What data passes through 51515?


uit
For simplicity, thinking of opening 51515 only to specific IPs. Is there anything terribly secret (or secrets that are not encrypted) travelling through port 51515?
Alex
Macrium Representative
uit - 12 February 2023 6:20 AM
For simplicity, thinking of opening 51515 only to specific IPs. Is there anything terribly secret (or secrets that are not encrypted) travelling through port 51515?

Hi,
Port 51515 is the default control channel between the Site Manager server and Agent. All command and control information (Agent identities, backup commands, repository credentials) passes through this route. All comms are encrypted - each time an Agent connects to a server, a new AES-256 session key is generated and used to encrypt all comms. The initial crypto negotiation will use a crypto key derived from the Agent passphrase (as set in Settings -> Agent in the server) in order to prevent the possibility of an Agent connecting to a malicious server.

Actual backup data is written over SMB direct to the repository - if encryption is set for the backup, then unencrypted data is not written to the repo.

It's also worth noting that the connection is always initiated by the Agent rather than the server, so only the server needs to have a firewall rule for incoming connections to port 51515.
As a spoiler for the upcoming 8.1 release, the PE recovery/restore environment will also perform comms over 51515 back to the Site Manager server, so you may want to bear that in mind for any blocking/port restrictions.

Kind Regards,

Alex

Macrium Development
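
Scoping the inbound rule for 51515 on the server to known Agent addresses, as discussed in the reply above, could look like the following. This is an added example, not Macrium's own code or part of the original posts; it assumes the Site Manager server uses Windows Defender Firewall, and the rule name and IP addresses are constructed placeholders.

```powershell
# Added example. Run in an elevated PowerShell session on the Site Manager server.
# Agents initiate the connection, so no inbound rule is needed on the Agents.
$Port          = 51515
$AllowedAgents = @('192.168.10.0/24', '192.168.20.15')  # constructed placeholders
$RuleName      = 'SiteManager-51515-scoped'             # hypothetical rule name

# Find enabled inbound allow rules that name TCP 51515 explicitly.
# Rules that cover the port through a range, 'Any', or a program filter
# are not matched by this check and need a manual look.
$covering = Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -contains "$Port" } |
    Get-NetFirewallRule |
    Where-Object {
        $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.Enabled -eq 'True'
    }

# Allow rules are additive: one rule open to 'Any' defeats the scoped rule,
# so report every such rule instead of silently adding another allow.
foreach ($rule in $covering) {
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any' -and $rule.DisplayName -ne $RuleName) {
        Write-Warning ("Rule '{0}' allows TCP {1} from any address; scope or disable it." -f
            $rule.DisplayName, $Port)
    }
}

# Create the scoped rule, or update its address list if it already exists.
# Include the addresses that recovery (PE) media will use if those should
# reach the server over the same port.
if (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue) {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $AllowedAgents
} else {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort $Port -RemoteAddress $AllowedAgents -Action Allow | Out-Null
}

# Show the effective source restriction for review.
Get-NetFirewallRule -DisplayName $RuleName |
    Get-NetFirewallAddressFilter |
    Select-Object RemoteAddress
```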

uit
Wonderful! Thanks for the detailed explanation, especially about encryption. We've made quite an investment in SM, so we're looking forward to continuing improvements.

Admittedly, my preference is to self-host, so I do prefer a future improvement including the ability to run all remote backup components on our own, instead of relying on multi-site. :-) I see being self-reliant as critical, especially considering world events.
