Backup Agent Firewall Rules - Connect IT Community | Kaseya
<main> <article class="userContent"> <p>To provide additional security for assets with backup agents installed, this knowledge article describes how to whitelist the appliances that connect to those assets while blocking all other IP addresses from the ports on which the Unitrends agent services listen.</p> <div data-tid="messageBodyContent"> <div> <h2 data-id="windows-based-assets">Windows-based assets</h2> <div>Steps to further increase security on protected assets running on a Windows OS:</div> <div> <p><span data-contrast="none">Firewall rules need to be created on Windows assets to whitelist the local IP address of your physical or virtual Recovery Series appliance to ports 1743:1749 over TCP. A script is provided below for configuring Windows Defender Firewall.</span></p> <p><span data-contrast="none">If you use another firewall solution, create rules that only allow access from the local IP address of your physical or virtual Recovery Series appliance to ports 1743:1749 over TCP.</span></p> <p><span data-contrast="none">Script for Windows Defender Firewall:</span></p> <p><a href="/home/leaving?allowTrusted=1&amp;target=https%3A%2F%2Fbpagent.s3.amazonaws.com%2Flatest%2Fsetup_unitrends_firewall_rules.ps1" rel="noopener nofollow"><span data-contrast="none">Download</span></a></p> <h2 id="Supported-OS-list" data-renderer-start-pos="125" data-id="supported-os-list">Supported OS list</h2> <ul data-indent-level="1"><li> <p data-renderer-start-pos="159">Windows 8</p> </li> <li> <p data-renderer-start-pos="172">Windows 8.1</p> </li> <li> <p data-renderer-start-pos="187">Windows 10</p> </li> <li> <p data-renderer-start-pos="224">Windows Server 2008 R2</p> </li> <li> <p data-renderer-start-pos="249">Windows Server 2012</p> </li> <li> <p data-renderer-start-pos="272">Windows Server 2012 R2</p> </li> <li> <p data-renderer-start-pos="298">Windows Server 2016</p> </li> <li> <p data-renderer-start-pos="321">Windows Server 2019</p> </li> </ul> <h2 id="Pre-Requirements:" data-renderer-start-pos="344" data-id="pre-requirements">Prerequisites</h2> <p data-renderer-start-pos="363">You must run "Set-ExecutionPolicy Unrestricted" before running this script.</p> <p data-renderer-start-pos="437">After the script has run you can restore the policy with "Set-ExecutionPolicy Restricted".<br>This script works only on systems with the Unitrends Agent software installed. If the Unitrends agent is not installed, the script exits immediately.</p> <h2 id="Firewall-Rules" data-renderer-start-pos="654" data-id="firewall-rules">Firewall Rules</h2> <p data-renderer-start-pos="670">DenyRuleName = "<strong data-renderer-mark="true">Deny Unknown Unitrends Agent Inbound Traffic</strong>"<br>Blocks inbound TCP traffic to the port range 1743 to 1749 from all IP addresses.</p> <p data-renderer-start-pos="817">Only the appliances that protect the Windows asset will be able to connect to the Unitrends service ports.</p> <h1 data-renderer-start-pos="928" data-id="suggested-usage">Suggested Usage</h1> <h2 data-renderer-start-pos="928" data-id="windows-server-2016-2019-and-windows-10">Windows Server 2016-2019 and Windows 10</h2> <p data-renderer-start-pos="947">Creates rules that allow inbound traffic to the Unitrends applications from the IP addresses listed in appliances.ini.</p> <p>The appliances.ini file contains these IP addresses only after an inventory sync.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">setup_unitrends_firewall_rules.ps1 -Action Protect</pre> <h2 id="Suggested-Usage" data-renderer-start-pos="928" data-id="windows-server-2008-2012-and-windows-8-1-or-older">Windows Server 2008-2012 and Windows 8.1 or older</h2> <p data-renderer-start-pos="947">Creates rules that allow inbound traffic to the Unitrends applications from an appliance IP that you must specify explicitly. In this example the IP of the appliance is 192.168.1.121.</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">setup_unitrends_firewall_rules.ps1 -Action Allow -Ip 192.168.1.121</pre> <h2 id="Additional-Usage:" data-renderer-start-pos="1153" data-id="additional-usage">Additional Usage</h2> <p data-renderer-start-pos="1174">Block <strong>all</strong> traffic to the Unitrends ports: creates a deny rule for inbound TCP traffic to ports 1743-1745 (this will block <strong>all</strong> backups from running).</p> <pre data-renderer-start-pos="1174" class="code codeBlock" spellcheck="false" tabindex="0">setup_unitrends_firewall_rules.ps1 -Action Block</pre> <p data-renderer-start-pos="1174">Remove the block:</p> <pre data-renderer-start-pos="1174" class="code codeBlock" spellcheck="false" tabindex="0">setup_unitrends_firewall_rules.ps1 -Action Unblock</pre> <p data-renderer-start-pos="1174">Remove any changes made by the script:</p> <pre data-renderer-start-pos="1174" class="code codeBlock" spellcheck="false" tabindex="0">setup_unitrends_firewall_rules.ps1 -Action Unprotect</pre> </div> <h2 data-id="linux-based-assets">Linux-based assets</h2> <div>Steps to further increase security on protected assets running on a Linux OS:</div> <div>Firewall rules need to be created on Linux assets to restrict access to ports 1743:1749 to only the appliance protecting these assets.</div> <div> <p data-renderer-start-pos="103">Case 1: If ports <code class="code code codeInline" data-renderer-mark="true" spellcheck="false" tabindex="0">1743:1749</code> are closed, use the following commands to open the port range <code class="code code codeInline" data-renderer-mark="true" spellcheck="false" tabindex="0">1743:1749</code> for <code class="code code codeInline" data-renderer-mark="true" spellcheck="false" tabindex="0">&lt;ApplianceIP&gt;</code>, the IP of the appliance protecting these assets:</p> </div> </div> <div> <pre class="code codeBlock" spellcheck="false" tabindex="0">sudo iptables -A INPUT -p tcp -s &lt;ApplianceIP&gt; --dport 1743:1749 -m state --state NEW,ESTABLISHED -j ACCEPT
sudo iptables -A OUTPUT -p tcp --sport 1743:1749 -m state --state ESTABLISHED -j ACCEPT</pre> <div> <p data-renderer-start-pos="420">Case 2: If ports <code class="code code codeInline" data-renderer-mark="true" spellcheck="false" tabindex="0">1743:1749</code> are already open, use the following command to deny access from any IP other than <code class="code code codeInline" data-renderer-mark="true" spellcheck="false" tabindex="0">&lt;ApplianceIP&gt;</code>. Change <code class="code code codeInline" data-renderer-mark="true" spellcheck="false" tabindex="0">&lt;ApplianceIP&gt;</code> to the IP of the appliance protecting these assets:</p> <pre data-renderer-start-pos="420" class="code codeBlock" spellcheck="false" tabindex="0">sudo iptables -A INPUT -p tcp ! -s &lt;ApplianceIP&gt; --dport 1743:1749 -m state --state NEW,ESTABLISHED -j DROP</pre> </div> <h3 data-id="save-ip-tables-on-ubuntu">Save iptables on Ubuntu</h3> <p>Make sure the iptables-persistent package is installed, and run the following commands:</p> <pre class="code codeBlock" spellcheck="false" tabindex="0">sudo /etc/init.d/iptables-persistent save
sudo /etc/init.d/iptables-persistent reload</pre> <div> <div> <h3 data-id="save-ip-tables-on-centos-redhat">Save iptables on CentOS / RedHat</h3> <div> <pre class="code codeBlock" spellcheck="false" tabindex="0">service iptables save</pre> </div> </div> </div> </div> </div> </article> </main>
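The two rules the Windows section above describes (allow the protecting appliance, deny everyone else on TCP 1743-1749), as an added PowerShell example built on the NetSecurity cmdlets; this is not the downloadable setup_unitrends_firewall_rules.ps1 and does not read appliances.ini. The allow-rule name and the single `-ApplianceIp` parameter are assumptions; because Windows Defender Firewall applies explicit Block rules ahead of Allow rules, the deny rule is scoped to the address ranges around the appliance rather than to all addresses, or it would block the appliance too.

```powershell
# Added example (not the setup_unitrends_firewall_rules.ps1 script). Creates an allow rule for
# the protecting appliance and a deny rule for every other address on the Unitrends agent ports.
# Windows Defender Firewall evaluates explicit Block rules before Allow rules, so the deny rule
# covers the two address ranges around the appliance instead of "all IP addresses".
# Run from an elevated PowerShell session.
param(
    [Parameter(Mandatory)][string]$ApplianceIp,   # e.g. 192.168.1.121 from the article
    [string]$Ports = '1743-1749'                   # TCP ports used by the Unitrends agent services
)
$AllowName = 'Allow Unitrends Appliance Inbound Traffic'    # assumed name for the allow rule
$DenyName  = 'Deny Unknown Unitrends Agent Inbound Traffic' # deny rule name used by the article

function ConvertTo-UInt32 ([string]$Ip) {
    # IPv4 dotted quad -> unsigned integer (address bytes arrive in network/big-endian order)
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    [BitConverter]::ToUInt32($b, 0)
}
function ConvertFrom-UInt32 ([uint32]$N) {
    $b = [BitConverter]::GetBytes($N)
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($b) }
    [System.Net.IPAddress]::new($b).ToString()
}

# Every IPv4 address except $ApplianceIp, expressed as at most two hyphenated ranges.
$n = ConvertTo-UInt32 $ApplianceIp
$denyRanges = @()
if ($n -gt 0)                  { $denyRanges += "0.0.0.0-$(ConvertFrom-UInt32 ($n - 1))" }
if ($n -lt [uint32]::MaxValue) { $denyRanges += "$(ConvertFrom-UInt32 ($n + 1))-255.255.255.255" }

# Idempotent: remove stale copies of both rules before re-creating them.
Get-NetFirewallRule -DisplayName $AllowName, $DenyName -ErrorAction SilentlyContinue |
    Remove-NetFirewallRule

New-NetFirewallRule -DisplayName $AllowName -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $ApplianceIp -Action Allow -Profile Any | Out-Null
New-NetFirewallRule -DisplayName $DenyName -Direction Inbound -Protocol TCP -LocalPort $Ports `
    -RemoteAddress $denyRanges -Action Block -Profile Any | Out-Null

# Verify: list every enabled inbound rule whose port filter is exactly the agent port range,
# so a pre-existing "allow from any" rule on these ports becomes visible and can be removed.
Get-NetFirewallRule -Direction Inbound -Enabled True | Where-Object {
    (Get-NetFirewallPortFilter -AssociatedNetFirewallRule $_).LocalPort -eq $Ports
} | ForEach-Object {
    $remote = (Get-NetFirewallAddressFilter -AssociatedNetFirewallRule $_).RemoteAddress
    [pscustomobject]@{ Rule = $_.DisplayName; Action = $_.Action; Remote = ($remote -join ', ') }
} | Format-Table -AutoSize
```

Saved as a .ps1 file, it can be run as `powershell -ExecutionPolicy Bypass -File <file>.ps1 -ApplianceIp 192.168.1.121` from an elevated prompt, which scopes the relaxed execution policy to that one invocation instead of leaving the machine-wide policy at Unrestricted.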