Veeam Firewall Ports

[mythumbsclick]

Hi All

Be good to get some feedback on how you are configuring local firewalls to allow Veeam traffic. I have a Windows Server 2012R2/vSphere environment and configure Windows Firewall via group policy to secure our internal network.

Initially I copied the automatically generated Veeam firewall rules on Proxys/Repo/Mount/B+R etc into group policies and this worked fine. However on revisiting the rules they are pretty open. Example:

Veeam Data Mover (Veeam Transport Service) (In)
Allow Rule: C:\Program Files (x86)\Veeam\Backup Transport\x86\VeeamAgent.exe (All traffic allowed for this program)
No IP or port specifics.

I decided to have a go at manually configuring all rules and have a GP for Proxies, GP for Repo, GP for B+R etc with ports and IPs from the Veeam Ports Doc but I have got myself into a bit of a mess and am constantly tweaking rules so as not to block Veeam traffic.

My questions is, have you bothered to do the same or do you have a more general/open set of rules?

Thanks!

[Andreas Neufert]

I agree that our Port Matrix is a bit hard to understand and overloaded. Please check as well our Best Practices Guide. You will find some Visio diagrams that explain a bit more deeply the connections:
https://bp.veeam.expert/networking/readme.html (please click on the navigation menue on the right side to scroll through the diagrams).

[DRUMDUDESAN]

Hi,
My question would be what are the exe's to allow when you use Windows Firewall on the backup proxy server?
Is it just the C:\Program Files (x86)\Veeam\Backup Transport\x86\VeeamAgent.exe ?
To figure this out I did it this way:
1) I disabled the Firewall
2) Install the Veeam Backup Proxy on server.
3) Enabled the firewall.
I plugged these to the Domain Firewall and my backups were successful.
C:\Program Files (x86)\Veeam\Backup Transport\x64\VeeamAgent.exe
C:\Program Files (x86)\Veeam\Backup Transport\x64\VeeamPluginsHostX64
C:\Program Files (x86)\Veeam\Backup Transport\VeeamTransportSvc.exe
Thanks
Jeff

[Andreas Neufert]

Actually Veeam should take care on this.

But you need to allow remote RPC (see documentation) at the other servers so that we can connect and install our software if needed.

[Andreas Neufert]

This article could be interessting for you: https://univirt.wordpress.com/2018/03/0 ... m-backups/

[neilmurphy65]

I agree that our Port Matrix is a bit hard to understand and overloaded. Please check as well our Best Practices Guide. You will find some Visio diagrams that explain a bit more deeply the connections:
https://bp.veeam.expert/networking/readme.html (please click on the navigation menue on the right side to scroll through the diagrams).

This link seems to be broken. The new page on the best practices guide is https://bp.veeam.expert/appendices/networking. The pages following this one have the networking diagrams.

[Andreas Neufert]

Thanks for updating this here. It is the correct page in the Veeam best practices guide.

[Zew]

here https://www.veeam.com/kb1518 for particular services/tasks and their respective ports, every link in this thread is dead.

[neilmurphy65]

This link seems to be broken. The new page on the best practices guide is https://bp.veeam.expert/appendices/networking. The pages following this one have the networking diagrams.

Now the link has changed to https://bp.veeam.expert/networking