Standalone backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)
Cragdoo
Veeam Vanguard
Posts: 628
Liked: 251 times
Joined: Sep 27, 2011 12:17 pm
Full Name: Craig Dalrymple
Location: Scotland
Contact:

accidental RDP port access

Post by Cragdoo » 5 people like this post

Here's a little gotcha (with a simple fix) that people might not be aware of.

As per the Veeam Help center guide, https://helpcenter.veeam.com/docs/agent ... tml?ver=30 , the VAW requires access from the agent computer to a Windows-based repo over TCP 2500 to 5000. So if you leave it as default and ask your network team to add rules to allow access through, then you will inadvertently open up RDP access (3389) from your agent machine to your Windows repo server.

This might not be something people are aware of when setting up the VAW for the 1st time.

Of course the easy fix is 2 firewall rules (Open up 2500-3387 and then 3390-5000)
Dima P.
Product Manager
Posts: 14396
Liked: 1568 times
Joined: Feb 04, 2013 2:07 pm
Full Name: Dmitry Popov
Location: Prague
Contact:

Re: accidental RDP port access

Post by Dima P. »

Hello Craig,

Thanks for sharing your thoughts with the community. I'll discuss your feedback with RnD folks!

Re: accidental RDP port access

Post by Cragdoo »

Of course the other workaround is to disable RDP access on your repo, as stated in the best practices:

https://www.veeambp.com/infrastructure_ ... ry_windows

But not everyone is going to have access to a KVM-over-ip system :)
hyvokar
Veteran
Posts: 406
Liked: 29 times
Joined: Nov 21, 2014 10:05 pm
Contact:

Re: accidental RDP port access

Post by hyvokar »

Hi,

as a workaround, you can also change the port that RDP listens on:

https://docs.microsoft.com/en-us/window ... ening-port
Bed?! Beds for sleepy people! Lets get a kebab and go to a disco!
MS MCSA, MCITP, MCTS, MCP
VMWare VCP5-DCV
Veeam VMCE
Gostev
Chief Product Officer
Posts: 31456
Liked: 6647 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: accidental RDP port access

Post by Gostev »

Cragdoo wrote: Aug 16, 2019 11:22 am
As per the Veeam Help center guide, https://helpcenter.veeam.com/docs/agent ... tml?ver=30 , the VAW requires access from the agent computer to a Windows based repo over TCP 2500 to 5000.

This requirement is excessive anyway. As far as I know, ports are used (and reused) by data movers sequentially starting from 2500, 1 port for each concurrent task. For example, if your concurrent tasks limit on the backup repository is 100, you will only ever need to open ports 2500 to 2600. Thus, very few people out there should need the entire range we request :D

However, I'm afraid that those who do have more than 887 concurrent tasks for the repository will experience failures with your workaround applied. For it to work, we need to teach the data mover not to attempt to use RDP ports.

Let me confirm this with the devs and follow up.

Re: accidental RDP port access

Post by Gostev » 4 people like this post

So, my summary above was mostly correct - except the suggested workaround will in fact work, because our data mover already knows to skip occupied and unavailable ports.

We decided to update our default settings and documentation to require only ports TCP 2500 to 3000, as this should be more than enough for virtually any Veeam deployment out there. But we will also add a note explaining that you can open additional TCP ports in case you need more than 500 concurrent tasks for the given component.

Thanks for bringing this up, nice catch!
saintdle
Veeam Vanguard
Posts: 103
Liked: 17 times
Joined: Aug 05, 2014 1:13 pm
Full Name: Dean lewis
Contact:

Re: accidental RDP port access

Post by saintdle » 1 person likes this post

Loving the quick response and action on this in your software :D This is what makes Veeam so great!
Technical Architect
Veeam Certified Architect
Veeam Vanguard
  • Personal Technical Blog - www.veducate.co.uk
  • Twitter - @saintdle

Re: accidental RDP port access

Post by Gostev » 3 people like this post

Small update: in the end, the actual default port range in v10 is TCP 2500 to 3300. This gives us a bit more head room for concurrency, but still without overlapping with the RDP port.
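
The overlap check discussed in this thread, as an added example that is not part of any forum post or of Veeam's own tooling: it flags a firewall allow range that covers RDP (3389), splits the range around it, and sizes a range from the concurrent task limit using the 100-task example given above. All function names are hypothetical, and the set of ports to keep closed is an assumption you would extend for your own repository server.

```python
# Added example: audit a proposed firewall allow range before handing it to
# the network team. Names are hypothetical; port numbers come from the thread.

DATA_MOVER_START = 2500          # first data mover port, per the thread
KEEP_CLOSED = {3389: "RDP"}      # assumption: extend with other services on the repo


def exposed_ports(start, end, keep_closed=KEEP_CLOSED):
    """Return {port: service} for every keep-closed port inside start..end."""
    if not (1 <= start <= end <= 65535):
        raise ValueError(f"invalid port range {start}-{end}")
    return {p: s for p, s in sorted(keep_closed.items()) if start <= p <= end}


def split_around(start, end, blocked):
    """Split start..end (inclusive) into sub-ranges that skip blocked ports."""
    ranges, lo = [], start
    for port in sorted(p for p in set(blocked) if start <= p <= end):
        if lo <= port - 1:           # emit the gap before this blocked port
            ranges.append((lo, port - 1))
        lo = port + 1                # resume just after it
    if lo <= end:
        ranges.append((lo, end))
    return ranges


def range_for_tasks(concurrent_tasks, start=DATA_MOVER_START):
    """Size the range from the task limit, as in the thread: 100 -> 2500-2600."""
    if concurrent_tasks < 1:
        raise ValueError("concurrent task limit must be at least 1")
    return (start, start + concurrent_tasks)


if __name__ == "__main__":
    # Ranges mentioned in the thread: old default, first proposal, v10 default.
    for lo, hi in [(2500, 5000), (2500, 3000), (2500, 3300)]:
        hits = exposed_ports(lo, hi)
        if hits:
            safe = split_around(lo, hi, hits)
            print(f"{lo}-{hi}: exposes {hits}; use {safe} instead")
        else:
            print(f"{lo}-{hi}: no overlap with {sorted(KEEP_CLOSED)}")
    print("100 concurrent tasks need", range_for_tasks(100))
```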