Port numbers that must be open for vSphere Replication 8.x

Products

VMware Live Recovery VMware vSphere ESXi

Issue/Introduction

This article provides information about port numbers that must be open for vSphere Replication 8.x.

Environment

VMware vSphere Replication 8.x

VLSR 9.x

Resolution

vSphere Replication appliance network ports

The vSphere Replication appliance requires certain ports to be open.

NOTE: vSphere Replication Management servers must have NFC traffic access to target ESXi hosts. VR 8.8 no longer uses port # 80 for communication. The below ports are a requirement of 8.7 and below versions. For 8.8 and above, please check - Services, Ports, and External Interfaces That the vSphere Replication Virtual Appliance Uses

Use netcat command when testing from ESXi to appliances (vCenter/SRM/VR)
Use curl command when testing between appliances (vCenter/SRM/VR)

curl -v telnet://Target IP address:31031 (desired port #)
nc –zv xxx.xxx.xx.xxx 31031 (desired port #)

Default Port	Protocol or Description	Source	Target	Endpoints or Consumers
80	TCP	vSphere Replication appliance	All local and remote PSCs in same SSO domain (only if external PSC is used)	All management traffic to the vSphere Replication appliance goes to port 80 on the vCenter Server proxy system.
80	TCP	vSphere Replication appliance	Remote vCenter Server and local vCenter Server	All management traffic to the vSphere Replication appliance goes to port 80 on the vCenter Server proxy system.
80	HTTP	vSphere Replication server in the vSphere Replication appliance	ESXi host (intra-site)	Used to establish the connection before initial replication starts
443	TCP	vSphere Replication appliance	All local and remote PSCs in same SSO domain (only if external PSC is used)	All management traffic to the vSphere Replication appliance
443	TCP	vSphere Replication appliance	Local and remote vCenter Server	All management traffic to the vSphere Replication appliance
443	TCP	New appliance	ESXi that hosts the old appliance	Applicable only for VR 8.x migration upgrade
902	TCP and UDP	vSphere Replication server in the vSphere Replication appliance on secondary site	ESXi host (intra-site only) on secondary site	Used by vSphere Replication servers to send replication traffic to the destination ESXi hosts.
5480	vSphere Replication appliance virtual appliance management interface (VAMI) Web UI	Browser	vSphere Replication 8.x appliance and later	Administrator's Web browser.
7444	TCP	vSphere Replication appliance	vCenter Server (intra-site)
7444	TCP	vCenter Server	All local and remote PSCs
8043	SOAP	vCenter Server	vSphere Replication appliance	From the vCenter Server to the vSphere Replication appliance (intra-site only).
8123	SOAP	vSphere Replication appliance	vSphere Replication server	Management traffic from the vSphere Replication appliance to additional vSphere Replication servers (intra-site only).
10443	HTTPS	vSphere Web Client on the primary site	vCenter Server / Inventory Service on the secondary site	The vSphere Replication UI uses the Inventory Service of the remote vCenter Server to list target datastores.
31031	Initial replication traffic in vSphere Replication. Initial and ongoing replication traffic in vSphere Replication	ESXi host on primary site	vSphere Replication server in the vSphere Replication appliance on the secondary site or an external VRS on secondary site.	From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site.

8043	SOAP	vSphere Replication Management Server -VRMS	vSphere Replication Management Server -VRMS	From the VRMS of the Primary Site to the VRMS on the DR site - Port should be open Across Sites

vSphere Replication server network ports

If you deploy additional vSphere Replication servers, ensure that the subset of the ports that vSphere Replication servers require are open on those servers.

Default Port	Protocol or Description	Source	Target	Endpoints or Consumers
902	TCP and UDP	vSphere Replication server in the vSphere Replication appliance on secondary site	ESXi host (intra-site only) on secondary site	Traffic (specifically the NFC service to the destination ESXi servers) between the vSphere Replication server and the ESXi hosts on the same site.
5480	VAMI Web UI for any additional vSphere Replication servers	Browser	vSphere Replication server	Administrator's Web browser.
8123	SOAP	vSphere Replication management server	vSphere Replication server	Management traffic from the vSphere Replication appliance or VRMS to the vSphere Replication servers (intra-site only).
31031	Initial replication traffic in vSphere Replication Initial and ongoing replication traffic in vSphere Replication	ESXi host on primary site	vSphere Replication server	From the ESXi host at the protected site to the vSphere Replication appliance or vSphere Replication server at the recovery site.
32032	Initial and forward replication traffic with network encryption from the ESXi host at the source site to the vSphere Replication appliance or vSphere Replication server at the target site.	ESXi host on primary site	vSphere Replication server at the target site ESXi on target site (Enhanced Replication)	Encrypted traffic. If you configure a replication of an encrypted VM, the network encryption is automatically turned on and cannot be disabled

Network ports required for replications to Cloud

When you create a connection to the cloud, the vCloud Tunneling Agent in the vSphere Replication appliance creates a tunnel to secure the transfer of replication data to your cloud Organization.

Default Port	Protocol or Description	Source	Target	Endpoints or Consumers
80	TCP	The ESXi host at the protected site.	The vCenter Server at the protected site.	The vCenter Server reverse proxy forwards VIB (vCloud Air DRaaS firewall rules) download request to vSphere Replication appliance.
443	TCP	vSphere Replication appliance at the protected site.	vCloud API	vSphere Replication appliance connects to this port to send replication data to a cloud organization.
10000-10010	TCP	The ESXi host at the protected site.	The vSphere Replication appliance at the protected site.	The vCloud Tunneling Agent opens one of these ports on the vSphere Replication appliance. ESXi hosts connect to that port to send replication data to a cloud organization.

Additional Information

For more detailed port number information, please refer to this link - Network Ports for Site Recovery Manager

For more detailed port number information for 9.x, please refer to this link - https://ports.broadcom.com/home/VMware-Live-Site-Recovery

From the release notes for better information:

https://techdocs.broadcom.com/us/en/vmware-cis/live-recovery/live-site-recovery/9-0/how-do-i-protect-my-environment/replicating-virtual-machines/using-vsphere-replication-with-srm/how-to-reconfigure-replications-to-use-the-enhanced-replication-capabilities.html

Enhanced replications require TCP network connectivity on ports 31031 and 32032 from the

ESXi

hosts on which the replicated VMs are running to the

ESXi

hosts of the cluster containing the target datastore. To use the reprotect workflow with

VMware Live Site Recovery

, the ports must be open in both directions. Make sure your firewall settings are adjusted accordingly.