vCenter Server, ESXi hosts, and other network components are accessed using predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default). For an up to date list of ports of all vSphere components for the different versions of vSphere, see http://kb.vmware.com/kb/1012382.

Table 1. TCP and UDP Ports
Port Purpose Traffic Type
22 SSH Server (vSphere Client) Incoming TCP
53 (Default) DNS Client Incoming and outgoing UDP
68 (Default) DHCP Client Incoming and outgoing UDP
80 (Default) HTTP access

vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server

WS-Management (also requires port 443 to be open)

Incoming TCP

Outgoing TCP, UDP

88, 2013 Control interface RPC for Kerberos, used by vCenter Single Sign-On
111 (Default) RPC service that is used for the NIS register by the vCenter Server Appliance Incoming and outgoing TCP
123 NTP Client Outgoing UDP
135 (Default) For the vCenter Server Appliance, this port is designated for Active Directory authentication.

For a vCenter Server Windows installation, this port is used for Linked mode and port 88 is used for Active Directory authentication.

Incoming and outgoing TCP
161 (Default) SNMP Server Incoming UDP
443 (Default) The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall.

The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.

This port is also used for the following services:
  • WS-Management (also requires port 80 to be open)
  • vSphere Client access to vSphere Update Manager
  • Third-party network management client connections to vCenter Server
  • Third-party network management clients access to hosts

Incoming TCP
427 (Default) The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. Incoming and outgoing UDP
513 (Default) vCenter Server Appliance used for logging activity Incoming UDP
902 (Default)

The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.

Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles.

Incoming and outgoing TCP, outgoing UDP
903 Access a virtual machine console from the vSphere Client when the vSphere Client is connected directly to the ESXi host (no vCenter Server).

MKS transactions (xinetd/vmware-authd-mks)

Incoming TCP
2012 Control interface RPC for vCenter Single Sign-On vmdir.
2014 RPC port for all VMCA (VMware Certificate Authority) APIs
2049 Transactions from NFS storage devices

This port is used on the VMkernel interface.

Incoming and outgoing TCP
31031 44046.(Default) vSphere Replication Outgoing TCP
3260 Transactions to iSCSI storage devices Outgoing TCP
5900-5964 RFB protocol, which is used by management tools such as VNC Incoming and outgoing TCP
5988 (Default) CIM transactions over HTTP Incoming TCP
5989 (Default) CIM XML transactions over HTTPS Incoming and outgoing TCP
7444 vCenter Single Sign-On HTTPS
8000 (Default) Requests from vMotion Incoming and outgoing TCP
8009 AJP connector port for vCenter Server Appliance communication with Tomcat Outgoing TCP
8100, 8200 (Default) Traffic between hosts for vSphere Fault Tolerance (FT) Incoming and outgoing TCP, UDP
8182 Traffic between hosts for vSphere High Availability (HA) Incoming and outgoing TCP, incoming and outgoing UDP
9009 Used to allow a vCenter Server Appliance to communicate with the vSphere Web Client Incoming and outgoing TCP
9090 Remote console traffic generated by user access to virtual machines on a specific host.

vSphere Web Client HTTPS access to virtual machine consoles

Incoming TCP
9443

vSphere Web Client HTTP access to ESXi hosts

Incoming TCP
11711 vCenter Single Sign-On LDAP
11712 vCenter Single Sign-On LDAPS
12721 VMware Identity Management service

In addition to the TCP and UDP ports, you can configure other ports depending on your needs.