I am back with another PowerShell tip and again one more for the VB365 product.
This one shows you how you can run a simple script to create all the required Windows Firewall rules for the VB365 component servers.
You can check it out here - https://just-virtualization.tech/2025/06/03/powershell-tips-for-veeam-vb365-v8-firewall-rules/
PowerShell Tips for Veeam – VB365 v8.1 – Firewall Rules
Today, I will discuss another interesting PowerShell script that I created. It allows you to add the necessary firewall rules to each server component in your Veeam VB365 Backup environment.
Security is a necessity, especially when it comes to large projects for Government entities. So, the project I am working on needs to keep the Windows firewall turned on but allow all VB365 components to talk to each other on the required ports. That is where this script was born, and it also creates a group called “Veeam” to put the rules in so when you look in your firewall settings, you can sort by group and find all the Veeam-related rules.
Below is the script I used to create all the firewall rules required to allow components to communicate while allowing the Windows firewall to remain enabled.
Firewall Rules Script –
# Veeam Backup for Microsoft 365 - Windows Firewall Rules
# This script removes existing Veeam rules and creates new ones in a "Veeam" group
# Run this script as Administrator
# Author - Chris Childerhose, Version 1.0
Write-Host "Managing Veeam Backup for Microsoft 365 Firewall Rules..." -ForegroundColor Green
# Check if running as Administrator
if (-NOT (>Security.Principal.WindowsPrincipal] PSecurity.Principal.WindowsIdentity]::GetCurrent()).IsInRole()Security.Principal.WindowsBuiltInRole] "Administrator")) {
Write-Error "This script must be run as Administrator. Exiting..."
exit 1
}
# Remove existing Veeam-related firewall rules if existing
Write-Host "Removing existing Veeam firewall rules..." -ForegroundColor Red
try {
Get-NetFirewallRule | Where-Object {$_.DisplayName -like "*Veeam*" -or $_.Group -eq "Veeam"} | Remove-NetFirewallRule -ErrorAction SilentlyContinue
Write-Host "Existing Veeam rules removed successfully." -ForegroundColor Yellow
} catch {
Write-Host "No existing Veeam rules found or error removing rules." -ForegroundColor Yellow
}
Write-Host ""
Write-Host "Adding new Veeam firewall rules to 'Veeam' group..." -ForegroundColor Green
# Define the group name
$GroupName = "Veeam"
# Veeam VB365 Core Services
Write-Host "Adding Veeam VB365 Core Service Rules..." -ForegroundColor Yellow
# Veeam Backup for Microsoft 365 Console (TCP 9191)
New-NetFirewallRule -DisplayName "Veeam VB365 Console (In)" -Direction Inbound -Protocol TCP -LocalPort 9191 -Action Allow -Profile Any -Group $GroupName
New-NetFirewallRule -DisplayName "Veeam VB365 Console (Out)" -Direction Outbound -Protocol TCP -LocalPort 9191 -Action Allow -Profile Any -Group $GroupName
# Veeam Backup for Microsoft 365 RESTful API (TCP 4443)
New-NetFirewallRule -DisplayName "Veeam VB365 RESTful API HTTPS (In)" -Direction Inbound -Protocol TCP -LocalPort 4443 -Action Allow -Profile Any -Group $GroupName
New-NetFirewallRule -DisplayName "Veeam VB365 RESTful API HTTPS (Out)" -Direction Outbound -Protocol TCP -LocalPort 4443 -Action Allow -Profile Any -Group $GroupName
# Veeam Backup for Microsoft 365 PowerShell (TCP 9394)
New-NetFirewallRule -DisplayName "Veeam VB365 PowerShell (In)" -Direction Inbound -Protocol TCP -LocalPort 9394 -Action Allow -Profile Any -Group $GroupName
New-NetFirewallRule -DisplayName "Veeam VB365 PowerShell (Out)" -Direction Outbound -Protocol TCP -LocalPort 9394 -Action Allow -Profile Any -Group $GroupName
# Microsoft 365 Services (Outbound only)
Write-Host "Adding Microsoft 365 Service Rules..." -ForegroundColor Yellow
# HTTPS for Microsoft 365 APIs
New-NetFirewallRule -DisplayName "HTTPS to Microsoft 365 (Out)" -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow -Profile Any -Group $GroupName
# HTTP (for redirects)
New-NetFirewallRule -DisplayName "HTTP to Microsoft 365 (Out)" -Direction Outbound -Protocol TCP -RemotePort 80 -Action Allow -Profile Any -Group $GroupName
# Proxy Server Communication (if using proxy)
Write-Host "Adding Proxy Communication Rules..." -ForegroundColor Yellow
# Common proxy ports (adjust as needed for your environment)
New-NetFirewallRule -DisplayName "Proxy HTTP (Out)" -Direction Outbound -Protocol TCP -RemotePort 8080 -Action Allow -Profile Any -Group $GroupName
New-NetFirewallRule -DisplayName "Proxy HTTPS (Out)" -Direction Outbound -Protocol TCP -RemotePort 8443 -Action Allow -Profile Any -Group $GroupName
# Repository and Database Communication
Write-Host "Adding Repository and Database Rules..." -ForegroundColor Yellow
# SQL Server (if using remote SQL)
New-NetFirewallRule -DisplayName "SQL Server (Out)" -Direction Outbound -Protocol TCP -RemotePort 1433 -Action Allow -Profile Any -Group $GroupName
# SMB for repository access (if using SMB repositories)
New-NetFirewallRule -DisplayName "SMB Repository (Out)" -Direction Outbound -Protocol TCP -RemotePort 445 -Action Allow -Profile Any -Group $GroupName
New-NetFirewallRule -DisplayName "SMB Repository (In)" -Direction Inbound -Protocol TCP -LocalPort 445 -Action Allow -Profile Any -Group $GroupName
# Object Storage (S3-compatible) - Common ports
Write-Host "Adding Object Storage Rules..." -ForegroundColor Yellow
# HTTPS for object storage
New-NetFirewallRule -DisplayName "Object Storage HTTPS (Out)" -Direction Outbound -Protocol TCP -RemotePort 443 -Action Allow -Profile Any -Group $GroupName
# Custom object storage ports (adjust as needed)
New-NetFirewallRule -DisplayName "Object Storage Custom Port 9000 (Out)" -Direction Outbound -Protocol TCP -RemotePort 9000 -Action Allow -Profile Any -Group $GroupName
# DNS Resolution
Write-Host "Adding DNS Rules..." -ForegroundColor Yellow
# DNS (UDP and TCP)
New-NetFirewallRule -DisplayName "DNS UDP (Out)" -Direction Outbound -Protocol UDP -RemotePort 53 -Action Allow -Profile Any -Group $GroupName
New-NetFirewallRule -DisplayName "DNS TCP (Out)" -Direction Outbound -Protocol TCP -RemotePort 53 -Action Allow -Profile Any -Group $GroupName
# NTP for time synchronization
Write-Host "Adding NTP Rules..." -ForegroundColor Yellow
New-NetFirewallRule -DisplayName "NTP (Out)" -Direction Outbound -Protocol UDP -RemotePort 123 -Action Allow -Profile Any -Group $GroupName
# Veeam Backup & Replication Integration (if applicable)
Write-Host "Adding Veeam B&R Integration Rules..." -ForegroundColor Yellow
# Veeam Backup Service (TCP 9392)
New-NetFirewallRule -DisplayName "Veeam Backup Service (Out)" -Direction Outbound -Protocol TCP -RemotePort 9392 -Action Allow -Profile Any -Group $GroupName
# Veeam Mount Service (TCP 9393)
New-NetFirewallRule -DisplayName "Veeam Mount Service (Out)" -Direction Outbound -Protocol TCP -RemotePort 9393 -Action Allow -Profile Any -Group $GroupName
Write-Host ""
Write-Host "Veeam Backup for Microsoft 365 Firewall Rules Added Successfully!" -ForegroundColor Green
Write-Host "All rules have been organized under the 'Veeam' group." -ForegroundColor Cyan
Write-Host ""
Write-Host "Note: You may need to adjust the following based on your environment:" -ForegroundColor Cyan
Write-Host "- Proxy server ports and addresses" -ForegroundColor White
Write-Host "- Object storage endpoints and ports" -ForegroundColor White
Write-Host "- SQL Server instance ports" -ForegroundColor White
Write-Host "- Remote repository locations" -ForegroundColor White
Write-Host ""
Write-Host "Management Commands:" -ForegroundColor Cyan
Write-Host "View Veeam rules: Get-NetFirewallRule -Group 'Veeam'" -ForegroundColor White
Write-Host "Remove all Veeam rules: Get-NetFirewallRule -Group 'Veeam' | Remove-NetFirewallRule" -ForegroundColor White
Write-Host "Disable all Veeam rules: Get-NetFirewallRule -Group 'Veeam' | Set-NetFirewallRule -Enabled False" -ForegroundColor White
Write-Host "Enable all Veeam rules: Get-NetFirewallRule -Group 'Veeam' | Set-NetFirewallRule -Enabled True" -ForegroundColor WhiteI hope you have found this third blog on PowerShell commands helpful. It is a great way to quickly add the required firewall rules to your environment for the VB365 backup environment.
Until the next PowerShell tip, happy blogging.
