How to configure your Windows and Linux firewalls for the Unitrends Backup Agent


To further harden assets that have the backup agent installed, this article describes how to whitelist the appliance(s) that connect to an asset while blocking every other IP address from the ports on which the Unitrends agent services listen. The details below are separated into two sections:


Windows-based assets

Linux-based assets

Windows-based assets

Steps to further increase security on protected assets running on a Windows OS:

Local firewall rules need to be created on Windows assets that whitelist the IP address of your physical or virtual Recovery Series appliance for TCP ports 1743 through 1749 and block every other source. A script for configuring Windows Defender Firewall is provided below. Installing the Unitrends agent adds these rules to the Windows native firewall automatically, but the script can also be used when that did not happen (for example, if the firewall was disabled during agent installation).

For reference:
TCP port 1743: command and control communications between your appliance and the BP Agent service. This port must be open in both directions, appliance to asset and asset to appliance.
TCP ports 1745-1749: data transfer. These connections are always made from the asset to the appliance.
TCP port 888: certificate exchange for Secure Agent Pairing. Bidirectional, open only during pairing, and cannot be passed through firewalls or gateways.

Backup through a firewall or gateway is not supported. The appliance and the agent must be in the same VLAN for protection.

 

Script for Windows Defender Firewall: 

Download 

Supported OS list

  • Windows 8
  • Windows 8.1
  • Windows 10
  • Windows 11
  • Windows Server 2008 R2
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Pre-requirements:

You must run "Set-ExecutionPolicy Unrestricted" before running this script, and you can run "Set-ExecutionPolicy Restricted" again afterwards. If you would rather not change the machine-wide policy, "Set-ExecutionPolicy -Scope Process Unrestricted" applies only to the current PowerShell session and reverts itself when that session closes.

This script works only on systems with the Unitrends agent software installed. If the agent is not installed, the script exits immediately.

Firewall rules

DenyRuleName = "Deny Unknown Unitrends Agent Inbound Traffic"
Blocks inbound TCP traffic to the port range 1743 through 1749 from all IP addresses.

Only the appliances that protect the Windows asset are then able to connect to the Unitrends service ports.


 

Suggested usage

Windows Server 2016-2019 and Windows 10

Create an inbound allow rule for the Unitrends applications from the appliance IPs listed in appliances.ini. Note that appliances.ini contains the appliance IP only after an inventory sync has completed, so run this only after that sync.

setup_unitrends_firewall_rules.ps1 -Action Protect

Windows Server 2008-2012 and Windows 8.1 or older

Create an inbound allow rule for the Unitrends applications; here the appliance IP must be given explicitly. In this example the appliance IP is 192.168.1.121.

setup_unitrends_firewall_rules.ps1 -Action Allow -Ip 192.168.1.121

Additional usage:

Block all traffic to the Unitrends ports. This creates a deny rule for inbound TCP traffic to ports 1743-1749 and therefore stops all backups from running:

setup_unitrends_firewall_rules.ps1 -Action Block

Remove the block:

setup_unitrends_firewall_rules.ps1 -Action Unblock

Remove all changes made by the script:

setup_unitrends_firewall_rules.ps1 -Action Unprotect

Linux-based assets

Steps to further increase security on protected assets running on a Linux OS:

All non-Windows agents use the following ports.
TCP port 1743: command and control communications between your appliance and the BP Agent service. This port must be open in both directions, appliance to asset and asset to appliance.
TCP ports 1745-1844: data transfer. These connections are always made from the asset to the appliance.
The Linux range is wider than the Windows one (ports 1743 through 1844). Firewall rules need to be created on Linux assets that restrict access to ports 1743:1844 to the appliance protecting those assets. Port 1743 still requires bidirectional communication.
Note: starting in 2023, Linux agents will also require Secure Agent Pairing, which adds port 888 for pairing operations.
The commands below may help you customize the rules if you use iptables as your firewall. For other firewall engines, see their own documentation.

Case 1: If ports 1743:1844 are closed, use the following commands to open the port range 1743:1844 for <ApplianceIP> only (replace <ApplianceIP> with the IP of the appliance protecting these assets):

sudo iptables -A INPUT -p tcp -s <ApplianceIP> --dport 1743:1844 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 1743:1844 -m state --state ESTABLISHED -j ACCEPT

The OUTPUT rule is only needed when the OUTPUT chain policy is not ACCEPT. Case 1 also assumes the ports really are closed (a DROP policy or an existing DROP rule on the INPUT chain); if the INPUT chain policy is ACCEPT, add the Case 2 DROP rule as well, otherwise every host can still reach the ports.

Case 2: If ports 1743:1844 are already open, use the following command to deny access from any IP other than <ApplianceIP>:

sudo iptables -A INPUT -p tcp ! -s <ApplianceIP> --dport 1743:1844 -m state --state NEW,ESTABLISHED -j DROP

Because -A appends to the end of the chain, this DROP only takes effect if no earlier rule already accepts traffic to these ports. If such a rule exists, insert the DROP above it instead (sudo iptables -I INPUT <n> with the same match, where <n> is that rule's position) and confirm the resulting order with sudo iptables -S INPUT.

Save the iptables rules on Ubuntu

Make sure the iptables-persistent package is installed, then run the following commands:

sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload

On current Ubuntu releases the package provides the netfilter-persistent service instead of that init script; there, run sudo netfilter-persistent save, which writes the rules to /etc/iptables/rules.v4.

Save the iptables rules on CentOS / Red Hat

service iptables save

On CentOS / RHEL 7 and later this requires the iptables-services package, since firewalld is the default firewall on those releases.
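The script below is an added example (it is not from the Unitrends article or the agent package) that wraps the iptables procedure above. It prints the commands that whitelist one appliance for the Linux range 1743:1844, inserting the rules at the top of the INPUT chain so the DROP actually takes effect, and it audits the output of iptables -S INPUT to catch the Case 2 failure mode where an appended DROP sits below an existing broad ACCEPT. The port range comes from this article and the address 192.168.1.121 is the article's Windows example value; the function names, the -m conntrack spelling and the sample listing are assumptions of this example, and the listing is constructed rather than captured from a real host. Nothing is applied to the live firewall; pipe the printed commands into sudo sh once you are satisfied with them.

```shell
#!/bin/sh
# Added example, not part of the Unitrends article or the agent package.
# Builds the iptables commands that restrict the Linux agent ports 1743:1844
# to a single appliance, and audits an "iptables -S INPUT" listing so that a
# DROP appended below an existing broad ACCEPT (which never matches) is caught.
# Assumptions: IPv4 only; the stock "iptables -S" output format; the appliance
# address is correct.  The live firewall is never touched here: pipe the
# printed commands into "sudo sh" to apply them.

PORT_RANGE="1743:1844"

# True when $1 is a dotted-quad IPv4 address with every octet in 0..255.
valid_ipv4() {
  local ip=$1 o
  case "$ip" in
    *[!0-9.]*|.*|*.|*..*) return 1 ;;   # non-digit characters or empty octets
  esac
  local IFS=.
  set -- $ip
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    [ "$o" -le 255 ] || return 1
  done
  return 0
}

# Print, in execution order, the commands that whitelist one appliance.
# The INPUT rules are inserted (-I) at positions 1 and 2 instead of appended
# (-A): an appended DROP lands below any earlier ACCEPT for these ports and is
# never reached.  "-m conntrack --ctstate" is the current spelling of the
# article's "-m state --state".  The OUTPUT rule only matters when the OUTPUT
# chain policy is not ACCEPT.
unitrends_rules() {
  local appliance=$1
  valid_ipv4 "$appliance" || { echo "unitrends_rules: invalid appliance IP '$appliance'" >&2; return 2; }
  cat <<EOF
iptables -I INPUT 1 -p tcp -s $appliance --dport $PORT_RANGE -m conntrack --ctstate NEW,ESTABLISHED -j ACCEPT
iptables -I INPUT 2 -p tcp ! -s $appliance --dport $PORT_RANGE -j DROP
iptables -A OUTPUT -p tcp --sport $PORT_RANGE -m conntrack --ctstate ESTABLISHED -j ACCEPT
EOF
}

# Audit an "iptables -S INPUT" listing passed as a string.  Returns 0 when the
# first rule that can match a non-appliance host on the agent range is a DROP
# (either "! -s <appliance> ... -j DROP", or a plain DROP preceded by the
# appliance ACCEPT), 1 when a broader ACCEPT is evaluated first or no DROP exists.
audit_input_chain() {
  local appliance=$1 listing=$2 line seen_accept=0
  while IFS= read -r line; do
    case "$line" in *"--dport $PORT_RANGE "*) ;; *) continue ;; esac
    case "$line" in
      *"! -s $appliance/32 "*"-j DROP")  return 0 ;;        # everyone but the appliance dropped
      *"! -s "*)                         return 1 ;;        # negation on another host: not this whitelist
      *"-s $appliance/32 "*"-j ACCEPT")  seen_accept=1 ;;   # appliance allowed; keep scanning
      *"-j ACCEPT")                      return 1 ;;        # broader ACCEPT wins: whitelist bypassed
      *"-j DROP"|*"-j REJECT"*)          [ "$seen_accept" -eq 1 ] && return 0; return 1 ;;
    esac
  done <<EOF
$listing
EOF
  return 1                                                  # no DROP: range open to the chain policy
}

# Constructed sample listing (not captured from a real host): the range was
# opened to everyone earlier, then the article's Case 2 DROP was appended.
SAMPLE_MISORDERED='-P INPUT ACCEPT
-A INPUT -p tcp -m tcp --dport 1743:1844 -m state --state NEW,ESTABLISHED -j ACCEPT
-A INPUT ! -s 192.168.1.121/32 -p tcp -m tcp --dport 1743:1844 -m state --state NEW,ESTABLISHED -j DROP'

unitrends_rules 192.168.1.121
if audit_input_chain 192.168.1.121 "$SAMPLE_MISORDERED"; then
  echo "audit: appliance-only whitelist is in effect"
else
  echo "audit: FAIL - a broader ACCEPT precedes the DROP, ports $PORT_RANGE are reachable from any host"
fi
```

Running the file with sh prints the three commands for the example appliance and then the audit verdict for the constructed listing (FAIL, because the broad ACCEPT is evaluated before the appended DROP). To check a real host, pass its live listing instead: audit_input_chain <ApplianceIP> "$(sudo iptables -S INPUT)" returns 0 only when traffic from other hosts to the agent range is dropped before any broader ACCEPT can match it.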

 
