VMware vCenter Update Manager network port requirements (1004543)
You can install vCenter Update Manager on the same machine as vCenter Server or on a different machine. Before you install vCenter Update Manager, gather the networking information (including the IP address and port number) about vCenter Server that vCenter Update Manager will use.
vCenter Update Manager 4.x/5.x/6.x
- vCenter Update Manager connects to vCenter Server on TCP port 80.
- ESXi/ESX hosts connect to the Update Manager Web Server listening on HTTP port 9084 for host patch downloads.
- vSphere Client initialization of the vCenter Update Manager plugin uses TCP port 9084 between the client and the vCenter Update Manager server.
- vCenter Update Manager connects to ESXi/ESX hosts on TCP port 902 for pushing virtual machine patches and host upgrade files.
Note: vCenter Update Manager 5.0.x no longer supports patching virtual machines.
- The vCenter Update Manager Client plug-in connects to the vCenter Update Manager SOAP server listening on port 8084. It connects to the vCenter Update Manager Web server on HTTP (SSL) port 9087 for uploading the host upgrade files.
If the default ports 80 and 443 are already in use by another application, the alternate port numbers used by vCenter Update Manager should be within the range 9000-9100. VMware vCenter Update Manager automatically opens these ports for ESX host scanning and remediation.
vCenter Update Manager 1.0.x
After the installation:
- The vCenter Update Manager Web server listens on 9084 TCP if the default is not changed during the installation.
- The vCenter Update Manager SOAP server listens on 8084 TCP if the default is not changed during the installation.
Both are accessed through a reverse proxy that listens on the standard ports 80 and 443, but there is a slight difference depending on the installation:
- When vCenter Update Manager and vCenter Server are installed on the same machine:
- All incoming connections to vCenter Update Manager are accessed through a reverse proxy provided by vCenter Server.
- ESX hosts connect to port 80, and vCenter Server forwards the request to the vCenter Update Manager Web server listening on 9084 for host patch downloads.
- vCenter Server directly connects to vCenter Update Manager on 8084 because they are on the same machine.
- When Update Manager and vCenter Server are installed on two different machines:
- vCenter Update Manager has a reverse proxy listening on ports 80 and 443 if the default is not changed during the installation.
- vCenter Server connects to vCenter Update Manager through port 443. The reverse proxy forwards the request to 8084.
- The ESXi/ESX host connects to vCenter Update Manager through port 80. The reverse proxy forwards the request to 9084.
To obtain metadata, vCenter Update Manager must be able to connect to http://www.vmware.com, and requires outbound ports 80 and 443.
- For binary data, the outbound ports are 80 and 443.
- For ESXi/ESX host scanning and remediation, vCenter Update Manager requires that port 80 be open on the ESX host.
- For vCenter Update Manager to push patches to ESXi/ESX host, port 902 is required.
vSphere Client initialization of the vCenter Update Manager plugin uses TCP port 9084 between the client and the vCenter Update Manager server.
Note: For more information on vCenter Update Manager, see the VMware Update Manager Administration Guide at the VMware Documentation Site.For more information on ports used by VMware products, see TCP and UDP Ports required to access vCenter Server, ESXi/ESX hosts, and other network components (1012382).
Additionally, while the Update Manager server may be able to connect to vmware.com, it is possible that the downloads are failing due to internet filters that can deny access to sub-domains of vmware.com.
This is the default list of download sources for Update Manager:
Note: If any of these addresses fail to display an XML page, the download for Update Manager patches will fail.