I also wanted to write this article as a personal reference, so that I can quickly check which communication ports must be opened for ESXi hosts to work correctly. This list is especially useful when there are several management networks isolated from each other by firewalls.
ESXi 7.0

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 9 | UDP | vCenter Server | ESXi Host | Used by Wake on LAN. |
| 22 | TCP | SSH Client | ESXi Host | Required for SSH access. |
| 53 | UDP | ESXi Host | DNS Server | DNS client. |
| 68 | UDP | DHCP Server | ESXi Host | DHCP client for IPv4. |
| 80 | TCP | Web Browser | ESXi Host | Welcome page, with download links for the different interfaces. |
| 161 | UDP | SNMP Server | ESXi Host | Allows the host to connect to an SNMP server. |
| 427 | TCP/UDP | CIM Server | ESXi Host | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 546 | TCP/UDP | DHCP Server | ESXi Host | DHCP client for IPv6. |
| 547 | TCP/UDP | ESXi Host | DHCP Server | DHCP client for IPv6. |
| 902 | TCP/UDP | VMware vCenter Agent | ESXi Host | vCenter Server agent. |
| 2233 | TCP | ESXi Host | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage I/O. If disabled, vSAN does not work. |
| 3260 | TCP | ESXi Host | Software iSCSI Client | Supports software iSCSI. |
| 5671 | TCP | ESXi Host | rabbitmqproxy | A proxy running on the ESXi host that allows applications running inside virtual machines to communicate with the AMQP brokers running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. The proxy connects to the brokers in the vCenter network domain, so the outgoing connection IP addresses should at least include the brokers currently in use and any future brokers. Brokers can be added if the customer wants to scale up. |
| 5988, 8889 | TCP | CIM Server (5988), OpenWSMAN Daemon (8889) | ESXi Host | 5988: server for CIM (Common Information Model). 8889: Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and web services). |
| 5989 | TCP | CIM Secure Server | ESXi Host | Secure server for CIM. |
| 6999 | UDP | NSX Distributed Logical Router Service | ESXi Host | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 8000 | TCP | ESXi Host | ESXi Host | vMotion. Required for a virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. |
| 8080 | TCP | vsanvp | ESXi Host | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance. If disabled, Virtual SAN Storage Policy Based Management (SPBM) does not work. |
| 8100, 8200, 8300 | TCP/UDP | Fault Tolerance | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 8301, 8302 | UDP | DVSSync | ESXi Host | DVSSync ports are used for synchronizing the state of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 12345, 23451 | UDP | ESXi Host | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 44046, 31031 | TCP | ESXi Host | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 80 | TCP | ESXi Host | vCenter Server | vSphere Lifecycle Manager. |
| 80 | TCP | vCenter Server | ESXi Host | vSphere Lifecycle Manager. |

NOTE: Refer to the ESXi 7.0 vSphere Security Guide.
ESXi 6.x

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 9 | UDP | vCenter Server | ESXi Host | Used by Wake on LAN. |
| 22 | TCP | SSH Client | ESXi Host | Required for SSH access. |
| 53 | UDP | ESXi Host | DNS Server | DNS client. |
| 68 | UDP | DHCP Server | ESXi Host | DHCP client for IPv4. |
| 80 | TCP | Web Browser | ESXi Host | Welcome page, with download links for the different interfaces. |
| 161 | UDP | SNMP Server | ESXi Host | Allows the host to connect to an SNMP server. |
| 427 | TCP/UDP | CIM Server | ESXi Host | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers. |
| 443 | TCP | vSphere Web Client | ESXi Host | Client connections. |
| 546 | TCP/UDP | DHCP Server | ESXi Host | DHCP client for IPv6. |
| 547 | TCP/UDP | ESXi Host | DHCP Server | DHCP client for IPv6. |
| 902 | TCP/UDP | VMware vCenter Agent | ESXi Host | vCenter Server agent. |
| 2233 | TCP | ESXi Host | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage I/O. If disabled, vSAN does not work. |
| 3260 | TCP | ESXi Host | Software iSCSI Client | Supports software iSCSI. |
| 5671 | TCP | ESXi Host | rabbitmqproxy | A proxy running on the ESXi host that allows applications running inside virtual machines to communicate with the AMQP brokers running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. The proxy connects to the brokers in the vCenter network domain, so the outgoing connection IP addresses should at least include the brokers currently in use and any future brokers. Brokers can be added if the customer wants to scale up. |
| 5988, 8889 | TCP | CIM Server (5988), OpenWSMAN Daemon (8889) | ESXi Host | 5988: server for CIM (Common Information Model). 8889: Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and web services). |
| 5989 | TCP | CIM Secure Server | ESXi Host | Secure server for CIM. |
| 6999 | UDP | NSX Distributed Logical Router Service | ESXi Host | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 8000 | TCP | ESXi Host | ESXi Host | vMotion. Required for a virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic. |
| 8080 | TCP | vsanvp | ESXi Host | vSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance. If disabled, Virtual SAN Storage Policy Based Management (SPBM) does not work. |
| 8100, 8200, 8300 | TCP/UDP | Fault Tolerance | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 8301, 8302 | UDP | DVSSync | ESXi Host | DVSSync ports are used for synchronizing the state of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 12345, 23451 | UDP | ESXi Host | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 44046, 31031 | TCP | ESXi Host | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 80, 9000 | TCP | ESXi Host | vCenter Server | vSphere Update Manager. |

NOTE: Refer to the vSphere Security Guide for each version:
ESXi 6.7 – vSphere Security Guide
ESXi 6.5 – vSphere Security Guide
ESXi 6.0 – vSphere Security Guide
ESXi 5.x

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 22 | TCP | Client PC | ESXi Host | SSH server |
| 53 | UDP | ESXi 5.x | DNS Server | DNS client |
| 68 | UDP | ESXi 5.x | DHCP Server | DHCP client |
| 80 | TCP | Client PC | ESXi Host | Redirects the web browser to the HTTPS service (443) |
| 88 | TCP | ESXi Host | Active Directory Server | PAM Active Directory authentication (Kerberos) |
| 111 | TCP | ESXi/ESX Host | NFS Server | NFS client, RPC portmapper |
| 111 | UDP | ESXi/ESX Host | NFS Server | NFS client, RPC portmapper |
| 123 | UDP | ESXi/ESX Host | NTP Time Server | NTP client |
| 161 | UDP | SNMP Server | ESXi Host | SNMP polling. Not used in ESXi 3.x |
| 162 | UDP | ESXi Host | SNMP Collector | SNMP trap send |
| 389 | TCP/UDP | ESXi Host | LDAP Server | PAM Active Directory authentication (Kerberos) |
| 427 | UDP | VI / vSphere Client | ESXi/ESX Host | CIM Service Location Protocol (SLP) |
| 443 | TCP | VI / vSphere Client | ESXi/ESX Host | VI / vSphere Client to ESXi/ESX host management connection |
| 445 | UDP | ESXi Host | MS Directory Services Server | PAM Active Directory authentication |
| 445 | TCP | ESXi Host | MS Directory Services Server | PAM Active Directory authentication |
| 445 | TCP | ESXi Host | SMB Server | SMB server |
| 464 | TCP | ESXi Host | Active Directory Server | PAM Active Directory authentication (Kerberos) |
| 514 | UDP/TCP | ESXi 5.x | Syslog Server | Remote syslog logging |
| 902 | TCP/UDP | ESXi 5.x | ESXi Host | Host access to other hosts for migration and provisioning |
| 902 | TCP | vSphere Client | ESXi Host | vSphere Client access to virtual machine consoles (MKS) |
| 902 | UDP | ESXi 5.x | vCenter Server | (UDP) Status update. Managed hosts send a regular heartbeat to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. |
| 1024 (dynamic) | TCP/UDP | ESXi Host | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). See Active Directory and Active Directory Domain Services Port Requirements. |
| 2049 | TCP | ESXi 5.x | NFS Server | Transactions from NFS storage devices |
| 2049 | UDP | ESXi 5.x | NFS Server | Transactions from NFS storage devices |
| 3260 | TCP | ESXi 5.x | iSCSI Storage Server | Transactions to iSCSI storage devices |
| 5900 to 5964 | TCP | ESXi 5.x | ESXi Host | RFB protocol, which is used by management tools such as VNC |
| 5988 | TCP | CIM Server | ESXi Host | CIM transactions over HTTP |
| 5989 | TCP | vCenter Server | ESXi Host | CIM XML transactions over HTTPS |
| 5989 | TCP | ESXi 5.x | vCenter Server | CIM XML transactions over HTTPS |
| 8000 | TCP | ESXi 5.x (VM Target) | ESXi (VM Source) | Requests from vMotion |
| 8000 | TCP | ESXi 5.x (VM Source) | ESXi (VM Target) | Requests from vMotion |
| 8100 | TCP/UDP | ESXi 5.x | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 8182 | TCP/UDP | ESXi 5.x | ESXi Host | Traffic between hosts for vSphere High Availability (vSphere HA) |
| 8200 | TCP/UDP | ESXi 5.x | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 8301 | UDP | ESXi 5.x | ESXi Host | DVS port information |
| 8302 | UDP | ESXi 5.x | ESXi Host | DVS port information |
| 31000 | TCP | SPS Server | vCenter Server | Internal communication port |

Additional information on each port can be found at https://ports.vmware.com/home/vSphere
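The tables above are written in a consistent "Port | Protocol | Source | Target | Purpose" layout, so the question raised in the introduction (which rules does a firewall between two isolated management networks actually need?) can be answered mechanically. The following script is an added example, not code from this blog or from VMware: it parses rows in that layout, expands every port notation the tables use ("5988, 8889", "5900 to 5964", "1024 (dynamic)") and both protocol spellings ("TCP/UDP" and the "TCP\UDP" typo), and then derives a deduplicated allow-list for a given source zone and target zone. The sample rows embedded in it are constructed from the tables; treating "1024 (dynamic)" as the range 1024-65535 is an assumption made here for a conservative rule, and the real range should be taken from the Active Directory port requirements the row refers to.

```python
"""Derive a firewall allow-list from pipe-delimited ESXi port rows.

Added example (not the blog's or VMware's code). Rows must use the layout
"Port | Protocol | Source | Target | Purpose |" as on this page.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    proto: str      # "TCP" or "UDP"; a "TCP/UDP" row becomes two rules
    port_lo: int
    port_hi: int    # equals port_lo unless the row gives a range
    source: str
    target: str
    purpose: str


# Constructed sample: rows copied in the tables' own format, chosen to cover
# every port notation on the page and both protocol spellings.
SAMPLE_ROWS = r"""
Port | Protocol | Source | Target | Purpose |
9 | UDP | vCenter Server | ESXi Host | Used by Wake on LAN. |
22 | TCP | SSH Client | ESXi Host | Required for SSH access |
902 | TCP/UDP | VMware vCenter Agent | ESXi Host | vCenter Server agent |
5988,8889 | TCP | CIM Server / OpenWSMAN Daemon | ESXi Host | CIM and WS-Management |
8100,8200,8300 | TCP\UDP | Fault Tolerance | ESXi Host | vSphere Fault Tolerance (FT) |
5900 to 5964 | TCP | ESXi 5.x | ESXi Host | RFB protocol (VNC) |
1024 (dynamic) | TCP/UDP | ESXi Host | Active Directory Server | netlogond to the domain controller |
80 | TCP | vCenter Server | ESXi Host | vSphere Lifecycle Manager |
"""

# Assumption (not from the page): "(dynamic)" is expanded to lo-65535.
DYNAMIC_HIGH = 65535


def parse_ports(field):
    """Return a list of (lo, hi) ranges for one Port cell.

    Handles "22", "5988,8889", "12345, 23451", "5900 to 5964" and
    "1024 (dynamic)" (the last one expanded to 1024-65535, see assumption).
    """
    field = field.strip()
    if "(dynamic)" in field:
        lo = int(re.match(r"\d+", field).group())
        return [(lo, DYNAMIC_HIGH)]
    m = re.fullmatch(r"(\d+)\s+to\s+(\d+)", field)
    if m:
        return [(int(m.group(1)), int(m.group(2)))]
    return [(int(p), int(p)) for p in re.split(r"\s*,\s*", field)]


def parse_rows(text):
    """Turn pipe-delimited rows into Rule objects; header/blank lines are skipped."""
    rules = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) < 5 or not cells[0][:1].isdigit():
            continue
        ports, proto, src, dst, purpose = cells[:5]
        # Accept both "TCP/UDP" and the "TCP\UDP" spelling found on the page.
        for p in re.split(r"[/\\]", proto.upper()):
            for lo, hi in parse_ports(ports):
                rules.append(Rule(p.strip(), lo, hi, src, dst, purpose))
    return rules


def rules_between(rules, source_zone, target_zone):
    """Rules whose Source/Target cells mention the given zones (case-insensitive)."""
    s, t = source_zone.lower(), target_zone.lower()
    return [r for r in rules if s in r.source.lower() and t in r.target.lower()]


def allow_list(rules, source_zone, target_zone):
    """Deduplicated (proto, lo, hi) tuples, sorted by port then protocol."""
    found = {(r.proto, r.port_lo, r.port_hi)
             for r in rules_between(rules, source_zone, target_zone)}
    return sorted(found, key=lambda x: (x[1], x[0]))


def render(rules):
    """Human-readable rule lines; the purpose is kept as a comment for review."""
    lines = []
    for r in rules:
        span = str(r.port_lo) if r.port_lo == r.port_hi else f"{r.port_lo}-{r.port_hi}"
        lines.append(f"allow {r.proto} {span} from '{r.source}' to '{r.target}'  # {r.purpose}")
    return lines


if __name__ == "__main__":
    all_rules = parse_rows(SAMPLE_ROWS)
    # Rules a firewall between the vCenter network and the ESXi network needs.
    for entry in render(rules_between(all_rules, "vCenter", "ESXi")):
        print(entry)
```

To use it on the full tables, paste the rows of the ESXi version in use into `SAMPLE_ROWS` (or read them from a file) and call `allow_list` once per zone pair; the output is then compared against the firewall configuration, and any port listed on the page but absent from the result is a rule for a feature (vSAN, FT, NSX, replication) that may simply not be in use.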