To provide additional security for assets with backup agents installed, this knowledge article serves as a reference to set up whitelisting of appliances connecting to assets while restricting all other IPs from connecting to ports where Unitrends agent services are running. The details below are separated into two sections:
Windows-based assets
Local firewall rules need to be created on Windows assets to whitelist the local IP address of your physical or virtual Recovery Series appliance on ports 1743 - 1749 over TCP. A script is provided below for configuring Windows Defender Firewall. Installation of a Unitrends client agent will automatically add these rules to the Windows native firewall, but in some cases this script may also be used (for example, if the firewall was disabled during agent installation).
For reference:
TCP Port 1743: Command and Control communications between your Appliance and BP Agent Service. This port must be open in both directions: appliance to asset and asset to appliance.
TCP Ports 1745-1749: Data is transferred through these ports. Direction is always from asset to appliance.
TCP Port 888: Used to establish certificate sharing for Secure Agent Pairing. Only open during pairing. Cannot be passed through firewalls/gateways. Bidirectional.
Backup through a firewall or gateway is not supported. Appliance and agent must exist in the same VLAN for protection.
Script for Windows Defender Firewall:
Supported OS list
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008 R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Pre-Requirements:
You must run "Set-ExecutionPolicy Unrestricted" before running this script.
After running this script you can run "Set-ExecutionPolicy Restricted".
This script works only on systems with installed Unitrends Agent software. If the Unitrends agent is not installed the script will immediately exit.
Firewall Rules
DenyRuleName = "Deny Unknown Unitrends Agent Inbound Traffic"
Blocks inbound TCP traffic to the port range 1743 to 1749 for all IP addresses.
Only appliances that are protecting the Windows asset will be able to connect to the Unitrends service ports.
Suggested Usage
Windows Server 2016-2019 and Windows 10
Create rules that allow inbound traffic to Unitrends applications from the IPs listed in appliances.ini.
The appliances.ini file will contain the appliance IP only after an inventory sync.
setup_unitrends_firewall_rules.ps1 -Action Protect
Windows Server 2008-2012 and Windows 8.1 or older
Create rules that allow inbound traffic to Unitrends applications. The IP of the appliance must be defined; in this example the IP of the appliance is 192.168.1.121.
setup_unitrends_firewall_rules.ps1 -Action Allow -Ip 192.168.1.121
Additional Usage:
Block all traffic to Unitrends ports - creates a deny rule for inbound TCP traffic to ports 1743-1745 (this will block all backups from running)
setup_unitrends_firewall_rules.ps1 -Action Block
Remove the block
setup_unitrends_firewall_rules.ps1 -Action Unblock
Remove any changes
setup_unitrends_firewall_rules.ps1 -Action Unprotect
Linux-based assets
TCP Port 1743: Command and Control communications between your Appliance and BP Agent Service. This port must be open in both directions: appliance to asset and asset to appliance.
TCP Ports 1745-1844: Data is transferred through these ports. Direction is always from asset to appliance.
Case 1: If ports 1743:1844 are closed, use the following commands to open the port range 1743:1844 for the <ApplianceIP>:
sudo iptables -A INPUT -p tcp -s <ApplianceIP> --dport 1743:1844 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 1743:1844 -m state --state ESTABLISHED -j ACCEPT
Case 2: If ports 1743:1844 are already open, use the following command to deny access from any IP other than <ApplianceIP>. Change <ApplianceIP> to the IP of the appliance protecting these assets:
sudo iptables -A INPUT -p tcp ! -s <ApplianceIP> --dport 1743:1844 -m state --state NEW,ESTABLISHED -j DROP
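A check for Case 2, added here as an example that is not part of the original article or the Unitrends script: iptables applies the first matching rule and -A appends to the end of the chain, so a DROP added after an existing ACCEPT for these ports is never reached. The function name and the sample rule sets (built with the article's example appliance IP) are constructed for illustration.

```shell
#!/bin/sh
# Added example, not Unitrends code. Reads `iptables -S INPUT` output on stdin and prints
# the verdict for a NEW TCP connection to one agent port from a host that is not the
# appliance. Live use: sudo iptables -S INPUT | agent_port_verdict <ApplianceIP> 1743
# Assumptions: user-defined chains, multiport matches and CIDR ranges are not evaluated.
agent_port_verdict() {
  awk -v app="$1" -v port="$2" '
    $1 == "-P" && $2 == "INPUT" { policy = $3; next }
    $1 != "-A" || $2 != "INPUT" { next }
    {
      src = ""; neg = 0; proto = "all"; iface = ""; lo = 0; hi = 65535; state = "NEW"; tgt = ""
      for (i = 3; i < NF; i++) {
        if ($i == "-s") { src = $(i + 1); neg = ($(i - 1) == "!"); sub(/\/32$/, "", src) }
        if ($i == "-p") proto = $(i + 1)
        if ($i == "-i") iface = $(i + 1)
        if ($i == "--dport") { n = split($(i + 1), r, ":"); lo = r[1]; hi = r[n] }
        if ($i == "--state" || $i == "--ctstate") state = $(i + 1)
        if ($i == "-j") tgt = $(i + 1)
      }
      if (proto != "tcp" && proto != "all") next        # other protocol
      if (iface == "lo") next                           # loopback only
      if (port + 0 < lo + 0 || port + 0 > hi + 0) next  # port not covered
      if (("," state ",") !~ /,NEW,/) next              # rule excludes NEW state
      if (src == app && !neg) next                      # applies to the appliance only
      if (src != "" && src != app) {                    # other source: check by hand
        if (tgt == "ACCEPT") { print "REVIEW " $0; hit = 1; exit }
        next
      }
      if (tgt == "ACCEPT") { print "ACCEPT " $0; hit = 1; exit }
      if (tgt == "DROP" || tgt == "REJECT") { print "DROP " $0; hit = 1; exit }
    }
    END { if (!hit) print ((policy == "" ? "UNKNOWN" : policy) " policy") }
  '
}
# Constructed sample: the Case 2 DROP appended after an existing ACCEPT for the same ports.
sample_shadowed() { cat <<'EOF'
-P INPUT DROP
-A INPUT -p tcp -m tcp --dport 1743:1844 -j ACCEPT
-A INPUT ! -s 192.168.1.121/32 -p tcp -m tcp --dport 1743:1844 -m state --state NEW,ESTABLISHED -j DROP
EOF
}
# Constructed sample: ports open through the ACCEPT policy, then the Case 2 DROP.
sample_restricted() { cat <<'EOF'
-P INPUT ACCEPT
-A INPUT ! -s 192.168.1.121/32 -p tcp -m tcp --dport 1743:1844 -m state --state NEW,ESTABLISHED -j DROP
EOF
}
sample_shadowed | agent_port_verdict 192.168.1.121 1743    # ACCEPT: the DROP is never reached
sample_restricted | agent_port_verdict 192.168.1.121 1743  # DROP
```

An ACCEPT or REVIEW verdict means a rule ahead of the DROP still admits other hosts; that rule has to be removed or narrowed to the appliance IP for the restriction to take effect.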
Save iptables on Ubuntu
Make sure the iptables-persistent package is installed, and run the following commands:
sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload
Save iptables on CentOS / RedHat
service iptables save