
VMware VMware Ports and Pr

September 4, 2019

| Product | Version | Source | Destination | Ports | Protocols | Purpose | Service Description | Classification |
|---|---|---|---|---|---|---|---|---|
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 3260 | TCP | Software iSCSI Client | Supports software iSCSI. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | UDP | VMware vCenter Agent | vCenter Server agent. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and Web services. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | - | - | 161 | UDP | vCenter Server | SNMP Server | - |
| vSphere | 6.7, 6.5 | - | - | 636 | TCP | vCenter Server | vCenter Single Sign-On LDAPS (6.0 and later) | - |
| vSphere | 6.7, 6.5 | - | - | 8084, 9084, 9087 | TCP | vCenter Server | Used by vSphere Update Manager. | - |
| vSphere | 6.7, 6.5 | - | - | 8109 | TCP | vCenter Server | VMware Syslog Collector. This service is needed if you want to centralize log collection. | - |
| vSphere | 6.7, 6.5 | - | - | 15007, 15008 | TCP | vCenter Server | vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use. | - |
| vSphere | 6.7, 6.5 | - | - | 31031, 44046 (Default) | TCP | vCenter Server | vSphere Replication. | - |
| vSphere | 6.7, 6.5 | - | - | 5355 | UDP | vCenter Server | The systemd-resolve process uses this port to resolve domain names, IPv4 and IPv6 addresses, DNS resource records and services. | - |
| vSphere | 6.7, 6.5 | - | - | 5444, 5432 | - | vCenter Server | Internal port for monitoring of vPostgreSQL. | Internal |
| vSphere | 6.7, 6.5 | NA | NA | 22 | TCP | Appliance deployments of vCenter Server, Platform Services Controller | System port for SSHD. | - |
| vSphere | 6.7, 6.5 | NA | NA | 53 | - | Windows installations and appliance deployments of Platform Services Controller | DNS service | - |
| vSphere | 6.7, 6.5 | NA | NA | 80 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open). If you use a Microsoft SQL database that is stored on the same virtual machine or physical server as the vCenter Server, port 80 is used by the SQL Reporting Service. When you install or upgrade vCenter Server, the installer prompts you to change the HTTP port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a successful installation or upgrade. Important: You can only change this port number during the vCenter Server and Platform Services Controller installation. | - |
| vSphere | 6.7, 6.5 | NA | NA | 88 | TCP | Windows installations and appliance deployments of Platform Services Controller | Active Directory server. This port must be open for host to join Active Directory. If you use native Active Directory, the port must be open on both vCenter Server and Platform Services Controller. | - |
| vSphere | 6.7, 6.5 | vCenter Server or Platform Services Controller | Platform Services Controller | 389 | TCP/UDP | Windows installations and appliance deployments of Platform Services Controller | This port must be open on the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535. If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535. | - |
| vSphere | 6.7, 6.5 | vCenter Server or Platform Services Controller | vCenter Server; Platform Services Controller; vCenter Server | 443 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | The default port that the vCenter Server system uses to listen for connections from the vSphere Web Client. To enable the vCenter Server system to receive data from the vSphere Web Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); Third-party network management client connections to vCenter Server; Third-party network management clients access to hosts. Important: You only can change this port number during the vCenter Server and Platform Services Controller installation. | - |
| vSphere | 6.7, 6.5 | NA | NA | 514 | TCP/UDP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service port for vCenter Server Appliance. Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | vCenter Server 6.0 | Platform Services Controller 6.5 | 636 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vCenter Single Sign-On LDAPS. For backward compatibility with vSphere 6.0 only. During upgrade from vSphere 6.0 only. | - |
| vSphere | 6.7, 6.5 | - | - | 1514 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog Service TLS port for vCenter Server Appliance. Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | vCenter Server OR Platform Services Controller | Platform Services Controller; Platform Services Controller OR vCenter Server | 2012 | TCP | Windows installations and appliance deployments of Platform Services Controller | Control interface RPC for vCenter Single Sign-On | - |
| vSphere | 6.7, 6.5 | vCenter Server; Platform Services Controller | Platform Services Controller; vCenter Server | 2014 | TCP | Windows installations and appliance deployments of Platform Services Controller | RPC port for all VMCA (VMware Certificate Authority) APIs. Important: You can change this port number during the Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | Platform Services Controller | Platform Services Controller | 2015 | TCP | Windows installations and appliance deployments of Platform Services Controller | DNS management | - |
| vSphere | 6.7, 6.5 | vCenter Server; Platform Services Controller | Platform Services Controller; to vCenter Server | 2020 | TCP/UDP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | Authentication framework management. Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 5480 | TCP | Appliance deployments of vCenter Server and Platform Services Controller | Appliance Management Interface. Open endpoint serving all HTTPS, XMLRPS and JSON-RPC requests over HTTPS. | - |
| vSphere | 6.7, 6.5 | - | - | 6500 | TCP/UDP | Windows installations and appliance deployments of vCenter Server | ESXi Dump Collector port. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 6502 | TCP | Auto Deploy management. Important: You can change this port number during the vCenter Server installations on Windows. | Windows installations and appliance deployments of vCenter Server | - |
| vSphere | 6.7, 6.5 | - | - | 7081 | TCP | Windows installations and appliance deployments of Platform Services Controller | VMware Platform Services Controller Web Client | Internal port |
| vSphere | 6.7, 6.5 | vCenter Server | - | 7475, 7476 | Platform Services Controller | Appliance deployments of vCenter Server | VMware vSphere Authentication Proxy | - |
| vSphere | 6.7, 6.5 | - | - | 8084 | TCP | Appliance deployments of vCenter Server | vSphere Update Manager SOAP port. The port used by vSphere Update Manager client plug-in to connect to the vSphere Update Manager SOAP server. | - |
| vSphere | 6.7, 6.5 | - | - | 9084 | TCP | Appliance deployments of vCenter Server | vSphere Update Manager Web Server Port. The HTTP port used by ESXi hosts to access host patch files from vSphere Update Manager server. | - |
| vSphere | 6.7, 6.5 | - | - | 9087 | TCP | Appliance deployments of vCenter Server | vSphere Update Manager Web SSL Port. The HTTPS port used by vSphere Update Manager client plug-in to upload host upgrade files to vSphere Update Manager server. | - |
| vSphere | 6.7, 6.5 | - | - | 9443 | TCP | Windows installations and appliance deployments of vCenter Server | vSphere Web Client HTTPS | - |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5988 | TCP | CIM Server | Server for CIM (Common Information Model). | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5989 | TCP | CIM Secure Server | Secure server for CIM. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 546 | - | DHCPv6 | DHCP client for IPv6. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 68 | UDP | DHCP Client | DHCP client for IPv4. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 53 | UDP | DNS Client | DNS client. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 22 | TCP | SSH Server | Required for SSH access. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902, 443 | TCP | vSphere Web Client | Client connections | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | - | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80, 9000 | TCP | vSphere Update Manager | - | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 547 | TCP, UDP | DHCPv6 | DHCP client for IPv6. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 9 | UDP | WOL | Used by Wake on LAN. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 68 | UDP | DHCP Client | DHCP client. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 53 | TCP, UDP | DNS Client | DNS client. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 3260 | TCP | Software iSCSI Client | Supports software iSCSI. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | - | - | 8000 | TCP, UDP | - | ESXi Dump Collector | Internal Port |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | UDP | VMware vCenter Agent | vCenter Server agent. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and Web services. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | - | - | 123 | UDP | vCenter Server | NTP Client. If you are deploying the vCenter Server Appliance on an ESXi host, the two must be time synchronized, usually through an NTP server, and the corresponding port must be open. | - |
| vSphere | 6.7, 6.5 | - | - | 135 | UDP | vCenter Server | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked Mode and port 88 is used for Active Directory authentication. | - |
| vSphere | 6.7, 6.5 | - | - | 5443 | - | vCenter Server | vCenter Server graphical user interface internal port. | Internal |
| vSphere | 6.7, 6.5 | - | - | 5090 | - | vCenter Server | vCenter Server graphical user interface internal port. | Internal |
| vSphere | 6.7, 6.5 | - | - | 902 | TCP/UDP | Windows installations and appliance deployments of vCenter Server | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the VMware Host Client and the hosts. The VMware Host Client uses this port to display virtual machine consoles. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 6501 | TCP | Windows installations and appliance deployments of vCenter Server | Auto Deploy service. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 7080, 12721 | TCP, UDP | Windows installations and appliance deployments of Platform Services Controller | Secure Token Service | Internal ports |
| vSphere | 6.7, 6.5 | - | - | 8200, 8201, 8300, 8301 | TCP | Appliance deployments of vCenter Server and Platform Services Controller | Appliance management | Internal ports |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 12345, 23451 | UDP | vSANClustering Service | VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 12345, 23451 | UDP | vSANClustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. Note: This Firewall Port for Services is not Visible in the UI by Default | Firewall Port |
| vSphere | 6.7, 6.5 | - | - | 8085 | TCP, UDP | - | Ports used by the vCenter service (vpxd) SDK. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 8095 | TCP, UDP | - | VMware vCenter services feed port. | - |
| vSphere | 6.7, 6.5 | - | - | 8098, 8099 | TCP, UDP | - | Used by VMware Image Builder Manager. | - |
| vSphere | 6.7, 6.5 | - | - | 8190, 8191, 22000, 22100, 21100 | TCP, UDP | - | VMware vSphere Profile-Driven Storage Service. | - |
| vSphere | 6.7, 6.5 | - | - | 8900 | TCP, UDP | - | Monitoring API internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 9090 | TCP, UDP | - | Port for vSphere Web Client. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 10080 | TCP, UDP | - | Inventory service internal port | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 10201 | TCP, UDP | - | Message Bus Configuration Service internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 11080 | TCP, UDP | - | vCenter Server Appliance internal ports for HTTP and for splash screen. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 12080 | TCP, UDP | - | License service internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 12346, 12347, 4298 | TCP, UDP | - | Internal port for VMware Cloud Management SDKs (vAPI). | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 13080, 6070 | TCP, UDP | - | Used internally by the Performance Charts service. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 14080 | TCP, UDP | - | Used internally by the syslog service. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 15005, 15006 | TCP, UDP | - | ESX Agent Manager internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 16666, 16667 | TCP, UDP | - | Content Library ports. | - |
| vSphere | 6.7, 6.5 | - | - | 32768 - 60999 | TCP, UDP | - | vCenter Server Appliance uses for vPostgres services. | Ephemeral ports |
| vSphere | 6.7, 6.5 | - | - | 22 | TCP | System port for SSHD | Between all three nodes Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 5432 | TCP | Postgres | Between Primary and Secondary Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 8182 | TCP | Fault Domain Manager | Between all three nodes Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 8182 | UDP | Fault Domain Manager | Between all three nodes Bidirectional. | Firewall Port for VCHA Private IP table |
