Which Firewall Ports are Used by the Unitrends Appliance? - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="summary"><strong>SUMMARY</strong></h2> <p>Details about which ports are used for Client to Appliance communications, Source to Target replication, and internal management of the Unitrends Appliance/UEB.</p> <h2 data-id="issue"><strong>ISSUE</strong></h2> <ul><li> <p>What firewall ports are used by Unitrends Support to support your Recovery Series Appliance or UEB, Client to Appliance communications, Source to Target replication, and internal management of your Appliance/UEB?</p> </li> <li> <p>What servers does Unitrends Support use for supporting and communicating with a Unitrends Recovery Series Appliance?</p> </li> </ul><h2 data-id="resolution"><strong>RESOLUTION</strong></h2> <p> </p> <h3 data-id="validate-open-ports">Validate Open Ports</h3> <p>To test which ports are open on the target, run the following command:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">nmap -P0 [targetIPaddress]</pre> <p>Additionally, a downloadable tool is available that runs on a Windows machine to validate target connectivity on the specific OpenVPN ports provided. On your Unitrends community site, under the training link, select the "catalogs" link and locate the Quick Demo's and Top Resources catalog. Review the Unitrends install Onboarding training package for more information about connecting to Unitrends Cloud and prerequisite requirements. 
<br> </p> <h3 data-id="internet-between-your-recovery-series-appliance-ub-and-unitrends">Internet - Between your Recovery Series Appliance\UB and Unitrends</h3> <p>For details on which Internet-facing (public) ports Unitrends requires for product functionality such as support tunnel, upgrade downloads, and SNMP notifications, please see:</p> <p><strong><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fkaseya.vanillacommunities.com%2Fkb%2Farticles%2Faliases%2Funitrends%2Fhc%2Fen-us%2Farticles%2F360013264518%3Fq%3DSELECT%2BArticleNumber%252CId%252CSummary%252CResolution__c%252CAttachment__Body__s%252CCause__c%252CNotes__c%252CAttachment__ContentType__s%252CAttachment__Length__s%252CAttachment__Name__s%252CTitle%252CKnowledgeArticleId%252CDescription__c%2Bfrom%2BArticle__kav%2Bwhere%2BPublishStatus%253D%2527Online%2527" rel="noopener nofollow">What ports does Unitrends need open in my firewall?</a></strong><br> </p> <h3 data-id="intranet-between-your-clients-and-the-recovery-series-appliance-ub">Intranet - Between Your Clients and the Recovery Series Appliance\UB</h3> <p>The following ports are used to communicate between the Unitrends Appliance or UEB and Client Agents as well as to other Unitrends appliances. The ports may need to be opened depending on your company's security policies. Also consider local and group policy settings, which may affect connectivity and communications between a Client and the Appliance or UEB. Port connectivity to cloud providers, including Amazon AWS/EC2, Azure, Rackspace, or others, is not included in this list. See 3rd party documentation for their requirements, as they may vary by cloud provider. <br> </p> <pre class="code codeBlock" spellcheck="false" tabindex="0">Port Protocol - Reason
NA ICMP - required for many services including support tunnels, hot copy replication, OpenVPN, daily client inventory sync, and numerous cloud functions.
1<strong>*</strong> TCP - Only needed during setup of legacy vaulting (v6.4 and older)
21 (and 20) TCP - FTP for updates from repo.unitrends.com (both ports required!). It does use PASV FTP, which opens an <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fen.wikipedia.org%2Fwiki%2FEphemeral_port" rel="noopener nofollow">ephemeral port</a> and informs the FTP client to connect to that port before requesting data transfer
22 TCP - used for SSH access to the Unitrends appliance. Also used by legacy vaulting
80 TCP - Redirect to https port (also used for some updates via http protocol)
111♦ TCP - Port mapping protocol used by the NFS service.
137 TCP - NetBIOS name service uses this port to start sessions.
139 UDP - legacy client SMB access (Win 2000 and older)
161 TCP - SNMP
443♦ TCP - SSL Unitrends UI / Unitrends Image Level Agent. VMware backups. Used for updates to Docker engines (required after release 10.3)
445 TCP - SMB/CIFS - required for HVIR, Agent Push, NAS (CIFS), Oracle and SharePoint backups.
873 TCP - RSYNC
888 TCP - 3WARE Web Admin Interface (RAID Controller)
902♦ TCP and UDP - VMware <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2Fdocs.vmware.com%2Fen%2FVMware-vSphere%2F6.5%2Fcom.vmware.vsphere.security.doc%2FGUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html" rel="noopener nofollow">vSphere ESXi</a> hosts and vCenter Server agent. Custom vSphere ports are not supported.
1194<strong>*</strong> UDP - OpenVPN (Default Hot Copy Replication only) NOTE: This will be different if you are replicating to the Unitrends Cloud**
1743 TCP - Unitrends control port (between Client and Unitrends Appliance)
1744<strong>**</strong> TCP - Unitrends Data Port using dynamically assigned high number port.
1745-1749<strong>**</strong> TCP - Unitrends Data Ports using the port assigned in the C:\PCBP\MASTER.ini on Windows based computers
1745-1844<strong>**</strong> TCP - Unitrends Data Ports using the port assigned in the /usr/bp/bpinit/master.ini file on *NIX based computers
2049♦ TCP - For protecting a NAS or Cold Backup Copy using NFS. Oracle backups from some clients. Recovery to VMware.
3260 TCP - iSCSI
4970 TCP - PostgreSQL
5432 TCP - PostgreSQL
5721 TCP - Kaseya VSA Agent
5900-5910 TCP - VNC
9443 TCP - vSphere web API connectivity for VMware backup
10000 TCP - NDMP
22024 TCP - VMware port for data recovery
55404 TCP - ELK Stack Telemetry
59200 TCP - ELK Stack Telemetry
49152-65535 TCP - Dynamic port range may be used by agent backups if default Data ports are not available
</pre> <div> <p> </p> <h3 data-id="n-a"> </h3> </div> <h2 data-id="cause"><strong>CAUSE</strong></h2> <p> </p> <h3 data-id="hot-backup-copy-replication"> * Hot Backup Copy Replication</h3> <p><br>Unitrends recommends having the manager/replication Target be the OpenVPN Server and the manager/replication Source be the OpenVPN Client before remote management is configured. OpenVPN has been a requirement of all hot copy replication since Unitrends release 9.0.0-6 (it was previously optional but no longer is). OpenVPN provides packet transmission retry and enforced packet ordering, which HTTPS alone does not supply. Although it has a small overhead of less than 0.5%, it improves replication reliability and throughput greatly in excess of this overhead. 
OpenVPN requires ICMP to establish connectivity.</p> <h3 data-id="client-to-appliance-ports"> <br><strong>**</strong> <strong>Client to Appliance Ports</strong> </h3> <p>Ports 1743 - 1749 (or 1743 - 1844 on *NIX) are very important for the communication between your Clients (what you protect) and our Appliance.</p> <p> </p> <p><strong>Command and Control Channel</strong><br><strong>TCP Port 1743</strong> is used for Command and Control messages between the Unitrends appliance and the BP Agent on the computer you want to protect. This is adjusted on the Unitrends appliance and is never changed.</p> <p> </p> <p><strong>Data Transport Channel</strong></p> <p>The data itself is transferred over a different port. In some cases, you may need to alter the port used (e.g., Microsoft ISA and Forefront Firewall use 1745). The default, 1744, allows a random available port number to be used (unless the Unitrends firewall setting in the UI is set to "low" or higher); otherwise, a port must be chosen between</p> <ul><li>1745 and 1749 on Windows based computers.</li> <li>1745 and 1844 on *NIX based computers.</li> </ul><p>This change can be made on the Client station by editing the file (<strong>C:\PCBP\MASTER.ini</strong> on Windows, <strong>/usr/bp/bpinit/master.ini</strong> on *NIX) and changing the value of <strong>data=</strong>.</p> <p> </p> <p>♦ <strong>VMware Protection</strong><br>Unitrends uses VMware's VDDK to communicate via the vStorage API for Data Protection (VADP) when backing up VMware. If SAN-direct is not being used, the data will be sent via Network Block Device (NBDSSL) using the Network File Copy (NFC) protocol. VADP backup traffic does not pass through vCenter Server. vCenter is used only for VM discovery, snapshot requests, and VM creation during recovery. The rest is done between the ESXi host and Unitrends (which is why you should add the ESXi hosts as a Protected Asset). In the absence of vCenter, all requests are processed by the ESXi host. 
There are two ports used during the backup or restore:</p> <p> 443 - between backup host and vCenter<br> 902 - between backup host and ESXi host<br> 111 - NFS mounts for Unitrends during recovery<br>2049 - NFS mounts for Unitrends during recovery</p> <p>(New releases of VMware may require additional ports.)</p> <p> </p> <p>♦ <strong>Windows Image Backup</strong></p> <p>Windows image-based backup uses port 443 over HTTPS.<br> </p> <h2 data-id="notes"><strong>NOTES</strong></h2> <p> </p> <div>Unitrends does not recommend allowing the Unitrends Appliance or UEB direct access to the Internet. Do not assign it a public IP address or NAT ports from unfiltered IPs to any ports on your appliance. All UB communication to the internet is outgoing only.</div> </article> </main>
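<p>The Data Transport Channel rules above, as an added example (not Unitrends code and not part of the original article): this Python script reads the <strong>data=</strong> value from a client's master.ini and lists the TCP port ranges a firewall between that client and the appliance must allow. The plain data=&lt;number&gt; line layout, the firewall_low_or_higher flag, the host names, and the mapping of the default 1744 onto the 49152-65535 dynamic range are assumptions.</p>

```python
import re

CONTROL_PORT = 1743      # command and control channel, per the article
DYNAMIC_DATA = 1744      # default value: a random available port is used
FIXED_RANGE = {"windows": (1745, 1749), "nix": (1745, 1844)}
# Assumption: the random port falls in the dynamic range from the port table.
DYNAMIC_RANGE = (49152, 65535)
# Assumption: the setting is a plain "data=<number>" line; the article names
# the key but not the file layout, so everything else in the file is ignored.
DATA_LINE = re.compile(r"^[ \t]*data[ \t]*=[ \t]*(\d+)[ \t\r]*$", re.I | re.M)


def data_port_plan(ini_text, platform, firewall_low_or_higher=False):
    """Classify the data= setting and list the TCP port ranges to allow."""
    control = (CONTROL_PORT, CONTROL_PORT)
    match = DATA_LINE.search(ini_text)
    if match is None:
        return {"mode": "missing", "allow": [control],
                "finding": "no numeric data= line found"}
    port = int(match.group(1))
    low, high = FIXED_RANGE[platform]
    # 1744 is only usable while the appliance firewall is below "low".
    if port == DYNAMIC_DATA and not firewall_low_or_higher:
        return {"mode": "dynamic", "allow": [control, DYNAMIC_RANGE],
                "finding": "wide range required; a fixed data= port narrows it"}
    if low <= port <= high:
        return {"mode": "fixed", "allow": [control, (port, port)],
                "finding": None}
    return {"mode": "invalid", "allow": [control],
            "finding": f"data={port} must be {low}-{high} on {platform}"}


# Constructed sample file contents (not taken from real clients).
SAMPLES = {
    ("fileserver01", "windows"): "data=1745\r\n",
    ("db-linux01", "nix"): "data = 1800\n",
    ("legacy-win", "windows"): "data=1800\r\n",   # in range on *NIX only
    ("default-agent", "nix"): "data=1744\n",
}


def audit(samples, firewall_low_or_higher=False):
    """Run data_port_plan over {(host, platform): ini_text}."""
    return {host: data_port_plan(text, plat, firewall_low_or_higher)
            for (host, plat), text in samples.items()}


if __name__ == "__main__":
    for host, plan in audit(SAMPLES).items():
        print(host, plan["mode"], plan["allow"], plan["finding"] or "")
```

<p>Clients reported as "dynamic" are the ones that force the wide 49152-65535 rule; pinning their data= value to a fixed port in the platform range reduces the rule set to 1743 plus that single port.</p>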