| Product | Version | Source | Destination | Ports | Protocols | Purpose | Service Description | Classification |
|---|---|---|---|---|---|---|---|---|
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 3260 | TCP | Software iSCSI Client | Supports software iSCSI. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | UDP | VMware vCenter Agent | vCenter Server agent. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 9080 | TCP | I/O Filter Service | Used by the I/O Filters storage feature | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | - | - | 161 | UDP | vCenter Server | SNMP Server | - |
| vSphere | 6.7, 6.5 | - | - | 636 | TCP | vCenter Server | vCenter Single Sign-On LDAPS (6.0 and later) | - |
| vSphere | 6.7, 6.5 | - | - | 8084, 9084, 9087 | TCP | vCenter Server | Used by vSphere Update Manager. | - |
| vSphere | 6.7, 6.5 | - | - | 8109 | TCP | vCenter Server | VMware Syslog Collector. This service is needed if you want to centralize log collection. | - |
| vSphere | 6.7, 6.5 | - | - | 15007, 15008 | TCP | vCenter Server | vService Manager (VSM). This service registers vCenter Server extensions. Open this port only if required by extensions that you intend to use. | - |
| vSphere | 6.7, 6.5 | - | - | 31031, 44046 (Default) | TCP | vCenter Server | vSphere Replication. | - |
| vSphere | 6.7, 6.5 | - | - | 5355 | UDP | vCenter Server | The systemd-resolve process uses this port to resolve domain names, IPv4 and IPv6 addresses, DNS resource records and services. | - |
| vSphere | 6.7, 6.5 | - | - | 5444, 5432 | - | vCenter Server | Internal port for monitoring of vPostgreSQL. | Internal |
| vSphere | 6.7, 6.5 | NA | NA | 22 | TCP | Appliance deployments of vCenter Server Platform Services Controller | System port for SSHD. | - |
| vSphere | 6.7, 6.5 | NA | NA | 53 | - | Windows installations and appliance deployments of Platform Services Controller | DNS service | - |
| vSphere | 6.7, 6.5 | NA | NA | 80 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server. WS-Management (also requires port 443 to be open). If you use a Microsoft SQL database that is stored on the same virtual machine or physical server as the vCenter Server, port 80 is used by the SQL Reporting Service. When you install or upgrade vCenter Server, the installer prompts you to change the HTTP port for vCenter Server. Change the vCenter Server HTTP port to a custom value to ensure a successful installation or upgrade. Important: You can only change this port number during the vCenter Server and Platform Services Controller installation. | - |
| vSphere | 6.7, 6.5 | NA | NA | 88 | TCP | Windows installations and appliance deployments of Platform Services Controller | Active Directory server. This port must be open for host to join Active Directory. If you use native Active Directory, the port must be open on both vCenter Server and Platform Services Controller. | - |
| vSphere | 6.7, 6.5 | vCenter Server or Platform Services Controller | Platform Services Controller | 389 | TCP/UDP | Windows installations and appliance deployments of Platform Services Controller | This port must be open on the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535. If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535. | - |
| vSphere | 6.7, 6.5 | vCenter Server; Platform Services Controller | vCenter Server or Platform Services Controller; vCenter Server | 443 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | The default port that the vCenter Server system uses to listen for connections from the vSphere Web Client. To enable the vCenter Server system to receive data from the vSphere Web Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. This port is also used for the following services: WS-Management (also requires port 80 to be open); Third-party network management client connections to vCenter Server; Third-party network management clients access to hosts. Important: You only can change this port number during the vCenter Server and Platform Services Controller installation. | - |
| vSphere | 6.7, 6.5 | NA | NA | 514 | TCP/UDP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vSphere Syslog Collector port for vCenter Server on Windows and vSphere Syslog Service port for vCenter Server Appliance. Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | vCenter Server 6.0 | Platform Services Controller 6.5 | 636 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vCenter Single Sign-On LDAPS. For backward compatibility with vSphere 6.0 only. During upgrade from vSphere 6.0 only. | - |
| vSphere | 6.7, 6.5 | - | - | 1514 | TCP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | vSphere Syslog Collector TLS port for vCenter Server on Windows and vSphere Syslog Service TLS port for vCenter Server Appliance. Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | vCenter Server OR Platform Services Controller; Platform Services Controller | Platform Services Controller OR vCenter Server | 2012 | TCP | Windows installations and appliance deployments of Platform Services Controller | Control interface RPC for vCenter Single Sign-On | - |
| vSphere | 6.7, 6.5 | vCenter Server; Platform Services Controller | Platform Services Controller; vCenter Server | 2014 | TCP | Windows installations and appliance deployments of Platform Services Controller | RPC port for all VMCA (VMware Certificate Authority) APIs. Important: You can change this port number during the Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | Platform Services Controller | Platform Services Controller | 2015 | TCP | Windows installations and appliance deployments of Platform Services Controller | DNS management | - |
| vSphere | 6.7, 6.5 | vCenter Server; Platform Services Controller to | Platform Services Controller; vCenter Server | 2020 | TCP/UDP | Windows installations and appliance deployments of vCenter Server and Platform Services Controller | Authentication framework management. Important: You can change this port number during the vCenter Server and Platform Services Controller installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 5480 | TCP | Appliance deployments of vCenter Server and Platform Services Controller | Appliance Management Interface. Open endpoint serving all HTTPS, XMLRPS and JSON-RPC requests over HTTPS. | - |
| vSphere | 6.7, 6.5 | - | - | 6500 | TCP/UDP | Windows installations and appliance deployments of vCenter Server | ESXi Dump Collector port. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 6502 | TCP | Windows installations and appliance deployments of vCenter Server | Auto Deploy management. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 7081 | TCP | Windows installations and appliance deployments of Platform Services Controller | VMware Platform Services Controller Web Client | Internal port |
| vSphere | 6.7, 6.5 | vCenter Server | - | 7475, 7476 | Platform Services Controller | Appliance deployments of vCenter Server | VMware vSphere Authentication Proxy | - |
| vSphere | 6.7, 6.5 | - | - | 8084 | TCP | Appliance deployments of vCenter Server | vSphere Update Manager SOAP port. The port used by vSphere Update Manager client plug-in to connect to the vSphere Update Manager SOAP server. | - |
| vSphere | 6.7, 6.5 | - | - | 9084 | TCP | Appliance deployments of vCenter Server | vSphere Update Manager Web Server Port. The HTTP port used by ESXi hosts to access host patch files from vSphere Update Manager server. | - |
| vSphere | 6.7, 6.5 | - | - | 9087 | TCP | Appliance deployments of vCenter Server | vSphere Update Manager Web SSL Port. The HTTPS port used by vSphere Update Manager client plug-in to upload host upgrade files to vSphere Update Manager server. | - |
| vSphere | 6.7, 6.5 | - | - | 9443 | TCP | Windows installations and appliance deployments of vCenter Server | vSphere Web Client HTTPS | - |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5988 | TCP | CIM Server | Server for CIM (Common Information Model). | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5989 | TCP | CIM Secure Server | Secure server for CIM. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 546 | - | DHCPv6 | DHCP client for IPv6. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 68 | UDP | DHCP Client | DHCP client for IPv4. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 53 | UDP | DNS Client | DNS client. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Traffic between hosts for vSphere Fault Tolerance (FT). | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 161 | UDP | SNMP Server | Allows the host to connect to an SNMP server. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 22 | TCP | SSH Server | Required for SSH access. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902, 443 | TCP | vSphere Web Client | Client connections | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80 | TCP | vSphere Web Access | Welcome page, with download links for different interfaces. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | - | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80, 9000 | TCP | vSphere Update Manager | - | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 427 | TCP, UDP | CIM SLP | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 547 | TCP, UDP | DHCPv6 | DHCP client for IPv6. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 9 | UDP | WOL | Used by Wake on LAN. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 68 | UDP | DHCP Client | DHCP client. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 53 | TCP, UDP | DNS Client | DNS client. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 80, 8200, 8100, 8300 | TCP, UDP | Fault Tolerance | Supports VMware Fault Tolerance. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 3260 | TCP | Software iSCSI Client | Supports software iSCSI. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | - | - | 8000 | TCP, UDP | - | ESXi Dump Collector | Internal Port |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | UDP | VMware vCenter Agent | vCenter Server agent. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8889 | TCP | OpenWSMAN Daemon | Web Services Management (WS-Management) is a DMTF open standard for the management of servers, devices, applications, and Web services. Note: This Firewall Port for Services is not Visible in the UI by Default | - |
| vSphere | 6.7, 6.5 | - | - | 123 | UDP | vCenter Server | NTP Client. If you are deploying the vCenter Server Appliance on an ESXi host, the two must be time synchronized, usually through an NTP server, and the corresponding port must be open. | - |
| vSphere | 6.7, 6.5 | - | - | 135 | UDP | vCenter Server | For the vCenter Server Appliance, this port is designated for Active Directory authentication. For a vCenter Server Windows installation, this port is used for Linked Mode and port 88 is used for Active Directory authentication. | - |
| vSphere | 6.7, 6.5 | - | - | 5443 | - | vCenter Server | vCenter Server graphical user interface internal port. | Internal |
| vSphere | 6.7, 6.5 | - | - | 5090 | - | vCenter Server | vCenter Server graphical user interface internal port. | Internal |
| vSphere | 6.7, 6.5 | - | - | 902 | TCP/UDP | Windows installations and appliance deployments of vCenter Server | The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. Port 902 must not be blocked between the VMware Host Client and the hosts. The VMware Host Client uses this port to display virtual machine consoles. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 6501 | TCP | Windows installations and appliance deployments of vCenter Server | Auto Deploy service. Important: You can change this port number during the vCenter Server installations on Windows. | - |
| vSphere | 6.7, 6.5 | - | - | 7080, 12721 | TCP, UDP | Windows installations and appliance deployments of Platform Services Controller | Secure Token Service | Internal ports |
| vSphere | 6.7, 6.5 | - | - | 8200, 8201, 8300, 8301 | TCP | Appliance deployments of vCenter Server and Platform Services Controller | Appliance management | Internal ports |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 12345, 23451 | UDP | vSANClustering Service | VMware vSAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster members and distribute vSAN metadata to all cluster members. If disabled, vSAN does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8000 | TCP | vMotion | Required for virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about vSAN storage profiles, capabilities, and compliance. If disabled, vSAN Storage Profile Based Management (SPBM) does not work. | Incoming Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8301, 8302 | UDP | DVSSync | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 44046, 31031 | TCP | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 902 | TCP | NFC | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. ESXi uses NFC for operations such as copying and moving data between datastores by default. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 12345, 23451 | UDP | vSANClustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 6999 | UDP | NSX Distributed Logical Router Service | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5671 | TCP | rabbitmqproxy | A proxy running on the ESXi host. This proxy allows applications that are running inside virtual machines to communicate with the AMQP brokers that are running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. Ensure that outgoing connection IP addresses include at least the brokers in use or future. You can add brokers later to scale up. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 2233 | TCP | vSAN Transport | Used for RDT traffic (Unicast peer to peer communication) between vSAN nodes. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 8080 | TCP | vsanvp | Used for vSAN Vendor Provider traffic. | Outgoing Firewall Connections |
| vSphere | 6.7, 6.5 | vSphere Web Client | VMware Host Client | 5900-5964 | TCP | RFB protocol | The RFB protocol is a simple protocol for remote access to graphical user interfaces. Note: This Firewall Port for Services is not Visible in the UI by Default | Firewall Port |
| vSphere | 6.7, 6.5 | - | - | 8085 | TCP, UDP | - | Ports used by the vCenter service (vpxd) SDK. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 8095 | TCP, UDP | - | VMware vCenter services feed port. | - |
| vSphere | 6.7, 6.5 | - | - | 8098, 8099 | TCP, UDP | - | Used by VMware Image Builder Manager. | - |
| vSphere | 6.7, 6.5 | - | - | 8190, 8191, 22000, 22100, 21100 | TCP, UDP | - | VMware vSphere Profile-Driven Storage Service. | - |
| vSphere | 6.7, 6.5 | - | - | 8900 | TCP, UDP | - | Monitoring API internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 9090 | TCP, UDP | - | Port for vSphere Web Client. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 10080 | TCP, UDP | - | Inventory service internal port | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 10201 | TCP, UDP | - | Message Bus Configuration Service internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 11080 | TCP, UDP | - | vCenter Server Appliance internal ports for HTTP and for splash screen. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 12080 | TCP, UDP | - | License service internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 12346, 12347, 4298 | TCP, UDP | - | Internal port for VMware Cloud Management SDKs (vAPI). | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 13080, 6070 | TCP, UDP | - | Used internally by the Performance Charts service. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 14080 | TCP, UDP | - | Used internally by the syslog service. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 15005, 15006 | TCP, UDP | - | ESX Agent Manager internal port. | Internal Port |
| vSphere | 6.7, 6.5 | - | - | 16666, 16667 | TCP, UDP | - | Content Library ports. | - |
| vSphere | 6.7, 6.5 | - | - | 32768 - 60999 | TCP, UDP | - | vCenter Server Appliance uses for vPostgres services. | Ephemeral ports |
| vSphere | 6.7, 6.5 | - | - | 22 | TCP | System port for SSHD | Between all three nodes. Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 5432 | TCP | Postgres | Between Primary and Secondary. Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 8182 | TCP | Fault Domain Manager | Between all three nodes. Bidirectional. | Firewall Port for VCHA Private IP table |
| vSphere | 6.7, 6.5 | - | - | 8182 | UDP | Fault Domain Manager | Between all three nodes. Bidirectional. | Firewall Port for VCHA Private IP table |