o Key contents of the metadata in the mapping file include the location of the mapped device (name resolution), the locking state of the
  mapped device, permissions, and so on.
o You cannot perform vMotion or Storage vMotion between datastores when NPIV is enabled.
o VMware protects the service console with a firewall. It also mitigates risks using other methods:
  o Only services essential to managing its functions are run.
  o By default, installed with a high-security setting: all outbound ports are closed.
  o By default, all ports not specifically required for management access to the service console are closed.
  o By default, weak ciphers are disabled and all communications from clients are secured by SSL. Default certificates created on ESX use
    SHA-1 with RSA encryption as the signature algorithm.
  o The Tomcat Web service has been modified to run only those functions required.
  o VMware monitors all security alerts (for the RHEL5 distribution and 3rd-party software).
  o Insecure services such as FTP and Telnet are not installed.
  o The number of applications that use a setuid or setgid flag is minimized.
o ESX can automate whether services start based on the status of firewall ports, but this applies only to service settings configured through the
  vSphere Client or applications created with the vSphere Web Services SDK. It does not apply to changes made with the esxcfg-firewall utility or
  to configuration files in /etc/init.d/.
Port        Purpose                                                      Interface                     Traffic type
22          SSH server                                                   Service Console               Incoming TCP
80          HTTP access and WS-Management                                Service Console               Incoming TCP
123         NTP client                                                   Service Console               Outgoing UDP
427         The CIM client uses SLPv2 to find CIM servers                Service Console               Incoming and outgoing UDP
443         HTTPS access (vmware-hostd); vCenter Server access to ESX    Service Console               Incoming TCP
            hosts; client access to vCenter Server and ESX hosts;
            WS-Management; client access to vSphere Update Manager;
            Converter access to vCenter Server; Web Access to vCenter
            Server and ESX hosts
902         Host access to other hosts for migration and provisioning;   Service Console               Incoming TCP, outgoing UDP
            authentication traffic for ESX (xinetd/vmware-authd);
            client access to virtual machine consoles (UDP); status
            update (heartbeat) connection from ESX to vCenter Server
903         Remote console traffic from VI Client and Web Access         Service Console               Incoming TCP
            (xinetd/vmware-authd-mks)
2049        Transactions from NFS storage devices                        VMkernel                      Incoming and outgoing TCP
2050-2250   Between ESX hosts for HA and EMC Autostart Manager           Service Console               Outgoing TCP; incoming and outgoing UDP
3260        Transactions to iSCSI storage devices                        VMkernel and Service Console  Outgoing UDP
5900-5964   RFB protocol, used by management tools such as VNC           Service Console               Incoming and outgoing TCP
5989        CIM XML transactions over HTTPS                              Service Console               Incoming and outgoing TCP
8000        VMotion requests                                             VMkernel                      Incoming and outgoing TCP
8042-8045   Between ESX hosts for HA and EMC Autostart Manager           Service Console               Outgoing TCP; incoming and outgoing UDP
8100, 8200  Between ESX hosts for Fault Tolerance                        Service Console               Outgoing TCP; incoming and outgoing UDP
Plus installed management agents and supported services such as NFS.
o Create a separate VLAN for communication with the service console.
o Configure network access for connections with the service console through a single virtual switch and one or more uplink ports.
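As an added example (not from the study guide and not VMware code), the script below audits a service console's listening sockets against the incoming ports in the firewall table above and flags anything reachable from the network that the table does not document, which is how a Telnet listener that the hardening notes say should not exist would show up. It assumes netstat-style output from the RHEL5-based console; the sample lines are constructed for the example, and the table is treated as the complete allow-list, which a real audit would extend with the management agents the table's last line mentions.

```python
"""Audit service-console listeners against the documented ESX firewall ports.

Added example for this study guide, not VMware code. The netstat-style
sample below is constructed for the example, not captured from a real host.
"""
import re
from typing import Dict, List, Optional, Tuple

# Incoming ports taken from the port table above (inclusive ranges with a
# short purpose). Assumption for this example: this is the complete allow-list.
DOCUMENTED_INCOMING: Dict[str, List[Tuple[int, int, str]]] = {
    "tcp": [
        (22, 22, "SSH server"),
        (80, 80, "HTTP access and WS-Management"),
        (443, 443, "HTTPS access (vmware-hostd)"),
        (902, 902, "vmware-authd / host-to-host migration"),
        (903, 903, "remote console (vmware-authd-mks)"),
        (2049, 2049, "NFS"),
        (5900, 5964, "RFB / VNC"),
        (5989, 5989, "CIM XML over HTTPS"),
        (8000, 8000, "VMotion"),
    ],
    "udp": [
        (427, 427, "CIM SLPv2 discovery"),
        (2050, 2250, "HA / EMC Autostart Manager"),
        (8042, 8045, "HA / EMC Autostart Manager"),
        (8100, 8100, "Fault Tolerance"),
        (8200, 8200, "Fault Tolerance"),
    ],
}

# Constructed `netstat -tuln`-style output. A hardened console should not
# show the Telnet (23) or mDNS (5353) listeners deliberately included here.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:902             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8005          0.0.0.0:*               LISTEN
udp        0      0 0.0.0.0:427             0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
"""

# Matches one netstat line: protocol, local address and local port.
LISTENER_RE = re.compile(r"^(tcp|udp)6?\s+\d+\s+\d+\s+(\S+):(\d+)\s")


def documented_purpose(proto: str, port: int) -> Optional[str]:
    """Return the table's purpose for an incoming port, or None if undocumented."""
    for low, high, purpose in DOCUMENTED_INCOMING.get(proto, []):
        if low <= port <= high:
            return purpose
    return None


def parse_listeners(text: str) -> List[Tuple[str, str, int]]:
    """Extract (protocol, local address, port) for every listening socket."""
    listeners = []
    for line in text.splitlines():
        m = LISTENER_RE.match(line)
        if not m:
            continue
        proto, addr, port = m.group(1), m.group(2), int(m.group(3))
        # TCP lines that are not in LISTEN state are connections, not servers.
        if proto == "tcp" and "LISTEN" not in line:
            continue
        listeners.append((proto, addr, port))
    return listeners


def audit(text: str) -> List[Tuple[str, int, str]]:
    """Return network-reachable listeners the port table does not document."""
    findings = []
    for proto, addr, port in parse_listeners(text):
        if addr.startswith("127."):
            continue  # loopback-only: never exposed through the firewall
        if documented_purpose(proto, port) is None:
            findings.append((proto, port, addr))
    return findings


if __name__ == "__main__":
    for proto, port, addr in audit(SAMPLE_NETSTAT):
        print(f"undocumented listener: {proto}/{port} bound to {addr}")
```

Loopback-bound listeners are skipped on purpose: they are not reachable through the service console firewall, so reporting them only adds noise. Run against the constructed sample, the audit reports the Telnet and mDNS sockets and nothing else.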
