VMware Cloud Community

ESX host behind Firewall

Dear all,

I have a question about an ESX host that is behind a firewall (DMZ) and connected to a VC inside the local network.

The host was added successfully to VC (after opening ports 902, 443, 27000, 27010) and the consoles of the DMZ VMs can now be seen (after adding vmauthd.server.alwaysProxy = "TRUE" in /etc/vmware/config to use port 902 instead of 903).

The problems I have are the following:

1. When I create new VMs from VIClient connected to VC, they are added to inventory but the task progress stays "In Progress" forever and the VMs cannot be used (when connecting VIClient directly to the host, NO PROBLEMS).

2. When I clone a VM from another host, the progress stops at "95%" forever, and the VM also cannot be used.

I tried to browse the datastores and found that the sizes of all vmx files (for the newly created and cloned VMs) are 0.

Waiting for your posts, and thanks in advance.

0 Kudos
5 Replies

Take a look at this info: http://www.boche.net/blog/?p=655


VMware vExpert '2009


EMCCAe, HPE ASE, MCITP: SA+VA, VCP 3/4/5, VMware vExpert XO (14 stars)
VMUG Russia Leader
0 Kudos
VMware Employee
0 Kudos
Hot Shot

Well, I faced the same issue with one VM which stops at 95%. After researching, I found that if you have more than two disks on different datastores and are unable to read the information from another datastore, then you will get the error message. Before cloning the VM, check that you have access to all the datastores, such as source and destination.

If you are still getting the error message, then upload the vmware.log and vmkernel log for the VM and host.

Anuj Modi. If you found my answer to be useful, feel free to mark it as Helpful or Correct. The latest blogs and articles on Virtualization: anujmodi.wordpress.com
0 Kudos


The problem is that your VC host is really in the wrong location from a security perspective so you need to open up all sorts of ports on the firewalls for your ESX hosts.... VC is JUST as important as the service console and should be protected as such.

So I generally do the following:

Internet <-> DMZ FW <-> DMZ VMs + Physical hosts <-> Internal Firewall <-> Production/whatever <-> Virtualization Management FW <-> ESX + VC + VIC workstations running as VMs.

This way VC can talk freely to ESX and VIC to VC, etc. and everything is buried deep in your networks.

You could also use HyTrust within this if you need more security.

If you need to P2V from DMZ to ESX you would follow the steps outlined in http://itknowledgeexchange.techtarget.com/virtualization-pro/secure-method-to-p2v-across-security-zo...

Best regards,

Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
SearchVMware Pro (http://www.astroarch.com/wiki/index.php/Blog_Roll) | Blue Gears | Top Virtualization Security Links | Virtualization Security Round Table Podcast

Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
0 Kudos

Fixing HyTrust search in VMware communities.

0 Kudos