vCenter Server, ESXi hosts, and other network components are accessed using predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default). For an up-to-date list of ports of all vSphere components for the different versions of vSphere, see http://kb.vmware.com/kb/1012382.

Table 1. TCP and UDP Ports

| Port | Purpose | Traffic Type |
|---|---|---|
| 22 | SSH Server (vSphere Client) | Incoming TCP |
| 53 (Default) | DNS Client | Incoming and outgoing UDP |
| 68 (Default) | DHCP Client | Incoming and outgoing UDP |
| 80 (Default) | HTTP access. vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open). | Incoming TCP; outgoing TCP, UDP |
| 88, 2013 | Control interface RPC for Kerberos, used by vCenter Single Sign-On | |
| 111 (Default) | RPC service that is used for the NIS register by the vCenter Server Appliance | Incoming and outgoing TCP |
| 123 | NTP Client | Outgoing UDP |
| 135 (Default) | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked mode and port 88 is used for Active Directory authentication. | Incoming and outgoing TCP |
| 161 (Default) | SNMP Server | Incoming UDP |
| 443 (Default) | The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); vSphere Client access to vSphere Update Manager; third-party network management client connections to vCenter Server; third-party network management clients access to hosts. | Incoming TCP |
| 427 (Default) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming and outgoing UDP |
| 513 (Default) | vCenter Server Appliance used for logging activity | Incoming UDP |
| 902 (Default) | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles. | Incoming and outgoing TCP, outgoing UDP |
| 903 | Access a virtual machine console from the vSphere Client when the vSphere Client is connected directly to the ESXi host (no vCenter Server). MKS transactions (xinetd/vmware-authd-mks). | Incoming TCP |
| 2012 | Control interface RPC for vCenter Single Sign-On vmdir. | |
| 2014 | RPC port for all VMCA (VMware Certificate Authority) APIs | |
| 2049 | Transactions from NFS storage devices. This port is used on the VMkernel interface. | Incoming and outgoing TCP |
| 31031, 44046 (Default) | vSphere Replication | Outgoing TCP |
| 3260 | Transactions to iSCSI storage devices | Outgoing TCP |
| 5900-5964 | RFB protocol, which is used by management tools such as VNC | Incoming and outgoing TCP |
| 5988 (Default) | CIM transactions over HTTP | Incoming TCP |
| 5989 (Default) | CIM XML transactions over HTTPS | Incoming and outgoing TCP |
| 7444 | vCenter Single Sign-On HTTPS | |
| 8000 (Default) | Requests from vMotion | Incoming and outgoing TCP |
| 8009 | AJP connector port for vCenter Server Appliance communication with Tomcat | Outgoing TCP |
| 8100, 8200 (Default) | Traffic between hosts for vSphere Fault Tolerance (FT) | Incoming and outgoing TCP, UDP |
| 8182 | Traffic between hosts for vSphere High Availability (HA) | Incoming and outgoing TCP, incoming and outgoing UDP |
| 9009 | Used to allow a vCenter Server Appliance to communicate with the vSphere Web Client | Incoming and outgoing TCP |
| 9090 | Remote console traffic generated by user access to virtual machines on a specific host. vSphere Web Client HTTPS access to virtual machine consoles. | Incoming TCP |
| 9443 | vSphere Web Client HTTP access to ESXi hosts | Incoming TCP |
| 11711 | vCenter Single Sign-On LDAP | |
| 11712 | vCenter Single Sign-On LDAPS | |
| 12721 | VMware Identity Management service | |

In addition to the TCP and UDP ports, you can configure other ports depending on your needs.
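When reconfiguring a firewall from Table 1, it helps to check that no rule is wider than the direction and protocol the table documents. The following is an added example, not VMware code: it parses the table's Traffic Type wording for a subset of rows and flags rules the table does not cover. The function names and the rule tuples are hypothetical, and it assumes a bare protocol after a comma ("TCP, UDP") inherits the directions named before it.

```python
import re

# Subset of Table 1 rows copied from this page: port spec -> Traffic Type text.
TABLE = {
    "123": "Outgoing UDP",
    "161": "Incoming UDP",
    "443": "Incoming TCP",
    "902": "Incoming and outgoing TCP, outgoing UDP",
    "5900-5964": "Incoming and outgoing TCP",
    "8100, 8200": "Incoming and outgoing TCP, UDP",
}

def parse_traffic(text):
    """Expand a Traffic Type cell into a set of (direction, protocol) pairs."""
    flows, dirs = set(), []
    for part in text.lower().split(","):
        words = re.findall(r"incoming|outgoing|tcp|udp", part)
        named = [w for w in words if w in ("incoming", "outgoing")]
        dirs = named or dirs  # assumption: no direction named -> inherit previous
        for proto in (w for w in words if w in ("tcp", "udp")):
            flows.update((d, proto) for d in dirs)
    return flows

def parse_ports(spec):
    """Expand a Port cell such as '8100, 8200' or '5900-5964' into port numbers."""
    ports = set()
    for item in spec.split(","):
        lo, _, hi = item.strip().partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports

def audit(rules, table=TABLE):
    """Return the (port, direction, protocol) rules the table does not document."""
    allowed = {}
    for spec, traffic in table.items():
        for port in parse_ports(spec):
            allowed.setdefault(port, set()).update(parse_traffic(traffic))
    return [r for r in rules if (r[1], r[2]) not in allowed.get(r[0], set())]

# Constructed firewall rules for illustration, not taken from a real system.
RULES = [
    (443, "incoming", "tcp"), (902, "outgoing", "udp"), (123, "incoming", "udp"),
    (161, "incoming", "tcp"), (5901, "outgoing", "tcp"), (8200, "outgoing", "udp"),
    (23, "incoming", "tcp"),
]

if __name__ == "__main__":
    for port, direction, proto in audit(RULES):
        print(f"not documented in Table 1 subset: {direction} {proto}/{port}")
```

A flagged rule is either an allowance to tighten or a port that belongs to a row not loaded into `TABLE`.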