About security levels in Unitrends 9 - Connect IT Community | Kaseya
<main> <article class="userContent"> <h2 data-id="summary"><strong>SUMMARY</strong></h2> <p>With the release of the UI for 9.0 CentOS 6 based appliances, the feature described below is available only from the legacy UI. These instructions assume you are using the Recovery Console. To access the Recovery Console from the Satori UI, select the gear icon near the top right of your screen and select “Open Legacy interface”, which opens in a new tab.</p> <h2 data-id="issue"><strong>ISSUE</strong></h2> <p>By default, the security level on the system is set to No Security. This allows all ports to remain open. The administrator can choose the level of security desired on a particular system. 
Security levels can be set by selecting Settings &gt; Clients, Networking, and Notifications &gt; Ports and are categorized as: </p> <ul><li>No Security</li> <li>Low Security</li> <li>Medium Security</li> <li>High Security</li> </ul> <br><strong>To access the system using medium security</strong><br>When using medium security, access the Administrator Interface by entering <a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F%3CSystem_IP_address%3E%2Frecoveryconsole%2F">https://&lt;System_IP_address&gt;/recoveryconsole/</a> as the browser address.<br> <br>Access context-sensitive help by directing the browser to<br><u><a href="/home/leaving?allowTrusted=1&target=https%3A%2F%2F%3CSystem_IP_Address%3E%2Frecoveryconsole%2Fhelp%2Fmain_menu.html">https://&lt;System_IP_Address&gt;/recoveryconsole/help/main_menu.html</a></u>.<br> <br>Answer yes to any warning messages received.<br> <br><strong>To access the system using high security</strong><br>When high security is enabled, the system can only be accessed using a KVM or directly attached monitor, keyboard, and mouse for physical systems, or from the VM console for virtual systems. You have access to the system console only. There is no way to access the Administrator Interface to view functions (such as backups, archives, and replication) or make changes to any system settings.<br> <br><strong>To disable high security</strong> <ol><li> Connect to the system console. <ul><li>For physical systems, connect using a KVM or directly attached monitor, keyboard, and mouse.</li> <li>For Unitrends Enterprise Backup for Hyper-V, launch Hyper-V Manager, select the Unitrends VM, and click Connect.</li> <li>For Unitrends Enterprise Backup for VMware, connect to the Unitrends VM using the VMware vSphere Client, VMware Player, or VMware Workstation.</li> </ul></li> <li> In the Console Interface, enter 3 in the Please enter choice field. </li> <li> On the Firewall Security Level screen, enter 1, 2, or 3 in the Please enter choice field to change security level to None, Low, or Medium. 
</li> </ol><p><strong>Open ports and security levels</strong><br>The ports open for each security level are listed in the tables below. Additionally, in the General Configuration section of the Settings interface (Settings &gt; System, Updates, and Licensing &gt; General Configuration &gt; Configuration Options), there is a field named dataport_count. This field sets the number of TCP ports allowed to be opened for data transfer. The value counts the control port together with the additional ports, and this determines the actual port numbers from which to select. When any level of security is enabled, the control port is 1745. The default number of additional ports added to 1745 is four. When configuring a firewall (using a security setting and a dataport count of five), ports 1745 through 1749 should be opened between the system and the clients the system protects.<br> <br>NOTE: About replication and vaulting. Port 1 must be open during the initial configuration of replication or legacy vaulting. During replication or vaulting setup, if you configure a secure tunnel using OpenVPN (the recommended configuration), port 1194 is used for all communication between the source and target (or vault) systems. If you do not configure a secure tunnel using OpenVPN, ports 1743, 1745, and 5432 are required for managing a system from the replication target or vault. Additionally, if you do not configure a secure tunnel using OpenVPN, port 80 is used for replication and port 22 for vaulting. The necessary ports must be open in the firewall for management of the system from the replication target or vault. For more details, see KB 3372. 
</p> <table border="1" cellpadding="0" style="border-spacing: 0px;"><thead><tr><th colspan="1" rowspan="1"><b>Security Level</b></th> <th colspan="1" rowspan="1"><b>Ports Open</b></th> <th colspan="1" rowspan="1"><b>Usage</b></th> </tr></thead><tbody><tr><td colspan="1" rowspan="26"><b>Low</b></td> <td colspan="1" rowspan="1">1</td> <td colspan="1" rowspan="1">Replication or legacy vaulting setup</td> </tr><tr><td colspan="1" rowspan="1">22</td> <td colspan="1" rowspan="1">Secure shell</td> </tr><tr><td colspan="1" rowspan="1">80</td> <td colspan="1" rowspan="1">HTTP web access</td> </tr><tr><td colspan="1" rowspan="1">139</td> <td colspan="1" rowspan="1">Samba share</td> </tr><tr><td colspan="1" rowspan="1">161</td> <td colspan="1" rowspan="1">SNMP</td> </tr><tr><td colspan="1" rowspan="1">443</td> <td colspan="1" rowspan="1">Secure HTTP web access</td> </tr><tr><td colspan="1" rowspan="1">445</td> <td colspan="1" rowspan="1">CIFS</td> </tr><tr><td colspan="1" rowspan="1">873</td> <td colspan="1" rowspan="1">Rsync</td> </tr><tr><td colspan="1" rowspan="1">888</td> <td colspan="1" rowspan="1">3ware web access</td> </tr><tr><td colspan="1" rowspan="1">1194</td> <td colspan="1" rowspan="1">OpenVPN*</td> </tr><tr><td colspan="1" rowspan="1">1743</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1744</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1745</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1746</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1747</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1748</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1749</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" 
rowspan="1">2049</td> <td colspan="1" rowspan="1">Network file system</td> </tr><tr><td colspan="1" rowspan="1">3260</td> <td colspan="1" rowspan="1">iSCSI</td> </tr><tr><td colspan="1" rowspan="1">4970</td> <td colspan="1" rowspan="1">Postgres database access</td> </tr><tr><td colspan="1" rowspan="1">5432</td> <td colspan="1" rowspan="1">Postgres database access</td> </tr><tr><td colspan="1" rowspan="1">5801</td> <td colspan="1" rowspan="1">VNC (Java) access</td> </tr><tr><td colspan="1" rowspan="1">5900</td> <td colspan="1" rowspan="1">VNC access</td> </tr><tr><td colspan="1" rowspan="1">5902</td> <td colspan="1" rowspan="1">VNC access</td> </tr><tr><td colspan="1" rowspan="1">6001</td> <td colspan="1" rowspan="1">VNC HTTP web access</td> </tr><tr><td colspan="1" rowspan="1">10000</td> <td colspan="1" rowspan="1">NDMP</td> </tr></tbody></table><table border="1" cellpadding="0" style="border-spacing: 0px;"><tbody><tr><td colspan="1" rowspan="1"><b>Security Level</b></td> <td colspan="1" rowspan="1"><b>Ports Open</b></td> <td colspan="1" rowspan="1"><b>Usage</b></td> </tr><tr><td colspan="1" rowspan="16"><b>Medium</b></td> <td colspan="1" rowspan="1">1</td> <td colspan="1" rowspan="1">Replication or legacy vaulting setup</td> </tr><tr><td colspan="1" rowspan="1">22</td> <td colspan="1" rowspan="1">Secure shell</td> </tr><tr><td colspan="1" rowspan="1">39</td> <td colspan="1" rowspan="1">Samba share</td> </tr><tr><td colspan="1" rowspan="1">443</td> <td colspan="1" rowspan="1">Secure HTTP web access</td> </tr><tr><td colspan="1" rowspan="1">445</td> <td colspan="1" rowspan="1">CIFS</td> </tr><tr><td colspan="1" rowspan="1">1194</td> <td colspan="1" rowspan="1">OpenVPN*</td> </tr><tr><td colspan="1" rowspan="1">1743</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1745</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1746</td> <td colspan="1" rowspan="1">Extended 
Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1747</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1748</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1749</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">4970</td> <td colspan="1" rowspan="1">Postgres database access</td> </tr><tr><td colspan="1" rowspan="1">5432</td> <td colspan="1" rowspan="1">Postgres database access</td> </tr><tr><td colspan="1" rowspan="1">3260</td> <td colspan="1" rowspan="1">iSCSI</td> </tr><tr><td colspan="1" rowspan="1">10000</td> <td colspan="1" rowspan="1">NDMP</td> </tr></tbody></table><table border="1" cellpadding="0" style="border-spacing: 0px;"><tbody><tr><td colspan="1" rowspan="1"><b>Security Level</b></td> <td colspan="1" rowspan="1"><b>Ports Open</b></td> <td colspan="1" rowspan="1"><b>Usage</b></td> </tr><tr><td colspan="1" rowspan="5"><b>High</b></td> <td colspan="1" rowspan="1">1743</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1745</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1746</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1747</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr><tr><td colspan="1" rowspan="1">1748</td> <td colspan="1" rowspan="1">Extended Internet daemon</td> </tr></tbody></table><br>*OpenVPN should by default be configured on port 1194. In some cases, including when working with Unitrends Cloud, a different port number may be used. Enabling a security level is not supported when replication or vaulting runs over OpenVPN on a non-standard port, as this will prevent OpenVPN connections.<br> </article> </main>
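<p>The following audit sketch is an added example, not Unitrends code. It encodes the port tables and the replication/vaulting note above, then reports which replication or vaulting modes a security level would block and which observed listening ports fall outside that level. The function names, mode labels, and the observed port lists in the test are constructed for illustration.</p>

```python
# Added example: port sets transcribed from the Low/Medium/High tables on this page.
CONTROL_PORT = 1745  # control port when any security level is enabled


def data_ports(dataport_count=5):
    """Ports covered by dataport_count: the control port plus the additional ports."""
    return set(range(CONTROL_PORT, CONTROL_PORT + dataport_count))


LEVEL_PORTS = {
    "low": {1, 22, 80, 139, 161, 443, 445, 873, 888, 1194, 1743, 1744, 2049,
            3260, 4970, 5432, 5801, 5900, 5902, 6001, 10000} | data_ports(5),
    # The Medium table prints 39 for "Samba share" (the Low table prints 139).
    "medium": {1, 22, 39, 443, 445, 1194, 1743, 3260, 4970, 5432, 10000}
              | data_ports(5),
    "high": {1743, 1745, 1746, 1747, 1748},
}

# Ports each mode needs, per the NOTE on replication and vaulting.
# The mode labels are hypothetical names chosen for this example.
MODE_PORTS = {
    "initial_setup": {1},
    "openvpn_tunnel": {1194},
    "replication_no_tunnel": {1743, 1745, 5432, 80},
    "vaulting_no_tunnel": {1743, 1745, 5432, 22},
}


def blocked_modes(level):
    """Map each mode the level would break to the ports it is missing."""
    allowed = LEVEL_PORTS[level]
    return {mode: sorted(need - allowed)
            for mode, need in MODE_PORTS.items() if need - allowed}


def audit(level, observed, dataport_count=5):
    """Compare ports observed listening on the appliance with the chosen level."""
    allowed = LEVEL_PORTS[level]
    return {
        # Listening ports the selected level should not expose.
        "unexpected": sorted(set(observed) - allowed),
        # Data ports implied by dataport_count that the level's table omits.
        "data_ports_outside_level": sorted(data_ports(dataport_count) - allowed),
    }


if __name__ == "__main__":
    for lvl in LEVEL_PORTS:
        print(lvl, blocked_modes(lvl))
```
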