Comprehensive data protection for all workloads
Post Reply
timofcourse
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 28, 2011 5:18 pm
Full Name: Tim Graffam
Contact:

Port requirements clarfication

Post by timofcourse »

Hi all
I'm hoping to get some clarification as to what ports and to/from what machines we need to setup to meet our specific configuration.

We have 2 isolated vSphere environments that currently have no network access to between them - let's call them environments "A" and "B". Within each environment we have a Veeam B&R instance/VM responsible for backing up all VMs within their respective environments. What we'd like to do is setup a Veeam VM Copy job in environment "A" to copy VMs from environment "B" to a Veeam backup repository in environment "A".

I've looked through Veeam's Used ports guide, but I'm still not clear on the minimum requirements to make this happen. For example, I'm not sure if we actually need to setup communication to the vSphere server in env "B" or if we can route everything through the Veeam server in that env.

Any advice provided would be greatly appreciated!
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Port requirements clarfication

Post by foggy »

Tim, could you please confirm you're talking about VM Copy and not Backup Copy jobs between the environments?
timofcourse
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 28, 2011 5:18 pm
Full Name: Tim Graffam
Contact:

Re: Port requirements clarfication

Post by timofcourse »

Correct. We're only looking to use a VM Copy job to copy a few VMs from "B" environment to a backup repository in the "A" environment.
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause »

All of the transport communication should be handled by the machines acting as Veeam proxies between the sites so as long as your proxy in site A can talk to your proxy in site B you should be ok.

Of course each site's proxy will also need to be able to communicate with the vCenter/hosts in their site and the B&R server that is managing the job will have to be able to access both environments to orchestrate the job but I assume you were already aware of that.
Steve Krause
Veeam Certified Architect
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Port requirements clarfication

Post by foggy »

Since VM copy jobs use the same infrastructure components as backup jobs, you'd need connection between the proxy and repository server (or gateway server, in case of CIFS target). Of course, backup server would also need access to the remote repository, otherwise the repository cannot be added. Make sure all components shared between Veeam B&R instances are at the same patch level. Connection to remote vSphere would'n be required.
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause »

For some reason I was thinking about replication and not backup copies. Ugh, recovering from a site failure is really great on the cognitive skills...
Steve Krause
Veeam Certified Architect
timofcourse
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 28, 2011 5:18 pm
Full Name: Tim Graffam
Contact:

Re: Port requirements clarfication

Post by timofcourse »

foggy wrote:Since VM copy jobs use the same infrastructure components as backup jobs, you'd need connection between the proxy and repository server (or gateway server, in case of CIFS target). Of course, backup server would also need access to the remote repository, otherwise the repository cannot be added. Make sure all components shared between Veeam B&R instances are at the same patch level. Connection to remote vSphere would'n be required.
My network team needs a list of servers and specific ports that need connectivity to one another. They don't care/need to know whether communication is inbound/outbound, however.

Also, one thing I didn't mention is the Env B backup repository is connected locally to the Env B Veeam server. So I believe the only connectivity between the two networks is Env A Veeam Server needs to communicate with Env B vSphere and Env B Veeam Server (which is acting as the proxy and the connection to backup repository, right?)?

If that assumption is correct, this is my best guess so far as to what exactly needs to be setup :

Code: Select all

Servers                          Protocol   Port/s     Need
Env A Veeam / Env B vCenter      HTTPS+TCP  443        Connections to vCenter Server
Env A Veeam / Env B Veeam        TCP        2500-5000  Transmission channels for replication jobs
Env A Veeam / Env B Veeam        TCP        6061       Veeam vPower NFS Service
Env A Veeam / Env B Veeam        TCP        6062       Veeam Data Mover Service
Anything else I'm missing here or that can be removed?

Also, regarding the "Transmission channels for replication jobs" ports - if we only have 5 VMs we ever plan to copy, can we get away with only opening ports 2500-2504 or does Veeam randomly pick ports in that range?

Thanks!
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause »

Typically the Veeam process starts at the bottom and works up from my experience but you want to make sure you give it at least some overhead.

Are you wanting to do Backup Copy jobs or replication? The processes work very differently and require different network connections

For Backup Copy jobs, you will need to make sure that the ports listed in "Microsoft Windows Server" on the used port lists are open between the B&R server managing the jobs and the repository server:

https://helpcenter.veeam.com/docs/backu ... =95#backup

You only need 2500-5000 to be open between two repository servers for Backup Copy jobs as long as the B&R server managing the job can access both servers as listed above.
Steve Krause
Veeam Certified Architect
timofcourse
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 28, 2011 5:18 pm
Full Name: Tim Graffam
Contact:

Re: Port requirements clarfication

Post by timofcourse »

skrause wrote:Typically the Veeam process starts at the bottom and works up from my experience but you want to make sure you give it at least some overhead.
Are you wanting to do Backup Copy jobs or replication? The processes work very differently and require different network connections
We're only looking to setup VM Copy jobs.
skrause wrote:For Backup Copy jobs, you will need to make sure that the ports listed in "Microsoft Windows Server" on the used port lists are open between the B&R server managing the jobs and the repository server:
https://helpcenter.veeam.com/docs/backu ... =95#backup
In regards to the Windows Server requirements listed there... Because this communication is occurring between two Veeam servers at the same version, I would assume the following requirements wouldn't be needed since all Veeam components are already on the server, right?:
  • Ports required for deploying Veeam Backup & Replication components.
  • Default port used by the Veeam Installer Service.
Also, my network team isn't going to be okay with us asking that "all ports at and above 1058 and 2049, and the entire range of 49152-65535 need to be open". I'm hoping / assuming we can be more precise in what is actually required here?
skrause wrote:You only need 2500-5000 to be open between two repository servers for Backup Copy jobs as long as the B&R server managing the job can access both servers as listed above.
Apologies for not fully understanding what you're trying to implicate here - are you saying these ports are or are not needed? Further, does that entire range really need to be open, or only the range for the number of VM's that would ever be copied in a job (e.g. 5 VMs = only need ports 2500-2504)?

Thanks again all!
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause »

In the document it describes which services are used by each port. For example, if you don't plan on using vPower NFS to do Instant VM Recovery from the backup copy location, those ports would be unecessary.

You will likely need the component install ports open regardless of if the components are installed already.

I am sure your networking guys have had to deal with RPC before, there are ways to shrink the range of ports used by RPC which they may have a practice for already.

As I said, in my experience, Veeam starts with 2500 and increments from there. But there is no guarantee that it won't have an issue on port, say 2501 and try 2505. Limiting it to EXACTLY 4 ports is probably more hassle than it is worth. Since it is only between two specific servers and not a blanket open to the world rule, I don't think your networking guys are going to scream too much about opening that range.
Steve Krause
Veeam Certified Architect
timofcourse
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 28, 2011 5:18 pm
Full Name: Tim Graffam
Contact:

Re: Port requirements clarfication

Post by timofcourse »

skrause wrote:In the document it describes which services are used by each port. For example, if you don't plan on using vPower NFS to do Instant VM Recovery from the backup copy location, those ports would be unnecessary.
So if we don't plan to do Instant VM Recovery, could we also eliminate the network requirement for [For Microsoft Windows servers running the vPower NFS Service] Standard NFS ports. If ports 2049 and 1058 are occupied, the succeeding port numbers will be used. or would that be needed regardless?

Thanks!
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause »

Correct. If you don't plan on using vPower NFS (used by instant recovery) you would not need the ports listed in that line.
Steve Krause
Veeam Certified Architect
timofcourse
Enthusiast
Posts: 36
Liked: 1 time
Joined: Nov 28, 2011 5:18 pm
Full Name: Tim Graffam
Contact:

Re: Port requirements clarfication

Post by timofcourse »

Excellent. And one more question (for now) - if we added the WAN accelerator to each environment (we don't currently have licensing for it, but considering in the future), is my assumption correct that all port requirements between these two environments would be replaced entirely with only needing the 2 ports mentioned in Communication Between WAN Accelerators here: https://helpcenter.veeam.com/docs/backu ... ver=95#wan?
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Port requirements clarfication

Post by foggy »

You would still need to allow connection from the backup server.
swiniarz
Novice
Posts: 9
Liked: 1 time
Joined: Jul 06, 2016 11:39 am
Full Name: Sebastien Winiarz
Contact:

Re: Port requirements clarfication

Post by swiniarz »

Hi all,

This post is very interesting because one of our customer want to firewall communication between Veaam Server and other component (Proxies, VMs, ...)

As said there's an option in Veeam to reduce RPC range 2500-5000 but is there also an option to reduce RPC range 49152-65535 ?

Thanks in advance.

Regards
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Port requirements clarfication

Post by foggy »

Hi Sebastien, what option to reduce RPC range 2500-5000 do you mean?
skrause
Veteran
Posts: 487
Liked: 106 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause »

swiniarz wrote:This post is very interesting because one of our customer want to firewall communication between Veaam Server and other component (Proxies, VMs, ...)

As said there's an option in Veeam to reduce RPC range 2500-5000 but is there also an option to reduce RPC range 49152-65535 ?
You can reduce the RPC range, but it is not a Veeam setting. You need to adjust the range used for RPC by Windows through registry changes. You will need to do this on all of your Windows servers to ensure that they can communicate and you want to make sure you leave the range large enough to allow the connections a server needs. Windows uses RPC as the source port for almost all outbound network connections (web, etc) so keep that in mind.

https://support.microsoft.com/en-us/hel ... -firewalls
Steve Krause
Veeam Certified Architect
swiniarz
Novice
Posts: 9
Liked: 1 time
Joined: Jul 06, 2016 11:39 am
Full Name: Sebastien Winiarz
Contact:

Re: Port requirements clarfication

Post by swiniarz »

Hello,

Thanks for answer,

I'm talking about the option you can fin in credential tab -> Ports -> Data Transfer option -> port range when you add an Hyper-V host.
It allows you to customize range 2500 - 5000 but not range range 49152-65535.

Moreover, does this setting apply for all RPC connexion that Veeam B&R will initiate (runtime injection, service deployment, ...) or only for job data transfer ?

Regards
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Port requirements clarfication

Post by foggy »

Got it. Then you can limit that range according to Steve's advice. All types of connections that require ports from this range are listed in the corresponding user guide section.
JannieH
Novice
Posts: 5
Liked: 2 times
Joined: Apr 25, 2018 11:10 am
Full Name: Jannie Hanekom
Contact:

Re: Port requirements clarfication

Post by JannieH »

swiniarz wrote:Hi all,
As said there's an option in Veeam to reduce RPC range 2500-5000 but is there also an option to reduce RPC range 49152-65535 ?
49152-65535 are dynamic client ports, typically used for "reply" traffic (review the MS KB article linked to from the Veeam KB article.) The originating Veeam component would use a "source" port of 49152+ and use port 2500 (for example) as destination. When the destination talks back, the TCP packets will be marked with a source port of 2500 and a destination of 49152+.

If you have a stateful firewall (read: any firewall other than "dumb" network switch ACLs), these would not typically need to be opened explicitly - the firewall would automatically maintain a state table and dynamically open and close these return ports as needed. This is not specific to Veeam; it is a core way of how TCP/IP functions, and applies to anything from your web browser to your ERP system to your VoIP calls.
odruard
Enthusiast
Posts: 40
Liked: 5 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard
Contact:

[MERGED] Offsite Backup Copy with few ports opening

Post by odruard »

Hello,

We would like to secure our backup jobs with a backup copy to a remote physical server hosted by a provider. It is not a "cloud" as usually understood, but just a server in a secured area on a remote site with a private Wan link and firewalls on each side.

Our Veeam infrastructure on premise is installed on Windows servers.
However, we would avoid to open thousands of ports, especially RPC ports, between our local network and the remote network.
We would like to reduce even the 2500 ports needed for communication between source and backup repository.

Is there some document, white paper, best practice, explaining how to perform this ?
Can we install a target repository server running on Linux, if the source server is running on Windows ? It would allow us to open only port 22 instead the thousands of Microsoft ports.
For the 2500 ports between veeam servers (TCP/2500 to TCP/5000), helpcenter specify that one port is assigned to each TCP connection. However, how can we estimate the needed number of TCP connections ? How many connections needs each job ?

I hope I was clear (English is not my native language).
Thanks for any help.

Olivier Druard.
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Port requirements clarfication

Post by PTide »

Hi,

Is any of those repositories configured as Per-VM?

Thanks
odruard
Enthusiast
Posts: 40
Liked: 5 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard
Contact:

Re: Port requirements clarfication

Post by odruard »

Sorry, I was away for 2 weeks.
No, repositories are not configured as Per-VM.

O. Druard
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Port requirements clarfication

Post by PTide »

Ok, so, since neither source or target repos are configured as per-VM, then each Backup Copy Job will consume N+1 ports, where N is the amount of VM (not disks!) in the Backup Copy Job.
Also you have to keep outbound dynamic ports range 49152-65535 opened on the source. That is, for the case of "spherical horse in a vacuum":

Assuming that there are no other jobs running, a Backup Copy Job with 10 VMs in it will consume ports 2500,2501,2502, ... , 2510.

However, you should keep in mind, that if the backup copy job overlaps with another job, then the amount of ports required will increase.

Thanks
foggy
Veeam Software
Posts: 21139
Liked: 2141 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Port requirements clarfication

Post by foggy »

And yes, you can have a target repository on Linux if the source one is on Windows. This would still require opening ports according to the listed requirements, though.
odruard
Enthusiast
Posts: 40
Liked: 5 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard
Contact:

Re: Port requirements clarfication

Post by odruard »

Thanks PTide and foggy.
I guess we'll try to copy to Linux, as it needs less opened ports than Windows, and reduce the Veeam ports to a few undreds.

Thanks a lot.
O. Druard
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Port requirements clarfication

Post by PTide »

Have you considered using Cloud Connect? Although the number of ports required is still greater than "1", it is much smaller than "2500".

Thanks
odruard
Enthusiast
Posts: 40
Liked: 5 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard
Contact:

Re: Port requirements clarfication

Post by odruard »

No, we didn't considered using Cloud Connect because in my mind (but maybe I'm wrong) it is only usable with an actual Cloud Provider and through some gateway managed by provider (and we are not in this case).

O. Druard
PTide
Product Manager
Posts: 6551
Liked: 765 times
Joined: May 19, 2015 1:46 pm
Contact:

Re: Port requirements clarfication

Post by PTide »

Depending on the size of your company, you might want to take a look at "Cloud Connect for Enterprise". VeeamPN is also VeeamPN worth checking.

Thanks
odruard
Enthusiast
Posts: 40
Liked: 5 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard
Contact:

Re: Port requirements clarfication

Post by odruard »

OK, I will have a look to Cloud Connect and VeeamPN
Thanks

O. Druard
Post Reply

Who is online

Users browsing this forum: Google [Bot] and 60 guests