Backup clients
|
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
Backup clients1
|
DD system
|
2049
|
Proprietary
|
TLS 1.2
|
Optional
DD Boost client TLS encryption.
|
Backup clients1
|
DD system
|
2052
|
TCP
|
No
|
NFS
mountd, not for data.
|
Backup clients
|
DD
Smart Scale
|
2053
|
TCP
|
TLS 1.2
|
DD Boost connection.
|
Backup clients1
|
PowerProtect Data Manager
|
8443
|
HTTPS
|
TLS 1.2
|
REST API service.
|
Backup clients
|
VMAX SE server
|
2707
|
Proprietary
|
TLS 1.2
|
Backup clients require access to the default port 2707 on the VMAX SE server. Applies to Storage Direct.
|
Callhome (SupportAssist)
|
PowerProtect Data Manager
|
22
|
SSH
|
TLS 1.2
|
SSH for support and administration. Encrypted by private key or optional certificates.
|
Callhome (SupportAssist)
|
PowerProtect Data Manager
|
443
|
HTTPS
|
TLS 1.2
|
SSH for remote support.
|
ESXi
|
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
ESXi
|
DD system2
|
2049
|
Proprietary
|
TLS 1.2
|
NFS datastore and
DD Boost. NFS is unencrypted.
DD Boost is encrypted.
|
ESXi
|
DD system2
|
2052
|
TCP
|
No
|
NFS
mountd, not for data.
|
Kubernetes cluster
|
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
Kubernetes cluster
|
DD system
|
2049
|
Proprietary
|
TLS 1.2
|
Optional
DD Boost client TLS encryption.
|
Kubernetes cluster
|
DD system
|
2052
|
TCP
|
TLS 1.2
|
NFS
mountd, not for data.
|
Kubernetes cluster
|
ESXi
|
902
|
TCP
|
TLS 1.2
|
vSphere client access for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters.
|
Kubernetes cluster
|
Protection engine (Kubernetes)
|
9090
|
HTTPS
|
TLS 1.2/1.3
|
Required for Tanzu Kubernetes Guest clusters.
|
Kubernetes cluster
|
vCenter
|
443
|
HTTPS
|
TLS 1.2
|
Primary management interface for vSphere using the vCenter Server, including the vSphere client for PVCs using VMware CSI. Not required for Tanzu Kubernetes Guest clusters.
|
NAS protection engine
|
NAS appliance
|
443
|
HTTPS
|
TLS 1.2
|
Management access for Unity and PowerStore appliances.
|
NAS protection engine
|
NAS appliance
|
8080
|
HTTPS
|
TLS 1.2
|
Management access for PowerScale/Isilon appliances.
|
PowerProtect Data Manager
|
Backup clients
|
7000
|
HTTPS
|
TLS 1.2
|
Microsoft SQL Server, Oracle,
Microsoft Exchange Server, SAP HANA, and file system. Requirement applies to Application Direct and VM Direct.
|
PowerProtect Data Manager
|
Callhome (SupportAssist)
|
25
|
SMTP
|
TLS 1.2
|
TLS version in use depends on the mail server. TLS used where possible.
|
PowerProtect Data Manager
|
Callhome (SupportAssist)
|
465
|
TCP
|
TLS 1.2
|
|
PowerProtect Data Manager
|
Callhome (SupportAssist)
|
587
|
TCP
|
TLS 1.2
|
|
PowerProtect Data Manager
|
Callhome (SupportAssist)
|
9443
|
HTTPS
|
TLS 1.2
|
REST API for service notification.
|
PowerProtect Data Manager
|
DD system (server DR)
|
22
|
SSH
|
TLS 1.2
|
Server DR replication commands for the source
DD system.
|
PowerProtect Data Manager
|
DD system (server DR replica)3
|
22
|
SSH
|
TLS 1.2
|
Server DR replication commands for the target
DD system.
|
PowerProtect Data Manager
|
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
PowerProtect Data Manager
|
DD system
|
2049
|
Proprietary
|
No
|
Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data.
|
PowerProtect Data Manager
|
DD system
|
2052
|
TCP/UDP
|
No
|
NFS
mountd, not for data.
|
PowerProtect Data Manager
|
DD system
|
3009
|
HTTPS
|
TLS 1.2
|
Communication with
DDMC for configuration and discovery.
|
PowerProtect Data Manager
|
ESXi
|
443
|
HTTPS
|
TLS 1.2
|
Depends on ESXi configuration and version.
|
PowerProtect Data Manager
|
Kubernetes cluster
|
6443
|
Proprietary
|
TLS 1.2
|
Connects to the Kubernetes API server. Encryption depends on the Kubernetes cluster configuration.
PowerProtect Data Manager supports TLS 1.2.
|
PowerProtect Data Manager
|
LDAP server
|
389
|
TCP/UDP
|
No
|
Insecure LDAP port, outbound only. Use port 636 for encryption.
|
PowerProtect Data Manager
|
LDAP server
|
636
|
TCP
|
TLS 1.2
|
LDAPS, depending on LDAP configuration in use. Outbound only.
|
PowerProtect Data Manager
|
NAS appliance
|
443
|
HTTPS
|
TLS 1.2
|
Management access for Unity and PowerStore appliances.
|
PowerProtect Data Manager
|
NAS appliance
|
8080
|
HTTPS
|
TLS 1.2
|
Management access for PowerScale/Isilon appliances.
|
PowerProtect Data Manager
|
NAS share
|
139
|
TCP
|
TLS 1.2
|
Windows file server shares (CIFS).
|
PowerProtect Data Manager
|
NAS share
|
443
|
HTTPS
|
TLS 1.2
|
NetApp shares (NFS and CIFS). Also used for NAS share verification check.
|
PowerProtect Data Manager
|
NAS share
|
445
|
TCP
|
TLS 1.2
|
Windows file server shares (CIFS).
|
PowerProtect Data Manager
|
NAS share
|
2049
|
TCP
|
TLS 1.2
|
Linux file server shares (NFS).
|
PowerProtect Data Manager
|
NTP server
|
123
|
NTP
|
No
|
Time synchronization.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Catalog
|
9760
|
TCP
|
|
Internal only. Blocked by firewall.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Configuration Manager
|
55555
|
TCP
|
|
Internal only. Blocked by firewall.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Elastic Search
|
9200
|
TCP
|
|
Internal only.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Elastic Search
|
9300
|
TCP
|
|
Internal only.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Embedded VM proxy
|
9095
|
TCP
|
|
Internal only. Blocked by firewall.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Quorum peer
|
2181
|
TCP
|
|
Internal only. Blocked by firewall.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - RabbitMQ
|
5672
|
TCP
|
|
Internal only. Blocked by firewall.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - Secrets manager
|
9092
|
TCP
|
|
Internal only.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - VM Direct infrastructure manager
|
9097
|
TCP
|
|
Internal only. Blocked by firewall. Also required for protecting NAS workloads with
NAS protection engines.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - VM Direct orchestration
|
9096
|
TCP
|
|
Internal only. Blocked by firewall.
NAS protection engines use a separate port.
|
PowerProtect Data Manager
|
PowerProtect Data Manager - VM Direct orchestration for NAS
|
9098
|
TCP
|
|
Internal only. Blocked by firewall. Used for
NAS protection engines.
|
PowerProtect Data Manager
|
Protection engine (all)
|
22
|
SSH
|
TLS 1.2
|
SSH for support and administration. Encrypted by private key or optional certificates.
|
PowerProtect Data Manager
|
Protection engine (all)
|
9090
|
HTTPS
|
TLS 1.2
|
REST API service.
|
PowerProtect Data Manager
|
Protection engine (VM)
|
96134
|
Proprietary
|
TLS 1.2
|
|
PowerProtect Data Manager
|
Reporting Engine
|
9002
|
TCP
|
TLS 1.2
|
REST API service.
|
PowerProtect Data Manager
|
Reporting Engine
|
96134
|
Proprietary
|
TLS 1.2
|
Infrastructure node agent management of the
Reporting Engine.
|
PowerProtect Data Manager
|
Search Engine
|
9613
|
Proprietary
|
TLS 1.2
|
Infrastructure node agent management of
Search Engine nodes.
|
PowerProtect Data Manager
|
Search Engine
|
14251
|
Proprietary
|
TLS 1.2
|
Search query REST API endpoint.
|
PowerProtect Data Manager
|
SMI-S
|
5989
|
HTTPS
|
TLS 1.2
|
Communication with SMI-S provider. Discovery.
|
PowerProtect Data Manager
|
Storage Direct system
|
3009
|
HTTPS
|
TLS 1.2
|
Discovery.
|
PowerProtect Data Manager
|
Syslog server
|
514
|
TCP/UDP
|
TLS 1.2
|
Log forwarding to Syslog server.
|
PowerProtect Data Manager
|
Syslog server
|
6514
|
TCP
|
TLS 1.2
|
Log forwarding to Syslog server.
|
PowerProtect Data Manager
|
Syslog server
|
10514
|
TCP
|
TLS 1.2
|
Log forwarding to Syslog server.
|
PowerProtect Data Manager
|
UI
|
443
|
HTTPS
|
TLS 1.2
|
Between the browser host and the
PowerProtect Data Manager system.
|
PowerProtect Data Manager
|
Update Manager UI
|
14443
|
HTTPS
|
TLS 1.2
|
Connects the host that contains the update package to the
PowerProtect Data Manager system.
|
PowerProtect Data Manager
|
vCenter
|
443
|
HTTPS
|
TLS 1.2
|
vSphere API for direct restore, discovery, initiating Hot Add transport mode, and restores including Instant Access restore. Depends on vCenter configuration. Also required for protecting NAS workloads with
NAS protection engines.
|
PowerProtect Data Manager
|
vCenter
|
7444
|
Proprietary
|
TLS 1.2
|
vCenter single sign-on.
|
PowerProtect Data Manager
|
VMAX Solutions Enabler server
|
2707
|
Proprietary
|
TLS 1.2
|
Storage Direct functionality.
PowerProtect Data Manager uses the Solutions Enabler default server port for configuration steps and to control active snapshot management for SnapVX, including for PP-VMAX.
|
Protection engine (all)
|
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
Protection engine (all)
|
DD system
|
2049
|
Proprietary
|
TLS 1.2
|
Optional
DD Boost client TLS encryption.
|
Protection engine (all)
|
DD system
|
2052
|
TCP
|
No
|
NFS
mountd, not for data.
|
Protection engine (all)
|
DD system
|
3009
|
HTTPS
|
TLS 1.2
|
DD REST API service.
|
Protection engine (VM and Kubernetes)
|
ESXi
|
443
|
HTTPS
|
TLS 1.2
|
Client connections.
|
Protection engine (VM and Kubernetes)
|
ESXi
|
902
|
TCP
|
TLS 1.2
|
vSphere client access.
|
Protection engine (VM)
|
Guest VM
|
96134
|
Proprietary
|
TLS 1.2
|
VM Direct Agent provides capabilities for file-level restore and application-aware protection.
|
Protection engine (NAS)
|
NAS agent Docker container
|
443
|
HTTPS
|
TLS 1.2
|
Internal only. Blocked by firewall.
|
Protection engine (VM)
|
Search Engine
|
14251
|
TCP
|
TLS 1.2
|
Search query REST API endpoint.
|
Protection engine (VM and Kubernetes)
|
vCenter
|
443
|
HTTPS
|
TLS 1.2
|
Primary management interface for vSphere using the vCenter server, including the vSphere client.
|
Protection engine (VM and Kubernetes)
|
vCenter
|
7444
|
TCP
|
TLS 1.2
|
Secure token service.
|
Protection engine (all)
|
Protection engine - RabbitMQ
|
4369
|
TCP
|
|
Internal only. Blocked by firewall.
|
Protection engine (all)
|
Protection engine - RabbitMQ
|
5672
|
TCP
|
|
Internal only. Blocked by firewall.
|
Reporting engine
|
PowerProtect Data Manager
|
8443
|
TCP
|
TLS 1.2
|
REST API service for collecting reporting data.
|
Search Engine
|
DD system
|
111
|
TCP
|
No
|
Server DR. Dynamic port detection and mapping. Used only for port verification, not for data.
|
Search Engine
|
DD system
|
2049
|
Proprietary
|
No
|
Server DR NFS connections. Used only for metadata, client name, and indexing, not for backup data.
|
Search Engine
|
DD system
|
2052
|
TCP/UDP
|
No
|
Server DR. NFS mountd, not for data.
|
Source
DD system
|
Target
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
Source
DD system
|
Target
DD system
|
2049
|
Proprietary
|
TLS 1.2
|
|
Source
DD system
|
Target
DD system
|
2051
|
Proprietary
|
TLS 1.2
|
|
Source
DD system
|
Target
DD system
|
2052
|
TCP
|
No
|
NFS
mountd, not for data.
|
Target
DD system
|
Source
DD system
|
111
|
TCP
|
No
|
Dynamic port detection and mapping. Used only for port verification, not for data.
|
Target
DD system
|
Source
DD system
|
2049
|
Proprietary
|
TLS 1.2
|
|
Target
DD system
|
Source
DD system
|
2051
|
Proprietary
|
TLS 1.2
|
|
Target
DD system
|
Source
DD system
|
2052
|
TCP
|
No
|
NFS
mountd, not for data.
|
Update Manager UI
|
PowerProtect Data Manager
|
14443
|
HTTPS
|
TLS 1.2
|
Connects the host that contains the update package to the
PowerProtect Data Manager system.
|
User
|
PowerProtect Data Manager
|
22
|
SSH
|
TLS 1.2
|
SSH for support and administration. Encrypted by private key or optional certificates.
|
User
|
PowerProtect Data Manager
|
80
|
HTTP
|
No
|
Redirect to HTTPS.
|
User
|
PowerProtect Data Manager
|
443
|
HTTPS
|
TLS 1.2
|
Connects the browser host to the
PowerProtect Data Manager system.
|
User
|
PowerProtect Data Manager
|
8443
|
HTTPS
|
TLS 1.2
|
REST API service.
|
User
|
Reporting Engine
|
22
|
SSH
|
TLS 1.2
|
SSH for support and administration. Encrypted by private key or optional certificates.
|
User
|
Search Engine
|
22
|
SSH
|
TLS 1.2
|
SSH for support and administration. Encrypted by private key or optional certificates.
|
User
|
Protection engine (all)
|
22
|
SSH
|
TLS 1.2
|
SSH for support and administration. Encrypted by private key or optional certificates.
|
vCenter
|
ESXi
|
443
|
HTTPS
|
TLS 1.2
|
vSphere client to ESXi/ESX host management connection. Also required to deploy
NAS protection engines.
|
vCenter
|
PowerProtect Data Manager
|
443
|
HTTPS
|
TLS 1.2
|
vCenter plug-in UI.
|
vCenter
|
PowerProtect Data Manager
|
8443
|
HTTPS
|
TLS 1.2
|
REST API service.
|
vCenter
|
PowerProtect Data Manager
|
9009
|
HTTPS
|
TLS 1.2/1.3
|
vSphere APIs for Storage Awareness (VASA) provider, storage policy based management (SPBM) service within
PowerProtect Data Manager.
|