Firewall ports (inbound) - x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at September 15th, 2023

General Information 

This article describes inbound firewall ports and public NAT mappings required by x360Recover.

Note: It is best practice to place a hardware firewall between the internet and any device that requires inbound connections. Axcient vaults and portals should always be behind a hardware firewall, with inbound connections limited to the necessary ports listed below.

  • We recommend enabling lockdown mode from x360Recover Manager for all devices to improve security and enable multi-factor authentication
  • No inbound ports from the internet need to be opened at a customer location for appliances.  
  • Appliances connect to the cloud and establish secure tunnel services for remote access via Management Portal (Legacy) or x360Recover Manager.

For details on securing outbound communications, refer to this article.

Management Portal (Legacy)

Note: SSH is necessary to allow inbound connections from managed appliances and vaults. 

Ensure that (a) your user passwords for root and Replibit accounts have strong and complex passwords, or (b) disable password authentication and configure certificate-based authentication for your users 

The following inbound TCP ports must be NAT-mapped and allowed access to the Management Portal:

  • 22 SSH
  • 80 (HTTP is redirected to HTTPS)
  • 443 (HTTPS)
  • 10,000-10,000+N (Remote Management) - where N is the number of appliances and vaults communicating with the Management Portal.
  • 20000-20000 + N* (Axcient Remote Assist) is deprecated and is no longer needed 


The following inbound TCP ports must be NAT’d to the vault:

  • 80 (HTTP is redirected to HTTPS)
  • 443 (HTTPS)
  • 9079 (Endpoint Manager)
  • 9080 (Vault Transfer Service – Legacy)
  • 9081 (Vault Transfer Service – VT2)
  • 9082 (Cloudserver) 
  • 9083 (Disaster Recovery Access Layer) 
  • 9090 (Backup Manager)
  • 10000-11024 (FTP PASV)


Important Note: Appliances do not require any inbound connectivity from the internet.

Appliances should not have inbound port mapping from a public IP address. 

The inbound ports referenced here are solely for connections from agents located on the local LAN network.

The following TCP ports  must be open between the x360Recover backup agent and the appliance:  (Usually this only needs to be done if the backup agent and the appliance have a firewall between them.)

  • 80 (HTTP is redirected to HTTPS)
  • 443 (HTTPS)
  • 9079 (Endpoint Manager)
  • 9083 (Disaster Recovery Access Layer)
  • 9090 - 10100 (Cloudserver)
  • 15000 - 15999 (VNC Terminal Access)
  • 860 and 3260 (iSCSI connections to appliance)

NOTE: The following outbound TCP ports are available on Axcient-hosted Management Portals and vaults for email delivery of alerts and reporting

  • 465, 587 (ssh/tls) for outbound smtp traffic


Some firewalls/routers have very low TCP timeout settings by default. These can affect long-lived TCP connections such as the connection between the appliances and vaults to the Management Portal. Always set TCP timeout settings for all x360Recover services to the maximum allowable on the device. 

To increase the TCP timeout setting on SonicWall firewalls:

  • Login to your Sonicwall device
  • Go to the top-level menu item “Firewall”
  • Choose “TCP Settings”
  • Change the “Default TCP Connection Timeout” from its default value of 15 minutes to 720 minutes



 SUPPORT  | 720-204-4500 | 800-352-0248

750  |  1294  |  1567