The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses.
The following table lists the firewalls for services that are installed by default. If you install other VIBs on your host, additional services and firewall ports might become available. The information is primarily for services that are visible in the vSphere Web Client but the table includes some other ports as well.
| Port | Protocol | Service | Description |
|---|---|---|---|
| 5988 | TCP | CIM Server | Server for CIM (Common Information Model). |
| 5989 | TCP | CIM Secure Server | Secure server for CIM. |
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 546 | DHCPv6 | DHCP client for IPv6. | |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 12345, 23451 | UDP | vSANClustering Service | VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work. |
| 68 | UDP | DHCP Client | DHCP client for IPv4. |
| 53 | UDP | DNS Client | DNS client. |
| 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 2233 | TCP | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. |
| 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. |
| 22 | TCP | SSH Server | Required for SSH access. |
| 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. |
| 902, 443 | TCP | vSphere Web Client | Client connections |
| 8080 | TCP | vsanvp | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work. |
| 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. |
| 5900 -5964 | TCP | RFB protocol | |
| 80, 9000 | TCP | vSphere Update Manager | |
| 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature |
| Port | Protocol | Service | Description |
|---|---|---|---|
| 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 547 | TCP, UDP | DHCPv6 | DHCP client for IPv6. |
| 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. |
| 9 | UDP | WOL | Used by Wake on LAN. |
| 12345 23451 | UDP | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 68 | UDP | DHCP Client | DHCP client. |
| 53 | TCP, UDP | DNS Client | DNS client. |
| 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. |
| 3260 | TCP | Software iSCSI Client | Supports software iSCSI. |
| 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. |
| 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. |
| 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. |
| 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. |
| 902 | UDP | VMware vCenter Agent | vCenter Server agent. |
| 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. |
| Port | Protocol | Service | Comment |
|---|---|---|---|
| 5900 -5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. |
| 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and Web services. |
