Why so many Ports?

Backup agent for Microsoft Windows servers and workstations (formerly Veeam Endpoint Backup FREE)

Why so many Ports?

Veeam Logoby Dreadnought » Tue Jul 04, 2017 8:36 am

Hi All,

Is anyone able to clarify the required ports for the Veeam Agent to connect to the B&R and Repo server as the Veeam documentation for this seems to not list everything required.

We need to lock the port list down as tight as possible, but it appears that we have to punch a huge hole through the firewalls to allow backups to work correctly. https://helpcenter.veeam.com/endpoint/1 ... ports.html

I'm backing up windows VM's from a customers network that is hosted on our private cloud platform to our Veeam platform and have a locked down rule on our Veeam platform firewall that only allows 10001 and 2500-5000 through, this allows the Veeam agent to backup to our platform without any problems at all, the problem with the 2500-5000 range though is this punches a massive hole through our firewall from that customer so to lock it down further we only allow from the source the dynamic range listed in the doc of 49152-65535.

With the dynamic source range added the backups now wont work and when i look at the logging on the firewall its listing ports being opened below this range all the way down to below 10000. How are we supposed to be able to establish a secure connection when Veeam needs to open almost every single port? Or is there a way to tell the Veeam agent to only use a set amount of ports?

cheers
Dreadnought
Service Provider
 
Posts: 24
Liked: 1 time
Joined: Wed May 03, 2017 3:36 pm
Full Name: Jerry Aherne

Re: Why so many Ports?

Veeam Logoby Dreadnought » Tue Jul 04, 2017 9:24 am

some additional information on this.

Did find a post on the forums that suggested all these additional ports where due to Exchange being installed so ive tested this on a server that is just a plain old DC/File server. source is locked down to 49152-65535 and destination is locked down to 10001, 2500-5000.

Firewall logs show ports being opened from as low as 3196 to as high as 64575 on the source to connect to 10001, and it eventually connects once it hits enough of the allowed source ports from the range of 49152-65535.

it then fails when trying to connect to one of the destination ports in the range of 2500-5000 due to it trying to establish a connection using ports 47055 and 33408 which are outside of the dynamic range of 49152-65535 which are the ports that are listed in the Veeam documentation.

its pretty much impossible to lock this down without having ports open that punch some very dangerous holes through our firewalls.

Is there anyway to force the Veeam Agent to only use the dynamic range that is in the documentation?
Dreadnought
Service Provider
 
Posts: 24
Liked: 1 time
Joined: Wed May 03, 2017 3:36 pm
Full Name: Jerry Aherne

Re: Why so many Ports?

Veeam Logoby Dreadnought » Tue Jul 04, 2017 12:48 pm 1 person likes this post

managed to resolve this now.

added a lockdown outbound rule on the customer firewall that only allows the 49152-65535 range to our Veeam platform and on our platform firewall set inbound rule that only allows 10001, 2500-5000.

This stops the server with the endpoint agent trying to use ports outside of the 49152-65535 dynamic range and also stops access to our platform from the customer side on the large number of ports in the 2500-5000 range that pose a security risk.
Dreadnought
Service Provider
 
Posts: 24
Liked: 1 time
Joined: Wed May 03, 2017 3:36 pm
Full Name: Jerry Aherne

Re: Why so many Ports?

Veeam Logoby Gostev » Tue Jul 04, 2017 9:34 pm

From 2500-5000 range, each job uses only one port (next available). Specifically, this is the port that the source data mover (running on a protected computer) talks to the target data mover (running on a backup repository) on. Basically, the first job to start will use 2500, the second one 2501, and the third job may use 2500 again (if the first job finishes by that time). This means that depending on the number of concurrent jobs you will be running, you could open only a few ports right above 2500.
Gostev
Veeam Software
 
Posts: 21385
Liked: 2348 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Why so many Ports?

Veeam Logoby Dreadnought » Wed Jul 05, 2017 7:08 am

Hi Gustav,

yep the problem was that we didnt have a rule on the customer firewall restricting outbound to the 49152:65535 range so the server was using ports below this range which were then being blocked by our platform firewall. once we added this range on the customer firewall its no longer able to communicate over anything except this range so the backups now complete correctly.

customer firewall locked down to 49152:65535
platform firewall locked down to 10001, 2500-5000

backups and restores now work with out issue.
Dreadnought
Service Provider
 
Posts: 24
Liked: 1 time
Joined: Wed May 03, 2017 3:36 pm
Full Name: Jerry Aherne


Return to Veeam Agent for Windows



Who is online

Users browsing this forum: No registered users and 7 guests