ConfigMgr.nl

VMware, Automation and more

Network Port Diagram vSphere

19-11-2020 VMware

I was troubleshooting an issue with an ESXi host and Update Manager for which I needed the firewall ports. In KB2131180 you can find a PDF document with a beautiful diagram and reference table. But getting all the required ports between a specific source and destination was not easy. So I created this table that is searchable…

Search for “ESXi” to get all the ports for ESXi. Combine this with “vCenter” (“ESXi vCenter”) to narrow your search. I know it’s not perfect, but I think it is better than a static PDF.

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 22 | TCP | Client PC | ESXi | SSH Server |
| 53 | UDP | ESXi | DNS Server | DNS Client |
| 68 | UDP | ESXi | DHCP Server | DHCP Client |
| 80 | TCP | Client PC | ESXi | Redirect Web Browser to HTTPS Service (443) |
| 88 | TCP | ESXi | Active Directory Server | PAM Active Directory Authentication - Kerberos |
| 111 | TCP | ESXi | NFS Server | NFS Client – RPC Portmapper |
| 111 | UDP | ESXi | NFS Server | NFS Client – RPC Portmapper |
| 123 | UDP | ESXi | NTP Time Server | NTP Client |
| 161 | UDP | SNMP Server | ESXi | SNMP Polling. Not used in ESXi 3.x |
| 162 | UDP | ESXi | SNMP Collector | SNMP Trap Send |
| 389 | TCP/UDP | ESXi | LDAP Server | PAM Active Directory Authentication - Kerberos |
| 427 | UDP | vSphere Client | ESXi | CIM Service Location Protocol (SLP) |
| 443 | TCP | vSphere Client | ESXi | vSphere Client to ESXi/ESX Host management connection |
| 443 | TCP | ESXi | ESXi | Host to host VM migration and provisioning |
| 445 | UDP | ESXi | MS Directory Services Server | PAM Active Directory Authentication |
| 445 | TCP | ESXi | MS Directory Services Server | PAM Active Directory Authentication |
| 445 | TCP | ESXi | SMB Server | SMB Server |
| 464 | TCP | ESXi | Active Directory Server | PAM Active Directory Authentication - Kerberos |
| 514 | UDP/TCP | ESXi | Syslog Server | Remote syslog logging |
| 902 | TCP/UDP | ESXi | ESXi | Host access to other hosts for migration and provisioning |
| 902 | TCP | vSphere Client | ESXi | vSphere Client access to virtual machine consoles (MKS) |
| 902 | TCP/UDP | ESXi | vCenter Server | (UDP) Status update (heartbeat) connection from ESXi to vCenter Server |
| 1024 (dynamic) | TCP/UDP | ESXi | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). See Active Directory and Active Directory Domain Services Port Requirements and MS article 179442. |
| 2049 | TCP | ESXi | NFS Server | Transactions from NFS storage devices |
| 2049 | UDP | ESXi | NFS Server | Transactions from NFS storage devices |
| 3260 | TCP | ESXi | iSCSI storage server | Transactions to iSCSI storage devices |
| 5900 to 5964 | TCP | ESXi | ESXi | RFB protocol, which is used by management tools such as VNC |
| 5989 | TCP | CIM Server | ESXi | CIM transactions over HTTP |
| 5989 | TCP | vCenter Server | ESXi | CIM XML transactions over HTTPS |
| 5989 | TCP | ESXi | vCenter Server | CIM XML transactions over HTTPS |
| 8000 | TCP | ESXi (VM Target) | ESXi (VM Source) | Requests from vMotion |
| 8000 | TCP | ESXi (VM Source) | ESXi (VM Target) | Requests from vMotion |
| 8100 | TCP/UDP | ESXi | ESXi | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 8182 | TCP/UDP | ESXi | ESXi | Traffic between hosts for vSphere High Availability (vSphere HA) |
| 8200,83 | TCP/UDP | ESXi | ESXi | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 8301 | UDP | ESXi | ESXi | DVS Port Information |
| 8302 | UDP | ESXi | ESXi | DVS Port Information |
| 31100 | TCP | vCenter Server | SPS Server | Internal Communication Port |
| 31000 | TCP | SPS Server | vCenter Server | Internal Communication Port |
| 6500 | UDP | ESXi | vCenter Server | Network coredump server |
| 8000 | TCP | ESXi | vCenter Server | Network coredump web port |
| 8001 | TCP | ESXi | vCenter Server | Network syslog server |
| 25 | TCP | vCenter Server | SMTP Server | Email notifications |
| 53 | UDP | vCenter Server | DNS Server | DNS lookups |
| 80 | TCP | Client PC | vCenter Server | vCenter Server requires port 80 for direct HTTP connections. |
| 80 | TCP | vCenter Server | ESXi | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol |
| 88 | UDP | vCenter Server | Active Directory Server | AD Authentication |
| 88 | TCP | vCenter Server | Active Directory Server | AD Authentication |
| 135 | TCP | vCenter Server | vCenter Server | Linked Mode |
| 9084 | TCP | vSphere Client | Update Manager | Download of VUM client binary from VUM server machine to the VI client machine. |
| 162 | UDP | vCenter Server | SNMP Server | SNMP Trap Send |
| 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, you can run the LDAP service on any port from 1025 through 65535. |
| 443 | TCP | vSphere Client | vCenter Server | vCenter Server system uses to listen for connections from the vSphere Client. |
| 443 | TCP | vCenter Server | ESXi | vCenter Agent. Host DPM with HP iLO Remote Management and Control Protocol |
| 623 | UDP | vCenter Server | ESXi | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol |
| 636 | TCP | vCenter Server | vCenter Server | vCenter Server Linked Mode, this is the SSL port of the local instance. |
| 902 | TCP | vCenter Server | ESXi | vCenter Server system uses to send data to managed hosts. This port must not be blocked by firewalls between the server and the hosts or between hosts. |
| 902 | UDP | vCenter Server | ESXi | Managed hosts send a regular heartbeat to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. |
| 902 | TCP/UDP | vSphere Client | ESXi | vSphere Client uses this port to display virtual machine consoles. |
| 902 | TCP/UDP | ESXi | ESXi | Host access to other hosts for migration and provisioning |
| 5480 | TCP | Client PC | vCenter Server | Only applicable for vCenter Server Virtual Appliance - used for accessing VAMI page of vCenter Server Appliance over HTTPS |
| 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | Bi-directional RPC communication on dynamic TCP ports is required between all vCenters that need to replicate (via ADAM). A VIC still needs a direct connection to all vCenters that own an object it needs to manage. |
| 1433 | TCP | vCenter Server | Microsoft SQL Server | For vCenter Microsoft SQL Server Database |
| 1521 | TCP | vCenter Server | Oracle Database Server | For vCenter Oracle Database |
| 5988 | TCP | ESXi | vCenter Server | CIM transactions over HTTP |
| 7500 | UDP | vCenter Server | vCenter Server | Linked Mode, Java Discovery Port |
| 8000 | TCP | vCenter Server | ESXi | Requests from vMotion |
| 8005 | TCP | vCenter Server | vCenter Server | Internal Communication Port |
| 8006 | TCP | vCenter Server | vCenter Server | Internal Communication Port |
| 8009 | TCP | vCenter Server | vCenter Server | AJP Port |
| 8080 | TCP | Client PC | vCenter Server | Web Services HTTP. Used for the VMware VirtualCenter Management Web Services. |
| 8083 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics |
| 8085 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics/SDK |
| 8086 | TCP | vCenter Server | vCenter Server | Internal Communication Port |
| 8087 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics |
| 8443 | TCP | Client PC | vCenter Server | Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services. |
| 8443 | TCP | vCenter Server | vCenter Server | Linked Mode |
| 9443 | TCP | Client PC | vCenter Server | vSphere Web Client Access |
| 10109 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Service Management |
| 10111 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 10443 | TCP | Client PC | vCenter Server | vCenter Inventory Service HTTPS |
| 7476 (51915) | TCP | ESXi | vSphere Authentication Proxy | This is a web service, which is used to add host to Active Directory domain. |
| 60099 | TCP | vCenter Server | vCenter Server | Web Service change service notification port |
| 7005 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | Base shutdown port. For more information, see Configuring VMware Tomcat Server Settings in vCenter Server 5.1. |
| 7080 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | HTTP Port |
| 7444 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | HTTPS Port |
| 7009 | TCP | vCenter Server (Tomcat Server settings) | vCenter Single Sign On | AJP Port |
| 10111 | TCP | vCenter Inventory Service | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 25 | TCP | VCO Server | SMTP Server | Email notifications |
| 389 | TCP/UDP | VCO Server | LDAP Server | LDAP Authentication |
| 443 | TCP | VCO Server | vCenter Server | Used to obtain virtual infrastructure and virtual machine information from orchestrated vCenter Server(s) through the vCenter API |
| 636 | TCP | VCO Server | LDAP Server | VCO uses LDAP authentication and group membership to determine role authorization in LCM and access to VMs/requests. This is the SSL secured LDAP protocol LDAPS (the SSL counterpart of 389). This is used for secured LDAP authentication |
| 1433 | TCP | VCO Server | Microsoft SQL Server | vCenter Orchestrator Server to Microsoft SQL Server for VCO Database |
| 1521 | TCP | VCO Server | Oracle Database Server | vCenter Orchestrator Server to Oracle for VCO Database |
| 3306 | TCP | VCO Server | MySQL Server | vCenter Orchestrator Server to MySQL Server for VCO Database |
| 5432 | TCP | VCO Server | PostgreSQL Server | vCenter Orchestrator Server to PostgreSQL Server for VCO Database |
| 8230 | TCP | VCO Client | VCO Server | Lookup port – The main port to communicate with Orchestrator Configurator server (JNDI port). All other ports communicate with the Orchestrator Configurator smart client through this one. It is part of the JBoss Application server infrastructure |
| 8240 | TCP | VCO Client | VCO Server | Command port – The application communication port (RMI container port), it is used for remote invocations. It is part of the JBoss Application server infrastructure. |
| 8244 | TCP | VCO Client | VCO Server | Data port used to access all Orchestrator data models, such as workflows and policies. It is part of the JBoss application server infrastructure. |
| 8250 | TCP | VCO Client | VCO Server | Messaging port – The Java messaging port used to dispatch events. It is part of the JBoss Application server infrastructure |
| 8280 | TCP | VCO Server | VCO Server | Port used by VCO Server to connect to the Web front-end via HTTP |
| 8281 | TCP | VCO Server | VCO Server | Port used by VCO Server to connect to the Web front-end via HTTPS |
| 8281 | TCP | vCenter Server | VCO Server | Port used by VCO Server to connect to vCenter Server to communicate with the vCenter API |
| 8282 | TCP | VCO Client PC | VCO Server | HTTP server port – Port used by the HTTP connector to connect to the Web frontend. |
| 8283 | TCP | VCO Client PC | VCO Server | HTTPS server port – Port used by HTTP connector to connect to the Web frontend. Requires Jetty to be configured for SSL. |
| 80 | TCP | Update Manager Server | www.vmware.com and xml.shavlik.com | To obtain metadata for the updates, Update Manager must be able to connect to http://www.vmware.com and http://xml.shavlik.com |
| 80 | TCP | ESXi | Update Manager | ESXi/ESX Host to Update Manager Server. The reverse proxy forwards the request to port 9084 |
| 80 | TCP | Update Manager | vCenter Server | Update Manager to vCenter Server communication |
| 443 | TCP | Update Manager Server | www.vmware.com and xml.shavlik.com | To obtain metadata for the updates, Update Manager must be able to connect to http://www.vmware.com and http://xml.shavlik.com |
| 443 | TCP | ESXi | Update Manager | ESXi/ESX Host to Update Manager Server. The reverse proxy forwards the request to port 9084 |
| 443 | TCP | vCenter Server | Update Manager | vCenter Server to Update Manager Server. The reverse proxy forwards the request to port 8084 |
| 735 | TCP | Update Manager Server | Virtual Machines | Update Manager listener port (rdevServer.exe) part of the Remote Device Server used for virtual machine patching. |
| 902 | TCP | Update Manager | ESXi | To push patches and updates from Update Manager to the ESXi/ESX Hosts to be updated |
| 1433 | TCP | Update Manager Server | Microsoft SQL Server | Update Manager to Microsoft SQL Server connectivity (for UM Database) |
| 1521 | TCP | Update Manager Server | Oracle Database Server | Update Manager to Oracle connectivity (for UM Database) |
| 8084 | TCP | Update Manager | vCenter Server | SOAP between components of Update Manager Server and the vCenter Update Manager client plug-in. Configurable at install. |
| 9084 | TCP | ESXi | Update Manager | ESXi/ESX hosts connect to the VUM (VMware Update Manager) webserver listening for updates. Configurable at install. |
| 9087 | TCP | Update Manager | vCenter Server | Port used for uploading host update files. Configurable at install. |
| 9000 to 9100 | TCP | ESXi | Update Manager | This is the recommended port range from which to choose ports for Update Manager if ports 80 and 443 are already in use. Update Manager automatically opens these ports for ESX Host scanning and remediation. |
| 111 | TCP/UDP | vCloud Director Cell | NFS Server | NFS portmapper used by transfer service |
| 920 | TCP/UDP | vCloud Director Cell | NFS Server | NFS rpc.statd used by transfer service |
| 61611 | TCP | vCloud Director Cell (Message Bus) | vCloud Director Cell | ActiveMQ |
| 61616 | TCP | vCloud Director Cell (Message Bus) | vCloud Director Cell | ActiveMQ |
| 25 | TCP/UDP | vCloud Director Cell | SMTP Server | SMTP |
| 53 | TCP/UDP | vCloud Director Cell | DNS Server | DNS |
| 123 | TCP/UDP | vCloud Director Cell | NTP Time Server | NTP |
| 389 | TCP/UDP | vCloud Director Cell | LDAP Server | LDAP |
| 443 | TCP | vCloud Director Cell | ESXi / vCenter | vCenter Server and ESXi connections |
| 514 | UDP | vCloud Director Cell | Syslog Server | Optional, enables syslog use |
| 902 | TCP | vCloud Director Cell | ESXi / vCenter | vCenter Server and ESXi connections |
| 903 | TCP | vCloud Director Cell | ESXi / vCenter | vCenter Server and ESXi connections |
| 1433 | TCP | vCloud Director Cell | SQL Server Database | Default Microsoft SQL Server database port |
| 1521 | TCP | vCloud Director Cell | Oracle Database Server | Default Oracle database port |
| 5672 | TCP/UDP | vCloud Director Cell | AMQP RabbitMQ | Optional, AMQP messages for task extensions. |
| 10109 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Management |
| 10111 | TCP | vCenter Server | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 10111 | TCP | vCenter Inventory Service | vCenter Server | vCenter Inventory Service Linked Mode Communication |
| 10080 | TCP | vSphere Client | vCenter Server | vCenter Inventory Service HTTP |
| 10443 | TCP | vSphere Client | vCenter Server | vCenter Inventory Service HTTPS |
| 9443 | TCP | Client PC | Web Client Server | Web Client Server HTTPS connection |
| 9090 | TCP | Client PC | Web Client Server | Web Client Server HTTP connection |
| 443 | TCP | Web Client Server | vCenter Server | Web Client Server to vCenter Server connection |
| 7444 | TCP | Web Client Server | vCenter Single Sign On | SSO Lookup service connection |
| 5988,8889 | TCP | CIM Server | ESXi | CIM transactions over HTTP (only used in case of loopback – for the applications running locally) |
| 12443 | TCP | Web Client Server | Log Browser Service | For accessing the logs |
| 12221 | TCP | Log Browser Proxy | Log Browser Service | Internal port for Log Browser administration page. It opens a socket (only bound to localhost) to accept admin commands. |
| 9 | UDP | vCenter Server | Virtual Volume | Used by the Virtual Volumes feature |
| 546 | TCP/UDP | DHCP Server | ESXi | DHCP client for IPv6 |
| 547 | TCP/UDP | ESXi | DHCP Server | DHCP client for IPv6 |
| 2233 | TCP | ESXi | Virtual SAN Transport | Used for RDT traffic (Unicast peer to peer communication) between Virtual SAN nodes. |
| 12345,23451 | UDP | ESXi | Virtual SAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by Virtual SAN. |
| 2012 | TCP | vCenter Server | SSO | Control interface RPC for vCenter Single Sign-On (SSO). |
| 2014 | TCP | vCenter Server | SSO | RPC port for all VMCA (VMware Certificate Authority) APIs. |
| 2020 | TCP/UDP | vCenter Server | vCenter Server | Authentication framework management |
| 6500 | TCP/UDP | vCenter Server | ESXi | ESXi Dump Collector port |
| 443 | TCP | vSphere Web Client | ESXi | Client connections |
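The lookup this table was built for, "all the required ports between a specific source and destination", as an added example that is not part of the original post. It assumes the search box matches every term as a substring anywhere in the row; `search`, `port_ranges` and `flows` are hypothetical names, and `ROWS` is a small sample copied from the table with the purposes shortened.

```python
import re

# Constructed sample: a few rows copied from the table above as
# (port, protocol, source, target, purpose); purposes are shortened.
ROWS = [
    ("80", "TCP", "ESXi", "Update Manager", "Host to Update Manager Server"),
    ("443", "TCP", "ESXi", "Update Manager", "Host to Update Manager Server"),
    ("902", "TCP", "Update Manager", "ESXi", "Push patches and updates"),
    ("9084", "TCP", "ESXi", "Update Manager", "VUM webserver"),
    ("9000 to 9100", "TCP", "ESXi", "Update Manager", "Alternative port range"),
    ("902", "TCP/UDP", "ESXi", "vCenter Server", "Heartbeat to vCenter Server"),
    ("5988,8889", "TCP", "CIM Server", "ESXi", "CIM transactions over HTTP"),
    ("1024 (dynamic)", "TCP/UDP", "ESXi", "Active Directory Server", "netlogond"),
]

def search(rows, query):
    """Free-text search (assumed semantics): every term must occur in the row."""
    terms = query.lower().split()
    return [r for r in rows if all(t in " ".join(r).lower() for t in terms)]

def port_ranges(cell):
    """Turn a Port cell into (low, high) pairs; None means 'review by hand'."""
    ranges = []
    for part in cell.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:\s+to\s+(\d+))?\s*", part)
        if not m:  # e.g. "1024 (dynamic)": no fixed range to put in a rule
            return None
        ranges.append((int(m[1]), int(m[2] or m[1])))
    return ranges

def flows(rows, source, target):
    """Directional lookup: (proto, low, high) rules from source to target."""
    rules, manual = [], []
    for port, proto, src, dst, _purpose in rows:
        if source.lower() not in src.lower() or target.lower() not in dst.lower():
            continue
        ranges = port_ranges(port)
        if ranges is None:
            manual.append((port, proto, src, dst))
            continue
        for p in proto.split("/"):  # "TCP/UDP" becomes one rule per protocol
            rules += [(p, lo, hi) for lo, hi in ranges]
    return sorted(set(rules)), manual
```

The free-text search for "ESXi Update Manager" also returns the reverse-direction row (Update Manager to ESXi on 902), which is why `flows` matches the Source and Target columns separately.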