13 Replies Latest reply on Oct 29, 2008 10:50 AM by Texiwill

    Using VI Client through a firewall

    ericsl Hot Shot

      Hello All,

      Is it possible to access a stand-alone ESX server through a firewall with VI Client? If so, what ports need to be opened? Is it safe to open them?

      TYIA,

      Eric


        • 1. Re: Using VI Client through a firewall
          Craig Baltzer Expert

          You'll need ports 443, 902 and 903 open through the firewall.

          "Safe" is a relative term and depends on what is on the other side of the firewall (i.e. internal firewall vs Internet-facing firewall), scope of access being granted, sensitivity of the information on the ESX box, monitoring and audit controls in place, etc, etc, etc. I don't know of any active "exploits" out "in the wild" against 443/902/903 but standard security practice says you don't expose server administrative interfaces to the Internet "raw"...

          • 2. Re: Using VI Client through a firewall
            Texiwill Guru
            User Moderators, vExpert

            Hello,

            It is best to place VC on the Administrative network and a VM on that network. I would then VPN into that VM and access the VIC in a secure environment.

            Best regards,

            Edward L. Haletky

            VMware Communities User Moderator

            ====

            Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.

            CIO Virtualization Blog: http://www.cio.com/blog/index/topic/168354

            As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

            • 3. Re: Using VI Client through a firewall
              wila Guru
              User Moderators, vExpert, Community Warriors

              You only need ports tcp 443 and tcp 902. Personally I would not just expose them over the internet and use a VPN or SSH tunnel in order to access the standalone ESX.

              When tunneled I usually also add tcp port 80 to it as well.

              --

              Wil

              | Author of Vimalin. The virtual machine Backup app for VMware Desktop Products
              | Vimalin : Automated backups for VMware Fusion and VMware Workstation Professional
              | More info at https://www.vimalin.com
              | Twitter @wilva
              | VMware Wiki at http://www.vi-toolkit.com
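The SSH-tunnel approach from this reply, as an added example that is not code from the thread or from any of its participants. It assumes an SSH login (a non-root account, here $SSH_TARGET) on the ESX service console or on a jump host on the management network, that $ESX_HOST is the ESX address as seen from that login, that the workstation may bind 127.0.0.1:443, 902 and 80 (root on Unix-like clients), and that vmauthd.server.alwaysProxy is set on the host so the console stays on 902; port 903 is deliberately not forwarded. The VI Client is then pointed at 127.0.0.1 instead of the ESX host, and the firewall only has to pass tcp/22 from a specific source address.

```shell
#!/bin/sh
# Added example, not from the thread: an SSH tunnel carrying the VI Client's
# traffic to a standalone ESX host, so the firewall passes tcp/22 (from a
# specific source address) instead of 443, 902 and 903.
#
# Assumptions (not stated in the thread):
#  - $SSH_TARGET is user@host for an SSH login on the ESX service console,
#    or on a jump host on the management network.
#  - $ESX_HOST is the ESX address as seen from that SSH target.
#  - the workstation can bind 127.0.0.1:443/902/80 (root on Unix-like hosts).
#  - vmauthd.server.alwaysProxy=TRUE is set on the ESX host, so the console
#    is proxied over 902 and nothing needs 903.

# Ports the VI Client needs through the tunnel: 443 and 902 per the thread,
# plus the optional 80 that wila mentions.  Space-separated on purpose.
VI_PORTS="443 902 80"

# Print the -L arguments for every port in VI_PORTS.  Each listener is bound
# to 127.0.0.1 explicitly: a bare "-L 443:..." binds loopback by default, but
# spelling it out protects against GatewayPorts=yes in the client config,
# which would otherwise expose the tunnel to everything on the LAN.
#   $1 = ESX host address as seen from the SSH target
build_forwards() {
  fwd_host=$1
  args=""
  for p in $VI_PORTS; do
    args="$args -L 127.0.0.1:$p:$fwd_host:$p"
  done
  printf '%s' "${args# }"
}

# Print the full ssh command.
#  -N                    no remote shell, port forwards only
#  ExitOnForwardFailure  fail loudly if a local port is already taken instead
#                        of silently running with some forwards missing
#  ServerAlive*          notice a dead link within ~90 s rather than leaving
#                        the client hanging mid-operation (Texiwill's point
#                        about dropped connections leaving VMs in odd states)
#   $1 = ssh target (user@host), $2 = ESX host address as seen from $1
tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -o ServerAliveCountMax=3 %s %s' \
    "$(build_forwards "$2")" "$1"
}

# Only start the tunnel when explicitly asked, so the file can be sourced
# or tested without opening a connection.
if [ "${VI_TUNNEL_RUN:-0}" = "1" ]; then
  : "${SSH_TARGET:?set SSH_TARGET=user@host}"
  : "${ESX_HOST:?set ESX_HOST to the ESX address as seen from SSH_TARGET}"
  echo "Starting tunnel; point the VI Client at 127.0.0.1" >&2
  eval "$(tunnel_cmd "$SSH_TARGET" "$ESX_HOST")"
fi
```

Run it as `VI_TUNNEL_RUN=1 SSH_TARGET=admin@esx01 ESX_HOST=127.0.0.1 sh vi-tunnel.sh` when SSHing straight to the service console, or with `ESX_HOST` set to the host's management address when going through a jump box. If the console still fails to open through the tunnel, check the alwaysProxy setting on the host before opening 903 anywhere.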
              • 4. Re: Using VI Client through a firewall
                Craig Baltzer Expert

                Hi Wil. When I looked at the traffic with a network trace tool I am seeing port 903 conversations when the console is used (used for mouse/keyboard/screen according to the forum posts). Is there something you can set in the VI config that avoids the use of 903 or are you typically not using the console?

                • 5. Re: Using VI Client through a firewall
                  wila Guru
                  vExpert, User Moderators, Community Warriors

                  Hi Craig,

                  No, I am actually using the console, not denying that it will normally use 903 if you give it access to it, but it does work without the port.

                  In order to make sure, I just checked and rechecked and it does work over SSH (so no UDP needed) and I have not opened port 903.

                  I am aware of the threads and documentation; let's take these for reference: VI Ports and Re: VI 3 Client ports

                  Hmm... it's probably because my servers are behind a NAT-ed firewall and that I use

                  vmauthd.server.alwaysProxy=TRUE

                  in /etc/vmware/config

                  that I am getting away with this. But less is better in my opinion in this case.

                  Which is why Edward's solution is also very interesting, as you only need to open an RDP connection over a VPN. The question there is if it is safer to have a VC server on the host or to have one locally. I suppose that's the question and IMO it depends on what you are comfortable with.

                  --

                  Wil

                  • 6. Re: Using VI Client through a firewall
                    Craig Baltzer Expert

                    Thanks Wil. Yup, the vmauthd.server.alwaysProxy=TRUE is the magic; as soon as I set that on the ESX host then I only see traffic on 443 and 902. Interesting that there is a reference from one of the VMware guys here in the forums dating back to 2006 saying that seeing traffic on 903 was a "bug" that they would be fixing and that "vmauthd.server.alwaysProxy" was an undocumented workaround. Guess it wasn't at the top of the "fix list"
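The setting Wil and Craig land on, as an added example that is not code from the thread, from VMware, or from either poster: a small script that sets vmauthd.server.alwaysProxy=TRUE in /etc/vmware/config without ever duplicating the line, plus the trace check Craig describes (only 443 and 902 on the wire). It assumes an ESX 3.x service console, one key=value per line in that file, and a service console interface named vswif0 for tcpdump; the thread does not say whether an already-open session picks the setting up, so reconnect the VI Client and re-open a console before trusting the trace.

```shell
#!/bin/sh
# Added example, not from the thread: set vmauthd.server.alwaysProxy=TRUE in
# /etc/vmware/config idempotently, then watch for any remaining tcp/903
# traffic.  Assumptions (not stated in the thread): an ESX 3.x service
# console, one "key=value" per line in /etc/vmware/config, and a service
# console interface named vswif0 for the tcpdump check.

CONFIG=${VMWARE_CONFIG:-/etc/vmware/config}
KEY="vmauthd.server.alwaysProxy"
KEY_RE='vmauthd\.server\.alwaysProxy'   # the same key, escaped for grep

# Print how many lines in file $1 set the key (0 if the file is missing).
count_key() {
  [ -f "$1" ] || { echo 0; return 0; }
  grep -Ec "^[[:space:]]*$KEY_RE[[:space:]]*=" "$1" || true
}

# Return 0 when the key is already TRUE in file $1 (bare or "quoted", any case).
always_proxy_set() {
  grep -Eiq "^[[:space:]]*$KEY_RE[[:space:]]*=[[:space:]]*\"?TRUE\"?[[:space:]]*$" "$1" 2>/dev/null
}

# Set the key in file $1.  The first existing line for the key (TRUE, FALSE
# or anything else) is rewritten in place, any repeats are dropped, and the
# line is appended only when absent.  awk also guarantees a trailing newline,
# so appending never glues onto a last line that lacked one.
set_always_proxy() {
  f=$1
  tmp="$f.$$.tmp"
  [ -f "$f" ] || : > "$f"          # start from an empty file if none exists
  awk -v key="$KEY" '
    /^[ \t]*vmauthd\.server\.alwaysProxy[ \t]*=/ {
      if (!done) { print key "=TRUE"; done = 1 }   # rewrite first hit, drop repeats
      next
    }
    { print }
    END { if (!done) print key "=TRUE" }          # append when absent
  ' "$f" > "$tmp"
  mv "$tmp" "$f"
}

# Verification: after reconnecting the VI Client and opening a console, this
# should stay silent; any packet printed means the console still uses 903.
# vswif0 is the ESX 3 service console interface (assumption; pass yours as $1).
watch_903() {
  tcpdump -ni "${1:-vswif0}" 'tcp port 903'
}

# Apply only when asked, so the file can be sourced or tested safely.
if [ "${APPLY_ALWAYS_PROXY:-0}" = "1" ]; then
  set_always_proxy "$CONFIG"
  always_proxy_set "$CONFIG" && echo "$KEY=TRUE is set in $CONFIG" >&2
fi
```

On the host, `APPLY_ALWAYS_PROXY=1 sh always-proxy.sh` writes the setting; run `watch_903` in a second session, then open a console from the VI Client. Rewriting through a temp file and `mv` means a half-written config never replaces the live one if the script is interrupted.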

                     

                     

                    • 7. Re: Using VI Client through a firewall
                      ericsl Hot Shot

                      Ed,

                      Thanks, this is a stand-alone host situation so no VC on site. We're planning on opening the necessary ports to just specific IP addresses, not the entire Internet...

                      Eric

                      • 8. Re: Using VI Client through a firewall
                        Texiwill Guru
                        vExpert, User Moderators

                        Hello,

                        I would still create a VM you can use as a Management appliance local to the single ESX server and have the VIC/RCLI and other necessary tools installed upon it, thereby running nothing but a VPN from remote locations. This way, if the link fails for some reason, the work you have been doing will not be lost. I used to go over the VPN using the VIC remotely and lost my connections quite readily. Left some VMs in odd states; to solve that I used a local VM as an administrative console. All problems went away.

                        Best regards,

                        Edward L. Haletky

                        • 9. Re: Using VI Client through a firewall
                          ericsl Hot Shot

                          Ed,

                          Good idea. Or even just LogMeIn, no VPN required then...

                          Eric

                          • 10. Re: Using VI Client through a firewall
                            wila Guru
                            vExpert, Community Warriors, User Moderators

                            OTOH, if your management VM is no longer running then you have no more control over your server at all.

                            --

                            Wil

                            • 11. Re: Using VI Client through a firewall
                              Texiwill Guru
                              User Moderators, vExpert

                              Hello,

                              I use other methods as a backup, i.e. being on site, or SSH to the ESX host, or access to a physical host within the data center, or remote access through iLO/DRAC, or multiple VMs in use. Note that if the VM is down you may have more serious problems.

                              BTW, LogMeIn is a VPN of sorts. Several options exist for this. Some of my customers use GoToMyPC, LogMeIn, true VPN, OpenVPN, etc.

                              Best regards,

                              Edward L. Haletky

                              • 12. Re: Using VI Client through a firewall
                                wila Guru
                                Community Warriors, User Moderators, vExpert

                                Hi Edward,

                                Yeah, I know... it's not one of those things that happen often, and if it happens, chances are indeed pretty high there's something more serious going on.

                                Just wanted to point out that it is something you want to keep in mind when designing a solution for the customer; you do not want to find out that you missed this after problems occur.

                                I'm an absolute fan of defence in layers and have one of your suggested methods as a backup myself on these types of setups.

                                --

                                Wil

                                • 13. Re: Using VI Client through a firewall
                                  Texiwill Guru
                                  vExpert, User Moderators

                                  Hello,

                                  Absolutely. You must have backups just in case.

                                  Best regards,

                                  Edward L. Haletky

                                  Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky