When deploying the vCenter Server Appliance (VCSA), there are a set default network ports that are already pre-defined by VMware. It is generally recommended to stick with these defaults unless you have a really good reason to modify them. I am a big fan of strong defaults which can help reduce the number of steps it takes to deploy the VCSA, however I do understand that there are some organizations who may have specific security requirements which requires them to change some of the default ports. It is also important to note that changing the default network ports post-installation is not supported.
Disclaimer: This is not officially supported by VMware, please use at your own risk.
If you deploy the VCSA using the new Guided UI installer, you will not be able to modify the default network ports. However, if you deploy using the new Scripted CLI installer, you do have the option of overriding some of the default ports. Below is a table of the ports that can be modified which includes the variable name, default port number and their port usage which is described in the vSphere 6.0 documentation here. The variable port names are required in the JSON configuration file if you decide to modify from the default.
| Variable Name | Port | Port Usage |
|---|---|---|
| rhttpproxy.ext.port1 | 80 | HTTP Reverse Proxy Port |
| rhttpproxy.ext.port2 | 443 | HTTPs Reverse Proxy Port |
| syslog.ext.port | 514 | Syslog Service Port |
| vpxd.ext.port1 | 902 | ESXi Heartbeat port |
| syslog.ext.tls.port | 1514 | Syslog Service TLS port |
| netdumper.ext.serviceport | 6500 | ESXi Dump Collector port |
| autodeploy.ext.serviceport | 6501 | Auto Deploy Service port |
| autodeploy.ext.managementport | 6502 | Auto Deploy Management port |
| sts.ext.port1 | 7444 | Secure Token Service port |
| vsphere-client.ext.port1 | 9443 | vSphere Web Client port |
Under the "Networking" section of the JSON configuration file, there is a "Ports" field which accepts a JSON encoded string of the ports you wish to modify. It actually took me a bit of time to figure out the exact syntax as this was not clearly documented anywhere. Lets say we wish to change the default HTTPS Reverse Proxy from 443 to 13443 and PSC's STS port from 7444 to 7441, you will need to specify it as shown in the example below. The key is properly escape the inner-double quotations since ports accepts a single string input.
"network": {
"hostname": "192.168.1.140",
"dns.servers": [
"192.168.1.1"
],
"gateway": "192.168.1.1",
"ip": "192.168.1.140",
"ip.family": "ipv4",
"mode": "static",
"prefix": "24",
"ports": "{\"rhttpproxy.ext.port2\":\"13443\",\"sts.ext.port1\":\"7441\"}"
},
If everything was successful, when you connect to the VCSA, you should see that we no longer use the default port of 443 to connect to the vCenter Server as you can see from the screenshot below.
If you ever wonder what ports were selected for either a vCenter Server or Platform Services Controller, you can easily find that by following the instructions in this article.
For customers using the Windows version of vCenter Server, you do have the option of modifying the default ports using the Guided UI since there is no guarantee these ports are not in use as VMware does not control the underlying OS. You can also use the Windows Scripted CLI to modify the default ports which you can find more information here.
Thanks for your research on this! As customers become more security focused going forward, they will want to have the flexibility to modify the default ports associated with their VCSA deployments.
so how can i change that background like you did?
Take a look at this article here http://www.virtuallyghetto.com/2015/02/how-to-customize-the-new-vsphere-6-0-web-client-login-ui.html for the details
Is there any way to firewall the ports so only certain IPs have access? This is possible on the ESXi host, but the GUI firewall options for VCSA are much more simplistic.
Yes, have a look at the appliancesh interface which allows you to specify which inbound IPs are whitelisted. Page 27 for more info https://pubs.vmware.com/vsphere-60/topic/com.vmware.ICbase/PDF/vsphere-esxi-vcenter-server-60-appliance-configuration-guide.pdf
What port or ports is used during the VCSA GUI Install to communicate between the installer location and the ESX target host?
example: my laptop at the office to the server in the DC. 🙂
Everything goes across 443 to either vCenter Server or ESXi endpoint for deploying VCSA
For 6.0 you can change the webconsole port in VCSA in:
/etc/vmware/vsphere-client/webclient.properties
Add this line:
html.console.port = 8081
Then make sure to open the firewall to this port. I'm not certain if the firewall rules in the vcenter application will work, but they should. Alternatively that file suggests a generic iptables rule:
sudo iptables -A INPUT -p tcp --dport -j ACCEPT
I'm wary about the iptables route above because typically these will not be static and will be erased on reboot unless you do an iptables-save, but I don't know 100% how iptables works on the VCSA appliance - VMWare likes to heavily customize it's os and packages.
Willia, hi, I need to change default ssh port in ESXi 6.5, Can I you help me? Regards
How do I do the same in vcsa 6.5? When I tried what was illustrated here, the system said that it cant identify the key "ports" in the json file.
I have same problem
hi,
i need to restore as default 7444 the security token port . Atm is 1744.
The vcenter server 5.5 is installed on one windows server.
Anyone can help me ?
thanks 🙂