When you run the TLS Configurator utility in the vSphere environment, you can disable TLS versions across ports that use TLS on vCenter Server, Platform Services Controller, and ESXi hosts. You can disable TLS 1.0 or both TLS 1.0 and TLS 1.1.
vCenter Server and ESXi use ports that can be enabled or disabled for TLS protocols.
For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.
On the vCenter Server Appliance, vSphere Update Manager is on the same system as vCenter Server. On vCenter Server on Windows, you configure TLS by editing configuration files. See Disable TLS Versions on vSphere Update Manager.
Notes and Caveats
- Ensure that the legacy ESXi hosts that are managed by vCenter Server support an enabled version of TLS, either TLS 1.1 and TLS 1.2 or only TLS 1.2. When you disable a TLS version on vCenter Server 6.5, vCenter Server can no longer manage legacy ESXi 5.x and 6.0 hosts. Upgrade these hosts to versions that support TLS 1.1 or TLS 1.2.
- You can use a TLS 1.2-only connection to an external Microsoft SQL Server or an external Oracle database.
- Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
- Under the following circumstances, you have to restart host services after applying TLS configuration changes:
  - If you apply the changes to the ESXi host directly.
  - If you apply the changes through cluster configuration by using host profiles.
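
The first caveat above can be checked before you disable a version by probing which TLS versions each managed host accepts. The following Python sketch is an added example, not part of the TLS Configurator utility or of VMware's tooling; the host names, port 443, and the function names `probe` and `unmanageable_after` are assumptions made for illustration.

```python
import socket
import ssl

VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, name, timeout=5.0):
    """Offer exactly one TLS version; return 'accepted', 'rejected',
    'unreachable' or 'client-unsupported'."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # protocol probe only: no data is sent,
    ctx.verify_mode = ssl.CERT_NONE  # so no trust decision is made here
    try:
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # lets OpenSSL 3.x offer TLS 1.0/1.1
        ctx.minimum_version = ctx.maximum_version = VERSIONS[name]
    except (ValueError, ssl.SSLError):
        return "client-unsupported"  # the local OpenSSL build cannot speak this version
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return "unreachable"
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host):
                return "accepted"
        except OSError:  # ssl.SSLError, resets and timeouts during the handshake
            return "rejected"

def unmanageable_after(results, keep):
    """Hosts that accept none of the versions in `keep`, i.e. hosts that could
    no longer be reached once only those versions stay enabled.
    results: {host: {version_name: probe() status}}"""
    return sorted(h for h, r in results.items()
                  if not any(r.get(v) == "accepted" for v in keep))

if __name__ == "__main__":
    # Constructed results. Against a real inventory (port 443 assumed):
    #   {h: {v: probe(h, 443, v) for v in VERSIONS} for h in hosts}
    sample = {
        "esxi-legacy.example": {"TLSv1.0": "accepted", "TLSv1.1": "rejected",
                                "TLSv1.2": "rejected"},
        "esxi-current.example": {"TLSv1.0": "accepted", "TLSv1.1": "accepted",
                                 "TLSv1.2": "accepted"},
    }
    print(unmanageable_after(sample, ["TLSv1.1", "TLSv1.2"]))
```

A host reported by `unmanageable_after` either accepts only versions you plan to disable or did not answer the probe, so review it before changing the vCenter Server configuration.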