VMware Cloud Community
IMMIAnt
Enthusiast

Auto Deploy Firewall Issues

I am having an issue with Auto Deploy on vCenter 7.

 

I am not able to use Auto Deploy or download the deploy-tftp.zip file from Auto Deploy and it's because ports 6501 and 6502 are not active in iptables on the vCenter server. I have used iptables-save and iptables-restore to set these ports automatically but they don't stay persistent. After a vCenter reboot you can see the ports open in iptables, but as soon as you go to download the zip file the ports disappear from iptables. You can add them back in and then download the zip file, but what is happening is not normal. We have never had this issue in previous versions of vCenter (6.0 / 6.5 / 6.7), but it seems as though something has changed with version 7. The ports should be open from the time you enable Auto Deploy, but this is not happening. It could be something to do with the fact that VMware have removed the option from the services GUI to automatically start services (not just Auto Deploy). The only way that I have found to set services to start automatically now is to run the following command from the console or an SSH session:

vmon-cli -U rbd -S AUTOMATIC

 

I have also, as mentioned, used iptables-save and put the output in the /etc/systemd/scripts/ip4save file, and this is supposed to be read on reboot, but it seems that isn't happening. I have put a script in /etc/init.d/ and set it to run on startup (I have used this method previously to start the in-built TFTP server on vCenter) and this is the only way I can get the ports to be open in iptables, but it is random as to whether they stay open or not and they usually close at some stage.

Can anyone tell me how to set persistent rules in iptables so that Auto Deploy will work without having to open the ports in iptables every time you want to use it? Having to do this makes Auto Deploy unusable. We have this issue on multiple vCenter 7 servers that have been installed fresh and not upgraded.

 

Thanks

0 Kudos
1 Reply
dsbib
Contributor

Hi,

I don’t know if you ever solved this but I just had the same issue.

After a lot of poking I found the file /etc/vmware/appliance/firewall/vmware-autodeploy which defines the relevant rules and was also set to

"enable": false


I changed this to “true” and rebooted and that fixed it.

Hope that helps

0 Kudos
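
A check for the state the two posts describe, as an added example that is not part of either post or of VMware's tooling: it reports whether a firewall definition file has its "enable" flag set and whether iptables-save output contains ACCEPT rules for TCP ports 6501 and 6502. Only the "enable" key comes from the thread; the rest of the JSON layout, the sample rulesets and all function names are assumptions constructed for this example.

```python
import json
import re

REQUIRED_PORTS = {6501, 6502}  # Auto Deploy ports named in the thread
# Constructed samples. Only the "enable" key is taken from the thread; the
# rest of the JSON layout is an assumption made for this example.
RULE_FILE_OFF = '{"firewall": {"enable": false, "rules": [{"port": "6501"}, {"port": "6502"}]}}'
RULE_FILE_ON = RULE_FILE_OFF.replace("false", "true")
IPTABLES_CLOSED = """*filter
:INPUT DROP [0:0]
-A INPUT -p tcp -m tcp --dport 443 -j ACCEPT
COMMIT
"""
IPTABLES_OPEN = IPTABLES_CLOSED.replace(
    "COMMIT", "-A INPUT -p tcp -m multiport --dports 6501:6502 -j ACCEPT\nCOMMIT")


def find_enable_flags(node, path=""):
    """Yield (path, value) for every "enable" key at any depth of parsed JSON."""
    if isinstance(node, dict):
        for key, value in node.items():
            if key == "enable":
                yield f"{path}/{key}", value
            else:
                yield from find_enable_flags(value, f"{path}/{key}")
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from find_enable_flags(item, f"{path}[{i}]")


def accepted_tcp_ports(iptables_save_text):
    """TCP destination ports with an ACCEPT rule (presence only, not rule order)."""
    ports = set()
    for line in iptables_save_text.splitlines():
        m = re.search(r"(?<!! )--dports? (\S+)", line)  # skip negated matches
        if not (m and line.startswith("-A ") and "-p tcp" in line
                and line.rstrip().endswith("-j ACCEPT")):
            continue
        for part in m.group(1).split(","):  # handles 6501, 6501,6502 and 6501:6502
            lo, _, hi = part.partition(":")
            ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def audit(rule_file_text, iptables_save_text, required=REQUIRED_PORTS):
    """Report whether the rule file is enabled and which required ports lack a rule."""
    flags = dict(find_enable_flags(json.loads(rule_file_text)))
    return {"enabled": bool(flags) and all(v is True for v in flags.values()),
            "missing_ports": sorted(required - accepted_tcp_ports(iptables_save_text))}
```

On an appliance, pass `audit` the contents of /etc/vmware/appliance/firewall/vmware-autodeploy and the captured output of iptables-save; running it before and after a deploy-tftp.zip download shows whether the rules are being dropped again.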