Security scans may identify port 9080 as an open port on ESXi hosts, potentially flagging it as an "Excessive/Unidentified Service." This article explains the legitimate use of this port in vSphere environments and addresses security concerns.

• VMware vSphere versions 6.5, 6.7, 7.0, and 8.0
• vCenter Server
• ESXi hosts

Port 9080 (TCP) is a required system port used for vSphere I/O filtering communication between vCenter Server and ESXi hosts. This port operates specifically on the management network interfaces and is essential for proper system functionality.

1. Verify port 9080 configuration:
   1. Confirm the port is only open between vCenter Server's management interface (typically eth0) and ESXi hosts' management interfaces (typically vmk0)
   2. Verify no direct user access is possible to this port
      
      
2. Document security exceptions:
   1. Add port 9080 to your security scanning allowlist for vSphere environments
   2. Note this as an approved system-to-system communication port
   3. Document that this port is required for vSphere I/O filtering functionality
      
      
3. Implement network segmentation:
   1. Ensure management network interfaces are properly isolated
   2. Restrict access to management networks as per VMware best practices

• Port 9080 is classified as an incoming port for vSphere base functionality
• This port is specifically for system-to-system communication
• Unlike SSH (port 22), port 9080 does not accept direct user connections
• For a complete list of required vSphere ports, visit https://ports.broadcom.com