Firewall ports (outbound)- x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at September 29th, 2021

Common Requirements: All devices

All x360Recover devices must be able to communicate with the following destinations and ports:  


x360Recover License Portal
 

Cloud Key Management Services

  • TCP/443 (https) – Used to access API endpoints 
  • URL: appliances.efscloud.net
  • IP(s): 143.204.29.2/143.204.29.74/143.204.29.16/143.204.29.87
    Note: IP addresses subject to change
 

Telemetry Services

The  x360Recover telemetry service utilizes a highly-dispersed cloud data provider with a large list of volatile IP addresses.  A list of the current IP addresses in use can be found here

 

Update Manager

  • TCP/80 (http) - Used for package downloads and version updates
  • TCP/443 (https) - Used for package downloads and version updates
  • URL(s): pkgmgrrepo.replibit.net
  • IP(s): highly volatile (Amazon AWS S3 service)
 

Update Repository

  • TCP/443 (https) – Used for software updates and custom package distribution
  • URL: download.slc.efscloud.net
  • IP: 198.73.17.62
 

Ubuntu Package Mirror

  • URL: rb-mirror.slc.efscloud.net
  • IP: 198.73.17.51

Additional requirements:


 Management Portal requirements


Most partners use an Axcient-hosted management portal, in which case all network security is fully managed by the Axcient cloud engineering team. 

If you are self-hosting your management portal, please refer to the following when configuring your firewall rules:

Inbound traffic

The x360Recover Management Portal must have a public IP address, preferably with a fully qualified DNS domain name ‘A’ record in place to make referencing it more user friendly.

The following inbound ports must be accessible from the Internet at large to the Management Portal:

  • TCP/22 (ssh) – Used by all managed devices to establish secure tunnels for remote management
  • TCP/80 (http) – (Optional) Used only for redirection to port 443 (https)
  • TCP/443 (https) – Used to access the user interface and API endpoints of the Management Portal
  • TCP/10000-10000+n – Used to access managed devices, n equals the number of devices configured for management
  • TCP/20000-20000+n – Used for Remote Assist connections to managed devices by the Axcient support team.  (Port mappings mirror the 10000+ mappings used by remote management.)
Outbound traffic

The Management Portal makes no unique outbound connections.  (Please take note of the common requirements of all devices described at the beginning of this article.)

 


Appliance requirements


The x360Recover appliance is typically deployed on the same LAN as the protected systems it is servicing. This means NO inbound firewall rules are generally required. (The appliance has its own internal firewall restricting inbound traffic at the device level.)

However, if you have deployed a firewall between your protected systems and your appliance, the following ports need to be accessible:

Inbound traffic
  • TCP/80 (http) – (Optional) Used only for redirection to port 443 (https)
  • TCP/443 (https) – Used for accessing the user interface and API endpoints of the device
  • TCP/860 (iscsi) – Used for accessing iSCSI targets exported by the device
  • TCP/3260 (iscsi) – Used for iSCSI discovery when accessing targets exported by the device
  • TCP/9090-10100 (agent) – Used by the x360Recover agent for data transfers during backups
  • TCP/15000-15999 – Randomly assigned port range for VNC console connections to running VM’s

Outbound traffic

In addition to the common network ports listed at the top of this article, the x360Recover appliance requires the following ports and destinations to be accessible:

 Management Portal 

Appliances must be able to communicate with the management portal on the following ports:

  • TCP/22 (ssh) – Used to establish secure tunnel for remote management and Remote Assist
  • TCP/443 (https) – Used for accessing API endpoints

 Vault 

Appliances must be able to communicate with all Vaults configured for Replication

  • TCP/443 (https) – Used for accessing API endpoints
  • TCP/9080 (vt1) – Legacy vault transfer client
  • TCP/9081 (vt2) – Enhanced vault transfer client

 Scale-Out Cloud 

Appliances must be able to communicate with all available Scale-Out Cloud storage nodes within the configured data center.  The URLs and IP addresses of the Scale-Out Cloud are dynamic and subject to change as nodes are added over time.

  • TCP/9081 (vt2) – Enhanced vault transfer client

 


Vault requirements


Most partners use Axcient-hosted cloud vaults, in which case all network security is fully managed by the Axcient cloud engineering team.

However, if you are self-hosting some or all of your vaults, refer to the following when configuring your firewall rules:

Inbound traffic
  • TCP/80 (http) – (Optional) Used only for redirection to port 443 (https)
  • TCP/443 (https) – Used for accessing API endpoints
  • TCP/9080 (vt1) – Legacy vault transfer client
  • TCP/9081 (vt2) – Enhanced vault transfer client 
Outbound traffic

In addition to the common network ports listed at the beginning of this article, the vault requires the following ports and destinations to be accessible:

 Management Portal 

Vaults must be able to communicate with the Management Portal on the following ports:

  • TCP/22 (ssh) – Used to establish secure tunnel for remote management and Remote Assist
  • TCP/443 (https) – Used for accessing API endpoints

 

SUPPORT  | 720-204-4500 | 800-352-0248

  • To learn more about any of our Axcient products,  sign up for free one-on-one training.
  • Please contact your Partner Success Manager or Support if you have specific technical questions.
  • Subscribe to the Axcient Status page for a list of status updates and scheduled maintenance.