Network Port Considerations

Firewall Ports

For CommCell components to communicate across a firewall, the network TCP port numbers you select must be configured on your firewall. This specifically includes tunnel ports and additional ports.

Tunnel Port: This is the incoming port number through which the CommServe receives bidirectional tunnel connections. Port 8403 is the default for Commvault software, but it can be configured to another port number. The incoming connections port is in the Override default tunnel port box. For information about accessing the Override default tunnel port box, see Updating Incoming Ports on the CommServe and MediaAgent.

Additional Open Ports: You can speed up data transfer for components that handle it (for example, MediaAgent or File System Agent), by opening additional bidirectional ports on the firewall, and configuring them as open in this dialog. Specify the range of ports in the Additional open ports area, in the From and To fields. Click Add to add the ports. To remove a port from the listing, select the port and then click Delete. The ports must be within the range of 1024 to 65535. Ensure that the ports specified here are not used by other applications.

For more information on additional open ports, see Opening Additional Ports.

The following tables list bidirectional network ports that must be opened for proper functionality of Commvault software when firewalls or port restrictions are in place.



Port (Protocol)


Clients (all)

MediaAgent/CommServe server

8400 (TCP)


Clients (all)

Network gateway

8403 (TCP)

Network gateway tunnel port
(see Setting Up a Network Gateway Connection Using a Predefined Network Topology)

MediaAgent/CommServe server

Network gateway

8403 (TCP)

Network gateway tunnel port
(see Setting Up a Network Gateway Connection Using a Predefined Network Topology)

CommServe server

Network gateway

8403 (TCP)

Network gateway tunnel port

Clients (all)


8500 to 8600 (TCP)

Data transfer
(see Optimizing Backup and Restore Operations Using Additional Ports)

Note: You may use third-party port mappings to avoid opening the ports listed in the preceding table.

TCP Port Types

Commvault TCP ports can be statically or dynamically assigned.

Static Ports

Several services used by the software listen for incoming network traffic on predefined network ports. The CommServe server, MediaAgents, and agents within the CommCell group communicate with each other through these ports. Essential CommServe server services are automatically assigned registered, static port numbers during installation. MediaAgents, agents, and other software components can use the same default static port numbers or any static port numbers specified during installation.

For the services listed, the software registers the following ports by default:

Note: If there is a firewall between the client and the CommServe server or MediaAgent, make sure that CVD port and the CVD plus 3 port open bidirectionally.


Port Number


Commvault Communications Service (GxCVD, found in all client computers)



Commvault Server Event Manager (GxEvMgrS, available in CommServe)



Commvault Firewall (GxFWD, tunnel port for HTTP/HTTPS)




  • For the CommServe computer: The CommServe cvfwd.exe process is hard-coded to bind to port 8403. This is done so that laptop clients can create a tracking tunnel towards the Commserve on this port when a firewall is not configured explicitly between the CommServe and the client. The laptop clients use this tracking tunnel to inform the CommServe about client online messages.
  • For CommServe computers using the LiveSync operation for disaster recovery, the production and standby CommServe hosts communicate with each other using port 8408 on the SQL client instance. A default topology, Firewall Topology created for failover clients, is created for communication between the production and standby CommServe hosts using port 8408. This topology is created irrespective of the option selected for communication.
  • For all other clients: The cvfwd.exe process is hard-coded to bind to a tunnel port. The tunnel port is by default configured to use the port number of the CVD plus 3. For example, if the port number of the CVD is 8400, then the tunnel port equals 8403 (that is, 8400 plus 3). The tunnel port is used for automatic tunneling.
  • For automatic tunneling, note the following:
    • Whenever there is a port restriction in place, Commvault automatically creates an on-demand tunnel to the destination client as long as the CVD port and tunnel port are open bidirectionally between source and destination clients. Therefore, you do not need to create a two-way network route even when there is a port restriction in place. [Note: The CVD port (default = 8400) and the tunnel port (CVD plus 3; default = 8403) are open bidirectionally.]
    • Automatic tunneling uses the Raw tunnel protocol. For more information, see Configuring Outgoing Tunnel Connections.
    • Automatic tunneling will not work if the Force SSL authentication in incoming tunnel connections option is enabled on remote clients or remote client groups. For more information, see Network Routes: Options.

For information on binding services to static ports, see Binding Services to Static Ports.

Dynamic Ports

Dynamic ports are opened and closed by the running Commvault software to permit certain types of transient traffic.

The GxCVD service dynamically uses free ports between 49152 and 65535 to communicate during data protection and data recovery jobs. The system dynamically assigns a number of free ports to be used by each job to allow parallel data movement. After the job is finished, if no other job is pending, the dynamic ports are released.

If you have a large CommCell environment and you want to increase the range of dynamic ports, log on to the CommServe computer, open the command prompt, and then enter the following command:

netsh int ipversion set dynamicportrange transportprotocol start=startnumber num=totalnumber store=storevalue


  • ipversion is the IP protocol (IPv4 or IPv6)
  • transportprotocol is the transport protocol (TCP or UDP)
  • startnumber is the starting port number (for example, 10000)
  • totalnumber is the total number of ports (for example, 1000)
  • storevalue is active (store until next boot) or persistent (store permanently)


  • Network TCP port requirements remain the same whether the IPv4 or IPv6 protocol family is used.
  • Dynamic port range can be used by a client for internal and external communication.
  • Use of dynamic port range by Commvault services may be restricted internally by binding services to open ports. For more information, see Binding Services to Open Ports.
  • If use of dynamic ports for external communication is restricted by firewall, see Network Routes for more information.

SQL Server Ports

The default instance of a SQL server listens for incoming network traffic using static ports (1433 and 1434). But named instances, such as those used by this software, are configured by default to listen for incoming network traffic using dynamic ports. If a SQL Server instance is configured to listen for network traffic using dynamic ports, the instance will obtain an available port from the operating system and create an endpoint for that port. Incoming connections must then request that port number in order to connect to the software.

You have the option of configuring named instances to use static ports. For instructions, see Microsoft's TechNet article, Configure a Server to Listen on a Specific TCP Port (SQL Server Configuration Manager). If you do configure static ports for SQL Server, be sure to configure your firewall to allow TCP on port 1433 and UDP on port 1434.

Since a dynamic port number can change each time SQL Server launches, the SQL server software provides the SQL Server Browser Service to monitor ports and direct incoming network traffic to the current port used by the default instance. This capability ensures that all port traffic between the SQL Server and the software can be traced at any given time, which is especially useful in network troubleshooting scenarios.

Note: Changing this behavior manually may require additional configuration changes to the DSN (data source name) settings installed by the software. Therefore, we recommended that this behavior not be changed unless absolutely necessary.

Multi Instancing

Multi instancing requires that each instance of the same agent (for example, the SQL Server Agent) or MediaAgent have a unique set of static TCP port numbers assigned. For more information, see Considerations for Multi-Instance Installations.


For a given cluster server, the MediaAgent, agent, or other software component installed on every physical node in a cluster that is configured to host that cluster server must have the same port numbers configured. For example, if you have a cluster server named VS1, and three physical computers configured to host VS1, all three computers must have the same Network TCP port numbers configured for the network interface used by VS1.

Consider the following example:

  • Node A is configured to host cluster server VS1. Instance001 has the Informix Agent installed to protect Informix data on VS1. During install, Port 8502 was specified for the Communications Service (CVD).
  • Node B is also configured to host VS1. Instance003 has the Informix Agent installed to protect Informix data on VS1. During the Agent install, Port 8502 must be specified for the Communications Service (CVD) to match the Network TCP port number configuration of Node A.


  • When specifying Network TCP port numbers, it is essential to choose Network TCP ports that are unassigned and unused. The software requires the ability to open the same ports across when the operating system or applications are restarted, and these ports must not be in use by other resources. All effort should be made to ensure that no other resource expects the specified ports to be open, as a port conflict will cause an application failure.
  • When specifying a Network TCP Port Number other than 8400 for a MediaAgent's Communications Service (GxCVD), which may be necessary when more than one instance of the MediaAgent is installed on a computer, bear in mind that clients with an earlier release may not be able to communicate through that port. Therefore, when specifying a non-default port number in such cases, you should ensure that all clients using the MediaAgent support the Multi Instancing feature, and non-default network TCP port numbers.

If you need to change the network port numbers of a client or MediaAgent, see Changing Network Ports.

Last modified: 6/23/2020 9:00:46 PM