The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses.

The following tables list the firewall ports for services that are usually installed. If you install other VIBs on your host, additional services and firewall ports might become available. The information is primarily for services that are visible in the vSphere Web Client, but the tables include some other ports as well.

Table 1. Incoming Firewall Connections

| Port | Protocol | Service | Description |
|---|---|---|---|
| 5988 | TCP | CIM Server | Server for CIM (Common Information Model). |
| 5989 | TCP | CIM Secure Server | Secure server for CIM. |
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 546 | | DHCPv6 | DHCP client for IPv6. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 12345, 23451 | UDP | Virtual SAN Clustering Service | Virtual SAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute Virtual SAN metadata to all cluster members. If disabled, Virtual SAN does not work. |
| 68 | UDP | DHCP Client | DHCP client for IPv4. |
| 53 | UDP | DNS Client | DNS client. |
| 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 2233 | TCP | Virtual SAN Transport | Virtual SAN reliable datagram transport. Uses TCP and is used for Virtual SAN storage IO. If disabled, Virtual SAN does not work. |
| 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. |
| 22 | TCP | SSH Server | Required for SSH access. |
| 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. |
| 902, 443 | TCP | vSphere Web Client | Client connections. |
| 8080 | TCP | vsanvp | VSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance. If disabled, Virtual SAN Storage Profile Based Management (SPBM) does not work. |
| 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. |
| 5900-5964 | TCP | RFB protocol | |
| 80, 9000 | TCP | vSphere Update Manager | |

Table 2. Outgoing Firewall Connections

| Port | Protocol | Service | Description |
|---|---|---|---|
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 547 | TCP, UDP | DHCPv6 | DHCP client for IPv6. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 9 | UDP | WOL | Used by Wake on LAN. |
| 12345, 23451 | UDP | Virtual SAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by Virtual SAN. |
| 68 | UDP | DHCP Client | DHCP client. |
| 53 | TCP, UDP | DNS Client | DNS client. |
| 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. |
| 3260 | TCP | Software iSCSI Client | Supports software iSCSI. |
| 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. |
| 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host that allows applications running inside virtual machines to communicate with the AMQP brokers running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. The proxy connects to the brokers in the vCenter network domain. Therefore, the outgoing connection IP addresses should at least include the brokers currently in use and any future brokers. Brokers can be added if the customer wants to scale up. |
| 2233 | TCP | Virtual SAN Transport | Used for RDT traffic (unicast peer-to-peer communication) between Virtual SAN nodes. |
| 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. |
| 902 | UDP | VMware vCenter Agent | vCenter Server agent. |
| 8080 | TCP | vsanvp | Used for Virtual SAN Vendor Provider traffic. |
| 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature. |

Table 3. Firewall Ports for Services that Are Not Visible in the UI By Default

| Port | Protocol | Service | Comment |
|---|---|---|---|
| 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. |
| 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. |
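One way to put the tables above to work is an audit that reads a host's firewall ruleset state and checks it against the rules the page states: DVSSync and Fault Tolerance ports only need to be open on hosts that use FT, the Virtual SAN ports must stay open where Virtual SAN is in use, and management services such as SSH can be limited to selected source IP addresses rather than any client. The following Python is an added example and not VMware's code; the esxcli ruleset ids (sshServer, DVSSync, vsanvp, and so on), the column layout assumed for the two esxcli listings, and the feature names are assumptions made for this example, and the two output samples are constructed rather than captured from a real host.

```python
"""Audit an ESXi host firewall against the port reference on this page.

Added example, not VMware code. The ruleset ids, the layout assumed for
the esxcli output, and the feature names are assumptions; the two output
samples at the bottom are constructed.
"""
from dataclasses import dataclass

# Services from Tables 1 and 2, keyed by the ruleset id assumed for each.
# feature:  the feature whose use justifies the ruleset (None = general use).
# restrict: True for management services that can be limited to selected
#           source IP addresses instead of accepting any client.
SERVICES = {
    "sshServer":      {"ports": "22/TCP",                 "feature": "ssh",     "restrict": True},
    "CIMHttpServer":  {"ports": "5988/TCP",               "feature": "cim",     "restrict": True},
    "CIMHttpsServer": {"ports": "5989/TCP",               "feature": "cim",     "restrict": True},
    "CIMSLP":         {"ports": "427/TCP,UDP",            "feature": "cim",     "restrict": False},
    "DVSSync":        {"ports": "8301,8302/UDP",          "feature": "ft",      "restrict": False},
    "faultTolerance": {"ports": "8100,8200,8300/TCP,UDP", "feature": "ft",      "restrict": False},
    "vMotion":        {"ports": "8000/TCP",               "feature": "vmotion", "restrict": True},
    "vsanvp":         {"ports": "8080/TCP",               "feature": "vsan",    "restrict": False},
    "vSphereClient":  {"ports": "902,443/TCP",            "feature": None,      "restrict": True},
}

@dataclass(frozen=True)
class Finding:
    ruleset: str
    kind: str    # "unneeded", "unrestricted" or "required"
    detail: str

def parse_ruleset_list(text):
    """Parse 'esxcli network firewall ruleset list' output (assumed layout:
    header line, dashed line, then '<name> <true|false>' rows)."""
    enabled = {}
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) == 2:
            enabled[parts[0]] = parts[1].lower() == "true"
    return enabled

def parse_allowed_ip_list(text):
    """Parse 'esxcli network firewall ruleset allowedip list' output
    (assumed layout: '<name> <All | comma-separated addresses>' rows)."""
    allowed = {}
    for line in text.splitlines()[2:]:
        parts = line.split(None, 1)
        if len(parts) == 2:
            allowed[parts[0]] = [ip.strip() for ip in parts[1].split(",")]
    return allowed

def audit(enabled, allowed, features_in_use):
    """Apply the page's rules: close what the host does not need, restrict
    management services left open to any source, and flag required
    services (for example Virtual SAN) that are disabled."""
    findings = []
    for rid, svc in SERVICES.items():
        on = enabled.get(rid, False)
        needed = svc["feature"] is None or svc["feature"] in features_in_use
        # A ruleset missing from the allowedip output is assumed to allow all.
        sources = allowed.get(rid, ["All"])
        if on and not needed:
            findings.append(Finding(rid, "unneeded",
                f"{svc['ports']} open but '{svc['feature']}' is not in use"))
        elif on and svc["restrict"] and sources == ["All"]:
            findings.append(Finding(rid, "unrestricted",
                f"{svc['ports']} accepts connections from any source IP"))
        elif not on and needed and svc["feature"] is not None:
            findings.append(Finding(rid, "required",
                f"{svc['ports']} closed although '{svc['feature']}' is in use"))
    return findings

def remediation(findings, mgmt_cidr="<MANAGEMENT-CIDR>"):
    """Map findings to esxcli commands; mgmt_cidr is a placeholder to fill in."""
    cmds = []
    for f in findings:
        base = f"esxcli network firewall ruleset set --ruleset-id={f.ruleset}"
        if f.kind == "unneeded":
            cmds.append(f"{base} --enabled=false")
        elif f.kind == "required":
            cmds.append(f"{base} --enabled=true")
        else:
            cmds.append(f"{base} --allowed-all=false")
            cmds.append("esxcli network firewall ruleset allowedip add "
                        f"--ruleset-id={f.ruleset} --ip-address={mgmt_cidr}")
    return cmds

# Constructed sample output; FT is not in use on this host.
RULESET_LIST = """\
Name                     Enabled
-----------------------  -------
sshServer                   true
CIMHttpServer               true
CIMHttpsServer              true
CIMSLP                      true
DVSSync                     true
faultTolerance             false
vMotion                     true
vsanvp                     false
vSphereClient               true
"""
ALLOWED_IP_LIST = """\
Ruleset          Allowed IP Addresses
---------------  --------------------
sshServer        All
CIMHttpServer    All
CIMHttpsServer   All
vMotion          10.0.20.0/24
vSphereClient    10.0.10.0/24, 10.0.11.5
"""
FEATURES_IN_USE = {"ssh", "cim", "vmotion", "vsan"}

def run_sample():
    return audit(parse_ruleset_list(RULESET_LIST),
                 parse_allowed_ip_list(ALLOWED_IP_LIST), FEATURES_IN_USE)

if __name__ == "__main__":
    found = run_sample()
    for f in found:
        print(f"{f.kind:12} {f.ruleset:15} {f.detail}")
    print("\n".join(remediation(found)))
```

On the constructed sample the audit reports SSH and both CIM servers as open to any source, DVSSync as open on a host that does not use FT, and vsanvp as closed on a host that does use Virtual SAN; the emitted esxcli lines are a starting point to review, with the management CIDR placeholder filled in before use.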