Skip to main content
All CollectionsKnowledge BaseEnterprise WorkloadsHow To - Enterprise Workloads
Avoiding third party/antivirus interference with Enterprise Workloads Agent
Avoiding third party/antivirus interference with Enterprise Workloads Agent
Updated this week

Overview

Antivirus or third-party encryption programs may sometimes lock actively used files or folders of other applications. Specifically, anti-virus programs are known to lock files while running a real-time or on-access scan.

If any such third party application locks Enterprise Workloads agent application files or folders that contain configuration or logs, it may result in the corruption or unexpected behavior. Hence, it is highly recommended to add exclusions for Enterprise Workloads agent application and configuration paths.

Installation and configuration data paths of Cloud

  • C:\ProgramData\Phoenix (Server 2008 and above)

  • C:\Program Files\Druva\

  • C:\ProgramData\PhoenixCloudCache

  • C:\ProgramData\Druva

  • C:\ProgramData\phoenixupgrade

  • Data Volume folder path that is configured in CloudCache for exclusion. For more information on Data Volume configuration, see Configure CloudCache page.

  • root/Druva

  • /opt/Druva

  • /var/Druva

Application processes of Cloud

VMware

  • PhoenixIRAgent

  • HybridWorkloadUDA

  • PhoenixVMWareAgent

  • vmware

  • VMwareAgentPartner

  • VMwareFLRCleanupAll

  • VMwareFLRFuse

  • ProxyConf

  • VMwareGetVfatAttr

  • proxySetup

  • vsphere-discovery

  • dr-vmware

  • init.Druva-EnterpriseWorkloads

  • proxyFirstBoot

  • FLRDRSTCommandExecutor

  • PhoenixDRFailbackAgent

  • PhoenixFailbackRestServer

  • PhoenixFbcCli

  • PhoenixFbcSmbAgent

  • PhoenixVMWareAgent

  • cFuse

  • flrFuse

  • vmFuse

  • Druva-EnterpriseWorkloads.conf

  • Druva-EnterpriseWorkloads.service

  • Druva-HybridWorkloads.conf

  • Druva-HybidWorkloads.service

  • drst

  • Guestossvc

The following binaries reside on the proxy and run on the guest operating system:

  • HybridWorkloadScan.exe

  • HybridWorkloadScanx64

  • HybridWorkloadScanx86

  • HybridWorkloadUDA.exe

  • vguestossvc

  • guestossvc.exe

  • bring_disks_online.ps1

  • PhoenixSQLGuestPlugin.exe

  • PhoenixFbcWinGuestOSAgent.exe

  • PhoenixPreflight

File Server

  • PhoenixFSAgent.exe

  • fs.exe

  • PhoenixFSBackupAgent.exe

  • PhoenixFSRestoreAgent.exe

  • PhoenixFSSnapshot.exe

  • scanner-cli.exe

NAS

  • PhoenixNASAgent.exe

  • nas.exe

  • PhoenixNASBackupAgent.exe

  • PhoenixNASDtBackupAgent.exe

  • PhoenixNASRestoreAgent.exe

  • PhoenixNASDtRestoreAgent.exe

  • PhoenixNASDiscoveryAgent.exe

  • PhoenixNASControl.exe

  • PhoenixNasDicovery.exe

  • scanner-cli.exe

SQL

  • mssql.exe

  • sqldiscovery.exe

  • PhoenixSQLAgent.exe

  • PhoenixSQLGuestPlugin.exe

  • PhoenixSQLDownloader.exe

  • PhoenixSQLUploader.exe

CloudCache

  • PhoenixCacheWorker.exe

  • Phoenix CacheServerSVC.exe

  • PhoenixCacheControl.exe

  • PhoenixCacheServer.exe

  • Cloudcache

  • PhoenixIRService

  • PhoenixIRFS

Hyper-V

  • hyperv.exe

  • PhoenixHyperVAgent.exe

  • PhoenixHyperVControl.exe

Generic

  • Phoenix.exe

  • PhoenixCPHwnet64.exe (64-bit machines)

  • PhoenixCPHwnet.exe (32-bit machines)

  • PhoenixActivate.exe

  • HybridWorkloadsAgent.exe

  • HybridWorkloadsAgentApp.exe

  • HybridWorkloadsCheck.exe

  • PhoenixOtelPipeline.exe

  • CheckEngine

  • EnterpriseWorkloads

  • EnterpriseWorkloadsAgent

  • EnterpriseWorkloadsMigrator

  • EnterpriseWorkloadsUpgrader

  • EnterpriseWorkloads-*-amd64.deb

  • Guestossvc.exe

  • EnterpriseWorkloads-*.msi

  • EnterpriseWorkloads.exe

  • EnterpriseWorkloadsAgent.exe

  • EnterpriseWorkloadsMigrator.exe

  • EnterpriseWorkloadsUpgrader.exe

  • CheckEngine.exe

Druva and S3 URLs

If a firewall is configured in your environment, ensure that the following patterns are allowed for seamless backups and restores.

  • *.druva.com

  • *s3.amazonaws.com/*

  • s3-*.amazonaws.com

  • s3*.*.amazonaws.com

For Enterprise Workloads agents with version 7.0.1 or later, if you have configured firewall rules in your environment for workload agents and CloudCache R3, allow the following S3 URLs to access storage during backup and restore:

Ports and communication protocols

The following tables describe the ports and communication protocols used by Druva to ensure secure connections and communication during backup and restore operations.

VMware

Port

Communication protocol

Description

443

HTTPS+SSL

Druva uses Port 443 to establish a secure connection and communication between the following:

  • Backup Proxy to Druva Cloud

  • Backup Proxy to CloudCache

  • Backup Proxy to vCenter Server


📝 Note
Port 443 is required if the ESXi host is directly registered with Druva for backup. Backup proxy establishes connection with ESXi host over Port 443 only if it registered with Druva as Standalone ESXi. If the ESXi host is registered with Druva through vCenter Server, backup proxy communicates with the ESXi host over Port 902.


902

TCP/UDP

Druva uses port 902 to establish a connection between the backup proxy and ESXi host registered with Druva through vCenter Server.

By default, VMware uses the port 902 for the vixDiskLib connection (All Transport Modes). You must use the VixDiskLib to access a virtual disk. All operations require a VixDiskLib connection to access virtual disk data.

3542

HTTPS+SSL

For application-aware backups, the backup proxy uses VMware Tools to inject two executables and a few supporting files such as certificates into the guest OS of the virtual machine. When the executables run, they start guest OS processes called guestossvc and PhoenixSQLGuestPlugin . The backup proxy uses the opened port 3542 on the guest OS so that it can communicate with guestossvc to run SQL Server backups. Ensure that this port is open on the guest OS. In addition, the backup proxy should reach the virtual machine directly over IPv4.

The backup proxy also uses this port to restore databases to the virtual machine.

3545

HTTPS+SSL

For application-aware backups, the SQL executable service PhoenixSQLGuestPlugin queries the Microsoft VSS APIs to back up and restore SQL Server databases. The guestossvc service interacts with the PhoenixSQLGuestPlugin service using this port. The PhoenixSQLGuestPlugin service cannot directly communicate with the backup proxy.

3389/22

TCP/UDP

During the backup cycle, the backup proxy sends network packets to Windows virtual machines (where VMware tools are installed) on port 3389 to identify if the RDP port is open or not. For Linux virtual machines, the port is 22, which is used for SSH.

This is used for Disaster Recovery or DR restores.

123

UDP

Backup proxy accesses NTP server on Port 123 (UDP) for time synchronization.

443

HTTPS+TLS

Druva uses TLS 2.0 or a secure connection that happens between the following:

  • Backup proxy and Druva Cloud

  • Backup proxy and CloudCache

  • CloudCache and Druva Cloud

Disaster Recovery

AWS Proxy

AWS Proxy (Inbound rules)

Source

Type

Protocol

Port range

Target

Description

My IP

SSH

TCP

22

AWS Proxy

This is an optional inbound rule.
You can use this inbound rule to log into the AWS Proxy via SSH client such as Putty.

AWS Proxy ( Outbound rules)

Source

Type

Protocol

Port range

Target

Description

AWS Proxy

HTTPS

TCP

443

0.0.0.0/0

Use to communicate with Druva Cloud and AWS Services

Failover EC2 Instance

Linux Failover EC2 Instance (Inbound rules)

Source

Type

Protocol

Port range

Target

Description

My IP (Post DR Failover Job)

SSH

TCP

22

Failover EC2 Instance

This is an optional inbound rule. You can use this rule to log into the Failover EC2 Instance via SSH client such as Putty.

Destination VMware Network (Post DR Failback Job)

SSH

TCP

22

Destination VMware Failback VM

You need this inbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM.

Linux Failover EC2 Instance (Outbound rules)

Source

Type

Protocol

Port range

Target

Description

Failover EC2 Instance

All Traffic

ALL

ALL

Anywhere IPv4 (0.0.0.0)

Use this outbound rule for DR Failback.

Source

Type

Protocol

Port range

Target

Description

Failover EC2 Instance

SSH

TCP

22

Destination VMware Failback VM

You need this outbound rule for DR Failback. Use this rule to transfer data during DR Failback from Failover EC2 Instance to VMware Failback VM.

Failover EC2 Instance

DNS

TCP

53

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

DNS

UDP

53

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

LDAP

TCP

389

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

LDAPS

TCP

636

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

LDAP

UDP

389

Domain Controller Network

Use this outbound rule to log to the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job

Failover EC2 Instance

custom TCP

TCP

88

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

custom UDP

UDP

88

Domain Controller Network

Use this outbound rule to log to the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Windows Failover EC2 Instance (Inbound rules)

Source

Type

Protocol

Port range

Target

Description

Destination VMware Network

SMB

TCP

445

Failover EC2 Instance

Use this inbound rule for DR Failback. This connection is used to communicate with the Failover EC2 Instance Admin Share.

Destination VMware Network

Custom TCP

TCP

50000

Failover EC2 Instance

Use this inbound for DR Failback.
This connection is used to transfer data from Failover EC2 Instance to VMware Failback VM.

My IP (Post DR Failover Job)

RDP

TCP

3389

Failover EC2 Instance

This is an optional inbound rule for DR Failover.
You can use this connection to log into the Failover EC2 Instance via RDP clients.

This rule is not required for DR Failback.

Windows Failover EC2 Instance (Outbound rules)

Source

Type

Protocol

Port range

Target

Description

Failover EC2 Instance

All Traffic

ALL

ALL

Anywhere IPv4 (0.0.0.0)

Use this outbound rule for DR Failback.

Source

Type

Protocol

Port range

Target

Description

Failover EC2 Instance

DNS

TCP

53

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

DNS

UDP

53

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

LDAP

TCP

389

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

LDAP

UDP

389

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

Kerberos

TCP

88

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

Kerberos

UDP

88

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

Failover EC2 Instance

SMB

TCP

445

Domain Controller Network

Use this outbound rule to log into the Failover EC2 Instance using your domain credentials after the DR Failover job completes or during the DR Failback job.

AWS SQS Endpoint

Source

Type

Protocol

Port range

Target

Description

Private Subnet of the VPC

HTTPS

HTTPS

443

SQS Interface Endpoint

Make sure the Interface Endpoint allows 443 inbound rule. For more information, see Amazon ECS interface VPC endpoints (AWS PrivateLink).

VMware ESX

Source

Type

Protocol

Port range

Target

Description

VMware Proxy

Custom

TCP

902

VMware ESX

Use port 902 to establish a connection between the Backup proxy and ESXi host registered with Druva through vCenter Server.

VMware Proxy

Source

Type

Protocol

Port range

Target

Description

Failback VM

HTTPS

HTTP

443

VMware Proxy

Failback VM connects to the VMware Proxy over HTTPS 443 port for sending Failback progress updates.

Hyper-V

Port

Communication protocol

Description

443

TLS

Nutanix AHV

Port

Communication protocol

Description

9440

HTTPS+SSL

Druva uses Port 9440 to establish a secure connection and communication between the Backup Proxy and Prism.

443

TLS

Backup Proxy to Druva Cloud.

443

TLS

Backup Proxy to S3 bucket.

Azure

Port

Communication protocol

Description

File Server

Port

Communication protocol

Description

443

TLS

NAS

Port

Communication protocol

Description

443

TLS

MS SQL Servers

Port

Communication protocol

Description

Oracle PBS

Port

Communication protocol

Description

443

TLS

Oracle DTC

Port

Communication protocol

Description

443

TLS

SAP HANA

Port

Communication protocol

Description

443

TLS

20000 to 20100

Used for internal communication within the cluster

21000

Used for internal communication within the cluster

.

Did this answer your question?