A PCI audit of vSphere is in progress, and questions arise about whether the following ports use encryption:
vSphere 7.x, 8.x
A good starting point for port usage is the VMware Ports and Protocols page.
Below is the encryption status of the ports you identified, based on current VMware vSphere documentation.
| Port | Service / Purpose | Encryption Status | Notes |
|---|---|---|---|
| 9080 | iofilterVP (ESXi Storage Provider) | Encrypted (TLS) | Uses TLS for communication. Broadcom documentation provides steps to configure specific cipher suites for this port (Broadcom KB 320798). |
| 902 | vCenter to ESXi (vpxd / host management) | Encrypted (SSL/TLS) | Core management traffic between vCenter and ESXi is encrypted. This port also carries NFC (Network File Copy) traffic (Broadcom KB 318895). |
| 389 | LDAP (standard) | Plaintext (unencrypted) | Standard LDAP on port 389 is plaintext. vCenter identity sources should use port 636 (LDAPS) or port 3269 (Global Catalog over SSL) for encrypted traffic (Broadcom KB 2149697). |
| 8084 | vSphere Update Manager (VUM) | Encrypted (SSL/TLS) | Used by vSphere Lifecycle Manager / Update Manager for secure SOAP-based communication (Broadcom KB 318895). |
| 9084 | vSphere Lifecycle Manager (vLCM) | Encrypted (SSL/TLS) | Core communication port for vLCM tasks between ESXi and vCenter (Broadcom KB 318895). See the note on port 9084 below. |
| 2012 | vCenter / PSC (component specific) | Encrypted (SSL/TLS) | Typically associated with internal component communication (such as VMware Identity Manager or specific vCenter services), which enforces SSL/TLS (Broadcom KB 322259). |
| 2014 | vCenter / PSC (component specific) | Encrypted (SSL/TLS) | Associated with internal VMware services, generally using TLS for internal data exchange (Broadcom TechDocs: Security). |
| 2020 | vCenter / PSC (component specific) | Encrypted (SSL/TLS) | Internal communication for Single Sign-On (SSO) and related services (Broadcom KB 322259). |
| 5696 | KMIP (key management) | Encrypted (TLS) | Standard port for the Key Management Interoperability Protocol (KMIP) used for vSAN and VM encryption; mandates TLS for secure key exchange (Broadcom TechDocs: KMIP Configuration). |
Important note on port 9084: Starting with vCenter 8.0 Update 3, Lifecycle Manager has moved host patch downloads to port 9087 over HTTPS. In earlier versions, port 9084 operates over unencrypted HTTP.
Important note on port 389: vSphere 7.x and 8.x use port 389 for Enhanced Linked Mode (ELM) SSO communication. There is no plan or method for implementing encryption for this use case. VCF 9.x provides a new method, vCenter Linking, that replaces ELM and uses encrypted communication.
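To give the assessor observed evidence rather than the table alone, the following added Python script (not Broadcom's or the KB's own code) attempts a TLS 1.2+ handshake on each port listed above against a vCenter or ESXi host and grades the result against the table's expected status. The target hostname is a placeholder, and certificate validation is disabled because the point is to confirm the transport is encrypted, not to verify trust.

```python
"""Audit helper: attempt a TLS handshake on each port from the table above and
compare what is observed with the expected encryption status."""
import socket
import ssl
import sys

# Expected status per the table above; 389 is the one plaintext-by-design port.
EXPECTED = {9080: "tls", 902: "tls", 389: "plaintext", 8084: "tls", 9084: "tls",
            2012: "tls", 2014: "tls", 2020: "tls", 5696: "tls"}


def probe_tls(host: str, port: int, timeout: float = 5.0) -> dict:
    """Connect and try a TLS 1.2+ handshake; report version/cipher or why it failed."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # assumed audit floor; legacy TLS fails
    ctx.check_hostname = False       # we test that the transport is encrypted, not identity
    ctx.verify_mode = ssl.CERT_NONE  # certificate trust (VMCA / custom CA) is a separate check
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return {"port": port, "tls": None, "reason": f"unreachable: {exc}"}
    try:
        with sock, ctx.wrap_socket(sock, server_hostname=host) as tls:
            return {"port": port, "tls": True, "version": tls.version(),
                    "cipher": tls.cipher()[0]}
    except (ssl.SSLError, OSError) as exc:
        # TCP connected but no TLS handshake completed: a plaintext service (e.g. LDAP
        # on 389, reason WRONG_VERSION_NUMBER), legacy-only TLS, a reset, or a timeout.
        return {"port": port, "tls": False,
                "reason": f"no TLS handshake: {getattr(exc, 'reason', None) or exc}"}


def assess(result: dict) -> str:
    """Turn one probe result into an audit finding using EXPECTED."""
    expected = EXPECTED.get(result["port"], "tls")
    if result["tls"] is None:
        return "NOT_LISTENING"
    if result["tls"]:
        return "PASS"  # encrypted transport observed, even on a port expected to be plaintext
    if expected == "plaintext":
        return "KNOWN_EXCEPTION: plaintext by design (see the note on port 389)"
    return f"FAIL: expected TLS ({result['reason']})"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "vcenter.example.invalid"  # placeholder
    for port in EXPECTED:
        r = probe_tls(target, port)
        detail = f"{r.get('version', '')} {r.get('cipher', '')}".strip() or r.get("reason", "")
        print(f"{port:>5}  {assess(r):<60}  {detail}")
```

Run it from a host that can reach the management network; a NOT_LISTENING result on a port the table lists is itself worth recording, since the service may be bound elsewhere or firewalled.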