To allow Veeam Backup & Replication to manage and back up a Hyper-V host, you must open specific ports on the target Hyper-V host.
| Port(s) | Protocol | Purpose |
|---|---|---|
| 135, 445 | TCP | RPC Endpoint Mapper & SMB (Component deployment) |
| 137-139 | UDP/TCP | NetBIOS (Naming and discovery) |
| 6160 | TCP | Veeam Installer Service |
| 6162 | TCP | Veeam Transport Service |
| 6163 | TCP | Veeam Hyper-V Integration Service |
| 2500-3300 | TCP | Data transmission channels (VBR v10+) |
| 49152-65535 | TCP | Dynamic RPC ports for WMI management |
For more details, see the official Veeam Used Ports Guide.
Run the following script as an Administrator on the Hyper-V host to automate the creation of these firewall rules: Define port ranges and names
$VeeamPorts = @( @{Name="Veeam RPC & SMB"; Port="135,445"; Protocol="TCP"}, @{Name="Veeam NetBIOS"; Port="137-139"; Protocol="Any"}, @{Name="Veeam Services"; Port="6160,6162,6163"; Protocol="TCP"}, @{Name="Veeam Data Transfer"; Port="2500-3300"; Protocol="TCP"}, @{Name="Veeam Dynamic RPC"; Port="49152-65535"; Protocol="TCP"} ) foreach ($Rule in $VeeamPorts) { $params = @{ DisplayName = $Rule.Name Direction = "Inbound" Action = "Allow" Protocol = $Rule.Protocol LocalPort = $Rule.Port Description = "Required for Veeam Backup & Replication" Group = "Veeam Networking" } New-NetFirewallRule @params }
You can verify the rules are active by running this command:
Get-NetFirewallRule -Group "Veeam Networking" | Select-Object DisplayName, Enabled, Direction
Note: If your environment is a Workgroup, ensure you have also added the Veeam server to the host's TrustedHosts list.