I have always assumed that vSphere’s extensions to PowerShell (PowerCLI) all used the standard vCenter api end point (https://vsphere.name/sdk). Normally the server I run PowerCLI on is also the server I run the vSphere fat client on meaning more than 443 is open to the fat client. When we deployed vRO (Orchestrator for those who are confused with the new naming) we needed to run a PowerShell host for a number of PowerCLI and Powershell only functions to be initiated by vRO. You can read about how to implement a powershell host on VMware’s blog here. It works great vRO is able to execute Powershell and pass information back to vRO. We did run into some issues that were determined to be firewall blocks. Initially we found that some PowerCLI commands used 10443 (inventory service api) directly not just the assumed 443. This was a surprise. Digging around I have been unable to locate information on the exact ports used. VMware was also unable to identify the exact ports. What we did locate was that if you open the fat client (C#) ports all of the command’s will work. So here is my list all TCP:
Inventory service
10443 10080
vCenter service
80 8080 8443 9443 10443 443 903 902
Web client
9443 9090
ESXi
427 22 80 443 902
Some of these have been removed in vSphere 6. I hope it helps you remove a potential issue in advance. If someone knows the exact ports or has the ability / time to test them all feel free to comment.