Firewall ports (outbound)- x360Recover

Written By Tami Sutcliffe (Super Administrator)

Updated at November 7th, 2024

Overview 

This article describes outbound firewall ports and public NAT mappings required by x360Recover.

Note: Best practice calls for a hardware firewall between the internet and any device that requires inbound connections. Axcient vaults and portals should always be behind a hardware firewall, with inbound connections limited to the necessary ports listed below.

  • We recommend enabling lockdown mode from x360Recover Manager for all devices to improve security and enable multi-factor authentication
  • No inbound ports from the internet need to be opened at a customer location for appliances.  
  • Appliances connect to the cloud and establish secure tunnel services for remote access via Management Portal (Legacy) or x360Recover Manager.

For details on securing inbound communications, refer to this article.


[Full list: All supported hardware configurations and solutions for x360Recover]


Requirements for firewall ports (outbound):


Direct-to-Cloud (D2C) agent requirements

The x360Recover Direct-to-Cloud (D2C) agent requires the following firewall ports to be open for outbound communications on the internet:

TCP 80 (http)
TCP 443 (https)
TCP 9079 (Endpoint Manager)
TCP 9082 (Cloudserver)
TCP 9083 (Disaster Recovery Access Layer - DRAL )
TCP 9090 (Backup Manager)
TCP 9084 (Rsync)
TCP/UDP 10000 - 11024 (FTPS PASV - for FTP recovery from vault)

Note: the list of IP addresses within our datacenter to which the agent must communicate is dynamic and subject to change


Recovery Center requirements

x360Recover Recovery Center requires the following ports to be open:


Common requirements for appliances and vaults 

All x360Recover devices must be able to communicate with the following destinations and ports: 


 Distributed Tunnel Service
  • TCP/2222 - rb-prd-slcflow.slc.efscloud.net 

Cloud Key Management Services

  • TCP/443 (https) – Used to access API endpoints 
  • URL: appliances.efscloud.net
  • IP(s): 143.204.29.2/143.204.29.74/143.204.29.16/143.204.29.87
    Note: IP addresses subject to change
 

Telemetry Services

The  x360Recover telemetry service utilizes a highly-dispersed cloud data provider with a large list of volatile IP addresses.  A list of the current IP addresses in use can be found here

 

Update Manager

  • TCP/80 (http) - Used for package downloads and version updates
  • URL(s): pkgmgrrepo.replibit.net
  • IP(s): highly volatile (Amazon AWS S3 service)
 

Update Repository

  • TCP/443 (https) – Used for software updates and custom package distribution
  • URL: download.slc.efscloud.net
  • IP: 198.73.17.62
 

Ubuntu Package Mirror

  • URL: rb-mirror.slc.efscloud.net
  • IP: 198.73.17.51

Appliance requirements

The x360Recover appliance is typically deployed on the same LAN as the protected systems it is servicing. This means NO inbound firewall rules are generally required. (The appliance has its own internal firewall restricting inbound traffic at the device level.)

For details on in-bound ports, please refer to Firewall ports (inbound)

However, if you have deployed a firewall between your protected systems and your appliance, the following ports need to be accessible:

Outbound traffic

In addition to the common requirements for appliances and vaults detailed at the top of this article , the x360Recover appliance requires the following ports and destinations to be accessible:

 Management Portal 

Appliances must be able to communicate with the management portal on the following ports:

  • TCP/22 (ssh) – Used to establish secure tunnel for remote management and Remote Assist
  • TCP/443 (https) – Used for accessing API endpoints
 Vault 

Appliances must be able to communicate with all Vaults configured for Replication

  • TCP/443 (https) – Used for accessing API endpoints
  • TCP/9080 (vt1) – Legacy vault transfer client
  • TCP/9081 (vt2) – Enhanced vault transfer client
 Scale-Out Cloud 

Appliances must be able to communicate with all available Scale-Out Cloud storage nodes within the configured data center.  The URLs and IP addresses of the Scale-Out Cloud are dynamic and subject to change as nodes are added over time. IP addresses will always be within the range described at Axcient Cloud IP addresses and application port ranges

  • TCP/9081 (vt2) – Enhanced vault transfer client

Vault requirements

Most partners use Axcient-hosted cloud vaults, in which case all network security is fully managed by the Axcient cloud engineering team.

However, if you are self-hosting some or all of your vaults, refer to the following when configuring your firewall rules:

Outbound traffic

In addition to the common requirements list at the top of this article, the vault requires the following ports and destinations to be accessible:

 Management Portal 

Vaults must be able to communicate with the Management Portal on the following ports:

  • TCP/22 (ssh) – Used to establish secure tunnel for remote management and Remote Assist
  • TCP/443 (https) – Used for accessing API endpoints
For details on in-bound ports, please refer to Firewall ports (inbound)

Additional requirements


 Management Portal requirements


Most partners use an Axcient-hosted management portal, in which case all network security is fully managed by the Axcient cloud engineering team. 

If you are self-hosting your management portal, please refer to the following when configuring your firewall rules:

Outbound traffic

The Management Portal makes no unique outbound connections.  (Please take note of the common requirements of all devices described at the beginning of this article.)

For details on in-bound ports, please refer to Firewall ports (inbound)


 


SUPPORT  | 720-204-4500 | 800-352-0248

  • To learn more about any of our Axcient products,  sign up for free one-on-one training.
  • Please contact your Partner Success Manager or Support if you have specific technical questions.
  • Subscribe to the Axcient Status page for a list of status updates and scheduled maintenance.

750  |  1237  |  1295