When you run the TLS Configurator utility in the vSphere environment, you can disable TLS 1.0, or both TLS 1.0 and TLS 1.1, on the ports that use TLS on vCenter Server, Platform Services Controller, and ESXi hosts.

The following tables list the affected ports. If a port is not listed, the utility does not change its TLS settings.

Table 1. vCenter Server and Platform Services Controller Ports Affected by the TLS Configurator Utility

Service                               Name on Windows             Name on Linux          Port
VMware HTTP Reverse Proxy             rhttpproxy                  vmware-rhttpproxy      443
VMware Directory Service              VMWareDirectoryService      vmdird                 636
VMware Syslog Collector (*)           vmwaresyslogcollector (*)   rsyslogd               1514
vSphere Auto Deploy Waiter            vmware-autodeploy-waiter    vmware-rbd-watchdog    6501, 6502
VMware Secure Token Service           VMwareSTS                   vmware-stsd            7444
vSphere Update Manager Service (**)   vmware-ufad-vci (**)        vmware-updatemgr       8084, 9087
vSphere Web Client                    vspherewebclientsvc         vsphere-client         9443
VMware Directory Service              VMWareDirectoryService      vmdird                 11712

(*) For these services, the enabled TLS versions are controlled by the cipher list, so per-version management is not possible. The only supported states are TLS 1.2 only or all TLS 1.x versions.

(**) On the vCenter Server Appliance, vSphere Update Manager is on the same system as vCenter Server. On vCenter Server on Windows, you configure TLS by editing configuration files. See Disable TLS Versions on vSphere Update Manager.

Table 2. ESXi Ports Affected by the TLS Configurator Utility

Service                                      Service Name        Port
VMware HTTP Reverse Proxy and Host Daemon    Hostd               443
VMware vSAN VASA Vendor Provider             vSANVP              8080
VMware Fault Domain Manager                  FDM                 8182
VMware vSphere API for IO Filters            ioFilterVPServer    9080
VMware Authorization Daemon                  vmware-authd        902

Notes and Caveats

  • Ensure that any legacy ESXi hosts managed by vCenter Server support a TLS version that remains enabled, either TLS 1.1 and TLS 1.2, or TLS 1.2 only. After you disable a TLS version on vCenter Server 6.5, vCenter Server can no longer manage ESXi 5.x and 6.0 hosts. Upgrade these hosts to versions that support TLS 1.1 or TLS 1.2.

  • You cannot use a TLS 1.2 only connection to an external Microsoft SQL Server or an external Oracle database.

  • Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows Server 2008 supports only TLS 1.0. See the Microsoft TechNet article TLS/SSL Settings in the Server Roles and Technologies Guide.

  • Under the following circumstances, you must restart host services after applying TLS configuration changes:

    • If you apply the changes to the ESXi host directly.

    • If you apply the changes through cluster configuration by using host profiles.