IBM Support

IBM Storage Defender Data Resiliency Service: Network requirements

Detailed System Requirements


Abstract

This document details the IBM Storage Defender Data Resiliency Service network requirements.

Content

To connect IBM Storage Defender Data Resiliency Service (DRS) and the IBM Storage Defender connection manager with storage systems, backup systems, workload hosts, and resources, the connections must be configured. This document provides a visualization of all possible connections and a table with the required network settings for those connections.


Visualization of all connections

  • Overall Architecture (Vertical Layout)
    High-level system overview showing data flow from user access through authentication, SaaS services, core components, agents, and infrastructure integrations.

    Notes: 
    - All authentication flows route through IBM Security Verify, even when using customer IdP 
    - Connection Manager requires internet access to DRS endpoints: *.storage-defender.ibm.com 
    - Clock synchronization via NTP is critical to prevent authentication failures


     

  • Storage Systems Integration
    Connection Manager integration with storage systems for metadata collection and governance.

    Notes: 
    - Fiber Channel or iSCSI must be configured between Sentinel scanner engine and FlashSystem 
    - FlashSystem must be registered in IBM Storage Insights Pro 
    - Connection between DRS tenant and Storage Insights Pro tenant must be requested 
    - Metadata collection supports governance and test recovery operations


     

  • Backup & Protection Integration
    Connection Manager integration with backup and data protection systems.

    Notes: 
    - IBM Storage Protect port 1500 is default but configurable 
    - SAP HANA connection currently supports system databases only 
    - Data Protect replication ports used for backup data between clusters 
    - Archive to external target requires Storage Protect object agent 
    - SSH access (port 22) is required by Ansible, for Oracle client installation only 
    - Access to IBM Storage Protect server required for backup operations
    - Copy Data Management uses HTTPS (443) for metadata collection to support governance and test recovery operations


     

  • VMware vSphere Integration
    Connection Manager and Data Protect integration with VMware infrastructure for production and clean room environments.

    Notes: 
    - Production vCenter used for metadata collection and governance 
    - Clean room vCenter supports test recovery operations 
    - Fiber Channel or iSCSI must be configured between clean room ESXi hosts and FlashSystem 
    - Data Protect cluster requires direct access to ESXi hosts for VM operations 
    - NFC traffic (port 903) used for copying VM data during recovery operations


     

  • Security & SIEM Integration 
    Connection Manager integration with SIEM systems and sensor management.

    Notes: 
    - Default sensor control node is included in Connection Manager 
    - Dedicated sensor control node is optional (Ansible Control Node) 
    - Sensors send heartbeats and alerts to Connection Manager via REST API 
    - SSH used for sensor installation on virtual machines 
    - Threat alerts forwarded to SIEM solutions for security monitoring 
    - Splunk HEC receives data over HTTPS on TCP port 8088


     


 

Table of network requirements for all connections

The following table details the IBM Storage Defender Data Resiliency Service (DRS) network requirements.

| Added with version | Description | Source component | Source Internet Protocol (IP) or Fully Qualified Domain Name (FQDN) | Target component | Target IP or FQDN | Target Port | Comment |
|---|---|---|---|---|---|---|---|
| 2.1.0 | Authentication to IBM Storage Defender | IBM Security Verify | Required for IBM Security Verify core function: ibmstoragedefender.verify.ibm.com, idaas-us01a.ice.ibmcloud.com, login.ibm.com, www.ibm.com. Required to enable fonts, analytics, and trust/consent: 1.www.s81c.com, awppcivuse1.advanced-web-analytics.com, consent.truste.com | Customer web browser | Customer's end-user of IBM Storage Defender IP or FQDN | 443 TCP (HTTPS) | Allow the source URLs to enable login to IBM Storage Defender Services. This is required even when a customer-provided identity provider (IdP) is in use, because all IBM Storage Defender authentication flows are routed through IBM Security Verify. |
| 2.1.0 | Dell PowerMax | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | Dell Unisphere for PowerMax | Dell Unisphere IP or FQDN | 443 TCP (HTTPS) | To collect metadata from Dell PowerMax for governance using IBM Storage Defender. |
| 2.1.0 | Domain Name Service (DNS) | all related systems | _ | DNS server | _ | 53 TCP | The connection manager must be able to resolve domain names. |
| 2.1.0 | IBM Fusion Backup and Restore | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Fusion Cluster OpenShift instance | IBM Fusion user interface IP or FQDN | 443 TCP (HTTPS) | IBM Fusion Cluster URL |
| 2.1.0 | IBM Storage Defender Sentinel | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage Defender Sentinel scanner engine | IBM Storage Defender Sentinel scanner engine IP or FQDN | 22 TCP; 443 TCP (HTTPS) | Fiber channel or iSCSI needs to be configured between the Sentinel scanner engine and FlashSystem. |
| 2.1.0 | IBM Storage Defender Data Protect | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage Defender Data Protect cluster | all IBM Storage Defender Data Protect cluster node IPs and Virtual IPs or FQDN | 443 TCP (HTTPS) | To collect metadata from connected IBM Storage Defender Data Protect cluster to support governance and enable test recovery operations. |
| 2.1.0 | IBM Storage Defender Data Protect | VMware vCenter and ESX hosts | _ | IBM Storage Defender Data Protect cluster | all IBM Storage Defender Data Protect cluster node IPs and Virtual IPs or FQDN | 111 UDP & TCP: NFS Portmapper | Secure Shell (SSH) used for sensor installation. REST API used for heartbeats and alerts between sensor and connection manager. Only used if a Defender sensor control node (Ansible Control Node) is used. |
| 2.1.0 | IBM Storage Defender Data Protect | IBM Storage Defender Data Protect cluster | _ | VMware vCenter and ESX hosts | Production and clean room VMware vCenter IP or FQDN | 443 TCP; 902 TCP: VMware VIX, used for control traffic to ESXi hosts; 902 TCP & 903 TCP: Used for NFC (Network File Copy) traffic for copying VM data. | Fiber channel or iSCSI needs to be configured between the clean room ESXi host and FlashSystem. |
| 2.1.0 | IBM Storage Defender Data Resiliency Service | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage Defender Data Management Service SaaS Instance | *.storage-defender.ibm.com, demw09w5z99jx.cloudfront.net, cm-logbundle-us-east-2-prod.s3.us-east-2.amazonaws.com | 443 TCP (HTTPS) | IBM Storage Defender connection manager uses: WebSocket (Secure) protocol to talk to the DRS; HTTPS protocol to download updates from AWS CloudFront; HTTPS protocol to upload support log packages to AWS S3. In all cases, the IBM Storage Defender connection manager must be able to connect to the internet endpoints on port 443 (HTTPS). |
| 2.1.0 | IBM Storage Defender sensor | VMs with IBM Storage Defender sensors | Virtual machines (used for sensor installation) IP or FQDN | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | 443 TCP (HTTPS) | REST API used for heartbeats and alerts between sensor and connection manager. See Defender sensor control node. |
| 2.1.0 | IBM Storage Defender sensor control node (optional) | IBM Storage Defender sensor control node | IBM Storage Defender sensor control node IP or FQDN | VMs with IBM Storage Defender sensors | IBM Storage Defender connection manager IP or FQDN | 22 TCP; 443 TCP (HTTPS) | The default sensor control node is included in the connection manager. The dedicated control node is optional. SSH used for sensor installation. REST API used for heartbeats and alerts between sensor and connection manager. Only used if an IBM Storage Defender sensor control node (Ansible Control Node) is used. |
| 2.1.0 | IBM Storage Insights (Production) | IBM Storage FlashSystem | _ | IBM Storage Insights Pro SaaS | *.storageinsights.ibmcloud.com, esupport.ibm.com | 443 HTTPS (TCP) | Storage must be registered in IBM Storage Insights Pro. The connection between the IBM Storage Defender DRS tenant and IBM Storage Insights Pro tenant needs to be requested. |
| 2.1.0 | IBM Storage Protect | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage Protect server | IBM Storage Protect server IP or FQDN | TCP PORT (1500 as default) | To collect metadata from connected IBM Storage Protect server to support governance and enable test recovery operations. |
| 2.1.0 | IBM Storage Protect for Oracle client | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage Protect for Oracle client | IBM Storage Protect system (used for the Oracle client installation) IP or FQDN | 22 TCP | SSH is required by Ansible. Also requires access to the IBM Storage Protect server used for backup. |
| 2.1.0 | IBM Storage FlashSystem | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage FlashSystem management IP | IBM Storage FlashSystem IP or FQDN | 443 TCP (HTTPS GUI); 7443 TCP (HTTPS GUI) | To collect metadata from connected IBM Storage FlashSystem to support governance and enable test recovery operations. |
| 2.1.0 | Network Time Protocol (NTP) | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP | NTP server(s) | NTP server IP or FQDN | 123 UDP | Resolving failure to connect to Data Resiliency due to clock skew |
| 2.1.0 | Pure FlashArray | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | Pure Storage FlashArray | Pure Storage FlashArray IP or FQDN | 443 TCP (HTTPS) | To collect metadata from connected Pure FlashArray to support governance. |
| 2.1.0 | SAP HANA | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | SAP HANA | SAP HANA DB server IP or FQDN | SAP HANA system database Port | Port: Currently DRS supports the connection to SAP HANA system databases only. Also requires access to the IBM Storage Protect server used for backup. |
| 2.1.0 | SIEM | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | SIEM: IBM QRadar syslogd | QRadar server IP or FQDN | 514 (UDP & TCP) | Sending threat alerts to the SIEM solution. |
| 2.1.0 | SIEM | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | SIEM: Splunk | Splunk server IP or FQDN | 8088 TCP (HTTPS) | Sending threat alerts to the SIEM solution. HTTP Event Collector (HEC) receives data over HTTPS on TCP port. |
| 2.1.0 | Single Sign-On (SSO) using customer-provided identity provider (IdP) | IBM Security Verify | ibmstoragedefender.verify.ibm.com, idaas-us01a.ice.ibmcloud.com | Customer-provided identity provider (IdP) | Identity provider (IdP) IP or FQDN | 443 TCP (HTTPS) | Required to enable usage of customer-provided identity provider (IdP). Used to exchange URLs, certificates, and configuration settings between IBM Security Verify and customer-provided identity provider. |
| 2.1.0 | VMware vSphere (Clean room) | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | Clean room vCenter | Clean room VMware vCenter IP or FQDN | 443 TCP (HTTPS) | To collect metadata from connected clean room VMware vCenter to support governance and enable test recovery operations. |
| 2.1.0 | VMware vSphere (Production) | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | Production vCenter | Production VMware vCenter IP or FQDN | 443 TCP (HTTPS) | To collect metadata from connected production VMware vCenter to support governance. |
| 2.1.5 | IBM Storage Defender Copy Data Management | IBM Storage Defender connection manager | IBM Storage Defender connection manager IP or FQDN | IBM Storage Defender Copy Data Management | IBM Storage Defender Copy Data Management Server IP or FQDN | 443 TCP (HTTPS) | To collect metadata from connected IBM Storage Defender Copy Data Management to support governance and enable test recovery operations. |
| 2.1.5 | IBM Storage Defender Data Protect Replication | IBM Storage Defender Data Protect | IBM Storage Defender Data Protect cluster IP or FQDN | IBM Storage Defender Data Protect | IBM Storage Defender Data Protect cluster IP or FQDN | 443 TCP; 111111 TCP; 20000 TCP; 23335 TCP; 23336 TCP; 244444 TCP | Backup data replication between IBM Storage Defender Data Protect clusters. |
| 2.1.5 | IBM Storage Defender Data Protect Archive | IBM Storage Defender Data Protect | IBM Storage Defender Data Protect cluster IP or FQDN | IBM Storage Protect object agent | IBM Storage Protect object agent IP or FQDN | 9000 TCP | IBM Storage Defender Data Protect archive to external target IBM Storage Protect. |
| 2.1.5 | IBM Storage Defender Data Protect Support | IBM Storage Defender Data Protect | IBM Storage Defender Data Protect cluster IP or FQDN | Customer support servers | Customer support servers IP or FQDN | 443 TCP (HTTPS) | Access for support team. |
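
The Data Resiliency Service, DNS and NTP requirements listed above can be verified from the connection manager host before onboarding. The following Python preflight check is an added example, not IBM tooling: it attempts the TCP 443 connections named in the Data Resiliency Service row and measures clock offset with a single SNTP query. The function names and the NTP server passed on the command line are assumptions, and the wildcard *.storage-defender.ibm.com must be replaced by a concrete tenant hostname.

```python
import socket, struct, sys, time

NTP_EPOCH_DELTA = 2208988800  # seconds from 1900-01-01 (NTP) to 1970-01-01 (Unix)

# Outbound HTTPS targets of the connection manager, copied from the DRS row.
# *.storage-defender.ibm.com is a wildcard: add your own tenant hostname here.
CM_OUTBOUND = [
    ("update download (CloudFront)", "demw09w5z99jx.cloudfront.net", 443),
    ("log upload (S3)", "cm-logbundle-us-east-2-prod.s3.us-east-2.amazonaws.com", 443),
]

def tcp_reachable(host, port, timeout=3.0):
    """Try a TCP connect; the detail string separates DNS failures from blocked ports."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True, "connected"
    except socket.gaierror as exc:      # name did not resolve (DNS requirement)
        return False, f"dns: {exc}"
    except OSError as exc:              # refused, filtered, or timed out
        return False, f"tcp: {exc}"

def ntp_offset(reply, t1, t4):
    """Clock offset in seconds from an SNTP reply: ((T2 - T1) + (T3 - T4)) / 2."""
    if len(reply) < 48:
        raise ValueError("NTP reply shorter than 48 bytes")
    def stamp(pos):
        sec, frac = struct.unpack("!II", reply[pos:pos + 8])
        return sec - NTP_EPOCH_DELTA + frac / 2**32
    t2, t3 = stamp(32), stamp(40)       # server receive / transmit timestamps
    return ((t2 - t1) + (t3 - t4)) / 2

def query_ntp(server, timeout=3.0):
    """Send one SNTP client request to UDP 123 and return the measured offset."""
    request = b"\x23" + bytes(47)       # LI=0, version 4, mode 3 (client)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(request, (server, 123))
        reply, _ = sock.recvfrom(512)
        t4 = time.time()
    return ntp_offset(reply, t1, t4)

if __name__ == "__main__":
    for label, host, port in CM_OUTBOUND:
        ok, detail = tcp_reachable(host, port)
        print(f"{'PASS' if ok else 'FAIL'}  {host}:{port}  {label}  ({detail})")
    if len(sys.argv) > 1:               # NTP server name passed as first argument
        try:
            print(f"clock offset vs {sys.argv[1]}: {query_ntp(sys.argv[1]):+.3f} s")
        except OSError as exc:
            print(f"FAIL  {sys.argv[1]}:123/udp  NTP  ({exc})")
```

A successful TCP connect shows only that the firewall path is open; it does not validate the TLS certificate or an intercepting proxy in between.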


 


Document Information

Modified date:
25 June 2026

UID

ibm17245394