Disable port 7444 on the PSC or embedded vCenter appliance

Article ID: 320878

Products

  • VMware vCenter Server
  • VMware vSphere ESXi

Issue/Introduction

After upgrading to vCenter 6.5 or higher, port scanners may report that port 7444 is still open externally on the vCenter Server.

To increase security, port 7444 may be disabled.

Environment

  • VMware vCenter Server 6.5.x
  • VMware vCenter Server 6.7.x
  • VMware vCenter Server 7.0.x
  • VMware vCenter Server 8.0.x

Cause

Port 7444 was originally used by the Secure Token Service in vCenter 5.5, but it is not used in more recent versions of vCenter.

Resolution

Currently, there is no resolution. This port is no longer exposed in the latest vCenter 7.0.x and 8.0.x, but scanners may indicate otherwise after that upgrade.

Workaround:
Port 7444 is a required internal port. To prevent port scanners from detecting the port externally, perform the workaround below.

  1. Disable the firewall configuration exposing port 7444 by removing the firewall configuration file(s). One or both may be present, depending on how the vCenter was upgraded:

    rm -f /etc/vmware/appliance/firewall/vmware-sso
    rm -f /etc/vmware/appliance/firewall/sts

  2. Reboot the system or reload the firewall rules:

    /usr/lib/applmgmt/networking/bin/firewall-reload

To restore the original configuration that exposes port 7444:

  1. Restore the symbolic link to the configuration file:

    /bin/ln -s -f /usr/lib/vmware-sso/firewall/sso-firewall.json /etc/vmware/appliance/firewall/vmware-sso

  2. Reboot the system or reload the firewall rules:

    /usr/lib/applmgmt/networking/bin/firewall-reload

NOTE: If using VMware vSphere+, port 7444 will be required. For more information, see vCenter Cloud Gateway Requirements.

NOTE: If port 7444 is still being detected on the vCenter Server, run ls /etc/vmware/appliance/firewall to view the firewall rule files. If there are any files with similar names but different file extensions (e.g. "vmware-sso.bak" alongside "vmware-sso"), review their contents and either move them to another directory or remove them with rm.
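The check described in the last note, as an added example that is not part of the VMware article: a POSIX sh audit that lists every rule file in the appliance firewall directory that still carries the vmware-sso or sts name (including variants with extra extensions such as vmware-sso.bak) and reports them instead of deleting anything. The directory path is the one from the article; the files created in the demo are constructed.

```shell
#!/bin/sh
# Added example, not VMware's code. Audits a firewall rule directory for the
# two files the article names (vmware-sso, sts) and for leftover variants of
# them (vmware-sso.bak, sts.old, ...) that would keep port 7444 exposed after
# a firewall reload. Nothing is modified; the operator decides what to remove.

# Print one line per matching file: "<rule|variant> <path>".
audit_7444_rules() {
    dir=$1
    for f in "$dir"/vmware-sso "$dir"/vmware-sso.* "$dir"/sts "$dir"/sts.*; do
        # An unmatched glob stays literal; skip it. Symlinks count (the
        # article restores vmware-sso as a symlink), so test -L as well.
        [ -e "$f" ] || [ -L "$f" ] || continue
        case $(basename "$f") in
            vmware-sso|sts) kind=rule ;;
            *)              kind=variant ;;
        esac
        printf '%s %s\n' "$kind" "$f"
    done
}

# Number of files that would still expose port 7444; 0 means clean.
count_7444_rules() {
    audit_7444_rules "$1" | wc -l | tr -d ' '
}

# Demo on a constructed directory mimicking a partially cleaned appliance.
# On a real appliance, call: audit_7444_rules /etc/vmware/appliance/firewall
demo_dir=$(mktemp -d)
touch "$demo_dir/vmware-sso.bak" "$demo_dir/sts"   # one variant, one live rule
touch "$demo_dir/other-service"                    # unrelated rule, ignored
audit_7444_rules "$demo_dir"
echo "files still exposing 7444: $(count_7444_rules "$demo_dir")"
rm -rf "$demo_dir"
```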