vCenter Server, ESXi hosts, and other network components are accessed using predetermined TCP and UDP ports. If you manage network components from outside a firewall, you might be required to reconfigure the firewall to allow access on the appropriate ports.

The table lists TCP and UDP ports, and the purpose and the type of each. Ports that are open by default at installation time are indicated by (Default).

TCP and UDP Ports



Traffic Type


SSH Server

Incoming TCP

53 (Default)

DNS Client

Incoming and outgoing UDP

68 (Default)

DHCP Client

Incoming and outgoing UDP

161 (Default)

SNMP Server

Incoming UDP

80 (Default)

vSphere Fault Tolerance (FT) (outgoing TCP, UDP)

HTTP access

The default non-secure TCP Web port typically used in conjunction with port 443 as a front end for access to ESXi networks from the Web. Port 80 redirects traffic to an HTTPS landing page (port 443).


Incoming TCP

Outgoing TCP, UDP

111 (Default)

RPC service used for the NIS register by vCenter Virtual Appliance

Incoming and outgoing TCP


NTP Client

Outgoing UDP

135 (Default)

For the vCenter Virtual Appliance, this port is designated for Active Directory authentication

For a vCenter Server Windows installation, this port is used for Linked Mode and port 88 is used for Active Directory authentication.

Incoming and outgoing TCP

427 (Default)

The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers.

Incoming and outgoing UDP

443 (Default)

HTTPS access

vCenter Server access to ESXi hosts

Default SSL Web port

vSphere Client access to vCenter Server

vSphere Client access to ESXi hosts


vSphere Client access to vSphere Update Manager

Third-party network management client connections to vCenter Server

Third-party network management clients access to hosts

Incoming TCP

513 (Default)

vCenter Virtual Appliance used for logging activity

Incoming UDP

902 (Default)

Host access to other hosts for migration and provisioning

Authentication traffic for ESXi and remote console traffic (xinetd/vmware-authd)

vSphere Client access to virtual machine consoles

(UDP) Status update (heartbeat) connection from ESXi to vCenter Server

Incoming and outgoing TCP, outgoing UDP


Remote console traffic generated by user access to virtual machines on a specific host.

vSphere Client access to virtual machine consoles

MKS transactions (xinetd/vmware-authd-mks)

Incoming TCP

1234, 1235 (Default)

vSphere Replication

Outgoing TCP


Transactions from NFS storage devices

This port is used on the VMkernel interface.

Incoming and outgoing TCP


Transactions to iSCSI storage devices

Outgoing TCP


RFB protocol, which is used by management tools such as VNC

Incoming and outgoing TCP

5988 (Default)

CIM transactions over HTTP

Incoming TCP

5989 (Default)

CIM XML transactions over HTTPS

Incoming and outgoing TCP

8000 (Default)

Requests from vMotion

Incoming and outgoing TCP


AJP connector port for vCenter Virtual Appliance communication with Tomcat

Outgoing TCP

8100, 8200 (Default)

Traffic between hosts for vSphere Fault Tolerance (FT)

Incoming and outgoing TCP, UDP


Traffic between hosts for vSphere High Availability (HA)

Incoming and outgoing TCP, incoming and outgoing UDP


Used to allow a vCenter Virtual Appliance to communicate with the vSphere Web Client

Incoming and outgoing TCP

In addition to the TCP and UDP ports, you can configure other ports depending on your needs.