When you run the TLS Configurator utility in the vSphere environment, you can disable TLS across ports that use TLS on vCenter Server, Platform Services Controller, and ESXi hosts. You can disable TLS 1.0 or both TLS 1.0 and TLS 1.1.

The following table lists the ports. If a port is not included, the utility does not affect it.
Table 1. vCenter Server and Platform Services Controller Affected by the TLS Configurator Utility

| Service | Windows-based vCenter Server | vCenter Server Virtual Appliance | Port |
|---|---|---|---|
| VMware HTTP Reverse Proxy | rhttpproxy | vmware-rhttpproxy | 443 |
| VMware vCenter Server Service | vpxd | vmware-vpxd | 443 |
| VMware Directory Service | VMWareDirectoryService | vmdird | 636 |
| VMware Syslog Collector | vmwaresyslogcollector | rsyslogd (*) | 1514 |
| VMware Appliance Management Interface | N.A. | vami-lighttp (*) | 5480 |
| vSphere Auto Deploy Waiter | vmware-autodeploy-waiter | vmware-rbd-watchdog | 6501, 6502 |
| VMware Secure Token Service | VMwareSTS | vmware-stsd | 7444 |
| vSphere Authentication Proxy | VMWareCAMService | vmcam | 7475, 7476 |
| vSphere Update Manager Service | vmware-ufad-vci | vmware-updatemgr (*) | 8084, 9087 |
| vSphere Web Client | vspherewebclientsvc | vsphere-client | 9443 |
| VMware vSphere Profile-Driven Storage Service | vimPBSM | vmware-sps | Random port greater than 1024 |

(*) You can reconfigure these services only on vCenter Server Virtual Appliance. On vCenter Server on Windows, you reconfigure TLS for Update Manager ports by editing configuration files. See Enable or Disable TLS Versions on vSphere Update Manager on Windows.

Table 2. ESXi Ports Affected by the TLS Configurator Utility

| Service | Service Name | Port |
|---|---|---|
| VMware HTTP Reverse Proxy and Host Daemon | Hostd | 443 |
| VMware vSAN VASA Vendor Provider | vSANVP | 8080 |
| VMware Fault Domain Manager | FDM | 8182 |
| VMware vSphere API for IO Filters | ioFilterVPServer | 9080 |
| ESXi WBEM Service | sfcbd-watchdog | 5989 |
| ESXi vVold Client Service | vvold | Random port greater than 1024 |

Notes and Caveats

  • Starting with vSphere 6.7, you can use TLS 1.2 to encrypt the connection between vCenter Server and an external Microsoft SQL Server. You cannot use a TLS 1.2 only connection to an external Oracle database. See VMware Knowledge Base article 2149745.
  • Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
  • If you change the TLS protocols, you must restart the ESXi host to apply the changes. You must restart the host even if you apply the changes through cluster configuration by using host profiles. You can choose to restart the host immediately, or postpone the restart to a more convenient time.
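
To confirm the result once the utility has run and the services or hosts have restarted, the fixed ports from Table 1 and Table 2 can be probed with one handshake per protocol version. The following Python script is an added example, not VMware code; the function names are hypothetical, and it assumes the local OpenSSL build still permits TLS 1.0 and TLS 1.1 client handshakes.

```python
import socket
import ssl

# Fixed ports from Table 1 and Table 2; the random ports (>1024) are omitted.
VCENTER_PORTS = (443, 636, 1514, 5480, 6501, 6502, 7444, 7475, 7476, 8084, 9087, 9443)
ESXI_PORTS = (443, 5989, 8080, 8182, 9080)
VERSIONS = {"TLSv1.0": ssl.TLSVersion.TLSv1, "TLSv1.1": ssl.TLSVersion.TLSv1_1,
            "TLSv1.2": ssl.TLSVersion.TLSv1_2}

def probe(host, port, version, timeout=3.0):
    """True if a handshake at exactly `version` succeeds, False if it is
    refused, None if the port cannot be reached at all."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # only the protocol version is under test,
    ctx.verify_mode = ssl.CERT_NONE     # not the certificate chain
    ctx.set_ciphers("ALL:@SECLEVEL=0")  # OpenSSL 3 refuses TLS 1.0/1.1 otherwise
    ctx.minimum_version = VERSIONS[version]
    ctx.maximum_version = VERSIONS[version]
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    try:
        with ctx.wrap_socket(raw, server_hostname=host):
            return True
    except OSError:                     # ssl.SSLError is a subclass of OSError
        return False
    finally:
        raw.close()

def scan(host, ports):
    """Probe every listed port at every version: {port: {version: result}}."""
    return {p: {v: probe(host, p, v) for v in VERSIONS} for p in ports}

def violations(observed, disabled=("TLSv1.0", "TLSv1.1")):
    """(port, version) pairs where a version meant to be disabled still answers."""
    return sorted((p, v) for p, res in observed.items()
                  for v in disabled if res.get(v) is True)

def broken(observed):
    """Reachable ports that no longer accept TLS 1.2."""
    return sorted(p for p, res in observed.items() if res.get("TLSv1.2") is False)

if __name__ == "__main__":
    # Constructed sample results; replace with scan("<your-host>", ESXI_PORTS).
    sample = {443: {"TLSv1.0": False, "TLSv1.1": True, "TLSv1.2": True}}
    print(violations(sample), broken(sample))
```

Pass `disabled=("TLSv1.0",)` to `violations` when only TLS 1.0 was turned off. A result of `False` for every version on a port usually means the probing machine's OpenSSL was built without the older protocols, so run the check from a client that still supports them.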