Backup Agent Firewall Rules


To provide additional security for assets with backup agents installed, this knowledge article serves as a reference to set up whitelisting of appliances connecting to assets while restricting all other IPs from connecting to ports where Unitrends agent services are running.

Windows-based assets

Steps to further increase security on protected assets running on a Windows OS:

Firewall rules need to be created on Windows assets to whitelist the local IP address of your physical or virtual Recovery Series appliance to ports 1743:1749 over TCP. A script is provided below for configuring Windows Defender Firewall.  

If you use another firewall solution, create rules to only allow access from the local IP address of your physical or virtual Recovery Series appliance to ports 1743:1749 over TCP. 

 

Script for Windows Defender Firewall: 

Download 

Supported OS list

  • Windows 8

  • Windows 8.1

  • Windows 10

  • Windows Server 2008R2

  • Windows Server 2012

  • Windows Server 2012 R2

  • Windows Server 2016

  • Windows Server 2019

Pre-Requirements:

You must "Set-ExecutionPolicy Unrestricted" before running this script.

After running this script you can "Set-ExecutionPolicy Restricted"
This script works only on systems with installed Unitrends Agent software. If the Unitrends agent is not installed the script will immediately exit.

Firewall Rules

DenyRuleName = "Deny Unknown Unitrends Agent Inbound Traffic"
Blocks inbound TCP traffic into ports range from 1743 to 1749 for all IP addresses.

Only appliances which are protecting the windows asset will be able to connect to the Unitrends service ports


 

Suggested Usage

Windows Server 2016-2019 and Windows 10

Create allow inbound traffic to Unitrends applications from IPs in appliances.ini

Appliances.ini file will have this IP only after inventory sync

setup_unitrends_firewall_rules.ps1 -Action Protect

Windows Server 2008-2012 and Windows 8.1 or older

Create allow inbound traffic to Unitrends applications, the IP of the appliance must be defined, in this example the IP of the appliance is 192.168.1.121

setup_unitrends_firewall_rules.ps1 -Action Allow -Ip 192.168.1.121

Additional Usage:

Block all traffic to Unitrends ports - creates a deny rule for inbound TCP traffic to ports 1743-1745 (this will block all backups from running)

setup_unitrends_firewall_rules.ps1 -Action Block

Remove the block

setup_unitrends_firewall_rules.ps1 -Action Unblock

Remove any changes

setup_unitrends_firewall_rules.ps1 -Action Unprotect

 

Linux-based assets

Steps to further increase security on protected assets running on a Linux OS:
Firewall rules need to be created on Linux assets to whitelist access to ports 1743:1749 to only the appliance protecting these assets.

Case 1: If ports 1743:1749 are closed, use the following commands to open the port range 1743:1749 for the <ApplianceIP>

sudo iptables -A INPUT -p tcp -s <ApplianceIP> --dport 1743:1749 -m state --state NEW,ESTABLISHED -j ACCEPT 
sudo iptables -A OUTPUT -p tcp --sport 1743:1749 -m state --state ESTABLISHED -j ACCEPT

Case 2: If ports 1743:1749 are already open, use the following command to deny access from any IP other than <ApplianceIP>, change <ApplianceIP> to the IP of the appliance protecting these assets:

sudo iptables -A INPUT -p tcp ! -s <ApplianceIP> --dport 1743:1749 -m state --state NEW,ESTABLISHED -j DROP

Save ip tables on Ubuntu

Make sure iptables-persistent package is installed, and run the following commands :

sudo /etc/init.d/iptables-persistent save 
sudo /etc/init.d/iptables-persistent reload

Save ip tables on CentOS / RedHat

service iptables save

 

Was this article helpful?
0 out of 0 found this helpful
Have more questions? Contact us