To allow remote management, VMware integration and snapshot replication, SynetoOS uses a set of TCP ports.


Inbound Ports

SynetoOS does not need any ports opened from the internet towards the appliance for the support tunnel (when enabled) or for access to software updates.

You need to set up port forwarding only when configuring snapshot replication between two Syneto appliances in different locations and you are not using a VPN between the two sites.


Outbound Ports 

To provide the basic range of features, SynetoOS should be allowed to connect to the ports and destinations listed below:



| Port | Destination | Description | Service |
|---|---|---|---|
| 22 TCP | syneto.eu, other Syneto appliances, central.syneto.eu, central.api.syneto.eu, files.syneto.eu, stc-0.syneto.eu, stc-1.syneto.eu, stc-2.syneto.eu, stc-3.syneto.eu, stc-4.syneto.eu, stc-5.syneto.eu, stc-6.syneto.eu, stc-7.syneto.eu, proxy.t.syneto.eu | Required for Syneto Remote Support tunnel. Required for snapshot replication to other Syneto appliances. | SSH. Secure Shell service allows you to connect to the CLI management interface. It is also used for secure snapshot replication. |
| 80 TCP | pkg.syneto.eu | Required for SynetoOS software updates. | HTTP / Web Server. Allows accessing the management with an http:// prefix. Redirects immediately to https:// for security reasons. |
| 443 TCP | pkg.syneto.eu, central.syneto.eu, central.api.syneto.eu, files.syneto.eu, VMware ESXi host(s), VMware vCenter, stc-0.syneto.eu, stc-1.syneto.eu, stc-2.syneto.eu, stc-3.syneto.eu, stc-4.syneto.eu, stc-5.syneto.eu, stc-6.syneto.eu, stc-7.syneto.eu, proxy.t.syneto.eu | Required for SynetoOS software updates. Required for Syneto Remote Support tunnel. SerenITy service & other hybrid cloud services delivered via Syneto Central platform. Uploading support files using the support-upload CLI command. Connections to other ESXi hosts, running VMs on other ESXi hosts. Querying information about virtual machines. | HTTPS / Web Server. Web Management Interface. |
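
To confirm that a perimeter firewall permits the outbound TCP destinations listed for ports 22, 80 and 443, a check like the following can be run from a host on the same network as the appliance. This is an added example, not Syneto code; the names REQUIRED, targets, tcp_probe and audit are hypothetical, and the site-specific entries (other Syneto appliances, ESXi hosts, vCenter) are left out.

```python
import socket

# Outbound TCP destinations copied from the port table on this page.
# Site-specific entries (other appliances, ESXi, vCenter) are omitted.
STC = [f"stc-{i}.syneto.eu" for i in range(8)]
SHARED = ["central.syneto.eu", "central.api.syneto.eu", "files.syneto.eu",
          *STC, "proxy.t.syneto.eu"]
REQUIRED = {
    22: ["syneto.eu", *SHARED],
    80: ["pkg.syneto.eu"],
    443: ["pkg.syneto.eu", *SHARED],
}

def targets(required=REQUIRED):
    """Flatten the table into sorted (host, port) pairs."""
    return sorted((h, p) for p, hosts in required.items() for h in hosts)

def tcp_probe(host, port, timeout=3.0):
    """Return 'open', or the reason the TCP handshake failed."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "dns-failure"      # port 53 blocked or name not resolvable
    except socket.timeout:
        return "timeout"          # usually a firewall silently dropping
    except ConnectionRefusedError:
        return "refused"          # reset sent by the target or a firewall
    except OSError as exc:
        return f"error: {exc.strerror or exc}"

def audit(probe=tcp_probe, required=REQUIRED):
    """Probe every pair and return {(host, port): status} for failures."""
    results = {t: probe(*t) for t in targets(required)}
    return {t: s for t, s in results.items() if s != "open"}

if __name__ == "__main__":
    blocked = audit()
    for (host, port), status in sorted(blocked.items()):
        print(f"BLOCKED {host}:{port}/tcp -> {status}")
    total = len(targets())
    print(f"{total - len(blocked)}/{total} destinations reachable")
    raise SystemExit(1 if blocked else 0)
```

An "open" result only shows that the TCP handshake completed, so a proxy that intercepts the connection can still report open.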



IPMI Ports
TCP Ports: 80, 443, 5901, 5900, 5120, 5123
UDP Ports: 623



ESXi Ports

"The vSphere Client and the VMware Host Client allow you to open and close firewall ports for each service or to allow traffic from selected IP addresses.

ESXi includes a firewall that is enabled by default. At installation time, the ESXi firewall is configured to block incoming and outgoing traffic, except traffic for services that are enabled in the host's security profile. For the list of supported ports and protocols in the ESXi firewall, see the VMware Ports and Protocols Tool™ at https://ports.vmware.com/. ..."

See more details in the official documentation: https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-171B99EA-15B3-4CC5-8B9A-577D8336FAA0.html



For the full range of features, also allow the ports and destinations listed below:


| Port | Destination / Services | Description |
|---|---|---|
| 25 TCP | Email server | Allows SynetoOS to send email alerts to administrators. Required if the email server supports this port. |
| 465 TCP | Email server | Allows SynetoOS to send email alerts to administrators. Required if the email server supports this port. |
| 587 TCP | Email server | Allows SynetoOS to send email alerts to administrators. Required if the email server supports this port. |
| 53 UDP | DNS server | Allows hostname resolution. |
| 123 UDP | NTP server | Allows access to network time protocol (NTP) servers for time synchronization. |
| 902 TCP | VMware ESXi hosts | Allows network block device (NBD) data transfers between an external VMware ESXi host and a Syneto appliance (for VM migrations or Chronos). |
| 3260 TCP | iSCSI targets | Allows for iSCSI data transfers. |
| 111, 968, 2049, 4045 TCP | NFS | Used for sharing datastores to ESXi hosts. |
| 137, 138 TCP | SMB | Used for SMB sharing. |
| 548 TCP | AFP | Used for AFP sharing. |
| 2003, 2004, 7002 | carbon_cache | Used for Analytics. |
| 5353 UDP | mdnsd | DNS resolver. Used to resolve host names. |
| 11211 | memcached | Used by the Web Management Interface to cache various data in the memory. |
| 9000-9099 TCP | mbuffer | One port opened temporarily for each non-encrypted snapshot replication. Port is closed after a snapshot is received. These ports cannot be NATed, or you have to NAT all of them one-to-one on your gateway. |