The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses.

The following table lists the firewalls for services that are installed by default. If you install other VIBs on your host, additional services and firewall ports might become available. The information is primarily for services that are visible in the vSphere Web Client but the table includes some other ports as well.

Table 1. Incoming Firewall Connections
Port Protocol Service Description
5988 TCP CIM Server Server for CIM (Common Information Model).
5989 TCP CIM Secure Server Secure server for CIM.
427 TCP, UDP CIM SLP The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers.
546 DHCPv6 DHCP client for IPv6.
8301, 8302 UDP DVSSync DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open.
902 TCP NFC Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default.
12345, 23451 UDP vSANClustering Service VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work.
68 UDP DHCP Client DHCP client for IPv4.
53 UDP DNS Client DNS client.
8200, 8100, 8300 TCP, UDP Fault Tolerance Traffic between hosts for vSphere Fault Tolerance (FT).
6999 UDP NSX Distributed Logical Router Service NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open.

This service was called NSX Distributed Logical Router in earlier versions of the product.

2233 TCP vSAN Transport vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work.
161 UDP SNMP Server Allows the host to connect to an SNMP server.
22 TCP SSH Server Required for SSH access.
8000 TCP vMotion Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic.
902, 443 TCP vSphere Web Client Client connections
8080 TCP vsanvp vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work.
80 TCP vSphere Web Access Welcome page, with download links for different interfaces.
5900 -5964 TCP RFB protocol
80, 9000 TCP vSphere Update Manager
Table 2. Outgoing Firewall Connections
Port Protocol Service Description
427 TCP, UDP CIM SLP The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers.
547 TCP, UDP DHCPv6 DHCP client for IPv6.
8301, 8302 UDP DVSSync DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open.
44046, 31031 TCP HBR Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager.
902 TCP NFC Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default.
9 UDP WOL Used by Wake on LAN.
12345 23451 UDP vSAN Clustering Service Cluster Monitoring, Membership, and Directory Service used by vSAN.
68 UDP DHCP Client DHCP client.
53 TCP, UDP DNS Client DNS client.
80, 8200, 8100, 8300 TCP, UDP Fault Tolerance Supports VMware Fault Tolerance.
3260 TCP Software iSCSI Client Supports software iSCSI.
6999 UDP NSX Distributed Logical Router Service The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open.
5671 TCP rabbitmqproxy A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain.

The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up.

2233 TCP vSAN Transport Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes.
8000 TCP vMotion Required for virtual machine migration with vMotion.
902 UDP VMware vCenter Agent vCenter Server agent.
8080 TCP vsanvp Used for vSAN Vendor Provider traffic.
9080 TCP I/O Filter Service Used by the I/O Filters storage feature
Table 3. Firewall Ports for Services That Are Not Visible in the UI by Default
Port Protocol Service Comment
5900 -5964 TCP RFB protocol The RFB protocol is a simple protocol for remote access to graphical user interfaces.
8889 TCP OpenWSMAN Daemon Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and Web services.