7: used for server status check
135-139: ports used by the Remote Procedure Call endpoint mapper and NetBIOS - needed only for the deployment phase
443: used for secure HTTP communication to vCenter so it needs to be open on all nodes (Primary, Secondary and EMS) in both directions
445: SMB connection for EMS deployment. SMB v1 must be enabled during the deployment phase and can be disabled after Engine is installed.
9727 and 9728: used by the Neverfail Webservices service for communication between the 3 servers (EMS, Primary and Secondary) and for connecting to the EMS portal. EMS talks with Engine (and vice versa) over an HTTPS-encrypted website connection using the sha256RSA hash algorithm. EMS installs with a self-signed certificate, which may be replaced with a proper CA-issued certificate.
57348: used for Channel communication. This traffic is not encrypted, but the replication procedure is proprietary, so someone would need to know the algorithm in order to re-create the data that is received. Encryption has not yet been added to the Engine features, mainly because it would use a lot of CPU on already heavily used Active servers. On the Passive, the communication uses a dynamic ephemeral port, valid only for the duration of the connection.
52267: used for encrypted Client connection. Neverfail uses port 52267 as the default Client connection port. The active server listens on port 52267 for any client connection requests. Once the client has connected to the active server, the client and the active server will communicate using ephemeral ports, which are assigned dynamically from a range, and are valid only for the duration of the connection.
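
A post-deployment check built from the list above, as an added example that is not Neverfail's own tooling: it reads Windows `netstat -an` output and reports deployment-phase ports (135-139, 445) that are still listening and a Channel port (57348) bound to all interfaces. The sample output is constructed, and treating a wildcard bind of the unencrypted Channel port as a finding is an assumption of this example.

```python
import re

# Ports from the list above. 135-139 and 445 are described as deployment-phase ports.
DEPLOY_ONLY = set(range(135, 140)) | {445}
CHANNEL_PORT = 57348                 # Channel traffic is described as unencrypted
WILDCARD = {"0.0.0.0", "[::]"}       # listening on every interface

# One LISTENING row of `netstat -an`: proto, local addr:port, foreign addr, state.
LISTEN_RE = re.compile(r"^[ \t]*TCP[ \t]+(\S+):(\d+)[ \t]+\S+[ \t]+LISTENING", re.M)

# Constructed sample output (not captured from a real node).
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:9727           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:57348          0.0.0.0:0              LISTENING
  TCP    10.0.0.5:52267         0.0.0.0:0              LISTENING
  TCP    10.0.0.5:52267         10.0.0.9:50311         ESTABLISHED
  TCP    [::]:445               [::]:0                 LISTENING
"""

def audit(netstat_text, deployed=True):
    """Return sorted (port, local_address, finding) tuples for one node."""
    findings = set()
    for addr, port in LISTEN_RE.findall(netstat_text):
        port = int(port)
        if deployed and port in DEPLOY_ONLY:
            findings.add((port, addr, "deployment-phase port still listening; "
                          "block it if nothing else needs it"))
        elif port == CHANNEL_PORT and addr in WILDCARD:
            # Assumption of this example: an unencrypted port should not be
            # reachable on every interface.
            findings.add((port, addr, "unencrypted Channel port on all interfaces; "
                          "limit it to the peer nodes"))
    return sorted(findings)

if __name__ == "__main__":
    for port, addr, finding in audit(SAMPLE_NETSTAT):
        print(f"{addr}:{port}  {finding}")
```

Pass `deployed=False` while the deployment phase is still in progress so that the RPC, NetBIOS and SMB listeners are not reported.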