Overview:

Antivirus software, third-party encryption programs, or network firewalls may sometimes lock files, folders, or block network traffic that are actively utilized by other applications. Antivirus programs, in particular, frequently lock files during real-time or on-access scanning. If these third-party applications lock files or folders related to the Enterprise Workloads agent—such as those containing configurations or logs—it can result in file corruption or cause unexpected behavior. To prevent these issues, it is highly recommended to configure exclusions for the Druva Enterprise Workloads agent, Storage APIs, S3 URLs, and configuration paths.

Druva and S3 URLs

If a firewall is configured in your environment, ensure that the following patterns are allowed for seamless backups and restores.

*.druva.com
*s3.amazonaws.com/*
s3-*.amazonaws.com
s3*.*.amazonaws.com

Click to determine your deployment region

To determine your deployment region, perform the following steps:

Log in to the Druva Cloud Platform console.
After logging in, check your URL:
- If it starts with console.druva.com, your account is deployed in the US deployment region.
- If it starts with ap1-console.druva.com, your account is deployed in the APAC deployment region.

URLs for the US deployment region

login.druva.com
globalapis.druva.com
phoenix.druva.com
downloads.druva.com
deviceapigw-phoenix.druva.com
backup-phoenix.druva.com
pub-devicemgmt-devicenotifier-dcp.druva.com
devicemgmt-reverseproxy-dcp.druva.com

📝 Note

You must configure the firewall rules to allow both the FQDN and Alias URLs.

Purpose	FQDN	Alias
Log download	`https://dprod-devicestore-file.s3.us-east-1.amazonaws.com`	`https://druva-us0-devicefile-zqztwnudbwnx5u8j1bx4x6qbq8dmhuse1a-s3alias.s3.us-east-1.amazonaws.com`
Agent upgrade	`https://dprod-devicestore-package.s3.us-east-1.amazonaws.com`	`https://druva-us0-devicepack-mkpuot7uiirhb5wrphs1a9h946aeeuse1b-s3alias.s3.us-east-1.amazonaws.com`

Below URLs represent a regional storage cluster. Each URL corresponds to a specific region and is associated with the storage service.

Storage Region	Storage API URL
Northern Virginia (us-east-1)	`dtp-c0-us-east-1-phoenix.druva.com`
Northern California (us-west-1)	`dtp-c0-us-west-1-phoenix.druva.com`
Oregon (us-west-2)	`dtp-c0-us-west-2-phoenix.druva.com`
Ireland (eu-west-1)	`dtp-c0-eu-west-1-phoenix.druva.com`
London (eu-west-2)	`dtp-c0-eu-west-2-phoenix.druva.com`
Paris (eu-west-3)	`dtp-c0-eu-west-3-phoenix.druva.com`
Stockholm (eu-north-1)	`dtp-c0-eu-north-1-phoenix.druva.com`
Frankfurt (eu-central-1)	`dtp-c0-eu-central-1-phoenix.druva.com`
Hong Kong (ap-east-1)	`dtp-c0-ap-east-1-phoenix.druva.com`
Tokyo (ap-northeast-1)	`dtp-c0-ap-northeast-1-phoenix.druva.com`
Mumbai (ap-south-1)	`dtp-c0-ap-south-1-phoenix.druva.com`
Singapore (ap-southeast-1)	`dtp-c0-ap-southeast-1-phoenix.druva.com`
Sydney (ap-southeast-2)	`dtp-c0-ap-southeast-2-phoenix.druva.com`
São Paulo (sa-east-1)	`dtp-c0-sa-east-1-phoenix.druva.com`
Montreal (ca-central-1)	`dtp-c0-ca-central-1-phoenix.druva.com`
UAE (me-central-1)	`dtp-c0-me-central-1-phoenix.druva.com`

URLs for the APAC deployment region

login.druva.com
globalapis.druva.com
phoenix.druva.com
downloads.druva.com
deviceapigw-ap1-phoenix.druva.com
backup-ap1-phoenix.druva.com
pub-devicemgmt-devicenotifier-ap1-dcp.druva.com
devicemgmt-reverseproxy-ap1-dcp.druva.com

📝 Note

You must configure the firewall rules to allow both the FQDN and Alias URLs.

Purpose	FQDN	Alias
Log download	`https://ap1-dprod-devicestore-file.s3.ap-southeast-1.amazonaws.com`	`https://druva-ap1-devicefile-gkztbhmogjger59x4d8qps3gomasnaps1a-s3alias.s3.ap-southeast-1.amazonaws.com`
Agent upgrade	`https://ap1-dprod-devicestore-package.s3.ap-southeast-1.amazonaws.com`	`https://druva-ap1-devicepack-4bkkqwrp4harurgb7hrocaya9cme4aps1b-s3alias.s3.ap-southeast-1.amazonaws.com`

Below URLs represent a regional storage cluster. Each URL corresponds to a specific region and is associated with the storage service.

Storage Region	Storage API URL
Singapore (ap-southeast-1)	`dtp-c0-ap-southeast-1-ap1-phoenix.druva.com`
Hong Kong (ap-east-1)	`dtp-c0-ap-east-1-ap1-phoenix.druva.com`
Mumbai (ap-south-1)	`dtp-c0-ap-south-1-ap1-phoenix.druva.com`
Sydney (ap-southeast-2)	`dtp-c0-ap-southeast-2-ap1-phoenix.druva.com`
Tokyo (ap-northeast-1)	`dtp-c0-ap-northeast-1-ap1-phoenix.druva.com`
UAE (me-central-1)	`dtp-c0-me-central-1-ap1-phoenix.druva.com`

Common storage URLs for agent version 7.0.0 and later

For Enterprise Workloads agents with version 7.0.0 or later, if you have configured firewall rules in your environment for workload agents and CloudCache R3, allow the following S3 URLs to access storage during backup and restore:

📝 Note

You must configure the firewall rules to allow both the FQDN and Alias URLs.

Storage Region	S3 FQDN	S3 Alias
Hong Kong (ap-east-1)	`https://s3.ap-east-1.amazonaws.com/`	`https://druvaphn-ape1-3qpd1n8aqdth45hba5ghxpceb9thkape1a-s3alias.s3.ap-east-1.amazonaws.com/`
Mumbai (ap-south-1)	`https://s3.ap-south-1.amazonaws.com/`	`https://druvaphn-aps1-kuia8bkbftwcbn4y8ihzdhck3y4zgaps3a-s3alias.s3.ap-south-1.amazonaws.com/`
Singapore (ap-southeast-1)	`https://s3.ap-southeast-1.amazonaws.com/`	`https://druvaphn-apse1-9k6pu5kyjr3813xemeo14r9dioukwaps1a-s3alias.s3.ap-southeast-1.amazonaws.com/`
Sydney (ap-southeast-2)	`https://s3.ap-southeast-2.amazonaws.com/`	`https://druvaphn-apse2-xifjr44ehwn4skab8xgg4kwzgg1qcaps2a-s3alias.s3.ap-southeast-2.amazonaws.com/`
Tokyo (ap-northeast-1)	`https://s3.ap-northeast-1.amazonaws.com/`	`https://druvaphn-apne1-3tzzk6pokwpj7o3c8r3cquw8ithxoapn1a-s3alias.s3.ap-northeast-1.amazonaws.com/`
Northern Virginia (us-east-1)	`https://s3.amazonaws.com/` `https://s3.us-east-1.amazonaws.com/`	`https://druvaphn-use1-3eshkjg74za3gfuc3rqj51ab5m8c1use1a-s3alias.s3.amazonaws.com/` `https://druvaphn-use1-3eshkjg74za3gfuc3rqj51ab5m8c1use1a-s3alias.s3.us-east-1.amazonaws.com/`
Northern California (us-west-1)	`https://s3.us-west-1.amazonaws.com/`	`https://druvaphn-usw1-ak8kj98wzehr3qfiyepxt9ypq4yfrusw1a-s3alias.s3.us-west-1.amazonaws.com/`
Oregon (us-west-2)	`https://s3.us-west-2.amazonaws.com/`	`https://druvaphn-usw2-oxfxnrq6z6cjd5p7kbmefgzk6d73ausw2a-s3alias.s3.us-west-2.amazonaws.com/`
Montreal (ca-central-1)	`https://s3.ca-central-1.amazonaws.com/`	`https://druvaphn-cac1-acawpxxtj4ichfwxtxberrmj7w3jkcan1a-s3alias.s3.ca-central-1.amazonaws.com/`
Frankfurt (eu-central-1)	`https://s3.eu-central-1.amazonaws.com/`	`https://druvaphn-euc1-eiytn963i4jtmpue5xt1i9fdb9kjweuc1a-s3alias.s3.eu-central-1.amazonaws.com/`
Ireland (eu-west-1)	`https://s3.eu-west-1.amazonaws.com/`	`https://druvaphn-euw1-u39y9y4kon6oan1omsg9f9wjtmp4oeuw1a-s3alias.s3.eu-west-1.amazonaws.com/`
London (eu-west-2)	`https://s3.eu-west-2.amazonaws.com/`	`https://druvaphn-euw2-u8om1ejedb58a7oh4ad85p4qc7q3aeuw2a-s3alias.s3.eu-west-2.amazonaws.com/`
Paris (eu-west-3)	`https://s3.eu-west-3.amazonaws.com/`	`https://druvaphn-euw3-pswryckcmqamxuiicf7gjets9hafoeuw3a-s3alias.s3.eu-west-3.amazonaws.com/`
Stockholm (eu-north-1)	`https://s3.eu-north-1.amazonaws.com/`	`https://druvaphn-eun1-do7rfzp8s3xuz8nm7cwfjzcqbf3pgeun1a-s3alias.s3.eu-north-1.amazonaws.com/`
São Paulo (sa-east-1)	`https://s3.sa-east-1.amazonaws.com/`	`https://druvaphn-sa1-poghxe43kh71og6pghcfrzfuxziphsae1a-s3alias.s3.sa-east-1.amazonaws.com/`
UAE (me-central-1)	`https://s3.me-central-1.amazonaws.com/`	`https://druvaphn-mec1-hupms3wzwebgdbjgiyikzebx7mi84mec1a-s3alias.s3.me-central-1.amazonaws.com/`

Installation and configuration data paths of Cloud

C:\ProgramData\Phoenix (Server 2008 and above)
C:\Program Files\Druva\
C:\ProgramData\PhoenixCloudCache
C:\ProgramData\Druva
C:\ProgramData\phoenixupgrade
Data Volume folder path that is configured in CloudCache for exclusion. For more information on Data Volume configuration, see Configure CloudCache page.
root/Druva
/opt/Druva
/var/Druva

Application processes of Cloud

VMware

PhoenixIRAgent
HybridWorkloadUDA
PhoenixVMWareAgent
vmware
VMwareAgentPartner
VMwareFLRCleanupAll
VMwareFLRFuse
ProxyConf
VMwareGetVfatAttr
proxySetup
vsphere-discovery
dr-vmware
init.Druva-EnterpriseWorkloads
proxyFirstBoot
FLRDRSTCommandExecutor
PhoenixDRFailbackAgent
PhoenixFailbackRestServer
PhoenixFbcCli
PhoenixFbcSmbAgent
PhoenixVMWareAgent
cFuse
flrFuse
vmFuse
Druva-EnterpriseWorkloads.conf
Druva-EnterpriseWorkloads.service
Druva-HybridWorkloads.conf
Druva-HybidWorkloads.service
drst
Guestossvc

The following binaries reside on the proxy and run on the guest operating system:

HybridWorkloadScan.exe
HybridWorkloadScanx64
HybridWorkloadScanx86
HybridWorkloadUDA.exe
vguestossvc
guestossvc.exe
bring_disks_online.ps1
PhoenixSQLGuestPlugin.exe
PhoenixFbcWinGuestOSAgent.exe
PhoenixPreflight

File Server

PhoenixFSAgent.exe
fs.exe
scanner-cli.exe
PhoenixFSDtBackupAgent.exe
PhoenixFSDtRestoreAgent.exe
PhoenixFSBackupAgent.exe
PhoenixFSRestoreAgent.exe
PhoenixFSSnapshot.exe

NAS

PhoenixNASAgent.exe
nas.exe
PhoenixNASBackupAgent.exe
PhoenixNASDtBackupAgent.exe
PhoenixNASRestoreAgent.exe
PhoenixNASDtRestoreAgent.exe
PhoenixNASDiscoveryAgent.exe
PhoenixNASControl.exe
PhoenixNasDicovery.exe
scanner-cli.exe

SQL

mssql.exe
sqldiscovery.exe
PhoenixSQLAgent.exe
PhoenixSQLGuestPlugin.exe
PhoenixSQLDownloader.exe
PhoenixSQLUploader.exe
sql-ioserver.exe
drst-ioserver.exe

Oracle DTC

oracle
ioserver
vfsserver

CloudCache

PhoenixCacheWorker.exe
Phoenix CacheServerSVC.exe
PhoenixCacheControl.exe
PhoenixCacheServer.exe
Cloudcache
PhoenixIRService
PhoenixIRFS

Hyper-V

hyperv.exe
PhoenixHyperVAgent.exe
PhoenixHyperVControl.exe

Generic

Phoenix.exe
PhoenixCPHwnet64.exe (64-bit machines)
PhoenixCPHwnet.exe (32-bit machines)
PhoenixActivate.exe
HybridWorkloadsAgent.exe
HybridWorkloadsAgentApp.exe
HybridWorkloadsCheck.exe
PhoenixOtelPipeline.exe
CheckEngine
EnterpriseWorkloads
EnterpriseWorkloadsAgent
EnterpriseWorkloadsMigrator
EnterpriseWorkloadsUpgrader
EnterpriseWorkloads-*-amd64.deb
Guestossvc.exe
EnterpriseWorkloads-*.msi
EnterpriseWorkloads.exe
EnterpriseWorkloadsAgent.exe
EnterpriseWorkloadsMigrator.exe
EnterpriseWorkloadsUpgrader.exe
CheckEngine.exe

Ports and communication protocols

The following tables describe the ports and communication protocols used by Druva to ensure secure connections and communication during backup and restore operations.

VMware

Port	Communication protocol	Description
443	HTTPS+SSL	Druva uses Port 443 to establish a secure connection and communication between the following: Backup Proxy to Druva Cloud Backup Proxy to CloudCache Backup Proxy to vCenter Server 📝 Note Port 443 is required if the ESXi host is directly registered with Druva for backup. Backup proxy establishes connection with ESXi host over Port 443 only if it registered with Druva as Standalone ESXi. If the ESXi host is registered with Druva through vCenter Server, backup proxy communicates with the ESXi host over Port 902.
902	TCP/UDP	Druva uses port 902 to establish a connection between the backup proxy and ESXi host registered with Druva through vCenter Server. By default, VMware uses the port 902 for the `vixDiskLib` connection (All Transport Modes). You must use the `VixDiskLib` to access a virtual disk. All operations require a `VixDiskLib` connection to access virtual disk data.
3542	HTTPS+SSL	For application-aware backups, the backup proxy uses VMware Tools to inject two executables and a few supporting files such as certificates into the guest OS of the virtual machine. When the executables run, they start guest OS processes called `guestossvc` and `PhoenixSQLGuestPlugin` . The backup proxy uses the opened port 3542 on the guest OS so that it can communicate with `guestossvc` to run SQL Server backups. Ensure that this port is open on the guest OS. In addition, the backup proxy should reach the virtual machine directly over IPv4. The backup proxy also uses this port to restore databases to the virtual machine.
3545	HTTPS+SSL	For application-aware backups, the SQL executable service `PhoenixSQLGuestPlugin` queries the Microsoft VSS APIs to back up and restore SQL Server databases. The `guestossvc` service interacts with the `PhoenixSQLGuestPlugin` service using this port. The `PhoenixSQLGuestPlugin` service cannot directly communicate with the backup proxy.
3389/22	TCP/UDP	During the backup cycle, the backup proxy sends network packets to Windows virtual machines (where VMware tools are installed) on port 3389 to identify if the RDP port is open or not. For Linux virtual machines, the port is 22, which is used for SSH. This is used for Disaster Recovery or DR restores.
123	UDP	Backup proxy accesses NTP server on Port 123 (UDP) for time synchronization.
443	HTTPS+TLS	Druva uses TLS 1.2 or a secure connection that happens between the following: Backup proxy and Druva Cloud Backup proxy and CloudCache CloudCache and Druva Cloud

Disaster Recovery

AWS Proxy

AWS Proxy (Inbound rules)

Source	Type	Protocol	Port range	Target	Description
My IP	SSH	TCP	22	AWS Proxy	This is an optional inbound rule. You can use this inbound rule to log into the AWS Proxy via SSH client such as Putty.

AWS Proxy ( Outbound rules)

Source	Type	Protocol	Port range	Target	Description
AWS Proxy	HTTPS	TCP	443	0.0.0.0/0	Use to communicate with Druva Cloud and AWS Services

Failover EC2 Instance

Linux Failover EC2 Instance (Inbound rules)

Source	Type	Protocol	Port range	Target	Description
My IP (Post DR Failover Job)	SSH	TCP	22	Failover EC2 Instance	This is an optional inbound rule. You can use this rule to log into the Failover EC2 Instance via SSH client such as Putty.
Destination VMware Network (Post DR Failback Job)	SSH	TCP	22	Destination VMware Failback VM	You need this inbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM.

Linux Failover EC2 Instance (Outbound rules)

Source	Type	Protocol	Port range	Target	Description
Failover EC2 Instance	All Traffic	ALL	ALL	Anywhere IPv4 (0.0.0.0)	Use this outbound rule for DR Failback.

Source	Type	Protocol	Port range	Target	Description
Failover EC2 Instance	SSH	TCP	22	Destination VMware Failback VM	You need this outbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM.
Failover EC2 Instance	DNS	TCP	53	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	DNS	UDP	53	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	LDAP	TCP	389	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	LDAPS	TCP	636	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	LDAP	UDP	389	Domain Controller Network	Use this outbound rule to log to the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job
Failover EC2 Instance	custom TCP	TCP	88	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	custom UDP	UDP	88	Domain Controller Network	Use this outbound rule to log to the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Windows Failover EC2 Instance (Inbound rules)

Source	Type	Protocol	Port range	Target	Description
Destination VMware Network	SMB	TCP	445	Failover EC2 Instance	Use this inbound rule for DR Failback. This connection is used to communicate with the Failover EC2 Instance Admin Share.
Destination VMware Network	Custom TCP	TCP	50000	Failover EC2 Instance	Use this inbound for DR Failback. This connection is used to transfer data from Failover EC2 Instance to VMware Failback VM.
My IP (Post DR Failover Job)	RDP	TCP	3389	Failover EC2 Instance	This is an optional inbound rule for DR Failover. You can use this connection to log into the Failover EC2 Instance via RDP clients. This rule is not required for DR Failback.

Windows Failover EC2 Instance (Outbound rules)

Source	Type	Protocol	Port range	Target	Description
Failover EC2 Instance	All Traffic	ALL	ALL	Anywhere IPv4 (0.0.0.0)	Use this outbound rule for DR Failback.

Source	Type	Protocol	Port range	Target	Description
Failover EC2 Instance	DNS	TCP	53	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	DNS	UDP	53	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	LDAP	TCP	389	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	LDAP	UDP	389	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	Kerberos	TCP	88	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	Kerberos	UDP	88	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.
Failover EC2 Instance	SMB	TCP	445	Domain Controller Network	Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

AWS SQS Endpoint

Source	Type	Protocol	Port range	Target	Description
Private Subnet of the VPC	HTTPS	HTTPS	443	SQS Interface Endpoint	Make sure the Interface Endpoint allows 443 inbound rule. For more information, see Amazon ECS interface VPC endpoints (AWS PrivateLink).

VMware ESX

Source	Type	Protocol	Port range	Target	Description
VMware Proxy	Custom	TCP	902	VMware ESX	Use port 902 to establish a connection between the Backup proxy and ESXi host registered with Druva through vCenter Server.

VMware Proxy

Source	Type	Protocol	Port range	Target	Description
Failback VM	HTTPS	HTTP	443	VMware Proxy	Failback VM connects to the VMware Proxy over HTTPS 443 port for sending Failback progress updates.

Hyper-V

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud.

Nutanix AHV

Port	Communication protocol	Description
9440	HTTPS+SSL	Druva uses Port 9440 to establish a secure connection and communication between the Backup Proxy and Prism.
443	TLS	Backup Proxy to Druva Cloud.
443	TLS	Backup Proxy to S3 bucket.

File Server

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud.

NAS

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup proxy and Druva Cloud.

MS SQL Servers

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud.

Oracle PBS

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between PBS and Druva Cloud.

Oracle DTC

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud.

SAP HANA

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud.
20000 to 20100		Used for internal communication within the cluster
21000		Used for internal communication within the cluster

CloudCache

Port	Communication protocol	Description
443	TLS	Druva uses Port 443 to establish a secure connection and communication between Backup agent, CloudCache agent, and Druva Cloud.

📝 Note

Port 8082 is used for internal communications on the host for FS, NAS, Hyper-V, VMware, Oracle DTC, and MS SQL. If port 8082 is unavailable, other available ephemeral ports will be used.

Related keywords

Antivirus configuration, firewall settings, enterprise workloads, URL whitelisting, network ports, security processes, antivirus compatibility, firewall rules, network interference, agent optimization, threat protection, network security, port management, process monitoring, security exceptions, firewall configuration, antivirus troubleshooting, enterprise agent configuration, security best practices, system performance, network traffic, port forwarding, intrusion prevention, application whitelisting, process exclusions, security software, network protocols, secure connections, antivirus exclusion list, firewall policies.

Firewall rules for protecting Enterprise Workloads

DR Failback Checks

Best Practices for Disaster Recovery as a Service

Disaster recovery errors

User Guide - Preparing your environment for successful Druva Disaster Recovery