When you run the TLS Configurator utility in the vSphere environment, you can disable legacy TLS versions on the vCenter Server and ESXi ports that use TLS. You can disable TLS 1.0 only, or both TLS 1.0 and TLS 1.1.

Starting in vSphere 7.0, vCenter Server runs two reverse proxy services:

  • VMware reverse proxy service, rhttpproxy
  • Envoy

Envoy is an open source edge and service proxy. Envoy owns port 443, and all incoming vCenter Server requests are routed through Envoy. In vSphere 7.0, rhttpproxy serves as a configuration management server for Envoy. As a result, the TLS configuration is applied to rhttpproxy, which in turn sends the configuration to Envoy.

The following tables list the affected ports. If a port is not listed, the utility does not affect it.

Table 1. vCenter Server Ports Affected by the TLS Configurator Utility

  Service                                        Service Name          Port
  VMware HTTP Reverse Proxy                      vmware-envoy          443
  VMware vCenter Server Service                  vmware-vpxd           8089
  VMware Directory Service                       vmdird                636
  VMware Syslog Collector                        rsyslogd              1514
  vCenter Server Management Interface            vami-lighttp          5480
  vSphere Auto Deploy Waiter                     vmware-rbd-watchdog   6501, 6502
  vSphere Authentication Proxy                   vmcam                 7475, 7476
  vSphere Lifecycle Manager                      vmware-updatemgr      8084, 9087
  vSphere Client                                 vsphere-ui            5443
  VMware vSphere Profile-Driven Storage Service  vmware-sps            Random port greater than 1024

Table 2. ESXi Ports Affected by the TLS Configurator Utility

  Service                                        Service Name          Port
  VMware HTTP Reverse Proxy and Host Daemon      rhttpproxy            443
  VMware vSAN VASA Vendor Provider               vSANVP                8080
  VMware Fault Domain Manager                    FDM                   8182
  VMware vSphere API for IO Filters              ioFilterVPServer      9080
  ESXi WBEM Service                              sfcbd-watchdog        5989
  ESXi vVold Client Service                      vvold                 Random port greater than 1024

Notes and Caveats

  • The vSphere 6.7 release was the final release of vCenter Server for Windows. See the vSphere Security documentation for the 6.7 version of the product for information about reconfiguring TLS for Update Manager ports on vCenter Server for Windows.
  • You can use TLS 1.2 to encrypt the connection between vCenter Server and an external Microsoft SQL Server. You cannot use a TLS 1.2 only connection to an external Oracle database. See the VMware Knowledge Base article at https://kb.vmware.com/kb/2149745.
  • For vSphere 6.7 and earlier releases, do not disable TLS 1.0 on a vCenter Server or Platform Services Controller instance that is running on Windows Server 2008. Windows 2008 supports only TLS 1.0. See the Microsoft TechNet Article TLS/SSL Settings in the Server Roles and Technologies Guide.
  • If you change the TLS protocols, you must restart the ESXi host to apply the changes. You must restart the host even if you apply the changes through the cluster configuration by using host profiles. You can choose to restart the host immediately, or postpone the restart to a more convenient time.