Which Firewall Ports are Used by the Unitrends Appliance?

• What firewall ports are used by Unitrends Support to support your Recovery Series Appliance or UEB, Client to Appliance communications, Source to Target replication, and internal management of your Appliance/UEB?
• What servers does Unitrends Support use for supporting and communicating with a Unitrends Recovery Series Appliance?

Validate Open Ports

To test what ports are open on the target, run the following command:

nmap -P0 [targetIPaddress]

Additionally, a downloadable tool exists to run on a windows machine to validate target connectivity on specific provided OpenVPN ports.  See your Unitrends community site, under the training link, select the "catalogs" link and locate the Quick Demo's and Top Resources catalog.  Review the Unitrends install Onboarding training package for more information about connecting to Unitrends Cloud and prerequisite requirements. 
 

Internet - Between your Recovery Series Appliance\UB and Unitrends

For details on which Internet-facing (public) ports Unitrends requires for product functionality such as support tunnel, upgrade downloads, and SNMP notifications, please see:

What ports does Unitrends need open in my firewall?
 

Intranet - Between Your Clients and the Recovery Series Appliance\UB

The following ports are used to communicate between the Unitrends Appliance or UEB and Client Agents as well as to other Unitrends appliances. The ports may need to be opened depending on your company's security policies. Also consider local and group policy settings which may affect connectivity and communications between a Client and the Appliance or UEB.  Port connectivity to cloud providers including Amazon AWS/EC2, Azure, Rackspace, or others are not included in this list.  See 3rd party documentation for their requirements as they may vary by cloud provider. 
 

Port   Protocol - Reason 
NA         ICMP - required for many services including support tunnels, hot copy replication, openvpn, daily client inventory sync, and numerous cloud functions.  
1*          TCP - Only needed during setup of legacy vaulting (v6.4 and older)
21 (and 20) TCP - FTP for updates from repo.unitrends.com (both ports required!). It does us PASV FTP which opens an
                  ephemeral port and informs the FTP client to connect to that port before requesting data transfer
22          TCP - used for SSH access to the Unitrends appliance.  Also used by legacy vaulting
80          TCP - Redirect to https port (also used for some updates via http protocol)
111♦        TCP – Port mapping protocol used by the NFS service.
137         TCP – NetBIOS name service used this port to start sessions.
139         UDP - legacy client SMB access (Win 2000 and older)
161         TCP – SNMP
443♦        TCP – SSL Unitrends UI / Unitrends Image Level Agent. VMware backups. Used for updates to Docker engines (required after release 10.3)
445         TCP - SMB/CIFS - required for HVIR, Agent Push, NAS (CIFS), Oracle and Sharepoint backups.
873         TCP – RSYNC
888         TCP – 3WARE Web Admin Interface (RAID Controller)
902♦        TCP and UDP - VMWare vSphere ESXi hosts and vCenter Server agent.  Custom vSphere ports are not supported.  
1194*       UDP - OpenVPN (Default Hot Copy Replication only) NOTE: This will be different is you are Replicating to the Unitrends Cloud**
1743        TCP - Unitrends control port (between Client and Unitrends Appliance)
1744**      TCP - Unitrends Data Port using dynamically assigned high number port.
1745-1749** TCP - Unitrends Data Ports using the port assigned in the C:\PCBP\MASTER.ini (between Client and Unitrends Appliance) ^Linux uses 1745-1844.  
2049♦       TCP - For protecting a NAS or Cold Backup Copy using NFS. Oracle backups from some clients. Recovery to VMware. 
3260        TCP – iSCSI
4970        TCP – PostgreSQL 
5432        TCP – PostgreSQL
5721        TCP – Kasea VSA Agent 
5900-5910   TCP - VNC
9443        TCP - vSphere web API connectivity for VMWare backup
10000       TCP - NDMP
22024       TCP - VMware port for data recovery
55404       TCP - ELK Stack Telemetry
59200       TCP - ELK Stack Telemetry
49152-65535 TCP - Dynamic port range may be used by agent backups if default Data ports are not available

* Hot Backup Copy Replication

Unitrends recommends having the manager/replication Target be the OpenVPN Server and the manager / replication Source be the OpenVPN Client before remote management is configured.  OpenVPN use is a requirement of all hot copy replication since unitrends release 9.0.0-6.  (it was prior optional but no longer is).  OpenVPN allows for packet transmission retry and enforced packet ordering HTTPS alone does not supply, and though it has a small overhead of less than 0.5% it overall improves replication reliability and throughput greatly in excess of this overhead.  OpenVPN requires ICMP to establish connectivity.

** Client to Appliance Ports

Ports 1743 – 1749 are very important for the communication between your Clients (what your protect) and our Appliance.

In some cases, you may need to alter the port used (IE. Microsoft ISA and Forefront Firewall uses 1745). This change can be made on the Client station by editing the file (windows C:\PCBP\MASTER.ini  and for *NIX /usr/bp/bpinit/master.ini) and changing the value of data=1745.

The Unitrends Master.ini General Configuration value "data" is the communication data port to use on clients.  
The default value 1744 allows for a random available port number (unless the appliance firewall is set to "low" or higher), otherwise, a port must be chosen between 1745 and 1749 on Windows, or 1745 and 1844 on Linux.

If you require a static port, set data=  to a value between 1745 and 1749.

♦ VMware Protection
Unitrends uses VMware's VDDK to communicate via the vStorage API for Data Protection (VADP) when backing up VMware. If SAN-direct is not being used, the data will be send via Network Block Device (NBDSSL) using the Network File Copy (NFC) protocol. The VADP backup traffic is not done through vCenter server. vCenter is used only during: VM discovery, Snapshots requests or VM creations during recovery. The rest is done between the ESXi and Unitrends (which is why you should add the ESXi hosts as a Protected Asset). In absence of vCenter, all request are processed by the ESXi host. There are two ports used during the backup or restore:

 443 - between backup host and vCenter
 902 - between backup host and ESXi host
 111 - NFS mounts for Unitrends during recovery
2049 - NFS mounts for Unitrends during recovery

(New release of VMware may require additional ports.)