
I wanted to write this article also as a personal reference, so that I can easily check which communication ports need to be allowed for ESXi hosts to work correctly. This list comes in very handy especially when you have several management networks isolated from each other by firewalls.


ESXi 7.0

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 9 | UDP | vCenter Server | ESXi Host | Used by Wake on LAN. |
| 22 | TCP | SSH Client | ESXi Host | Required for SSH access |
| 53 | UDP | ESXi Host | DNS Server | DNS client |
| 68 | UDP | DHCP Server | ESXi Host | DHCP client for IPv4 |
| 80 | TCP | Web Browser | ESXi Host | Welcome page, with download links for different interfaces |
| 161 | UDP | SNMP Server | ESXi Host | Allows the host to connect to an SNMP server |
| 427 | TCP/UDP | CIM Server | ESXi Host | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers |
| 546 | TCP/UDP | DHCP Server | ESXi Host | DHCP client for IPv6 |
| 547 | TCP/UDP | ESXi Host | DHCP Server | DHCP client for IPv6 |
| 902 | TCP/UDP | VMware vCenter Agent | ESXi Host | vCenter Server agent |
| 2233 | TCP | ESXi Host | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. |
| 3260 | TCP | ESXi Host | Software iSCSI Client | Supports software iSCSI |
| 5671 | TCP | ESXi Host | rabbitmqproxy | A proxy running on the ESXi host that allows applications running inside virtual machines to communicate with the AMQP brokers running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. The proxy connects to the brokers in the vCenter network domain. Therefore, the outgoing connection IP addresses should at least include the current brokers in use or future brokers. Brokers can be added if the customer would like to scale up. |
| 5988, 8889 | TCP | CIM Server (5988), OpenWSMAN Daemon (8889) | ESXi Host | 5988: Server for CIM (Common Information Model). 8889: Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and Web services) |
| 5989 | TCP | CIM Secure Server | ESXi Host | Secure server for CIM |
| 6999 | UDP | NSX Distributed Logical Router Service | ESXi Host | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 8000 | TCP | ESXi Host | ESXi Host | vMotion. Required for a virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic |
| 8080 | TCP | vsanvp | ESXi Host | VSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance. If disabled, Virtual SAN Storage Profile Based Management (SPBM) does not work. |
| 8100, 8200, 8300 | TCP/UDP | Fault Tolerance | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 8301, 8302 | UDP | DVSSync | ESXi Host | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 12345, 23451 | UDP | ESXi Host | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 44046, 31031 | TCP | ESXi Host | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 80 | TCP | ESXi Host | vCenter Server | vSphere Lifecycle Manager |
| 80 | TCP | vCenter Server | ESXi Host | vSphere Lifecycle Manager |

NOTE: Refer to the ESXi 7.0 vSphere Security Guide.
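As an added example (not code from the original post), the following Python helper turns the ESXi 7.0 table above into a feature-driven allow-list, so that a firewall between isolated management networks only opens the vSAN, FT, NSX VDR and replication ports on hosts that actually use those features, which is what the table's own "does not have to be open" remarks recommend. The feature labels such as "vsan", "ft" and "nsx" are names chosen here, not VMware terms.

```python
"""Added example (not code from the original post): derive the minimum ESXi 7.0
allow-list from the table above for the features a host actually uses."""
from typing import Dict, List, Set

# Rows transcribed from the ESXi 7.0 table: (ports, protocol, source, target, feature).
# "base" rows are always needed; the rest follow the table's own "does not have to be open" remarks.
ESXI7_RULES = [
    ("9", "UDP", "vCenter Server", "ESXi Host", "wol"),
    ("22", "TCP", "SSH Client", "ESXi Host", "ssh"),
    ("53", "UDP", "ESXi Host", "DNS Server", "base"),
    ("68", "UDP", "DHCP Server", "ESXi Host", "dhcp"),
    ("80", "TCP", "Web Browser", "ESXi Host", "base"),
    ("161", "UDP", "SNMP Server", "ESXi Host", "snmp"),
    ("427", "TCP/UDP", "CIM Server", "ESXi Host", "cim"),
    ("546", "TCP/UDP", "DHCP Server", "ESXi Host", "dhcp"),
    ("547", "TCP/UDP", "ESXi Host", "DHCP Server", "dhcp"),
    ("902", "TCP/UDP", "VMware vCenter Agent", "ESXi Host", "base"),
    ("2233", "TCP", "ESXi Host", "vSAN Transport", "vsan"),
    ("3260", "TCP", "ESXi Host", "Software iSCSI Client", "iscsi"),
    ("5671", "TCP", "ESXi Host", "rabbitmqproxy", "rabbitmqproxy"),
    ("5988,8889", "TCP", "CIM Server / OpenWSMAN Daemon", "ESXi Host", "cim"),
    ("5989", "TCP", "CIM Secure Server", "ESXi Host", "cim"),
    ("6999", "UDP", "NSX Distributed Logical Router Service", "ESXi Host", "nsx"),
    ("8000", "TCP", "ESXi Host", "ESXi Host", "vmotion"),
    ("8080", "TCP", "vsanvp", "ESXi Host", "vsan"),
    ("8100,8200,8300", "TCP/UDP", "Fault Tolerance", "ESXi Host", "ft"),
    ("8301,8302", "UDP", "DVSSync", "ESXi Host", "ft"),
    ("12345,23451", "UDP", "ESXi Host", "vSAN Clustering Service", "vsan"),
    ("44046,31031", "TCP", "ESXi Host", "HBR", "replication"),
    ("80", "TCP", "ESXi Host", "vCenter Server", "base"),
    ("80", "TCP", "vCenter Server", "ESXi Host", "base"),
]

def required_rules(features: Set[str]) -> List[tuple]:
    """Table rows that apply: the always-on 'base' rows plus the requested features."""
    wanted = set(features) | {"base"}
    return [r for r in ESXI7_RULES if r[4] in wanted]

def open_ports(features: Set[str]) -> Dict[str, Set[int]]:
    """Per-protocol set of individual ports to allow; 'TCP/UDP' rows count for both."""
    out: Dict[str, Set[int]] = {"TCP": set(), "UDP": set()}
    for ports, proto, _src, _dst, _feat in required_rules(features):
        for p in ports.split(","):
            for name in proto.split("/"):
                out[name].add(int(p))
    return out

def render(features: Set[str]) -> List[str]:
    """One readable allow line per applicable row, e.g. 'ESXi Host -> vSAN Transport TCP 2233'."""
    return [f"{src} -> {dst} {proto} {ports}" for ports, proto, src, dst, _ in required_rules(features)]
```

Calling `render({"vsan", "vmotion"})` lists exactly the rows to allow between two management networks for a vSAN cluster that also does vMotion, and `open_ports` gives the same data as per-protocol port sets for a firewall object group.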

ESXi 6.x

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 9 | UDP | vCenter Server | ESXi Host | Used by Wake on LAN. |
| 22 | TCP | SSH Client | ESXi Host | Required for SSH access |
| 53 | UDP | ESXi Host | DNS Server | DNS client |
| 68 | UDP | DHCP Server | ESXi Host | DHCP client for IPv4 |
| 80 | TCP | Web Browser | ESXi Host | Welcome page, with download links for different interfaces |
| 161 | UDP | SNMP Server | ESXi Host | Allows the host to connect to an SNMP server |
| 427 | TCP/UDP | CIM Server | ESXi Host | The CIM client uses the Service Location Protocol, version 2 (SLPv2) to find CIM servers |
| 443 | TCP | vSphere Web Client | ESXi Host | Client Connections |
| 546 | TCP/UDP | DHCP Server | ESXi Host | DHCP client for IPv6 |
| 547 | TCP/UDP | ESXi Host | DHCP Server | DHCP client for IPv6 |
| 902 | TCP/UDP | VMware vCenter Agent | ESXi Host | vCenter Server agent |
| 2233 | TCP | ESXi Host | vSAN Transport | vSAN reliable datagram transport. Uses TCP and is used for vSAN storage IO. If disabled, vSAN does not work. |
| 3260 | TCP | ESXi Host | Software iSCSI Client | Supports software iSCSI |
| 5671 | TCP | ESXi Host | rabbitmqproxy | A proxy running on the ESXi host that allows applications running inside virtual machines to communicate with the AMQP brokers running in the vCenter network domain. The virtual machine does not have to be on the network, that is, no NIC is required. The proxy connects to the brokers in the vCenter network domain. Therefore, the outgoing connection IP addresses should at least include the current brokers in use or future brokers. Brokers can be added if the customer would like to scale up. |
| 5988, 8889 | TCP | CIM Server (5988), OpenWSMAN Daemon (8889) | ESXi Host | 5988: Server for CIM (Common Information Model). 8889: Web Services Management (WS-Management is a DMTF open standard for the management of servers, devices, applications, and Web services) |
| 5989 | TCP | CIM Secure Server | ESXi Host | Secure server for CIM |
| 6999 | UDP | NSX Distributed Logical Router Service | ESXi Host | NSX Virtual Distributed Router service. The firewall port associated with this service is opened when NSX VIBs are installed and the VDR module is created. If no VDR instances are associated with the host, the port does not have to be open. This service was called NSX Distributed Logical Router in earlier versions of the product. |
| 8000 | TCP | ESXi Host | ESXi Host | vMotion. Required for a virtual machine migration with vMotion. ESXi hosts listen on port 8000 for TCP connections from remote ESXi hosts for vMotion traffic |
| 8080 | TCP | vsanvp | ESXi Host | VSAN VASA Vendor Provider. Used by the Storage Management Service (SMS) that is part of vCenter to access information about Virtual SAN storage profiles, capabilities, and compliance. If disabled, Virtual SAN Storage Profile Based Management (SPBM) does not work. |
| 8100, 8200, 8300 | TCP/UDP | Fault Tolerance | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT). |
| 8301, 8302 | UDP | DVSSync | ESXi Host | DVSSync ports are used for synchronizing states of distributed virtual ports between hosts that have VMware FT record/replay enabled. Only hosts that run primary or backup virtual machines must have these ports open. On hosts that are not using VMware FT these ports do not have to be open. |
| 12345, 23451 | UDP | ESXi Host | vSAN Clustering Service | Cluster Monitoring, Membership, and Directory Service used by vSAN. |
| 44046, 31031 | TCP | ESXi Host | HBR | Used for ongoing replication traffic by vSphere Replication and VMware Site Recovery Manager. |
| 80, 9000 | TCP | ESXi Host | vCenter Server | vSphere Update Manager |

NOTE: Refer to the vSphere Security Guide for the relevant release:
- ESXi 6.7 – vSphere Security Guide
- ESXi 6.5 – vSphere Security Guide
- ESXi 6.0 – vSphere Security Guide

ESXi 5.x

| Port | Protocol | Source | Target | Purpose |
|---|---|---|---|---|
| 22 | TCP | Client PC | ESXi Host | SSH Server |
| 53 | UDP | ESXi 5.x | DNS Server | DNS Client |
| 68 | UDP | ESXi 5.x | DHCP Server | DHCP Client |
| 80 | TCP | Client PC | ESXi Host | Redirect Web Browser to HTTPS Service (443) |
| 88 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication – Kerberos |
| 111 | TCP | ESXi/ESX Host | NFS Server | NFS Client – RPC Portmapper |
| 111 | UDP | ESXi/ESX Host | NFS Server | NFS Client – RPC Portmapper |
| 123 | UDP | ESXi/ESX Host | NTP Time Server | NTP Client |
| 161 | UDP | SNMP Server | ESXi Host | SNMP Polling. Not used in ESXi 3.x |
| 162 | UDP | ESXi Host | SNMP Collector | SNMP Trap Send |
| 389 | TCP/UDP | ESXi host | LDAP Server | PAM Active Directory Authentication – Kerberos |
| 427 | UDP | VI / vSphere Client | ESXi/ESX Host | CIM Service Location Protocol (SLP) |
| 443 | TCP | VI / vSphere Client | ESXi/ESX Host | VI / vSphere Client to ESXi/ESX Host management connection |
| 445 | UDP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication |
| 445 | TCP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication |
| 445 | TCP | ESXi host | SMB Server | SMB Server |
| 464 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication – Kerberos |
| 514 | UDP/TCP | ESXi 5.x | Syslog Server | Remote syslog logging |
| 902 | TCP/UDP | ESXi 5.x | ESXi Host | Host access to other hosts for migration and provisioning |
| 902 | TCP | vSphere Client | ESXi Host | vSphere Client access to virtual machine consoles (MKS) |
| 902 | UDP | ESXi 5.x | vCenter Server | (UDP) Status update. Managed hosts send a regular heartbeat to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts. |
| 1024 (dynamic) | TCP/UDP | ESXi Host | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). See Active Directory and Active Directory Domain Services Port Requirements. |
| 2049 | TCP | ESXi 5.x | NFS Server | Transactions from NFS storage devices |
| 2049 | UDP | ESXi 5.x | NFS Server | Transactions from NFS storage devices |
| 3260 | TCP | ESXi 5.x | iSCSI storage server | Transactions to iSCSI storage devices |
| 5900 to 5964 | TCP | ESXi 5.x | ESXi Host | RFB protocol, which is used by management tools such as VNC |
| 5988 | TCP | CIM Server | ESXi Host | CIM transactions over HTTP |
| 5989 | TCP | vCenter Server | ESXi Host | CIM XML transactions over HTTPS |
| 5989 | TCP | ESXi 5.x | vCenter Server | CIM XML transactions over HTTPS |
| 8000 | TCP | ESXi 5.x (VM Target) | ESXi (VM Source) | Requests from vMotion |
| 8000 | TCP | ESXi 5.x (VM Source) | ESXi (VM Target) | Requests from vMotion |
| 8100 | TCP/UDP | ESXi 5.x | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 8182 | TCP/UDP | ESXi 5.x | ESXi Host | Traffic between hosts for vSphere High Availability (vSphere HA) |
| 8200 | TCP/UDP | ESXi 5.x | ESXi Host | Traffic between hosts for vSphere Fault Tolerance (FT) |
| 8301 | UDP | ESXi 5.x | ESXi Host | DVS Port Information |
| 8302 | UDP | ESXi 5.x | ESXi Host | DVS Port Information |
| 31000 | TCP | SPS Server | vCenter Server | Internal Communication Port |


Additional information on each port can be found at https://ports.vmware.com/home/vSphere


Giovanni Dominoni's Tech Blog