To ensure smooth operation of Enterprise Workloads, it is crucial to configure appropriate exclusions within your environment. Antivirus software, third-party encryption programs, and network firewalls can sometimes interfere with application functionality by locking files, folders, or blocking network traffic. Antivirus programs, especially during real-time scanning, often lock files. If these programs lock files or folders used by the Enterprise Workloads agent, such as configuration or log files, it can interrupt backups and restores. We strongly recommend configuring exclusions for the Enterprise Workloads agent, Druva storage cluster URLs, AWS S3 storage region URLs, and relevant configuration paths.
Step 1. Allow URLs in the firewall rules
Depending on your deployment region (US or APAC), you must allow the Druva storage cluster URLs and AWS S3 storage region URLs in the network firewall rules.
Determine your deployment region
To determine your deployment region, perform the following steps:
Log in to the Druva Cloud Platform console.
After logging in, check your URL:
URLs for the US deployment region
Allow the following Druva URLs in your network firewall rules:
login.druva.com
globalapis.druva.com
phoenix.druva.com
downloads.druva.com
deviceapigw-phoenix.druva.com
backup-phoenix.druva.com
pub-devicemgmt-devicenotifier-dcp.druva.com
devicemgmt-reverseproxy-dcp.druva.com
To download agent logs and upgrade Enterprise Workloads agents, you must configure the firewall rules to allow both the FQDN and Alias URLs.
Purpose | FQDN | Alias |
Log download |
|
|
Agent upgrade |
|
|
The URLs below represent Druva's regional storage clusters, each corresponding to a specific storage region and its associated storage service.
Storage Region | Storage Cluster URL | Storage Service URL |
Northern Virginia (us-east-1) |
|
|
Ohio (us-east-2) |
|
|
Northern California (us-west-1) |
|
|
Oregon (us-west-2) |
|
|
Ireland (eu-west-1) |
|
|
London (eu-west-2) |
|
|
Paris (eu-west-3) |
|
|
Stockholm (eu-north-1) |
|
|
Frankfurt (eu-central-1) |
|
|
São Paulo (sa-east-1) |
|
|
Montreal (ca-central-1) |
|
|
For Enterprise Workloads agents version 7.0.0 or later, allow the following AWS S3 storage URLs to access storage during backups and restores. Ensure that you configure firewall rules to allow both FQDN and Alias URLs.
Storage Region | S3 FQDN | S3 Alias |
Northern Virginia (us-east-1) |
|
|
Ohio (us-east-2) |
|
|
Northern California (us-west-1) |
|
|
Oregon (us-west-2) |
|
|
Montreal (ca-central-1) |
|
|
Frankfurt (eu-central-1) |
|
|
Ireland (eu-west-1) |
|
|
London (eu-west-2) |
|
|
Paris (eu-west-3) |
|
|
Stockholm (eu-north-1) |
|
|
São Paulo (sa-east-1) |
|
|
URLs for the APAC deployment region
Allow the following Druva URLs in your network firewall rules:
login.druva.com
globalapis.druva.com
phoenix.druva.com
downloads.druva.com
deviceapigw-ap1-phoenix.druva.com
backup-ap1-phoenix.druva.com
pub-devicemgmt-devicenotifier-ap1-dcp.druva.com
devicemgmt-reverseproxy-ap1-dcp.druva.com
To download agent logs and upgrade Enterprise Workloads agents, you must configure the firewall rules to allow both the FQDN and Alias URLs.
Purpose | FQDN | Alias |
Log download |
|
|
Agent upgrade |
|
|
The URLs below represent Druva's regional storage clusters, each corresponding to a specific storage region and its associated storage service.
Storage Region | Storage Cluster URL | Storage Service URL |
Singapore (ap-southeast-1) |
|
|
Hong Kong (ap-east-1) |
|
|
Mumbai (ap-south-1) |
|
|
Sydney (ap-southeast-2) |
|
|
Tokyo (ap-northeast-1) |
|
|
UAE (me-central-1) |
|
|
For Enterprise Workloads agents version 7.0.0 or later, allow the following AWS S3 storage URLs to access storage during backups and restores. Ensure that you configure firewall rules to allow both FQDN and Alias URLs.
Storage Region | S3 FQDN | S3 Alias |
Hong Kong (ap-east-1) |
|
|
Mumbai (ap-south-1) |
|
|
Singapore (ap-southeast-1) |
|
|
Sydney (ap-southeast-2) |
|
|
Tokyo (ap-northeast-1) |
|
|
UAE (me-central-1) |
|
|
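To confirm that the firewall change took effect, the following added example (not Druva's own tooling) probes the Druva URLs listed under Step 1 for the US and APAC regions and reports whether each host fails at DNS, TCP 443, or the TLS handshake. The function names are illustrative, and the script assumes a direct outbound connection with no web proxy in the path.

```python
import socket
import ssl

# Hostnames copied from the Step 1 lists on this page.
COMMON = ["login.druva.com", "globalapis.druva.com",
          "phoenix.druva.com", "downloads.druva.com"]
REGIONAL = {
    "US": ["deviceapigw-phoenix.druva.com", "backup-phoenix.druva.com",
           "pub-devicemgmt-devicenotifier-dcp.druva.com",
           "devicemgmt-reverseproxy-dcp.druva.com"],
    "APAC": ["deviceapigw-ap1-phoenix.druva.com", "backup-ap1-phoenix.druva.com",
             "pub-devicemgmt-devicenotifier-ap1-dcp.druva.com",
             "devicemgmt-reverseproxy-ap1-dcp.druva.com"],
}


def hosts_for(region):
    """Full allow-list for one deployment region ('US' or 'APAC')."""
    return COMMON + REGIONAL[region]


def probe(host, port=443, timeout=5.0, resolve=socket.getaddrinfo,
          connect=socket.create_connection, context=None):
    """Return 'ok' or the first stage that fails: 'dns', 'tcp' or 'tls'.

    resolve, connect and context are injectable (an assumption of this
    example) so the logic can be exercised without network access.
    """
    try:
        resolve(host, port)
    except socket.gaierror:
        return "dns"   # name blocked or not resolvable from this network
    try:
        sock = connect((host, port), timeout)
    except OSError:
        return "tcp"   # port 443 dropped or rejected on the path
    ctx = context or ssl.create_default_context()
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host):
            return "ok"
    except (ssl.SSLError, OSError):
        return "tls"   # handshake or certificate validation failed


def blocked(region, probe_fn=probe):
    """Map each unreachable host in the region's list to its failing stage."""
    results = {h: probe_fn(h) for h in hosts_for(region)}
    return {h: stage for h, stage in results.items() if stage != "ok"}


if __name__ == "__main__":
    for region in REGIONAL:
        print(region, blocked(region) or "all reachable")
```

Run it from the host where the agent or backup proxy is installed, since firewall policy is usually applied per source network.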
Step 2. Exclusions for antivirus software and third-party encryption programs
If you use antivirus software, you must add the following paths to your antivirus exclusions. This will ensure smooth backup and restore operations by granting the antivirus software access to the agent binaries.
C:\ProgramData\Phoenix (Server 2008 and above)
C:\Program Files\Druva\
C:\ProgramData\PhoenixCloudCache
C:\ProgramData\Druva
C:\ProgramData\phoenixupgrade
Data Volume folder path that is configured in CloudCache for exclusion. For more information on Data Volume configuration, see Configure CloudCache page.
root/Druva
/opt/Druva
/var/Druva
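Directories excluded from scanning are not inspected by the antivirus engine, so they should be writable only by privileged accounts. The following added example (not part of Druva's documentation or tooling) audits the Linux paths `/opt/Druva` and `/var/Druva` from the list above for entries that are world-writable or owned by an unexpected user; the function name and the `trusted_uids` parameter are assumptions of this example.

```python
import os
import stat

# Linux exclusion paths taken from the list above.
EXCLUDED_DIRS = ["/opt/Druva", "/var/Druva"]


def audit_excluded_dir(root, trusted_uids=(0,)):
    """Return [(path, reason)] for entries an unprivileged user could alter.

    trusted_uids is the set of owners considered acceptable; it defaults
    to root only (an assumption, adjust to the account the agent runs as).
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # Check the directory itself plus every file directly inside it.
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            try:
                st = os.lstat(path)
            except OSError:
                continue  # entry vanished or is unreadable; skip it
            if stat.S_ISLNK(st.st_mode):
                continue  # permission bits on a symlink are not meaningful
            if st.st_uid not in trusted_uids:
                findings.append((path, f"owned by uid {st.st_uid}"))
            if st.st_mode & stat.S_IWOTH:
                findings.append((path, "world-writable"))
    return findings


if __name__ == "__main__":
    for directory in EXCLUDED_DIRS:
        if not os.path.isdir(directory):
            print(f"{directory}: not present")
            continue
        for path, reason in audit_excluded_dir(directory):
            print(f"{path}: {reason}")
```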
Step 3. Exclusions for application processes of Cloud
Click the following lists to view application processes for each resource.
Common application processes
Phoenix.exe
PhoenixCPHwnet64.exe (64-bit machines)
PhoenixCPHwnet.exe (32-bit machines)
PhoenixActivate.exe
HybridWorkloadsAgent.exe
HybridWorkloadsAgentApp.exe
HybridWorkloadsCheck.exe
PhoenixOtelPipeline.exe
CheckEngine
EnterpriseWorkloads
EnterpriseWorkloadsAgent
EnterpriseWorkloadsMigrator
EnterpriseWorkloadsUpgrader
EnterpriseWorkloads-*-amd64.deb
Guestossvc.exe
EnterpriseWorkloads-*.msi
EnterpriseWorkloads.exe
EnterpriseWorkloadsAgent.exe
EnterpriseWorkloadsMigrator.exe
EnterpriseWorkloadsUpgrader.exe
CheckEngine.exe
VMware
PhoenixIRAgent
HybridWorkloadUDA
PhoenixVMWareAgent
vmware
VMwareAgentPartner
VMwareFLRCleanupAll
VMwareFLRFuse
ProxyConf
VMwareGetVfatAttr
proxySetup
vsphere-discovery
dr-vmware
init.Druva-EnterpriseWorkloads
proxyFirstBoot
FLRDRSTCommandExecutor
PhoenixDRFailbackAgent
PhoenixFailbackRestServer
PhoenixFbcCli
PhoenixFbcSmbAgent
PhoenixVMWareAgent
cFuse
flrFuse
vmFuse
Druva-EnterpriseWorkloads.conf
Druva-EnterpriseWorkloads.service
Druva-HybridWorkloads.conf
Druva-HybidWorkloads.service
drst
Guestossvc
The following binaries reside on the proxy and run on the guest operating system:
HybridWorkloadScan.exe
HybridWorkloadScanx64
HybridWorkloadScanx86
HybridWorkloadUDA.exe
vguestossvc
guestossvc.exe
bring_disks_online.ps1
PhoenixSQLGuestPlugin.exe
PhoenixFbcWinGuestOSAgent.exe
PhoenixPreflight
File Server
PhoenixFSAgent.exe
fs.exe
scanner-cli.exe
PhoenixFSDtBackupAgent.exe
PhoenixFSDtRestoreAgent.exe
PhoenixFSBackupAgent.exe
PhoenixFSRestoreAgent.exe
PhoenixFSSnapshot.exe
NAS
PhoenixNASAgent.exe
nas.exe
PhoenixNASBackupAgent.exe
PhoenixNASDtBackupAgent.exe
PhoenixNASRestoreAgent.exe
PhoenixNASDtRestoreAgent.exe
PhoenixNASDiscoveryAgent.exe
PhoenixNASControl.exe
PhoenixNasDicovery.exe
scanner-cli.exe
MS SQL Server
mssql.exe
sqldiscovery.exe
PhoenixSQLAgent.exe
PhoenixSQLGuestPlugin.exe
PhoenixSQLDownloader.exe
PhoenixSQLUploader.exe
sql-ioserver.exe
drst-ioserver.exe
Oracle DTC
oracle
ioserver
vfsserver
CloudCache
PhoenixCacheWorker.exe
Phoenix CacheServerSVC.exe
PhoenixCacheControl.exe
PhoenixCacheServer.exe
Cloudcache
PhoenixIRService
PhoenixIRFS
Hyper-V
hyperv.exe
PhoenixHyperVAgent.exe
PhoenixHyperVControl.exe
Step 4. Ports and communication protocols
Druva uses ports and communication protocols to ensure secure connections and communication during backup and restore operations.
Note
Communication happens from a backup proxy to other parties on various ports. Here, the backup proxy is the communication initiator, which is unidirectional. These ports are used for outgoing (unidirectional) communication, not incoming communication. However, data in the form of a response can flow in the opposite direction. Standard system ports such as 22 (SSH) and 2049 (NFS-SERVER) are used for incoming requests.
VMware
Port | Communication protocol | Description |
443 | HTTPS+SSL | Druva uses Port 443 to establish a secure connection and communication between the following:
Note |
902 | TCP/UDP | Druva uses port 902 to establish a connection between the backup proxy and ESXi host registered with Druva through vCenter Server.
By default, VMware uses the port 902 for the |
3542 | HTTPS+SSL | For application-aware backups, the backup proxy uses VMware Tools to inject two executables and a few supporting files such as certificates into the guest OS of the virtual machine. When the executables run, they start guest OS processes called |
3545 | HTTPS+SSL | For application-aware backups, the SQL executable service |
3389/22 | TCP/UDP | During the backup cycle, the backup proxy sends network packets to Windows virtual machines (where VMware tools are installed) on port 3389 to identify if the RDP port is open or not. For Linux virtual machines, the port is 22, which is used for SSH. This is used for Disaster Recovery or DR restores. |
123 | UDP | Backup proxy accesses NTP server on Port 123 (UDP) for time synchronization. |
443 | HTTPS+TLS | Druva uses TLS 1.2 or a secure connection that happens between the following:
|
VMware ESX
Source | Type | Protocol | Port range | Target | Description |
VMware Proxy | Custom | TCP | 902 | VMware ESX | Use port 902 to establish a connection between the Backup proxy and ESXi host registered with Druva through vCenter Server. |
VMware Proxy
Source | Type | Protocol | Port range | Target | Description |
Failback VM | HTTPS | HTTP | 443 | VMware Proxy | Failback VM connects to the VMware Proxy over HTTPS 443 port for sending Failback progress updates. |
Disaster Recovery
AWS Proxy
AWS Proxy (Inbound rules)
Source | Type | Protocol | Port range | Target | Description |
My IP | SSH | TCP | 22 | AWS Proxy | This is an optional inbound rule. |
AWS Proxy (Outbound rules)
Source | Type | Protocol | Port range | Target | Description |
AWS Proxy | HTTPS | TCP | 443 | 0.0.0.0/0 | Use to communicate with Druva Cloud and AWS Services |
Failover EC2 Instance
Linux Failover EC2 Instance (Inbound rules)
Source | Type | Protocol | Port range | Target | Description |
My IP (Post DR Failover Job) | SSH | TCP | 22 | Failover EC2 Instance | This is an optional inbound rule. You can use this rule to log into the Failover EC2 Instance via SSH client such as Putty. |
Destination VMware Network (Post DR Failback Job) | SSH | TCP | 22 | Destination VMware Failback VM | You need this inbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM. |
Linux Failover EC2 Instance (Outbound rules)
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | All Traffic | ALL | ALL | Anywhere IPv4 (0.0.0.0) | Use this outbound rule for DR Failback. |
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | SSH | TCP | 22 | Destination VMware Failback VM | You need this outbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM. |
Failover EC2 Instance | DNS | TCP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | DNS | UDP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | TCP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAPS | TCP | 636 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | UDP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | custom TCP | TCP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | custom UDP | UDP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Windows Failover EC2 Instance (Inbound rules)
Source | Type | Protocol | Port range | Target | Description |
Destination VMware Network | SMB | TCP | 445 | Failover EC2 Instance | Use this inbound rule for DR Failback. This connection is used to communicate with the Failover EC2 Instance Admin Share. |
Destination VMware Network | Custom TCP | TCP | 50000 | Failover EC2 Instance | Use this inbound rule for DR Failback. |
My IP (Post DR Failover Job) | RDP | TCP | 3389 | Failover EC2 Instance | This is an optional inbound rule for DR Failover. This rule is not required for DR Failback. |
Windows Failover EC2 Instance (Outbound rules)
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | All Traffic | ALL | ALL | Anywhere IPv4 (0.0.0.0) | Use this outbound rule for DR Failback. |
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | DNS | TCP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | DNS | UDP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | TCP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | UDP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | Kerberos | TCP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | Kerberos | UDP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | SMB | TCP | 445 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
AWS SQS Endpoint
Source | Type | Protocol | Port range | Target | Description |
Private Subnet of the VPC | HTTPS | HTTPS | 443 | SQS Interface Endpoint | Make sure the Interface Endpoint allows 443 inbound rule. For more information, see Amazon ECS interface VPC endpoints (AWS PrivateLink). |
Hyper-V
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
Nutanix AHV
Port | Communication protocol | Description |
9440 | HTTPS+SSL | Druva uses Port 9440 to establish a secure connection and communication between the Backup Proxy and Prism. |
443 | TLS | Backup Proxy to Druva Cloud. |
443 | TLS | Backup Proxy to S3 bucket. |
File Server
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
NAS
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup proxy and Druva Cloud. |
MS SQL Server
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
Oracle PBS
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between PBS and Druva Cloud. |
Oracle DTC
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
SAP HANA
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
20000 to 20100 | | Used for internal communication within the cluster |
21000 | | Used for internal communication within the cluster |
CloudCache
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent, CloudCache agent, and Druva Cloud. |
Note
Port 8082 is used for internal communications on the host for FS, NAS, Hyper-V, VMware, Oracle DTC, and MS SQL. If port 8082 is unavailable, other available ephemeral ports will be used.