The VMware vCenter Server system must be able to send data to every managed host and receive data from every vSphere Web Client. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.
For information about ports required for the vCenter Server Appliance, see Required Ports for the vCenter Server Appliance.
VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for data from the vCenter Server system. If a firewall exists between any of these elements and the Windows Firewall service is in use, the installer opens the ports during the installation. For custom firewalls, you must manually open the required ports. If you have a firewall between two managed hosts and you want to perform source or target activities, such as migration or cloning, you must configure a means for the managed hosts to receive data.
|22||SSH Server (vSphere Client)|
|80||vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server.
WS-Management (also requires port 443 to be open)
If you use a custom Microsoft SQL database (not the bundled SQL Server 2008 database) that is stored on the same host machine as the vCenter Server, port 80 is used by the SQL Reporting Service. When you install vCenter Server, the installer will prompt you to change the HTTP port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a successful installation.
Microsoft Internet Information Services (IIS) also uses port 80. See Conflict Between vCenter Server and IIS for Port 80.|
|88||Control interface RPC for Kerberos, used by vCenter Single Sign-On|
|111||RPC service that is used for the NIS register by the vCenter Server Appliance|
|135||Used to join vCenter Virtual Appliance to an Active Directory domain.|
|389||This port must be open on the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535.
If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535.|
|427||The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers.|
|443||The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall.
The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.
This port is also used for the following services:
|513||Used by the vCenter Virtual Appliance for logging activity|
|636||For vCenter Server Linked Mode, this is the SSL port of the local instance. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the SSL service on any port from 1025 through 65535.|
|902||The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.
Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles.
Access a virtual machine console from the vSphere Client when the vSphere Client is connected directly to the ESXi host (no vCenter Server).
MKS transactions (xinetd/vmware-authd-mks)
|1234, 1235||vSphere Replication|
|2012||Control interface RPC for vCenter Single Sign-On vmdir.|
|2013||Control interface RPC for Kerberos, used by vCenter Single Sign-On|
|2014||RPC port for all VMCA (VMware Certificate Authority) APIs|
Transactions from NFS storage devices
This port is used on the VMkernel interface.
|3260||Transactions to iSCSI storage devices|
|3268||Default port for Active Directory multi-domain controller deployments|
|3269||Default SSL port for Active Directory multi-domain controller deployments|
|5900-5964||RFB protocol, which is used by management tools such as VNC|
|5988||CIM transactions over HTTP|
|5989||CIM XML transactions over HTTPS|
|6501||Auto Deploy service|
|6502||Auto Deploy management|
|7005||vCenter Single Sign-On|
|7009||vCenter Single Sign-On|
|7080||vCenter Single Sign-On|
|7343||vSphere Web Client - HTML5 Remote Console|
|7444||vCenter Single Sign-On HTTPS|
|8000||Requests from vMotion|
|8009||AJP connector port for vCenter Server Appliance communication with Tomcat|
|8080||Web Services HTTP. Used for the VMware VirtualCenter Management Web Services.|
|8100||Traffic between hosts for vSphere Fault Tolerance (FT)|
|8182||Traffic between hosts for vSphere High Availability (HA)|
|8200||Traffic between hosts for vSphere Fault Tolerance (FT)|
|8443||Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services.|
|9009||Used to allow a vCenter Server Appliance to communicate with the vSphere Web Client.|
|9090||vSphere Web Client HTTP|
|9443||vSphere Web Client HTTPS|
|9875 - 9877||vSphere Web Client Java Management Extension (JMX). Dynamically acquired upon the vSphere Web Client service starting.|
|10080||vCenter Inventory Service HTTP|
|10109||vCenter Inventory Service Management|
|10111||vCenter Inventory Service Linked Mode Communication|
|10443||vCenter Inventory Service HTTPS|
|11711||vCenter Single Sign-On LDAP|
|11712||vCenter Single Sign-On LDAPS|
|12721||VMware Identity Management service|
|49000 - 65000||vCenter Single Sign-On - VMware Identity Management Service. Dynamically acquired when the VMware Identity Management Service starts.|
|60099||Web Service change service notification port|
To have the vCenter Server system use a different port to receive vSphere Web Client data, see the vCenter Server and Host Management documentation.
For a discussion of firewall configuration, see the vSphere Security documentation.
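The port-conflict guidance in the rows for ports 80, 389 and 636 can be turned into a pre-installation check. The following is an added example, not VMware code: it flags existing listeners on those ports and tests whether a proposed replacement port collides with any port or range listed in the table. The listener inventory and process names are constructed, and the NFS row is omitted because its port number does not appear in the table.

```python
# Added example: port numbers transcribed from the table on this page.
SINGLE = [22, 80, 88, 111, 135, 389, 427, 443, 513, 636, 902, 1234, 1235,
          2012, 2013, 2014, 3260, 3268, 3269, 5988, 5989, 6501, 6502, 7005,
          7009, 7080, 7343, 7444, 8000, 8009, 8080, 8100, 8182, 8200, 8443,
          9009, 9090, 9443, 10080, 10109, 10111, 10443, 11711, 11712, 12721,
          60099]
RANGES = [(5900, 5964), (9875, 9877), (49000, 65000)]  # last two are dynamic
DOCUMENTED = [(p, p) for p in SINGLE] + RANGES

# The page's advice when another service already owns one of these ports.
ADVICE = {
    80: "choose a custom vCenter Server HTTP port when the installer prompts",
    389: "move the other service or run LDAP on a port from 1025 through 65535",
    636: "move the other service or run SSL on a port from 1025 through 65535",
}

def find_conflicts(listeners):
    """listeners: iterable of (port, process) seen before installation."""
    return [(port, proc, ADVICE[port])
            for port, proc in listeners if port in ADVICE]

def check_alternate(port, listeners):
    """Return reasons a proposed replacement port for 389/636 is unsafe."""
    problems = []
    if not 1025 <= port <= 65535:
        problems.append("outside 1025-65535")
    for lo, hi in DOCUMENTED:
        if lo <= port <= hi:
            problems.append(f"overlaps documented port(s) {lo}-{hi}" if lo != hi
                            else f"overlaps documented port {lo}")
    if any(p == port for p, _ in listeners):
        problems.append("already in use on this host")
    return problems

# Constructed pre-install inventory (hypothetical host, not real output).
SAMPLE_LISTENERS = [(80, "w3svc"), (389, "lsass"), (3389, "termservice"),
                    (8080, "tomcat")]

if __name__ == "__main__":
    for port, proc, advice in find_conflicts(SAMPLE_LISTENERS):
        print(f"port {port} held by {proc}: {advice}")
    for candidate in (389, 1024, 8080, 50389, 20389):
        print(candidate, check_alternate(candidate, SAMPLE_LISTENERS) or "ok")
```

A candidate such as 50389 lies inside the permitted 1025 through 65535 range but is still flagged, because it falls in the 49000 - 65000 range that the VMware Identity Management Service acquires dynamically.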