The vCenter Server system must be able to send data to every managed host and receive data from the vSphere Client. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.

If a port is in use or is blocked using a denylist, the vCenter Server installer displays an error message. You must use another port number to proceed with the installation. There are internal ports that are used only for inter-process communication.

VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for data from vCenter Server. If a built-in firewall exists between any of these elements, the installer opens the ports during the installation or upgrade process. For custom firewalls, you must manually open the required ports. If you have a firewall between two managed hosts and you want to perform source or target activities, such as migration or cloning, you must configure a means for the managed hosts to receive data.

To configure the vCenter Server system to use a different port to receive vSphere Client data, see the vCenter Server and Host Management documentation.

Table 1. Ports Required for Communication Between Components

| Port | Protocol | Description | Used for Node-to-Node Communication |
|---|---|---|---|
| 22 | TCP | System port for SSHD. Important: This port must be open during the upgrade of the appliance. The upgrade process establishes an SSH connection to transfer the data from the existing to the new appliance. | No |
| 53 | | DNS service | No |
| 80 | TCP | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. Also used for WS-Management (also requires port 443 to be open). | No |
| 88 | TCP | Active Directory server. This port must be open for the host to join Active Directory. If you use native Active Directory, the port must be open on vCenter Server. | No |
| 389 | TCP/UDP | This port must be open on the local and all remote instances of vCenter Server. This port is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535. | vCenter Server to vCenter Server |
| 443 | TCP | The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); third-party network management client connections to vCenter Server; third-party network management clients' access to hosts. | vCenter Server to vCenter Server |
| 514 | TCP/UDP | vSphere Syslog Service port for the vCenter Server appliance. | No |
| 636 | TCP | vCenter Single Sign-On LDAPS. For backward compatibility with vSphere 6.5 only. | During upgrade from vSphere 6.5 only. |
| 902 | TCP/UDP | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the VMware Host Client and the hosts. The VMware Host Client uses this port to display virtual machine consoles. | No |
| 1514 | TCP | vSphere Syslog Service TLS port for the vCenter Server appliance. | No |
| 2012 | TCP | Control interface RPC for vCenter Single Sign-On | No |
| 2014 | TCP | RPC port for all VMCA (VMware Certificate Authority) APIs | No |
| 2015 | TCP | DNS management | No |
| 2020 | TCP/UDP | Authentication framework management | No |
| 5480 | TCP | Appliance Management Interface. Open endpoint serving all HTTPS, XML-RPC, and JSON-RPC requests over HTTPS. | No |
| 6500 | TCP/UDP | ESXi Dump Collector port | No |
| 6501 | TCP | Auto Deploy service | No |
| 6502 | TCP | Auto Deploy management | No |
| 7080, 12721 | TCP | Secure Token Service. Note: Internal ports | No |
| 7081 | TCP | vSphere Client. Note: Internal port | No |
| 7475, 7476 | TCP | VMware vSphere Authentication Proxy | No |
| 8200, 8201, 8300, 8301 | TCP | Appliance management. Note: Internal ports | No |
| 8084 | TCP | vSphere Lifecycle Manager SOAP port. The port used by the vSphere Lifecycle Manager client plug-in to connect to the vSphere Lifecycle Manager SOAP server. | No |
| 9084 | TCP | vSphere Lifecycle Manager Web Server Port. The HTTP port used by ESXi hosts to access host patch files from the vSphere Lifecycle Manager server. | No |
| 9087 | TCP | vSphere Lifecycle Manager Web SSL Port. The HTTPS port used by the vSphere Lifecycle Manager client plug-in to upload host upgrade files to the vSphere Lifecycle Manager server. | No |
| 9443 | TCP | vSphere Client HTTPS | No |

For more information about firewall configuration, see the vSphere Security documentation.
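The installer's port-in-use check and the custom-firewall requirement described above, as an added example that is not VMware's installer code: it transcribes part of Table 1, parses a constructed `ss -ltn`/`ss -lun` style listing from the target host, reports required ports that another service already holds (the case in which the installer errors out), and separates the ports you must open on a custom firewall from the internal ports that need no opening. The listening services in the sample output are constructed, not observed.

```python
"""Pre-install port check against the vCenter Server port table (added example,
not VMware installer code). REQUIRED_PORTS is transcribed from Table 1; the
`ss` listing below is a constructed sample standing in for the target host."""
import re

# (port, protocol, description, internal_only). Internal ports exist only for
# inter-process communication and should not be opened on a custom firewall.
REQUIRED_PORTS = [
    (80, "tcp", "HTTP redirect to 443 / WS-Management", False),
    (389, "tcp", "LDAP for Directory Services (movable to 1025-65535)", False),
    (443, "tcp", "vSphere Client, SDK clients, WS-Management", False),
    (514, "udp", "vSphere Syslog Service", False),
    (902, "udp", "Heartbeat from managed hosts", False),
    (902, "tcp", "Data to managed hosts, Host Client consoles", False),
    (5480, "tcp", "Appliance Management Interface", False),
    (7080, "tcp", "Secure Token Service (internal)", True),
    (7081, "tcp", "vSphere Client (internal)", True),
    (12721, "tcp", "Secure Token Service (internal)", True),
]

# Constructed sample: an LDAP server, a web server and a syslog daemon already listen.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:389       0.0.0.0:*
tcp   LISTEN 0      511                *:80              *:*
tcp   LISTEN 0      128        127.0.0.1:5432      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:514       0.0.0.0:*
"""
LISTEN_RE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+):(\d+)\s", re.M)

def parse_listeners(ss_output):
    """Map (protocol, port) -> local address for every listening socket."""
    return {(m[1], int(m[3])): m[2] for m in LISTEN_RE.finditer(ss_output)}

def port_conflicts(listeners, required=REQUIRED_PORTS):
    """Required ports another service already holds; the installer errors on these."""
    return sorted((port, proto, desc, listeners[(proto, port)])
                  for port, proto, desc, _ in required if (proto, port) in listeners)

def firewall_plan(required=REQUIRED_PORTS):
    """Ports to open on a custom firewall vs. internal ports to leave closed."""
    expose = sorted({(p, pr) for p, pr, _, internal in required if not internal})
    keep_closed = sorted({(p, pr) for p, pr, _, internal in required if internal})
    return expose, keep_closed

if __name__ == "__main__":
    for port, proto, desc, addr in port_conflicts(parse_listeners(SAMPLE_SS_OUTPUT)):
        print(f"conflict: {proto}/{port} ({desc}) already bound on {addr}")
    print("open on custom firewall / keep internal:", firewall_plan())
```

On a real appliance host, replace SAMPLE_SS_OUTPUT with the captured output of `ss -ltn` and `ss -lun` before running the installer.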