vCenter Server, ESXi hosts, and other network components are accessed using predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.
The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default). For an up to date list of ports of all vSphere components for the different versions of vSphere, see http://kb.vmware.com/kb/1012382.
|22||SSH Server (vSphere Client)||Incoming TCP|
|53 (Default)||DNS Client||Incoming and outgoing UDP|
|68 (Default)||DHCP Client||Incoming and outgoing UDP|
|80 (Default)|| HTTP access
vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server
WS-Management (also requires port 443 to be open)
Outgoing TCP, UDP
|88, 2013||Control interface RPC for Kerberos, used by vCenter Single Sign-On|
|111 (Default)||RPC service that is used for the NIS register by the vCenter Server Appliance||Incoming and outgoing TCP|
|123||NTP Client||Outgoing UDP|
|135 (Default)||For the vCenter Server Appliance, this port is designated for Active Directory authentication.
For a vCenter Server Windows installation, this port is used for Linked mode and port 88 is used for Active Directory authentication.
|Incoming and outgoing TCP|
|161 (Default)||SNMP Server||Incoming UDP|
|443 (Default)|| The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall.
The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.
This port is also used for the following services:
|427 (Default)||The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers.||Incoming and outgoing UDP|
|513 (Default)||vCenter Server Appliance used for logging activity||Incoming UDP|
The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.
Port 902 must not be blocked between the vSphere Client and the hosts. The vSphere Client uses this port to display virtual machine consoles.
|Incoming and outgoing TCP, outgoing UDP|
|903||Access a virtual machine console from the vSphere Client when the vSphere Client is connected directly to the ESXi host (no vCenter Server).
MKS transactions (xinetd/vmware-authd-mks)
|2012||Control interface RPC for vCenter Single Sign-On vmdir.|
|2014||RPC port for all VMCA (VMware Certificate Authority) APIs|
|2049|| Transactions from NFS storage devices
This port is used on the VMkernel interface.
|Incoming and outgoing TCP|
|31031 44046.(Default)||vSphere Replication||Outgoing TCP|
|3260||Transactions to iSCSI storage devices||Outgoing TCP|
|5900-5964||RFB protocol, which is used by management tools such as VNC||Incoming and outgoing TCP|
|5988 (Default)||CIM transactions over HTTP||Incoming TCP|
|5989 (Default)||CIM XML transactions over HTTPS||Incoming and outgoing TCP|
|7444||vCenter Single Sign-On HTTPS|
|8000 (Default)||Requests from vMotion||Incoming and outgoing TCP|
|8009||AJP connector port for vCenter Server Appliance communication with Tomcat||Outgoing TCP|
|8100, 8200 (Default)||Traffic between hosts for vSphere Fault Tolerance (FT)||Incoming and outgoing TCP, UDP|
|8182||Traffic between hosts for vSphere High Availability (HA)||Incoming and outgoing TCP, incoming and outgoing UDP|
|9009||Used to allow a vCenter Server Appliance to communicate with the vSphere Web Client||Incoming and outgoing TCP|
|9090||Remote console traffic generated by user access to virtual machines on a specific host.
vSphere Web Client HTTPS access to virtual machine consoles
vSphere Web Client HTTP access to ESXi hosts
|11711||vCenter Single Sign-On LDAP|
|11712||vCenter Single Sign-On LDAPS|
|12721||VMware Identity Management service|
In addition to the TCP and UDP ports, you can configure other ports depending on your needs.