Required ports for vCenter Server 5.5 (2051575)
Note: For information on the required ports for vCenter Server Appliance 5.x, see Required ports for vCenter Server Appliance 5.x (2012773).
VMware uses designated ports for communication. Additionally, the managed hosts monitor designated ports for data from the vCenter Server system. If a firewall exists between any of these elements and the Windows firewall service is in use, the installer opens the ports during the installation process. For custom firewalls, you must manually open the required ports. If you have a firewall between two managed hosts and you want to perform source or target activities such as migration or cloning, you must configure a means for the managed hosts to receive data.
Note: In Microsoft Windows Server 2008, a firewall is enabled by default.
This table outlines the ports required for communication between components:
vCenter Server requires port 80 for direct HTTP connections. Port 80 redirects requests to HTTPS port 443. This redirection is useful if you accidentally use http://server instead of https://server.
Note: Microsoft Internet Information Services (IIS) also uses port 80. For more information, see the Conflict Between vCenter Server and IIS for Port 80 section in the vSphere Installation and Setup guide.
|vCenter Single Sign-On - VMware Kdc Service|
This port must be open in the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535.
If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535.
|443||TCP||The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall.|
The vCenter Server system also uses port 443 to monitor data transfer from SDK clients.
This port is also used for these services:
This is the SSL port of the local instance for vCenter Server Linked Mode. If another service is running on this port, it might be preferable to remove it or change its port. You can run the SSL service on any port from 1025 through 65535.
This is the default port used by the vCenter Server system to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.
|903||TCP||Access a virtual machine console from the vSphere Client when the vSphere Client is connected directly to the ESXi host (no vCenter Server).|
|1234, 1235||TCP||vSphere Replication|
|vCenter Single Sign-On - VMware Directory Service|
|vCenter Single Sign-On - VMware Kdc Service|
|vCenter Single Sign-On - VMware Certificate Service|
Web Services HTTP. Used for the VMware VirtualCenter Management Web Services.
Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services.
Web Service change service notification port
Auto Deploy service
Auto Deploy management
|7005||TCP||vCenter Single Sign-On|
|7009||TCP||vCenter Single Sign-On|
vCenter Single Sign-On HTTP Port
vSphere Web Client - HTML5 Remote Console
vSphere Web Client - HTML5 Remote Console, HTTPS (vCenter 5.5 Update 2 and later)
vCenter Single Sign-On - VMware Secure Token Service
|8000||TCP||Requests from vMotion|
|8009||TCP||AJP connector port for vCenter Server Appliance communication with Tomcat|
|8100||TCP||Traffic between ESXi hosts for vSphere Fault Tolerance (FT)|
|8182||TCP||Traffic between ESXi hosts for vSphere High Availability (HA)|
|8200||TCP||Traffic between ESXi hosts for vSphere Fault Tolerance (FT)|
Port range used if 80 and 443 are unavailable for communication to the ESXi hosts.
vSphere Web Client HTTPS
|9875 - 9877||TCP||vSphere Web Client Java Management Extension (JMX). Dynamically acquired upon the vSphere Web Client service starting.|
vSphere Web Client HTTP
vCenter Inventory Service HTTP
vCenter Inventory Service Management
vCenter Inventory Service Linked Mode Communication
vCenter Inventory Service HTTPS
vCenter Single Sign-On - VMware Directory Service (LDAP)
vCenter Single Sign-On - VMware Directory Service (LDAPS)
vCenter Single Sign-On - VMware Identity Management Service
|49000 - 65000|
vCenter Single Sign-On - VMware Identity Management Service. Dynamically acquired upon the VMware Identity Management Service starting.
|Storage Policy Server HTTP|
|Storage Policy Server HTTPS|
|vCenter Server Storage Monitoring Service HTTP|
|vCenter Server Storage Monitoring Service HTTPS|
|VMware vSphere Profile-Driven Storage Service HTTP|
|31100||TCP||VMware vSphere Profile-Driven Storage Service HTTPS|
|VMware Storage Management Service HTTP|
|VMware Storage Management Service HTTPS|
Note: If you want the vCenter Server system to use a different port to receive the vSphere Web Client data, see the vCenter Server and Host Management Guide.
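For a custom firewall, the table can be turned into a checkable allowlist. The following is an added example, not VMware code: it parses the rows whose port numbers are present above (ports named only in prose, such as 80, 389 and 902, are not included) and compares them with a rule list. The `proto ports` rule format and the sample rules are constructed for illustration.

```python
import re
# Rows from the table above whose port cell survives on the page (descriptions shortened).
DOCUMENTED_ROWS = """\
|443||TCP||vSphere Client and SDK clients|
|903||TCP||VM console, client direct to ESXi|
|1234, 1235||TCP||vSphere Replication|
|7005||TCP||vCenter Single Sign-On|
|7009||TCP||vCenter Single Sign-On|
|8000||TCP||Requests from vMotion|
|8009||TCP||AJP connector|
|8100||TCP||Fault Tolerance|
|8182||TCP||High Availability|
|8200||TCP||Fault Tolerance|
|9875 - 9877||TCP||vSphere Web Client JMX|
|31100||TCP||Profile-Driven Storage HTTPS|
"""
# Constructed sample: inbound allow rules of a custom firewall, "proto ports".
SAMPLE_RULES = ["tcp 443", "tcp 1234-1235", "tcp 7005", "tcp 8000-8200", "tcp 3389"]

def expand(spec):
    """Expand '443', '1234, 1235' or '9875 - 9877' into a set of port numbers."""
    ports = set()
    for part in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)(?:\s*-\s*(\d+))?\s*", part)
        lo, hi = (int(m.group(1)), int(m.group(2) or m.group(1))) if m else (0, 0)
        if not 0 < lo <= hi <= 65535:
            raise ValueError(f"bad port spec: {part!r}")
        ports.update(range(lo, hi + 1))
    return ports

def parse_rows(text):
    """Map (protocol, port) -> service for each |ports||proto||service| row."""
    table = {}
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("||")]
        if len(cells) == 3:  # rows that lost their port cell cannot be checked
            for port in expand(cells[0]):
                table[(cells[1].lower(), port)] = cells[2]
    return table

def audit(rules, documented):
    """Return (excess, missing): open but undocumented, documented but not open."""
    pairs = (rule.split(None, 1) for rule in rules)
    opened = {(proto.lower(), p) for proto, spec in pairs for p in expand(spec)}
    known = set(documented)
    return sorted(opened - known), sorted(known - opened)

if __name__ == "__main__":
    excess, missing = audit(SAMPLE_RULES, parse_rows(DOCUMENTED_ROWS))
    print(f"{len(excess)} open but undocumented; documented but not open: {missing}")
```

With the sample rules, the broad `8000-8200` range covers the five documented ports in that span but also opens 196 others, which is the kind of rule the comparison is meant to surface.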
- TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and ESX hosts, and other network components (1012382)