vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default). For an up-to-date list of ports of all vSphere components for the different versions of vSphere, see VMware Knowledge Base Article 1012382.

Table 1. vCenter Server TCP and UDP Ports

| Port | Purpose |
| --- | --- |
| 80 (Default) | HTTP access. vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open) |
| 88, 2013 | Control interface RPC for Kerberos, used by vCenter Single Sign-On. |
| 123 | NTP Client |
| 135 (Default) | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked mode and port 88 is used for Active Directory authentication. |
| 161 (Default) | SNMP Server. This is the default port on both an ESXi host and a vCenter Server Appliance. |
| 389 | vCenter Single Sign-On LDAP (6.0 and later) |
| 636 | vCenter Single Sign-On LDAPS (6.0 and later) |
| 443 (Default) | vCenter Server systems use port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); Third-party network management client connections to vCenter Server; Third-party network management clients access to hosts |
| 2012 | RPC port for VMware Directory Service (vmdir). |
| 2014 | RPC port for VMware Certificate Authority (VMCA) service. |
| 2020 | RPC port for VMware Authentication Framework Service (vmafd). |
| 31031, 44046 (Default) | vSphere Replication |
| 7444 | vCenter Single Sign-On HTTPS. |
| 8093 | The Client Integration Plug-in uses a local loopback hostname, and uses port 8093 and random ports in the range 50100 to 60099. The Client Integration Plug-in uses port 8093 only for local communication. The port can remain blocked by the firewall. |
| 8109 | VMware Syslog Collector. |
| 9443 | vSphere Web Client HTTP access to ESXi hosts. |
| 10080 | Inventory service. |
| 11711 | vCenter Single Sign-On LDAP (environments that are upgraded from vSphere 5.5) |
| 11712 | vCenter Single Sign-On LDAPS (environments that are upgraded from vSphere 5.5) |
| 12721 | VMware Identity Management service. |
| 15005 | ESX Agent Manager (EAM). An ESX Agent can be a virtual machine or an optional VIB. The agent extends the functions of an ESXi host to provide additional services that a vSphere solution such as NSX-v or vRealize Automation requires. |
| 15007 | vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use. |
| 50100-60099 | The Client Integration Plug-in uses a local loopback hostname, and uses port 8093 and random ports in the range 50100 to 60099. The Client Integration Plug-in uses this port range only for local communication. The port can remain blocked by the firewall. |

In addition to these ports, you can configure other ports depending on your needs.
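
The following Python script is an added example, not part of the VMware documentation. It audits a firewall allow list against Table 1 and flags rules that open the loopback-only Client Integration Plug-in ports, the on-demand vService Manager port, or ports the table does not list. The rule format `allow <proto> <port|range>` and the sample rules are constructed assumptions; only the port numbers come from the table.

```python
# Port sets taken from Table 1 on this page. The rule format is hypothetical.
LOCAL_ONLY = {8093, *range(50100, 60100)}  # Client Integration Plug-in, loopback only
ON_DEMAND = {15007}                        # vService Manager, only if extensions need it
DOCUMENTED = {80, 88, 123, 135, 161, 389, 443, 636, 2012, 2013, 2014, 2020,
              7444, 8109, 9443, 10080, 11711, 11712, 12721, 15005,
              31031, 44046} | LOCAL_ONLY | ON_DEMAND


def parse_ports(spec):
    """Expand '443' or '50100-60099' into a set of port numbers."""
    lo, _, hi = spec.partition("-")
    lo, hi = int(lo), int(hi or lo)
    if not 0 < lo <= hi <= 65535:
        raise ValueError(f"bad port spec: {spec!r}")
    return set(range(lo, hi + 1))


def audit(rules):
    """Return (rule, finding) pairs for allow rules that deserve review."""
    findings = []
    for rule in rules:
        fields = rule.split()
        try:
            if len(fields) != 3 or fields[0] != "allow":
                raise ValueError(rule)
            ports = parse_ports(fields[2])
        except ValueError:
            findings.append((rule, "unparsed rule"))
            continue
        if ports & LOCAL_ONLY:
            findings.append((rule, "loopback-only port; can stay blocked"))
        if ports & ON_DEMAND:
            findings.append((rule, "open only if an extension requires it"))
        if ports - DOCUMENTED:
            findings.append((rule, "includes ports not in Table 1"))
    return findings


# Constructed sample rules; a wide range can silently cover port 8093.
SAMPLE_RULES = ["allow tcp 443", "allow tcp 80", "allow tcp 8093",
                "allow tcp 15007", "allow tcp 8000-8100", "allow udp 161"]

if __name__ == "__main__":
    for rule, finding in audit(SAMPLE_RULES):
        print(f"{rule:22} {finding}")
```

A rule flagged as "includes ports not in Table 1" is a prompt for review rather than an error, since additional ports can be configured as needed.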