vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The topic "Required Ports for vCenter Server and Platform Services Controller" lists the ports that the installer opens as part of a default installation. Some additional ports are required for certain services, such as NTP, or for applications that are commonly installed with vCenter Server.

In addition to these ports, you can configure other ports depending on your needs.

Table 1. vCenter Server TCP and UDP Ports

| Port | Protocol | Description |
|---|---|---|
| 123 (UDP) | UDP | NTP Client. If you are deploying the vCenter Server Appliance on an ESXi host, the two must be time synchronized, usually through an NTP server, and the corresponding port must be open. |
| 135 | UDP | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked Mode and port 88 is used for Active Directory authentication. |
| 161 | UDP | SNMP Server. |
| 636 | TCP | vCenter Single Sign-On LDAPS (6.0 and later). |
| 8084, 9084, 9087 | TCP | Used by vSphere Update Manager. |
| 8109 | TCP | VMware Syslog Collector. This service is needed if you want to centralize log collection. |
| 15007, 15008 | TCP | vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use. |
| 31031, 44046 (Default) | TCP | vSphere Replication. |
| 5355 | UDP | The systemd-resolve process uses this port to resolve domain names, IPv4 and IPv6 addresses, DNS resource records and services. |

The following ports are used only internally.

Table 2. vCenter Server TCP and UDP Ports

| Port | Description |
|---|---|
| 5443 | vCenter Server graphical user interface internal port. |
| 5444, 5432 | Internal port for monitoring of vPostgreSQL. |
| 5090 | vCenter Server graphical user interface internal port. |
| 7080 | Secure Token Service internal port. |
| 7081 | Platform Services Controller internal port. |
| 8000 | ESXi Dump Collector internal port. |
| 8006 | Used for Virtual SAN health monitoring. |
| 8085 | Internal ports used by the vCenter service (vpxd) SDK. |
| 8095 | VMware vCenter services feed port. |
| 8098, 8099 | Used by VMware Image Builder Manager. |
| 8190, 8191, 22000, 22100, 21100 | VMware vSphere Profile-Driven Storage Service. |
| 8200, 8201, 5480 | Appliance management internal ports. |
| 8300, 8301 | Appliance management reserved ports. |
| 8900 | Monitoring API internal port. |
| 9090 | Internal port for vSphere Web Client. |
| 10080 | Inventory service internal port. |
| 10201 | Message Bus Configuration Service internal port. |
| 11080 | vCenter Server Appliance internal ports for HTTP and for splash screen. |
| 12721 | Secure Token Service internal port. |
| 12080 | License service internal port. |
| 12346, 12347, 4298 | Internal port for VMware Cloud Management SDKs (vAPI). |
| 13080, 6070 | Used internally by the Performance Charts service. |
| 14080 | Used internally by the syslog service. |
| 15005, 15006 | ESX Agent Manager internal port. |
| 16666, 16667 | Content Library ports. |
| 18090 | Content Manager internal port. |
| 18091 | Component Manager internal port. |

In addition, the vCenter Server Appliance uses ephemeral ports from 32768 through 60999 for vPostgres services.

The following ports are required between vCenter High Availability (VCHA) nodes.

Table 3. Firewall Port Requirement for VCHA Private IP

| Port | Protocol | Nodes | Description |
|---|---|---|---|
| 22 | TCP | Between all three nodes. Bidirectional. | System port for SSHD |
| 5432 | TCP | Between Primary and Secondary. Bidirectional. | Postgres |
| 8182 | TCP | Between all three nodes. Bidirectional. | Fault Domain Manager |
| 8182 | UDP | Between all three nodes. Bidirectional. | Fault Domain Manager |
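
A firewall rule export can be checked against the internal-only list in Table 2, the vPostgres ephemeral range, and the Table 3 exception that lets port 5432 cross the VCHA private network. The following is an added example, not VMware code; the rule format, the addresses and the VCHA private subnet are constructed assumptions.

```python
import ipaddress

# Ports that Table 2 lists as used only internally.
INTERNAL = {5443, 5444, 5432, 5090, 7080, 7081, 8000, 8006, 8085, 8095, 8098,
            8099, 8190, 8191, 22000, 22100, 21100, 8200, 8201, 5480, 8300,
            8301, 8900, 9090, 10080, 10201, 11080, 12721, 12080, 12346, 12347,
            4298, 13080, 6070, 14080, 15005, 15006, 16666, 16667, 18090, 18091}
EPH_LO, EPH_HI = 32768, 60999  # vPostgres ephemeral range stated on the page

# Constructed sample data: "<action> <proto> <source CIDR> <ports>" per line.
VCHA_NET = "192.168.50.0/29"   # assumed VCHA private subnet
SAMPLE_RULES = """
allow tcp 10.20.0.0/16 636
allow tcp 10.20.0.0/16 8000-8100
allow tcp 192.168.50.0/29 22,5432,8182
allow udp 192.168.50.0/29 8182
allow tcp 10.20.0.0/16 5432
allow tcp 0.0.0.0/0 30000-40000
deny tcp 0.0.0.0/0 1-65535
"""

def parse_ports(spec):
    """Turn '22,5432-5444' into [(22, 22), (5432, 5444)]."""
    spans = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        spans.append((int(lo), int(hi or lo)))
    return spans

def audit(rules, vcha_net):
    """Return (rule, reason, ports) for allow rules that expose internal ports."""
    vcha = ipaddress.ip_network(vcha_net)
    findings = []
    for line in rules.strip().splitlines():
        action, proto, src, spec = line.split()
        if action != "allow":
            continue
        from_vcha = ipaddress.ip_network(src).subnet_of(vcha)
        for lo, hi in parse_ports(spec):
            hit = sorted(p for p in INTERNAL if lo <= p <= hi)
            if from_vcha and proto == "tcp":
                # Table 3: Postgres 5432/TCP is required between VCHA nodes.
                hit = [p for p in hit if p != 5432]
            if hit:
                findings.append((line, "internal-only", hit))
            if lo <= EPH_HI and hi >= EPH_LO:  # overlap with ephemeral range
                findings.append((line, "vPostgres ephemeral range",
                                 [max(lo, EPH_LO), min(hi, EPH_HI)]))
    return findings
```

Calling `audit(SAMPLE_RULES, VCHA_NET)` flags the 8000-8100 range, the 5432 rule from outside the VCHA subnet, and the wide range that overlaps the ephemeral ports, while the VCHA rules pass.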