Firewall and Port Requirements
- Updated on 09 Jun 2022
Introduction
Communication between the Hybrid Extender VM and the Cohesity cluster runs over secure gRPC and is encrypted using mutual TLS. The Hybrid Extender VM handles all outbound traffic from the Cohesity cluster to supported platforms (VMware vCenter, VMware ESXi, and physical servers), and the inbound VMware backup ingest traffic from VMware ESXi (or a physical server) to the Cohesity cluster.
Ports Used by Hybrid Extender
For more information about ports used by Hybrid Extender, see below:
Incoming Traffic
| Source | Destination | Destination Port | Protocol | Usage Notes | Type of Traffic |
|---|---|---|---|---|---|
| Hybrid Extender | DNS | 53 | TCP/UDP | DNS, if an external DNS server is configured | Management |
| Client | Hybrid Extender | | | Serve DNS requests from an external source | |
| SSH client | Hybrid Extender | 22 | TCP | Required for SSH server on Bifrost VM for Bifrost-RT | |
| Hybrid Extender | Organization (Tenant) | 29994 | | The internal port used on the organization's network for debugging and uploading the configuration file on the Hybrid Extender VM | |
| Server | Hybrid Extender | 445 | | Required for SQL servers | Backup and Recovery |
| MS SQL server (any port) | Hybrid Extender | 11113, 11117 | | VDI-based backup and restore of MS SQL database (using RemoteWANSnapFS) | |
| Hybrid Extender | Cohesity Cluster | 11117 | | Required for Hybrid Extender with Oracle SBT | |
| NFS Clients* | Hybrid Extender NFS target | 2049 | | Required for NFS | Data Protection |
| SMB Clients* | Hybrid Extender SMB target | 445 | | SMB filer functionality and SMB and SMB2 restore | Data Access |
| Linux VM | Hybrid Extender | 111, 2049 | | File restore to Linux VM | Recovery |
| ESXi host | | | | File restore to Windows VM | |
*NFS and SMB Clients are currently unsupported by Expedient.
Outgoing Traffic
| Source | Destination | Destination Port | Protocol | Usage Notes | Type of Traffic |
|---|---|---|---|---|---|
| Hybrid Extender | NTP Server | 123 | UDP | NTP, if an external NTP server is configured | Management |
| HTTP client | Hybrid Extender | 80 | TCP | HTTP | |
| Hybrid Extender | ESXi Host | 902 | | Ensure that SSL communication for TCP port 902 to the ESXi host is enabled, otherwise backups will fail | Backup and Recovery |
| | Active Directory | 137 | | Required only when initially joining the Cluster to Active Directory | Management |
| | | 139 | | Required only when initially joining the Cluster to Active Directory (for the NetBIOS session service) | |
| | | 445 | | Required only when initially joining the Cluster to Active Directory | |
| | Kerberos Key Distribution Center (AD) | 88 | TCP/UDP | Required for Kerberos if the cluster is configured to use Active Directory | |
| | LDAP | 389 | | Required if the cluster is configured to use Active Directory or LDAP. | |
| | LDAPS | 636 | | | |
Bidirectional Traffic
| Source | Destination | Destination Port | Protocol | Usage Notes | Type of Traffic |
|---|---|---|---|---|---|
| Hybrid Extender | DHCP Server | 67, 68 | TCP | DHCP, SMB/ICMP | Management |
| | Cohesity cluster | 29991 | | Used in a multi-tenant environment for interaction between the Hybrid Extender and Cohesity cluster | |
| | VMware vCenter, VMware Standalone ESXi Host, VMware vCloud Director, Remote Access Cluster | 443 | | The Cohesity Dashboard uses HTTPS by default, Required for remote access to the Cluster, Required for Pure FlashBlade, Required for HTTPS/HTTPS(TLS) | Backup and Recovery, Replication |
| | Isilon | 443 | | Required for HTTPS connection with Isilon | Backup and Recovery |
| | | 445 | | Required for SMB | |
| | | 111 | TCP/UDP | Required for RPC connection | |
| | | 300, 302, 304, 2049 | | Required for NFS | |
| | | 8080 | | Required for HTTP connection | |
| Generic NAS | Hybrid Extender | 111 | | Required for RPC connection | |
| | | 635, 2049 | | Required for NFS | |
| | | 445 | TCP | Required for SMB | |
| Mount Target | | 111 | TCP/UDP | NFS restores on Linux physical servers | |
| Host | | 50051 | TCP | Linux and Windows physical server backups (Use Node IPs unless VLANs are configured, use VLAN VIPs) | |
| Hybrid Extender | Cohesity cluster | 29991 | | Need this port for communication for Oracle Adapter, and NFS ports for mounting the Backup/Recovery Views | |
| ESXi host | Hybrid Extender | 50051 | | Required for persistent agent workflow for File level recovery and IVM | Recovery |
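
One way to check a firewall policy against these tables is to audit the allow-rules for required flows that are blocked and for rules that open more than the tables call for. The sketch below is an added example, not part of the original article or any Cohesity tooling; the `Rule` shape, the host labels, and the sample rule set are assumptions, and only rows whose source, destination, port and protocol are all stated in the tables are used.

```python
from typing import NamedTuple

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str  # "tcp" or "udp"
    port: int

class Rule(NamedTuple):  # hypothetical allow-rule shape, not a vendor format
    src: str    # host label or "any"
    dst: str
    proto: str  # "tcp", "udp" or "any"
    lo: int     # first port in the allowed range
    hi: int     # last port in the allowed range

# Rows the tables give in full; host labels are stand-ins for real addresses.
REQUIRED = [
    Flow("hybrid-extender", "dns", "tcp", 53),
    Flow("hybrid-extender", "dns", "udp", 53),
    Flow("ssh-client", "hybrid-extender", "tcp", 22),
    Flow("hybrid-extender", "ntp", "udp", 123),
    Flow("http-client", "hybrid-extender", "tcp", 80),
]

def permits(rule, flow):
    return (rule.src in ("any", flow.src) and rule.dst in ("any", flow.dst)
            and rule.proto in ("any", flow.proto)
            and rule.lo <= flow.port <= rule.hi)

def audit(rules, required=REQUIRED):
    """Return (required flows no rule permits, rules broader than needed)."""
    missing = [f for f in required if not any(permits(r, f) for r in rules)]
    too_broad = []
    for r in rules:
        needed_ports = {f.port for f in required if permits(r, f)}
        wildcard = "any" in (r.src, r.dst, r.proto)
        # Flag wildcards and ranges wider than the ports actually required.
        if wildcard or (r.hi - r.lo + 1) > len(needed_ports):
            too_broad.append(r)
    return missing, too_broad

# Constructed rule set: NTP opened on the wrong protocol, plus a catch-all.
SAMPLE_RULES = [
    Rule("hybrid-extender", "dns", "tcp", 53, 53),
    Rule("hybrid-extender", "dns", "udp", 53, 53),
    Rule("ssh-client", "hybrid-extender", "tcp", 22, 22),
    Rule("hybrid-extender", "ntp", "tcp", 123, 123),
    Rule("any", "hybrid-extender", "tcp", 1, 1024),
]

if __name__ == "__main__":
    print(audit(SAMPLE_RULES))
```

With the sample rules, the NTP flow is reported as missing because the rule opens TCP rather than UDP 123, and both that rule and the catch-all range are reported as broader than needed.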