Configuring Windows Server 2008 to allow a smaller range of ports for Linked Mode communications
Article ID: 343196

Products

VMware vCenter Server

Issue/Introduction

This table contains the ports that need to be opened through the firewall for Linked Mode.

Note: All ports need to be opened for bi-directional communication.

  • Port 135 (TCP/UDP): Used by ADAM for RPC communications between vCenter Servers in Linked Mode.
  • Port 389 (TCP/UDP): This port must be open in the local and all remote instances of vCenter Server. This is the LDAP port number for the Directory Services for the vCenter Server group. The vCenter Server system needs to bind to port 389, even if you are not joining this vCenter Server instance to a Linked Mode group. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the LDAP service on any port from 1025 through 65535.
    If this instance is serving as the Microsoft Windows Active Directory, change the port number from 389 to an available port from 1025 through 65535.
  • Port 636 (TCP): This is the SSL port of the local instance for vCenter Server Linked Mode. If another service is running on this port, it might be preferable to remove it or change its port. You can run the SSL service on any port from 1025 through 65535.
  • Port 1024 (TCP): RPC communication on dynamic TCP ports is required between all vCenter Servers that need to replicate (via ADAM).
  • Port 7500 (UDP): vCenter Inventory Service Groups diagnostics port for Inventory Service instances.
  • Port 8443 (TCP): VMware Web Management Services Linked Mode Communication port.
  • Port 10111 (TCP): vCenter Inventory Service Linked Mode Communication.
  • Port 10443 (TCP): vCenter Inventory Service Linked Mode Communication between Inventory Service instances.

These ports can be changed during the vCenter Server installation; adjust the firewall settings to match whatever values are chosen.

Notes:
These ports are used for establishing communication between the vCenter Server instances. Ephemeral (dynamic) port values between 49152 and 65535 are also required to be open for subsequent communication to function properly. This article details changes that can be made in the Windows Server 2008 operating system to reduce the range of ephemeral ports used.


Symptoms:
  • Establishing a Linked Mode configuration between vCenter Server instances is not feasible due to the large number of ports that need to be opened between them.
  • You have modified the registry on both vCenter Server instances as per the Microsoft Knowledge Base article 154596 but still see port communication outside of the range that is selected.
Note: The preceding link was correct as of May 13, 2015. If you find the link is broken, please provide feedback and a VMware employee will update the link.


Environment

VMware vCenter Server 5.0.x
VMware vCenter Server 4.1.x
VMware vCenter Server 5.1.x
VMware vCenter Server 5.5.x
VMware vCenter Server 4.0.x

Resolution

In Windows Server 2008, the netsh command can be used to limit the number of ephemeral (dynamic) ports used for outgoing RPC communication. The number of ports used can be as low as 256 and as high as 64510 (1025 through 65535).
Note: Run the netsh commands as Administrator, from an elevated command prompt.

The syntax of the netsh command is:

    netsh int ipv4|ipv6 set dynamic tcp|udp start=number num=range

where number is the starting port to be used and range is the total number of ports. For our purposes, ipv4 is used for the protocol, and tcp and udp each need their own netsh command.

These examples limit the port range to values between 60100 and 60356:

    netsh int ipv4 set dynamic tcp start=60100 num=256
    netsh int ipv4 set dynamic udp start=60100 num=256

Each Windows Server 2008 system where this change is made needs to be rebooted for the change to take effect.
For more information, see the Microsoft Knowledge Base article 929851.
Note: The preceding link was correct as of November 4, 2011. If you find the link is broken, please provide feedback and a VMware employee will update the link.
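The following PowerShell script is an added example and not part of the VMware article: it applies the netsh change above for both TCP and UDP, confirms the new range by parsing the "netsh int ipv4 show dynamic" output, and then lists established connections whose local port still falls outside that range (the second symptom above). It assumes an elevated, PowerShell 2.0-compatible session on Windows Server 2008 with English netsh/netstat output, and uses the article's values 60100/256; the reboot is still required afterwards.

```powershell
# Added example, not code from the VMware article: applies the article's netsh change for
# TCP and UDP, confirms the new range by parsing "netsh int ipv4 show dynamic" output, and
# lists established connections whose local port is outside that range (the symptom above).
# Assumptions: elevated PowerShell (2.0-compatible) on Windows Server 2008 with English
# netsh/netstat output, and the article's values 60100/256. A reboot is still required.

$StartPort  = 60100
$PortCount  = 256
$FixedPorts = 135, 389, 636, 8443, 10111, 10443   # fixed Linked Mode ports from the table above

function Get-DynamicPortRange {
    # Returns the current dynamic range (start, count, end) for one protocol.
    param([ValidateSet('tcp', 'udp')][string]$Protocol)
    $text  = (& netsh int ipv4 show dynamic $Protocol) -join "`n"
    $start = [int]([regex]::Match($text, 'Start Port\s*:\s*(\d+)').Groups[1].Value)
    $count = [int]([regex]::Match($text, 'Number of Ports\s*:\s*(\d+)').Groups[1].Value)
    New-Object PSObject -Property @{ Protocol = $Protocol; Start = $start; Count = $count; End = ($start + $count - 1) }
}

function Set-DynamicPortRange {
    # Runs the article's netsh command, then re-reads the range to prove it was accepted.
    param([string]$Protocol, [int]$Start, [int]$Count)
    $before = Get-DynamicPortRange $Protocol
    & netsh int ipv4 set dynamic $Protocol "start=$Start" "num=$Count" | Out-Null
    $after = Get-DynamicPortRange $Protocol
    if ($after.Start -ne $Start -or $after.Count -ne $Count) {
        throw ("{0}: range is {1}-{2}, expected {3}-{4}" -f $Protocol, $after.Start, $after.End, $Start, ($Start + $Count - 1))
    }
    Write-Host ("{0}: {1}-{2} -> {3}-{4}" -f $Protocol, $before.Start, $before.End, $after.Start, $after.End)
}

function Get-PortsOutsideRange {
    # Local ports (> 1024) of ESTABLISHED IPv4 TCP connections that are neither a fixed Linked
    # Mode port nor inside the dynamic range. Listeners for unrelated services appear here too,
    # so treat the output as a review list, not a verdict.
    param([int]$Start, [int]$End)
    & netstat -ano -p tcp | Where-Object { $_ -match 'ESTABLISHED' } | ForEach-Object {
        $local = ($_.Trim() -split '\s+')[1]                     # e.g. 10.0.0.5:60123
        $port  = [int]($local.Substring($local.LastIndexOf(':') + 1))
        if ($port -gt 1024 -and $FixedPorts -notcontains $port -and ($port -lt $Start -or $port -gt $End)) { $port }
    } | Sort-Object -Unique
}

foreach ($proto in 'tcp', 'udp') { Set-DynamicPortRange -Protocol $proto -Start $StartPort -Count $PortCount }
$outside = Get-PortsOutsideRange -Start $StartPort -End ($StartPort + $PortCount - 1)
if ($outside) { Write-Host ("Local TCP ports outside the range (review): " + ($outside -join ', ')) }
Write-Host "Reboot this server for the change to take effect, then repeat on the other vCenter Server."
```

Run the script on each vCenter Server in the Linked Mode group; connections opened before the reboot may still show up in the review list until the server has been restarted.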


Additional Information

If there is a physical firewall between the vCenter Servers in the Linked Mode configuration, configure the firewall to allow traffic on ports 389, 636, 135 and the configured dynamic port range to pass between the vCenter Server instances.

See also: TCP and UDP Ports required to access VMware vCenter Server, VMware ESXi and ESX hosts, and other network components