VMware Cloud Community
richardmiddleto
Contributor

Securing access to esx server and vcenter 4

When you browse to the Management IP Address of each ESX Server and vCenter it displays a welcome page with links to download the client, tools and the ability to login to web access. We are running a Windows 2003 domain. I would like to deny access from all machines on our network to the three ESX servers and the vCenter server apart from two admin machines. I would have thought this would be done by blocking all IPs apart from two, but I'm not sure how to do this.

Has anyone come across a solution for this?

Many thanks

5 Replies
AntonVZhbankov
Immortal

The only solution to provide IP-based access is to place vCenter and all ESXes behind a firewall.

---

VMware vExpert '2009

http://blog.vadmin.ru

EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
http://t.me/beerpanda
uchinchan
Contributor

For ESX Servers, TCP Wrappers could be used for access control.
Texiwill
Leadership

Hello,

When you browse to the Management IP Address of each ESX Server and vCenter it displays a welcome page with links to download the client, tools and the ability to login to web access.

It is best to place your vCenter Server, ESX host service consoles, and ESXi management appliances behind a dedicated firewall. This firewalled network becomes your Management Network and should not be browsable from outside such a network. Actually, I go so far as to create management VMs just for administrators, to which you allow RDP access, and from these VMs they use the vSphere Client and other management tools within the network.

We are running a Windows 2003 domain. I would like to deny access from all machines on our network to the three ESX servers and the vCenter server apart from two admin machines. I would have thought this would be done by blocking all IPs apart from two, but I'm not sure how to do this.

For VC, you would need to use Windows Firewall or some other firewall to deny access to all PORTS for all but those necessary. For VMware ESX you would use TCP Wrappers, for ESXi there is no solution short of a firewall.

You could also look into using the HyTrust Appliance; it would also work for this.


Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
richardmiddleto
Contributor

Thanks for the reply. Can you provide any further information on how to use/set up TCP Wrappers?
Texiwill
Leadership

Hello,

That is covered in gory detail within both my books, actually. But you will need not only TCP Wrappers but changes to the iptables firewall within the ESX host, a secondary firewall so to speak. You may even want to also use pam_access to enforce a group policy, so that if multiple people have access to a single host you can lock down by user/group and not just IP.

Note this will NOT affect VC or any VMs hosted by ESX.

The simplest TCP Wrappers setup is:

echo "ALL: AdminIP1 AdminIP2" >> /etc/hosts.allow
echo "ALL: ALL" >> /etc/hosts.deny

Where AdminIP1 and AdminIP2 are the IP addresses of your management hosts. Do not forget to include the IP address of your vCenter Server in this or things will break. Also include in this list ANYTHING like HPSIM...

Also, you should note that while the simplest, this setup will NOT pass the DISA STIG requirements, as it has very specific requirements for the contents of /etc/hosts.allow.

Also note that this setup only affects those daemons that USE TCP Wrappers, and not every one of those does, so you may also have to lock down by source IP... visit http://www.astroarch.com/wiki/index.php/Lockdown_by_Source_IP for more information on this.

Good luck!


Best regards,

Edward L. Haletky
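The hosts.allow/hosts.deny setup above is easy to get subtly wrong (the reply itself warns that leaving vCenter out of hosts.allow "will break things"). The following is an added example, not code from the thread or from VMware: a small Python model of how TCP Wrappers (libwrap) evaluates the two files per hosts_access(5), so a proposed configuration can be checked offline before it is applied to a service console. It supports the patterns ALL, an exact IPv4 address, a trailing-dot network prefix, and net/mask in CIDR form; the EXCEPT operator and hostname patterns are not modelled. All IP addresses are constructed placeholders.

```python
"""
Added example (not from the thread): a model of TCP Wrappers access checks.
Evaluation order, as in hosts_access(5):
  1. access is granted if a (daemon, client) pair matches /etc/hosts.allow;
  2. otherwise access is denied if it matches /etc/hosts.deny;
  3. otherwise access is granted.
Not modelled: EXCEPT lists, hostname/domain patterns, option fields.
"""
import ipaddress


def _client_matches(pattern: str, client_ip: str) -> bool:
    """Match one client pattern (ALL, exact IP, '10.1.2.' prefix, or CIDR)."""
    if pattern == "ALL":
        return True
    if pattern.endswith("."):  # trailing-dot network prefix, e.g. "10.0.0."
        return client_ip.startswith(pattern)
    if "/" in pattern:  # net/mask written in CIDR form
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(client_ip) in net
    return pattern == client_ip


def _parse(text: str):
    """Parse an access-control file into (daemon_list, client_list) rules."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line or ":" not in line:
            continue
        daemons, clients = line.split(":", 1)
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules


def _matches(rules, daemon: str, client_ip: str) -> bool:
    """True if any rule covers this daemon and this client address."""
    for daemons, clients in rules:
        if ("ALL" in daemons or daemon in daemons) and \
                any(_client_matches(p, client_ip) for p in clients):
            return True
    return False


def hosts_access(allow_text: str, deny_text: str, daemon: str, client_ip: str) -> bool:
    """Decide whether client_ip may reach daemon under the given files."""
    if _matches(_parse(allow_text), daemon, client_ip):
        return True
    if _matches(_parse(deny_text), daemon, client_ip):
        return False
    return True  # neither file matched: libwrap grants access


def missing_from_allow(allow_text: str, required_ips) -> list:
    """Return required hosts (vCenter, HP SIM, ...) that no hosts.allow rule grants."""
    rules = _parse(allow_text)
    return [ip for ip in required_ips
            if not any(any(_client_matches(p, ip) for p in clients)
                       for _, clients in rules)]


# Constructed sample: the thread's two-admin setup with placeholder addresses.
ADMIN1, ADMIN2, VCENTER, OTHER = "10.0.0.11", "10.0.0.12", "10.0.0.20", "10.0.5.77"
HOSTS_ALLOW = f"ALL: {ADMIN1} {ADMIN2}\n"
HOSTS_DENY = "ALL: ALL\n"

if __name__ == "__main__":
    for ip in (ADMIN1, OTHER, VCENTER):
        verdict = "allowed" if hosts_access(HOSTS_ALLOW, HOSTS_DENY, "sshd", ip) else "denied"
        print(f"{ip} -> sshd: {verdict}")
    # The check the reply asks for: is vCenter actually in hosts.allow?
    print("missing from hosts.allow:", missing_from_allow(HOSTS_ALLOW, [VCENTER]))
    fixed = HOSTS_ALLOW + f"ALL: {VCENTER}\n"
    print("after adding vCenter:", missing_from_allow(fixed, [VCENTER]))
```

Run it as a script to see the verdicts; `missing_from_allow` is the pre-flight check to run against the list of every host that must keep talking to the ESX service console (vCenter, monitoring agents such as HP SIM) before the files are installed. Keep in mind the reply's other caveat: this only predicts the behaviour of daemons linked against libwrap, so services that bypass TCP Wrappers still need the iptables rules the reply mentions.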