Antivirus or third-party encryption programs may sometimes lock actively used files or folders of other applications. Specifically, anti-virus programs are known to lock files while running a real-time or on-access scan. If any such third party application locks Enterprise Workloads agent application files or folders that contain configuration or logs, it may result in the corruption or unexpected behavior. Hence, it is highly recommended to add exclusions for Druva and S3 URLs, and agent application and configuration paths.
Druva and S3 URLs
If a firewall is configured in your environment, ensure that the following patterns are allowed for seamless backups and restores.
*.druva.com
*s3.amazonaws.com/*
s3-*.amazonaws.com
s3*.*.amazonaws.com
Click to determine your deployment region
Click to determine your deployment region
To determine your deployment region, perform the following steps:
Log in to the Druva Cloud Platform console.
After logging in, check your URL:
If it starts with console.druva.com, your account is deployed in the US deployment region.
โ
โIf it starts with ap1-console.druva.com, your account is deployed in the APAC deployment region.
โ
URLs for the US deployment region
login.druva.com
globalapis.druva.com
phoenix.druva.com
downloads.druva.com
deviceapigw-phoenix.druva.com
backup-phoenix.druva.com
pub-devicemgmt-devicenotifier-dcp.druva.com
devicemgmt-reverseproxy-dcp.druva.com
๐ Note
You must configure the firewall rules to allow both the FQDN and Alias URLs.
Purpose | FQDN | Alias |
Log download | ||
Agent upgrade |
URLs for the APAC deployment region
login.druva.com
globalapis.druva.com
phoenix.druva.com
downloads.druva.com
deviceapigw-ap1-phoenix.druva.com
backup-ap1-phoenix.druva.com
pub-devicemgmt-devicenotifier-ap1-dcp.druva.com
devicemgmt-reverseproxy-ap1-dcp.druva.com
๐ Note
You must configure the firewall rules to allow both the FQDN and Alias URLs.
Purpose | FQDN | Alias |
Log download | ||
Agent upgrade |
Common storage URLs for agent version 7.0.0 and later
For Enterprise Workloads agents with version 7.0.0 or later, if you have configured firewall rules in your environment for workload agents and CloudCache R3, allow the following S3 URLs to access storage during backup and restore:
Storage Region | S3 FQDN | S3 Alias |
Hong Kong (ap-east-1) | ||
Mumbai (ap-south-1) | ||
Singapore (ap-southeast-1) | ||
Sydney (ap-southeast-2) | ||
Tokyo (ap-northeast-1) | ||
Northern Virginia (us-east-1) |
|
|
Northern California (us-west-1) | ||
Oregon (us-west-2) | ||
Montreal (ca-central-1) | ||
Frankfurt (eu-central-1) | ||
Ireland (eu-west-1) | ||
London (eu-west-2) | ||
Paris (eu-west-3) | ||
Stockholm (eu-north-1) | ||
Sรฃo Paulo (sa-east-1) |
Installation and configuration data paths of Cloud
C:\ProgramData\Phoenix (Server 2008 and above)
C:\Program Files\Druva\
C:\ProgramData\PhoenixCloudCache
C:\ProgramData\Druva
C:\ProgramData\phoenixupgrade
Data Volume folder path that is configured in CloudCache for exclusion. For more information on Data Volume configuration, see Configure CloudCache page.
root/Druva
/opt/Druva
/var/Druva
Application processes of Cloud
VMware
PhoenixIRAgent
HybridWorkloadUDA
PhoenixVMWareAgent
vmware
VMwareAgentPartner
VMwareFLRCleanupAll
VMwareFLRFuse
ProxyConf
VMwareGetVfatAttr
proxySetup
vsphere-discovery
dr-vmware
init.Druva-EnterpriseWorkloads
proxyFirstBoot
FLRDRSTCommandExecutor
PhoenixDRFailbackAgent
PhoenixFailbackRestServer
PhoenixFbcCli
PhoenixFbcSmbAgent
PhoenixVMWareAgent
cFuse
flrFuse
vmFuse
Druva-EnterpriseWorkloads.conf
Druva-EnterpriseWorkloads.service
Druva-HybridWorkloads.conf
Druva-HybidWorkloads.service
drst
Guestossvc
The following binaries reside on the proxy and run on the guest operating system:
HybridWorkloadScan.exe
HybridWorkloadScanx64
HybridWorkloadScanx86
HybridWorkloadUDA.exe
vguestossvc
guestossvc.exe
bring_disks_online.ps1
PhoenixSQLGuestPlugin.exe
PhoenixFbcWinGuestOSAgent.exe
PhoenixPreflight
File Server
PhoenixFSAgent.exe
fs.exe
PhoenixFSBackupAgent.exe
PhoenixFSRestoreAgent.exe
PhoenixFSSnapshot.exe
scanner-cli.exe
NAS
PhoenixNASAgent.exe
nas.exe
PhoenixNASBackupAgent.exe
PhoenixNASDtBackupAgent.exe
PhoenixNASRestoreAgent.exe
PhoenixNASDtRestoreAgent.exe
PhoenixNASDiscoveryAgent.exe
PhoenixNASControl.exe
PhoenixNasDicovery.exe
scanner-cli.exe
SQL
mssql.exe
sqldiscovery.exe
PhoenixSQLAgent.exe
PhoenixSQLGuestPlugin.exe
PhoenixSQLDownloader.exe
PhoenixSQLUploader.exe
CloudCache
PhoenixCacheWorker.exe
Phoenix CacheServerSVC.exe
PhoenixCacheControl.exe
PhoenixCacheServer.exe
Cloudcache
PhoenixIRService
PhoenixIRFS
Hyper-V
hyperv.exe
PhoenixHyperVAgent.exe
PhoenixHyperVControl.exe
Generic
Phoenix.exe
PhoenixCPHwnet64.exe (64-bit machines)
PhoenixCPHwnet.exe (32-bit machines)
PhoenixActivate.exe
HybridWorkloadsAgent.exe
HybridWorkloadsAgentApp.exe
HybridWorkloadsCheck.exe
PhoenixOtelPipeline.exe
CheckEngine
EnterpriseWorkloads
EnterpriseWorkloadsAgent
EnterpriseWorkloadsMigrator
EnterpriseWorkloadsUpgrader
EnterpriseWorkloads-*-amd64.deb
Guestossvc.exe
EnterpriseWorkloads-*.msi
EnterpriseWorkloads.exe
EnterpriseWorkloadsAgent.exe
EnterpriseWorkloadsMigrator.exe
EnterpriseWorkloadsUpgrader.exe
CheckEngine.exe
Ports and communication protocols
The following tables describe the ports and communication protocols used by Druva to ensure secure connections and communication during backup and restore operations.
VMware
Port | Communication protocol | Description |
443 | HTTPS+SSL | Druva uses Port 443 to establish a secure connection and communication between the following:
๐ Note |
902 | TCP/UDP | Druva uses port 902 to establish a connection between the backup proxy and ESXi host registered with Druva through vCenter Server.
By default, VMware uses the port 902 for the |
3542 | HTTPS+SSL | For application-aware backups, the backup proxy uses VMware Tools to inject two executables and a few supporting files such as certificates into the guest OS of the virtual machine. When the executables run, they start guest OS processes called |
3545 | HTTPS+SSL | For application-aware backups, the SQL executable service |
3389/22 | TCP/UDP | During the backup cycle, the backup proxy sends network packets to Windows virtual machines (where VMware tools are installed) on port 3389 to identify if the RDP port is open or not. For Linux virtual machines, the port is 22, which is used for SSH.
This is used for Disaster Recovery or DR restores. |
123 | UDP | Backup proxy accesses NTP server on Port 123 (UDP) for time synchronization. |
443 | HTTPS+TLS | Druva uses TLS 2.0 or a secure connection that happens between the following:
|
Disaster Recovery
AWS Proxy
AWS Proxy (Inbound rules)
Source | Type | Protocol | Port range | Target | Description |
My IP | SSH | TCP | 22 | AWS Proxy | This is an optional inbound rule. |
AWS Proxy ( Outbound rules)
Source | Type | Protocol | Port range | Target | Description |
AWS Proxy | HTTPS | TCP | 443 | 0.0.0.0/0 | Use to communicate with Druva Cloud and AWS Services |
Failover EC2 Instance
Linux Failover EC2 Instance (Inbound rules)
Source | Type | Protocol | Port range | Target | Description |
My IP (Post DR Failover Job) | SSH | TCP | 22 | Failover EC2 Instance | This is an optional inbound rule. You can use this rule to log into the Failover EC2 Instance via SSH client such as Putty. |
Destination VMware Network (Post DR Failback Job) | SSH | TCP | 22 | Destination VMware Failback VM | You need this inbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM. |
Linux Failover EC2 Instance (Outbound rules)
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | All Traffic | ALL | ALL | Anywhere IPv4 (0.0.0.0) | Use this outbound rule for DR Failback. |
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | SSH | TCP | 22 | Destination VMware Failback VM | You need this outbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM. |
Failover EC2 Instance | DNS | TCP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | DNS | UDP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | TCP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAPS | TCP | 636 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | UDP | 389 | Domain Controller Network | Use this outbound rule to log to the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job |
Failover EC2 Instance | custom TCP | TCP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | custom UDP | UDP | 88 | Domain Controller Network | Use this outbound rule to log to the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Windows Failover EC2 Instance (Inbound rules)
Source | Type | Protocol | Port range | Target | Description |
Destination VMware Network | SMB | TCP | 445 | Failover EC2 Instance | Use this inbound rule for DR Failback. This connection is used to communicate with the Failover EC2 Instance Admin Share. |
Destination VMware Network | Custom TCP | TCP | 50000 | Failover EC2 Instance | Use this inbound for DR Failback. |
My IP (Post DR Failover Job) | RDP | TCP | 3389 | Failover EC2 Instance | This is an optional inbound rule for DR Failover.
This rule is not required for DR Failback. |
Windows Failover EC2 Instance (Outbound rules)
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | All Traffic | ALL | ALL | Anywhere IPv4 (0.0.0.0) | Use this outbound rule for DR Failback. |
Source | Type | Protocol | Port range | Target | Description |
Failover EC2 Instance | DNS | TCP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | DNS | UDP | 53 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | TCP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | LDAP | UDP | 389 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | Kerberos | TCP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | Kerberos | UDP | 88 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
Failover EC2 Instance | SMB | TCP | 445 | Domain Controller Network | Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job. |
AWS SQS Endpoint
Source | Type | Protocol | Port range | Target | Description |
Private Subnet of the VPC | HTTPS | HTTPS | 443 | SQS Interface Endpoint | Make sure the Interface Endpoint allows 443 inbound rule. For more information, see Amazon ECS interface VPC endpoints (AWS PrivateLink). |
VMware ESX
Source | Type | Protocol | Port range | Target | Description |
VMware Proxy | Custom | TCP | 902 | VMware ESX | Use port 902 to establish a connection between the Backup proxy and ESXi host registered with Druva through vCenter Server. |
VMware Proxy
Source | Type | Protocol | Port range | Target | Description |
Failback VM | HTTPS | HTTP | 443 | VMware Proxy | Failback VM connects to the VMware Proxy over HTTPS 443 port for sending Failback progress updates. |
Hyper-V
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
Nutanix AHV
Port | Communication protocol | Description |
9440 | HTTPS+SSL | Druva uses Port 9440 to establish a secure connection and communication between the Backup Proxy and Prism. |
443 | TLS | Backup Proxy to Druva Cloud. |
443 | TLS | Backup Proxy to S3 bucket. |
File Server
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
NAS
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup proxy and Druva Cloud. |
MS SQL Servers
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
Oracle PBS
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between PBS and Druva Cloud. |
Oracle DTC
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
SAP HANA
Port | Communication protocol | Description |
443 | TLS | Druva uses Port 443 to establish a secure connection and communication between Backup agent and Druva Cloud. |
20000 to 20100 |
| Used for internal communication within the cluster |
21000 |
| Used for internal communication within the cluster |
๐ Note
Port 8082 is used for internal communications on the host for FS, NAS, Hyper-V, VMware, Oracle DTC, and MS SQL. If port 8082 is unavailable, other available ephemeral ports will be used.