SUMMARY
Detail about which ports are used for communication between a Unitrends appliance, protected servers, virtual hosts and other protected assets.
For information regarding firewall configurations to allow a Unitrends appliance to communicate to the WAN, see What Firewall Ports should be allowed from the Unitrends appliance through my firewall?
RESOLUTION
Intranet - Between Your Clients and the Recovery Series Appliance\UB
The following ports are used to communicate between the Unitrends Appliance or UEB and Client Agents as well as to other Unitrends appliances. The ports may need to be opened depending on your company's security policies in client software firewalls. Also consider local and group policy settings which may affect connectivity and communications between a Client and the Appliance or UEB. Port connectivity to cloud providers including Amazon AWS/EC2, Azure, Rackspace, or others are not included in this list. See 3rd party documentation for their requirements as they may vary by cloud provider.
Port Protocol - Reason NA ICMP - required for many services including support tunnels, hot copy replication, openvpn, daily client inventory sync, and numerous cloud functions. 1* TCP - Only needed during setup of legacy vaulting (v6.4 and older) 21 (and 20) TCP - FTP for updates from repo.unitrends.com (both ports required!). It does us PASV FTP which opens an ephemeral port and informs the FTP client to connect to that port before requesting data transfer 22 TCP - used for SSH access to the Unitrends appliance. Also used by legacy vaulting 80 TCP - Redirect to https port (also used for some updates via http protocol) 111♦ TCP – Port mapping protocol used by the NFS service. 137 TCP – NetBIOS name service used this port to start sessions. 139 UDP - legacy client SMB access (Win 2000 and older) 161 TCP – SNMP 443♦ TCP – SSL Unitrends UI / Unitrends Image Level Agent. VMware backups. Used for updates to Docker engines (required after release 10.3) 445 TCP - SMB/CIFS - required for Hyper-V IR, Agent Push, NAS (CIFS), Oracle and Sharepoint backups. 873 TCP – RSYNC 888 TCP – Agent Pairing 902♦ TCP and UDP - VMWare vSphere ESXi hosts and vCenter Server agent. Custom vSphere ports are not supported. 1194* UDP - OpenVPN (Default Hot Copy Replication only) NOTE: This will be different is you are Replicating to the Unitrends Cloud** 1743 TCP - Unitrends control port (between Client and Unitrends Appliance) 1744** TCP - Unitrends Data Port using dynamically assigned high number port. 1745-1749** TCP - Unitrends Data Ports using the port assigned in the C:\PCBP\MASTER.ini on Windows based computers
1745-1844** TCP - Unitrends Data Ports using the port assigned in the /usr/bp/bpinit/master.ini file on *NIX based computers
2049♦ TCP - For protecting a NAS or Cold Backup Copy using NFS. Oracle backups from some clients. Recovery to VMware. 3260 TCP – iSCSI 4970 TCP – PostgreSQL 5432 TCP – PostgreSQL 5721 TCP – Kaseya VSA Agent 5900-5910 TCP - VNC 9443 TCP - vSphere web API connectivity for VMWare backup 10000 TCP - NDMP 22024 TCP - VMware Data Recovery Management 55404 TCP - ELK Stack Telemetry 59200 TCP - ELK Stack Telemetry 49152-65535 TCP - Dynamic port range may be used by agent backups if default Data ports are not available
Unitrends Client Agent to Appliance Ports
These are the minimum ports required for command, control, and data transfer between your Clients (Protected Asset) and your Unitrends Appliance.
Note: backups through hardware firewalls separating networks are not supported, the below information is for reference for client software firewalls only.
Command and Control Channel
The TCP Port 1743 is used for Command and Control messages between the Unitrends appliance and the BP Agent on the computer you want to protect. This is adjusted on the Unitrends appliance and is never changed. This port is opened in either direction.
Data Transport Channel
The data itself is transferred over a different TCP Port. In some cases, you may need to alter the TCP Port used (IE. Microsoft ISA and Forefront Firewall uses 1745). The default TCP Port 1744 allows for a random available high port number if the expected port is in use (unless the Unitrends Port Security is set to the value of Medium or High).
-
- 1745 - 1749 on Windows based computers. (1744 uses ephemeral ports if 1745-1749 are in use)
- 1745 - 1844 on Linux/UNIX based computers. (1744 uses ephemeral ports if 1745-1844 are in use)
- 443 used for Image-level backups on Windows systems
This change can be made on the Client station by editing the file (windows C:\PCBP\MASTER.ini and for *NIX /usr/bp/bpinit/master.ini) and changing the value of data=.
For Firewalls and Gateways: Windows and Linux Agents dependent on Secure Agent Pairing cannot be protected through a firewall or gateway directly and must exist in the same network segment as the Unitrends appliance. The above port information may be required for endpoint software firewalls, but does not apply to firewalls that separate whole networks. To protect systems on the other side of a firewall or gateway device, either add an additional network adapter to a Unitrends appliance in that other network segment and prevent routing through your firewall, back them up via a host as virtual machines, or deploy an additional appliance in the secure network.
For additional details regarding firewalls:
How to configure your Windows and Linux firewalls for the Unitrends Backup Agent
Backup fails through Router, DMZ, or Firewall
Effect of Windows Firewall on Windows Agent and Windows Instant Recovery (WIR)
♦ VMware Protection
Unitrends uses VMware's VDDK to communicate via the vStorage API for Data Protection (VADP) when backing up VMware. If SAN-direct is not being used, the data will be send via Network Block Device (NBDSSL) using the Network File Copy (NFC) protocol. The VADP backup traffic is not done through vCenter server. vCenter is used only during: VM discovery, Snapshots requests or VM creations during recovery. The rest is done between the ESXi and Unitrends (which is why you should add the ESXi hosts as a Protected Asset). In absence of vCenter, all request are processed by the ESXi host. There are two ports used during the backup or restore:
443 - between backup host and vCenter
902 - between backup host and ESXi host
111 - NFS mounts for Unitrends during recovery
2049 - NFS mounts for Unitrends during recovery
(New release of VMware may require additional ports.)
♦ Windows Image Backup
Windows Image based backup utilizes port 443 over HTTPS in addition to above ports for windows clients. For more information on Image-level backups, please review the Unitrends Administrators Guide, Chapter 8.
♦ XenServer
You will need to allow TCP Ports 22,80,443 and the minimum, to and from the Xenserver Poolmaster, Hosts, and Unitrends. Ports 3389, 5900, and 7279 are also required for future backup and management APIs.
Port Description
22 – SSH
80 – HTTP
443 – SSL
3389 – RDP
5900 – VNC console for Linux VM’s
27000 – license manager
7279 – Check-in/check-out of Citrix licenses