The vCenter Server system, both on Windows and in the appliance, must be able to send data to every managed host and receive data from the vSphere Client and the Platform Services Controller services. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.
vCenter Server is accessed through predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports. For the list of all supported ports and protocols in vCenter Server, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/.
During installation, if a port is in use or is blocked using a denylist, the vCenter Server installer displays an error message. You must use another port number to proceed with the installation.
VMware uses designated ports for communication. Also, the managed hosts monitor designated ports for data from vCenter Server. If a built-in firewall exists between any of these elements, the installer opens the ports during the installation or upgrade process. For custom firewalls, you must manually open the required ports. If you have a firewall between two managed hosts and you want to perform source or target activities, such as migration or cloning, you must configure a means for the managed hosts to receive data.
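A preflight check for the two failure cases described above (a port that is already in use on the machine being installed, and a custom firewall that blocks traffic between components), as an added example that is not VMware code. The function names and the sample port are constructed for illustration; take the real port list from the Ports and Protocols Tool.

```python
import errno
import socket

def local_port_state(port, host="127.0.0.1"):
    """Can a new service bind this TCP port? Returns 'free', 'in-use' or 'denied'."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        try:
            s.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in-use"   # another process already owns the port
            if exc.errno == errno.EACCES:
                return "denied"   # e.g. privileged port without sufficient rights
            raise
    return "free"

def remote_port_state(host, port, timeout=2.0):
    """Classify a TCP connect attempt to a peer.

    'open'     - a listener completed the handshake
    'refused'  - the host answered with a reset: reachable, nothing listening
    'filtered' - no answer before the timeout, typical of a firewall dropping packets
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError as exc:
        return "error: " + (exc.strerror or str(exc))

def preflight(local_ports, remote_targets, timeout=2.0):
    """Build one report for ports to bind locally and (host, port) pairs to reach."""
    report = {("local", p): local_port_state(p) for p in local_ports}
    for host, port in remote_targets:
        report[(host, port)] = remote_port_state(host, port, timeout)
    return report

if __name__ == "__main__":
    # Constructed sample values, not an official port list.
    for target, state in preflight([8443], [("127.0.0.1", 8443)]).items():
        print(target, state)
```

A `refused` result points at the service on the peer, while `filtered` points at a firewall rule on the path, which is the case that needs the manual port opening described above.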
To configure the vCenter Server system to use a different port to receive vSphere Client data, see the vCenter Server and Host Management documentation.
For more information about firewall configuration, see the vSphere Security documentation.