Dear Community,
Until now I was always of the opinion that Veeam does not need any incoming communication. However, yesterday we had a message from the virus scanner on the Veeam server that an incoming TCP connection was blocked.
Specifically, it was about the connection
Source: ESXi host
Destination: Veeam host, port tcp/902
That the communication in the other direction (Veeam -> ESXi) is needed is clear to me. But also in the opposite direction?
Or should I worry about possible malicious code on the ESXi host? Very strange.
Any clarification would be highly appreciated. Thank you!
Kind regards,
Timo
-
- Service Provider
- Posts: 25
- Liked: 2 times
- Joined: Nov 27, 2014 2:20 pm
- Full Name: Timo Wende
-
- Veeam Software
- Posts: 3649
- Liked: 610 times
- Joined: Aug 28, 2013 8:23 am
- Full Name: Petr Makarov
- Location: Prague, Czech Republic
Re: Connections from ESXi to Veeam? (not Veeam to ESXi)
Hi Timo,
I'm not aware of any case when the incoming connection is needed. Any chance it was a false-positive alarm that happened after the TCP handshake, or a technical issue with AV reporting?
I would try to find an exact timestamp from AV logs and look for the same timestamp in our debug logs. One more idea is to run Wireshark on Veeam Server or on proxy and to check whether there are some incoming packets. I believe our support team can help with both of these tasks.
Thanks!
-
- VP, Product Management
- Posts: 7121
- Liked: 1525 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: Connections from ESXi to Veeam? (not Veeam to ESXi)
Correct, there is no service from us operating on incoming TCP 902. Can you please ask the firewall team about the exact details of the connection drop?
Likely it was an answer to a malformed package header or so.
I would as well update to latest Veeam version and monitor it there.
-
- Veteran
- Posts: 643
- Liked: 314 times
- Joined: Aug 04, 2019 2:57 pm
- Full Name: Harvey
Re: Connections from ESXi to Veeam? (not Veeam to ESXi)
Was it actually a connection attempt blocked or was it just some signature alert that fired off?
If it's signature-based scanning/reporting, almost certainly it's a false positive. If you don't see it happening repeatedly, I wouldn't spend the time chasing it down.
-
- VP, Product Management
- Posts: 7121
- Liked: 1525 times
- Joined: May 04, 2011 8:36 am
- Full Name: Andreas Neufert
- Location: Germany
Re: Connections from ESXi to Veeam? (not Veeam to ESXi)
I saw similar reporting in firewalls when ESXi sent a misformed package as an answer back to our attempt to work with NFC (TCP902 on the ESXi host). => Can be ignored, as when we do not get an answer we will ask again.
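
The packet-capture check suggested in this thread comes down to separating replies on connections the Veeam host opened itself from genuinely new inbound connection attempts. A sketch of that classification follows as an added example (not code from any poster or from Veeam); the IP addresses and packet tuples are constructed, and `classify_inbound` is a hypothetical helper.

```python
from collections import namedtuple

# One captured TCP packet; flags use tcpdump-style letters (S=SYN, A=ACK, R=RST).
Pkt = namedtuple("Pkt", "ts src sport dst dport flags")

def classify_inbound(packets, local_ip):
    """Label every packet that arrives at local_ip.

    reply       - belongs to a connection local_ip opened earlier in the capture
    new-inbound - bare SYN from the remote side: a real inbound connection attempt
    stray       - anything else, e.g. a late or malformed answer, or a flow that
                  started before the capture did
    """
    opened = set()  # (local_port, remote_ip, remote_port) of outbound SYNs seen
    results = []
    for p in packets:
        bare_syn = "S" in p.flags and "A" not in p.flags
        if p.src == local_ip:
            if bare_syn:
                opened.add((p.sport, p.dst, p.dport))
            continue
        if p.dst != local_ip:
            continue  # traffic between other hosts is not of interest here
        if (p.dport, p.src, p.sport) in opened:
            label = "reply"
        elif bare_syn:
            label = "new-inbound"
        else:
            label = "stray"
        results.append((p.ts, label))
    return results

# Constructed sample: 10.0.0.10 stands in for the Veeam host, 10.0.0.20 for ESXi.
VEEAM, ESXI = "10.0.0.10", "10.0.0.20"
SAMPLE = [
    Pkt(1, VEEAM, 50123, ESXI, 902, "S"),    # Veeam opens NFC connection
    Pkt(2, ESXI, 902, VEEAM, 50123, "SA"),   # normal answer
    Pkt(3, VEEAM, 50123, ESXI, 902, "A"),
    Pkt(4, ESXI, 902, VEEAM, 50999, "A"),    # answer with no matching flow
    Pkt(5, ESXI, 41000, VEEAM, 902, "S"),    # ESXi initiating towards tcp/902
]

if __name__ == "__main__":
    for ts, label in classify_inbound(SAMPLE, VEEAM):
        print(ts, label)
```

Only packets labelled `new-inbound` match the scenario in the original question; `reply` and `stray` packets come from port 902 on the ESXi side and do not need a listening service on the Veeam host.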