This article describes the local and offsite networking requirements and best practices for Datto appliances. This includes both the network speed requirements and requirements for open ports and DNS resolution.
This section explains the speed requirements for the following:
- Connections between protected machines and the Datto appliance over a LAN.
- Connections between protected machines and the Datto appliance over a WAN.
- Connections between the Datto appliance and the internet, for the purpose of synchronization with the Datto Cloud.
Connection between protected machines and the Datto appliance over a LAN
Since a 100 Mbps network cannot efficiently transfer large datasets between the protected machines and a Datto appliance, gigabit network connections are required between all protected machines and the Datto appliance over a LAN.
Connection between protected machines and the Datto appliance over a WAN
Datto strongly recommends placing the Datto appliance and all protected machines on the same LAN. However, if you need to set up backups over a WAN, you will need a 50-Mbps dedicated uplink for every terabyte of protected data. Otherwise, backups will not be reliable. Even if this requirement is met, the latency between endpoints will have a considerable influence on the speed of backups.
Connection between the Datto appliance and the internet
To reliably synchronize with the Datto Cloud, ensure that your connection is at least 1 Mbps (125 KBps) uplink per terabyte of protected data stored locally on the Datto device. To see how much data your Datto appliance is currently protecting, see the article Remote Web - Device Overview.
Router MTU Settings
The Datto appliance communicates most reliably with our monitoring servers when the router's MTU is set to 1500 bytes. Because the Datto appliance also uses a 1500-byte MTU, this setting prevents packet fragmentation, which may cause issues with communication to our monitoring servers.
Port Access and IP Whitelist Requirements
This section describes the port access and IP whitelist requirements for the protected machines and the Datto appliance. Refer to Figure 1 for a diagram of the required connections.
These requirements differ for Windows, Linux, and Mac machines.
On protected Windows machines:
- For the Datto Windows Agent, ensure that:
  - Ports 3262 (Mercury) and 3260 (iSCSI) are reachable and accessible on the device.
  - Ports 3262 and 3260 outbound are allowed on the agent machine.
  - Port 25568 is available and accessible on the agent machine.
- For the ShadowSnap Agent:
  - The ShadowSnap agent needs bi-directional access to the Datto appliance through TCP ports 139 (SMB) and 25566.
  - If a protected machine is using backup encryption, TCP port 3260 (iSCSI) must not be filtered by antivirus software or blocked in either direction between the protected machine and the Datto appliance.
  - The protected machine must have access to storagecraft.com through TCP port 80 (HTTP) in order to verify the ShadowSnap agent's license.
On protected Linux machines, TCP ports 3260 (iSCSI) and 25567 must be open between the protected machine and the Datto appliance.
On protected Mac machines, TCP ports 3260 (iSCSI) and 25569 must be open between the protected machine and the Datto appliance.
Internet access requirements for protected machines
The Datto Windows, Mac and Linux agents require access to https://device.dattobackup.com on their initial setup run to generate the necessary certificates.
Requirements for the Datto Appliance
The Datto appliance must have access to the Datto Cloud for backup replication and remote device management. In addition, all ICMP packets must be allowed through the firewall. If you have a configuration in which you need specific ports and IP addresses to allow access to the Datto appliance, refer to Figure 1 and the sections below.
- TCP ports 22, 80, 443 and 2200-2250, as well as UDP port 123, must allow outbound communication between the Datto appliance and dattoremote.com.
- TCP ports 25567 and 25568 must be open inbound to the protected machine for agent calls.
- Port 3260 must be reachable from the protected machine to the Datto device.
- On Datto Windows Agent, port 3262 must also be reachable from the protected machine to the Datto device.
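The port requirements above can be checked before deployment with a small preflight script. This is an added example, not Datto tooling: the names `REQUIRED_TCP`, `probe`, `preflight` and `failures` are hypothetical, and the split of the ShadowSnap ports between appliance side and agent side is an assumption, since the article only calls them bi-directional.

```python
import socket
import sys

# TCP port matrix transcribed from the requirements above.
# "appliance": ports the protected machine must reach on the Datto appliance.
# "agent":     ports the appliance must reach on the protected machine.
REQUIRED_TCP = {
    "windows-agent": {"appliance": [3260, 3262], "agent": [25568]},
    # Assumption: 139 listens on the appliance, 25566 on the agent machine.
    # 3260 only matters for ShadowSnap when backup encryption is in use.
    "shadowsnap": {"appliance": [139, 3260], "agent": [25566]},
    "linux": {"appliance": [3260], "agent": [25567]},
    "mac": {"appliance": [3260], "agent": [25569]},
}

def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no usable answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # host answered, nothing listening (or a rejecting firewall)
    except OSError:
        return "filtered"    # timeout, unreachable or DNS failure: look at firewalls first

def preflight(agent, side, host, timeout=3.0):
    """Probe every port the given agent type needs on one side of the link."""
    return {port: probe(host, port, timeout) for port in REQUIRED_TCP[agent][side]}

def failures(results):
    """Ports that are not open, sorted, for reporting or an exit code."""
    return sorted(port for port, state in results.items() if state != "open")

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: preflight.py <agent-type> <appliance|agent> <host>")
    agent, side, host = sys.argv[1:4]
    results = preflight(agent, side, host)
    for port, state in sorted(results.items()):
        print(f"{host}:{port}/tcp {state}")
    sys.exit(1 if failures(results) else 0)
```

Run it with side `appliance` from the protected machine and with side `agent` from a host on the appliance's network segment. A `closed` result usually means the service is not running, while `filtered` points at a firewall or antivirus product dropping the traffic.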
To synchronize time and download operating system updates, all Datto appliances must be able to resolve the following sites in the local DNS:
All Datto appliances must be able to access the following IP ranges for Cloud infrastructure, DNS failback, and device management:
- 220.127.116.11/32 port 5044
- 18.104.22.168/32 port 5044
- 22.214.171.124/24, port 443 and port 80
- 126.96.36.199/24, port 80 and port 2200
Depending on your country, the Datto appliance must have access to the following IP ranges for the offsite storage nodes:
- 188.8.131.52/28 (Ontario)
- 184.108.40.206/25 (Ontario)
- 220.127.116.11/24 (Alberta)
- 18.104.22.168/26 (UK)
- 22.214.171.124/24 (UK)
- 126.96.36.199/24 (Iceland)
- 188.8.131.52/24 (Germany)
ANZ (Australia and New Zealand)
- 184.108.40.206/25 (255.255.255.128)
If you want to find out which Cloud storage node your Datto appliance is connecting to, open the appliance's web interface. You will see the screen as shown in Figure 2.
Figure 2: Offsite Server IP address