When you run the TLS Configurator utility in the vSphere environment, you can disable older TLS versions on the ports that use TLS on vCenter Server and ESXi hosts. You can disable TLS 1.0 or both TLS 1.0 and TLS 1.1.

Starting in vSphere 7.0, vCenter Server runs two reverse proxy services:

  • VMware reverse proxy service, rhttpproxy
  • Envoy

Envoy is an open source edge and service proxy. Envoy owns port 443, and all incoming vCenter Server requests are routed through Envoy. In vSphere 7.0, rhttpproxy serves as a configuration management server for Envoy. As a result, the TLS configuration is applied to rhttpproxy, which in turn sends the configuration to Envoy.

vCenter Server and ESXi use ports on which individual TLS protocol versions can be enabled or disabled. The scan option of the TLS Configurator utility displays which versions of TLS are enabled for each service. See Scan vCenter Server for Enabled TLS Protocols.

For the list of all supported ports and protocols in VMware products, including vSphere and vSAN, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. You can search ports by VMware product, create a customized list of ports, and print or save port lists.
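To confirm from a client that a port no longer accepts the TLS versions you disabled, you can attempt a handshake pinned to each version. The following Python script is an added example, not part of the TLS Configurator utility or of VMware's documentation. It assumes the local OpenSSL build can still offer TLS 1.0 and 1.1, and the host name is a placeholder.

```python
import socket
import ssl
import warnings

# Versions the page discusses disabling (1.0, 1.1) plus 1.2 for comparison.
VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}

def probe(host, port, version, timeout=5.0):
    """True: handshake at exactly `version` succeeded. False: the endpoint
    refused it. None: no TCP connection, so nothing can be concluded."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # protocol audit only, no trust decision
    ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # allow the client to offer 1.0/1.1
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        ctx.minimum_version = version
        ctx.maximum_version = version
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return None
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
        except (ssl.SSLError, OSError):
            return False

def scan(host, port=443):
    """Probe one port for each version in VERSIONS."""
    return {name: probe(host, port, v) for name, v in VERSIONS.items()}

def violations(results, disabled=("TLSv1.0", "TLSv1.1")):
    """Versions that should be off but still completed a handshake."""
    return [name for name in disabled if results.get(name) is True]

if __name__ == "__main__":
    # Hypothetical host name; replace with your own vCenter Server or ESXi host.
    results = scan("vcenter.example.com", 443)
    print(results, "violations:", violations(results))
```

A result of None means the port was unreachable, which is not evidence that a version is disabled.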

Notes and Caveats

  • The vSphere 6.7 release was the final release of vCenter Server for Windows. See the vSphere Security documentation for the 6.7 version of the product for information about reconfiguring TLS for Update Manager ports on vCenter Server for Windows.
  • You can use TLS 1.2 to encrypt the connection between vCenter Server and an external Microsoft SQL Server. You cannot use a TLS 1.2 only connection to an external Oracle database. See the VMware Knowledge Base article at https://kb.vmware.com/kb/2149745.
  • For vSphere 6.7 and earlier releases, do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
  • If you change the TLS protocols, you must restart the ESXi host to apply the changes. You must restart the host even if you apply the changes through the cluster configuration by using host profiles. You can choose to restart the host immediately, or postpone the restart to a more convenient time.