Communication between the Unitrends Appliance and Protected Assets

SUMMARY

Details on which ports are used for communication between a Unitrends appliance, protected servers, virtual hosts and other protected assets.

 

For information regarding firewall configurations to allow a Unitrends appliance to communicate to the WAN, see What Firewall Ports should be allowed from the Unitrends appliance through my firewall?

 

RESOLUTION

 

Intranet - Between Your Clients and the Recovery Series Appliance\UB

The following ports are used to communicate between the Unitrends Appliance or UEB and Client Agents as well as to other Unitrends appliances. The ports may need to be opened in client software firewalls, depending on your company's security policies. Also consider local and group policy settings, which may affect connectivity and communications between a Client and the Appliance or UEB. Port connectivity to cloud providers, including Amazon AWS/EC2, Azure, Rackspace, or others, is not included in this list. See third-party documentation for their requirements, as they may vary by cloud provider.
 

Port         Protocol - Reason
NA           ICMP - Required for many services including support tunnels, hot copy replication, OpenVPN, daily client inventory sync, and numerous cloud functions.
1*           TCP - Only needed during setup of legacy vaulting (v6.4 and older)
21 (and 20)  TCP - FTP for updates from repo.unitrends.com (both ports required!). It uses PASV FTP, which opens an
                   ephemeral port and informs the FTP client to connect to that port before requesting data transfer
22           TCP - Used for SSH access to the Unitrends appliance. Also used by legacy vaulting
80           TCP - Redirect to https port (also used for some updates via http protocol)
111          TCP - Port mapping protocol used by the NFS service.
137          TCP - NetBIOS name service uses this port to start sessions.
139          UDP - Legacy client SMB access (Win 2000 and older)
161          TCP - SNMP
443          TCP - SSL Unitrends UI / Unitrends Image Level Agent. VMware backups. Used for updates to Docker engines (required after release 10.3)
445          TCP - SMB/CIFS - required for Hyper-V IR, Agent Push, NAS (CIFS), Oracle and Sharepoint backups.
873          TCP - RSYNC
888          TCP - Agent Pairing
902          TCP and UDP - VMware vSphere ESXi hosts and vCenter Server agent. Custom vSphere ports are not supported.
1194*        UDP - OpenVPN (Default Hot Copy Replication only) NOTE: This will be different if you are Replicating to the Unitrends Cloud**
1743         TCP - Unitrends control port (between Client and Unitrends Appliance)
1744**       TCP - Unitrends Data Port using dynamically assigned high number port.
1745-1749**  TCP - Unitrends Data Ports using the port assigned in the C:\PCBP\MASTER.ini on Windows based computers
1745-1844**  TCP - Unitrends Data Ports using the port assigned in the /usr/bp/bpinit/master.ini file on *NIX based computers
2049         TCP - For protecting a NAS or Cold Backup Copy using NFS. Oracle backups from some clients. Recovery to VMware.
3260         TCP - iSCSI
4970         TCP - PostgreSQL
5432         TCP - PostgreSQL
5721         TCP - Kaseya VSA Agent
5900-5910    TCP - VNC
9443         TCP - vSphere web API connectivity for VMware backup
10000        TCP - NDMP
22024        TCP - VMware Data Recovery Management
55404        TCP - ELK Stack Telemetry
59200        TCP - ELK Stack Telemetry
49152-65535  TCP - Dynamic port range may be used by agent backups if default Data ports are not available

 

Unitrends Client Agent to Appliance Ports

These are the minimum ports required for command, control, and data transfer between your Clients (Protected Asset) and your Unitrends Appliance. 

Note: Backups through hardware firewalls separating networks are not supported. The information below is for reference for client software firewalls only.
 

Command and Control Channel
The TCP Port 1743 is used for Command and Control messages between the Unitrends appliance and the BP Agent on the computer you want to protect. This is adjusted on the Unitrends appliance and is never changed.  This port is opened in either direction.  
 

Data Transport Channel

The data itself is transferred over a different TCP port. In some cases, you may need to alter the TCP port used (i.e., Microsoft ISA and Forefront Firewall use 1745). The default TCP port 1744 allows for a random available high port number if the expected port is in use (unless the Unitrends Port Security is set to the value of Medium or High).

This change can be made on the Client station by editing the file (C:\PCBP\MASTER.ini on Windows, /usr/bp/bpinit/master.ini on *NIX) and changing the value of data=.
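The following is an added example, not Unitrends code: it reads the data= value from the text of a master.ini file, checks it against the ranges in the port table above, and derives the smallest allow list for the agent's software firewall. The function names, the sample file content, the appliance address 192.0.2.10, and the treatment of a missing data= line as the default 1744 are assumptions made for illustration.

```python
import re

CONTROL_PORT = 1743                       # command and control channel (from the article)
DEFAULT_DATA_PORT = 1744                  # default; may fall back to a random high port
DYNAMIC_RANGE = (49152, 65535)            # fallback range listed in the port table
FIXED_RANGES = {"windows": (1745, 1749),  # documented data= values per platform
                "nix": (1745, 1844)}

# Constructed sample for illustration; a real master.ini holds many more settings.
SAMPLE_INI = "; constructed sample\ndata=1745\n"


def read_data_port(ini_text):
    """Return the last numeric data= value in the text, or None if absent."""
    port = None
    for line in ini_text.splitlines():
        match = re.match(r"\s*data\s*=\s*(\d+)\s*$", line, re.IGNORECASE)
        if match:
            port = int(match.group(1))
    return port


def agent_allow_list(ini_text, platform, appliance_ip):
    """Return (rules, findings) for the agent's host firewall.

    Each rule is (peer_ip, first_port, last_port), all TCP.
    """
    port = read_data_port(ini_text)
    if port is None:
        port = DEFAULT_DATA_PORT  # assumption: no data= line means the default
    rules = [(appliance_ip, CONTROL_PORT, CONTROL_PORT)]
    findings = []
    if port == DEFAULT_DATA_PORT:
        rules += [(appliance_ip, port, port), (appliance_ip, *DYNAMIC_RANGE)]
        findings.append("data=1744 can fall back to a random high port; "
                        "set a fixed data port to shrink the allow list")
    else:
        low, high = FIXED_RANGES[platform]
        if not low <= port <= high:
            findings.append(f"data={port} is outside the documented {low}-{high}")
        rules.append((appliance_ip, port, port))
    return rules, findings


if __name__ == "__main__":
    for rule in agent_allow_list(SAMPLE_INI, "windows", "192.0.2.10")[0]:
        print("allow tcp peer=%s ports=%d-%d" % rule)
```

Scoping every rule to the appliance's address, rather than opening the ports to any source, keeps the agent's listening ports unreachable from the rest of the network segment.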


For Firewalls and Gateways:  Windows and Linux Agents dependent on Secure Agent Pairing cannot be protected through a firewall or gateway directly and must exist in the same network segment as the Unitrends appliance.   The above port information may be required for endpoint software firewalls, but does not apply to firewalls that separate whole networks. To protect systems on the other side of a firewall or gateway device, either add an additional network adapter to a Unitrends appliance in that other network segment and prevent routing through your firewall, back them up via a host as virtual machines, or deploy an additional appliance in the secure network.  

 

For additional details regarding firewalls:

How to configure your Windows and Linux firewalls for the Unitrends Backup Agent

Backup fails through Router, DMZ, or Firewall

Effect of Windows Firewall on Windows Agent and Windows Instant Recovery (WIR)


 VMware Protection
Unitrends uses VMware's VDDK to communicate via the vStorage API for Data Protection (VADP) when backing up VMware. If SAN-direct is not being used, the data will be sent via Network Block Device (NBDSSL) using the Network File Copy (NFC) protocol. The VADP backup traffic does not go through the vCenter server. vCenter is used only during VM discovery, snapshot requests, or VM creation during recovery. The rest is done between the ESXi host and Unitrends (which is why you should add the ESXi hosts as a Protected Asset). In the absence of vCenter, all requests are processed by the ESXi host. There are two ports used during the backup or restore:

 443 - between backup host and vCenter
 902 - between backup host and ESXi host
 111 - NFS mounts for Unitrends during recovery
2049 - NFS mounts for Unitrends during recovery

(New releases of VMware may require additional ports.)

 

 Windows Image Backup

Windows Image based backup utilizes port 443 over HTTPS in addition to the above ports for Windows clients. For more information on Image-level backups, please review the Unitrends Administrators Guide, Chapter 8.
 

 XenServer

You will need to allow TCP Ports 22, 80, and 443 at the minimum, to and from the XenServer Poolmaster, Hosts, and Unitrends. Ports 3389, 5900, and 7279 are also required for future backup and management APIs.

Port Description
22 - SSH
80 - HTTP
443 - SSL
3389 - RDP
5900 - VNC console for Linux VMs
27000 - license manager
7279 - Check-in/check-out of Citrix licenses

 

NOTES

Unitrends does not recommend allowing the Unitrends Appliance or UEB direct access to the Internet. Do not assign it a public IP address or NAT ports from unfiltered IPs to any ports on your appliance. All UB communication to the internet is outgoing only.
