vCenter Server vulnerability scan detecting HSTS Missing From HTTPS Server
Article ID: 323223

Products

VMware vCenter Server

Issue/Introduction

Vulnerability scanners may detect the remote web server is not enforcing HSTS.

Environment

VMware vCenter Server 7.x
VMware vCenter Server 8.x

Cause

TCP 9080:

Please be aware that ESXi port 9080/tcp does not send HTTP Strict Transport Security (HSTS) headers. HSTS helps protect browser connections against security downgrades. Some security scanning tools incorrectly flag the absence of HSTS on port 9080/tcp as a vulnerability, assuming that all TLS ports should be browser-compatible. However, port 9080/tcp is not a web server, does not support browser connections, and does not support unencrypted communications. Consequently, HSTS checks are irrelevant for this port. VMware is committed to reducing regulatory compliance friction for vSphere Administrators and plans to address this in future product versions.

TCP 5580:

TCP port 5580 corresponds to the VMware POD API. This API does not support HTTP at all, so HSTS is not relevant for this port.

https://docs.vmware.com/en/VMware-vSphere/7.0/rn/vsphere-vcenter-server-702-release-notes.html

TCP 3128:

This port is an incoming port for smart-card-based authentication for vCenter. The connection is redirected to port 3128 during smart card login. This port only supports pre-configured mutual authentication connections and is not intended as a direct browser endpoint. As such, it does not return an HSTS header.

https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.authentication.doc/GUID-DE48ED27-E48B-4FDA-B3C8-DD7127BF6879.html

For more information, please refer to https://core.vmware.com/vmware-vsphere-8-default-ssltls-cipher-suites#hsts and https://core.vmware.com/vmware-vsphere-7-default-ssltls-cipher-suites

TCP 2379:

This is a bidirectional TCP port used by vSphere with Tanzu.

Port description: exposes the etcd server. etcd is a distributed key-value store that holds the state of the Kubernetes control plane.

If you are not using Tanzu, you may close this port.

Resolution

If the vulnerability scanner detects this behaviour, you may need to add an exception to the scanner to exclude this alert.
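Before adding the scanner exception, it is worth confirming that the finding is the benign case described under Cause (a TLS listener that does not serve HTTP to browsers) rather than a browser-facing port that genuinely lacks the header. The Python script below is an added example for that check; it is not part of this article and is not VMware code. It sends one TLS-wrapped HEAD request to each port and classifies the reply. The sample responses are constructed, the hostname is a placeholder, and including 443 as the browser-facing comparison port is an assumption of the example, as is the expectation that a mutual-TLS-only listener such as 3128 fails the handshake when no client certificate is offered.

```python
"""Triage a scanner's "HSTS missing" finding before adding an exception.
Added example; not part of the KB article and not VMware code."""
import socket
import ssl
from typing import Optional

HSTS = "strict-transport-security"


def hsts_max_age(value: str) -> Optional[int]:
    """Return the max-age directive of an HSTS header value, or None if absent/invalid."""
    for directive in value.split(";"):
        name, sep, val = directive.strip().partition("=")
        if sep and name.strip().lower() == "max-age":
            try:
                return int(val.strip().strip('"'))
            except ValueError:
                return None
    return None


def triage(raw: Optional[bytes]) -> dict:
    """Classify the raw bytes a TLS peer returned after an HTTP/1.1 request.

    verdict is one of:
      hsts-present  HTTP response carrying Strict-Transport-Security
      hsts-missing  HTTP response without it (a real finding only on a browser-facing port)
      not-http      the peer answered, but not with HTTP/1.x (non-web service)
      no-response   the peer sent nothing back
    """
    empty = {"verdict": "no-response", "status_line": None, "hsts": None, "max_age": None}
    if not raw:
        return empty
    # Normalise line endings so servers that answer with bare LF are still parsed.
    head = raw.decode("iso-8859-1").replace("\r\n", "\n").partition("\n\n")[0]
    lines = head.split("\n")
    status_line = lines[0]
    if not status_line.startswith("HTTP/1."):
        return dict(empty, verdict="not-http")
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    hsts = headers.get(HSTS)
    return {
        "verdict": "hsts-present" if hsts is not None else "hsts-missing",
        "status_line": status_line,
        "hsts": hsts,
        "max_age": hsts_max_age(hsts) if hsts else None,
    }


def probe(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TLS connection, send a minimal HEAD request and triage the reply.
    Certificate verification is off because vCenter commonly uses a private CA;
    the probe sends no credentials and reads only response headers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    request = f"HEAD / HTTP/1.1\r\nHost: {host}\r\nConnection: close\r\n\r\n".encode()
    chunks, connected = [], False
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                connected = True
                tls.sendall(request)
                while len(b"".join(chunks)) < 65536:
                    data = tls.recv(4096)
                    if not data:
                        break
                    chunks.append(data)
    except ssl.SSLError as exc:
        # Typical for a mutual-TLS-only listener when no client certificate is offered.
        return {"verdict": "tls-failed", "error": str(exc)}
    except OSError as exc:
        # Connection refused or a timeout before the handshake completed.
        if not connected:
            return {"verdict": "unreachable", "error": str(exc)}
        # A read timeout after a successful handshake falls through as "no data".
    return triage(b"".join(chunks))


# Constructed sample responses (not captured from a real vCenter).
SAMPLE_BROWSER_PORT = (b"HTTP/1.1 200 OK\r\n"
                       b"Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
                       b"Content-Type: text/html\r\n\r\n")
SAMPLE_HTTP_NO_HSTS = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
SAMPLE_BINARY = b"\x00\x00\x12\x04\x00\x00\x00\x00\x00"  # binary reply, not HTTP/1.x

if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "vcenter.example.invalid"  # placeholder host
    for p in (443, 9080, 5580, 3128, 2379):  # 443 assumed browser-facing; others from the article
        print(f"{target}:{p} -> {probe(target, p)['verdict']}")
```

Only an `hsts-missing` verdict on a port that browsers actually use warrants remediation; `not-http`, `no-response` and `tls-failed` on the ports listed under Cause match the article's explanation and are candidates for the scanner exception. Keep the raw output with the exception record so the justification can be reproduced at the next audit.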