
VMware NSX for vSphere Security Configuration Guide

Version 2.1

NSX Version Covered 6.3.0

Currently only the entities listed below are covered; all others are out of scope.

Management Plane:
  NSX Manager (Primary and Secondary)
  VMware vSphere

Control Plane:
  NSX Controller (Local and Universal)

Data Plane:
  NSX vSwitch
  VXLAN
  Distributed Logical Router
  Distributed Firewall
  NSX Edge Services Gateway
  VMware vSphere Distributed Switch

How to read this security configuration guide

ID: A unique ID used to reference a hardening guide recommendation.
Component: One of the NSX components, based on the planes described above.
Subcomponent: A logical grouping of hardening guide recommendations.
Title: The short title of a recommendation.
Vulnerability Discussion: Describes the vulnerability behind a particular recommendation.
Assessment Procedure: Describes the step-by-step method to follow to determine the compliance state with a recommendation.
Word of Caution: Lists any negative repercussions that might happen by following a recommendation.
Desired Value: Lists the desired state/value of the recommendation.
Is the setting default?: Lists whether the recommended security setting is the default product configuration.
API: A reference to the NSX REST APIs.
Reference: A reference to documentation or other related material for the recommendation.


Acknowledgement

Name | Role | Company
Pravin Goyal | Original Author | VMware
Umar Saeed | Author (this | VMware
ID | Component | Subcomponent | Title
backup-excludes | NSX Manager | Backup and Restore | Do not exclude audit logs and system events from backing up.
backup-user-password | NSX Manager | Backup and Restore | Ensure that the backup user has a strong password.
block-unused-ports | NSX Manager | Ports | Block access to ports not used by NSX Manager.
disable-ipv6 | NSX Manager | Network | Ensure IPv6 is disabled/not configured if not in use.
disable-ipv6-dns | NSX Manager | Network | Ensure IPv6 DNS is disabled/not configured if not in use.
disable-ssh-manager | NSX Manager | Communication | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
enable-ntp | NSX Manager | General | Ensure that the NTP server is authorized.
enable-remote-syslog | NSX Manager | Logging | Configure remote logging for NSX Manager.
ensure-valid-certificates | NSX Manager | Certificates | Ensure that the NSX Manager certificate is valid and legitimate.
harden-vsphere-environment | VMware vSphere | All | Harden the VMware vSphere environment.
keep-nsx-patched | NSX Manager | Installation | Follow VMware Security Advisories and apply patches.
limit-user-role | NSX Manager | User Administration | Utilize roles and privileges within NSX Manager to limit user privileges.
limit-user-scope | NSX Manager | User Administration | Define the access scope for NSX Manager users.
monitor-api-use | NSX Manager | REST APIs | Monitor the use of APIs.
no-unsupported-software | NSX Manager | Unsupported Software | Do not install/use software not supported by VMware.
password-complexity-webui | NSX Manager | Web UI | Ensure sufficient password strength as defined in your local site policy.
restrict-nsx-access | NSX Manager | Communication | Restrict access to NSX Manager.
restrict-nsx-va-access | VMware vSphere | NSX Manager VA | Restrict access to the NSX Manager Virtual Appliance in the VMware vSphere environment.
secure-backup-dir | NSX Manager | Backup and Restore | Ensure that the backup directory is secured.
secure-dns-server | NSX Manager | Network | Ensure that IPv4 DNS is authorized and secure.
secure-sftp-server | NSX Manager | Backup and Restore | Ensure that the SFTP server on which the backup is done is hardened as appropriate.
secure-syslog-server | NSX Manager | Logging | Ensure that the Syslog server is authorized and the configuration is appropriate.
use-sftp | NSX Manager | Backup and Restore | Use SFTP for backup and restoration.
verify-install-media | NSX Manager | Installation | Verify the integrity of installation media before installing the product.
Vulnerability Discussion / Assessment Procedure

backup-excludes
  Vulnerability Discussion: Audit logs and system events carry important information that might be needed in future for tracking events or for accountability and security reasons. It is important to safeguard these logs, and they should therefore be regularly backed up so that they are preserved for the future.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "Backup & Restore"
    3) Under "Backup & Restore", verify that "Audit Logs" and "System Events" are not excluded (by default they are NOT excluded)

backup-user-password
  Vulnerability Discussion: Ensure that the SFTP server backup account credentials are secured. Use strong passwords for the backup user.
  Assessment Procedure: Assess the backup user on the password quality and ensure that the passwords meet the required complexity as defined in your local site policy.

block-unused-ports
  Vulnerability Discussion: Blocking unneeded ports can prevent general attacks on those ports and thus reduce the attack surface.
  Assessment Procedure: Verify that only the ports listed in the "Reference" section of this sheet are open on NSX Manager.

disable-ipv6
  Vulnerability Discussion: IPv6 is the next version of the Internet Protocol, but it is not widely used. Binding this protocol to the network stack increases the attack surface. Until needed, IPv6 should be disabled.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "Network"
    3) Under "General network settings", verify IPv6 is not configured

disable-ipv6-dns
  Vulnerability Discussion: If you are not using IPv6 within your environment, there is no good reason why IPv6 DNS should be configured. Having unnecessary services running in the environment increases the attack surface. Unless needed, IPv6 DNS should be disabled.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "Network"
    3) Under "DNS Servers", verify IPv6 DNS is not configured

disable-ssh-manager
  Vulnerability Discussion: Secure Shell (SSH) is an interactive command line environment available for making remote connections to NSX Manager. Access via SSH requires the root or higher privileged user account credentials. The activities performed from SSH generally bypass NSX for vSphere based RBAC and audit controls. Thus, SSH should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed via other procedures.
  Assessment Procedure: Try opening a connection via SSH to NSX Manager. If the connection opens requesting credentials, this means SSH is enabled and is available for making connections.
  Alternatively, log in to the NSX Manager virtual appliance and go to the "Summary" tab. Under "System-level components", the "SSH Service" status should be "Stopped".

enable-ntp
  Vulnerability Discussion: By ensuring that all systems use the same relative time source (including the relevant localization offset), and that the relative time source can be correlated to an agreed-upon time standard (such as Coordinated Universal Time—UTC), you can make it simpler to track and correlate an intruder's actions when reviewing the relevant log files. Incorrect time settings can make it difficult to inspect and correlate log files to detect attacks, and can make auditing inaccurate.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "General"
    3) Under "Time Settings", verify that the "NTP Server" entries are authorized and trusted. It is recommended to use the same NTP server used by the SSO server.

enable-remote-syslog
  Vulnerability Discussion: Remote logging to a central log host provides a secure, centralized store for NSX logs. This mitigates the risk of log tampering on the local system. Also, by gathering log files onto a central host you can more easily monitor the environment with a single tool. You can also do aggregate analysis and searching to look for such things as coordinated attacks across multiple entities within the infrastructure. Logging to a secure, centralized log server also helps prevent log tampering and provides a long-term audit record.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "General"
    3) Verify the syslog server configuration

ensure-valid-certificates
  Vulnerability Discussion: Ensuring that the SSL certificates used are valid and legitimate establishes the proper chain of trust. Also note that the default certificate algorithm is RSA with a minimum key size of 2048 bits.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "SSL Certificates"
    3) Click on the certificate and verify the certificate details.

harden-vsphere-environment
  Vulnerability Discussion: NSX for vSphere relies on a secure VMware vSphere environment to achieve the greatest benefits along with a secured infrastructure. A VMware vSphere environment that is not hardened appropriately can jeopardize the working of NSX for vSphere.
  Assessment Procedure: Assess the VMware vSphere environment and ensure that an appropriate level of the VMware vSphere hardening guide is enforced and maintained.

keep-nsx-patched
  Vulnerability Discussion: VMware releases security advisories for various products from time to time. Staying on top of these advisories can ensure that you have the safest underlying product and that the product is not vulnerable to known threats.
  Assessment Procedure: Assess the NSX for vSphere installation, patching and upgrade history and ensure that the released VMware Security Advisories are followed and enforced.

limit-user-role
  Vulnerability Discussion: Assigning a higher level of privilege than needed to carry out the job in hand violates the "Need to Know" security principle. NSX Manager provides roles designed for carrying out specific tasks such as auditing, security administration, NSX deployment administration and NSX configuration. Utilize these roles and assign them to specific user accounts as appropriate.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log in to VMware vSphere Web Client
    2) Navigate to "Networking and Security" -> "NSX Manager"
    3) Choose the NSX Manager instance and click on the "Manage" tab
    4) Click on the "Users" tab to get the user list
    5) Verify that the user account and assigned role are legitimate.

limit-user-scope
  Vulnerability Discussion: Assigning access to entities other than those needed to carry out the job in hand violates the "Need to Know" security principle. NSX Manager provides access scope restriction options to limit the entities a user with a specific role can access. Utilize this feature to correctly assign the access scope to specific user accounts as appropriate.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log in to VMware vSphere Web Client
    2) Navigate to "Networking and Security" -> "NSX Manager"
    3) Choose the NSX Manager instance and click on the "Manage" tab
    4) Click on the "Users" tab to get the user list
    5) Verify that the user account and access scope are legitimate.

monitor-api-use
  Vulnerability Discussion: As of now, there is no built-in mechanism to restrict the usage of REST APIs. Such usage should therefore be monitored from logs, ensuring that the API usage is granted and approved by your local site policy.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log in to the VMware vSphere Web Client
    2) Navigate to the NSX Manager instance
    3) Click on "Monitor"
    4) Review entries under "Audit Logs", "System Events" and "Tasks"
  -OR-
  Use a log management product such as VMware Log Insight to monitor these logs and generate appropriate warnings as needed.

no-unsupported-software
  Vulnerability Discussion: Installing any unsupported/untested/unapproved software on infrastructure products such as NSX for vSphere can spell disaster. It is highly recommended not to install/use any software not supported by VMware, to minimize the threat to the infrastructure. Do not add other software components to the NSX for vSphere appliances, as this is an untested configuration and could potentially interfere with the operation of the security functions they provide.
  Assessment Procedure: Assess the NSX for vSphere deployment and try inventorying the various products installed. Ensure that no unsupported software is installed.

password-complexity-webui
  Vulnerability Discussion: Minimal password complexity is enforced when a user creates/changes a password for the NSX Web UI. This leaves room for setting weak passwords, which makes it more likely that attacks against user credentials will be successful.
  Assessment Procedure: Assess the administrator on the password quality and ensure that the passwords meet the required complexity as defined in your local site policy.

restrict-nsx-access
  Vulnerability Discussion: The NSX Manager should not be on a network accessible to the standard virtual machine network or the management network in general. Any compromise of NSX Manager could potentially lead to communicating with hypervisors directly. Use network access control such as firewalls to prevent unauthorized access to NSX Manager. Another way to restrict access might be to only allow TCP/443 from a secure jump host management station.
  Assessment Procedure: Assess the deployment and try to reach NSX Manager from the standard network. NSX Manager should only be reachable using isolation mechanisms.

restrict-nsx-va-access
  Vulnerability Discussion: Users having access to the NSX Manager VA in the VMware vSphere environment could potentially cause harm by intentionally or unintentionally performing power off/suspend/migrate or other administrative functions. It is important that NSX Manager VA access is protected using user access controls or by separating / isolating the NSX Manager environment.
  Assessment Procedure: Log in to the VMware vSphere environment and inspect which users have access permissions to the NSX Manager VA. No user other than the intended administrator should have access to the VA or be able to carry out any administrative actions on that VA.

secure-backup-dir
  Vulnerability Discussion: It is important to ensure that the directory where the NSX for vSphere backup is stored on the SFTP server is secured with proper directory permissions. Do not grant read or write permissions to anyone other than the backup user account.
  Assessment Procedure: Log in to the SFTP server and navigate to the backup directory. Ensure that the backup directory cannot be read or written to by any user other than the backup user.

secure-dns-server
  Vulnerability Discussion: Ensuring that the IPv4 DNS servers are authorized and secure mitigates the risks of DNS based vulnerabilities. Also, ensure that the DNS server is hardened based on best practice guidelines.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "Network"
    3) Under "General network settings", verify IPv4 DNS is authorized and secure.

secure-sftp-server
  Vulnerability Discussion: It is as important to harden the SFTP server as it is to use SFTP for backup and restoration instead of insecure FTP. Hardening the SFTP server on which the backup is done ensures that common threats and vulnerabilities can be mitigated. An unhardened or exposed server might lead to a break-in on the server and the compromise of important data.
  Assessment Procedure: Audit the SFTP server and ensure that it is hardened with general best practices and guidelines for FTP server hardening.

secure-syslog-server
  Vulnerability Discussion: This recommendation goes hand-in-hand with the recommendation to enable remote syslog. Ensuring that the remote Syslog server is authorized and secure is very important. Use a SIEM solution or a syslog server solution such as VMware Log Insight and configure it to collect the NSX logs securely.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "General"
    3) Verify the Syslog Server configuration

use-sftp
  Vulnerability Discussion: Do not use insecure FTP for backup and restoration. FTP is typically unencrypted and presents confidentiality and integrity risks. Backup and restoration procedures involve sensitive data and hence unencrypted FTP should not be used.
  Assessment Procedure: Follow the steps below to assess this recommendation:
    1) Log on to NSX Manager Virtual Appliance
    2) Go to "Manage" --> "Backup & Restore"
    3) Under "Backup & Restore", verify "FTP Server settings"

verify-install-media
  Vulnerability Discussion: Always download VMware software from the VMware secure website using an https connection. Always check the SHA1 hash after downloading the bits, offline bundle, or patch to ensure the integrity and authenticity of the downloaded files. If you obtain physical media from VMware and the security seal is broken, return the software to VMware for a replacement.
  Assessment Procedure: After downloading the media, use the MD5/SHA1 sum value to verify the integrity of the download. Compare the MD5/SHA1 hash output with the value posted on the VMware secure website.
ID | Word of Caution | Desired Value | Is the setting default?
backup-excludes | If you are already sending the audit and system logs to a remote logging server via syslog, do not include those same audit and system logs whenever a backup is performed to the specified SFTP target. It would be needlessly redundant, and the backups containing those logs can be pretty big. | Audit logs and System events are not excluded | Yes
backup-user-password | NA | Strong passwords as defined in your local site policy | No
block-unused-ports | NA | Only needed ports should be open | No
disable-ipv6 | NA | IPv6 should be disabled | Yes
disable-ipv6-dns | NA | IPv6 DNS should be disabled | Yes
disable-ssh-manager | If you need to use SSH, set the thumbprint a single time at the client, and always use the same client to connect. If prompted for initial connection approval later from the same client, don't connect. Wherever possible, consider using VMware vSphere Web Client over SSH. | Turned off | Yes
enable-ntp | NA | 1) Use at least 3 NTP servers from outside time sources, -OR- 2) Configure a few local NTP servers on a trusted network that in turn obtain their time from at least three outside time sources | No
enable-remote-syslog | NA | Remote syslog server is configured. | No
ensure-valid-certificates | NA | 1) Appropriate Issuer, 2) Correct certificate Type, 3) RSA Algorithm, 4) 2048 bit keys or higher | No
harden-vsphere-environment | NA | NA | No
keep-nsx-patched | NA | NA | No
limit-user-role | NA | NA | No
limit-user-scope | NA | NA | No
monitor-api-use | NA | Review activity logs for API usage | No
no-unsupported-software | NA | NA | No
password-complexity-webui | NA | Strong passwords as defined in your local site policy | No
restrict-nsx-access | NA | NA | No
restrict-nsx-va-access | NA | NA | No
secure-backup-dir | NA | No read or write permissions on the backup directory for other users | No
secure-dns-server | NA | NA | No
secure-sftp-server | NA | NA | No
secure-syslog-server | NA | NA | No
use-sftp | NA | NA | No
verify-install-media | NA | SHA1 or MD5 hash should match | No
ID | API | Reference
backup-excludes | https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-2A75A102-518D
backup-user-password | https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | NA
block-unused-ports | NA | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-E7C4E61C-1F36-
disable-ipv6 | https://<nsxmgr-ip>/api/1.0/appliance-management/system/network | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-2A75A102-518D
disable-ipv6-dns | https://<nsxmgr-ip>/api/1.0/appliance-management/system/network | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-2287ACAA-C1B6
disable-ssh-manager | https://<nsx-manager-ip>/api/1.0/appliance-management/components/component/SSH/ to check the status | http://pubs.vmware.com/NSX-6/topic/com.vmware.nsx.install.doc/GUID-F4161963-B338-477D-9D2F-147DF26680F0.html
enable-ntp | https://<nsxmgr-ip>/api/1.0/appliance-management/system/timesettings | http://www.pool.ntp.org/en/
enable-remote-syslog | https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.install.doc/GUID-CFB0DC96-C329-
ensure-valid-certificates | https://<nsxmgr-ip>/api/1.0/appliance-management/certificatemanager/certificates/nsx | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-75E20224-AE0D-
harden-vsphere-environment | NA | http://www.vmware.com/security/hardening-guides.html
keep-nsx-patched | https://<nsxmgr-ip>/api/1.0/appliance-management/global/info | http://www.vmware.com/security/advisories/
limit-user-role | https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId> | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-049478CE-681F-
limit-user-scope | https://<nsxmgr-ip>/api/2.0/services/usermgmt/role/<userId> | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-79F9067D-2F29-

monitor-api-use, no-unsupported-software, password-complexity-webui, restrict-nsx-access, restrict-nsx-va-access (API and Reference cells for these five rows, in the order given):
  API: https://<vsm-ip>/api/2.0/systemevent?startIndex=0&pageSize=10; https://<nsxmgr-ip>/api/1.0/appliance-management/components; https://<nsxmgr-ip>/api/1.0/appliance-management/notifications; https://<nsxmgr-ip>/api/2.0/logging/auditlog?startIndex=0&pageSize=10; NA; NA
  Reference: NA; https://www.vmware.com/support/policies/thirdparty.html; NA; NA; NA; https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.security.doc/GUID-3F7F

secure-backup-dir | https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | NA
secure-dns-server | https://<nsxmgr-ip>/api/1.0/appliance-management/system/network |
secure-sftp-server | https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | http://www.giac.org/paper/gsec/3581/creating-secure-inter-company-file-transfer-system/1058
secure-syslog-server | https://<nsxmgr-ip>/api/1.0/appliance-management/system/syslogserver | http://blogs.vmware.com/management/2013/09/log-insight-remote-syslog-architectures.html
use-sftp | https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-79F9067D-2F29-
verify-install-media | NA | http://kb.vmware.com/kb/1537
ID | Component | Subcomponent | Title
block-unused-ports | NSX Controller | Ports | Block access to ports not used by NSX Controller.
disable-ssh-controller | NSX Controller | Communication | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
isolate-controller-network | NSX Controller | Communication | Controller network should be isolated.
secure-controller-network | NSX Controller | Communication | Controller network should be secured.
restrict-nsx-va-access | VMware vSphere | NSX Controller VA | Restrict access to the NSX Controller Virtual Appliance in the VMware vSphere environment.
Vulnerability Discussion / Assessment Procedure

block-unused-ports
  Vulnerability Discussion: Blocking unneeded ports can prevent general attacks on those ports and thus reduce the attack surface.
  Assessment Procedure: Verify that only the ports listed in the "Reference" column of this sheet are open on NSX Controller.

disable-ssh-controller
  Vulnerability Discussion: Secure Shell (SSH) is an interactive command line environment available for making remote connections to NSX Controller. Access via SSH requires the root or higher privileged user account credentials. The activities performed from SSH generally bypass NSX based RBAC and audit controls. Thus, SSH should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed via other procedures.
  Assessment Procedure: Try opening a connection via SSH to NSX Controller. If the connection opens requesting credentials, this means SSH is enabled and is available for making connections.

isolate-controller-network
  Vulnerability Discussion: Controller network should be secured. By default, IPSec is enabled between the controllers for NSX. However, isolating the controller network provides an additional layer of security that may help prevent confidentiality, integrity, and availability attacks.
  Assessment Procedure: Ensure that the controller network is deployed on a network that is not configured for or connected to other types of traffic.

secure-controller-network
  Vulnerability Discussion: Controller network should be secured. By default, IPSec is enabled between the controllers for NSX.
  Assessment Procedure: Ensure that the controller network is secured. Run the REST API call to get the properties of the controller node and verify that the ipSecEnabled element is true.
    https://<nsxmgr>/api/2.0/vdn/controller/node
    Response:
    <controllerNodeConfig>
      <ipSecEnabled>true</ipSecEnabled>
    </controllerNodeConfig>

restrict-nsx-va-access
  Vulnerability Discussion: Users having access to the NSX Controller VA in the VMware vSphere environment could potentially cause harm by intentionally or unintentionally performing power off/suspend/migrate or other administrative functions. It is important that NSX Controller VA access is protected using user access controls or by separating / isolating the NSX Controller environment.
  Assessment Procedure: Log in to the VMware vSphere environment and inspect which users have access permissions to the NSX Controller VA. No user other than the intended administrator should have access to the VA or be able to carry out any administrative actions on that VA.
ID | Word of Caution | Desired Value | Is the setting default?
block-unused-ports | NA | Only needed ports should be open | No
disable-ssh-controller | If you need to use SSH, set the thumbprint a single time at the client, and always use the same client to connect. If prompted for initial connection approval later from the same client, don't connect. Wherever possible, consider using VMware vSphere Web Client over SSH. | Turned off | No
isolate-controller-network | NA | NA | NA
secure-controller-network | If you prefer to implement controller network security/isolation through other means you may turn this off. | <ipSecEnabled>true</ipSecEnabled> | Yes
restrict-nsx-va-access | NA | NA | No
ID | API | Reference
block-unused-ports | NA | http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-E7C4E61C-1F36-
disable-ssh-controller | Log in to the controller console with the admin user. On the command line, type the following: "set allow-password-ssh no" |
isolate-controller-network | NA | NA
secure-controller-network | To disable IPSec: https://<nsxmgrip>/api/2.0/vdn/controller/node, set ipSecEnabled = false | NA
restrict-nsx-va-access | NA | https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.security.doc/GUID-3F7F
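The API columns of the Manager and Controller sheets above give the GET endpoints behind several checks: backupsettings for backup-excludes and use-sftp, components/component/SSH for disable-ssh-manager, and vdn/controller/node for secure-controller-network. As an added example that is not part of VMware's guide, the Python below evaluates those four recommendations against saved response bodies, so the assessment can be repeated without the Web UI. The XML samples are constructed; apart from <controllerNodeConfig>/<ipSecEnabled>, which the guide shows, the element names (excludeTables/excludeTable, ftpSettings/transferProtocol, component/status) are assumptions about the NSX 6.3 response shape.

```python
"""Offline evaluation of four NSX hardening checks against saved API responses.

Added example, not part of the VMware guide. The three XML strings are
constructed samples in the shape of NSX 6.3 responses; element names other
than <controllerNodeConfig>/<ipSecEnabled> (shown in the guide) are assumed.
"""
import xml.etree.ElementTree as ET

# Constructed: GET https://<nsxmgr-ip>/api/1.0/appliance-management/backuprestore/backupsettings
# Deliberately non-compliant: plain FTP, and AUDIT_LOG excluded from the backup.
BACKUP_SETTINGS_XML = """<backupSettings>
  <ftpSettings>
    <transferProtocol>FTP</transferProtocol>
    <hostNameIPAddress>backup.example.invalid</hostNameIPAddress>
    <port>21</port>
    <userName>nsxbackup</userName>
    <backupDirectory>/nsx</backupDirectory>
  </ftpSettings>
  <excludeTables>
    <excludeTable>AUDIT_LOG</excludeTable>
    <excludeTable>FLOW_RECORDS</excludeTable>
  </excludeTables>
</backupSettings>"""

# Constructed: GET https://<nsx-manager-ip>/api/1.0/appliance-management/components/component/SSH
SSH_COMPONENT_XML = """<component>
  <componentId>SSH</componentId>
  <name>SSH Service</name>
  <status>RUNNING</status>
</component>"""

# Constructed: GET https://<nsxmgr>/api/2.0/vdn/controller/node (shape as shown in the guide)
CONTROLLER_NODE_XML = """<controllerNodeConfig>
  <ipSecEnabled>true</ipSecEnabled>
</controllerNodeConfig>"""

# Tables the guide says must not be excluded from the backup (backup-excludes).
PROTECTED_TABLES = {"AUDIT_LOG", "SYSTEM_EVENTS"}


def _text(root, path):
    """Stripped text of a child element, or '' when it is absent or empty."""
    return (root.findtext(path) or "").strip()


def check_backup_settings(xml_text):
    """backup-excludes and use-sftp, evaluated on one backupsettings response.

    Returns {recommendation_id: (compliant, detail)}.
    """
    root = ET.fromstring(xml_text)
    excluded = {e.text.strip().upper()
                for e in root.iterfind("./excludeTables/excludeTable") if e.text}
    wrongly_excluded = sorted(excluded & PROTECTED_TABLES)
    protocol = _text(root, "./ftpSettings/transferProtocol").upper()
    return {
        "backup-excludes": (
            not wrongly_excluded,
            "excluded tables: " + (", ".join(sorted(excluded)) or "none"),
        ),
        # The guide wants SFTP; plain FTP moves the backup over an unencrypted channel.
        "use-sftp": (protocol == "SFTP", "transferProtocol=" + (protocol or "unset")),
    }


def check_ssh_component(xml_text):
    """disable-ssh-manager: the SSH Service component must be stopped."""
    root = ET.fromstring(xml_text)
    status = _text(root, "./status").upper()
    return {"disable-ssh-manager": (status == "STOPPED",
                                    "SSH Service status=" + (status or "unknown"))}


def check_controller_ipsec(xml_text):
    """secure-controller-network: <ipSecEnabled> must be true (the default)."""
    root = ET.fromstring(xml_text)
    value = _text(root, "./ipSecEnabled").lower()
    return {"secure-controller-network": (value == "true",
                                          "ipSecEnabled=" + (value or "missing"))}


def run_all(backup_xml=BACKUP_SETTINGS_XML, ssh_xml=SSH_COMPONENT_XML,
            controller_xml=CONTROLLER_NODE_XML):
    """Evaluate every check; returns {recommendation_id: (compliant, detail)}."""
    results = {}
    for check, body in ((check_backup_settings, backup_xml),
                        (check_ssh_component, ssh_xml),
                        (check_controller_ipsec, controller_xml)):
        results.update(check(body))
    return results


def failing(results):
    """Recommendation IDs that are not compliant, sorted for stable reporting."""
    return sorted(rec for rec, (ok, _detail) in results.items() if not ok)


if __name__ == "__main__":
    outcome = run_all()
    for rec in sorted(outcome):
        ok, detail = outcome[rec]
        print("%-26s %s  %s" % (rec, "PASS" if ok else "FAIL", detail))
```

Feed the functions the bodies returned by the GET calls in the API column (authenticated, over HTTPS with a validated certificate) to run the same checks against a live NSX Manager.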
ID | Component | Subcomponent | Title
block-unused-ports | Various | Ports | Block access to ports not used on the data plane.
disable-ssh-gateway | NSX Edge | Edge Services Gateway | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
disable-ssh-router | NSX Edge | Edge Logical Router | Disable Secure Shell (SSH) unless needed for diagnostics or troubleshooting purposes.
enable-md5 | NSX Edge | Edge Logical Router | Enable in-protocol MD5 authentication for OSPF and BGP.
isolate-storage-network | Storage | Network | Isolate the storage network from other networks.
isolate-vxlan | VXLAN | Communication | Isolate virtual network tunnel traffic.
no-non-hypervisors | Hypervisor | NA | Do not allow any untrusted hypervisors on the logical network data plane.
password-complexity-er | NSX Edge | Edge Logical Router | Ensure sufficient password strength as defined in your local site policy.
reject-forged-transmit-dvportgroup | NSX vSwitch | vSphere Distributed Switch | Ensure that the "Forged Transmits" policy is set to reject.
reject-mac-change-dvportgroup | NSX vSwitch | vSphere Distributed Switch | Ensure that the "MAC Address Change" policy is set to reject.
reject-promiscuous-mode-dvportgroup | NSX vSwitch | vSphere Distributed Switch | Ensure that the "Promiscuous Mode" policy is set to reject.
restrict-nsx-va-access | VMware vSphere | Edge VA | Restrict access to the Edge Virtual Appliance in the VMware vSphere environment.
restrict-vds-access | NSX vSwitch | vSphere Distributed Switch | Restrict access to the vSphere Distributed Switch.
use-srcid-lb-option | VXLAN | Teaming Policy | Choose "Load Balance - SRCID" for the VXLAN vmknic teaming policy.
Vulnerability Discussion

block-unused-ports
  Blocking unneeded ports can prevent general attacks on those ports and thus reduce the attack surface.

disable-ssh-gateway
  Secure Shell (SSH) is an interactive command line environment available for making remote connections to the NSX Edge Services Gateway. Access via SSH requires the root or higher privileged user account credentials. The activities performed from SSH generally bypass NSX based RBAC and audit controls. Thus, SSH should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed via other procedures. It is also useful to block SSH via firewall rules on any interface that is not the internal vnic you want to use to access SSH. Doing so prevents brute force attacks from the actual Internet if this is a gateway.

disable-ssh-router
  Secure Shell (SSH) is an interactive command line environment available for making remote connections to the NSX logical (distributed) router. Access via SSH requires the root or higher privileged user account credentials. The activities performed from SSH generally bypass NSX based RBAC and audit controls. Thus, SSH should only be turned on when needed to troubleshoot/resolve problems that cannot be fixed via other procedures.

enable-md5
  Edge routers can be configured to use OSPF or BGP to provide dynamic routing functionality. OSPF and BGP authentication is disabled by default. When using a dynamic routing protocol, Edge routers exchange messages with other routers over untrusted networks. Left unauthenticated, these protocols allow an attacker on the network to forge messages to the Edge that cause it to reroute traffic to attacker-controlled hosts.

isolate-storage-network
  Current virtualized disk technologies rely on unencrypted and insecure transports such as iSCSI. Protect against rogue VM attacks by isolating these storage networks from data transport networks. If compromised, attackers may be able to recover VM disks and other sensitive information.

isolate-vxlan
  Virtual network tunnel traffic (VXLAN) needs to be separated from other traffic to avoid tampering with the tunnel. The physical NIC for the virtual tunnel end point (VTEP) should be on an isolated network with the other VTEPs in your data center on trusted hypervisors. You can isolate this to a VLAN segment, but for extra safety use physical isolation.

no-non-hypervisors
  Having untrusted hypervisors tends to loosen specific and tested control over protecting intended storage access.
  Having non-hypervisors on the logical network data plane makes the VXLAN vulnerable to accepting traffic from forged sources. Mixing non-hypervisors with hypervisors does not guarantee sufficient protection and thus could lead to a compromise of data, resulting in a failure of confidentiality, integrity and availability.

password-complexity-er
  Minimal password complexity is enforced when a user creates/changes a password for VDR/Edge. This leaves room for setting weak passwords, which makes it more likely that attacks against user credentials will be successful.

reject-forged-transmit-dvportgroup
  If the virtual machine operating system changes the MAC address, the operating system can send frames with an impersonated source MAC address at any time. This allows an operating system to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network.
  By default, forged transmits is set to accept. It should be changed to reject.

reject-mac-change-dvportgroup
  If the virtual machine operating system changes the MAC address, it can send frames with an impersonated source MAC address at any time. This allows it to stage malicious attacks on the devices in a network by impersonating a network adaptor authorized by the receiving network. Setting the policy to reject will prevent VMs from changing their effective MAC address. It will affect applications that require this functionality. An example of an application like this is Microsoft Clustering, which requires systems to effectively share a MAC address. This will also affect how a layer 2 bridge will operate. This will also affect applications that require a specific MAC address for licensing. An exception should be made for the dvPortgroups that these applications are connected to.

reject-promiscuous-mode-dvportgroup
  When promiscuous mode is enabled for a dvPortgroup, all virtual machines connected to the dvPortgroup have the potential of reading all packets across that network, meaning only the virtual machines connected to that dvPortgroup. Promiscuous mode is disabled by default on the ESXi server, and this is the recommended setting. However, there might be a legitimate reason to enable it for debugging, monitoring or troubleshooting reasons. Security devices might require the ability to see all packets on a vSwitch. An exception should be made for the dvPortgroups that these applications are connected to, in order to allow for full-time visibility to the traffic on that dvPortgroup. Unlike standard vSwitches, dvSwitches only allow Promiscuous Mode at the dvPortgroup level.

restrict-nsx-va-access
  Users having access to the Edge VA in the VMware vSphere environment could potentially cause harm by intentionally or unintentionally performing power off/suspend/migrate or other administrative functions. It is important that Edge VA access is protected using user access controls or by separating / isolating the Edge VA environment.

restrict-vds-access
  As a best practice, protect the vDS configuration in vCenter Server after initial system preparation (i.e. networking configuration should only be managed via NSX Manager) to avoid changes that can get the vCenter and NSX Manager configuration out of sync and potentially impact the logical networking.
  Also, it helps to better isolate the NSX Manager and vCenter/vDS configuration environments, as you may have multiple/separate administrators (Cloud Admin and Network Admin) managing them.

use-srcid-lb-option
  SRCID means that VM-to-VTEP pinning will be based on the virtual machine source virtual port ID. This is the recommended setting, as all traffic from a given virtual machine will be pinned to one VTEP on the host.
  The other Load Balance option is SRCMAC, which effectively works the same way as SRCID for virtual machines with only one MAC address. If the virtual machines have multiple MAC addresses, SRCMAC will conflict with Forged Transmit Reject settings, whereas SRCID will not.
Assessment Procedure | Word of Caution

Assessment Procedure: Verify that only the ports listed in the "Reference" column of this sheet are open on the data plane.
Word of Caution: NA

Assessment Procedure: Try opening an SSH connection to the NSX Edge services gateway. If the connection opens and prompts for credentials, SSH is enabled and available for connections.
Word of Caution: If you need to use SSH, set the thumbprint a single time at the client, and always reuse the same client to connect. If prompted for initial connection approval later from the same client, don't connect. Wherever possible, consider using the VMware vSphere Web Client over SSH.

Assessment Procedure: Try opening an SSH connection to the NSX distributed logical router. If the connection opens and prompts for credentials, SSH is enabled and available for connections.
Word of Caution: If you need to use SSH, set the thumbprint a single time at the client, and always use the same client to connect. If prompted for initial connection approval later from the same client, don't connect. Also, firewall the SSH port (port 22) on all edge interfaces except the one to the control plane. Wherever possible, consider using the VMware vSphere Web Client over SSH.

Assessment Procedure: Use the protocol commands to find out whether authentication is enabled. The commands return one of the following:
Null Authentication: also called Type 0; no authentication information is included in the packet header. This is the default.
Plain Text Authentication: also called Type 1; uses simple clear-text passwords.
MD5 Authentication: also called Type 2; uses MD5 cryptographic passwords. This is the desired level of authentication.
Word of Caution: NA

Assessment Procedure: Do a thorough check on the infrastructure design and deployment network diagram. Ensure that the storage network is isolated from any other networks. VMware-certified third-party software such as ProtectV may be used to enhance data access security. Also ensure that backing datastores have the same level of security as SFTP backup servers. Use local disk storage as a last resort for NSX Manager.
Word of Caution: NA

Assessment Procedure: Thoroughly review the deployment and ensure that the virtual network is isolated.
Word of Caution: NA

Assessment Procedure: Do a thorough check on the infrastructure design and deployment network diagram. Ensure that there are no non-hypervisors on the logical network data plane. Also, ensure that only trusted hypervisors are used and that they have the common function to support.
Word of Caution: NA

Assessment Procedure: Assess the administrator on password quality and ensure that passwords meet the complexity required by your organizational policy.
Word of Caution: NA

Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select "DSwitch" for distributed portgroups.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab "Summary > Edit Settings > Policies > Security".
5. Set the "Forged transmits" value to "Reject".
Word of Caution: There are two load balancing options when configuring VXLAN networking: "Load Balance - SRCID" and "Load Balance - SRCMAC". The SRCMAC option requires the forged transmit policy to be "Accept", whereas the SRCID option does not.

Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select "DSwitch" for distributed portgroups.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab "Summary > Edit Settings > Policies > Security".
5. Set "MAC Address Changes" to "Reject".
Word of Caution: This setting might break Microsoft Clustering and L2 Bridging.

Assessment Procedure: Verify by using the vSphere Web Client to connect to the vCenter Server as administrator:
1. Go to "Home > Inventory > Networking".
2. Select "DSwitch" for distributed portgroups.
3. Select each dvPortgroup connected to active VMs requiring securing.
4. Go to tab "Summary > Edit Settings > Policies > Security".
5. Set "Promiscuous Mode" to "Reject".
Word of Caution: NA

Assessment Procedure: Log in to the VMware vSphere environment and inspect which users have access permissions to the Edge VA. No user other than the intended administrator should have access to the VA or be able to carry out any administrative actions on it.
Word of Caution: NA

Assessment Procedure: Log in to the VMware vSphere environment and inspect which users have access permissions to the vSphere Distributed Switch. No user other than the intended administrator should have access to it.
Word of Caution: NA

Assessment Procedure: To assess this recommendation:
1) Log in to the VMware vSphere Web Client.
2) Navigate to "Networking and Security" --> "Installation".
3) Go to the "Host Preparation" tab.
4) Under the "VXLAN" column, select "Configure".
5) Ensure that the "VMKNic Teaming Policy" option is set to "Load Balance - SRCID".
Word of Caution: The SRCMAC option requires the forged transmit policy to be "Accept", whereas the SRCID option does not.
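The three dvPortgroup security-policy checks above (Forged transmits, MAC Address Changes, Promiscuous Mode, all "Reject") and the SRCID/SRCMAC word of caution can be evaluated in one pass over a portgroup inventory. The following is an added example written for this page, not code from the guide or from VMware. The portgroup records and names are constructed; the policy_from_pyvmomi() helper shows where the same three booleans come from on a live vCenter and assumes the pyVmomi object layout config.defaultPortConfig.securityPolicy with allowPromiscuous, macChanges and forgedTransmits policies. The "vxlan_transport" flag and the "srcmac-requires-forged-transmit-accept" finding name are this example's own conventions.

```python
"""Compliance check for reject-forged-transmit-dvportgroup,
reject-mac-change-dvportgroup and reject-promiscuous-mode-dvportgroup,
plus the SRCMAC/forged-transmit conflict from the word of caution.
Added example; portgroup data below is constructed."""

# Each vSphere security setting is a boolean policy: True = "Accept", False = "Reject".
ACCEPT, REJECT = True, False


def policy_from_pyvmomi(pg):
    """Read the effective policy from a pyVmomi dvPortgroup object (assumed layout)."""
    sp = pg.config.defaultPortConfig.securityPolicy
    return {
        "name": pg.name,
        "allowPromiscuous": sp.allowPromiscuous.value,
        "macChanges": sp.macChanges.value,
        "forgedTransmits": sp.forgedTransmits.value,
    }


def evaluate_portgroup(pg, vxlan_teaming="SRCID", promiscuous_exempt=()):
    """Return the recommendation IDs this portgroup violates.

    pg: dict as produced by policy_from_pyvmomi() (plus an optional constructed
        "vxlan_transport" flag marking the VXLAN transport portgroup).
    vxlan_teaming: the host-preparation "VMKNic Teaming Policy", SRCID or SRCMAC.
    promiscuous_exempt: portgroups that legitimately carry monitoring appliances,
        the exception the guide's vulnerability discussion allows.
    """
    findings = []
    on_transport = bool(pg.get("vxlan_transport"))
    if pg["forgedTransmits"] == ACCEPT:
        # SRCMAC teaming needs Accept on the VXLAN transport portgroup only;
        # Accept anywhere else is a finding.
        if not (on_transport and vxlan_teaming == "SRCMAC"):
            findings.append("reject-forged-transmit-dvportgroup")
    elif on_transport and vxlan_teaming == "SRCMAC":
        # Word of caution: Reject conflicts with SRCMAC; the guide's fix is SRCID.
        findings.append("srcmac-requires-forged-transmit-accept")
    if pg["macChanges"] == ACCEPT:
        findings.append("reject-mac-change-dvportgroup")
    if pg["allowPromiscuous"] == ACCEPT and pg["name"] not in promiscuous_exempt:
        findings.append("reject-promiscuous-mode-dvportgroup")
    return findings


def audit_portgroups(portgroups, vxlan_teaming="SRCID", promiscuous_exempt=()):
    """Evaluate every portgroup; return {name: findings} for non-compliant ones."""
    report = {}
    for pg in portgroups:
        findings = evaluate_portgroup(pg, vxlan_teaming, promiscuous_exempt)
        if findings:
            report[pg["name"]] = findings
    return report


# Constructed sample inventory (names and values made up for this example).
SAMPLE_PORTGROUPS = [
    {"name": "dvpg-web", "allowPromiscuous": REJECT, "macChanges": REJECT, "forgedTransmits": REJECT},
    {"name": "dvpg-legacy", "allowPromiscuous": REJECT, "macChanges": ACCEPT, "forgedTransmits": ACCEPT},
    {"name": "dvpg-ids-span", "allowPromiscuous": ACCEPT, "macChanges": REJECT, "forgedTransmits": REJECT},
    {"name": "dvpg-vxlan", "allowPromiscuous": REJECT, "macChanges": REJECT, "forgedTransmits": REJECT,
     "vxlan_transport": True},
]

if __name__ == "__main__":
    for teaming in ("SRCID", "SRCMAC"):
        print(teaming, audit_portgroups(SAMPLE_PORTGROUPS, teaming, {"dvpg-ids-span"}))
```

With SRCID teaming only "dvpg-legacy" is reported; switching the sample to SRCMAC additionally flags the VXLAN transport portgroup, which is exactly the conflict the word of caution describes. Leaving the exemption set empty makes the monitoring portgroup a finding as well, so the exemption list should be an explicit, reviewed input rather than a default.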
Desired Value | Is the setting default? | API

Desired Value: Only needed ports should be open. Default: No. API: NA
Desired Value: Turned off. Default: Yes. API: https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/cliremoteaccess?enable=true|false
Desired Value: Turned off. Default: Yes. API: NA
Desired Value: MD5 authentication enabled. Default: No. API: https://<nsxmgr-ip>/api/4.0/edges/<edgeId>/routing/config
Desired Value: Best practice guidance is to use a dedicated vNIC and VLAN for storage and compute. Default: No. API: NA
Desired Value: NA. Default: No. API: NA
Desired Value: NA. Default: No. API: NA
Desired Value: Strong passwords as defined in your local site policy. Default: No. API: NA
Desired Value: NA. Default: Yes. API: https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
Desired Value: NA. Default: Yes. API: https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
Desired Value: NA. Default: Yes. API: https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
Desired Value: NA. Default: No. API: NA
Desired Value: NA. Default: No. API: https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.wssd
Desired Value: NA. Default: No. API: https://<vsm-ip>/api/4.0/edges/<edgeId>/loadbalancer/config
Reference
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-E7C4E61C-1F36-457C-ACC5-EAF955C46E8B.htm
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.install.doc/GUID-1EA25D37-F1C7-45C8-AEBA-A555ACC972BC.htm
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.install.doc/GUID-1EA25D37-F1C7-45C8-AEBA-A555ACC972BC.htm
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-EF251ED4-5BCA-43D5-9C01-975601EACF1E.htm
http://www.safenet-inc.com/data-protection/virtualization-cloud-security/protectv-cloud-data-protection/
https://communities.vmware.com/docs/DOC-27683
NA
http://pubs.vmware.com/nsx-63/index.jsp#com.vmware.nsx.admin.doc/GUID-9EBB38F3-BE2C-4C15-BA49-879DBBE6F2F0.htm
http://www.vmware.com/files/pdf/products/nsx/vmware-nsx-on-cisco-n7kucs-design-guide.pdf
http://www.vmware.com/security/hardening-guides.html
http://www.vmware.com/security/hardening-guides.html
http://www.vmware.com/security/hardening-guides.html
https://pubs.vmware.com/vsphere-65/index.jsp#com.vmware.vsphere.security.doc/GUID-6C181D08-6650-4AD1-92D1-AAFDA
No
http://www.vmware.com/files/pdf/products/nsx/vmware-nsx-on-cisco-n7kucs-design-guide.pdf
http://www.vmware.com/security/hardening-guides.html
Date Change

28-Mar-17 First version based on NSX version 6.3 and vSphere 6.5. Renamed Security Configruati
10-Jun-16 Update VTEP default port to 4789 for NSXv 6.2.3
2--Apr-16 Port information table in Appendix
9-Apr-15 Removed Draft and Internal and added version number in the document
23-Feb-15 Updated Appendix for host prep ports between ESXi and vCenter
15-Oct-14 Control Plane > isolate-controller-network
8-Oct-14 Port information table in Appendix
8-Oct-14 Added acknowledgement
6-Oct-14 Management Plane > secure-dns-server
6-Oct-14 Management Plane > secure-syslog-server
6-Oct-14 Control Plane > utilize-vlan
6-Oct-14 Data Plane > isolate-vxlan
6-Oct-14 Data Plane > disable-ssh-router
6-Oct-14 Data Plane > enable-md5
6-Oct-14 Data Plane > password-complexity-er
22-Sep-14 Management Plane > backup-excludes
19-Sep-14 Management Plane
19-Sep-14 Control Plane
19-Sep-14 Data Plane
19-Sep-14 Doc. Info > How to read this hardening guide
19-Sep-14 Management Plane > disable-ssh-manager
19-Sep-14 Management Plane > verify-install-media
19-Sep-14 Control Plane > isolate-controller-network
19-Sep-14 Control Plane > disable-ssh-controller
19-Sep-14 Management Plane > disable-ipv6
19-Sep-14 Management Plane > disable-ipv6-dns
19-Sep-14 Data Plane > disable-ssh-gateway
19-Sep-14 Data Plane > disable-ssh-router
19-Sep-14 Data Plane > reject-forged-transmit-dvportgroup
19-Sep-14 Data Plane > reject-mac-change-dvportgroup
19-Sep-14 Data Plane > reject-promiscuous-mode-dvportgroup
19-Sep-14 Appendix > Ports 2878, 2888, 3888 > Purpose
19-Sep-14 Appendix > Csync
19-Sep-14 Appendix > Rest Client to NSX Controller
19-Sep-14 Data Plane > disable-ssh-router
19-Sep-14 Data Plane > enable-md5-dlr
19-Sep-14 Data Plane > enable-md5
19-Sep-14 Data Plane > password-complexity-dlr
19-Sep-14 Data Plane > password-complexity-dlr
19-Sep-14 Data Plane > password-complexity-er
19-Sep-14 Data Plane > reject-forged-transmit-dvportgroup
19-Sep-14 Data Plane > reject-mac-change-dvportgroup
19-Sep-14 Data Plane > reject-promiscuous-mode-dvportgroup
19-Sep-14 Data Plane > reject-mac-change-dvportgroup
19-Sep-14 Data Plane > reject-promiscuous-mode-dvportgroup
19-Sep-14 Data Plane > isolate-vxlan
19-Sep-14 Data Plane > isolate-storage-network
19-Sep-14 Data Plane > disable-ssh-gateway
19-Sep-14 Data Plane > default-firewall-rules
19-Sep-14 Doc. Info > Acknowledgement
19-Sep-14 Data Plane > restrict-vds-access
28-Aug-14 Data Plane > isolate-vxlan
28-Aug-14 Data Plane > isolate-vxlan
28-Aug-14 Data Plane > disable-ssh-router
28-Aug-14 Data Plane > disable-ssh-gateway
28-Aug-14 Management Plane > disable-ssh-manager
28-Aug-14 Control Plane > disable-ssh-controller
28-Aug-14 Control Plane > isolate-controller-network
28-Aug-14 Doc. Info Sheet
28-Aug-14 Control Plane > use-vpn-technology
28-Aug-14 Control Plane > isolate-controller-network
21-Aug-14 Data Plane > accept-forged-transmit-dvportgroup
21-Aug-14 Data Plane > accept-forged-transmit-dvportgroup
21-Aug-14 Data Plane > use-srcid-lb-option
20-Aug-14 Added "Acknowledgment" section in Doc. Info sheet
20-Aug-14 Management Plane > harden-vsphere-environment
20-Aug-14 Management Plane > disable-ssh-manager
20-Aug-14 Management Plane > restrict-nsx-access
20-Aug-14 Management Plane > restrict-nsx-va-access
20-Aug-14 Control Plane > restrict-nsx-va-access
20-Aug-14 Data Plane > restrict-nsx-va-access
20-Aug-14 Management Plane > limit-user-role
20-Aug-14 Management Plane > limit-user-scope
20-Aug-14 block-unused-ports in all the planes
20-Aug-14 isolate-vxlan
20-Aug-14 Control Plane > disable-ssh-controller
20-Aug-14 Doc. Info > Management Plane Components
20-Aug-14 Doc. Info > Control Plane Components
20-Aug-14 Doc. Info > Data Plane Components
20-Aug-14 Doc. Info > Data Plane Components
20-Aug-14 Data Plane > default-firewall-rules
20-Aug-14 Data Plane > disable-ssh-edge
20-Aug-14 Data Plane > enable-md5-dlr
20-Aug-14 Data Plane > password-complexity-dlr
20-Aug-14 Data Plane > disable-ssh-edge
20-Aug-14 Data Plane > disable-ssh-gateway
20-Aug-14 Data Plane > disable-ssh-router
20-Aug-14 Data Plane > disable-ssh-router
20-Aug-14 Data Plane > accept-forged-transmit
20-Aug-14 Data Plane > reject-mac-changes
20-Aug-14 Data Plane > reject-promiscuous-mode
20-Aug-14 Data Plane > no-non-hypervisors
20-Aug-14 Data Plane > enable-md5-dlr
20-Aug-14 Data Plane > password-complexity-dlr
20-Aug-14 Data Plane > accept-forged-transmit-dvportgroup
19-Aug-14 Added a worksheet named "Appendix"
19-Aug-14 Added "Ports and protocols required by NSX for vSphere" Table
19-Aug-14 Management Plane > block-unused-ports
19-Aug-14 Control Plane > block-unused-ports
19-Aug-14 Data Plane > block-unused-ports
14-Aug-14 Whole book
10-Aug-14 Management Plane > change-default-password --> Removed
10-Aug-14 Management Plane > ensure-valid-certificates --> Title
10-Aug-14 Management Plane > no-unsupported-software --> Subcomponent
10-Aug-14 Management Plane > no-unsupported-software --> Vulnerability Discussion
10-Aug-14 Management Plane > password-complexity-webui --> Vulnerability Discussion
10-Aug-14 Management Plane > verify-install-media --> Vulnerability Discussion
10-Aug-14 Management Plane > verify-install-media --> Assessment Procedures
10-Aug-14 Control Plane > disable-ssh-controller --> Word of Caution
10-Aug-14 Control Plane > disable-ssh-router --> Word of Caution
10-Aug-14 Data Plane > disable-ssh-edge --> Vulnerability discussion
10-Aug-14 Data Plane > isolate-storage-network --> Reference
10-Aug-14 Data Plane > isolate-storage-network --> Assessment Procedure
10-Aug-14 Data Plane > no-non-hypervisors --> Vulnerability Discussion
10-Aug-14 Data Plane > no-non-hypervisors --> Assessment Procedures
10-Aug-14 Data Plane > rabbitmq-server-certificate --> Removed
10-Aug-14 Data Plane > reject-forged-transmits --> ID
10-Aug-14 Data Plane > reject-forged-transmits --> Title
10-Aug-14 Data Plane > reject-forged-transmits --> Vulnerability Discussion
10-Aug-14 Data Plane > reject-forged-transmits --> Assessment Procedure
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> ID
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> Title
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> Vulnerability Discussion
10-Aug-14 Data Plane > reject-forged-transmit-dvportgroups --> Assessment Procedure
10-Aug-14 Control Plane > isolate-controller-network
10-Aug-14 Control Plane > isolate-vxlan
10-Aug-14 Control Plane > utilize-vlan
10-Aug-14 Control Plane > use-vpn-technology
1-Aug-14 Made various minor verbatim changes
1-Aug-14 Deleted the column "Configuration File"
1-Aug-14 Deleted the column "Configuration Parameters"
1-Aug-14 Added the column "Word of Caution"
1-Aug-14 Added the cautionary warning for some recommendations
1-Aug-14 Added REST API references
Comments

For internal review

Added ports for Cross vCenter Universal Objects


Version 1.4 to be published for wider distribution.
Added ports TCP 80 between Esxi and vCenter.
Recommendation revised
Added ports 6999 and 8301, 8302 into the table
Acknowledged Dmitri Kalintsev
Reference link removed.
Added clarification in "Vulnerability Discussion" column
Removed entry
Provided reference link
Changed sub-component name to "Edge Logical Router"
Changed sub-component name to "Edge Logical Router"
Changed sub-component name to "Edge Logical Router"
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Added "Is the setting default?" column. Put "No" everywhere initially.
Added "Is the setting default?" column. Put "No" everywhere initially.
Added "Is the setting default?" column. Put "No" everywhere initially.
Added information for "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Added clarification in "Vulnerability Discussion" column
Updated "Word of Caution" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Highlighted that this is default setting by putting "Yes" under "Is the setting default?" column
Changed to Controller Cluster
New Entry
Entry deleted
Subcomponent name Changed to "Edge Router".
ID changed to "enable-md5"
Subcomponent name Changed to "Edge Router".
Subcomponent name Changed to "Edge Router".
ID changed to password-complexity-er
Verbatim change in "Assessment Procedure" Column
API reference link updated
API reference link updated
API reference link updated
"Word of Caution" column updated
"Word of Caution" set to NA
"Vulnerability Discussion" column updated
"Desired Value" column updated
"Word of Caution" column updated
Entry deleted
Acknowledgement Updated to add new contributors
New Entry
Vulnerability discussion updated
Title updated
Word of Caution Updated
Word of Caution Updated
Word of Caution Updated
Word of Caution Updated
Vulnerability discussion updated
Changed version from 6.x to 6.1 since the guide is for 6.1
Merged with Control Plane > isolate-controller-network recommendation
Word of Caution Updated with recommendation to use IPsec alternatively
Renamed to "reject-forged-transmit-dvportgroup"
Modified guideline to set it to reject instead of accept
New guidance
NA
Changed component name from "vCenter Server" to "VMware vSphere"
New guidance
New guidance
New guidance
New guidance
New guidance
New guidance
New guidance
Changed subcomponent name to "Ports" from "Various"
Moved to Data Plane from Control Plane
Slight change in the verbiage
Changed vCenter Server to "VMware vSphere"
Deleted "NSX Edge Logical Router"
Changed "Distributed Logical Router" to "Logical (Distributed) Router"
Added "VMware vSphere Distributed Switch"
Changed "NSX Edge for vSphere" to just "NSX Edge". We don’t need to say vSphere repeatedly.
Changed "NSX Edge for vSphere" to just "NSX Edge". We don’t need to say vSphere repeatedly.
Changed "NSX Edge for vSphere" to just "NSX Edge". We don’t need to say vSphere repeatedly.
Changed "NSX Edge for vSphere" to just "NSX Edge". We don’t need to say vSphere repeatedly.
Renamed to "disable-ssh-gateway"
Slight change in the verbiage
Corrected Component and sub-component names
Slight change in the verbiage
Deleted - only vDS is required
Deleted - only vDS is required
Deleted - only vDS is required
Slight change in the verbiage
Changed Subcomponent name from "Distributed Logical Router" to "Logical (Distributed) Router"
Changed Subcomponent name from "Distributed Logical Router" to "Logical (Distributed) Router"
Added justification and reference for this setting
"Appendix" to contain miscellaneous information
Added "Ports and protocols required by NSX for vSphere" table
New guidance
New guidance
New guidance
Made various verbatim changes
Out of date. Appliance today cannot be deployed with default credentials
Title updated to explicitly say "NSX Manager"
Subcomponent name changed to "Unsupported Software" from "Third Party Software"
Vulnerability discussion updated
Fixed a typo in vulnerability discussion
Changed the word iso to bits to make it more general to include OVF or any other downloads
Changed "VMware Website" to "VMware Secure Website"
Added a cautionary recommendation on using SSH
Added a cautionary recommendation on using SSH
Updated vulnerability discussion
Added reference for ProtectV product
Updated assessment procedure to look for more protective measures
Updated vulnerability discussion
Updated assessment procedure
The RabbitMQ cert can't be changed today. Implicit trust is guaranteed to the self-signed cert
ID changed to accept-forged-transmit
Title changed to accept
Vulnerability discussion updated to be in line with the title
Assessment Procedure updated to be in line with the title
ID changed to accept-forged-transmit-dvportgroups
Title changed to accept
Vulnerability discussion updated to be in line with the title
Assessment Procedure updated to be in line with the title
New guidance
New guidance
New guidance
New guidance
Ports and protocols required by NSX for vSphere
Source | Target | Port | Protocol | Purpose | Sensitive User Data | SSL Protected | Authentication Mechanism
Client PC | NSX Manager | 443 | TCP | NSX Manager Administrative Interface | No | Yes | PAM Authentication
Client PC | NSX Manager | 80 | TCP | NSX Manager VIB Access | No | No | PAM Authentication
ESXi Host | vCenter Server | 80 | TCP | ESXi Host Preparation | No | No |
vCenter Server | ESXi Host | 80 | TCP | ESXi Host Preparation | No | No |
ESXi Host | NSX Manager | 5671 | TCP | AMQP | No | Yes | AMQP user/password
ESXi Host | NSX Controller | 1234 | TCP | User World Agent Connection | No | Yes |
NSX Controller | NSX Controller | 2878, 2888, 3888 | TCP | Controller Cluster - State Sync | No | Yes | IPSec
NSX Controller | NSX Controller | 7777 | TCP | Inter-Controller RPC Port | No | Yes | IPSec
NSX Controller | NSX Controller | 30865 | TCP | Controller Cluster - State Sync | No | Yes | IPSec
NSX Controller | NTP Time Server | 123 | TCP | NTP client connection | No | Yes | No Authentication
NSX Controller | NTP Time Server | 123 | UDP | NTP client connection | No | Yes | No Authentication
NSX Manager | NSX Controller | 443 | TCP | Controller to Manager Communication | No | Yes | User/Password
NSX Manager | vCenter Server | 443 | TCP | vSphere Web Access | No | Yes |
NSX Manager | vCenter Server | 902 | TCP | vSphere Web Access | No | Yes |
NSX Manager | ESXi Host | 443 | TCP | Management and provisioning connection | No | Yes |
NSX Manager | ESXi Host | 902 | TCP | Management and provisioning connection | No | Yes |
NSX Manager | DNS Server | 53 | TCP | DNS client connection | No | Yes |
NSX Manager | DNS Server | 53 | UDP | DNS client connection | No | Yes |
NSX Manager | Syslog Server | 514 | TCP | Syslog connection | No | Yes |
NSX Manager | Syslog Server | 514 | UDP | Syslog connection | No | Yes |
NSX Manager | NTP Time Server | 123 | TCP | NTP client connection | No | Yes |
vCenter Server | NSX Manager | 80 | TCP | Host Preparation | No | No |
NSX Manager | NTP Time Server | 123 | UDP | NTP client connection | No | Yes |
REST Client | NSX Manager | 443 | TCP | NSX Manager REST API | No | Yes | User/Password
VXLAN Termination End Point (VTEP) | VXLAN Termination End Point (VTEP) | 4789 (8472 pre-NSX 6.2.3) | UDP | Transport network encapsulation between VTEPs. | No | Yes |
ESXi Host | ESXi Host | 6999 | UDP | ARP on VLAN LIFs | No | Yes |
ESXi Host | NSX Manager | 8301, 8302 | UDP | DVS Sync | No | Yes |
NSX Manager | ESXi Host | 8301, 8302 | UDP | DVS Sync | No | Yes |
Primary NSX Manager | Secondary NSX Manager | 443 | TCP | Cross-vCenter NSX Universal Sync Service | No | Yes |
Primary NSX Manager | vCenter Server | 443 | TCP | vSphere API | No | Yes |
Secondary NSX Manager | vCenter Server | 443 | TCP | vSphere API | No | Yes |
Primary NSX Manager | NSX Universal Controller Cluster | 443 | TCP | NSX Controller REST API | No | Yes | User/Password
Secondary NSX Manager | NSX Universal Controller Cluster | 443 | TCP | NSX Controller REST API | No | Yes | User/Password
ESXi Host | NSX Universal Controller Cluster | 1234 | TCP | NSX Control Plane Protocol | No | Yes |
ESXi Host | Primary NSX Manager | 5671 | TCP | AMQP | No | Yes | AMQP user/password
ESXi Host | Secondary NSX Manager | 5671 | TCP | AMQP | No | Yes | AMQP user/password
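The block-unused-ports recommendation asks the assessor to verify that only the ports in this appendix are open on each component. The following is an added example written for this page, not code from the guide or from VMware: it turns the appendix into a per-component allow-list and diffs a listener inventory against it. FLOW_TABLE is transcribed from the appendix above (the VTEP row is abbreviated to "VTEP"); the ss(8)-style listener lines are constructed sample data, and the parser assumes the `ss -tulnH` column order (Netid, State, Recv-Q, Send-Q, Local Address:Port, Peer Address:Port).

```python
"""Allow-list audit for the block-unused-ports recommendation.
Added example; FLOW_TABLE is transcribed from the guide's port appendix,
the listener sample below is constructed."""
from collections import defaultdict

# source;target;port(s);protocol, one appendix row per line (VTEP abbreviated).
FLOW_TABLE = """\
Client PC;NSX Manager;443;TCP
Client PC;NSX Manager;80;TCP
ESXi Host;vCenter Server;80;TCP
vCenter Server;ESXi Host;80;TCP
ESXi Host;NSX Manager;5671;TCP
ESXi Host;NSX Controller;1234;TCP
NSX Controller;NSX Controller;2878, 2888, 3888;TCP
NSX Controller;NSX Controller;7777;TCP
NSX Controller;NSX Controller;30865;TCP
NSX Controller;NTP Time Server;123;TCP
NSX Controller;NTP Time Server;123;UDP
NSX Manager;NSX Controller;443;TCP
NSX Manager;vCenter Server;443;TCP
NSX Manager;vCenter Server;902;TCP
NSX Manager;ESXi Host;443;TCP
NSX Manager;ESXi Host;902;TCP
NSX Manager;DNS Server;53;TCP
NSX Manager;DNS Server;53;UDP
NSX Manager;Syslog Server;514;TCP
NSX Manager;Syslog Server;514;UDP
NSX Manager;NTP Time Server;123;TCP
vCenter Server;NSX Manager;80;TCP
NSX Manager;NTP Time Server;123;UDP
REST Client;NSX Manager;443;TCP
VTEP;VTEP;4789;UDP
ESXi Host;ESXi Host;6999;UDP
ESXi Host;NSX Manager;8301, 8302;UDP
NSX Manager;ESXi Host;8301, 8302;UDP
Primary NSX Manager;Secondary NSX Manager;443;TCP
Primary NSX Manager;vCenter Server;443;TCP
Secondary NSX Manager;vCenter Server;443;TCP
Primary NSX Manager;NSX Universal Controller Cluster;443;TCP
Secondary NSX Manager;NSX Universal Controller Cluster;443;TCP
ESXi Host;NSX Universal Controller Cluster;1234;TCP
ESXi Host;Primary NSX Manager;5671;TCP
ESXi Host;Secondary NSX Manager;5671;TCP
"""


def parse_flow_table(text=FLOW_TABLE):
    """Expand the table into (source, target, port, protocol) tuples, one per port."""
    flows = []
    for line in text.splitlines():
        src, dst, ports, proto = (f.strip() for f in line.split(";"))
        for port in ports.split(","):
            flows.append((src, dst, int(port), proto.upper()))
    return flows


def allowed_listeners(flows=None):
    """Map each target component to the (port, protocol) pairs it must expose."""
    table = defaultdict(set)
    for _src, dst, port, proto in (flows or parse_flow_table()):
        table[dst].add((port, proto))
    return dict(table)


def parse_ss_output(text):
    """Parse `ss -tulnH`-style lines into a set of (port, protocol) listeners."""
    listeners = set()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 5:                       # fields[4] is Local Address:Port
            listeners.add((int(fields[4].rsplit(":", 1)[1]), fields[0].upper()))
    return listeners


def audit_listeners(component, observed, flows=None):
    """Return (unexpected, not_listening): open ports the guide does not require on
    this component (candidates for blocking) and required ports not currently open
    (usually a service problem rather than a security finding)."""
    allowed = allowed_listeners(flows).get(component, set())
    return sorted(observed - allowed), sorted(allowed - observed)


# Constructed sample of what `ss -tulnH` might show on an NSX Manager appliance.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0 128 0.0.0.0:443  0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:22   0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:5671 0.0.0.0:*
tcp   LISTEN 0 128 0.0.0.0:80   0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:8301 0.0.0.0:*
udp   UNCONN 0 0   0.0.0.0:8302 0.0.0.0:*
"""

if __name__ == "__main__":
    unexpected, down = audit_listeners("NSX Manager", parse_ss_output(SAMPLE_SS_OUTPUT))
    print("unexpected:", unexpected)   # [(22, 'TCP')]: SSH, see disable-ssh-manager
    print("not listening:", down)      # []
```

The allow-list is keyed by the target column only, so it answers "what may this component expose", which is what a listener inventory on the appliance can be compared against; source restrictions (for example that only the ESXi hosts should reach 5671) still have to be enforced in firewall rules. In the sample, port 22 is the only listener the appendix does not account for, which ties this check back to the disable-ssh recommendations.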
