Local firewall rules need to be created on Windows assets to whitelist the local IP address of your physical or virtual Recovery Series appliance on TCP ports 1743-1749. A script is provided below for configuring Windows Defender Firewall. Installing a Unitrends client agent automatically adds these rules to the native Windows firewall.
For reference:
TCP Port 1743: Command and control communications between your appliance and the BP Agent Service. This port must be open in both directions: appliance to asset and asset to appliance.
TCP Ports 1745-1749: Data is transferred through these ports. Traffic is always from asset to appliance.
TCP Port 888: Used to establish certificate sharing for Secure Agent Pairing. Only open during pairing. Cannot be passed through firewalls/gateways. Bidirectional.
Backup through a firewall or gateway is not supported. Appliance and agent must exist in the same VLAN for protection.
Script for Windows Defender Firewall:
Download
Supported OS list
- Windows 8
- Windows 8.1
- Windows 10
- Windows 11
- Windows Server 2008R2
- Windows Server 2012
- Windows Server 2012 R2
- Windows Server 2016
- Windows Server 2019
Pre-Requirements:
You must run "Set-ExecutionPolicy Unrestricted" before running this script.
After running this script, you can run "Set-ExecutionPolicy Restricted".
This script works only on systems with the Unitrends Agent software installed. If the Unitrends agent is not installed, the script will immediately exit.
Firewall Rules
DenyRuleName = "Deny Unknown Unitrends Agent Inbound Traffic"
Blocks inbound TCP traffic to the port range 1743 to 1749 for all IP addresses.
Only appliances that are protecting the Windows asset will be able to connect to the Unitrends service ports.
Suggested Usage
Windows Server 2016-2019 and Windows 10
Create rules allowing inbound traffic to Unitrends applications from the IPs in appliances.ini.
The appliances.ini file will contain this IP only after an inventory sync.
setup_unitrends_firewall_rules.ps1 -Action Protect
Windows Server 2008-2012 and Windows 8.1 or older
Create rules allowing inbound traffic to Unitrends applications. The IP of the appliance must be defined; in this example, the IP of the appliance is 192.168.1.121.
setup_unitrends_firewall_rules.ps1 -Action Allow -Ip 192.168.1.121
Additional Usage:
Block all traffic to Unitrends ports - creates a deny rule for inbound TCP traffic to ports 1743-1745 (this will block all backups from running)
setup_unitrends_firewall_rules.ps1 -Action Block
Remove the block
setup_unitrends_firewall_rules.ps1 -Action Unblock
Remove any changes
setup_unitrends_firewall_rules.ps1 -Action Unprotect
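One way to confirm the result on a protected Windows asset, as an added example that is not part of the Unitrends script: the PowerShell below lists every enabled inbound rule that reaches TCP ports 1743-1749 and marks allow rules whose remote address is anything other than the appliance. It assumes the built-in NetSecurity cmdlets (Windows 8 / Server 2012 and later); the function name Test-CoversAgentPort and the default IP (this page's example address) are illustrative.

```powershell
# Added example (not Unitrends code): audit enabled inbound rules that reach
# the agent ports and flag allow rules open to more than the appliance.
# Assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later).
param(
    [string]$ApplianceIp = '192.168.1.121'  # example appliance IP from this page
)

$agentPorts = 1743..1749

# True when a LocalPort value ("Any", "1743", "1745-1749") overlaps the agent ports.
function Test-CoversAgentPort {
    param([string[]]$LocalPort)
    foreach ($spec in $LocalPort) {
        if ($spec -eq 'Any') { return $true }
        if ($spec -match '^(\d+)(?:-(\d+))?$') {
            $low  = [int]$Matches[1]
            $high = if ($Matches[2]) { [int]$Matches[2] } else { $low }
            if ($low -le $agentPorts[-1] -and $high -ge $agentPorts[0]) { return $true }
        }
        # Other keywords (for example "RPC") are dynamic ports; not matched here.
    }
    return $false
}

$findings = foreach ($rule in Get-NetFirewallRule -Direction Inbound -Enabled True) {
    $portFilter = $rule | Get-NetFirewallPortFilter
    if ($portFilter.Protocol -notin 'TCP', '6', 'Any') { continue }
    if (-not (Test-CoversAgentPort -LocalPort $portFilter.LocalPort)) { continue }

    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    $onlyAppliance = ($remote.Count -eq 1 -and $remote[0] -eq $ApplianceIp)

    [pscustomobject]@{
        Rule          = $rule.DisplayName
        Action        = $rule.Action
        Program       = ($rule | Get-NetFirewallApplicationFilter).Program
        LocalPort     = $portFilter.LocalPort -join ','
        RemoteAddress = $remote -join ','
        # Allow rules not limited to the appliance IP deserve a manual look.
        Review        = ($rule.Action -eq 'Allow' -and -not $onlyAppliance)
    }
}

$findings | Sort-Object Review -Descending | Format-Table -AutoSize
```

Rules scoped to a specific program with LocalPort "Any" also appear; the Program column shows whether they can actually apply to the Unitrends agent.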
The range in Linux is different (100 ports from 1743 - 1844). Firewall rules need to be created on Linux assets to whitelist access to ports 1743:1844 to only the appliance protecting these assets. Port 1743 is still required to have bidirectional communication.
Note: Coming in 2023, Linux agents will also require Secure Agent Pairing and will add required port 888 to pairing operations.
The commands below may help you customize Linux firewall rules if you are using iptables as your firewall. For other firewall engines, see their documentation.