VMware Cloud Community
ericsl
Enthusiast

Using VI Client through a firewall

Hello All,

Is it possible to access a stand-alone ESX server through a firewall with VI Client? If so, what ports need to be opened? Is it safe to open them?

TYIA,

Eric

Accepted Solutions
Craig_Baltzer
Expert

You'll need ports 443, 902 and 903 open through the firewall.

"Safe" is a relative term and depends on what is on the other side of the firewall (i.e. internal firewall vs Internet-facing firewall), scope of access being granted, sensitivity of the information on the ESX box, monitoring and audit controls in place, etc, etc, etc. I don't know of any active "exploits" out "in the wild" against 443/902/903 but standard security practice says you don't expose server administrative interfaces to the Internet "raw"...

Texiwill
Leadership

Hello,

It is best to place VC on the Administrative network and a VM on that network. I would then VPN into that VM and access the VIC in a secure environment.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
wila
Immortal

You only need ports tcp 443 and tcp 902. Personally I would not just expose them over the internet and use a VPN or SSH tunnel in order to access the standalone ESX.

When tunneled I usually also add tcp port 80 to it as well.

--

Wil

| Author of Vimalin. The virtual machine Backup app for VMware Fusion, VMware Workstation and Player |
| More info at vimalin.com | Twitter @wilva
Craig_Baltzer
Expert

Hi Wil. When I looked at the traffic with a network trace tool I am seeing port 903 conversations when the console is used (used for mouse/keyboard/screen according to the forum posts). Is there something you can set in the VI config that avoids the use of 903 or are you typically not using the console?

wila
Immortal

Hi Craig,

No, I am actually using the console; I'm not denying that it will normally use 903 if you give it access to it, but it does work without the port.

In order to make sure, I just checked and rechecked and it does work over SSH (so no udp needed) and I have not opened port 903.

I am aware of the threads and documentation, let's take this for reference and

Hmm.. it's probably because my servers are behind a NAT-ed firewall and that I use

vmauthd.server.alwaysProxy=TRUE 

in /etc/vmware/config

that I am getting away with this. But less is better in my opinion in this case.

Which is why Edward's solution is also very interesting, as you only need to open an RDP connection over a VPN. The question there is whether it is safer to have a VC server on the host or to have one locally. I suppose that's the question and IMO it depends on what you are comfortable with.



--

Wil

Craig_Baltzer
Expert

Thanks Wil. Yup, vmauthd.server.alwaysProxy=TRUE is the magic; as soon as I set that on the ESX host I only see traffic on 443 and 902. Interesting that there is a reference from one of the VMware guys here in the forums dating back to 2006 saying that seeing traffic on 903 was a "bug" that they would be fixing and that "vmauthd.server.alwaysProxy" was an undocumented workaround. Guess it wasn't at the top of the "fix list" :-)

ericsl
Enthusiast

Ed,

Thanks, this is a stand-alone host situation so no VC on site. We're planning on opening the necessary ports to just specific ip addresses, not the entire Internet...

Eric

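Added example to tie the last few posts together (this is not code from any poster in the thread, nor from VMware): it reads the vmauthd.server.alwaysProxy setting out of /etc/vmware/config the way Wil and Craig describe, works out whether 903 has to be opened alongside 443 and 902, and then renders host firewall rules that admit those ports only from a short list of management addresses, which is the "specific IP addresses, not the entire Internet" approach Eric mentions. The port numbers, the config key and the file path come from the thread; the sample config text, the 192.0.2.x addresses and the iptables rule layout are constructed here and are assumptions, not something the posters wrote.

```python
"""Which firewall ports does a VI Client need to reach a standalone ESX host,
and how do you admit them only from named management addresses?

Added example for this thread (not code from any poster or from VMware).
Port numbers, the vmauthd.server.alwaysProxy key and the /etc/vmware/config
path come from the posts above; the sample config text, the addresses and
the iptables rule layout are constructed here as assumptions."""

import ipaddress
from typing import Dict, Iterable, List

# Ports named in the thread and what the posters attribute them to.
VI_CLIENT_PORTS = {
    443: "VI Client / web access (HTTPS)",
    902: "vmware-authd: authentication and proxied console traffic",
    903: "VM console (mouse/keyboard/screen) when not proxied through 902",
}

# Constructed sample of /etc/vmware/config; not a file from the thread.
SAMPLE_CONFIG = """# constructed sample
libdir = "/usr/lib/vmware"
vmauthd.server.alwaysProxy = "TRUE"   # force console traffic through 902
"""


def parse_vmware_config(text: str) -> Dict[str, str]:
    """Parse key = value lines (values optionally double-quoted).

    Blank lines and '#' comments are ignored; a trailing comment after the
    value is stripped."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # not a key = value line
        settings[key.strip()] = value.strip().strip('"')
    return settings


def required_ports(settings: Dict[str, str]) -> List[int]:
    """443 and 902 are always needed; 903 only when the console is not proxied.

    With vmauthd.server.alwaysProxy=TRUE the console rides over 902, which is
    what Craig observed on the wire once he set it."""
    always_proxy = settings.get("vmauthd.server.alwaysProxy", "").upper() == "TRUE"
    ports = [443, 902]
    if not always_proxy:
        ports.append(903)
    return ports


def iptables_rules(ports: Iterable[int], allowed_sources: Iterable[str]) -> List[str]:
    """Render iptables INPUT rules that accept the ports only from the
    allow-list and drop them from everyone else.

    A catch-all source (prefix length 0) is rejected: that would be the
    "entire Internet" case the thread warns against."""
    ports = list(ports)
    nets = []
    for src in allowed_sources:
        net = ipaddress.ip_network(src, strict=False)  # also validates the entry
        if net.prefixlen == 0:
            raise ValueError(f"refusing catch-all source {src}")
        nets.append(net)
    rules = []
    for net in nets:
        for port in ports:
            rules.append(f"-A INPUT -p tcp -s {net} --dport {port} -j ACCEPT")
    for port in ports:
        rules.append(f"-A INPUT -p tcp --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    settings = parse_vmware_config(SAMPLE_CONFIG)
    ports = required_ports(settings)
    print("ports to open:", ", ".join(f"{p} ({VI_CLIENT_PORTS[p]})" for p in ports))
    # 192.0.2.0/24 is documentation address space; constructed management hosts.
    for rule in iptables_rules(ports, ["192.0.2.10", "192.0.2.16/29"]):
        print(rule)
```

With the sample config the script lists 443 and 902 only; drop the alwaysProxy line and 903 is added back, matching what Craig saw in his trace before and after setting it. The rendered rules are plain iptables INPUT lines so they can be reviewed before anything is applied, and the allow-list check refuses a 0.0.0.0/0 entry outright so the "open to the whole Internet" configuration cannot be produced by accident.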
Texiwill
Leadership

Hello,

I would still create a VM you can use as a management appliance local to the single ESX server and have the VIC/RCLI and other necessary tools installed upon it, thereby not running anything but a VPN from remote locations. This way, if the link fails for some reason, the work you have been doing will not be lost. I used to go over the VPN using the VIC remotely and lost my connections quite readily. That left some VMs in odd states; to solve that I used a local VM as an administrative console. All problems went away.


Best regards,

Edward L. Haletky

ericsl
Enthusiast

Ed,

Good idea. Or even just logmein, no vpn required then...

Eric

wila
Immortal

OTOH, if your management VM is no longer running then you have no more control over your server at all.

--

Wil

Texiwill
Leadership

Hello,

I use other methods as a backup, i.e. being on site, SSH to the ESX host, access to a physical host within the data center, remote access through ILO/DRAC, or multiple VMs in use. Note that if the VM is down you may have more serious problems.

BTW, LogMeIn is a VPN of sorts. Several options exist for this. Some of my customers use gotomypc, logmein, true VPN, openVPN, etc.


Best regards,

Edward L. Haletky

wila
Immortal

Hi Edward,

Yeah I know... it's not one of those things that happen often and if it happens, chances are indeed pretty high there's something more serious going on.

Just wanted to point out that it is something you want to keep in mind when designing a solution for the customer, you do not want to find out that you missed this after problems occur.

I'm an absolute fan of defence in layers and have one of your suggested methods as a backup myself on these types of setups.



--

Wil

Texiwill
Leadership

Hello,

Absolutely. You must have backups just in case. :-)


Best regards,

Edward L. Haletky

Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky
