Yea, what David said...

Sounds reasonable enough. Unfortunately, I already have my firewall configured to forward HTTP and HTTPS packets to a Web server running on the virtual machine that the host supports. So unless it's possible to tweak the Infrastructure Client to listen on alternate ports, I may be stuck. I could try asking my data center for an additional, public IP address to use for this purpose, but I don't think they'll take to kindly to the request unless $$$ are involved.

Thank you,

Brad

I think to just manage ESXi through the VI client you will only need 443 and 902 open. Port 80 is used for the VI web interface which you might not use.

David Strebel

www.holy-vm.com

If you find this information useful, please award points for "correct" or "helpful"

While it is possible to manage your host directly, it is not the best idea to do so. Given that you only have the single IP, why not drop in a VPN device and then make your initial connection to that and then to the ESXi host via the VPN connection.

Or just RDP into one of your servers and put the Infrastructure Client on that server. It's by far the easiest way.

If your VM's are running Windows that is..

Dennes

I am surprised that no one has mentioned locking down the forwarded ports by source IP. I agree it is risky to allow ANY IP access to 443 and 902 on an ESXi box, but if you manage the remote ESXi host from behind some static IPs, just open 443/902 for that static IP address or range. No one else will be able to get in, just you from that static IP.

If you know Linux, build a Linux VM and use OpenVPN (or similar).

If you know Windows, use the VPN software included in RRAS.

Or look for an existing appliance that handle VPN connections.

Andre

fyi all ports http://kb.vmware.com/kb/1012382

I upgraded to Sphere 5 and learning for the VCP5 it says there, that NAT is not supported. So now I have the management network directly connected and only the vm networks behind the firewall. To answer my question: you cannot manage the esxi hosts behind a firewall but you can have the vms behind it.

cheers, Claudia

Claudia wrote:

I upgraded to Sphere 5 and learning for the VCP5 it says there, that NAT is not supported. So now I have the management network directly connected and only the vm networks behind the firewall. To answer my question: you cannot manage the esxi hosts behind a firewall but you can have the vms behind it.

cheers, Claudia

You actually can manage an ESXi host that is behind a firewall.  I do it all the time.  I'm running vSphere Hypervisor on a PC at home and have it behind a Linux based firewall.  I use putty to SSH into the firewall and set up tunneling for ports 443, 902 and 903 to the local IP address of the ESXi host.  The vSphere client doesn't seem to like to connect to localhost, so when I'm connecting through a putty SSH tunnel I put an entry in the hosts file to point the name of my ESXi host to 127.0.0.1 and then I'm able to connect.

Connecting the management network directly to a publicly accessible network doesn't seem like a good idea to me.  SSH is open to all on my firewall, but there is only one user ID that is permitted to login via SSH, all other IDs are rejected even if the password is correct.

Hi Quila

I was able to run the esxi hosts perfectly behind the firewall, but please try to clone a vm from one host to another one, having the vcenter in another subnet. That won't work.

Claudia