foggy
Veeam Software
Posts: 16689
Liked: 1343 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Port requirements clarification

Post by foggy » Apr 12, 2018 1:38 pm

Hi Sebastien, what option to reduce RPC range 2500-5000 do you mean?

skrause
Expert
Posts: 355
Liked: 62 times
Joined: Dec 08, 2014 2:58 pm
Full Name: Steve Krause
Contact:

Re: Port requirements clarfication

Post by skrause » Apr 12, 2018 1:49 pm

swiniarz wrote: This post is very interesting because one of our customers wants to firewall communication between Veeam Server and other components (Proxies, VMs, ...)

As said, there's an option in Veeam to reduce RPC range 2500-5000, but is there also an option to reduce RPC range 49152-65535?

You can reduce the RPC range, but it is not a Veeam setting. You need to adjust the range used for RPC by Windows through registry changes. You will need to do this on all of your Windows servers to ensure that they can communicate, and you want to make sure you leave the range large enough to allow the connections a server needs. Windows uses RPC as the source port for almost all outbound network connections (web, etc.), so keep that in mind.

https://support.microsoft.com/en-us/hel ... -firewalls
Steve Krause
Veeam Certified Architect

swiniarz
Novice
Posts: 9
Liked: 1 time
Joined: Jul 06, 2016 11:39 am
Full Name: Sebastien Winiarz

Re: Port requirements clarification

Post by swiniarz » Apr 13, 2018 7:24 am

Hello,

Thanks for the answer.

I'm talking about the option you can find in credential tab -> Ports -> Data Transfer option -> port range when you add a Hyper-V host.
It allows you to customize range 2500-5000 but not range 49152-65535.

Moreover, does this setting apply to all RPC connections that Veeam B&R will initiate (runtime injection, service deployment, ...) or only to job data transfer?

Regards

foggy
Veeam Software
Posts: 16689
Liked: 1343 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Port requirements clarification

Post by foggy » Apr 13, 2018 11:32 am

Got it. Then you can limit that range according to Steve's advice. All types of connections that require ports from this range are listed in the corresponding user guide section.

JannieH
Lurker
Posts: 1
Liked: never
Joined: Apr 25, 2018 11:10 am
Full Name: Jannie Hanekom
Contact:

Re: Port requirements clarfication

Post by JannieH » Apr 25, 2018 11:32 am

swiniarz wrote: Hi all,
As said, there's an option in Veeam to reduce RPC range 2500-5000, but is there also an option to reduce RPC range 49152-65535?

49152-65535 are dynamic client ports, typically used for "reply" traffic (review the MS KB article linked to from the Veeam KB article). The originating Veeam component would use a "source" port of 49152+ and use port 2500 (for example) as destination. When the destination talks back, the TCP packets will be marked with a source port of 2500 and a destination of 49152+.

If you have a stateful firewall (read: any firewall other than "dumb" network switch ACLs), these would not typically need to be opened explicitly - the firewall would automatically maintain a state table and dynamically open and close these return ports as needed. This is not specific to Veeam; it is a core way of how TCP/IP functions, and applies to anything from your web browser to your ERP system to your VoIP calls.
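
The behaviour described in the post above, as an added example that is not part of the original thread or of any Veeam or firewall product: a toy connection tracker next to a stateless ACL, both given only a rule for destination ports 2500-5000. The addresses, the source port 49731 and all names are constructed for illustration; real firewalls also track TCP flags and expire idle state.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the packet that opens a connection

def stateless_permit(p, allowed_dports):
    """Plain ACL: every packet is judged on its own destination port."""
    return p.dport in allowed_dports

class StatefulFirewall:
    """Toy connection tracker: rules describe only the initiating direction."""

    def __init__(self, allowed_dports):
        self.allowed = allowed_dports
        self.flows = set()  # tracked connections as (src, sport, dst, dport)

    def permit(self, p):
        forward = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        if forward in self.flows or reverse in self.flows:
            return True              # belongs to a tracked connection
        if p.syn and p.dport in self.allowed:
            self.flows.add(forward)  # new connection that matches a rule
            return True
        return False                 # unsolicited traffic is dropped

def demo():
    rule = range(2500, 5001)                 # only the data-transfer range is opened
    src, dst = "10.0.0.10", "10.0.1.20"      # constructed addresses
    opening = Packet(src, 49731, dst, 2500, syn=True)
    reply = Packet(dst, 2500, src, 49731)
    stray = Packet(dst, 2500, src, 50000)    # no matching outbound connection
    fw = StatefulFirewall(rule)
    return {
        "stateful": [fw.permit(p) for p in (opening, reply, stray)],
        "stateless": [stateless_permit(p, rule) for p in (opening, reply, stray)],
    }

if __name__ == "__main__":
    print(demo())
```

The stateless list shows why a plain ACL would need 49152-65535 opened for return traffic, while the tracker admits the reply and still drops the stray packet.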

odruard
Enthusiast
Posts: 39
Liked: 4 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard

[MERGED] Offsite Backup Copy with few ports opening

Post by odruard » Jun 26, 2018 2:26 pm

Hello,

We would like to secure our backup jobs with a backup copy to a remote physical server hosted by a provider. It is not a "cloud" as usually understood, but just a server in a secured area on a remote site with a private WAN link and firewalls on each side.

Our Veeam infrastructure on premise is installed on Windows servers.
However, we would like to avoid opening thousands of ports, especially RPC ports, between our local network and the remote network.
We would like to reduce even the 2500 ports needed for communication between source and backup repository.

Is there some document, white paper, or best practice explaining how to perform this?
Can we install a target repository server running on Linux if the source server is running on Windows? It would allow us to open only port 22 instead of the thousands of Microsoft ports.
For the 2500 ports between Veeam servers (TCP/2500 to TCP/5000), the Help Center specifies that one port is assigned to each TCP connection. However, how can we estimate the needed number of TCP connections? How many connections does each job need?

I hope I was clear (English is not my native language).
Thanks for any help.

Olivier Druard.

PTide
Veeam Software
Posts: 4247
Liked: 349 times
Joined: May 19, 2015 1:46 pm

Re: Port requirements clarification

Post by PTide » Jun 28, 2018 1:37 pm

Hi,

Are any of those repositories configured as Per-VM?

Thanks

odruard
Enthusiast
Posts: 39
Liked: 4 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard

Re: Port requirements clarification

Post by odruard » Jul 16, 2018 8:39 am

Sorry, I was away for 2 weeks.
No, repositories are not configured as Per-VM.

O. Druard

PTide
Veeam Software
Posts: 4247
Liked: 349 times
Joined: May 19, 2015 1:46 pm

Re: Port requirements clarification

Post by PTide » Jul 18, 2018 12:38 pm

OK, so, since neither source nor target repos are configured as per-VM, each Backup Copy Job will consume N+1 ports, where N is the number of VMs (not disks!) in the Backup Copy Job.
Also, you have to keep the outbound dynamic port range 49152-65535 open on the source. That is, for the case of "spherical horse in a vacuum":

Assuming that there are no other jobs running, a Backup Copy Job with 10 VMs in it will consume ports 2500,2501,2502, ... , 2510.

However, you should keep in mind that if the backup copy job overlaps with another job, then the number of ports required will increase.

Thanks
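
A sizing sketch for the N+1 rule and the overlap caveat in the post above, added here as an example and not taken from the thread or from Veeam documentation. It assumes every job in the schedule is a Backup Copy Job with non-per-VM repositories and that ports are handed out contiguously from 2500, as in the post's 10-VM example; the job names, times and the `headroom` parameter are constructed.

```python
from datetime import datetime

BASE_PORT = 2500  # first port of the data-transfer range discussed in the thread

def ports_for_job(vm_count):
    """N + 1 ports for a Backup Copy Job with N VMs (non-per-VM repositories)."""
    return vm_count + 1

def peak_ports(jobs):
    """jobs: iterable of (name, vm_count, start, end). Returns the peak port count."""
    events = []
    for _name, vms, start, end in jobs:
        need = ports_for_job(vms)
        events.append((start, need))   # ports taken when the job starts
        events.append((end, -need))    # ports released when it ends
    # Tuple sort puts releases (negative) before allocations at equal timestamps.
    events.sort()
    current = peak = 0
    for _when, delta in events:
        current += delta
        peak = max(peak, current)
    return peak

def firewall_range(jobs, headroom=0):
    """Smallest contiguous range from BASE_PORT covering the peak, or None."""
    total = peak_ports(jobs) + headroom
    if total <= 0:
        return None
    return BASE_PORT, BASE_PORT + total - 1

def t(hhmm):
    return datetime.strptime("2018-07-18 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed schedule: three Backup Copy Jobs, with overlapping windows.
SCHEDULE = [
    ("copy-A", 10, t("01:00"), t("03:00")),
    ("copy-B", 4, t("02:00"), t("04:00")),
    ("copy-C", 6, t("03:00"), t("05:00")),
]

if __name__ == "__main__":
    print(firewall_range(SCHEDULE[:1]))  # the single 10-VM job from the post
    print(firewall_range(SCHEDULE))      # peak while copy-A and copy-B overlap
```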

foggy
Veeam Software
Posts: 16689
Liked: 1343 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson

Re: Port requirements clarification

Post by foggy » Jul 18, 2018 1:09 pm

And yes, you can have a target repository on Linux if the source one is on Windows. This would still require opening ports according to the listed requirements, though.

odruard
Enthusiast
Posts: 39
Liked: 4 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard

Re: Port requirements clarification

Post by odruard » Jul 18, 2018 2:19 pm

Thanks PTide and foggy.
I guess we'll try to copy to Linux, as it needs fewer open ports than Windows, and reduce the Veeam ports to a few hundred.

Thanks a lot.
O. Druard

PTide
Veeam Software
Posts: 4247
Liked: 349 times
Joined: May 19, 2015 1:46 pm

Re: Port requirements clarification

Post by PTide » Jul 18, 2018 2:36 pm

Have you considered using Cloud Connect? Although the number of ports required is still greater than "1", it is much smaller than "2500".

Thanks

odruard
Enthusiast
Posts: 39
Liked: 4 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard

Re: Port requirements clarification

Post by odruard » Jul 18, 2018 3:24 pm

No, we didn't consider using Cloud Connect because in my mind (but maybe I'm wrong) it is only usable with an actual Cloud Provider and through some gateway managed by the provider (and we are not in this case).

O. Druard

PTide
Veeam Software
Posts: 4247
Liked: 349 times
Joined: May 19, 2015 1:46 pm

Re: Port requirements clarification

Post by PTide » Jul 18, 2018 3:36 pm

Depending on the size of your company, you might want to take a look at "Cloud Connect for Enterprise". VeeamPN is also worth checking.

Thanks

odruard
Enthusiast
Posts: 39
Liked: 4 times
Joined: Jan 25, 2011 2:12 pm
Full Name: Olivier Druard

Re: Port requirements clarification

Post by odruard » Jul 18, 2018 5:14 pm

OK, I will have a look at Cloud Connect and VeeamPN.
Thanks

O. Druard
