1. Ports
  2. Port 902

Port 902: VMware Authentication — The Gatekeeper of Virtual Worlds

Port 902 is the door to the virtual world. Every time an administrator connects to a virtual machine console, every time a VM's disk migrates between storage systems, every time vCenter checks if an ESXi host is still alive, port 902 carries that traffic.

This port runs the VMware Authentication Daemon (vmauthd), the gatekeeper that decides who gets to touch your virtual machines. It's not glamorous work. It's the work that makes virtualization possible.

What Runs on Port 902

Port 902 serves multiple critical functions in VMware environments:

Authentication: The VMware Authentication Daemon validates credentials before granting access to VMs. When you connect, the daemon responds with a banner announcing itself: 220 VMware Authentication Daemon Version 1.10: SSL Required1. SSL is mandatory. Your credentials never travel in plaintext.

Console Access: When you open a remote console to a virtual machine through vSphere, that connection flows through port 902. You're not connecting to the VM directly. You're authenticating through the daemon, which then brokers your access to the VM's display and input.2

Network File Copy (NFC): VMware's NFC protocol uses port 902 for disk operations, including cold migrations, cloning, and backup operations. When a VM moves between datastores, NFC handles the data transfer.3 Every VMDK file being backed up requires its own NFC connection through this port.

Heartbeats: vCenter Server sends heartbeat traffic to ESXi hosts over port 902 (UDP) to verify they're alive and responsive.4

The Technical Mechanism

When you connect to port 902, the conversation follows a specific pattern:

  1. The client initiates a TCP connection
  2. The daemon responds with its version banner, announcing supported protocols: SOAP for control, VNC for display, and NFC for file operations
  3. SSL/TLS negotiation begins (mandatory since version 1.10)
  4. Authentication occurs over the encrypted channel
  5. Once authenticated, the daemon authorizes access to the requested resource

The daemon validates credentials against configured authentication sources: local users, Active Directory, or other identity providers. It's modular by design, allowing integration with various identity management systems.1

For NFC operations, the protocol requires bidirectional connectivity between ESXi hosts. If jumbo frames are configured, NFC uses 8960-byte packets, and the entire network path must support jumbo frames for the operation to succeed.3

The History

VMware didn't just create a product. They created an industry.

In February 1998, Diane Greene, Mendel Rosenblum, Scott Devine, Edward Wang, and Edouard Bugnion founded VMware in Palo Alto.5 Rosenblum was a Stanford professor who had been exploring virtualization as a simulation tool for multiprocessor research. He and his students realized that the decades-old concept of virtualization, long abandoned after the mainframe era, could be brought back to life on commodity x86 hardware.

There was a problem. Intel's x86 architecture wasn't designed for virtualization. Certain privileged instructions didn't trap properly when executed in a virtual machine. The CPU simply wouldn't cooperate.

Rosenblum and his colleagues solved this with dynamic binary translation, a technique that rewrites problematic code at runtime.6 It was clever enough to work and fast enough to be practical. In May 1999, VMware Workstation 1.0 shipped, and the virtualization revolution began.7

The company entered the server market in 2001 with ESX Server 1.0, a bare-metal hypervisor that ran directly on hardware without a host operating system.8 The name "ESX" stands for "Elastic Sky X", a name from a marketing firm that the engineers hated. They added the X themselves to make it sound more technical.9

Port 902 has been part of VMware's architecture from those early days, carrying authentication and console traffic for what would become the dominant virtualization platform in enterprise computing.

In 2003, VMware introduced vMotion, the ability to move a running virtual machine between physical hosts with no downtime.8 This was the moment virtualization stopped being a convenience and became infrastructure. You could now maintain hardware without touching the workloads running on it.

VMware went public in 2007 at a $19.1 billion valuation, the largest tech IPO that year.5 In November 2023, Broadcom acquired VMware for $69 billion.5

Security Considerations

Port 902 has a complex security history. Its authentication role makes it a prime target.

CVE-2009-4811 was a format string vulnerability in vmware-authd.exe that allowed remote attackers to crash the authentication daemon by sending specially crafted USER and PASS commands.10 A denial-of-service vulnerability in your authentication service is exactly as bad as it sounds.

Brute force attacks are common. Both Nmap and Metasploit include scripts specifically designed to audit VMware Authentication Daemon passwords.11 If this port is exposed to the Internet with weak credentials, attackers will find it.

The ESXiArgs ransomware campaign of February 2023 demonstrated what happens when VMware infrastructure is exposed without proper patching. Attackers exploited CVE-2021-21974, a heap overflow in the OpenSLP service, to encrypt virtual machines across more than 3,800 servers globally.12 The attack targeted servers with exposed management ports, including 902. VMware had released a patch two years earlier.

The lesson is consistent across every VMware security incident: don't expose management ports to the Internet. Place vCenter Server and ESXi hosts behind a firewall. Restrict port 902 access to authorized IP addresses and networks. Use multi-factor authentication. Monitor for brute force attempts.13

Port 902 requires SSL. Always has since version 1.10. But encryption without access control is security theater.

Related Ports

Port 902 operates alongside several other VMware ports:

PortProtocolService
443TCPvSphere Web Client, vCenter API, ESXi management
902TCP/UDPVMware Authentication Daemon, NFC, heartbeats
903TCPVMware Remote Console (VMRC)
427TCP/UDPService Location Protocol (SLP), targeted in ESXiArgs attacks

Port 903 handles remote console access specifically, though there's historical confusion about its exact role. Some ESXi versions use only port 902 for console access.14

Port 443 carries most vSphere management traffic and has been the target of several critical vulnerabilities, including CVE-2021-21985, a remote code execution flaw with a CVSS score of 9.8.15

The Weight of What It Carries

Before VMware, a typical data center ran one application per server. Server utilization averaged 12-18 percent.16 The rest was wasted capacity, wasted power, wasted space.

VMware changed the economics of computing. A consolidation ratio of 6:1 is average. 10:1 or higher is common.16 Entire data centers that once required hundreds of physical servers now run on dozens.

Port 902 carries the authentication and file transfer traffic for this transformation. Every VM console session. Every storage migration. Every backup job that reads VMDK files over the network.

When you SSH into a server at 3am because production is down, you're probably connecting to a virtual machine. The hardware underneath might be anywhere. The VM might have moved between physical hosts while you slept. Port 902 is part of the infrastructure that makes that possible, the narrow gate through which administrators pass to command machines that exist only as files on a storage array.

The physical machine you're troubleshooting doesn't exist. But port 902 doesn't care. It authenticates you anyway.

Frequently Asked Questions

Previous

Port 873: rsync — The Difference Engine

Next

Port 993: IMAPS — The Encrypted Mailroom

Was this page helpful?

😔
🤨
😃