Considerations for installing anti-virus software on VMware vCenter Server

Article ID: 313902

Products

VMware vCenter Server

Issue/Introduction

This article lists the considerations for installing anti-virus software on vCenter Server.

Symptoms:
VMware vCenter Server Services fail to function after the installation of anti-virus software on the vCenter Server.

Environment

VMware vCenter Server 6.0.x
VMware vCenter Server 5.1.x
VMware vCenter Server 5.0.x
VMware vCenter Server 5.5.x
VMware vCenter Server 4.0.x
VMware vCenter Server 4.1.x

Cause

VMware vCenter Server requires access to predetermined TCP and UDP ports to function. If anti-virus software prevents traffic on these ports, vCenter Server may not function as expected.

vCenter Server constantly updates a number of log files and relies on multiple configuration and binary files to function correctly. If the anti-virus software monitors or scans these files and folders, vCenter Server may suffer performance problems or its services may fail. An anti-virus scan of these files can also corrupt data.

Resolution

Exclude these folders from anti-virus scanning (for an embedded vPostgres database, excluding them is mandatory):
  • Windows Server 2012 (or later):
       C:\Program Files\VMware\
       C:\ProgramData\VMware
  • Windows Server 2008:
       C:\ProgramData\VMware\
  • Windows Server 2003:
       C:\Documents and Settings\All Users\Application Data\VMware\
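The following script is an added example and is not part of the KB article: it registers the two Windows Server 2012 (or later) folders listed above as path exclusions in Microsoft Defender Antivirus and then verifies that they took effect. It assumes Defender's Add-MpPreference and Get-MpPreference cmdlets are available and the session is elevated; a third-party engine keeps its exclusion list in its own console, but the same paths apply.

```powershell
# Added example, not part of the KB article: register the article's folder
# exclusions with Microsoft Defender Antivirus on a Windows Server 2012 (or later)
# vCenter Server, then verify that they took effect.
# Assumptions: Defender's Add-MpPreference / Get-MpPreference cmdlets are
# available and the session is elevated.

# The two paths the article names for Windows Server 2012 or later.
$vcenterPaths = @(
    'C:\Program Files\VMware\',
    'C:\ProgramData\VMware'
)

function Add-VcenterAvExclusion {
    param([string[]]$Paths)
    foreach ($path in $Paths) {
        # Only exclude folders that actually exist; a missing folder usually means
        # vCenter was installed to a non-default location that needs its own exclusion.
        if (-not (Test-Path -LiteralPath $path -PathType Container)) {
            Write-Warning "Folder '$path' not found on this host, skipping."
            continue
        }
        # Add-MpPreference appends to the existing list; a folder exclusion covers
        # every file and subfolder beneath it, which is what the log and database
        # directories under these paths need.
        Add-MpPreference -ExclusionPath $path
    }
}

function Test-VcenterAvExclusion {
    param([string[]]$Paths)
    # Compare without trailing backslashes so 'C:\ProgramData\VMware' and
    # 'C:\ProgramData\VMware\' count as the same folder.
    $configured = @((Get-MpPreference).ExclusionPath | ForEach-Object { $_.TrimEnd('\') })
    return [pscustomobject]@{
        Excluded = @($Paths | Where-Object { $_.TrimEnd('\') -in $configured })
        Missing  = @($Paths | Where-Object { $_.TrimEnd('\') -notin $configured })
    }
}

Add-VcenterAvExclusion -Paths $vcenterPaths
$result = Test-VcenterAvExclusion -Paths $vcenterPaths

if ($result.Missing.Count -gt 0) {
    Write-Error ("Exclusions not applied: " + ($result.Missing -join ', '))
} else {
    "All vCenter folder exclusions are in place:"
    $result.Excluded
}
```

The verification step matters more than the add step: an exclusion that was typed into the console but never saved, or that was overwritten by a later policy push, looks identical to one that works until the services start failing.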

Ports to be excluded from Anti-Virus Monitoring / Blocking

Version | Port | Protocol | Source | Target | Purpose
------- | ---- | -------- | ------ | ------ | -------
vCenter Server 4.x | 25 | TCP | vCenter Server | SMTP Server | Email notifications
vCenter Server 4.x | 53 | UDP | vCenter Server | DNS Server | DNS lookups
vCenter Server 4.x | 80 | TCP | Client PC | vCenter Server | Redirect Web Browser to HTTPS Service (443)
vCenter Server 4.x | 80 | TCP | vCenter Server | ESXi/ESX 4.x | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol
vCenter Server 4.x | 88 | UDP | vCenter Server | Active Directory Server | AD Authentication
vCenter Server 4.x | 88 | TCP | vCenter Server | Active Directory Server | AD Authentication
vCenter Server 4.x | 135 | TCP | vCenter Server | vCenter Server | Linked Mode
vCenter Server 4.x | 161 | UDP | SNMP Server | vCenter Server | SNMP Polling
vCenter Server 4.x | 162 | UDP | vCenter Server | SNMP Server | SNMP Trap Send
vCenter Server 4.x | 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | Bi-directional LDAP authentication with Kerberos encryption on TCP port 389 is required between all vCenter Servers that need to replicate.
vCenter Server 4.x | 443 | TCP | vCenter Server | ESXi/ESX Host | vCenter Server Agent
vCenter Server 4.x | 443 | TCP | vCenter Server | ESXi/ESX 4.x | Host DPM with HP iLO Remote Management and Control Protocol
vCenter Server 4.x | 443 | TCP | Client PC | vCenter Server | VI Web Access (Web Browser)
vCenter Server 4.x | 443 | TCP | vSphere Client | vCenter Server | vSphere Client access to vCenter Server
vCenter Server 4.x | 445 | TCP | vCenter Server | Active Directory Server | AD Authentication
vCenter Server 4.x | 445 | UDP | vCenter Server | Active Directory Server | AD Authentication
vCenter Server 4.x | 623 | UDP | vCenter Server | ESXi/ESX 4.x Host | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol
vCenter Server 4.x | 636 | TCP | vCenter Server | Linked vCenter Servers | Linked mode connectivity between vCenter Servers
vCenter Server 4.x | 902 | TCP/UDP | vCenter Server | ESXi/ESX Host | Heartbeat
vCenter Server 4.x | 902 | TCP/UDP | ESXi/ESX Host | vCenter Server | Heartbeat
vCenter Server 4.x | 903 | TCP | Client PC | vCenter Server | VI / vSphere Client to VM Console
vCenter Server 4.x | 902 | TCP | vCenter Server | ESXi/ESX Host | VI / vSphere Client to VM Console (after connection established between VI / vSphere Client and vCenter Server)
vCenter Server 4.x | 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | Bi-directional RPC communication on dynamic TCP ports is required between all vCenter Servers that need to replicate (via ADAM). A VIC still needs a direct connection to all vCenter Servers that own an object it needs to manage.
vCenter Server 4.x | 1433 | TCP | vCenter Server | Microsoft SQL Server | For vCenter Server Microsoft SQL Server Database
vCenter Server 4.x | 1521 | TCP | vCenter Server | Oracle Database Server | For vCenter Server Oracle Database
vCenter Server 4.x | 5989 | TCP | vCenter Server | ESXi/ESX Host | vCenter Server to ESX
vCenter Server 4.x | 5989 | TCP | ESXi/ESX Host | vCenter Server | ESX to vCenter Server
vCenter Server 4.x | 8005 | TCP | vCenter Server | vCenter Server | Internal Communication Port
vCenter Server 4.x | 8006 | TCP | vCenter Server | vCenter Server | Internal Communication Port
vCenter Server 4.x | 8080 | TCP | Client PC | vCenter Server 4.x | VMware vCenter Server 4 Management Web Services - HTTP
vCenter Server 4.x | 8083 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics
vCenter Server 4.x | 8085 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics/SDK
vCenter Server 4.x | 8086 | TCP | vCenter Server | vCenter Server | Internal Communication Port
vCenter Server 4.x | 8087 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics
vCenter Server 4.x | 8089 | TCP | vCenter Server | vCenter Server | SDK Tunneling Port
vCenter Server 4.x | 8443 | TCP | Client PC | vCenter Server 4.x | VMware vCenter Server 4 Management Web Services - HTTPS
vCenter Server 4.x | 8443 | TCP | vCenter Server | vCenter Server | Linked Mode
vCenter Server 4.x | 27000 | TCP | vCenter Server | VMware License Server | Licensing via FlexLM. Only required by vCenter Server 4 if ESXi/ESX 3.x hosts will be supported.
vCenter Server 4.x | 27000 | TCP | VMware License Server | vCenter Server | Licensing via FlexLM. Only required by vCenter Server 4 if ESXi/ESX 3.x hosts will be supported.
vCenter Server 4.x | 27010 | TCP | vCenter Server | VMware License Server | Licensing via FlexLM. Only required by vCenter Server 4 if ESXi/ESX 3.x hosts will be supported.
vCenter Server 4.x | 27010 | TCP | VMware License Server | vCenter Server | Licensing via FlexLM. Only required by vCenter Server 4 if ESXi/ESX 3.x hosts will be supported.
vCenter Server 4.1 | 60099 | TCP | vCenter Server | vCenter Server Services | This port is for internal communication between vCenter Server and its solutions. Specifically, it is used to exchange messages about inventory. If you do not have it open, a solution that integrates with vCenter Server using this service may be affected.
vCenter Server 5.x | 25 | TCP | vCenter Server | SMTP Server | Email notifications
vCenter Server 5.x | 53 | UDP | vCenter Server | DNS Server | DNS lookups
vCenter Server 5.x | 80 | TCP | Client PC | vCenter Server | vCenter Server requires port 80 for direct HTTP connections.
vCenter Server 5.x | 80 | TCP | vCenter Server | ESXi 5.x | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol
vCenter Server 5.x | 88 | UDP | vCenter Server | Active Directory Server | AD Authentication
vCenter Server 5.x | 88 | TCP | vCenter Server | Active Directory Server | AD Authentication
vCenter Server 5.x | 135 | TCP | vCenter Server | vCenter Server | Linked Mode
vCenter Server 5.x | 161 | UDP | SNMP Server | vCenter Server | SNMP Polling
vCenter Server 5.x | 162 | UDP | vCenter Server | SNMP Server | SNMP Trap Send
vCenter Server 5.x | 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, you can run the LDAP service on any port from 1025 through 65535.
vCenter Server 5.x | 443 | TCP | vSphere Client | vCenter Server | Port the vCenter Server system uses to listen for connections from the vSphere Client.
vCenter Server 5.x | 443 | TCP | vCenter Server | ESXi 5.x | vCenter Server Agent. Host DPM with HP iLO Remote Management and Control Protocol
vCenter Server 5.x | 623 | UDP | vCenter Server | ESXi 5.x | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol
vCenter Server 5.x | 636 | TCP | vCenter Servers | Linked vCenter Servers | vCenter Server Linked Mode: the SSL port of the local instance.
vCenter Server 5.x | 902 | TCP | vCenter Server | ESXi 5.x | Port the vCenter Server system uses to send data to managed hosts. This port must not be blocked by firewalls between the server and the hosts or between hosts.
vCenter Server 5.x | 902 | UDP | vCenter Server | ESXi 5.x | Managed hosts send a regular heartbeat to the vCenter Server system. This port must not be blocked by firewalls between the server and the hosts or between hosts.
vCenter Server 5.x | 902 | TCP/UDP | vSphere Client | ESXi 5.x | The vSphere Client uses this port to display virtual machine consoles.
vCenter Server 5.x | 902 | TCP/UDP | ESXi 5.x | ESXi 5.x | Host access to other hosts for migration and provisioning
vCenter Server 5.x | 903 | TCP | vSphere Client | ESXi 5.x | Remote console traffic generated by user access to virtual machines on a specific host.
vCenter Server 5.x | 1024 (dynamic) | RPC | Linked vCenter Servers | Linked vCenter Servers | Bi-directional RPC communication on dynamic TCP ports is required between all vCenter Servers that need to replicate (via ADAM). A VIC still needs a direct connection to all vCenter Servers that own an object it needs to manage.
vCenter Server 5.x | 1433 | TCP | vCenter Server | Microsoft SQL Server | For vCenter Server Microsoft SQL Server Database
vCenter Server 5.x | 1521 | TCP | vCenter Server | Oracle Database Server | For vCenter Server Oracle Database
vCenter Server 5.x | 5988 | TCP | ESXi 5.x | vCenter Server | CIM transactions over HTTP
vCenter Server 5.x | 5989 | TCP | vCenter Server | ESXi 5.x | CIM XML transactions over HTTPS
vCenter Server 5.x | 5989 | TCP | ESXi 5.x | vCenter Server | CIM XML transactions over HTTPS
vCenter Server 5.x | 7500 | UDP | vCenter Server | vCenter Server | Linked Mode, Java Discovery Port
vCenter Server 5.x | 8005 | TCP | vCenter Server | vCenter Server | Internal Communication Port
vCenter Server 5.x | 8006 | TCP | vCenter Server | vCenter Server | Internal Communication Port
vCenter Server 5.x | 8009 | TCP | vCenter Server | vCenter Server | AJP Port
vCenter Server 5.x | 8080 | TCP | Client PC | vCenter Server | Web Services HTTP. Used for the VMware VirtualCenter Management Web Services.
vCenter Server 5.x | 8083 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics
vCenter Server 5.x | 8085 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics/SDK
vCenter Server 5.x | 8086 | TCP | vCenter Server | vCenter Server | Internal Communication Port
vCenter Server 5.x | 8087 | TCP | vCenter Server | vCenter Server | Internal Service Diagnostics
vCenter Server 5.x | 8089 | TCP | vCenter Server | vCenter Server | SDK Tunneling Port
vCenter Server 5.x | 8443 | TCP | Client PC | vCenter Server | Web Services HTTPS. Used for the VMware VirtualCenter Management Web Services.
vCenter Server 5.x | 8443 | TCP | vCenter Server | vCenter Server | Linked Mode
vCenter Server 5.x | 9443 | TCP | Client PC | vCenter Server | vSphere Web Client Access
vCenter Server 5.x | 10109 | TCP | vCenter Server | vCenter Server | vCenter Server Inventory Service Service Management
vCenter Server 5.x | 10111 | TCP | vCenter Server | vCenter Server | vCenter Server Inventory Service Linked Mode Communication
vCenter Server 5.x | 10443 | TCP | Client PC | vCenter Server | vCenter Server Inventory Service HTTPS
vCenter Server 5.x | 51915 | TCP | ESXi | vSphere Authentication Proxy | This is a web service used to add a host to an Active Directory domain.
vCenter Server 5.x | 60099 | TCP | vCenter Server | vCenter Server | Web Service change service notification port
vCenter Server 5.1 | 7005 | TCP | vCenter Server (Tomcat Server settings) | vCenter Server Single Sign On | Base shutdown port. For more information, see Configuring VMware Tomcat Server Settings in vCenter Server 5.1.
vCenter Server 5.1 | 7080 | TCP | vCenter Server (Tomcat Server settings) | vCenter Server Single Sign On | HTTP Port
vCenter Server 5.1 | 7444 | TCP | vCenter Server (Tomcat Server settings) | vCenter Server Single Sign On | HTTPS Port
vCenter Server 5.1 | 7009 | TCP | vCenter Server (Tomcat Server settings) | Single Sign-On | AJP Port
vCenter Server 5.1 | 10111 | TCP | vCenter Server Inventory Service | vCenter Server | vCenter Server Inventory Service Linked Mode Communication
vCenter Server 5.1 | 49152 to 65535 | TCP | Active Directory | vCenter Server | Allow Active Directory authentication/communication between domain controllers and vCenter Server.
vCenter Server 5.1/5.5 | 8003 | TCP | vCenter Server (Tomcat Server settings) | vCenter Server Management Web Services | vCenter Server Management Web Services shutdown
vCenter Server 6.0 | 80 | TCP | Client PC | vCenter Server | vCenter Server requires port 80 for direct HTTP connections.
vCenter Server 6.0 | 88 | TCP/UDP | vCenter Server | ESXi 5.x | DPM with IPMI (iLO/BMC) ASF Remote Management and Control Protocol
vCenter Server 6.0 | 389 | TCP/UDP | vCenter Server | Linked vCenter Servers | This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, you can run the LDAP service on any port from 1025 through 65535.
vCenter Server 6.0 | 443 | TCP | vSphere Client | vCenter Server | Port the vCenter Server system uses to listen for connections from the vSphere Client.
vCenter Server 6.0 | 514 | TCP | vSphere Syslog Collector | vCenter Server Management Web Services | vCenter Server Management Web Services shutdown
vCenter Server 6.0 | 636 | TCP | vCenter Servers | Linked vCenter Servers | vCenter Server Linked Mode: the SSL port of the local instance.
vCenter Server 6.0 | 902 | TCP | vCenter Server | ESXi 5.x | Port the vCenter Server system uses to send data to managed hosts. This port must not be blocked by firewalls between the server and the hosts or between hosts.
vCenter Server 6.0 | 1514 | TCP | vCenter Server | vCenter Server Syslog Collector | vSphere Syslog Collector TLS port for vCenter Server
vCenter Server 6.0 | 2012 | TCP | vCenter Server | VMware Single Sign-On | Control interface RPC for vCenter Server Single Sign-On (SSO)
vCenter Server 6.0 | 2014 | TCP | PSC | VMware Certificate Authority | RPC port for all VMCA (VMware Certificate Authority) APIs
vCenter Server 6.0 | 2020 | TCP | vCenter Server | vCenter Server Management Web Services | Authentication framework management
vCenter Server 6.0 | 6500 | TCP | vCenter Server | ESXi 6.0 | ESXi Dump Collector port
vCenter Server 6.0 | 6501 | TCP | vCenter Server | ESXi 6.0 | Auto Deploy service
vCenter Server 6.0 | 6502 | TCP | vCenter Server | ESXi 6.0 | Auto Deploy management
vCenter Server 6.0 | 7444 | TCP | vCenter Server | Single Sign-On | Secure Token Service
vCenter Server 6.0 | 8088 | TCP | vCenter Server | vCenter Server | Workflow Management Service
vCenter Server 6.0 | 9443 | TCP | vSphere Web Client | vCenter Server | vSphere Web Client HTTPS
vCenter Server 6.0 | 11711 | TCP | vCenter Server | Active Directory | VMware Directory service (vmdir) LDAP
vCenter Server 6.0 | 11712 | TCP | vCenter Server | Active Directory | VMware Directory service (vmdir) LDAPS
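The script below is an added example and is not part of the KB article: run on a Windows vCenter Server 5.x/6.0, it checks a representative subset of the ports in the table above, first that the local vCenter services are actually listening on them, then that outbound TCP connections to an ESXi host, a domain controller and the SQL Server database reach their targets, so a port an anti-virus product has blocked shows up before the services fail. It assumes an elevated session on Windows Server 2012 or later (for Get-NetTCPConnection, Get-NetUDPEndpoint and Test-NetConnection); the three host names and the purpose labels are placeholders chosen here, not values from the article.

```powershell
# Added example, not part of the KB article: verify that the vCenter Server
# 5.x/6.0 ports from the table are not blocked or missing on a Windows vCenter
# Server, so a failure can be traced to the anti-virus or firewall product.
# Assumptions: run on the vCenter Server itself, elevated, on Windows Server
# 2012 or later. The three host names are placeholders; replace them.

$esxiHost         = 'esxi01.example.invalid'   # placeholder ESXi host
$domainController = 'dc01.example.invalid'     # placeholder Active Directory server
$sqlServer        = 'sql01.example.invalid'    # placeholder Microsoft SQL Server

# Ports the vCenter Server system must be listening on locally (rows in the
# table whose target is vCenter Server).
$localPorts = @(
    @{ Port = 443;  Protocol = 'TCP'; Purpose = 'vSphere Client connections' },
    @{ Port = 902;  Protocol = 'UDP'; Purpose = 'Heartbeat from managed hosts' },
    @{ Port = 8005; Protocol = 'TCP'; Purpose = 'Internal Communication Port' },
    @{ Port = 8080; Protocol = 'TCP'; Purpose = 'Management Web Services HTTP' },
    @{ Port = 8443; Protocol = 'TCP'; Purpose = 'Management Web Services HTTPS' },
    @{ Port = 9443; Protocol = 'TCP'; Purpose = 'vSphere Web Client' }
)

# Outbound TCP connections vCenter Server must be able to open (rows whose
# source is vCenter Server).
$outbound = @(
    @{ Target = $esxiHost;         Port = 443;  Purpose = 'vCenter Server Agent / DPM' },
    @{ Target = $esxiHost;         Port = 902;  Purpose = 'Data to managed hosts' },
    @{ Target = $domainController; Port = 88;   Purpose = 'AD Authentication' },
    @{ Target = $domainController; Port = 445;  Purpose = 'AD Authentication' },
    @{ Target = $sqlServer;        Port = 1433; Purpose = 'vCenter Server database' }
)

function Test-LocalListener {
    param([int]$Port, [string]$Protocol)
    # A service that is installed but not bound to its port is the first thing
    # a host-based anti-virus block looks like from the inside.
    if ($Protocol -eq 'UDP') {
        $bound = Get-NetUDPEndpoint -LocalPort $Port -ErrorAction SilentlyContinue
    } else {
        $bound = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue
    }
    return [bool]$bound
}

function Test-OutboundPort {
    param([string]$Target, [int]$Port)
    # Test-NetConnection only probes TCP; UDP rows in the table (DNS, SNMP,
    # heartbeat) need a packet capture or the remote service's own log.
    $probe = Test-NetConnection -ComputerName $Target -Port $Port -WarningAction SilentlyContinue
    return [bool]$probe.TcpTestSucceeded
}

$report = @()
foreach ($p in $localPorts) {
    $report += [pscustomobject]@{
        Check   = "listen $($p.Protocol)/$($p.Port)"
        Purpose = $p.Purpose
        Ok      = Test-LocalListener -Port $p.Port -Protocol $p.Protocol
    }
}
foreach ($o in $outbound) {
    $report += [pscustomobject]@{
        Check   = "to $($o.Target):$($o.Port)"
        Purpose = $o.Purpose
        Ok      = Test-OutboundPort -Target $o.Target -Port $o.Port
    }
}

$report | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Ok })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} check(s) failed. Compare these ports against the anti-virus " +
                   "product's network-protection and firewall logs." -f $failed.Count)
}
```

Run it once before the anti-virus product is installed to record a baseline, and again afterwards: a check that passes in the baseline and fails afterwards points at the anti-virus configuration rather than at vCenter, and the port and direction in the report are what the exclusion rule needs.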