When you run the TLS Configurator utility in the vSphere environment, you can disable TLS across ports that use TLS on vCenter Server, Platform Services Controller, and ESXi hosts. You can disable TLS 1.0 or both TLS 1.0 and TLS 1.1.
vCenter Server and ESXi use ports that can be enabled or disabled for TLS protocols. The TLS Configuration utility scan option displays which versions of TLS are enabled for each service. See Scan vCenter Server for Enabled TLS Protocols.
For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.
Notes and Caveats
- You can reconfigure the following services only on the vCenter Server Appliance.
- VMware Syslog Collector
- VMware Appliance Management Interface
- vSphere Update Manager Service
- On vCenter Server on Windows, you reconfigure the TLS for Update Manager ports by editing configuration files. See Enable or Disable TLS Versions on vSphere Update Manager on Windows.
- Starting with vSphere 6.7, you can use TLS 1.2 to encrypt the connection between vCenter Server and an external Microsoft SQL Server. You cannot use a TLS 1.2 only connection to an external Oracle database. See VMware Knowledge Base article 2149745.
- Do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
- If you change the TLS protocols, you must restart the ESXi host to apply the changes. You must restart the host even if you apply the changes through cluster configuration by using host profiles. You can choose to restart the host immediately, or postpone the restart to a more convenient time.