Ask the Community
Groups
What Firewall Ports should be allowed from the Unitrends appliance through my firewall? - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="summary"><strong>SUMMARY</strong></h2> <p>A common question for deployment, what ports are required to be opened for access the Unitrends appliance will generally require</p> <h2 data-id="issue"><strong>ISSUE</strong></h2> <ul><li>What Ports does the Unitrends appliance require opened in our firewall?</li> <li>My appliance is unable to receive updates.</li> <li>Support informed me the tunnel I opened is not accessible.</li> </ul><p><strong>NOTE: THESE REQUIREMENTS HAVE CHANGED WITH RELEASE 10.4.0!</strong></p> <h2 data-id="n-a"> </h2> <h2 data-id="resolution"><strong>RESOLUTION</strong></h2> <p>There are several addresses you should permit for all deployments. All of these ports are outgoing connections from the Unitrends Appliance, <strong>we do not require incoming NAT of ports or exposing the unit to a public IP, </strong>only outgoing communication from a local source Unitrends appliance is needed. <br><br><strong>NOTE: NEVER expose the appliance Web UI or SSH connections to open external ports.</strong> Doing so may void your support agreement until the appliance can be secured properly. NEVER deploy the Unitrends appliance on a public IP. All incoming ports to a Unitrends appliance MUST be firewall protected. Privately operated Hot Copy Targets should be deployed in such a way as to secure the VPN connection to only trusted source external IPs. </p> <p><br><strong>Product Updates:</strong> ALL of the following are REQUIRED to perform standard appliance updates (Helix is optional for most customers)</p> <ul><li><strong>updateftp<em>.</em>unitrends<em>.</em>com on FTP and HTTP and HTTPS (ports 20 and 21, 80 and 443 ALL required)</strong></li> </ul><p>This is used for the main software repository for updates seen in the update UI.</p> <ul><li> <strong>repo<em>.</em>unitrends<em>.</em>com on FTP and HTTP and HTTPS (ports 20 and 21, 80 and 443 ALL required)</strong> <ul><li> <strong>US based appliances may load balance between: </strong> <ul><li><strong>ubrs-repo-production-east.s3.amazonaws.com</strong></li> <li><strong>ubrs-repo-production-west.s3.us-west-1.amazonaws.com</strong></li> </ul></li> </ul></li> </ul><p>This is used to pull updates from a software repository mirror which is closest geographically.</p> <ul><li><strong>ftp<em>.</em>unitrends<em>.</em>com on FTP (20 and 21)</strong></li> </ul><p>This is used for several scripts and utilities in the appliance for proactive management, repository alignment, and used heavily by support. Several components in the appliance automatically check and update from this location. Some updates on the main site will not be available if this second system is not accessible. This address is also used for some services that check daily for critical system messages. Should Unitrends identify a critical defect in a release, we may use files at this location to cause your appliance to prompt critical messages on login. Failure to be able to reach this address may result in failure to communicate critical messages. (we also send those by email, but that is a less reliable technology as you may block, filter, or opt-out of such messages). <br><br><strong>Note:</strong> The FTP connections are PASV FTP and may require dynamic return ports to be accepted and allocated by your firewall to connect. Most firewalls can be configured to allow ephemeral ports to be dynamically allocated for FTP connections. On some firewalls which do not allow for automatic temporary ftp port assignment, it may be necessary to allow all ports between 49152 and 65535 to be allowed outgoing to our ftp sites in addition to port 20 and 21.</p> <p>If FTP access cannot be enabled, Unitrends offers downloadable media to upgrade the appliance. However, not every release is produced in downloadable form, and these releases often trail GA releases by several weeks. Hotfixes or patches may also be difficult or impossible to provide without FTP and/or remote access. It is strongly recommended tat appliances receive updates online. </p> <ul><li><strong>173.247.66.64 TCP and UDP Port 5721 outgoing</strong></li> </ul><p>This is for Helix services. Helix can be used by customers for free to perform appliance automatic updates and may be required for use by your MSP for system monitoring. Helix is also a paid subscription service allowing various client automation tasks, and any asset the helix paid agent is deployed on also requires this connectivity open from that individual machine to this address. Helix access for the physical appliance is a requirement for customers on subscription contracts with Unitrends. </p> <h3 data-id="proactive-monitoring">Proactive Monitoring</h3> <ul><li><strong>notifications<em>.</em>unitrends<em>.</em>com ports 161 and 162 UDP</strong></li> </ul><p>This is used for SNMP trap collection for all proactive monitoring functions provided by Unitrends. This is recommended for all appliances but most especially Unitrends Hardware appliances to ensure proactive hardware monitoring for disk and chassis health alerts.</p> <ul><li><strong>es<em>.</em>telemetry<em>.</em>unitrends<em>.</em>com ports 161 and 162 UDP and 9243 TCP</strong></li> </ul><p>This is used for telemetry data collection from your appliance, including limited backup history, error codes reported, and more. This data is directly used by our onboarding team, support teams, and development teams to troubleshoot and solve an array of issues with appliances in the field and can avoid in many cases the requirement for direct access to an appliances being needed. It also provides capabilities for proactive support case generation. Failure to have this port enabled may substantially delay troubleshooting efforts for system issues. This service uses dynamic IP pools that are subject to change. <br><br>NOTE: SNMP cannot be tested using Telnet as it is a UDP, one way protocol. You can use <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fsupport.microsoft.com%2Fen-us%2Fhelp%2F310099%2Fdescription-of-the-portqry-exe-command-line-utility" rel="noopener nofollow">Microsoft's portqry tool</a> if you wish to test if you can communicate with notifications.unitrends.com.<br> </p> <h3 data-id="remote-support-services">Remote Support Services</h3> <ul><li><strong>support-itivity<em>.</em>unitrends<em>.</em>com on HTTP and HTTPS (Ports 80 and 443 TCP)</strong></li> </ul><p>Our primary remote support system</p> <p>All Unitrends Technical Support Engineers are skilled at utilizing the remote access capabilities of applicable Unitrends products. Remote System Access, often referred to by the Technical Support Engineers as a “Support Tunnel”, is required to ensure successful and timely resolution to reported issues. Remote access is controlled from the appliance and is enabled and disabled at will of the appliance operator. Unitrends cannot access appliances remotely unless the service is opened manually by the ens user, and this access remains in the control of the end user and can be disabled again at will. All remote access is logged. Per the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fkaseya%2Fhc%2Fen-us%2Farticles%2F360013279618" rel="noopener nofollow">Unitrends Support Handbook</a> Remote access is a requirement for timely resolution of customer issues, and without it, the Unitrends Customer Support Engineer may also be severely limited in options for how to resolve issues. </p> <p>Of special note: Should a unit require it's license key to be reset (common for a UEB if the MAC changes or the system UUID changes - which can occur if a UEB is moved to a different virtual host, or for physical appliances if ETH0 is disabled or fails), remote access through a tunnel is <em>required</em> to reset this condition. This process will <em>not</em> be permitted through a Webex or other remote connection under any circumstances and expressly requires direct support connectivity. If a license failure occurs and this port cannot be temporarily opened, a redeployment of the unit may be required to resolve. <br> </p> <h3 data-id="reports">Reports</h3> <p>Unitrends uses an images that comes from the unitrends.com site as part of the email template for the reports. You will need to allow us to pull data from this site so that the reports are properly populated and understandable:</p> <p> <a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.unitrends.com%2Freports%2Fnotifications%2Froundedrectangletop.png" rel="noopener noreferrer nofollow">http://www.unitrends.com/reports/notifications/</a></p> <p><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.unitrends.com%2Fassets%2Fimages%2F"> http://www.unitrends.com/assets/images/</a></p> <p><a href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.unitrends.com%2Freports%2Fyou-tube.jpg" rel="noopener noreferrer nofollow"> http://www.unitrends.com/reports/</a></p> <ul><li><strong><a rel="nofollow" href="/home/leaving?allowTrusted=1&target=http%3A%2F%2Fwww.unitrends.com">www.unitrends.com</a> on Port 80 TCP</strong></li> </ul><h3 data-id="other-ports">Other ports:</h3> <p>For Unitrends Replication as well as for information about client to system requirements for backup that may also pass through a firewall, please see this article: <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Fkaseya%2Fhc%2Fen-us%2Farticles%2F360013175397%3Fq%3DSELECT%2BArticleNumber%252CId%252CSummary%252CResolution__c%252CAttachment__Body__s%252CCause__c%252CNotes__c%252CAttachment__ContentType__s%252CAttachment__Length__s%252CAttachment__Name__s%252CTitle%252CKnowledgeArticleId%252CDescription__c%2Bfrom%2BArticle__kav%2Bwhere%2BPublishStatus%253D%2527Online%2527" rel="noopener nofollow">What firewall ports are used by Unitrends Support to support your Appliance or UEB, Client to Appliance communications, Source to Target replication, and internal management of your Appliance/UEB?</a><br><br>Additionally, if using CloudHook services with Google Nearline or Amazon S3 storage or potentially other providers, please see the provider documentation for ports and addresses that are required for use. <br> </p> <h3 data-id="additional-considerations">Additional Considerations:</h3> <p><strong>Deep Packet Inspection (DPI)</strong>: We have seen services such as HTTPS Deep Packet Inspection for SSL disrupt the ability of the Support Tunnel or Updates to the appliance to complete. Your may need to temporarily disable this function or create an exclusion to allow the systems listed above to bypass the rule.</p> <p> </p> <h2 data-id="cause"><strong>CAUSE</strong></h2> <p>Corporate firewalls may be configured in such a way as to be very restrictive and prevent key functionality of the Unitrends appliance from operating correctly.<br><br>Today's security appliances include multiple points of control for maximum security. You will need to review your network and security solution's logs and support documents for ways to monitor and manage the various controls which many include anything from the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FOSI_model%23Layer_1%3A_Physical_Layer" rel="noopener nofollow">physical layer</a> to the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FOSI_model%23Layer_7%3A_Application_Layer" rel="noopener nofollow">application layer</a> of the <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FOSI_model" rel="noopener nofollow">OSI model</a>.</p> </article> </main>