Veeam ONE v9.5 Required Ports and Permissions

KB ID: 1731
Product: Veeam ONE
Version: 9.5
Published:
Last Modified: 2017-10-18

Purpose

Ports and permissions must be configured for Veeam ONE to function properly.

Solution

Required Permissions

Connection to Virtual Servers

The account used to connect virtual servers must have at least the following permissions:

VI Object: vCenter, ESX(i) host

Required permissions:

  • Read-only
  • Host.CIM.CIM Interaction [1]
  • Host.Configuration.Connection [1]
  • Virtual machine.Interaction.Answer question [2]
  • vSphere Tagging.Assign or Unassign vSphere Tag [3]
  • vSphere Tagging.Create vSphere Tag [3]
  • vSphere Tagging.Create vSphere Tag Category [3]
  • Global.Global tag [3] (not required for VMware vSphere 6.5)
  • Virtual machine.Interaction.Console interaction [4]
  • Datastore.Browse datastore [5]
  • Global.Licenses [6]

Note: Names of privileges are provided for the latest supported version of VMware vSphere, and may vary for different platform versions.

VI Object: Hyper-V host, Hyper-V cluster

Required permissions:

  • Administrator [7]

VI Object: SCVMM

Required permissions:

  • Delegated Administrator or Administrator

[1] Required for gathering of ESX(i) host hardware data.
[2] Required for using VM Console and viewing snapshot information.
[3] Required for collecting and updating tags on the vCenter Server side. The privileges must be assigned at the vCenter Server level.
[4] Required for accessing VM console from Veeam ONE Monitor.
[5] Required for collecting datastore details.
[6] Required for collecting license information.
[7] A domain account with local Administrator privileges on a host is required. If you connect a cluster, the account must have local Administrator privileges on all hosts in a cluster.

NOTE: If Windows-based virtual servers run on non-domain machines, or machines with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE to perform data collection. For details, see Connection Under UAC.

Connection to Veeam Backup & Replication Servers

The account used for connecting to a Veeam backup server must have local Administrator permissions on the machines running:

  • Veeam Backup Enterprise Manager
  • Veeam Backup & Replication
  • Backup proxy, backup repository, WAN Accelerator, tape server and cloud gateway components (required to collect performance data from these servers)

NOTE: If Veeam backup infrastructure components run on non-domain machines, or machines with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE to perform data collection. For details, see Connection Under UAC.

Veeam ONE Service Account

The service account must have Local Administrator permissions on the machine where Veeam ONE is installed.

Authorizing with Veeam ONE

To authorize with Veeam ONE software components (Veeam ONE Monitor, Reporter and Business View), a user must have the Allow log on locally privilege assigned.

By default, this privilege is assigned to users included in the local Administrators group. For users not included in the local Administrators group, you must assign this privilege manually. For details, see this Microsoft TechNet article.

NOTE: In the advanced deployment scenario, you must assign the Allow log on locally privilege on the machines that host the Veeam ONE Server and Veeam ONE Web UI architectural components.

Connection to Microsoft SQL Server

The account used to connect to the Microsoft SQL Server hosting the Veeam ONE database must have the following permissions:

  • Public role (default permissions)
  • CREATE ANY DATABASE permissions
  • db_owner role on the Veeam ONE database
  • db_datareader permissions on the master database
  • public, db_datareader, SQLAgentUserRole permissions on the msdb database
  • [For Always-On Availability Groups] VIEW SERVER STATE permissions 

Connection to Microsoft Hyper-V VM Guest OS

The account used to collect data from guest OSes of Microsoft Hyper-V Windows VMs must have local Administrator permissions on the guest OS.

NOTE: To collect data from non-domain Windows VMs, or VMs with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE to perform data collection. For details, see Connection Under UAC.

Connection Under UAC

Veeam ONE collects data from Microsoft Windows servers using WMI. For some configurations, UAC access token filtering can prevent running WMI commands on connected machines, which in turn will cause data collection failures.

The affected configurations are:

  • Non-domain machines (machines in a workgroup)
  • Machines with an unelevated local Administrator account (the account that is not Built-in Administrator)

To allow Veeam ONE to collect data from these machines, perform the following steps on target virtual servers:

  1. Set the network location to private:
       a. Log on to a machine as Administrator.
       b. Open the Network and Sharing Center.
       c. In the list of active networks, click the necessary network and change its location to Private.

     In some Windows OS versions, this location is called Home or Work.

  2. Configure Windows Remote Management.

     To do so, in the command prompt, type winrm quickconfig and press [Enter].

For more details on UAC access token filtering, see User Account Control and WMI.
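
The two steps above can also be scripted and then checked. This is an added example, not part of the Veeam KB; it assumes an elevated PowerShell session on the target server and a Windows version that ships the NetConnection cmdlets.

```powershell
# Added example. Run in an elevated PowerShell session on the target server.

# Step 1: move every active network that is currently Public to Private.
# Domain-joined connections report DomainAuthenticated and are left alone.
$public = Get-NetConnectionProfile | Where-Object { $_.NetworkCategory -eq 'Public' }
foreach ($net in $public) {
    Set-NetConnectionProfile -InterfaceIndex $net.InterfaceIndex -NetworkCategory Private
}

# Step 2: configure Windows Remote Management without the interactive prompt.
# quickconfig starts the WinRM service, sets it to start automatically,
# creates an HTTP listener and adds a firewall exception for it.
winrm quickconfig -quiet

# Review the result so the change can be recorded and audited later.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory
Get-Service -Name WinRM | Select-Object Name, Status
winrm enumerate winrm/config/listener
```

Changing a network to Private applies the Private firewall profile to that interface, so review which inbound rules that profile enables on the server.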


Remote Access

To be able to access Veeam ONE software components installed on a remote machine, you can use one of the following options.

Remote Access to Veeam ONE Reporter and Business View through Web Browser

Veeam ONE Reporter and Business View consoles can be accessed using a web browser on a remote machine. To learn more on how to access Veeam ONE software components, see Accessing Veeam ONE Monitor, Reporter and Business View.

To access Veeam ONE Reporter and Business View consoles remotely, a user must be a member of the Veeam ONE Administrators or Veeam ONE Read-Only Users group on the machine where the Veeam ONE Web UI component is installed. For details on Veeam ONE security groups, see Security Groups.

Remote Access for Multi-Tenant Monitoring and Reporting

Veeam ONE supports multi-tenant access to its monitoring and reporting capabilities. Authorized users can remotely monitor a subset of the vCenter Server or vCloud Director infrastructure and create reports.

To monitor and report on a restricted scope of the virtual infrastructure, a user must have permissions assigned on objects of the vCenter Server or vCloud Director inventory hierarchy. For details, see Veeam ONE Multi-Tenant Monitoring and Reporting.


Required Ports

The following table lists connection settings required for proper communication between Veeam ONE components, virtual infrastructure servers, vCloud Director servers and Veeam Backup & Replication servers.

| From | To | Protocol | Port | Notes |
|------|----|----------|------|-------|
| Veeam ONE | vCenter, ESX(i) | SSL | 443 [1] | Required to collect data from vCenter Server/ESX(i) hosts. To learn how to check the current state of the vSphere API port, see the VMware vSphere documentation. |
| Veeam ONE | vCenter, ESX(i) | TCP | 5989 | Required to collect ESX(i) host hardware details via CIM XML. |
| Veeam ONE | vCenter, ESX(i) | TCP | 10080, 10443 | Default port used to access vCenter Inventory Service (HTTP or HTTPS) and collect vCenter Server tags. Required for vCenter Server 5.x only. |
| Veeam ONE | vCloud Director | SSL | 443 [1] | Required to collect data from vCloud Director. |
| Veeam ONE | SCVMM | TCP | 8100 | Default SCVMM Administrator Console to SCVMM server port (required by the Veeam ONE Service). |
| Veeam ONE | Hyper-V host | TCP | 135, dynamically assigned ports [2] | Required to collect data from Microsoft Hyper-V hosts through WMI. |
| Veeam ONE | Hyper-V host | TCP | 135, 445 | Required to gather CPU and memory performance data from Microsoft Hyper-V hosts. [4] |
| Veeam ONE | Hyper-V host | TCP | 445 | Required to access remote registry. |
| Veeam ONE | Veeam Backup & Replication | TCP | 135, dynamically assigned ports [2] | Required to collect data from Veeam backup servers through WMI. |
| Veeam ONE | Veeam Backup & Replication | TCP | 135, 445 | Required to gather CPU and memory performance data from Veeam Backup & Replication infrastructure servers. [4] |
| Veeam ONE | Veeam Backup & Replication | TCP | 445 | Required to access remote registry. |
| Veeam ONE | Veeam Backup Enterprise Manager | TCP | 135, dynamically assigned ports [2] | Required to collect data from Veeam Backup Enterprise Manager through WMI. |
| Veeam ONE | Veeam backup proxy | TCP | 135, 445 | Required to gather CPU and memory performance data from backup infrastructure servers. [4] |
| Veeam ONE | Veeam backup repository | TCP | 135, 445 | Required to gather CPU and memory performance data from backup infrastructure servers. [4] |
| Veeam ONE | Veeam WAN accelerator | TCP | 135, 445 | Required to gather CPU and memory performance data from backup infrastructure servers. [4] |
| Veeam ONE | Veeam License Update Server (autolk.veeam.com) | TCP | 443 | Default port used for license auto-update. |
| Veeam ONE Monitor Client | Veeam ONE Server | TCP | 139 [3]; 445 [3] | Used by Veeam ONE Monitor Client to communicate with the Veeam ONE Server. |
| Veeam ONE Monitor Client | Veeam ONE Server | UDP | 137 [3] | Used by Veeam ONE Monitor Client to communicate with the Veeam ONE Server. |
| Workstation Web Browser | Veeam ONE Reporter | HTTP | 1239 | Required to access Veeam ONE Reporter console from a user workstation (a different port number can be chosen during setup). |
| Workstation Web Browser | Veeam ONE Business View | HTTP | 1340 | Required to access Veeam ONE Business View console from a user workstation (a different port number can be chosen during setup). |

[1] You must open these ports manually.
[2] To learn about enabling and disabling WMI traffic, see http://msdn.microsoft.com/en-us/library/aa389286(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/aa822854(v=vs.85).aspx
[3] Associated with the File and Printer Sharing service.
[4] To gather performance data from Windows Server 2012 and 2012R2, you must additionally enable network discovery.
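
One way to open TCP 135, the dynamically assigned ports and TCP 445 on a monitored Windows server (Hyper-V host or Veeam backup infrastructure server) while allowing only the Veeam ONE server as the source. This is an added example, not part of the Veeam KB; the address 192.0.2.10, the rule names and the group name are assumptions.

```powershell
# Added example. Run in an elevated PowerShell session on the monitored server.
# Assumption: 192.0.2.10 is a placeholder for the Veeam ONE server address.
$VeeamOneServer = '192.0.2.10'
$RuleGroup      = 'Veeam ONE collection (example)'

# Settings shared by every rule: inbound TCP, allowed from one source only.
$common = @{
    Direction     = 'Inbound'
    Action        = 'Allow'
    Protocol      = 'TCP'
    RemoteAddress = $VeeamOneServer
    Profile       = 'Domain, Private'
    Group         = $RuleGroup
}

# TCP 135: RPC endpoint mapper, the first hop of a remote WMI connection.
New-NetFirewallRule @common -DisplayName 'Veeam ONE: RPC endpoint mapper' -LocalPort 135

# Dynamically assigned ports: the RPC keyword follows whatever dynamic
# range the host uses, instead of opening a fixed high-port range.
New-NetFirewallRule @common -DisplayName 'Veeam ONE: RPC dynamic ports' -LocalPort RPC

# TCP 445: performance data collection and remote registry access.
New-NetFirewallRule @common -DisplayName 'Veeam ONE: SMB' -LocalPort 445

# List what was created: rule name, local port and permitted source.
Get-NetFirewallRule -Group $RuleGroup | ForEach-Object {
    $port = $_ | Get-NetFirewallPortFilter
    $addr = $_ | Get-NetFirewallAddressFilter
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = $port.LocalPort
        RemoteAddress = $addr.RemoteAddress
    }
}
```

Windows Firewall allow rules are additive, so the source restriction only holds if broader built-in rules for the same ports (for example the File and Printer Sharing group) are not also enabled for any remote address.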
