You can review this KB which provides all the ports for connectivity between components in vSphere 6:
https://kb.vmware.com/kb/2131180
However, if you look, you'll need to block inbound HTTP/443 from client devices to prevent the C# client from working. Problem is, this would also block connectivity to the reverse proxy on vCenter, which essentially would prohibit access to many HTTPS facilities in vCenter.
Perhaps you should approach this differently ... VMware is going to (finally) terminate the C# client, and 40%+ of customers have deployed the HTML5 web client fling into production. So you could try the HTML5 client and show users that C# is not going to be available long term:
Goodbye vSphere Client for Windows (C#) – Hello HTML5 - VMware vSphere Blog - VMware Blogs