-
- Veeam Vanguard
- Posts: 629
- Liked: 251 times
- Joined: Sep 27, 2011 12:17 pm
- Full Name: Craig Dalrymple
- Location: Scotland
- Contact:
accidental RDP port access
Here's a little gotcha (with a simple fix) that people might not be aware of.
As per the Veeam Help center guide, https://helpcenter.veeam.com/docs/agent ... tml?ver=30 , the VAW requires access from the agent computer to a Windows-based repo over TCP 2500 to 5000. So if you leave it as default and ask your network team to add rules to allow access through, then you will inadvertently open up RDP access (3389) from your agent machine to your Windows repo server.
This might not be something people are aware of when setting up the VAW for the 1st time.
Of course the easy fix is 2 firewall rules (open up 2500-3387 and then 3390-5000).
-
- Product Manager
- Posts: 14720
- Liked: 1705 times
- Joined: Feb 04, 2013 2:07 pm
- Full Name: Dmitry Popov
- Location: Prague
- Contact:
Re: accidental RDP port access
Hello Craig,
Thanks for sharing your thoughts with the community. I'll discuss your feedback with RnD folks!
-
- Veeam Vanguard
- Posts: 629
- Liked: 251 times
- Joined: Sep 27, 2011 12:17 pm
- Full Name: Craig Dalrymple
- Location: Scotland
- Contact:
Re: accidental RDP port access
Of course the other workaround is to disable RDP access on your repo, as stated in the best practices:
https://www.veeambp.com/infrastructure_ ... ry_windows
But not everyone is going to have access to a KVM-over-IP system.
-
- Veteran
- Posts: 411
- Liked: 31 times
- Joined: Nov 21, 2014 10:05 pm
- Contact:
Re: accidental RDP port access
Hi,
As a workaround, you can also change the port that RDP listens on:
https://docs.microsoft.com/en-us/window ... ening-port
Bed?! Beds for sleepy people! Lets get a kebab and go to a disco!
MS MCSA, MCITP, MCTS, MCP
VMWare VCP5-DCV
Veeam VMCE
-
- Chief Product Officer
- Posts: 31806
- Liked: 7300 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: accidental RDP port access
Cragdoo wrote: ↑Aug 16, 2019 11:22 am
As per the Veeam Help center guide, https://helpcenter.veeam.com/docs/agent ... tml?ver=30 , the VAW requires access from the agent computer to a Windows-based repo over TCP 2500 to 5000.
This requirement is excessive anyway. As far as I know, ports are used (and reused) by data movers sequentially starting from 2500, 1 port for each concurrent task. For example, if your concurrent tasks limit on the backup repository is 100, you will only ever need to open ports 2500 to 2600. Thus, very few people out there should need the entire range we request.
However, I'm afraid though that those who do have more than 887 concurrent tasks for the repository will experience failures with your workaround applied. For it to work, we need to teach the data mover not to attempt to use RDP ports.
Let me confirm this with the devs and follow up.
-
- Chief Product Officer
- Posts: 31806
- Liked: 7300 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: accidental RDP port access
So, my summary above was mostly correct - except the suggested workaround will in fact work, because our data mover already knows to skip occupied and unavailable ports.
We decided to update our default settings and documentation to require only ports TCP 2500 to 3000, as this should be more than enough for virtually any Veeam deployment out there. But we will also add a note explaining that you can open additional TCP ports in case you need more than 500 concurrent tasks for the given component.
Thanks for bringing this up, nice catch!
-
- Veeam Vanguard
- Posts: 103
- Liked: 17 times
- Joined: Aug 05, 2014 1:13 pm
- Full Name: Dean lewis
- Contact:
Re: accidental RDP port access
Loving the quick response and action on this in your software. This is what makes Veeam so great!
Technical Architect
Veeam Certified Architect
Veeam Vanguard
- Personal Technical Blog - www.veducate.co.uk
- Twitter - @saintdle
-
- Chief Product Officer
- Posts: 31806
- Liked: 7300 times
- Joined: Jan 01, 2006 1:01 am
- Location: Baar, Switzerland
- Contact:
Re: accidental RDP port access
Small update: in the end, the actual default port range in v10 is TCP 2500 to 3300. This gives us a bit more headroom for concurrency, but still without overlapping with the RDP port.
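The overlap discussed in this thread can be checked mechanically before a rule request goes to the network team. The following is an added example, not code from any poster or from Veeam: it flags allow-rules whose port range also covers a port that should stay closed and proposes ranges that remove only that port. It generalizes from the single RDP port to any set of excluded ports; the rule names are hypothetical and 3389 is assumed to be the RDP listener, as in the thread.

```python
# Added example: audit firewall allow-rules for port ranges that also cover
# a management port, and propose replacement ranges that skip it.
RDP_PORT = 3389  # default RDP listener, the port discussed in this thread

def split_range(start, end, excluded):
    """Return sub-ranges of start..end (inclusive) that skip every excluded port."""
    if not (0 < start <= end <= 65535):
        raise ValueError(f"invalid port range {start}-{end}")
    pieces, low = [], start
    for port in sorted(set(excluded)):
        if port < low or port > end:
            continue  # excluded port lies outside what is left of the range
        if port > low:
            pieces.append((low, port - 1))
        low = port + 1
    if low <= end:
        pieces.append((low, end))
    return pieces

def audit(rules, excluded=(RDP_PORT,)):
    """Return (rule name, exposed ports, suggested ranges) for each rule covering an excluded port."""
    findings = []
    for name, start, end in rules:
        exposed = [p for p in sorted(set(excluded)) if start <= p <= end]
        if exposed:
            findings.append((name, exposed, split_range(start, end, excluded)))
    return findings

# Constructed sample rules (names are hypothetical); the ranges are the ones
# mentioned in the thread: the old documented default and the two later ones.
SAMPLE_RULES = [
    ("agent-to-repo-old-default", 2500, 5000),
    ("agent-to-repo-2500-3000", 2500, 3000),
    ("agent-to-repo-v10-default", 2500, 3300),
]

if __name__ == "__main__":
    for name, exposed, suggestion in audit(SAMPLE_RULES):
        ranges = ", ".join(f"{a}-{b}" for a, b in suggestion)
        print(f"{name}: also allows {exposed}; use {ranges} instead")
```

Only the 2500-5000 rule is reported; the 2500-3000 and 2500-3300 ranges end below 3389 and pass unchanged.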