- Knowledge Base Listing Page
- Veeam ONE v9.5 Required Ports and Permissions
Veeam ONE v9.5 Required Ports and Permissions
| KB ID: | 1731 |
| Product: | Veeam ONE |
| Version: | 9.5 |
| Published: | 2013-03-01 |
| Last Modified: | 2020-08-13 |
Cheers for trusting us with the spot in your mailbox!
Now you’re less likely to miss what’s been brewing in our knowledge base with this weekly digest
Purpose
Cause
Solution
Required Permissions
Connection to Virtual Servers
The account used to connect virtual servers must have at least the following permissions:
|
VI Object |
Required Permissions |
|
vCenter, ESX(i) host |
Note: Names of privileges are provided for the latest supported version of VMware vSphere, and may vary for different platform versions. |
|
Hyper-V host, Hyper-V cluster |
|
|
SCVMM |
|
1 Required for gathering of ESX(i) host hardware data.
2 Required for using VM Console and viewing snapshot information.
3 Required for collecting and updating tags on the vCenter Server side. The privileges must be assigned at the vCenter Server level.
4 Required for accessing VM console from Veeam ONE Monitor.
5 Required for collecting datastore details.
6 Required for collecting license information.
7 A domain account with local Administrator privileges on a host is required. If you connect a cluster, the account must have local Administrator privileges on all hosts in a cluster.
|
NOTE: If Windows-based virtual servers run on non-domain machines, or machines with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE perform data collection. For details, see Connection Under UAC. |
Connection to Veeam Backup & Replication Servers
The account used for connecting to a Veeam backup server must have local Administrator permissions on the machines running:
- Veeam Backup Enterprise Manager
- Veeam Backup & Replication
- Backup proxy, backup repository, WAN Accelerator, tape server and cloud gateway components (required to collect performance data from these servers)
|
NOTE: If Veeam backup infrastructure components run on non-domain machines, or machines with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE perform data collection. For details, see Connection Under UAC. |
Veeam ONE Service Account
Authorizing with Veeam ONE
To authorize with Veeam ONE software components (Veeam ONE Monitor, Reporter and Business View), a user must have the Allow log on locally privilege assigned.
By default, this privilege is assigned to users included in the local Administrators group. For users not included in the local Administrators group, you must assign this privilege manually. For details, see this Microsoft TechNet article.
|
NOTE: In the advanced deployment scenario, you must assign the Allow log on locally privilege on the machines that host the Veeam ONE Server and Veeam ONE Web UI architectural components. |
Connection to Microsoft SQL Server
The account used to connect to the Microsoft SQL Server hosting the Veeam ONE database must have the following permissions:
- Public role (default permissions)
- CREATE ANY DATABASE permissions
- db_owner role on the Veeam ONE database
- db_datareader permissions on the master database
- public, db_datareader, SQLAgentUserRole permissions on the msdb database
- [For Always-On Availability Groups] VIEW SERVER STATE permissions
Connection to Microsoft Hyper-V VM Guest OS
The account used to collect data from guest OSes of Microsoft Hyper-V Windows VMs, must have local Administrator permissions on the guest OS.
|
NOTE: To collect data from non-domain Windows VMs, or VMs with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE perform data collection. For details, see Connection Under UAC. |
Connection Under UAC
Veeam ONE collects data from Microsoft Windows servers using WMI. For some configurations, UAC access token filtering can prevent running WMI commands on connected machines, which in turn will cause data collection failures.
The affected configurations are:
- Non-domain machines (machines in a workgroup)
- Machines with an unelevated local Administrator account (the account that is not Built-in Administrator)
To allow Veeam ONE collect data from these machines, perform the following steps on target virtual servers:
- Set the network location to private:
- Log on to a machine as Administrator.
- Open the Network and Sharing Center.
- In the list of active networks, click the necessary network and change its location to Private.
In some Windows OS versions, this location is called Home or Work.
- Configure Windows Remote Management.
To do so, in the command prompt, type winrm quickconfig and press [Enter].
For more details on UAC access token filtering, see User Account Control and WMI.
Authorizing with Veeam ONE
To authorize with Veeam ONE software components (Veeam ONE Monitor, Reporter and Business View), a user must have the Allow log on locally privilege assigned.
By default, this privilege is assigned to users included in the local Administrators group. For users not included in the local Administrators group, you must assign this privilege manually. For details, see this Microsoft TechNet article.
|
NOTE: In the advanced deployment scenario, you must assign the Allow log on locally privilege on the machines that host the Veeam ONE Server and Veeam ONE Web UI architectural components. |
Remote Access
To be able to access Veeam ONE software components installed on a remote machine, you can use one of the following options.
Remote Access to Veeam ONE Reporter and Business View through Web Browser
Veeam ONE Reporter and Business View consoles can be accessed using a web browser on a remote machine. To learn more on how to access Veeam ONE software components, see Accessing Veeam ONE Monitor, Reporter and Business View.
Veeam ONE Reporter and Business View consoles remotely, a user must be a member of the Veeam ONE Administrators or Veeam ONE Read-Only Users group on the machine where Veeam ONE Web UI component is installed. For details on Veeam ONEsecurity groups, see Security Groups.
Remote Access for Multi-Tenant Monitoring and Reporting
Veeam ONE supports multi-tenant access to its monitoring and reporting capabilities. Authorized users can remotely monitor a subset of the vCenter Server or vCloud Director infrastructure and create reports.
To monitor and report on a restricted scope of the virtual infrastructure, a user must have permissions assigned on objects of the vCenter Server or vCloud Director inventory hierarchy. For details, see Veeam ONE Multi-Tenant Monitoring and Reporting.
Required Ports
|
From |
To |
Protocol |
Port |
Notes |
|
Veeam ONE |
vCenter |
SSL |
4431 |
Required to collect data from vCenter Server/ ESX(i) hosts. |
|
TCP |
5989 |
Required to collect ESX(i) host hardware details via CIM XML. | ||
|
TCP |
10080 |
Default port used to access vCenter Inventory Service (HTTP or HTTPS) and collect vCenter Server tags. Required for vCenter Server 5.x only. | ||
|
Platform Services Controller (PSC) |
HTTPS |
443 |
Default port used to collect and assign VMware Tags data. Required for vCenter Server starting from version 6.5. | |
|
vCloud Director |
SSL |
4431 |
Required to collect data from vCloud Director. | |
|
SCVMM |
TCP |
8100 |
Default SCVMM Administrator Console to SCVMM server port (required by the Veeam ONE Service). | |
|
Hyper-V host |
TCP |
135, |
Required to collect data from Microsoft Hyper-V hosts through WMI. | |
|
TCP |
135 |
Required to gather CPU and memory performance data from Microsoft Hyper-V hosts.4 | ||
|
TCP |
445 |
Required to access remote registry. | ||
|
Veeam Backup & Replication |
TCP |
135, |
Required to collect data from Veeam backup servers through WMI. | |
|
TCP |
135 |
Required to gather CPU and memory performance data from Veeam Backup & Replication infrastructure servers.4 | ||
|
TCP |
445 |
Required to access remote registry. | ||
|
Veeam Backup Enterprise Manager |
TCP |
135, |
Required to collect data from Veeam Backup Enterprise Manager through WMI. | |
|
Veeam backup proxy |
TCP |
135 |
Required to gather CPU and memory performance data from backup infrastructure servers.4 | |
|
Veeam backup repository (Windows) |
TCP |
135 |
Required to gather CPU and memory performance data from backup infrastructure servers.4 | |
|
Veeam backup repository (Linux) |
TCP |
22 |
Default SSH port used to communicate with a Linux-based repository. | |
|
Veeam WAN accelerator |
TCP |
135 |
Required to gather CPU and memory performance data from backup infrastructure servers.4 | |
|
Veeam License Update Server (autolk.veeam.com) |
TCP |
443 |
Default port used for license auto-update. | |
|
Veeam ONE Server and Web UI |
Microsoft SQL Server |
TCP |
1433 |
Port used for communication with the Microsoft SQL Server on which the Veeam ONE database is deployed. |
|
Veeam ONE |
Veeam ONE Server |
TCP |
1393; |
Used by Veeam ONE Monitor Client to communicate with the Veeam ONE Server. |
|
UDP |
1373 | |||
|
Workstation |
Veeam ONE Reporter |
HTTPS |
1239 |
Required to access Veeam ONE Reporter console from a user workstation (a different port number can be chosen during setup). |
|
Veeam ONE |
HTTPS |
1340 |
Required to access Veeam ONE Business View console from a user workstation (a different port number can be chosen during setup). |
1 You must open these ports manually
2 To learn about enabling and disabling WMI traffic, see http://msdn.microsoft.com/en-us/library/aa389286(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/aa822854(v=vs.85).aspx
3 Associated with the File and Printer Sharing service
4 To gather performance data from Windows Server 2012 and 2012R2, you must additionally enable network discovery.
To report a typo on this page, highlight the typo with your mouse and press CTRL + Enter.
Spelling error in text
Thank you!
Your feedback has been received and will be reviewed.
Oops! Something went wrong.
Please try again later.
KB Feedback/Suggestion
This form is only for KB Feedback/Suggestions, if you need help with the software open a support case
Thank you!
Your feedback has been received and will be reviewed.