The vSphere Web Client allows you to open and close the firewall ports for each service, or to allow traffic only from selected IP addresses.

The following tables list the firewall ports for services that are usually installed. If you install other VIBs on your host, additional services and firewall ports might become available.

Incoming Firewall Connections

| Service | Port | Comment |
|---|---|---|
| CIM Server | 5988 (TCP) | Server for CIM (Common Information Model). |
| CIM Secure Server | 5989 (TCP) | Secure server for CIM. |
| CIM SLP | 427 (TCP, UDP) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| DHCPv6 | 546 (TCP, UDP) | DHCP client for IPv6. |
| DVSSync | 8301, 8302 (UDP) | DVSSync ports are used for synchronizing the states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that do not use VMware FT, these ports do not have to be open. |
| NFC | 902 (TCP) | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. By default, ESXi uses NFC for operations such as copying and moving data between datastores. |
| Virtual SAN Clustering Service | 12345, 23451 (UDP) | Virtual SAN Cluster Monitoring and Membership Directory Service. Uses UDP-based IP multicast to establish cluster membership and distribute Virtual SAN metadata to all cluster members. If disabled, Virtual SAN does not work. |
| DHCP Client | 68 (UDP) | DHCP client for IPv4. |
| DNS Client | 53 (UDP) | DNS client. |
| Fault Tolerance | 8200, 8100, 8300 (TCP, UDP) | Traffic between hosts for vSphere Fault Tolerance (FT). |
| NSX Distributed Logical Router Service | 6999 (UDP) | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| Virtual SAN Transport | 2233 (TCP) | Virtual SAN reliable datagram transport. Uses TCP for Virtual SAN storage I/O. If disabled, Virtual SAN does not work. |
| SNMP Server | 161 (UDP) | Allows the host to connect to an SNMP server. |
| SSH Server | 22 (TCP) | Required for SSH access. |
| vMotion | 8000 (TCP) | Required for virtual machine migration with vMotion. |
| vSphere Web Client | 902, 443 (TCP) | Client connections. |
| vsanvp | 8080 (TCP) | Virtual SAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance. If disabled, Virtual SAN Storage Profile Based Management (SPBM) does not work. |
| vSphere Web Access | 80 (TCP) | Welcome page, with download links for the different interfaces. |
| RFB protocol | 5900-5964 (TCP) | Used by management tools such as VNC. |

Outgoing Firewall Connections

| Service | Port | Comment |
|---|---|---|
| CIM SLP | 427 (TCP, UDP) | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| DHCPv6 | 547 (TCP, UDP) | DHCP client for IPv6. |
| DVSSync | 8301, 8302 (UDP) | DVSSync ports are used for synchronizing the states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that do not use VMware FT, these ports do not have to be open. |
| HBR | 44046, 31031 (TCP) | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| NFC | 902 (TCP) | Network File Copy (NFC) provides a file-type-aware FTP service for vSphere components. By default, ESXi uses NFC for operations such as copying and moving data between datastores. |
| WOL | 9 (UDP) | Used by Wake on LAN. |
| Virtual SAN Clustering Service | 12345, 23451 (UDP) | Cluster Monitoring, Membership, and Directory Service used by Virtual SAN. |
| DHCP Client | 68 (UDP) | DHCP client. |
| DNS Client | 53 (TCP, UDP) | DNS client. |
| Fault Tolerance | 80, 8200, 8100, 8300 (TCP, UDP) | Supports VMware Fault Tolerance. |
| Software iSCSI Client | 3260 (TCP) | Supports software iSCSI. |
| NSX Distributed Logical Router Service | 6999 (UDP) | The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. |
| rabbitmqproxy | 5671 (TCP) | A proxy running on the ESXi host that allows applications running inside virtual machines to communicate with the AMQP brokers running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. The proxy connects to the brokers in the vCenter network domain, so the allowed outgoing IP addresses should at least include the brokers currently in use and any planned future brokers. Brokers can be added if the customer wants to scale up. |
| Virtual SAN Transport | 2233 (TCP) | Used for RDT traffic (unicast peer-to-peer communication) between Virtual SAN nodes. |
| vMotion | 8000 (TCP) | Required for virtual machine migration with vMotion. |
| VMware vCenter Agent | 902 (UDP) | vCenter Server agent. |
| vsanvp | 8080 (TCP) | Used for Virtual SAN Vendor Provider traffic. |
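As an added example that is not part of the VMware documentation: a small Python audit that parses the "ports (protocols)" notation used in these tables, including comma- or space-separated lists and ranges such as 5900-5964, and checks a caller-supplied list of observed listeners (for example from a scan of a host's management interface) against the documented incoming ports, so that anything listening on a port no known service accounts for is flagged for review. The service-to-port map below is a constructed subset of the incoming table; the function and variable names are this example's own.

```python
import re

# Constructed subset of the incoming table above; the "ports (protocols)"
# strings are the page's own notation, the dict and audit logic are ours.
INCOMING: dict[str, str] = {
    "Fault Tolerance": "8200, 8100, 8300 (TCP, UDP)",
    "Virtual SAN Clustering Service": "12345 23451 (UDP)",
    "SSH Server": "22 (TCP)",
    "vSphere Web Client": "902, 443 (TCP)",
    "RFB protocol": "5900-5964 (TCP)",
}

# "<ports> (<protocols>)": ports may use commas, spaces or a '-' range.
SPEC_RE = re.compile(r"^\s*([\d,\s-]+?)\s*\(([^)]*)\)\s*$")


def parse_ports(spec: str) -> set[tuple[int, str]]:
    """Expand e.g. '5900-5964 (TCP)' or '8200, 8100 (TCP, UDP)' into (port, proto) pairs."""
    m = SPEC_RE.match(spec)
    if not m:
        raise ValueError(f"unrecognised port spec: {spec!r}")
    protos = [p.strip().upper() for p in m.group(2).split(",") if p.strip()]
    ports: set[int] = set()
    for tok in re.split(r"[,\s]+", m.group(1).strip()):
        if "-" in tok:  # inclusive range such as 5900-5964
            lo, hi = (int(x) for x in tok.split("-", 1))
            ports.update(range(lo, hi + 1))
        else:
            ports.add(int(tok))
    return {(p, proto) for p in ports for proto in protos}


def build_index(table: dict[str, str]) -> dict[tuple[int, str], list[str]]:
    """Map each (port, protocol) pair to the documented services that use it."""
    index: dict[tuple[int, str], list[str]] = {}
    for service, spec in table.items():
        for key in parse_ports(spec):
            index.setdefault(key, []).append(service)
    return index


def audit_listeners(observed: list[tuple[int, str]], table=INCOMING) -> dict:
    """Split observed (port, proto) listeners into documented and unexpected."""
    index = build_index(table)
    report: dict[str, list] = {"documented": [], "unexpected": []}
    for port, proto in observed:
        services = index.get((port, proto.upper()))
        if services:
            report["documented"].append((port, proto, services))
        else:
            report["unexpected"].append((port, proto))
    return report
```

An "unexpected" hit is not necessarily a problem (a VIB may have added a service, see the note above), but it is the entry to compare against the host's enabled rulesets and allowed-IP lists.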