30/5/25, 15:48 Ports - User Guide for VMware vSphere Ports On backup infrastructure components, Veeam Backup & Replication automatically creates firewall rules for the required ports on Windows-based machines. If you are using a third-party firewall, these rules must be created manually. These rules allow components to communicate with each other. IMPORTANT Some Linux distributions also require firewall and security rules to be created manually. For details, see this Veeam KB article. You can find the full list of the ports in this section. Backup Server The following table describes network ports that must be opened to ensure proper communication of the backup server with backup infrastructure components. From To Protocol Port Notes 443 Default port used for connections to Communication with Virtualization Servers Backup vCenter server Server TCP vCenter Server. Note: The backup server should have a direct connection to vCenter Server. HTTP/HTTPS proxy servers are not supported. If you use VMware Cloud Director, make sure you open port 443 on underlying vCenter Servers. ESXi TCP server https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 443 Default port used for connections to ESXi host. 1/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere This port is not required for VMware Cloud on AWS. TCP 902 Port used for data transfer to ESXi host. It is also used during guest OS file recovery if you recover files from replicas. This port is not required for VMware Cloud on AWS. VMware TCP 443 Cloud Default port used for connections to VMware Cloud Director. Director Note: The backup server should have a direct connection to VMware Cloud Director. HTTP/HTTPS proxy servers are not supported. Other Communications Backup PostgreSQ TCP 5432 Port used for communication with server L server PostgreSQL server on which the hosting Veeam Backup & Replication the configuration database is deployed. 
Veeam Ba ckup & Re plication configurat ion database Microsoft TCP 1433 Port used for communication with SQL Microsoft SQL Server on which the Server Veeam Backup & Replication hosting configuration database is deployed (if the you use a Microsoft SQL Server default Veeam Ba instance). ckup & Re plication https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 2/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere configurat Additional ports may need to be open ion depending on your configuration. For database more information, see Microsoft Docs. DNS UDP 53 server Port used for communication with the DNS Server. with forward/r everse name resolution of all backup servers Veeam TCP 443 Default port used to download Update information about available updates Notificatio from the Veeam Update Notification n Server Server over HTTPS. Veeam Update Notification Server endpoints: dev.veeam.com vbrad.butler.veeam.com vbrce.butler.veeam.com Veeam TCP 443 Default port used to automatically License update license from the Veeam License Update Update Server over HTTPS. Veeam Server Threat Hunter and Veeam Data Cloud Vault also require this communication to work properly. Veeam License Update Server endpoints: vbr.butler.veeam.com autolk.veeam.com https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 3/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere 80 Required for certificate validation when Veeam Backup & Replication connects to Veeam License Update Server to check if the new license is available and download it. Certificate verification endpoints: *.ss2.us *.amazontrust.com Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. 
You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points Authority Information Access Certificate TCP 80 or 443 Veeam Backup & Replication requires Revocatio access to the Certificate Revocation n Lists Lists (CRL) of the Certificate Authority (CA) that issued the certificate for each backup infrastructure component. Note: The specific CRL endpoint that must be connected to depends on the CA that issued the certificate. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points Authority Information Access KMS TCP server https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 5696 Default port used for communication with Key Management System server. 4/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Veeam TCP 2741 ONE Default port used for communication with Veeam ONE internal Web API. Server Required for the Analytics view. For more information, see Configuring Analytics View. Veeam TCP 1239 ONE Web Default port used by Veeam ONE Web Services. Services Required for the Analytics view. For more information, see Configuring Analytics View. Backup TCP server 9501 Port used locally on the backup server (local) for communication between Veeam Broker Service and Veeam services and components. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. Backup TCP server 6172 Port used to provide REST access to the (local) Veeam Backup & Replication database. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. Backup TCP server 9393 Default port used by the Veeam Guest (local) Catalog service for catalog replication. 
Can be customized during https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 5/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Veeam Backup & Replication installation. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. Managem Backup ent client server TCP 3389 Default port used by Remote Desktop Services. If you use third-party PC solutions to connect to the backup (remote server, other ports may need to be access) open. REST Backup client server TCP 9419 Default port for communication with REST API service. Backup & Replication Console The following table describes network ports that must be opened to ensure proper communication with the Veeam Backup & Replication console. From To Protocol Port Notes Veeam Ba Backup TCP 9392 Ports used by the ckup & Re server 9420 Veeam Backup & Replication console to plication communicate with the backup server. console Note that both ports are required. TCP 9396 Port used by the Veeam.Backup.UIService process for managing database connections. TCP 9401 [Remote console only] Port used by the Veeam Backup & Replication console https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 6/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere during Windows file-level recovery. Required to perform Copy to and Mount to console operations. TCP 10003 [Remote console only] Port used by the Veeam Backup & Replication console to connect to the backup server only when managing the Veeam Cloud Connect infrastructure. Mount TCP server 2500 to [Remote console only] Default range of 3300 ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. This port is used if the mount server is not located on the console. 
Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Veeam AI TCP 443 Assistant Default port for communication with the Veeam AI Assistant service. (restai.veeam.c om) Nutanix TCP 8543 Port used by the AHV Plug- Veeam Backup & Replication console to in for communicate with Nutanix AHV Plug-in Veeam Ba for Veeam Backup & Replication. https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 7/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere ckup & Re This port is opened by default after you plication install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. oVirt KVM TCP 8544 Port used by the Plug-in for Veeam Backup & Replication console to Veeam Ba communicate with oVirt KVM Plug-in ckup & Re for Veeam Backup & Replication. plication This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. Proxmox TCP 8545 Port used by the Virtual Veeam Backup & Replication console to Environm communicate with Proxmox Virtual ent Plug- Environment Plug-in for in for Veeam Backup & Replication. Veeam Ba This port is opened by default after you ckup & Re install Veeam Backup & Replication. If plication you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. AWS Plug- TCP 9402 Port used by the in for Veeam Backup & Replication console to Veeam Ba communicate with AWS Plug-in for ckup & Re Veeam Backup & Replication. 
plication https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 8/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. Google TCP 9403 Port used by the Cloud Veeam Backup & Replication console to Plug-in for communicate with Google Cloud Plug- Veeam Ba in for Veeam Backup & Replication. ckup & Re This port is opened by default after you plication install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. Kasten TCP 9404 Port used by the Plug-in for Veeam Backup & Replication console to Veeam Ba communicate with Kasten Plug-in for ckup & Re Veeam Backup & Replication. plication This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. Microsoft TCP 20443 Port used by the Azure Veeam Backup & Replication console to Plug-in for communicate with Microsoft Azure Veeam Ba Plug-in for ckup & Re Veeam Backup & Replication. plication https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 9/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere This port is opened by default after you install Veeam Backup & Replication. If you do not use the plug-in, it is still recommended that you keep this port open to speed up the Veeam Backup & Replication console loading time. Backup Proxy The following table describes network ports that must be opened to ensure proper communication of backup proxies with other backup components. 
For more information about ports that must be opened between the backup proxy and specific backup repository, see Backup Repositories. From To Protocol Port Notes 445 Required for deploying 135 Veeam Backup & Replication Communication with Backup Server Backup Backup server proxy TCP (Microsoft components. Windows) TCP 6160 Default port used by Veeam Installer Service. TCP 6162 Default port used by Veeam Data Mover Service. TCP 49152 to Dynamic RPC port range for Microsoft 65535 Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 10/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. Backup TCP 22 proxy Default SSH port used as a control channel. (Linux) TCP 6160 Default port used by Veeam Installer Service for Linux. TCP 6162 Default port used by Veeam Data Mover Service. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings. Backup TCP proxy 2500 to Default range of ports used as data 3300 transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. 
Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 11/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. TCP 6210 Default port used by the Veeam Backup VSS Integration Service for taking a VSS snapshot during the SMB file share backup. Backup Backup proxy server TCP 2500 to Default range of ports used for malware 3300 detection metadata transfer. 443 Default VMware web service port that Communication with Virtualization Servers Backup vCenter proxy Server ESXi TCP can be customized in vCenter settings. TCP 902 server Default VMware port used for data transfer. This port is not required for VMware Cloud on AWS. TCP 443 Default VMware web service port that can be customized in ESXi host settings. Not required if vCenter connection is used. This port is not required for VMware Cloud on AWS. Other Communications Backup Gateway proxy server TCP https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 2500 to Default range of ports used as 3300 transmission channels. For every TCP 12/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Backup TCP proxy 2500 to Default range of ports used as 3300 transmission channels for replication jobs. For every TCP connection that a job uses, one port from this range is assigned. 
Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Gateway Server The following table describes network ports that must be opened to ensure proper communication with gateway servers. For more information about ports that must be opened between the gateway server and specific backup repository, see Backup Repositories. From To Protocol https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 Port Notes 13/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Backup Gateway server server TCP 445 Required for deploying 135 Veeam Backup & Replication (Microsoft components. Windows) TCP 6160 Default port used by Veeam Installer Service. TCP 6162 Default port used by Veeam Data Mover Service. Gateway TCP 22 server Default SSH port used as a control channel. (Linux) TCP 6160 Default port used by Veeam Installer Service for Linux. TCP 6162 Default port used by Veeam Data Mover Service. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings. Gateway TCP server 2500 to Default range of ports used as 3300 transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 14/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere from version 10.0, without upgrade from previous versions. 
If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Backup Gateway proxy server TCP 2500 to Default range of ports used as 3300 transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Backup Repositories Microsoft Windows/Linux-based Backup Repository NFS Backup Repository SMB Backup Repository Dell Data Domain System ExaGrid HPE StoreOnce Quantum DXi Fujitsu ETERNUS CS800 Infinidat InfiniGuard Veeam Data Cloud Vault https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 15/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Object Storage Repository External Repository Archive Object Storage Repository Microsoft Windows/Linux-based Backup Repository The following table describes network ports that must be opened to ensure proper communication with Microsoft Windows/Linux-based backup repositories. From To Protocol Port Notes Backup Backup TCP 445 Required for deploying server repository 135 Veeam Backup & Replication (Microsoft components. Windows) TCP 6160 Default port used by Veeam Installer Service. TCP 6162 Default port used by Veeam Data Mover Service. TCP 49152 to Dynamic RPC port range for Microsoft 65535 Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. 
If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 16/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. Backup TCP 22 repository Default SSH port used as a control channel. (Linux) TCP 6160 Default port used by Veeam Installer Service for Linux. TCP 6162 Default port used by Veeam Data Mover Service. You can specify a different port while adding the Linux server to the Veeam Backup & Replication infrastructure. Note that you can specify a different port only if there is no previously installed Veeam Data Mover on this Linux server. For more information, see Specify Credentials and SSH Settings. TCP 2500 to Default range of ports used as 3300 transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 17/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Backup Backup repository server TCP 2500 to Default range of ports used as 3300 transmission channels for copy backup (Linux) operations if the backup server is used as the target backup repository. These ports are also required for file copy operations between the Linux backup repository and the backup server. For every TCP connection that a job uses, one port from this range is assigned. 
Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Veeam TCP 443 Used by backup repositories created Update with the Veeam Hardened Repository Repositor ISO to download security and operating y system updates. Veeam Update Repository endpoints: repository.veeam.com Backup Backup proxy repository TCP 2500 to Default range of ports used as 3300 transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 18/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Source Target backup backup repository repository TCP 2500 to Default range of ports used as 3300 transmission channels for backup copy jobs and copy backup operations. For every TCP connection that a job uses, one port from this range is assigned. If the backup copy job utilizes WAN accelerators, make sure that ports specific for WAN accelerators are opened. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. NFS Backup Repository The following table describes network ports that must be opened to ensure proper communication with NFS shares added as backup repositories. From To Protocol Port Notes Gateway NFS TCP, UDP 111, 2049 Standard NFS ports. 
Port 111 is used by server or backup backup repository proxy the port mapper service. Also used as a transmission channel from the gateway server to the target NFS backup repository if a gateway https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 19/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere server is specified explicitly in NFS backup repository settings. Gateway NFS server or backup backup repository proxy (NFS v3) TCP, UDP TCP, UDP mountd_p Dynamic port used for mountd service. ort Can be assigned statically. statd_port Dynamic port used for statd service. Can be assigned statically. TCP, UDP lockd_port Dynamic port used for lockd service. Can be assigned statically. SMB Backup Repository The following table describes network ports that must be opened to ensure proper communication with SMB (CIFS) shares added as backup repositories. From To Protocol Port Notes Gateway SMB TCP 445 Used as a transmission channel from server or (CIFS) the gateway server to the target SMB backup backup (CIFS) backup repository if a gateway proxy repository server is specified explicitly in SMB (Microsoft (CIFS) backup repository settings. Windows) Dell Data Domain System For more information, see Dell Documents. From To Protocol Port Notes Backup Dell Data TCP 111 Port used to assign a random port for server or Domain the mountd service used by NFS and gateway DDBOOST. Mountd service port can be server statically assigned. https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 20/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere TCP 2049 Main port used by NFS. Can be modified using the ‘nfs set server-port’ command. Command requires SE mode. TCP 2052 Main port used by NFS MOUNTD. Can be modified using the 'nfs set mountdport' command in SE mode. ExaGrid From To Protocol Port Notes Backup ExaGrid TCP 22 Default command port used for server Backup communication with ExaGrid. 
ExaGrid TCP proxy 2500 to Default range of ports used for 3300 communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. HPE StoreOnce From To Protocol https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 Port Notes 21/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Backup HPE server StoreOnce TCP 9387 Default command port used for communication with HPE StoreOnce. or gateway 9388 server Default data port used for communication with HPE StoreOnce. Quantum DXi From To Protocol Port Notes Backup Quantum TCP 22 Default command port used for server DXi communication with Quantum DXi. Backup Quantum proxy DXi TCP 2500 to Default range of ports used for 3300 communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. Fujitsu ETERNUS CS800 From To Protocol https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 Port Notes 22/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere Backup Fujitsu server ETERNUS communication with Fujitsu CS800 ETERNUS CS800. Backup Fujitsu proxy ETERNUS TCP TCP 22 Default command port used for 2500 to Default range of ports used for 3300 communication with the backup CS800 proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. 
Infinidat InfiniGuard From To Protocol Port Notes Backup Infinidat TCP 22 Default command port used for server InfiniGuar communication with Infinidat d InfiniGuard. Backup Infinidat proxy InfiniGuar TCP d 2500 to Default range of ports used for 3300 communication with the backup proxy. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 23/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere product, the range of ports from 2500 to 5000 applies to the already added components. Veeam Data Cloud Vault The following table describes network ports and endpoints that must be opened to ensure proper communication with Veeam Data Cloud Vault. Note that a connection between the backup server and Veeam License Update Server is also required. For more information, see Backup Server. From To Protocol Port Notes Backup Veeam TCP 443 Used to communicate with the server Data Microsoft Azure object storage Cloud through the following endpoints: Vault <storageaccount>.blob.core.wind ows.net <storageaccount>.blob.storage.a zure.net Consider that the <storageaccount> part of the address must be replaced with the location name of your storage account. You can find the location name in the Cloud Management > Vault Subscriptions section of your Veeam Data Cloud account. 80 Used to verify the certificate status through the following endpoints: ocsp.digicert.com ocsp.msocsp.com Consider that certificate verification endpoints (CRL URLs and OCSP https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 24/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere servers) are subject to change. 
You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points Authority Information Access Gateway Veeam TCP 443 server Data Microsoft Azure object storage Cloud through the following endpoints: Vault Used to communicate with the <storageaccount>.blob.core.wind ows.net <storageaccount>.blob.storage.a zure.net Consider that the <storageaccount> part of the address must be replaced with the location name of your storage account. You can find the location name in the Cloud Management > Vault Subscriptions section of your Veeam Data Cloud account. 80 Used to verify the certificate status through the following endpoints: ocsp.digicert.com ocsp.msocsp.com Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 25/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere CRL Distribution Points Authority Information Access Object Storage Repository The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories. For more information, see Object Storage Repository. From To Protocol Port Notes Gateway Backup TCP 2500 to Default range of ports used as server proxy 3300 transmission channels. For every TCP (direct connection that a job uses, one port connectio from this range is assigned. n)/Gatewa Note: This range of ports applies to y server or newly installed backup Veeam Backup & Replication starting server from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. 
Backup Amazon TCP proxy S3 object S3 object storage through the following (direct storage endpoints: connectio n)/Gatewa y server or backup server 443 Used to communicate with the Amazon *.amazonaws.com (for both Global and Government regions) *.amazonaws.com.cn (for China region) All AWS service endpoints are specified in the AWS documentation. https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 26/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere 80 Used to verify the certificate status through the following endpoints: *.amazontrust.com Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points Authority Information Access Microsoft TCP 443 Used to communicate with the Azure Microsoft Azure object storage through object the following endpoints: storage <storageaccount>.blob.core.windows .net (for Global region) <storageaccount>.blob.storage.azur e.net (for Global region) <storageaccount>.blob.core.chinacl oudapi.cn (for China region) <storageaccount>.blob.core.usgovcl oudapi.net (for Government region) Consider that the <storageaccount> part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. 80 Used to verify the certificate status through the following endpoints: https://helpcenter.veeam.com/docs/backup/vsphere/used_ports.html?ver=120 27/97 30/5/25, 15:48 Ports - User Guide for VMware vSphere ocsp.digicert.com ocsp.msocsp.com Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points Authority Information Access For more details, see also this Microsoft article. 
| | Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage through the following endpoints: `storage.googleapis.com`. All cloud endpoints are specified in this Google article. |
| | | | 80 | Used to verify the certificate status through the following endpoints: `ocsp.pki.goog`, `pki.goog`, `crl.pki.goog`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. |
| | IBM Cloud object storage | TCP | Depends on device configuration | Used to communicate with IBM Cloud object storage. |
| | S3 compatible object storage | TCP | Depends on device configuration | Used to communicate with S3 compatible object storage. |

External Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with external repositories. For more information, see External Repository.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Source object storage repository | Gateway server or backup server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Gateway server or backup server | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints: `*.amazonaws.com` (for both Global and Government regions), `*.amazonaws.com.cn` (for China region). All AWS service endpoints are specified in the AWS documentation. |
| | | | 80 | Used to verify the certificate status through the following endpoints: `*.amazontrust.com`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. |
| | Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints: `<storageaccount>.blob.core.windows.net` (for Global region), `<storageaccount>.blob.storage.azure.net` (for Global region), `<storageaccount>.blob.core.chinacloudapi.cn` (for China region), `<storageaccount>.blob.core.usgovcloudapi.net` (for Government region). Consider that the `<storageaccount>` part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. |
| | | | 80 | Used to verify the certificate status through the following endpoints: `ocsp.digicert.com`, `ocsp.msocsp.com`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. For more details, see also this Microsoft article. |
| | Google Cloud storage | TCP | 443 | Used to communicate with Google Cloud storage through the following endpoints: `storage.googleapis.com`. All cloud endpoints are specified in this Google article. |
| | | | 80 | Used to verify the certificate status through the following endpoints: `ocsp.pki.goog`, `pki.goog`, `crl.pki.goog`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. |

Archive Object Storage Repository

The following table describes network ports and endpoints that must be opened to ensure proper communication with object storage repositories used as a part of Archive Tier. For more information, see Archive Tier.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Gateway server or backup server | Amazon EC2 helper appliance | TCP | 443 | Used by default to communicate with the Amazon EC2 helper appliance through public/private IPv4 addresses of EC2 appliances. If you use Amazon S3 Glacier object storage, the gateway server should have direct connection to AWS service endpoints. HTTP/HTTPS proxy servers are not supported. If there is no gateway server selected, the backup server will be used as a gateway server. |
| | | TCP | 22 | Default SSH port used as a control channel. |
| | Microsoft Azure proxy appliance | TCP | 443 | Used by default to communicate with the Microsoft Azure helper appliance through public/private IPv4 addresses of Azure appliances. If there is no gateway server selected, the backup server will be used as a gateway server. |
| | | TCP | 22 | Default SSH port used as a control channel. |
| Amazon EC2 helper appliance | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints: `*.amazonaws.com` (for both Global and Government regions), `*.amazonaws.com.cn` (for China region). All AWS service endpoints are specified in the AWS documentation. |
| | | TCP | 80 | Used to verify the certificate status through the following endpoints: `*.amazontrust.com`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. |
| Microsoft Azure proxy appliance | Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints: `<storageaccount>.blob.core.windows.net` (for Global region), `<storageaccount>.blob.storage.azure.net` (for Global region), `<storageaccount>.blob.core.chinacloudapi.cn` (for China region), `<storageaccount>.blob.core.usgovcloudapi.net` (for Government region). Consider that the `<storageaccount>` part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. |
| | | TCP | 80 | Used to verify the certificate status through the following endpoints: `ocsp.digicert.com`, `ocsp.msocsp.com`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. For more details, see also this Microsoft article. |

Storage Systems

- Dell VNX(e) Storage
- Dell Unity XT, Unity Storage
- Dell PowerScale (Formerly Isilon) Storage
- HPE 3PAR StoreServ Storage
- HPE Alletra MP, Alletra 9000, Primera Storage
- HPE StoreVirtual (formerly LeftHand/P4000 Series) and StoreVirtual VSA Storage
- HPE Alletra 5000, Alletra 6000, Nimble Storage
- Lenovo ThinkSystem DM/DG Series Storage
- NetApp ONTAP Storage
- Nutanix Files Storage
- Universal Storage API Integrated System

Dell VNX(e) Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | VNX File | TCP | 22 | Default command port used for communication with Dell VNX File over SSH. |
| | VNX Block, VNXe | TCP | 443 | Default port used for communication with Dell VNX Block/Dell VNXe over HTTPS and sending REST API calls. |
| Backup proxy | VNX Block, VNXe | TCP | 3260 | Default iSCSI target port. |
| | VNX File, VNXe | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |

Dell Unity XT, Unity Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Dell Unity XT/Unity storage system | TCP | 443 | Default port used for communication with Dell Unity XT/Unity over HTTPS and sending REST API calls. |
| Backup proxy | Dell Unity XT/Unity storage system | TCP | 3260 | Default iSCSI target port. |
| | | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |

Dell PowerScale (Formerly Isilon) Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Dell PowerScale storage system | TCP | 8080 | Default port used for communication with Dell PowerScale over HTTPS and sending REST API calls. |
| Backup proxy | Dell PowerScale storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | | TCP | 445 | Standard SMB port. |

HPE 3PAR StoreServ Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | HPE 3PAR StoreServ storage system | TCP | 8008 | Default port used for communication with HPE 3PAR StoreServ over HTTP. |
| | | TCP | 8080 | Default port used for communication with HPE 3PAR StoreServ over HTTPS. |
| | | TCP | 22 | Default command port used for communication with HPE 3PAR StoreServ over SSH. |
| Backup proxy | HPE 3PAR StoreServ storage system | TCP | 3260 | Default iSCSI target port. |

HPE Alletra MP, Alletra 9000, Primera Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | HPE Alletra MP/Alletra 9000/Primera storage system | TCP | 443 | Default port used for communication with HPE Alletra MP/Alletra 9000/Primera over HTTPS. |
| | | TCP | 22 | Default command port used for communication with HPE Alletra MP/Alletra 9000/Primera over SSH. |
| Backup proxy | HPE Alletra MP/Alletra 9000/Primera storage system | TCP | 3260 | Default iSCSI target port. |

HPE StoreVirtual (formerly LeftHand/P4000 Series) and StoreVirtual VSA Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | HPE StoreVirtual/LeftHand/P4000 series storage system | TCP | 16022 | Default command port used for communication with HPE StoreVirtual/LeftHand/P4000 series. |
| Backup proxy | HPE StoreVirtual/LeftHand/P4000 series storage system | TCP | 3260 | Default iSCSI target port. |

HPE Alletra 5000, Alletra 6000, Nimble Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | HPE Alletra 5000/Alletra 6000/Nimble storage system | TCP | 5392 | Default command port used for communication with HPE Alletra 5000/Alletra 6000/Nimble. |
| Backup proxy | HPE Alletra 5000/Alletra 6000/Nimble storage system | TCP | 3260 | Default iSCSI target port. |

Lenovo ThinkSystem DM/DG Series Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Lenovo ThinkSystem DM/DG Series storage system | TCP | 80 | Default command port used for communication with Lenovo ThinkSystem DM/DG Series over HTTP. |
| | | TCP | 443 | Default command port used for communication with Lenovo ThinkSystem DM/DG Series over HTTPS. |
| Backup proxy | Lenovo ThinkSystem DM/DG Series storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | | TCP | 445 | Standard SMB port. |
| | | TCP | 3260 | Default iSCSI target port. |

NetApp ONTAP Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | NetApp ONTAP storage system | TCP | 80 | Default command port used for communication with NetApp ONTAP over HTTP. |
| | | TCP | 443 | Default command port used for communication with NetApp ONTAP over HTTPS. |
| Backup proxy | NetApp ONTAP storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | | TCP | 445 | Standard SMB port. |
| | | TCP | 3260 | Default iSCSI target port. |

Nutanix Files Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Nutanix Files storage system | TCP | 9440 | Default port used for communication with Nutanix Files and sending REST API calls. |
| Backup proxy | Nutanix Files storage system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | | TCP | 445 | Standard SMB port. |

Universal Storage API Integrated System

The following tables describe network ports that must be opened to ensure proper communication with Universal Storage API integrated systems:

- DataCore SANsymphony
- Dell SC Series
- Dell PowerMax
- Dell PowerStore
- Fujitsu ETERNUS DX/AF
- Hitachi VSP/VSP One Block
- HPE XP
- IBM FlashSystem (formerly Spectrum Virtualize) Storage
- INFINIDAT InfiniBox
- NEC Storage M Series
- NEC Storage V Series
- NetApp SolidFire/HCI
- Pure Storage FlashArray
- Tintri IntelliFlash (formerly Western Digital IntelliFlash, Tegile)

DataCore SANsymphony

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | DataCore SANsymphony storage system | TCP | 443 | Default command port used for communication with DataCore SANsymphony over HTTPS. |
| Backup proxy | DataCore SANsymphony storage system | TCP | 3260 | Default iSCSI target port. |

Dell SC Series

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Dell SC Series storage system | TCP | 3033 | Default command port used for communication with Dell SC Series over HTTPS. |
| Backup proxy | Dell SC Series storage system | TCP | 3260 | Default iSCSI target port. |

Dell PowerMax

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Dell PowerMax storage system | TCP | 8443 | Default command port used for communication with Dell PowerMax over HTTPS. |
| Backup proxy | Dell PowerMax storage system | TCP | 3260 | Default iSCSI target port. |

Dell PowerStore

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Dell PowerStore storage system | TCP | 443 | Default command port used for communication with Dell PowerStore over HTTPS. |
| Backup proxy | Dell PowerStore storage system | TCP | 3260 | Default iSCSI target port. |

Fujitsu ETERNUS DX/AF

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Fujitsu ETERNUS DX/AF storage system | TCP | 22 | Default command port used for communication with Fujitsu ETERNUS DX/AF over SSH. |
| Backup proxy | Fujitsu ETERNUS DX/AF storage system | TCP | 3260 | Default iSCSI target port. |

Hitachi VSP/VSP One Block

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Hitachi VSP/VSP One Block storage system | TCP | 443 | Default command port used for communication with Hitachi VSP/VSP One Block over HTTPS. |
| Backup proxy | Hitachi VSP/VSP One Block storage system | TCP | 3260 | Default iSCSI target port. |

HPE XP

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | HPE XP storage system | TCP | 443 | Default command port used for communication with HPE XP over HTTPS. |
| Backup proxy | HPE XP storage system | TCP | 3260 | Default iSCSI target port. |

IBM FlashSystem (formerly Spectrum Virtualize) Storage

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | IBM FlashSystem storage system | TCP | 22 | Default command port used for communication with IBM FlashSystem over SSH. |
| Backup proxy | IBM FlashSystem storage system | TCP | 3260 | Default iSCSI target port. |

INFINIDAT InfiniBox

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | INFINIDAT InfiniBox storage system | TCP | 443 | Default command port used for communication with INFINIDAT InfiniBox over HTTPS. |
| Backup proxy | INFINIDAT InfiniBox storage system | TCP | 3260 | Default iSCSI target port. |

NEC Storage M Series

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | NEC Storage M Series storage system | TCP | 22 | Default command port used for communication with NEC Storage M Series over SSH. |
| Backup proxy | NEC Storage M Series storage system | TCP | 3260 | Default iSCSI target port. |

NEC Storage V Series

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | NEC Storage V Series storage system | TCP | 443 | Default command port used for communication with NEC Storage V Series over HTTPS. |
| Backup proxy | NEC Storage V Series storage system | TCP | 3260 | Default iSCSI target port. |

NetApp SolidFire/HCI

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | NetApp SolidFire/HCI storage system | TCP | 443 | Default command port used for communication with NetApp SolidFire/HCI over HTTPS. |
| Backup proxy | NetApp SolidFire/HCI storage system | TCP | 3260 | Default iSCSI target port. |

Pure Storage FlashArray

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Pure Storage FlashArray system | TCP | 443 | Default command port used for communication with Pure Storage FlashArray over HTTPS. |
| Backup proxy | Pure Storage FlashArray system | TCP | 3260 | Default iSCSI target port. |

Tintri IntelliFlash (formerly Western Digital IntelliFlash, Tegile)

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Tintri IntelliFlash system | TCP | 443 | Default command port used for communication with Tintri IntelliFlash over HTTPS. |
| Backup proxy | Tintri IntelliFlash system | TCP | 3260 | Default iSCSI target port. |
| | Tintri IntelliFlash system | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |

Unstructured Data Backup Components

The following tables describe network ports that must be opened to ensure proper communication between unstructured data backup components.

- File Share Connections
- Cache Repository Connections
- Archive Repository Connections

File Share Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup proxy | File server | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| | NAS filer (NetApp Data ONTAP or Lenovo ThinkSystem DM/DG Series storage system) | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | | TCP | 445 | Standard SMB port. |
| | | TCP | 3260 | Default iSCSI target port. |
| | | TCP | 80, 443 | Used by NetApp SnapDiff when changed file tracking (CFT) is enabled. |
| | NAS filer (Dell PowerScale (formerly Isilon) or Nutanix Files storage system) | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | | TCP | 445 | Standard SMB port. |
| Backup proxy or tape server | NFS share | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | SMB share | TCP | 445 | Standard SMB port. |
| | Amazon S3 object storage | TCP | 443 | Used to communicate with the Amazon S3 object storage through the following endpoints: `*.amazonaws.com` (for both Global and Government regions), `*.amazonaws.com.cn` (for China region). All AWS service endpoints are specified in the AWS documentation. |
| | | TCP | 80 | Used to verify the certificate status through the following endpoints: `*.amazontrust.com`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. |
| | Microsoft Azure object storage | TCP | 443 | Used to communicate with the Microsoft Azure object storage through the following endpoints: `<storageaccount>.blob.core.windows.net` (for Global region), `<storageaccount>.blob.storage.azure.net` (for Global region), `<storageaccount>.blob.core.chinacloudapi.cn` (for China region), `<storageaccount>.blob.core.usgovcloudapi.net` (for Government region). Consider that the `<storageaccount>` part of the address must be replaced with your actual storage account URL that can be found in the Azure management portal. |
| | | TCP | 80 | Used to verify the certificate status through the following endpoints: `ocsp.digicert.com`, `ocsp.msocsp.com`. Consider that certificate verification endpoints (CRL URLs and OCSP servers) are subject to change. You can find the actual list of addresses in the certificate details in the following fields: CRL Distribution Points, Authority Information Access. For more details, see also this Microsoft article. |
| | S3 compatible object storage | TCP | Depends on device configuration | Used to communicate with S3 compatible object storage. |

Cache Repository Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup proxy | Cache repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Cache repository | Backup proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| | Primary or secondary backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels for file share backup restore jobs. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

Archive Repository Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Primary backup repository | Archive repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

Tape Server

The following table describes network ports that must be opened to ensure proper communication with tape servers.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Tape server | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
| | | TCP | 2500 to 3300 | Default range of ports used as data transmission channels and for collecting log files. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| | | TCP | 6160 | Default port used by Veeam Installer Service. |
| | | TCP | 6162 | Default port used by Veeam Data Mover Service. |
| | | TCP | 6166 | Controlling port for RPC calls. |
| | | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| Tape server | Backup server | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| | Backup repository or gateway server | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| | NFS share | TCP, UDP | 111, 2049 | Standard NFS ports. Port 111 is used by the port mapper service. |
| | SMB share | TCP | 445 | Standard SMB port. |

WAN Accelerator

The following table describes network ports that must be opened to ensure proper communication between WAN accelerators used in backup copy jobs and replication jobs.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | WAN accelerator (source and target) | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
| | | TCP | 6160 | Default port used by Veeam Installer Service. |
| | | TCP | 6162 | Default port used by Veeam Data Mover Service. |
| | | TCP | 6164 | Controlling port for RPC calls. |
| | | TCP | 6220 | Port used for traffic control (throttling) for tenants that use WAN accelerators. This port is required only in the Veeam Cloud Connect infrastructure. |
| | | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| WAN accelerator (target) | Backup repository (target) | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| WAN accelerator (source) | Backup repository (source) | TCP | 2500 to 3300 | Default range of ports used as data transmission channels. For every TCP connection that a job uses, one port from this range is selected dynamically. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| WAN accelerator (source and target) | WAN accelerator (source and target) | TCP | 6164 | Controlling port for RPC calls. |
| | | TCP | 6165 | Default port used for data transfer between WAN accelerators. Ensure this port is open in firewall between sites where WAN accelerators are deployed. |
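
An added example, not part of the Veeam guide: a Python audit that compares a firewall allow-list with the WAN accelerator flows listed above and reports both missing ports and ports opened beyond what the table requires. The role labels, the `Flow` type, the function names and the sample rule set are constructed for illustration, and source and target sites are collapsed into one role each.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One allowed or required flow: roles, protocol, inclusive port range."""
    src: str
    dst: str
    proto: str
    lo: int
    hi: int


# Role labels are assumptions made for this example.
BS, WAN, REPO = "backup-server", "wan-accelerator", "backup-repository"


def required_wan_flows(upgraded=False, cloud_connect=False,
                       custom_windows_firewall=False):
    """Required flows, taken from the WAN Accelerator table.

    upgraded: components added before an upgrade keep the 2500-5000 range.
    cloud_connect: port 6220 is required only in Veeam Cloud Connect.
    custom_windows_firewall: with non-default Windows firewall settings the
        dynamic RPC range has to be opened manually.
    """
    data_hi = 5000 if upgraded else 3300
    flows = [Flow(BS, WAN, "tcp", p, p) for p in (135, 445, 6160, 6162, 6164)]
    if cloud_connect:
        flows.append(Flow(BS, WAN, "tcp", 6220, 6220))
    if custom_windows_firewall:
        flows.append(Flow(BS, WAN, "tcp", 49152, 65535))
    flows.append(Flow(WAN, REPO, "tcp", 2500, data_hi))
    flows += [Flow(WAN, WAN, "tcp", p, p) for p in (6164, 6165)]
    return flows


def uncovered(target, allowed):
    """Return the sub-ranges of `target` that no flow in `allowed` covers."""
    spans = sorted((a.lo, a.hi) for a in allowed
                   if (a.src, a.dst, a.proto) == (target.src, target.dst, target.proto))
    gaps, cursor = [], target.lo
    for lo, hi in spans:
        if hi < cursor:          # span lies entirely below what is left to cover
            continue
        if lo > target.hi:       # remaining spans start above the target range
            break
        if lo > cursor:          # hole between the covered part and this span
            gaps.append((cursor, lo - 1))
        cursor = hi + 1
        if cursor > target.hi:
            break
    if cursor <= target.hi:
        gaps.append((cursor, target.hi))
    return gaps


def audit(rules, required):
    """Return (missing, excess): required ports no rule allows, and allowed
    ports that no requirement justifies (least-privilege check)."""
    missing = {f: g for f in required if (g := uncovered(f, rules))}
    excess = {r: g for r in rules if (g := uncovered(r, required))}
    return missing, excess


# Constructed sample allow-list, as might be exported from a third-party firewall.
RULES = [
    Flow(BS, WAN, "tcp", 135, 135),
    Flow(BS, WAN, "tcp", 445, 445),
    Flow(BS, WAN, "tcp", 6160, 6164),   # range rule: wider than the table needs
    Flow(WAN, REPO, "tcp", 2500, 3300),
    Flow(WAN, WAN, "tcp", 6164, 6165),
]

if __name__ == "__main__":
    for label, kwargs in (("fresh install", {}), ("upgraded", {"upgraded": True})):
        missing, excess = audit(RULES, required_wan_flows(**kwargs))
        print(label, "missing:", missing, "excess:", excess)
```

Run against the sample rules, the fresh-install profile has no missing ports but flags 6161 and 6163 as opened without need, while the upgraded profile reports 3301 to 5000 as missing on the data channel.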

Guest Processing Components

Connections with Non-Persistent Runtime Components

The following tables describe network ports that must be opened to ensure proper communication of the backup server and backup infrastructure components with the non-persistent runtime components deployed inside the VM guest OS for application-aware processing and indexing.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. |
| | Guest interaction proxy | TCP | 6190 | Used for communication with the guest interaction proxy. |
| | | TCP | 6290 | Used as a control channel for communication with the guest interaction proxy. |
| | | TCP | 445 | Port used as a transmission channel. |
| Guest interaction proxy | ESXi server | TCP | 443 | Default port used for connections to ESXi host. [For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by vCenter Web Services. |

Network ports described in the following table are NOT required when working in networkless mode over VMware VIX/vSphere Web Services.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Guest interaction proxy | VM guest OS (Microsoft Windows) | TCP | 445, 135 | Required to deploy the runtime coordination process on the VM guest OS. |
| | | TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| | | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Used by the runtime process deployed inside the VM for guest OS interaction (when working over the network, not over VIX API). Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| | VM guest OS (Linux) | TCP | 22 | Default SSH port used as a control channel. |
| | | TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used as transmission channels for log shipping. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

Connections with Persistent Agent Components

The following table describes network ports that must be opened to ensure proper communication of the backup server with the persistent agent components deployed inside the VM guest OS for application-aware processing and indexing.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | VM guest OS (Linux) | TCP | 6160 | Default port used by Veeam Installer Service for Linux. |
| Backup server | VM guest OS (Linux) | TCP | 6162 | Default Management Agent port. Required if it is used as a control channel instead of SSH. |
| Guest interaction proxy | VM guest OS | TCP | 6160, 11731 | Default port and failover port used by Veeam Installer Service. |
| Guest interaction proxy | VM guest OS | TCP | 6173, 2500 | Used by the Veeam Guest Helper for guest OS processing and file-level restore. |

Log Shipping Components

The following tables describe network ports that must be opened to ensure proper communication between log shipping components.

- Log Shipping Server Connections
- MS SQL Guest OS Connections
- Oracle Guest OS Connections
- PostgreSQL Guest OS Connections

Log Shipping Server Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Log shipping server | TCP | 445, 135 | Required for deploying Veeam Backup & Replication components. |
| Backup server | Log shipping server | TCP | 6160 | Default port used by Veeam Installer Service. |
| Backup server | Log shipping server | TCP | 6162 | Default port used by Veeam Data Mover Service. |
| Backup server | Log shipping server | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| Log shipping server | Backup repository or gateway server | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. By default, the log shipping server connects to the backup repository. However, if the target repository uses a gateway server, the connection will be established with that instead. For more information, see Gateway Servers. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

MS SQL Guest OS Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Guest interaction proxy | MS SQL VM guest OS | TCP | 445, 135 | [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. |
| Guest interaction proxy | MS SQL VM guest OS | TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Guest interaction proxy | MS SQL VM guest OS | TCP | 49152 to 65535 | [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| Guest interaction proxy | MS SQL VM guest OS | TCP | 6160, 11731 | [Persistent agent components only] Default port and failover port used by Veeam Installer Service. |
| Guest interaction proxy | MS SQL VM guest OS | TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. |
| MS SQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| MS SQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the MS SQL server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| MS SQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

Oracle Guest OS Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 445, 135 | [Non-persistent runtime components only] Required for deploying Veeam Backup & Replication components including Veeam Log Shipper runtime component. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. |
| Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 49152 to 65535 | [Non-persistent runtime components only] Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 6160, 11731 | [Persistent agent components only] Default port and failover port used by Veeam Installer Service. |
| Guest interaction proxy | Oracle VM guest OS (Microsoft Windows) | TCP | 6167 | Used by the Veeam Log Shipping Service for preparing the database and taking logs. |
| Guest interaction proxy | Oracle VM guest OS (Linux) | TCP | 22 | [Non-persistent runtime components only] Default SSH port used as a control channel. This port is NOT required when working in networkless mode over VMware VIX/vSphere Web Services. |
| Guest interaction proxy | Oracle VM guest OS (Linux) | TCP | 6162 | [Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH. |
| Guest interaction proxy | Oracle VM guest OS (Linux) | TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Oracle VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. These ports are NOT required when working in networkless mode over VMware VIX/vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Oracle VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the Oracle server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Oracle VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

PostgreSQL Guest OS Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Guest interaction proxy | PostgreSQL VM guest OS | TCP | 22 | [Non-persistent runtime components only] Default SSH port used as a control channel. This port is NOT required when working in networkless mode over vSphere Web Services. |
| Guest interaction proxy | PostgreSQL VM guest OS | TCP | 6162 | [Persistent agent components only] Default Management Agent port. Required if it is used as a control channel instead of SSH. |
| Guest interaction proxy | PostgreSQL VM guest OS | TCP | 2500 to 3300 | Default range of ports used for communication with a guest OS. This port is NOT required when working in networkless mode over vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| PostgreSQL VM guest OS | Guest interaction proxy | TCP | 2500 to 3300 | Default range of ports used for communication with a guest interaction proxy. This port is NOT required when working in networkless mode over vSphere Web Services. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| PostgreSQL VM guest OS | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository and transfer log backups. Should be opened if log shipping servers are not used in the infrastructure and the PostgreSQL server has a direct connection to the backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| PostgreSQL VM guest OS | Log shipping server | TCP | 2500 to 3300 | Default range of ports used for communication with a log shipping server and transfer log backups. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

CDP Components

The following table describes network ports that must be opened to ensure proper communication of Veeam CDP components with other backup components.

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| ESXi host (source) | CDP proxy (source) | TCP | 33032 | Default port used as a transmission channel to the source CDP proxy. |
| ESXi host (source) | ESXi host (source) | TCP | 33033 (local) | Port used locally on the source ESXi host for data transfer between I/O filter components. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| ESXi host (source) | ESXi host (source) | TCP | 33035 (local) | Port used locally on the source ESXi host for data transfer between I/O filter components over shared-memory. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| ESXi host (source) | ESXi host (source) | TCP | 33036 | Port used on the source ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy. |
| ESXi host (source) | ESXi host (source) | TCP | 33038 (local) | Port used locally on the source ESXi host for communication between CDP components over HTTPS. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| ESXi host (source) | ESXi host (source) | TCP | 33039 (local) | Port used locally on the source ESXi host for control notifications between I/O filter components. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| CDP proxy (source) | CDP proxy (target) | TCP | 33033 | Default port used as a transmission channel to the target CDP proxy. |
| CDP proxy (source) | ESXi host (source and target) | TCP | 902 | Default VMware port used for data transfer. Used during initial synchronization and restore operations. |
| CDP proxy (source) | vCenter Server (source and target) | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. Used during initial synchronization and restore operations. |
| CDP proxy (target) | ESXi host (target) | TCP | 33032 | Default port used as a transmission channel to the target ESXi host. |
| CDP proxy (target) | ESXi host (source and target) | TCP | 902 | Default VMware port used for data transfer. Used during initial synchronization and restore operations. |
| CDP proxy (target) | vCenter Server (source and target) | TCP | 443 | Default VMware web service port that can be customized in vCenter settings. Used during initial synchronization and restore operations. |
| ESXi host (target) | ESXi host (target) | TCP | 33034 (local) | Port used locally on the target ESXi host for communication between the I/O filter components during failover. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| ESXi host (target) | ESXi host (target) | TCP | 33036 | Port used on the target ESXi host for communication between CDP components over HTTPS without HTTP Reverse Proxy. |
| ESXi host (target) | ESXi host (target) | TCP | 33038 (local) | Port used locally on the target ESXi host for communication between CDP components over HTTPS. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| Backup server | ESXi host (source and target) | TCP | 443 | Port used as a control channel. |
| Backup server | ESXi host (source and target) | TCP | 33035 | Port used to install I/O filter components on the ESXi hosts. |
| Backup server | vCenter Server (source and target) | TCP | 443 | Port used as a control channel. |
| Backup server | CDP proxy (source and target) | TCP | 6182 | Port used as a control channel. |
| Backup server | Backup server | TCP | 9509 (local) | Port used locally on the backup server for communication between Veeam Backup Service and Veeam CDP Coordinator Service. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| ESXi host (source and target) | Backup server | TCP | 33034 | Port used for communication with Veeam CDP Coordinator Service. |
| ESXi host (source and target) | Backup server | TCP | 33035 | Port used to install I/O filter components on the ESXi hosts. |
| vCenter Server (source and target) | Backup server | TCP | 33034 | Port used for communication with Veeam CDP Coordinator Service. |
| vCenter Server (source and target) | Backup server | TCP | 33035 | Port used to install I/O filter components on the vCenter servers. |
| CDP proxy (source and target) | Backup server | TCP | 33034 | Port used for communication with Veeam CDP Coordinator Service. |

Recovery Components

- Guest OS File Recovery
- Veeam vPower NFS Service
- SureBackup
- SureReplica Recovery Verification
- Veeam U-AIR
- Microsoft Active Directory Domain Controller Connections During Application Item Restore
- Microsoft Exchange Server Connections During Application Item Restore
- Microsoft SQL Server Connections During Application Item Restore
- Restore to Amazon EC2
- Restore to Google Cloud
- Restore to Microsoft Azure

Guest OS File Recovery

The following table describes network ports that must be opened to ensure proper communication between components for guest OS file recovery.

- Mount Server Connections
- Helper Appliance Connections
- Helper Host Connections
- Guest OS Connections

Mount Server Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Mount server | Backup server | TCP | 9401 | Used for communication with the Veeam Backup Service. |
| Mount server | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Mount server | ESXi host | TCP | 443 | Default port used for connections to the ESXi host if Windows file-level restore is performed over VIX API. |
| Mount server | vCenter server | TCP | 443 | Default port used for connections to the vCenter server if Windows file-level restore is performed using vCenter Web Services. |
| Mount server | Veeam Signature Update Server | TCP | 443 | Default port used by Veeam Threat Hunter to download information about new malware signatures from the Veeam Signature Update Server over HTTPS. Veeam Signature Update Server endpoints: avupdate.veeam.com |
| Mount server | Mount server | TCP | 6175 (local) | Used locally for communication with the Veeam Threat Hunter Service. Note: Local ports do not require specific firewall rules. Make sure that this port is not used by another software. Otherwise, this can affect Veeam Backup & Replication functionality. |
| Backup server | Mount server | TCP | 445 | Required for deploying Veeam Backup & Replication components. |
| Backup server | Mount server | TCP | 2500 to 3300 | Default range of ports used for communication with a mount server and for collecting log files. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Backup server | Mount server | TCP | 6160 | Default port used by Veeam Installer Service including checking the compatibility between components before starting the recovery process. |
| Backup server | Mount server | TCP | 6162 | Default port used by Veeam Data Mover Service. |
| Backup server | Mount server | TCP | 6170 | Used for communication with a local or remote Mount Service. |
| Backup server | Mount server | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
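
A least-privilege check for the Backup server to Mount server rows above, as an added example (not Veeam code): it compares a manually maintained allow-list with the listed TCP ports and reports what is missing and what is open beyond the table. The host labels `backup-server` and `mount-server`, the rule format and the sample rules are constructed for illustration, and the dynamic RPC range is treated as required, as it would be on a non-default firewall.

```python
"""Audit firewall allow rules against the Backup server -> Mount server table rows."""
from typing import Iterable

Range = tuple[int, int]  # inclusive (low, high) TCP port range

# Transcribed from the "Backup server -> Mount server" rows of the table.
REQUIRED_TCP: list[tuple[int, int, str]] = [
    (445, 445, "deploying Veeam Backup & Replication components"),
    (2500, 3300, "communication with a mount server, log collection"),
    (6160, 6160, "Veeam Installer Service"),
    (6162, 6162, "Veeam Data Mover Service"),
    (6170, 6170, "Mount Service"),
    (49152, 65535, "dynamic RPC range (assumed needed: non-default firewall)"),
]
# Per the table note: components added before an upgrade keep 2500 to 5000.
UPGRADED_TRANSMISSION: Range = (2500, 5000)


def parse_ports(spec: str) -> list[Range]:
    """Parse '445', '2500-3300' or '6160,6162' into inclusive ranges."""
    ranges = []
    for part in spec.split(","):
        low, _, high = part.strip().partition("-")
        lo, hi = int(low), int(high or low)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ranges.append((lo, hi))
    return ranges


def merge(ranges: Iterable[Range]) -> list[Range]:
    """Sort ranges and join the ones that overlap or touch."""
    merged: list[Range] = []
    for lo, hi in sorted(ranges):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return merged


def subtract(a: Iterable[Range], b: Iterable[Range]) -> list[Range]:
    """Return the ports covered by a but not by b."""
    b_merged = merge(b)
    result: list[Range] = []
    for lo, hi in merge(a):
        cur = lo
        for blo, bhi in b_merged:
            if bhi < cur or blo > hi:
                continue  # no overlap with the part still unaccounted for
            if blo > cur:
                result.append((cur, blo - 1))
            cur = bhi + 1
            if cur > hi:
                break
        if cur <= hi:
            result.append((cur, hi))
    return result


def required(upgraded: bool) -> list[Range]:
    """Required ranges; upgraded installs add the wider 2500 to 5000 range."""
    ranges = [(lo, hi) for lo, hi, _ in REQUIRED_TCP]
    if upgraded:
        ranges.append(UPGRADED_TRANSMISSION)
    return merge(ranges)


def audit(rules: list[dict], src: str, dst: str, upgraded: bool = False) -> dict:
    """Compare allowed TCP ports for src -> dst with the table's requirements."""
    allowed = merge(
        r
        for rule in rules
        if (rule["src"], rule["dst"], rule["proto"]) == (src, dst, "tcp")
        for r in parse_ports(rule["ports"])
    )
    need = required(upgraded)
    return {"missing": subtract(need, allowed), "excess": subtract(allowed, need)}


# Constructed sample allow-list (hypothetical host labels and rule format).
SAMPLE_RULES = [
    {"src": "backup-server", "dst": "mount-server", "proto": "tcp", "ports": "445"},
    {"src": "backup-server", "dst": "mount-server", "proto": "tcp", "ports": "2500-5000"},
    {"src": "backup-server", "dst": "mount-server", "proto": "tcp", "ports": "6160,6162"},
    {"src": "backup-server", "dst": "mount-server", "proto": "tcp", "ports": "49152-65535"},
]

if __name__ == "__main__":
    for upgraded in (False, True):
        print(upgraded, audit(SAMPLE_RULES, "backup-server", "mount-server", upgraded))
```

On the sample rules, a fresh installation shows 3301 to 5000 as excess exposure and 6170 as missing, while the same rules on an upgraded installation show only the missing 6170.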

Helper Appliance Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Helper appliance | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Helper appliance | ESXi server | TCP | 443 | Default port used for connections to the ESXi host if restore is performed over VIX API/Web Services. [For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 is required by vSphere Web Services. |
| Backup server | Helper appliance | TCP | 22 | Default SSH port used as a control channel. |
| Backup server | Helper appliance | TCP | 2500 to 3300 | Default range of ports used for communication with a helper appliance. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Mount server | Helper appliance | TCP | 22 | Default SSH port used as a control channel. |
| Mount server | Helper appliance | TCP | 2500 to 3300 | Default range of ports used for communication with a helper appliance. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

Helper Host Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Helper host | Backup repository | TCP | 2500 to 3300 | Default range of ports used for communication with a backup repository. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Helper host | ESXi server | TCP | 443 | Default port used for connections to the ESXi host if restore is performed over VIX API/vSphere Web Services. [For VMware vSphere earlier than 6.5] Not required if vCenter connection is used. In VMware vSphere versions 6.5 and later, port 443 must also be open to vSphere Web Services. |
| Backup server | Helper host | TCP | 22 | Default SSH port used as a control channel. |
| Backup server | Helper host | TCP | 2500 to 3300 | Default range of ports used for communication with a helper host and for collecting log files. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Backup server | Helper host | TCP | 6162 | Default port used by Veeam Data Mover Service. |
| Backup server | Helper host | TCP | 32768 to 60999 | Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation. |
| Mount server | Helper host | TCP | 22 | Default SSH port used as a control channel. |
| Mount server | Helper host | TCP | 2500 to 3300 | Default range of ports used for communication with a helper host. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Mount server | Helper host | TCP | 32768 to 60999 | Dynamic port range for Linux distributions. Used for communication with a helper host. For more information, see the Linux kernel documentation. |

Guest OS Connections

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| VM guest OS (Linux/Unix) | Helper appliance | TCP | 21 | Default port used for protocol control messages if FTP server is enabled. |
| Helper appliance | VM guest OS (Linux/Unix) | TCP | 20 | Default port used for data transfer if FTP server is enabled. |
| Helper appliance | VM guest OS (Linux/Unix) | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Helper host | VM guest OS (Linux/Unix) | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Backup server | VM guest OS (Linux/Unix) | TCP | 22 | Default SSH port used as a control channel. |
| Mount server | VM guest OS (Microsoft Windows) | TCP | 445, 135 | Required to deploy the runtime coordination process on the VM guest OS. |
| Mount server | VM guest OS (Microsoft Windows) | TCP | 6160, 11731 | Default port and failover port used by Veeam Installer Service. |
| Mount server | VM guest OS (Microsoft Windows) | TCP | 6173, 2500 | Used by the Veeam Guest Helper for guest OS processing and file-level restore if persistent agent components are deployed inside the VM guest OS. |
| Mount server | VM guest OS (Microsoft Windows) | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later. For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |
| Backup server | VM guest OS | TCP | 2500 to 3300 | Default range of ports used for communication with a VM guest OS. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

Veeam vPower NFS Service

| From | To | Protocol | Port | Notes |
|---|---|---|---|---|
| Backup server | Microsoft Windows server with the mount server role running vPower NFS Service | TCP | 6160 | Default port used by Veeam Installer Service. |
| Backup server | Microsoft Windows server with the mount server role running vPower NFS Service | TCP | 6161 | Default port used by the Veeam vPower NFS Service. |
| ESXi host | Microsoft Windows server with the mount server role running vPower NFS Service | TCP, UDP | 111 | Standard port used by the port mapper service. |
| ESXi host | Microsoft Windows server with the mount server role running vPower NFS Service | TCP, UDP | 1058+ or 1063+ | Default mount port. The port number depends on where the vPower NFS Service is located: 1058+: If the vPower NFS Service is located on the backup server. 1063+: If the vPower NFS Service is located on a separate Microsoft Windows machine. If port 1058/1063 is occupied, the succeeding port numbers will be used. |
| ESXi host | Microsoft Windows server with the mount server role running vPower NFS Service | TCP, UDP | 2049+ | Standard NFS port. If port 2049 is occupied, the succeeding port numbers will be used. |
| Backup repository or gateway server working with backup repository | Microsoft Windows server with the mount server role running vPower NFS Service | TCP | 2500 to 3300 | Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
| Microsoft Windows server with the mount server role running vPower NFS Service | Backup repository or gateway server working with backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels during Instant Recovery, SureBackup or Linux file-level recovery. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |

SureBackup

The following table describes network ports that must be opened to ensure proper communication between SureBackup components.
| From | To | Protocol | Port | Notes |
| Backup server | Proxy appliance | TCP | 443 | Used for communication with the proxy appliance in the virtual lab. |
|  | Applications on VMs in the virtual lab | — | — | Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response. |
| Internet-facing proxy server | VMs in the virtual lab | TCP | 8080 | Used to let VMs in the virtual lab access the Internet. |
| Microsoft Windows server with the mount server role running vPower NFS Service | Backup repository or gateway server working with backup repository | TCP | 2500 to 3300 | Default range of ports used as transmission channels during SureBackup. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
|  | ESXi server | TCP | 443 | Default port used for connections to ESXi host. |
| Backup repository or gateway server working with backup repository | Microsoft Windows server with the mount server role running vPower NFS Service | TCP | 2500 to 3300 | Default range of ports used as transmission channels during SureBackup. For every TCP connection that a job uses, one port from this range is assigned. Note: This range of ports applies to newly installed Veeam Backup & Replication starting from version 10.0, without upgrade from previous versions. If you have upgraded from an earlier version of the product, the range of ports from 2500 to 5000 applies to the already added components. |
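The mount server rows of the vPower NFS and SureBackup tables above, expressed as a firewall allow-list audit that accounts for the 2500 to 5000 range kept by components added before an upgrade to version 10.0. This is an added example, not Veeam code; the host labels and the sample rule list are constructed for illustration.

```python
# Added example: constructed rule data and hypothetical host labels.
# A flow or rule is (source, destination, protocol, first_port, last_port).

def required_flows(upgraded_from_pre_v10):
    """Mount server flows from the vPower NFS and SureBackup tables.

    The 1058+/1063+ and 2049+ ports move upward when occupied, so they are
    left out here and must be checked against the port actually in use.
    """
    # Components added before an upgrade to 10.0 keep the 2500-5000 range.
    top = 5000 if upgraded_from_pre_v10 else 3300
    return [
        ("backup-server", "mount-server", "tcp", 6160, 6160),  # Installer Service
        ("backup-server", "mount-server", "tcp", 6161, 6161),  # vPower NFS Service
        ("esxi", "mount-server", "tcp", 111, 111),             # port mapper
        ("esxi", "mount-server", "udp", 111, 111),
        ("repository", "mount-server", "tcp", 2500, top),      # data channels
        ("mount-server", "repository", "tcp", 2500, top),
    ]

def uncovered(flow, rules):
    """Return the sub-ranges of flow that no allow rule covers."""
    src, dst, proto, lo, hi = flow
    spans = sorted((r[3], r[4]) for r in rules if r[:3] == (src, dst, proto))
    gaps, cursor = [], lo
    for first, last in spans:
        if last < cursor or first > hi:
            continue
        if first > cursor:
            gaps.append((cursor, first - 1))
        cursor = last + 1
    if cursor <= hi:
        gaps.append((cursor, hi))
    return gaps

def audit(rules, upgraded_from_pre_v10):
    """Map (source, destination, protocol) to the port gaps left closed."""
    report = {}
    for flow in required_flows(upgraded_from_pre_v10):
        gaps = uncovered(flow, rules)
        if gaps:
            report.setdefault(flow[:3], []).extend(gaps)
    return report

# Constructed allow-list for a mount server on a separate Windows machine.
SAMPLE_RULES = [
    ("backup-server", "mount-server", "tcp", 6160, 6161),
    ("esxi", "mount-server", "tcp", 111, 111),
    ("repository", "mount-server", "tcp", 2500, 3300),
    ("mount-server", "repository", "tcp", 2500, 3300),
]
```

On the sample list, `audit(SAMPLE_RULES, False)` reports only the missing UDP 111 rule, while `audit(SAMPLE_RULES, True)` also reports 3301 to 5000 closed in both directions between the mount server and the repository.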
SureReplica Recovery Verification

The following table describes network ports that must be opened to ensure proper communication between SureReplica components.

| From | To | Protocol | Port | Notes |
| Backup server | Proxy appliance | TCP | 443 | Used for communication with the proxy appliance in the virtual lab. |
|  | Applications on VMs in the virtual lab | — | — | Application-specific ports to perform port probing test. For example, to verify a DC, Veeam Backup & Replication probes port 389 for a response. |
| Internet-facing proxy server | VMs in the virtual lab | TCP | 8080 | Used to let VMs in the virtual lab access the Internet. |

Veeam U-AIR

The following table describes network ports that must be opened to ensure proper communication of U-AIR wizards with other components.

| From | To | Protocol | Port | Notes |
| U-AIR wizards | Veeam Backup Enterprise Manager | TCP | 9394 | Used by default for communication with Veeam Backup Enterprise Manager. Can be customized during Veeam Backup Enterprise Manager installation. |

Microsoft Active Directory Domain Controller Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the Microsoft Active Directory VM during application-item restore.

| From | To | Protocol | Port | Notes |
| Backup server | Microsoft Active Directory VM guest OS | TCP | 135 | Used for communication between the domain controller and backup server. |
|  |  | TCP, UDP | 389 | LDAP connections. |
|  |  | TCP | 636, 3268, 3269 | LDAP connections. |
|  |  | TCP | 49152 to 65535 | Dynamic RPC port range for Microsoft Windows 2008 and later used by the runtime coordination process deployed inside the VM guest OS for application-aware processing (when working over the network, not over VIX API). For more information, see this Microsoft KB article. Note: If you use default Microsoft Windows firewall settings, you do not need to configure dynamic RPC ports. During setup, Veeam Backup & Replication automatically creates a firewall rule for the runtime process. If you use firewall settings other than default ones or application-aware processing fails with the "RPC function call failed" error, you need to configure dynamic RPC ports. For more information on how to configure RPC dynamic port allocation to work with firewalls, see this Microsoft KB article. |

Microsoft Exchange Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the Veeam backup server with the Microsoft Exchange Server system during application-item restore.

| From | To | Protocol | Port | Notes |
| Backup server | Microsoft Exchange 2003/2007 CAS Server | TCP | 80, 443 | WebDAV connections. |
|  | Microsoft Exchange 2010/2013/2016/2019 CAS Server | TCP | 443 | Microsoft Exchange Web Services Connections. |

Microsoft SQL Server Connections During Application Item Restore

The following table describes network ports that must be opened to ensure proper communication of the backup server with the VM guest OS system during application-item restore.

| From | To | Protocol | Port | Notes |
| Backup server | Microsoft SQL VM guest OS | TCP | 1433, 1434 and other | Used for communication with the Microsoft SQL Server installed inside the VM. Port numbers depend on the configuration of your Microsoft SQL server. For more information, see this Microsoft article. |
|  |  | UDP | 1434 | Used by the Microsoft SQL Server Browser service. For more information, see this Microsoft article. |
Restore to Amazon EC2

| From | To | Protocol | Port | Notes |
| Backup server or backup repository | Helper appliance | TCP | 22 | Used as a communication channel to the helper appliance. |
|  |  | TCP | 443 | Default redirector port. You can change the port in helper appliance settings. For details, see the Specify Helper Appliance section in Restore to Amazon EC2. |

Restore to Google Cloud

| From | To | Protocol | Port | Notes |
| Backup server or backup repository | Helper appliance | TCP | 22 | Used as a communication channel to the helper appliance. |
|  |  | TCP | 443 | Default redirector port. You can change the port in helper appliance settings. For details, see the Specify Helper Appliance section in Restore to Google Cloud. |

Restore to Microsoft Azure

| From | To | Protocol | Port | Notes |
| Backup server | Helper appliance | TCP | 22 | Used by default as a communication channel to the helper appliance when restoring Linux workloads. Can be changed during helper appliance deployment. For details, see Configuring Helper Appliances. |
|  | Microsoft Azure | TCP | 443 | Default management and data transport port required for communication with Microsoft Azure. |
|  | Azure Windows VM agent distribution server | TCP | 443 | Used by Veeam Backup & Replication to install the Azure Windows VM agent on the restored VM through the following URLs: go.microsoft.com; aka.ms (additional components required for the Azure Windows VM agent installation); github.com (additional components required for the Azure Windows VM agent installation); objects.githubusercontent.com (additional components required for the Azure Windows VM agent installation). Consider that these URLs are subject to change. For more information, see this Microsoft article. |
|  | Azure Stack Hub | TCP | 443, 30024 | Default management and data transport port required for communication with Azure Stack Hub. |
| Backup server or backup repository | Azure restore proxy appliance (former Azure proxy) | TCP | 443 | Default management and data transport port required for communication with the Azure restore proxy appliance. The port must be opened on the backup server and backup repository storing VM backups. Can be changed in the settings of the Azure restore proxy appliance. For details, see Specify Credentials and Transport Port. |

Veeam Backup Enterprise Manager
  Veeam Backup Enterprise Manager Connections

Veeam Explorers
  Veeam Explorer for Microsoft Active Directory Connections
  Veeam Explorer for Microsoft Exchange Connections
  Veeam Explorer for Microsoft SharePoint and Veeam Explorer for Microsoft OneDrive for Business Connections
  Veeam Explorer for Microsoft SQL Server Connections
  Veeam Explorer for Microsoft Teams Connections
  Veeam Explorer for Oracle Connections
  Veeam Explorer for PostgreSQL Connections

Veeam Cloud Connect
  Veeam Cloud Connect Connections

Veeam Agents

Veeam Agent for Microsoft Windows
  Connections for Veeam Agent for Microsoft Windows Operating in Managed Mode
  Connections for Veeam Agent for Microsoft Windows Operating in Standalone Mode

Veeam Agent for Linux
  Connections for Veeam Agent for Linux Operating in Managed Mode
  Connections for Veeam Agent for Linux Operating in Standalone Mode

Veeam Agent for Mac
  Connections for Veeam Agent for Mac Operating in Managed Mode
  Connections for Veeam Agent for Mac Operating in Standalone Mode

Veeam Plug-ins for Enterprise Applications
  Veeam Plug-in for SAP HANA Connections
  Veeam Plug-in for Oracle RMAN Connections
  Veeam Plug-in for SAP on Oracle Connections
  Veeam Plug-in for Microsoft SQL Server Connections

Veeam Plug-ins for Cloud Solutions
  AWS Plug-in for Veeam Backup & Replication
  Microsoft Azure Plug-in for Veeam Backup & Replication
  Google Cloud Plug-in for Veeam Backup & Replication

Kasten
  Veeam Kasten Plug-in for Veeam Backup & Replication

Virtualization Platforms
  Veeam Backup for Oracle Linux Virtualization Manager and Red Hat Virtualization Connections
  Veeam Backup for Nutanix AHV Connections
  Veeam Backup for Proxmox VE Connections

Nutanix Mine with Veeam
  Nutanix Mine with Veeam 4.0 Connections

Other Connections

NDMP Servers

The following table describes network ports that must be opened to ensure proper communication with NDMP servers.

| From | To | Protocol | Port | Notes |
| Gateway server | NDMP server | NDMP | 10000 | Default port used to manage the NDMP server. Note: The port range used for data transfer depends on your NDMP server configuration. For more information, contact your hardware vendor. |

Mail Servers

The following table describes network ports that must be opened to ensure proper communication of the backup server with mail servers.

| From | To | Protocol | Port | Notes |
| Backup server | SMTP server | TCP | 25 | Used by the SMTP server. |
|  |  | TCP | 587 | Used by the SMTP server if SSL is enabled. |
|  | Gmail REST API (gmail.googleapis.com) | TCP | 443 | Used to communicate with Google Mail services. |
|  | Microsoft Graph REST API (graph.microsoft.com, login.microsoftonline.com) | TCP | 443 | Used to communicate with Microsoft Exchange Online organizations. |

Event Forwarding Components

The following table describes network ports that must be opened to ensure proper communication with event forwarding components.

| From | To | Protocol | Port | Notes |
| Backup server | Syslog server | TCP, UDP | 514 | Default port used to communicate with the syslog server. |
|  |  | TLS | 6514 | Default port used to communicate with the syslog server over TLS. |
Internet Connections

If you use an HTTP/HTTPS proxy server to access the Internet, make sure that WinHTTP settings are properly configured on Microsoft Windows machines with Veeam backup infrastructure components. For information on how to configure WinHTTP settings, see Microsoft Docs.

NOTE
Tenants cannot access Veeam Cloud Connect infrastructure components through HTTP/HTTPS proxy servers. For information on supported protocols for Veeam Cloud Connect, see the Ports section in the Veeam Cloud Connect Guide.

Page updated 5/28/2025
Page content applies to build 12.3.1.1139