Veeam firewall traffic ESXi -> Veeam incoming port 111?

[pirx]

We are currently implementing new firewall rules and I'm seeing connections that I can not see in Veeam's used ports documentation.

For example: random ESXi hosts to Veeam Windows proxy/mount servers ports 111 (NFS/portmapper). I know that mount server provides powerNFS for instant restore etc. But the direction is from ESXi in HQ to Windows servers in a remote location (which has it's own proxy/mount server). Or other connections that not really make sense. It looks purely random and there are a lot of them.

[foggy]

Make sure that the correct mount server is being utilized (by default it is a repository server itself but another server could be configured for the repository during its creation).

[pirx]

mount servers are fixed in repository extent configuration. Still an ESXi host at location A is connecting to Veeam mount server at location B on port 111.

[WMUDLeV]

I was wondering if you found a solution to this.

We recently changed out our ESXi servers and put them on their own VLAN. The Veeam server has access to that VLAN. This morning I'm seeing notifications in our Meraki Dashboard about this same portmapper traffic. It appears the EXSi servers are trying to reach out to the Veeam server. This only happens during the SureBackup processes.

Just curious what your solution was.

[david.domask]

Hi WMUDLeV, welcome to the forums.

111 is one of the NFS port mapper endpoints, and we document this in our User Guide. Surebackup utilizes vPowerNFS to instantly recovery the machines for SureBackup, and that's why you're seeing it.

More details on the vPower NFS service can be found here.

So in short, expected behavior.

[WMUDLeV]

Thanks,

While I understand this is expected behavior, it never presented itself when all of the machines were on the same vlan. Currently Veeam has two connections one to the old flat lan everything WAS in and a second into the new vlan where these hosts are. The notification is that the ESXi host on the NEW vlan is trying to reach Veeam server still on the other network. I'm wondering if there is a setting somewhere in Veeam that I have to tell it to use the new network exclusively.

My plan is to sever Veeam from the flat network in the near future.

[david.domask]

Understood, but where is the mount server for the repository hosting the backups located? In the old or new VLAN?

You can confirm the mount server for the repository by going to Backup Infrastructure tab > Backup Repositories > right-click and select Properties and check the Mount Server tab in the Repository Wizard.

[WMUDLeV]

Thanks. The backup repository is directly connected to the Veeam server via NFS. The Mount Server specified for the backup repository is the Veeam server. No IP is specified on this screen.

[david.domask]

Aha, I suppose it's because it's mounted with the old mount info.

Try unmounting the vPowerNFS datastore from vSphere client and follow the manual mount instructions here with the correct connection info (on new VLAN): https://www.veeam.com/kb1284