When working in a Zero Trust environment and programs are not working the way they should, it is nice to have some tools available for troubleshooting. When a newly installed application is not working, you may ask yourself: is the problem with the application, or is the firewall blocking ports? I recently had a support call with VMware and they showed me two commands that work awesome for testing whether a port is open to a destination IP. You can test TCP or UDP. I used these commands on ESXi (version 6.5 and 6.7) and some of the vRealize product appliances. I thought I would show some examples that could save you time with troubleshooting.

Use the nc (netcat) command and curl

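# Command used to check if connection to Log Insight was open with UDP from ESXi Host
# Command to test connection to IP specified using UDP
# Note: UDP is connectionless, so a successful result only means no ICMP "port unreachable" came back;
# a firewall that silently drops the packet looks the same as an open port.
nc -zu 10.10.10.10 514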

# Command to connect to specified IP using TCP. -v gives verbose output and -w 3 sets a 3-second timeout.
nc -ztv vrops01.vCrocs.info 443 -w 3

# Here is an example that uses curl:
# Command that can be used to test TCP from ESXi
curl -v telnet://vrops01.vCrocs.info:443

# Here are all the options with the nc command:
nc --help

GNU netcat 0.7.1, a rewrite of the famous networking tool.
Basic usages:
connect to somewhere: nc [options] hostname port [port] ...
listen for inbound: nc -l -p port [options] [hostname] [port] ...
tunnel to somewhere: nc -L hostname:port -p port [options]
Mandatory arguments to long options are mandatory for short options too.
Options:
-c, --close close connection on EOF from stdin
-e, --exec=PROGRAM program to exec after connect
-g, --gateway=LIST source-routing hop point[s], up to 8
-G, --pointer=NUM source-routing pointer: 4, 8, 12, ...
-h, --help display this help and exit
-i, --interval=SECS delay interval for lines sent, ports scanned
-l, --listen listen mode, for inbound connects
-L, --tunnel=ADDRESS:PORT forward local port to remote address
-n, --dont-resolve numeric-only IP addresses, no DNS
-o, --output=FILE output hexdump traffic to FILE (implies -x)
-p, --local-port=NUM local port number
-r, --randomize randomize local and remote ports
-s, --source=ADDRESS local source address (ip or hostname)
-t, --tcp TCP mode (default)
-T, --telnet answer using TELNET negotiation
-u, --udp UDP mode
-v, --verbose verbose (use twice to be more verbose)
-V, --version output version information and exit
-x, --hexdump hexdump incoming and outgoing traffic
-w, --wait=SECS timeout for connects and final net reads
-z, --zero zero-I/O mode (used for scanning)

Remote port number can also be specified as range. Example: '1-1024'

PowerShell code to test ports from a Windows Server:

# Check to see if path is open to a destination IP and Port Number from a Windows Server

# Enter Remote Port Number
$PortNumber = '443'

# Enter Remote IP or Hostname
$Destination = 'vrops01.vCrocs.info'

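$socket = New-Object Net.Sockets.TcpClient

# Connect() throws when the connection is refused or times out,
# so catch the error and let the check below report the port as not open
try {
  $socket.Connect($Destination,$PortNumber)
} # End Try
catch {
  # Connection failed; $socket.Connected stays False
} # End Catch

if($socket.Connected){
  $PortOpened = 'Port: ' + $PortNumber + ' to ' + $Destination +' is Open! :)'
} # End If
else{
  $PortOpened = 'Port: ' + $PortNumber + ' to ' + $Destination +' IS NOT Open! :('
} # End Else

# Release the socket whether or not the connection succeeded
$socket.Close()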

# Show Results

Write-Host $PortOpened
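
The question at the top of this post (is it the application or the firewall?) can often be answered by how a TCP connection fails, not just whether it fails. The following Python example is added here and is not from the original post or from VMware; the function names `probe_tcp` and `probe_all` are hypothetical, and it assumes Python 3 is available on the machine you test from. It only covers TCP, because UDP gives no handshake to classify.

```python
import socket


def probe_tcp(host, port, timeout=3.0):
    """Classify one TCP connection attempt (hypothetical helper).

    open        - handshake completed, something is listening
    refused     - a reset came back: the path reaches the host but nothing
                  is listening (or a firewall is set to reject, not drop)
    filtered    - no answer before the timeout, typical of a firewall drop
    dns-failure - the name could not be resolved
    unreachable - routing or another network-level error
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "refused"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except socket.gaierror:
        return "dns-failure"
    except OSError:
        return "unreachable"


def probe_all(targets, timeout=3.0):
    """Probe (host, port) pairs and return {(host, port): state}."""
    return {(h, p): probe_tcp(h, p, timeout) for h, p in targets}


if __name__ == "__main__":
    # Host and port taken from the nc and curl commands earlier in this
    # post; replace them with the destinations you need to verify.
    targets = [("vrops01.vCrocs.info", 443)]
    for (host, port), state in probe_all(targets).items():
        print(f"{host}:{port} -> {state}")
```

A result of `refused` points at the application or service on the destination, while `filtered` points at a firewall or ACL somewhere on the path.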