A common deployment question is which ports must be opened for the access a Unitrends appliance generally requires:
- What Ports does the Unitrends appliance require opened in our firewall?
- My appliance is unable to receive updates.
- Support informed me the tunnel I opened is not accessible.
There are several addresses you should permit for all deployments. All of these ports are outgoing connections from the Unitrends appliance. We do not require incoming NAT of ports or exposing the unit to a public IP; only outgoing communication from a local source Unitrends appliance is needed.
NOTE: NEVER expose the appliance Web UI or SSH connections to open external ports. Doing so may void your support agreement until the appliance can be secured properly. NEVER deploy the Unitrends appliance on a public IP. All incoming ports to a Unitrends appliance MUST be firewall protected.
Product Updates: ALL of the following are REQUIRED to perform standard appliance updates
- updateftp.unitrends.com on FTP and HTTP (ports 20 and 21 and 80 BOTH required)
This is used for the main software repository for updates seen in the update UI.
- repo.unitrends.com on FTP and HTTP and HTTPS (ports 20 and 21, 80 AND 443 ALL required)
This is used to pull updates from a software repository mirror which is closest geographically.
- ftp.unitrends.com on FTP (20 and 21)
This is used for several scripts and utilities in the appliance for proactive management, repository alignment, and used heavily by support. Several components in the appliance automatically check and update from this location. Some updates on the main site will not be available if this second system is not accessible. This address is also used for some services that check daily for critical system messages. Should Unitrends identify a critical defect in a release, we may use files at this location to cause your appliance to prompt critical messages on login. Failure to be able to reach this address may result in failure to communicate critical messages. (We also send those by email, but that is a less reliable technology as you may block, filter, or opt out of such messages.)
Note: The FTP connections are PASV FTP and may require dynamic return ports to be accepted and allocated by your firewall to connect. Most firewalls can be configured to allow ephemeral ports to be dynamically allocated for FTP connections. On firewalls that do not support automatic temporary FTP port assignment, it may be necessary to allow all ports between 49152 and 65535 outgoing to our FTP sites in addition to ports 20 and 21.
If FTP access cannot be enabled, Unitrends offers downloadable media to upgrade the appliance. However, not every release is produced in downloadable form, and these releases often trail GA releases by several weeks. Hotfixes or patches may also be difficult or impossible to provide without FTP and/or remote access. It is strongly recommended that appliances receive updates online.
- notifications.unitrends.com ports 161 and 162 UDP
- es.telemetry.unitrends.com ports 161 and 162 UDP and 9243 TCP
NOTE: SNMP cannot be tested using Telnet as it is a UDP, one way protocol. You can use Microsoft's portqry tool if you wish to test if you can communicate with notifications.unitrends.com.
Remote Support Services
- support-itivity.unitrends.com on 80 and 443
Our primary remote support system
All Unitrends Technical Support Engineers are skilled at utilizing the remote access capabilities of applicable Unitrends products. Remote System Access, often referred to by the Technical Support Engineers as a “Support Tunnel”, is required to ensure successful and timely resolution to reported issues. Remote access is controlled from the appliance and is enabled and disabled at the will of the appliance operator. Unitrends cannot access appliances remotely unless the service is opened manually by the end user, and this access remains in the control of the end user and can be disabled again at will. All remote access is logged. Per the Unitrends Support Handbook, remote access is a requirement for timely resolution of customer issues, and without it, the Unitrends Customer Support Engineer may also be severely limited in options for how to resolve issues.
Of special note: Should a unit require its license key to be reset (common for a UEB if the MAC changes or the system UUID changes, which can occur if a UEB is moved to a different virtual host, or for physical appliances if ETH0 is disabled or fails), remote access through a tunnel is required to reset this condition. This process will not be permitted through a Webex or other remote connection under any circumstances and expressly requires direct support connectivity. If a license failure occurs and this port cannot be temporarily opened, a redeployment of the unit may be required to resolve.
Other ports: For Unitrends Replication as well as for information about client to system requirements for backup that may also pass through a firewall, please see this article: What firewall ports are used by Unitrends Support to support your Appliance or UEB, Client to Appliance communications, Source to Target replication, and internal management of your Appliance/UEB?
Additionally, if using CloudHook services with Google Nearline or Amazon S3 storage or potentially other providers, please see the provider documentation for ports and addresses that are required for use.
Corporate firewalls may be configured in such a way as to be very restrictive and prevent key functionality of the Unitrends appliance from operating correctly.
Today's security appliances include multiple points of control for maximum security. You will need to review your network and security solution's logs and support documents for ways to monitor and manage the various controls, which may include anything from the physical layer to the application layer of the OSI model.
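
An added example, not Unitrends code: a Python script, run from a host on the same network segment as the appliance, that attempts outbound TCP connections to the host and port pairs listed in this article. The UDP ports are not probed, and port 20 is skipped on the assumption that the FTP servers do not listen on it; a successful connect to port 21 confirms only the FTP control channel, not the passive data ports.

```python
import socket

# Outbound destinations exactly as listed in this article.
REQUIRED = {
    "updateftp.unitrends.com": {"tcp": [20, 21, 80]},
    "repo.unitrends.com": {"tcp": [20, 21, 80, 443]},
    "ftp.unitrends.com": {"tcp": [20, 21]},
    "notifications.unitrends.com": {"udp": [161, 162]},
    "es.telemetry.unitrends.com": {"udp": [161, 162], "tcp": [9243]},
    "support-itivity.unitrends.com": {"tcp": [80, 443]},
}

def tcp_open(host, port, timeout=3.0):
    """True if an outbound TCP handshake to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), DNS failure
        return False

def plan(required=REQUIRED):
    """Split listed flows into those a TCP connect can verify and those it cannot."""
    probe, skip = [], []
    for host, protos in required.items():
        for proto, ports in protos.items():
            for port in ports:
                if proto == "udp":
                    skip.append((host, port, "udp: no handshake to observe"))
                elif port == 20:
                    # Assumption: FTP data port, nothing listening to connect to.
                    skip.append((host, port, "ftp-data: not probed"))
                else:
                    probe.append((host, port))
    return probe, skip

def check(required=REQUIRED, connect=tcp_open):
    """Return ({(host, port): reachable}, skipped_flows)."""
    probe, skip = plan(required)
    return {(h, p): connect(h, p) for h, p in probe}, skip

if __name__ == "__main__":
    results, skipped = check()
    for (host, port), ok in sorted(results.items()):
        print(f"{'OK  ' if ok else 'FAIL'} tcp {host}:{port}")
    for host, port, why in skipped:
        print(f"SKIP {host}:{port} ({why})")
```

A FAIL line identifies the egress rule to look for in the firewall logs; SKIP lines still need to be confirmed in the rule set itself.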