VeeamGuestHelper.exe tries to make a firewall exception

[signal]

I'm working with a very security oriented setup with UAC, AppLocker, Windows firewalls overridden by central policies and network firewalls. When the Guest Interaction Proxy connects to a Windows 2012 R2 VM (client) to run VSS for application aware backups there is a file uploaded being renamed to C:\WINDOWS\VeeamVssSupport\VeeamGuestHelper.exe. This tries to open the Windows firewall for the application. Adding a central exclusion is a way to go, but locking it to a specified port would be better. Support (case # 01968734) has yet to be of any help. They only send me this link, https://helpcenter.veeam.com/backup/vsp ... html#guest, which has nothing specified for the guest helper.

My problem is that I either need to lock this to a specific port or small set of ports or get some piece of documentation that tells me which ports are being used. If not there is no way to traverse networks without using Guest Interaction Proxies everywhere, and on some networks this might not be what a customer wants.

[foggy]

Actually the link provided by support contains both ports required to deploy this process:

TCP, UDP 135, 137-139, 445 Ports required to deploy the runtime coordination process on the VM guest OS.

and ports used for its operation:

TCP 49152-65535 (for Microsoft Windows 2008 and newer) Dynamic RPC port range used by the runtime process deployed inside the VM for guest OS interaction

[signal]

Well, it does'nt mention the attempted opening of the firewall.

Is there any way to restrict the ports used by the helper process? I have customers that restrict the ports used by RPC due to security concerns.

[foggy]

Well, it does'nt mention the attempted opening of the firewall.

At the very beginning of the page, it mentions that firewall rules are automatically created during installation. This applies to all Veeam B&R components.

Is there any way to restrict the ports used by the helper process? I have customers that restrict the ports used by RPC due to security concerns.

Yes, you can set the dynamic port range as required.

[Geniek.73]

Yes, you can set the dynamic port range as required.

Do we have to configure those port range on VMs being backed up or also on guest interaction proxy? In our situation guest interation proxy is the backup server itself (physical machine).
Some VMs are in DMZ network. For this (app aware backups) to work do we have to make necessary changes on VMs in DMZ and backup server or VMs only?

rgrds

[foggy]

These are the ports required for the guest VM OS. The link contained in the first post of this thread mentions ports required for the guest interaction proxy as well.