We had a Pen Test done recently on a couple of vBlocks that we need some security accreditation against. (See how I'm being vague there for security reasons ;-)

One of the items that came up was a weak cipher on port 10109 of the vCenter server.

Zut Alors!  That sounds serious, well it might be.

Not seeing a way to update the service which was opening this port (vCenter Inventory Service) I did what we would all do, which was search for the KB article.  Impressively there was an article referring to my exact issue, nice!


Well it was until I read it.  The advice was to "disable the firewall rule preventing access to this port".

This is actually back to front.  As I found in Windows Firewall there is actually an allow rule for

"vCenter Inventory Service - Service Management Port"

So what is required is actually that port to be disabled.  Simply change the Windows Firewall Rule.

  1. Right click the rule called "vCenter Inventory Service - Service Management Port"
  2. On the general tab under action change "Allow the connection" to "Block the connection"
  3. Test you can no longer telnet to port 10109 remotely

This was confirmed after logging a call with VMWare (the KB article does state that the port is used for debugging and is used by any external agent.

Hopefully the KB will be updated soon