VMware Cloud Community
ejking
Contributor

ESX 3.5 and VC2.5 (vCenter on internal LAN and ESX behind a Firewall)

The ESX 3.5 server is behind a Firewall. All ports are open from Internal LAN to ESX server.

I have been advised by the firewall team that the following ports are open from ESX to internal

ESX to vCenter

***********************************

TCP 902 and 903

UDP 903

Licensing 27000 and 27010

ESX to DNS servers

***********************************

DNS TCP/UDP 53

I need to add the ESX server to vCenter and to use Flex licensing server which is on VC. When I try to change the licensing from evaluation to "Use license server" using either IP or FQDN, I get the error "unable to change the license state as the license server is not available".

ICMP is open from internal to the ESX but not the other way. I can resolve the ESX host name to IP address from Internal.

How can I test DNS lookup from ESX as ICMP is not open?

What is possibly missing in this configuration?

6 Replies
MauroBonder
VMware Employee

Your license server must be registered with its FQDN.

In Licensed Features > change to "Use license server" > and set your license server (i.e. licenseserver.mycompany.com).

The ports needed for this to work are 27000 and 27010 (check at your host > Configuration > Security Profile), or test by opening all ports of the firewall into the ESX via the command line.

*If you found this information useful, please consider awarding points for "Correct" or "Helpful"*

*Please, don't forget to award points for "helpful" and/or "correct" answers. Please, don't forget to award the points if the answer was useful or solved the problem.* Thank you
ejking
Contributor

> your license server must be register with FQDN.

YES it is.

> in licensed features > change to use license server > and set your license server (I.E licenseserver.mycompany.com)

That is what I had done, as stated previously. Also tried using IP.

> the port need for this work is 27000,27010 (check at your host > Configuration > Security Profile) or test opening all port of firewall into ESX via command line.

These ports are already open on the security profile.

How can I test DNS lookup from ESX as ICMP is not open? I.e. nslookup?

MauroBonder
VMware Employee

Test via the command line: run nslookup and enter the desired hostname, e.g.:

# nslookup
> vmware02
Server: 10.100.13.1
Address: 10.100.13.1#53

Name: vmware02.domain.com
Address: 10.100.13.4

Check ICMP:

iptables -L

ejking
Contributor

Will nslookup require ICMP to be open on the firewall? I.e. can I perform nslookup even though ping is not allowed?

Thanks

NTurnbull
Expert

nslookup will test the DNS name resolution from the box you're typing it on to the destination specified in the command.

Thanks,

Neil

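As an added example (not from any poster in this thread), the following bash script does the two checks the thread turns on from the ESX service console without relying on ICMP at all: resolving a name through the system resolver (the same UDP/TCP 53 path nslookup uses) and making a plain TCP connection to the license server ports 27000 and 27010 listed in the first post. A connection that is refused or that hangs until the watchdog fires points at the firewall or the service, never at ping being blocked. It assumes bash with /dev/tcp support and glibc's getent; the license server name is a placeholder to replace.

```bash
#!/bin/bash
# Added example, not from this thread: DNS and TCP reachability checks that do
# not depend on ICMP. Assumes bash with /dev/tcp support and glibc's getent
# (both normal on a Linux service console; confirm on your own host).

# Resolve a name via the system resolver (the same UDP/TCP 53 path nslookup
# uses, with /etc/hosts consulted first per nsswitch.conf). Prints the first
# address and returns 1 if the name does not resolve. No ICMP is involved.
resolve_host() {
    local name="$1" answer
    answer=$(getent hosts "$name" 2>/dev/null) || return 1
    # getent prints "ADDRESS NAME [ALIASES...]"; keep the first field only.
    set -- $answer
    [ -n "$1" ] || return 1
    printf '%s\n' "$1"
}

# Plain TCP connect to HOST:PORT, giving up after WAIT seconds (default 5).
# Returns 0 when the handshake completes, non-zero when the port is refused
# (nothing listening) or the connect hangs (a firewall silently dropping it).
check_tcp_port() {
    local host="$1" port="$2" wait_s="${3:-5}" conn dog rc
    ( exec 3<>"/dev/tcp/$host/$port" ) 2>/dev/null &
    conn=$!
    # Watchdog: kill the connect attempt if it is still hanging after WAIT.
    ( sleep "$wait_s"; kill "$conn" 2>/dev/null ) >/dev/null 2>&1 &
    dog=$!
    wait "$conn"; rc=$?
    kill "$dog" 2>/dev/null
    return "$rc"
}

# The checks from the first post: resolve the license server, then try both
# license ports. The default host name is a placeholder, not a real server.
check_license_server() {
    local lic_host="${1:-licenseserver.example.invalid}" ip port status=0
    ip=$(resolve_host "$lic_host") || {
        echo "DNS: cannot resolve $lic_host (check /etc/resolv.conf and port 53)"
        return 1
    }
    echo "DNS: $lic_host -> $ip"
    for port in 27000 27010; do
        if check_tcp_port "$ip" "$port" 5; then
            echo "TCP $port: reachable"
        else
            echo "TCP $port: refused or blocked"
            status=1
        fi
    done
    return "$status"
}

# Usage: ./lic-check.sh licenseserver.mycompany.com
if [ $# -gt 0 ]; then
    check_license_server "$1"
fi
```

Run it with the license server's FQDN as the only argument; a failed DNS line means the resolver path is the problem, while a resolved name followed by "refused or blocked" on 27000/27010 means the firewall or the license service is.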
ejking
Contributor

And it does NOT require ICMP?

For example, is just opening TCP/UDP 53 from source to destination (DNS server) both ways sufficient to test nslookup between source and destination through the firewall?
