In this post I’ll describe the firewall ports required by the vRealize Automation appliance.
As a security best practice, configure incoming and outgoing ports for the vRealize Automation appliance according to VMware recommendations.
Incoming Ports

| Port | Protocol | Comments |
|---|---|---|
| 22 | TCP | Optional. Access for SSH sessions. |
| 80 | TCP | Optional. Redirects to 443. |
| 88 | TCP (UDP optional) | Cloud KDC Kerberos authentication from external mobile devices. |
| 443 | TCP | Access to the vRealize Automation console and API calls. Access for machines to download the guest agent and software bootstrap agent. Access for load balancer, browser. |
| 4369, 5671, 5672, 25672 | TCP | RabbitMQ messaging. |
| 5480 | TCP | Access to the virtual appliance management interface. Used by the Management Agent. |
| 5488, 5489 | TCP | Internally used by the vRealize Automation appliance for updates. |
| 8230, 8280, 8281, 8283 | TCP | Internal vRealize Orchestrator instance. |
| 8443 | TCP | Access for browser. Identity Manager administrator port over HTTPS. |
| 8444 | TCP | Console proxy communication for vSphere VMware Remote Console connections. |
| 8494 | TCP | Container service cluster sync. |
| 9300–9400 | TCP | Access for Identity Manager audits. |
| 54328 | UDP | |
| 40002, 40003 | TCP | vIDM cluster sync. |
Outgoing Ports

| Port | Protocol | Comments |
|---|---|---|
| 25, 587 | TCP, UDP | SMTP for sending outbound notification email. |
| 53 | TCP, UDP | DNS server. |
| 67, 68, 546, 547 | TCP, UDP | DHCP. |
| 80 | TCP | Optional. For fetching software updates. Updates can be downloaded separately and applied. |
| 88, 464, 135 | TCP, UDP | Domain controller. |
| 110, 995 | TCP, UDP | POP for receiving inbound notification email. |
| 143, 993 | TCP, UDP | IMAP for receiving inbound notification email. |
| 123 | TCP, UDP | Optional. For connecting directly to NTP instead of using host time. |
| 389 | TCP | Access to View Connection Server. |
| 389, 636, 3268, 3269 | TCP | Active Directory. Default ports shown, but are configurable. |
| 443 | TCP | Communication with IaaS Manager Service and infrastructure endpoint hosts over HTTPS. Communication with the vRealize Automation software service over HTTPS. Access to the Identity Manager upgrade server. Access to View Connection Server. |
| 445 | TCP | Access to ThinApp repository for Identity Manager. |
| 902 | TCP | ESXi network file copy operations and VMware Remote Console connections. |
| 5050 | TCP | Optional. For communicating with vRealize Business for Cloud. |
| 5432 | TCP, UDP | Optional. For communicating with another appliance PostgreSQL database. |
| 5500 | TCP | RSA SecurID system. Default port shown, but is configurable. |
| 8281 | TCP | Optional. For communicating with an external vRealize Orchestrator instance. |
| 8494 | TCP | Container service cluster sync. |
| 9300–9400 | TCP | Access for Identity Manager audits. |
| 54328 | UDP | |
| 40002, 40003 | TCP | vIDM cluster sync. |
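A port list like the incoming table above is only useful if the appliance is periodically checked against it. The following script is an added example (not part of this post and not VMware's tooling): it transcribes the incoming table into a Python allowlist, parses the output of `ss -tuln` as run on the appliance, and reports two things a firewall reviewer cares about: sockets listening on a non-loopback address that the table does not document (candidates for an unexpected service), and documented non-optional ports with no listener at all (a service that is down, or a rule that can be tightened). The `ss` output below is constructed sample data; loopback-only binds such as PostgreSQL on 127.0.0.1 are deliberately skipped because they are not reachable through the firewall.

```python
import re

# Incoming ports transcribed from the table above as (protocols, first port, last port, comment).
# Entries whose comment starts with "Optional" are allowed but not required to be listening.
INCOMING_PORTS = [
    (("tcp",), 22, 22, "Optional. Access for SSH sessions."),
    (("tcp",), 80, 80, "Optional. Redirects to 443."),
    (("tcp",), 88, 88, "Cloud KDC Kerberos authentication from external mobile devices."),
    (("udp",), 88, 88, "Optional. Cloud KDC Kerberos authentication (UDP)."),
    (("tcp",), 443, 443, "vRealize Automation console, API, agent downloads, load balancer."),
    (("tcp",), 4369, 4369, "RabbitMQ messaging."),
    (("tcp",), 5671, 5672, "RabbitMQ messaging."),
    (("tcp",), 25672, 25672, "RabbitMQ messaging."),
    (("tcp",), 5480, 5480, "Virtual appliance management interface / Management Agent."),
    (("tcp",), 5488, 5489, "Internally used by the appliance for updates."),
    (("tcp",), 8230, 8230, "Internal vRealize Orchestrator instance."),
    (("tcp",), 8280, 8281, "Internal vRealize Orchestrator instance."),
    (("tcp",), 8283, 8283, "Internal vRealize Orchestrator instance."),
    (("tcp",), 8443, 8443, "Identity Manager administrator port over HTTPS."),
    (("tcp",), 8444, 8444, "Console proxy for VMware Remote Console connections."),
    (("tcp",), 8494, 8494, "Container service cluster sync."),
    (("tcp",), 9300, 9400, "Identity Manager audits."),
    (("udp",), 54328, 54328, ""),
    (("tcp",), 40002, 40003, "vIDM cluster sync."),
]

# Matches a data line of `ss -tuln`: netid, state, recv-q, send-q, local address:port, ...
SS_LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)\s+")
LOOPBACK = {"127.0.0.1", "[::1]"}


def parse_listeners(ss_output):
    """Return the set of (protocol, port) sockets bound to a non-loopback address."""
    listeners = set()
    for line in ss_output.splitlines():
        match = SS_LINE.match(line.strip())
        if not match:
            continue  # header line or something ss printed that is not a socket
        proto, local = match.groups()
        addr, port = local.rsplit(":", 1)  # handles 0.0.0.0:22, *:443 and [::]:8443
        if addr in LOOPBACK:
            continue  # not reachable through the firewall, so not part of this audit
        listeners.add((proto, int(port)))
    return listeners


def lookup(proto, port):
    """Return the table comment for a (proto, port), or None if the table does not list it."""
    for protos, low, high, comment in INCOMING_PORTS:
        if proto in protos and low <= port <= high:
            return comment
    return None


def audit_listeners(ss_output):
    """Compare live listeners with the table.

    'unexpected' = listening sockets the table does not document.
    'missing'    = non-optional table entries with no listener; a port range counts as
                   present when any port inside it is listening.
    """
    listeners = parse_listeners(ss_output)
    unexpected = sorted(sock for sock in listeners if lookup(*sock) is None)
    missing = []
    for protos, low, high, comment in INCOMING_PORTS:
        if comment.startswith("Optional"):
            continue
        for proto in protos:
            if not any(p == proto and low <= port <= high for p, port in listeners):
                missing.append((proto, low, high, comment))
    return {"unexpected": unexpected, "missing": missing}


# Constructed sample of `ss -tuln` output; not captured from a real appliance.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    *:443             *:*
tcp   LISTEN 0      128    0.0.0.0:5480      0.0.0.0:*
tcp   LISTEN 0      128    [::]:8443         [::]:*
tcp   LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:9300      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:54328     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:3306      0.0.0.0:*
"""

if __name__ == "__main__":
    report = audit_listeners(SAMPLE_SS)
    for proto, port in report["unexpected"]:
        print(f"UNEXPECTED listener: {proto}/{port} is not in the documented incoming ports")
    for proto, low, high, comment in report["missing"]:
        span = f"{low}" if low == high else f"{low}-{high}"
        print(f"MISSING listener: {proto}/{span} ({comment})")
```

On a real appliance, feed it the output of `ss -tuln` instead of `SAMPLE_SS`. In the sample, the undocumented `tcp/3306` listener is reported as unexpected, the loopback-only PostgreSQL socket is ignored, and documented services that are not listening (RabbitMQ, Orchestrator, and so on) are listed as missing so the reviewer can decide whether the corresponding firewall rules are still needed.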