wow was early in the morning when I replied, I didn't even pick that up.

Just for clarity, id suggest you place a firewall between the outside and inside as per Paul's post above, this stuff shouldn't be routable from the outside.

Also adding those rules in would only stop ssh and vsphere host client, not connections to the other services, at the end of the day this firewall is very basic, and should only ever be used for reducing local network footprints. A firewall VM isn't a difficult thing to build out.

Rich in CYA mode..

You are right. In everything.

This hosts is setup in a remote Datacenter, I do not have physical access to it and it is a standalone server...  some people recommends pfSense, but yeah, it has production sites so I need to take extra care. Not sure about what I will be able to do in terms of NICs, I do not think I can change that unless networking is virtual.

Do you have some more information on how to proceed ?

I was setting up proper IP addresses.

The issue was: firewall was disabled, either this is the default or the previous system administrator disabled it.

Regards

The ESX firewall is definitely enabled by default. The first thing I do on a host when I first set it up is allow access to SSH through the firewall, so it's definitely active. The default configuration does expose port 443, though, of course, or your VI client wouldn't connect so you can adjust the firewall for other stuff *grin*.

Switching the configuration over can be easy or complex, depending on how the VMs are configured and whether or not there are other hosts with VMs on them that need to be able to reach the VMs on this host. If the VMs are using public WAN IPs, then you'll either need to switch those to private IPs after pfSense is set up, or you'll need to set up pfSense as a filtering bridge so that the internal VMs can continue using their existing setup (this is more complex on the pfSense side, but may be way easier than reconfiguring all of your existing VMs).

To make this work, you'll need 2 free IPs. One for pfSense so you can reach it to manage it, and one for the internal VMKernel management interface. Ultimately, the external VMKernel's IP will be released - but you don't want to do that until the very end, after you're positive everything is working and you can reach your new internal VMKernel interface through your pfSense setup and you can manage your pfSense (you can set up OpenVPN or something for remote access to pfSense, which is a good idea - make sure it works before you lock things down). You're working with a production environment, so the key is to be paranoid and make sure everything is tested as you go, so you don't lock yourself out of your host or pfSense.

The steps I'd take would be to create my second vSwitch and call it "LAN" and connect it to an unused NIC on the host (just in case pfSense goes down and someone needs to plug in a PC locally to manage the host). I like to rename the original vSwitch to "WAN", so it's more clear, but doing so will require you to edit all of your VMs and tell them the new name of the vSwitch on their NICs (why vSphere doesn't do this automatically, I don't know). Then I'd install pfSense, configure it for remote access via OpenVPN so I can manage it. I'd then make sure pfSense was going to start automatically on host startup, since it's now a critical VM you can't live without (I'd make it the first VM to start). I'd then create a VMKernel interface on my LAN vSwitch and enable it for management and give it an IP appropriate for the LAN network (it'll be a routable, if pfSense is going to be a filtering bridge, or a private if pfSense is going to NAT for you). Then I'd set up the firewall rules to get to my new VMKernel interface (open port 443, 80 (if you want), 22 (if you want), and 902 (VM console port) and test connectivity with the VI client to it to make sure it works and I can see the console of VMs (this is super important if something breaks somewhere). Once I'm sure my core setup is all happy and I can manage the host and pfSense safely, I'd set up my firewall rules for my VMs, then move my VMs from the WAN vSwitch to the LAN vSwitch one at a time and test to make sure my rules worked as I expected (reconfiguring the VM's IP to private IPs, if that's the route I went with pfSense). Once everything was working and no one was calling to complain that I'd just borked the server, I'd delete the VMKernel interface on the WAN vSwitch (I'd want to be absolutely certain I can reach everything before I did this).

Obviously a lot of this is going to take some time if you're not familiar with pfSense. Just test everything as you go.

Here's a quick diagram of the setup:

Thank you very much!