Firewall and Port Requirements
  • 09 Jun 2022
  • Dark
    Light

Firewall and Port Requirements

  • Dark
    Light

Article summary

Introduction

Communication between the Hybrid Extender VM and the Cohesity cluster is over secure gRPC and encrypted using mutual TLS. The Hybrid Extender VM handles all the outbound traffic from the Cohesity cluster to supported platforms (VMware vCenter, VMware ESXi, and to the “physical server”, and the inbound traffic of VMware backup ingest traffic from VMware ESXi (or physical server) to Cohesity cluster.

Ports Used by Hybrid Extender

For more information about ports used by Hybrid Extender, see below:

Incoming Traffic

SourceDestinationDestination PortProtocolUsage NotesType of Traffic
Hybrid ExtenderDNS53TCP/UDPDNS, if an external DNS server is configuredManagement
ClientHybrid ExtenderServe DNS requests from an external source
SSH clientHybrid Extender22TCPRequired for SSH server on Bifrost VM for Bifrost-RT
Hybrid ExtenderOrganization (Tenant)29994The internal port used on the organization's network for debugging and uploading the configuration file on the Hybrid Extender VM
ServerHybrid Extender445Required for SQL serversBackup and Recovery
MS SQL server (any port)Hybrid Extender11113, 11117VDI-based backup and restore of MS SQL database (using RemoteWANSnapFS)
Hybrid ExtenderCohesity Cluster11117Required for Hybrid Extender with Oracle SBT
NFS Clients*Hybrid Extender NFS target2049Required for NFSData Protection
SMB Clients*Hybrid Extender SMB target445SMB filer functionality and SMB and SMB2 restoreData Access
Linux VMHybrid Extender111, 2049File restore to Linux VMRecovery
ESXi hostFile restore to Windows VM

*NFS and SMB Clients are currently unsupported by Expedient.

Outgoing Traffic

SourceDestinationDestination PortProtocolUsage NotesType of Traffic
Hybrid ExtenderNTP Server123UDPNTP, if an external NTP server is configuredManagement
HTTP clientHybrid Extender80TCPHTTP
Hybrid ExtenderESXi Host902Ensure that SSL communication for TCP port 902 to the ESXi host is enabled, otherwise backups will failBackup and Recovery
Active Directory137Required only when initially joining the Cluster to Active DirectoryManagement
139Required only when initially joining the Cluster to Active Directory (for the NetBIOS session service)
445Required only when initially joining the Cluster to Active Directory
Kerberos Key Distribution Center (AD)88TCP/UDPRequired for Keberos if the cluster is configured to use Active Directory
LDAP389Required if the cluster is configured to use Active Directory or LDAP.
LDAPS636

Bidirectional Traffic

SourceDestinationDestination PortProtocolUsage NotesType of Traffic
Hybrid ExtenderDHCP Server67, 68TCPDHCP, SMB/ICMPManagement
Cohesity cluster29991Used in a multi-tenant environment for interaction between the Hybrid Extender and Cohesity cluster
VMware vCenter, VMware Standalone ESXi Host, VMware vCloud Director, Remote Access Cluster443The Cohesity Dashboard uses HTTPS by default, Required for remote access to the Cluster, Required for Pure FlashBlade, Required for HTTPS/HTTPS(TLS)Backup and Recovery, Replication
Isilon443Required for HTTPS connection with Isilon
Backup and Recovery
445Required for SMB
111TCP/UDPRequired for RPC connection
300, 302, 304, 2049Required for NFS
8080Required for HTTP connection
Generic NASHybrid Extender111Required for RPC connection
635, 2049Required for NFS
445TCPRequired for SMB
Mount Target111TCP/UDPNFS restores on Linux physical servers
Host50051TCPLinux and Windows physical server backups (Use Node IPs unless VLANs are configured, use VLAN VIPs)
Hybrid ExtenderCohesity cluster29991Need this port for communication for Oracle Adapter, and NFS ports for mounting the Backup/Recovery Views
ESXi hostHybrid Extender50051Required for persistent agent workflow for File level recovery and IVMRecovery

Was this article helpful?