Challenge

Ports and permissions must be configured for Veeam ONE to function properly.

Cause

The list of required ports and permissions can be found below.

Solution

Required Permissions

The service account must have Local Administrator permissions on the machine where Veeam ONE is installed.

Authorizing with Veeam ONE

To authorize with Veeam ONE software components (Veeam ONE Monitor, Reporter and Business View), a user must have the Allow log on locally privilege assigned.

By default, this privilege is assigned to users included in the local Administrators group. For users not included in the local Administrators group, you must assign this privilege manually. For details, see this Microsoft TechNet article.

NOTE: In the advanced deployment scenario, you must assign the Allow log on locally privilege on the machines that host the Veeam ONE Server and Veeam ONE Web UI architectural components.

Connection to Microsoft SQL Server

The account used to connect to the Microsoft SQL Server hosting the Veeam ONE database must have the following permissions:

• Public role (default permissions)
• CREATE ANY DATABASE permissions
• db_owner role on the Veeam ONE database
• db_datareader permissions on the master database
• public, db_datareader, SQLAgentUserRole permissions on the msdb database
• [For Always-On Availability Groups] VIEW SERVER STATE permissions 

Connection to Microsoft Hyper-V VM Guest OS

The account used to collect data from guest OSes of Microsoft Hyper-V Windows VMs, must have local Administrator permissions on the guest OS.

NOTE: To collect data from non-domain Windows VMs, or VMs with an unelevated local Administrator account, you must complete additional configuration steps to allow Veeam ONE perform data collection. For details, see Connection Under UAC.

Connection Under UAC

Veeam ONE collects data from Microsoft Windows servers using WMI. For some configurations, UAC access token filtering can prevent running WMI commands on connected machines, which in turn will cause data collection failures.

The affected configurations are:

• Non-domain machines (machines in a workgroup)
• Machines with an unelevated local Administrator account (the account that is not Built-in Administrator)

To allow Veeam ONE collect data from these machines, perform the following steps on target virtual servers:

1. Set the network location to private:

1. Log on to a machine as Administrator.
2. Open the Network and Sharing Center.
3. In the list of active networks, click the necessary network and change its location to Private.

In some Windows OS versions, this location is called Home or Work.

1. Configure Windows Remote Management.

To do so, in the command prompt, type winrm quickconfig and press [Enter].

For more details on UAC access token filtering, see User Account Control and WMI.

Authorizing with Veeam ONE

To authorize with Veeam ONE software components (Veeam ONE Monitor, Reporter and Business View), a user must have the Allow log on locally privilege assigned.

By default, this privilege is assigned to users included in the local Administrators group. For users not included in the local Administrators group, you must assign this privilege manually. For details, see this Microsoft TechNet article.

NOTE: In the advanced deployment scenario, you must assign the Allow log on locally privilege on the machines that host the Veeam ONE Server and Veeam ONE Web UI architectural components.

Remote Access

To be able to access Veeam ONE software components installed on a remote machine, you can use one of the following options.

Remote Access to Veeam ONE Reporter and Business View through Web Browser

Veeam ONE Reporter and Business View consoles can be accessed using a web browser on a remote machine. To learn more on how to access Veeam ONE software components, see Accessing Veeam ONE Monitor, Reporter and Business View.

Veeam ONE Reporter and Business View consoles remotely, a user must be a member of the Veeam ONE Administrators or Veeam ONE Read-Only Users group on the machine where Veeam ONE Web UI component is installed. For details on Veeam ONEsecurity groups, see Security Groups.

Remote Access for Multi-Tenant Monitoring and Reporting

Veeam ONE supports multi-tenant access to its monitoring and reporting capabilities. Authorized users can remotely monitor a subset of the vCenter Server or vCloud Director infrastructure and create reports.

To monitor and report on a restricted scope of the virtual infrastructure, a user must have permissions assigned on objects of the vCenter Server or vCloud Director inventory hierarchy. For details, see Veeam ONE Multi-Tenant Monitoring and Reporting.

Required Ports

From	To	Protocol	Port	Notes
Veeam ONE	vCenter ESX(i)	SSL	4431	Required to collect data from vCenter Server/ ESX(i) hosts.  To learn how to check the current state of the vSphere API port, see the VMware vSphere documentation.
		TCP	5989	Required to collect ESX(i) host hardware details via CIM XML.
		TCP	10080 10443	Default port used to access vCenter Inventory Service (HTTP or HTTPS) and collect vCenter Server tags. Required for vCenter Server 5.x only.
	Platform Services Controller (PSC)	HTTPS	443	Default port used to collect and assign VMware Tags data. Required for vCenter Server starting from version 6.5.
	vCloud Director	SSL	4431	Required to collect data from vCloud Director.
	SCVMM	TCP	8100	Default SCVMM Administrator Console to SCVMM server port (required by the Veeam ONE Service).
	Hyper-V host	TCP	135, dynamically assigned ports2	Required to collect data from Microsoft Hyper-V hosts through WMI.
		TCP	135 445	Required to gather CPU and memory performance data from Microsoft Hyper-V hosts.4
		TCP	445	Required to access remote registry.
	Veeam Backup & Replication	TCP	135, dynamically assigned ports2	Required to collect data from Veeam backup servers through WMI.
		TCP	135 445	Required to gather CPU and memory performance data from Veeam Backup & Replication infrastructure servers.4
		TCP	445	Required to access remote registry.
	Veeam Backup Enterprise Manager	TCP	135, dynamically assigned ports2	Required to collect data from Veeam Backup Enterprise Manager through WMI.
	Veeam backup proxy	TCP	135 445	Required to gather CPU and memory performance data from backup infrastructure servers.4
	Veeam backup repository (Windows)	TCP	135 445	Required to gather CPU and memory performance data from backup infrastructure servers.4
	Veeam backup repository (Linux)	TCP	22	Default SSH port used to communicate with a Linux-based repository.
	Veeam WAN accelerator	TCP	135 445	Required to gather CPU and memory performance data from backup infrastructure servers.4
	Veeam License Update Server (autolk.veeam.com)	TCP	443	Default port used for license auto-update.
Veeam ONE Server and Web UI	Microsoft SQL Server	TCP	1433	Port used for communication with the Microsoft SQL Server on which the Veeam ONE database is deployed. Additional ports may need to be open depending on your configuration. For details, see https://msdn.microsoft.com/en-us/library/cc646023(v=sql.120).aspx#BKMK_ssde.
Veeam ONE Monitor Client	Veeam ONE Server	TCP	1393;  4453	Used by Veeam ONE Monitor Client to communicate with the Veeam ONE Server.
		UDP	1373
Workstation  Web Browser	Veeam ONE Reporter	HTTPS	1239	Required to access Veeam ONE Reporter console from a user workstation (a different port number can be chosen during setup).
	Veeam ONE Business View	HTTPS	1340	Required to access Veeam ONE Business View console from a user workstation (a different port number can be chosen during setup).

 

1 You must open these ports manually
2 To learn about enabling and disabling WMI traffic, see http://msdn.microsoft.com/en-us/library/aa389286(v=vs.85).aspx and http://msdn.microsoft.com/en-us/library/aa822854(v=vs.85).aspx 
3 Associated with the File and Printer Sharing service
4 To gather performance data from Windows Server 2012 and 2012R2, you must additionally enable network discovery.