vCenter Server, ESXi hosts, and other network components are accessed using predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default). For an up to date list of ports of all vSphere components for the different versions of vSphere, see

Table 1. TCP and UDP Ports



Traffic Type


SSH Server (vSphere Client)

Incoming TCP

53 (Default)

DNS Client

Incoming and outgoing UDP

68 (Default)

DHCP Client

Incoming and outgoing UDP

80 (Default)

HTTP access

vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server

WS-Management (also requires port 443 to be open)

Incoming TCP

Outgoing TCP, UDP

88, 2013

Control interface RPC for Kerberos, used by vCenter Single Sign-On

111 (Default)

RPC service that is used for the NIS register by the vCenter Server Appliance

Incoming and outgoing TCP


NTP Client

Outgoing UDP

135 (Default)

For the vCenter Server Appliance, this port is designated for Active Directory authentication.

For a vCenter Server Windows installation, this port is used for Linked mode and port 88 is used for Active Directory authentication.

Incoming and outgoing TCP

161 (Default)

SNMP Server

Incoming UDP

443 (Default)

The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall.

The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.

This port is also used for the following services:

  • WS-Management (also requires port 80 to be open)

  • vSphere Client access to vSphere Update Manager

  • Third-party network management client connections to vCenter Server

  • Third-party network management clients access to hosts

Incoming TCP

427 (Default)

The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers.

Incoming and outgoing UDP

513 (Default)

vCenter Server Appliance used for logging activity

Incoming UDP

902 (Default)

The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.

Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles.

Incoming and outgoing TCP, outgoing UDP


Access a virtual machine console from the vSphere Client when the vSphere Client is connected directly to the ESXi host (no vCenter Server).

MKS transactions (xinetd/vmware-authd-mks)

Incoming TCP


Control interface RPC for vCenter Single Sign-On vmdir.


RPC port for all VMCA (VMware Certificate Authority) APIs


Transactions from NFS storage devices

This port is used on the VMkernel interface.

Incoming and outgoing TCP

31031 44046.(Default)

vSphere Replication

Outgoing TCP


Transactions to iSCSI storage devices

Outgoing TCP


RFB protocol, which is used by management tools such as VNC

Incoming and outgoing TCP

5988 (Default)

CIM transactions over HTTP

Incoming TCP

5989 (Default)

CIM XML transactions over HTTPS

Incoming and outgoing TCP


vCenter Single Sign-On HTTPS

8000 (Default)

Requests from vMotion

Incoming and outgoing TCP


AJP connector port for vCenter Server Appliance communication with Tomcat

Outgoing TCP

8100, 8200 (Default)

Traffic between hosts for vSphere Fault Tolerance (FT)

Incoming and outgoing TCP, UDP


Traffic between hosts for vSphere High Availability (HA)

Incoming and outgoing TCP, incoming and outgoing UDP


Used to allow a vCenter Server Appliance to communicate with the vSphere Web Client

Incoming and outgoing TCP


Remote console traffic generated by user access to virtual machines on a specific host.

vSphere Web Client HTTPS access to virtual machine consoles

Incoming TCP


vSphere Web Client HTTP access to ESXi hosts

Incoming TCP


vCenter Single Sign-On LDAP


vCenter Single Sign-On LDAPS


VMware Identity Management service

In addition to the TCP and UDP ports, you can configure other ports depending on your needs.