-
- Enthusiast
- Posts: 36
- Liked: 1 time
- Joined: Nov 28, 2011 5:18 pm
- Full Name: Tim Graffam
- Contact:
Port requirements clarification
Hi all
I'm hoping to get some clarification as to what ports and to/from what machines we need to set up to meet our specific configuration.
We have 2 isolated vSphere environments that currently have no network access between them - let's call them environments "A" and "B". Within each environment we have a Veeam B&R instance/VM responsible for backing up all VMs within their respective environments. What we'd like to do is set up a Veeam VM Copy job in environment "A" to copy VMs from environment "B" to a Veeam backup repository in environment "A".
I've looked through Veeam's Used ports guide, but I'm still not clear on the minimum requirements to make this happen. For example, I'm not sure if we actually need to set up communication to the vSphere server in env "B" or if we can route everything through the Veeam server in that env.
Any advice provided would be greatly appreciated!
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Port requirements clarification
Tim, could you please confirm you're talking about VM Copy and not Backup Copy jobs between the environments?
-
- Enthusiast
- Posts: 36
- Liked: 1 time
- Joined: Nov 28, 2011 5:18 pm
- Full Name: Tim Graffam
- Contact:
Re: Port requirements clarification
Correct. We're only looking to use a VM Copy job to copy a few VMs from "B" environment to a backup repository in the "A" environment.
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Port requirements clarification
All of the transport communication should be handled by the machines acting as Veeam proxies between the sites so as long as your proxy in site A can talk to your proxy in site B you should be ok.
Of course each site's proxy will also need to be able to communicate with the vCenter/hosts in their site and the B&R server that is managing the job will have to be able to access both environments to orchestrate the job but I assume you were already aware of that.
Steve Krause
Veeam Certified Architect
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Port requirements clarification
Since VM copy jobs use the same infrastructure components as backup jobs, you'd need connection between the proxy and repository server (or gateway server, in case of CIFS target). Of course, backup server would also need access to the remote repository, otherwise the repository cannot be added. Make sure all components shared between Veeam B&R instances are at the same patch level. Connection to remote vSphere wouldn't be required.
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Port requirements clarification
For some reason I was thinking about replication and not backup copies. Ugh, recovering from a site failure is really great on the cognitive skills...
Steve Krause
Veeam Certified Architect
-
- Enthusiast
- Posts: 36
- Liked: 1 time
- Joined: Nov 28, 2011 5:18 pm
- Full Name: Tim Graffam
- Contact:
Re: Port requirements clarification
foggy wrote: "Since VM copy jobs use the same infrastructure components as backup jobs, you'd need connection between the proxy and repository server (or gateway server, in case of CIFS target). Of course, backup server would also need access to the remote repository, otherwise the repository cannot be added. Make sure all components shared between Veeam B&R instances are at the same patch level. Connection to remote vSphere wouldn't be required."
My network team needs a list of servers and specific ports that need connectivity to one another. They don't care/need to know whether communication is inbound/outbound, however.
Also, one thing I didn't mention is the Env B backup repository is connected locally to the Env B Veeam server. So I believe the only connectivity between the two networks is Env A Veeam Server needs to communicate with Env B vSphere and Env B Veeam Server (which is acting as the proxy and the connection to backup repository, right?)?
If that assumption is correct, this is my best guess so far as to what exactly needs to be set up:
Servers                        Protocol    Port/s      Need
Env A Veeam / Env B vCenter    HTTPS+TCP   443         Connections to vCenter Server
Env A Veeam / Env B Veeam      TCP         2500-5000   Transmission channels for replication jobs
Env A Veeam / Env B Veeam      TCP         6061        Veeam vPower NFS Service
Env A Veeam / Env B Veeam      TCP         6062        Veeam Data Mover Service
Also, regarding the "Transmission channels for replication jobs" ports - if we only have 5 VMs we ever plan to copy, can we get away with only opening ports 2500-2504 or does Veeam randomly pick ports in that range?
Thanks!
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Port requirements clarification
Typically the Veeam process starts at the bottom and works up from my experience but you want to make sure you give it at least some overhead.
Are you wanting to do Backup Copy jobs or replication? The processes work very differently and require different network connections
For Backup Copy jobs, you will need to make sure that the ports listed in "Microsoft Windows Server" on the used port lists are open between the B&R server managing the jobs and the repository server:
https://helpcenter.veeam.com/docs/backu ... =95#backup
You only need 2500-5000 to be open between two repository servers for Backup Copy jobs as long as the B&R server managing the job can access both servers as listed above.
Steve Krause
Veeam Certified Architect
-
- Enthusiast
- Posts: 36
- Liked: 1 time
- Joined: Nov 28, 2011 5:18 pm
- Full Name: Tim Graffam
- Contact:
Re: Port requirements clarification
skrause wrote: "Typically the Veeam process starts at the bottom and works up from my experience but you want to make sure you give it at least some overhead.
Are you wanting to do Backup Copy jobs or replication? The processes work very differently and require different network connections"
We're only looking to set up VM Copy jobs.
skrause wrote: "For Backup Copy jobs, you will need to make sure that the ports listed in "Microsoft Windows Server" on the used port lists are open between the B&R server managing the jobs and the repository server:
https://helpcenter.veeam.com/docs/backu ... =95#backup"
In regards to the Windows Server requirements listed there... Because this communication is occurring between two Veeam servers at the same version, I would assume the following requirements wouldn't be needed since all Veeam components are already on the server, right?:
- Ports required for deploying Veeam Backup & Replication components.
- Default port used by the Veeam Installer Service.
skrause wrote: "You only need 2500-5000 to be open between two repository servers for Backup Copy jobs as long as the B&R server managing the job can access both servers as listed above."
Apologies for not fully understanding what you're trying to implicate here - are you saying these ports are or are not needed? Further, does that entire range really need to be open, or only the range for the number of VMs that would ever be copied in a job (e.g. 5 VMs = only need ports 2500-2504)?
Thanks again all!
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Port requirements clarification
In the document it describes which services are used by each port. For example, if you don't plan on using vPower NFS to do Instant VM Recovery from the backup copy location, those ports would be unnecessary.
You will likely need the component install ports open regardless of if the components are installed already.
I am sure your networking guys have had to deal with RPC before, there are ways to shrink the range of ports used by RPC which they may have a practice for already.
As I said, in my experience, Veeam starts with 2500 and increments from there. But there is no guarantee that it won't have an issue on port, say 2501 and try 2505. Limiting it to EXACTLY 4 ports is probably more hassle than it is worth. Since it is only between two specific servers and not a blanket open to the world rule, I don't think your networking guys are going to scream too much about opening that range.
Steve Krause
Veeam Certified Architect
-
- Enthusiast
- Posts: 36
- Liked: 1 time
- Joined: Nov 28, 2011 5:18 pm
- Full Name: Tim Graffam
- Contact:
Re: Port requirements clarification
skrause wrote: "In the document it describes which services are used by each port. For example, if you don't plan on using vPower NFS to do Instant VM Recovery from the backup copy location, those ports would be unnecessary."
So if we don't plan to do Instant VM Recovery, could we also eliminate the network requirement for "[For Microsoft Windows servers running the vPower NFS Service] Standard NFS ports. If ports 2049 and 1058 are occupied, the succeeding port numbers will be used.", or would that be needed regardless?
Thanks!
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Port requirements clarification
Correct. If you don't plan on using vPower NFS (used by instant recovery) you would not need the ports listed in that line.
Steve Krause
Veeam Certified Architect
-
- Enthusiast
- Posts: 36
- Liked: 1 time
- Joined: Nov 28, 2011 5:18 pm
- Full Name: Tim Graffam
- Contact:
Re: Port requirements clarification
Excellent. And one more question (for now) - if we added the WAN accelerator to each environment (we don't currently have licensing for it, but considering in the future), is my assumption correct that all port requirements between these two environments would be replaced entirely with only needing the 2 ports mentioned in Communication Between WAN Accelerators here: https://helpcenter.veeam.com/docs/backu ... ver=95#wan?
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Port requirements clarification
You would still need to allow connection from the backup server.
-
- Novice
- Posts: 9
- Liked: 1 time
- Joined: Jul 06, 2016 11:39 am
- Full Name: Sebastien Winiarz
- Contact:
Re: Port requirements clarification
Hi all,
This post is very interesting because one of our customers wants to firewall communication between Veeam Server and other components (Proxies, VMs, ...)
As said there's an option in Veeam to reduce RPC range 2500-5000 but is there also an option to reduce RPC range 49152-65535?
Thanks in advance.
Regards
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Port requirements clarification
Hi Sebastien, what option to reduce RPC range 2500-5000 do you mean?
-
- Veteran
- Posts: 487
- Liked: 106 times
- Joined: Dec 08, 2014 2:58 pm
- Full Name: Steve Krause
- Contact:
Re: Port requirements clarification
swiniarz wrote: "This post is very interesting because one of our customers wants to firewall communication between Veeam Server and other components (Proxies, VMs, ...)
As said there's an option in Veeam to reduce RPC range 2500-5000 but is there also an option to reduce RPC range 49152-65535?"
You can reduce the RPC range, but it is not a Veeam setting. You need to adjust the range used for RPC by Windows through registry changes. You will need to do this on all of your Windows servers to ensure that they can communicate and you want to make sure you leave the range large enough to allow the connections a server needs. Windows uses RPC as the source port for almost all outbound network connections (web, etc) so keep that in mind.
https://support.microsoft.com/en-us/hel ... -firewalls
Steve Krause
Veeam Certified Architect
-
- Novice
- Posts: 9
- Liked: 1 time
- Joined: Jul 06, 2016 11:39 am
- Full Name: Sebastien Winiarz
- Contact:
Re: Port requirements clarification
Hello,
Thanks for the answer,
I'm talking about the option you can find in credential tab -> Ports -> Data Transfer option -> port range when you add a Hyper-V host.
It allows you to customize range 2500 - 5000 but not range 49152-65535.
Moreover, does this setting apply to all RPC connections that Veeam B&R will initiate (runtime injection, service deployment, ...) or only to job data transfer?
Regards
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Port requirements clarification
Got it. Then you can limit that range according to Steve's advice. All types of connections that require ports from this range are listed in the corresponding user guide section.
-
- Novice
- Posts: 5
- Liked: 2 times
- Joined: Apr 25, 2018 11:10 am
- Full Name: Jannie Hanekom
- Contact:
Re: Port requirements clarification
swiniarz wrote: "Hi all,
As said there's an option in Veeam to reduce RPC range 2500-5000 but is there also an option to reduce RPC range 49152-65535?"
49152-65535 are dynamic client ports, typically used for "reply" traffic (review the MS KB article linked to from the Veeam KB article.) The originating Veeam component would use a "source" port of 49152+ and use port 2500 (for example) as destination. When the destination talks back, the TCP packets will be marked with a source port of 2500 and a destination of 49152+.
If you have a stateful firewall (read: any firewall other than "dumb" network switch ACLs), these would not typically need to be opened explicitly - the firewall would automatically maintain a state table and dynamically open and close these return ports as needed. This is not specific to Veeam; it is a core way of how TCP/IP functions, and applies to anything from your web browser to your ERP system to your VoIP calls.
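Added example, not part of any post in this thread: a small Python model of the behaviour described in the post above, comparing a stateless ACL with a stateful firewall for one data connection from a 49152+ source port to destination port 2500. The addresses, class names and sample packets are constructed for illustration.

```python
from dataclasses import dataclass

# Constructed addresses for illustration only.
SOURCE = "10.0.1.10"   # originating Veeam component (hypothetical)
TARGET = "10.0.2.20"   # receiving component (hypothetical)
DATA_PORTS = range(2500, 5001)        # 2500-5000, as discussed in the thread
DYNAMIC_PORTS = range(49152, 65536)   # 49152-65535, as discussed in the thread


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only for the first packet of a new connection


def allowed_new(pkt):
    """The one explicit rule: SOURCE may open connections to TARGET:2500-5000."""
    return pkt.src == SOURCE and pkt.dst == TARGET and pkt.dport in DATA_PORTS


class StatelessAcl:
    """Judges each packet on its own, so replies need their own rule."""

    def __init__(self, return_rule=False):
        self.return_rule = return_rule

    def permit(self, pkt):
        if allowed_new(pkt):
            return True
        # Optional mirror rule: TARGET:2500-5000 -> SOURCE:49152-65535.
        return (self.return_rule and pkt.src == TARGET and pkt.dst == SOURCE
                and pkt.sport in DATA_PORTS and pkt.dport in DYNAMIC_PORTS)


class StatefulFirewall:
    """Records connections it allowed to open and admits only their traffic."""

    def __init__(self):
        self.table = set()

    def permit(self, pkt):
        if pkt.syn and allowed_new(pkt):
            self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        flow = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        return flow in self.table or reverse in self.table


def verdicts(fw):
    """Run one data connection plus one unrelated inbound packet through fw."""
    opening = Packet(SOURCE, 49734, TARGET, 2500, syn=True)
    reply = Packet(TARGET, 2500, SOURCE, 49734)
    # Falls in the same port ranges as a reply, but no connection was opened.
    unsolicited = Packet(TARGET, 2501, SOURCE, 50000)
    return {name: fw.permit(p) for name, p in
            [("opening", opening), ("reply", reply), ("unsolicited", unsolicited)]}


if __name__ == "__main__":
    for label, fw in [("stateless, no return rule", StatelessAcl()),
                      ("stateless, with return rule", StatelessAcl(True)),
                      ("stateful", StatefulFirewall())]:
        print(f"{label:28} {verdicts(fw)}")
```

The stateless ACL either breaks the reply or, with the mirror rule, also admits the unsolicited packet; the stateful firewall passes the reply without any rule for 49152-65535.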
-
- Enthusiast
- Posts: 40
- Liked: 5 times
- Joined: Jan 25, 2011 2:12 pm
- Full Name: Olivier Druard
- Contact:
[MERGED] Offsite Backup Copy with few ports opening
Hello,
We would like to secure our backup jobs with a backup copy to a remote physical server hosted by a provider. It is not a "cloud" as usually understood, but just a server in a secured area on a remote site with a private WAN link and firewalls on each side.
Our Veeam infrastructure on premise is installed on Windows servers.
However, we would like to avoid opening thousands of ports, especially RPC ports, between our local network and the remote network.
We would like to reduce even the 2500 ports needed for communication between source and backup repository.
Is there some document, white paper, best practice, explaining how to perform this?
Can we install a target repository server running on Linux, if the source server is running on Windows? It would allow us to open only port 22 instead of the thousands of Microsoft ports.
For the 2500 ports between Veeam servers (TCP/2500 to TCP/5000), helpcenter specifies that one port is assigned to each TCP connection. However, how can we estimate the needed number of TCP connections? How many connections does each job need?
I hope I was clear (English is not my native language).
Thanks for any help.
Olivier Druard.
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Port requirements clarification
Hi,
Is any of those repositories configured as Per-VM?
Thanks
-
- Enthusiast
- Posts: 40
- Liked: 5 times
- Joined: Jan 25, 2011 2:12 pm
- Full Name: Olivier Druard
- Contact:
Re: Port requirements clarification
Sorry, I was away for 2 weeks.
No, repositories are not configured as Per-VM.
O. Druard
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Port requirements clarification
Ok, so, since neither source nor target repos are configured as per-VM, then each Backup Copy Job will consume N+1 ports, where N is the number of VMs (not disks!) in the Backup Copy Job.
Also you have to keep outbound dynamic ports range 49152-65535 opened on the source. That is, for the case of "spherical horse in a vacuum":
Assuming that there are no other jobs running, a Backup Copy Job with 10 VMs in it will consume ports 2500,2501,2502, ... , 2510.
However, you should keep in mind that if the backup copy job overlaps with another job, then the number of ports required will increase.
Thanks
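Added example, not part of any post in this thread: a Python example that sizes the port range from the N+1 rule above when several Backup Copy Jobs overlap in time. It assumes every job is a Backup Copy Job on non-per-VM repositories; the job list, the schedule and the 50% headroom are constructed values, not Veeam recommendations.

```python
import math

FIRST_PORT = 2500   # start of the 2500-5000 range discussed in the thread
LAST_PORT = 5000

# Constructed schedule: (name, VM count, start minute, end minute).
JOBS = [
    ("copy-a", 10, 60, 180),
    ("copy-b", 4, 120, 240),
    ("copy-c", 7, 180, 300),
]


def ports_per_job(vm_count):
    """N+1 ports for a Backup Copy Job with N VMs (non-per-VM repositories)."""
    return vm_count + 1


def peak_ports(jobs):
    """Sweep over job start/end times; return the highest simultaneous demand.

    jobs: iterable of (name, vm_count, start, end), with end exclusive.
    """
    events = []
    for _name, vms, start, end in jobs:
        if end <= start or vms < 1:
            raise ValueError("each job needs end > start and at least one VM")
        events.append((start, ports_per_job(vms)))
        events.append((end, -ports_per_job(vms)))
    # Releases sort before claims at the same minute, so back-to-back jobs
    # are not counted as overlapping.
    events.sort()
    current = peak = 0
    for _time, delta in events:
        current += delta
        peak = max(peak, current)
    return peak


def suggested_range(jobs, headroom=0.5):
    """Return (first, last) port to open: peak demand plus fractional headroom.

    headroom is an assumption of this example; the thread only says to leave
    some overhead because a port may be skipped.
    """
    need = peak_ports(jobs)
    total = need + math.ceil(need * headroom)
    last = FIRST_PORT + total - 1
    if last > LAST_PORT:
        raise ValueError("demand exceeds the 2500-5000 range")
    return FIRST_PORT, last


if __name__ == "__main__":
    print("peak simultaneous ports:", peak_ports(JOBS))
    print("range to open between the two servers:", suggested_range(JOBS))
```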
-
- Veeam Software
- Posts: 21139
- Liked: 2141 times
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
- Contact:
Re: Port requirements clarification
And yes, you can have a target repository on Linux if the source one is on Windows. This would still require opening ports according to the listed requirements, though.
-
- Enthusiast
- Posts: 40
- Liked: 5 times
- Joined: Jan 25, 2011 2:12 pm
- Full Name: Olivier Druard
- Contact:
Re: Port requirements clarification
Thanks PTide and foggy.
I guess we'll try to copy to Linux, as it needs fewer open ports than Windows, and reduce the Veeam ports to a few hundred.
Thanks a lot.
O. Druard
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Port requirements clarification
Have you considered using Cloud Connect? Although the number of ports required is still greater than "1", it is much smaller than "2500".
Thanks
-
- Enthusiast
- Posts: 40
- Liked: 5 times
- Joined: Jan 25, 2011 2:12 pm
- Full Name: Olivier Druard
- Contact:
Re: Port requirements clarification
No, we didn't consider using Cloud Connect because in my mind (but maybe I'm wrong) it is only usable with an actual Cloud Provider and through some gateway managed by provider (and we are not in this case).
O. Druard
-
- Product Manager
- Posts: 6551
- Liked: 765 times
- Joined: May 19, 2015 1:46 pm
- Contact:
Re: Port requirements clarification
Depending on the size of your company, you might want to take a look at "Cloud Connect for Enterprise". VeeamPN is also worth checking.
Thanks
-
- Enthusiast
- Posts: 40
- Liked: 5 times
- Joined: Jan 25, 2011 2:12 pm
- Full Name: Olivier Druard
- Contact:
Re: Port requirements clarification
OK, I will have a look at Cloud Connect and VeeamPN
Thanks
O. Druard