September 4, 2019
| Product | Version | Source | Destination | Ports | Protocols | Purpose | Service Description | Classification |
|---|---|---|---|---|---|---|---|---|
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 3260 | TCP | Software iSCSI Client | Supports software iSCSI. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | UDP | VMware vCenter Agent | vCenter Server agent. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | - | - | 8084, 9084, 9087 | TCP | vCenter Server | Used by vSphere Update Manager. | - |
only if required by extensions that you intend to use.
| vSphere | 6.7, 6.5 | - | - | 31031, 44046 (Default) | TCP | vCenter Server | vSphere Replication. | - |
| vSphere | 6.7, 6.5 | - | - | 5444, 5432 | - | vCenter Server | Internal port for monitoring of vPostgreSQL. | Internal |
Important: You
vSphere 6.7, 6.5 vCenter Server Platform 389 TCP/UDP Windows This port must be -
or Services installations and open on the local
Platform Controller appliance and all remote
Services deployments of instances of
Controller Platform vCenter Server.
Services This is the LDAP
Controller port number for
the Directory
Services for the
vCenter Server
group. If another
service is
running on this
port, it might be
preferable to
remove it or
change its port to
a different port.
You can run the
LDAP service on
If this instance is
serving as the
Microsoft
Windows Active
Directory, change
the port number
from 389 to an
available port
from 1025
vSphere 6.7, 6.5 vCenter Server vCenter Server 443 TCP Windows through 65535.
The default port -
or installations and that the vCenter
Platform Platform appliance Server system
Services Services deployments of uses to listen for
Controller Controller vCenter Server connections from
and Platform the vSphere Web
vCenter Server Services Client. To enable
Controller the vCenter
Server system to
receive data from
the vSphere Web
Client, open port
443 in the
firewall.
The vCenter
Server system
also uses port
443 to monitor
data transfer
from SDK clients.
t (also requires
port 80 to be
open)
Third-party
network
management
client
connections to
vCenter Server
Third-party
network
management
clients access to
hosts
Important:
You only can
change this port
number during
the vCenter
Server and
Platform
Services
Controller
vSphere 6.7, 6.5 NA NA 514 TCP/UDP Windows installation.
vSphere Syslog -
installations and Collector port for
appliance vCenter Server
deployments of on Windows and
vCenter Server vSphere Syslog
and Platform Service port for
Services vCenter Server
Controller Appliance
Important:
You can change
this port number
during the
vCenter Server
and Platform
Services
Controller
installations on
vSphere 6.7, 6.5 vCenter Server Platform 636 TCP Windows Windows.
vCenter Single -
6.0 Services installations and Sign-On LDAPS
Controller 6.5 appliance For backward
deployments of compatibility with
vCenter Server vSphere 6.0 only.
and Platform During upgrade
Services from vSphere 6.0
Controller only.
Important:
You can change
this port number
during the
vCenter Server
and Platform
Services
Controller
installations on
Windows.
vSphere 6.7, 6.5 vCenter Server Platform 2012 TCP Windows Control interface -
OR Services installations and RPC for vCenter
Platform Controller appliance Single Sign-On
Services Platform deployments of
Controller Services Platform
Controller Services
OR Controller
vCenter Server
vSphere 6.7, 6.5 vCenter Server Platform 2014 TCP Windows RPC port for all -
Services installations and VMCA (VMware
Platform Controller appliance Certificate
Services deployments of Authority) APIs
Controller vCenter Server Platform
Services Important:
Controller You can change
this port number
during the
Platform
Services
Controller
installations on
Windows.
vSphere 6.7, 6.5 vCenter Server Platform 2020 TCP/UDP Windows Authentication -
Services installations and framework
Platform Controller appliance management
Services deployments of
Controller to vCenter Server vCenter Server Important:
and Platform You can change
Services this port number
Controller during the
vCenter Server
and Platform
Services
Controller
installations on
Windows.
and Platform
Services Open endpoint
Controller serving all
HTTPS,
XMLRPS and
JSON-RPC
requests over
HTTPS.
vSphere 6.7, 6.5 - - 6500 TCP/UDP Windows ESXi Dump -
installations and Collector port
appliance
deployments of Important:
vCenter Server You can change
this port number
during the
vCenter Server
installations on
Windows.
vSphere 6.7, 6.5 - - 7081 TCP Windows VMware Platform Internal port
installations and Services
appliance Controller Web
deployments of Client
Platform
Services
Controller
vSphere 6.7, 6.5 vCenter Server - 7475, 7476 Platform Appliance VMware vSphere -
Services deployments of Authentication
Controller vCenter Server Proxy
deployments of
vCenter Server
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5988 | TCP | CIM Server | Server for CIM (Common Information Model). | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5989 | TCP | CIM Secure Server | Secure server for CIM. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 546 | - | DHCPv6 | DHCP client for IPv6. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 68 | UDP | DHCP Client | DHCP client for IPv4. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 53 | UDP | DNS Client | DNS client. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 22 | TCP | SSH Server | Required for SSH access. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902, 443 | TCP | vSphere Web Client | Client connections | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | - | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80, 9000 | TCP | vSphere Update Manager | - | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 547 | TCP, UDP | DHCPv6 | DHCP client for IPv6. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 9 | UDP | WOL | Used by Wake on LAN. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 68 | UDP | DHCP Client | DHCP client. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 53 | TCP, UDP | DNS Client | DNS client. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 3260 | TCP | Software iSCSI Client | Supports software iSCSI. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | - | - | 8000 | TCP, UDP | - | ESXi Dump Collector | Internal Port |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | UDP | VMware vCenter Agent | vCenter Server agent. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
port must be open.
| vSphere | 6.7, 6.5 | - | - | 135 | UDP | vCenter Server | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked Mode and port 88 is used for Active Directory authentication. | - |
not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the VMware Host Client and the hosts. The VMware Host Client uses this port to display virtual machine consoles. Important: You can change this port number during the vCenter Server installations on Windows.
| vSphere | 6.7, 6.5 | - | - | 6501 | TCP | Windows installations and appliance deployments of vCenter Server | Auto Deploy service. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 7080, 12721 | TCP, UDP | Windows installations and appliance deployments of Platform Services Controller | Secure Token Service | Internal ports |
| vSphere | 6.7, 6.5 | - | - | 8200, 8201, 8300, 8301 | TCP | Appliance deployments of vCenter Server and Platform Services Controller | Appliance management | Internal ports |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 12345, 23451 | UDP | vSANClustering Service | VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. | Incoming Firewall Connections |
vSphere 6.7, 6.5 vSphere Web VMware Host 2233 TCP vSAN Transport vSAN reliable Incoming
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 12345, 23451 | UDP | vSANClustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. Note: This Firewall Port for Services is not Visible in the UI by Default | Firewall Port |
| vSphere | 6.7, 6.5 | - | - | 8085 | TCP, UDP | - | Ports used by the vCenter service (vpxd) SDK. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 8900 | TCP, UDP | - | Monitoring API internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 9090 | TCP, UDP | - | Port for vSphere Web Client. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 10080 | TCP, UDP | - | Inventory service internal port | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 10201 | TCP, UDP | - | Message Bus Configuration Service internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 11080 | TCP, UDP | - | vCenter Server Appliance internal ports for HTTP and for splash screen. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 12080 | TCP, UDP | - | License service internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 12346, 12347, 4298 | TCP, UDP | - | Internal port for VMware Cloud Management SDKs (vAPI). | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 13080, 6070 | TCP, UDP | - | Used internally by the Performance Charts service. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 14080 | TCP, UDP | - | Used internally by the syslog service. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 15005, 15006 | TCP, UDP | - | ESX Agent Manager internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 16666, 16667 | TCP, UDP | - | Content Library ports. | - |
| vSphere | 6.7, 6.5 | - | - | 32768-60999 | TCP, UDP | - | vCenter Server Appliance uses for vPostgres services. | Ephemeral ports |
| vSphere | 6.7, 6.5 | - | - | 22 | TCP | System port for SSHD | Between all three nodes Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 5432 | TCP | Postgres | Between Primary and Secondary Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 8182 | TCP | Fault Domain Manager | Between all three nodes Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 8182 | UDP | Fault Domain Manager | Between all three nodes Bidirectional. | Firewall Port for VCHA Private IP table |