliances that protect the Windows asset will be able to connect to the Unitrends service ports.
Windows Server 2016-2019 and Windows 10
Creates allow rules for inbound traffic to the Unitrends agent from the appliance IPs listed in appliances.ini.
The appliances.ini file contains the appliance IP only after an inventory sync.
setup_unitrends_firewall_rules.ps1 -Action Protect
Windows Server 2008-2012 and Windows 8.1 or older
Creates an allow rule for inbound traffic to the Unitrends agent; the IP of the appliance must be specified. In this example the IP of the appliance is 192.168.1.121.
setup_unitrends_firewall_rules.ps1 -Action Allow -Ip 192.168.1.121
Block all traffic to Unitrends ports: creates a deny rule for inbound TCP traffic to ports 1743-1745 (this will block all backups from running).
setup_unitrends_firewall_rules.ps1 -Action Block
Remove the block
setup_unitrends_firewall_rules.ps1 -Action Unblock
Remove any changes
setup_unitrends_firewall_rules.ps1 -Action Unprotect
Case 1: If ports 1743:1844 are closed, use the following commands to open the port range 1743:1844 for the
sudo iptables -A INPUT -p tcp -s <ApplianceIP> --dport 1743:1844 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 1743:1844 -m state --state ESTABLISHED -j ACCEPT
Case 2: If ports 1743:1844 are already open, use the following command to deny access from any IP other than <ApplianceIP>; change <ApplianceIP> to the IP of the appliance protecting these assets:
sudo iptables -A INPUT -p tcp ! -s <ApplianceIP> --dport 1743:1844 -m state --state NEW,ESTABLISHED -j DROP
Save iptables rules on Ubuntu
Make sure the iptables-persistent package is installed, and run the following commands:
sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload
Save iptables rules on CentOS / RedHat
service iptables save
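The following POSIX shell helper is an added example and not a Unitrends script: it generates, and on request applies, the iptables rules from Case 1 and Case 2 above for one or more appliance IPs, validates each address before building a rule, appends the catch-all DROP after the per-appliance ACCEPT rules so chain order is correct, and persists the result with the commands the article gives for Ubuntu and CentOS / RedHat. It generalizes Case 2 to several appliances (one ACCEPT per appliance followed by a single DROP) instead of a single `! -s` rule. The script filename and the appliance IPs in the usage comments are constructed placeholders.

```shell
#!/bin/sh
# Added example, not the Unitrends script: restrict the agent port range to the
# appliance IP(s). Port range 1743:1844 is the one used in the article.
PORT_RANGE=1743:1844

# Accept only a dotted-quad IPv4 address with every octet in 0-255.
valid_ipv4() {
    ip=$1
    case "$ip" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS
    IFS=.
    set -- $ip            # split into octets (functions have their own $@)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print, without running, the iptables commands for the given appliance IPs.
# Per-appliance ACCEPT rules come first and the catch-all DROP last, because
# iptables evaluates a chain top to bottom and stops at the first match.
build_rules() {
    [ $# -ge 1 ] || { echo "usage: build_rules IP [IP...]" >&2; return 1; }
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "invalid appliance IP: $ip" >&2; return 1; }
    done
    for ip in "$@"; do
        echo "iptables -A INPUT -p tcp -s $ip --dport $PORT_RANGE -m state --state NEW,ESTABLISHED -j ACCEPT"
    done
    echo "iptables -A OUTPUT -p tcp --sport $PORT_RANGE -m state --state ESTABLISHED -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $PORT_RANGE -j DROP"
}

# Run the generated commands with sudo, stopping at the first failure.
apply_rules() {
    rules=$(build_rules "$@") || return 1
    while IFS= read -r cmd; do
        sudo $cmd || return 1   # word splitting of $cmd is intended here
    done <<EOF
$rules
EOF
}

# List the live INPUT rules that touch the agent port range so the result can
# be checked: -A appends, so an earlier, broader ACCEPT would still admit traffic.
show_rules() {
    sudo iptables -S INPUT | grep -- "--dport $PORT_RANGE" || true
}

# Persist the rules with the commands the article gives for each distribution.
persist_rules() {
    if [ -x /etc/init.d/iptables-persistent ]; then
        sudo /etc/init.d/iptables-persistent save
    elif [ -r /etc/redhat-release ]; then
        sudo service iptables save
    else
        echo "no known persistence helper found; rules will not survive a reboot" >&2
        return 1
    fi
}

# Usage (filename and IPs are placeholders):
#   sh whitelist_agent_ports.sh dry-run 192.168.1.121
#   sh whitelist_agent_ports.sh apply 192.168.1.121 192.168.1.122
#   sh whitelist_agent_ports.sh show
#   sh whitelist_agent_ports.sh persist
case "${1:-}" in
    dry-run) shift; build_rules "$@" ;;
    apply)   shift; apply_rules "$@" ;;
    show)    show_rules ;;
    persist) persist_rules ;;
esac
```

Run `dry-run` first and review the printed commands, then `apply`, then `show` to confirm that no rule earlier in the INPUT chain already accepts the range; because every rule is appended, such a rule would match before the new DROP and the restriction would not take effect.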