Understanding incoming TCP port 2020 in the ESXi host firewall rule "Active Directory All"

Article ID: 405287

Products

VMware vSphere ESXi

Issue/Introduction

When viewing ESXi host firewall rules in either the vSphere Client or the Host UI, a rule named "Active Directory All" is listed. This rule is disabled by default and is enabled only when the ESXi host is joined to Active Directory. When the rule is enabled, it also opens incoming TCP port 2020. This port is not listed as a required port on VMware Ports and Protocols for ESXi.

Environment

ESXi 7.x

ESXi 8.x

Cause

The inclusion of incoming TCP port 2020 is a legacy entry that originated in an earlier version of ESXi. The firewall rule was updated to include the VMAFD (VMware Authentication Framework) service on ESXi; however, that service was later integrated into vCenter on the VCSA rather than ESXi, and the port entry was not removed from the rule when it was no longer needed.

To verify that the port is actually unused, SSH to the host and run the following command to confirm that nothing is listening on it (no output means there is no listener on port 2020):

#> lsof -i -P -n | grep SOCKET_INET | grep 2020

Additionally, a packet capture on that port will show whether any traffic actually arrives on TCP port 2020:

#> pktcap-uw --vmk vmk0 --tcpport 2020 -o /tmp/vmk0_tcp_2020.pcap
(assuming vmk0 is the management interface; adjust accordingly. Stop the capture with Ctrl-C and inspect the resulting .pcap file; an empty capture over a representative period confirms that nothing uses the port.)
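As an added check that is not part of this article, the POSIX shell script below reads the same two facts from the esxcli firewall and connection listings and flags a port that a ruleset opens inbound while nothing on the host listens on it. The ruleset id activeDirectoryAll, the esxcli column layout and the sample listings are assumptions constructed from typical ESXi 7.x/8.x output, so verify them against your own host before relying on the classification.

```shell
# Added example (not VMware's code). Decides whether an ESXi firewall ruleset
# opens an inbound TCP port that no process on the host is listening on.
# Column layout is assumed from typical ESXi output; samples are constructed.

# Constructed sample of:
#   esxcli network firewall ruleset rule list --ruleset-id activeDirectoryAll
RULES='Ruleset             Direction  Protocol  Port Type  Port Begin  Port End
------------------  ---------  --------  ---------  ----------  --------
activeDirectoryAll  Outbound   TCP       Dst               88        88
activeDirectoryAll  Outbound   TCP       Dst              389       389
activeDirectoryAll  Inbound    TCP       Dst             2020      2020'

# Constructed sample of: esxcli network ip connection list
CONNS='Proto  Recv Q  Send Q  Local Address   Foreign Address  State   World ID  CC Algo  World Name
-----  ------  ------  --------------  ---------------  ------  --------  -------  ----------
tcp         0       0  0.0.0.0:22      0.0.0.0:0        LISTEN   2099170  newreno  busybox
tcp         0       0  0.0.0.0:902     0.0.0.0:0        LISTEN   2099179  newreno  vmware-authd'

# rule_opens_inbound_tcp <port>: reads a rule listing on stdin, prints yes/no.
# Fields after the two header lines: Ruleset Direction Protocol PortType Begin End.
rule_opens_inbound_tcp() {
  awk -v p="$1" 'NR>2 && $2=="Inbound" && $3=="TCP" && $5<=p && p<=$6 {f=1}
                 END{print f?"yes":"no"}'
}

# tcp_listener_present <port>: reads a connection listing on stdin, prints yes/no.
# Takes the text after the last ":" of Local Address so IPv6 forms also work.
tcp_listener_present() {
  awk -v p="$1" 'NR>2 && $1=="tcp" && $6=="LISTEN" {n=split($4,a,":"); if (a[n]==p) f=1}
                 END{print f?"yes":"no"}'
}

# classify <port>: exposed-unused (rule opens it, no listener), exposed-in-use, or closed.
# On a real host, replace RULES/CONNS with the live esxcli output.
classify() {
  port=$1
  opened=$(printf '%s\n' "$RULES" | rule_opens_inbound_tcp "$port")
  listening=$(printf '%s\n' "$CONNS" | tcp_listener_present "$port")
  if [ "$opened" = yes ] && [ "$listening" = no ]; then echo exposed-unused
  elif [ "$opened" = yes ]; then echo exposed-in-use
  else echo closed; fi
}

classify 2020   # prints exposed-unused for the constructed samples
```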

Resolution

The "Active Directory All" ESXi firewall rule will be updated in a future ESXi version to remove the unused incoming TCP port 2020 entry, as it is no longer needed.

Additional Information