Hi community,
I'm trying to secure access to an ESXi host through the web client.
My script below worked fine when targeting services like ssh, but when I try targeting "vSphereWebclient" it fails and disconnects the ESXi host from the vCenter.
I think the reason, as you can see from the script, is that I'm disallowing all IPs first before granting access to some specific IPs.
My question is how to concatenate the two loops below, as it seems that should fix my issue and queue the two tasks.
Unless you have another script or workaround you can suggest.
# This script updates the ESXi firewall, limiting access to some subnets only
# ESXi host(s) to configure. Array of host names (one or more)
$VMhosts = @("host1.mylab")
# Allowed IPs and subnets (array; each entry is an address or CIDR network)
$remoteIP = @("10.0.0.0/8")
# Service (firewall ruleset id) being restricted
$Service1 = "sshServer"
foreach ($esx in (Get-VMHost -Name $VMhosts)) {
    $esxcli = (Get-EsxCli -VMHost $esx).network.firewall
    # ruleset.set(allowedall, enabled, rulesetid): stop allowing all IPs, keep the ruleset enabled
    $esxcli.ruleset.set($false, $true, "$Service1")
    # then add each allowed address/network to the ruleset
    foreach ($ip in $remoteIP) {
        $esxcli.ruleset.allowedip.add("$ip", "$Service1")
    }
}
Have a look at Solved: Re: ESXi outgoing firewall - VMware Technology Network VMTN
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Why would you disable the rule if you intend to in fact use a limited set of IP addresses?
Just change the allowed IP addresses.
Blog: lucd.info Twitter: @LucD22 Co-author PowerCLI Reference
Thanks LucD for the quick response.
When I exclude the first loop that disables "All IPs access", I'm getting the following error.
PowerCLI C:\Scripts> .\CitrixF5_new.ps1
The remote server returned an error: (500) Internal Server Error.
At C:\Scripts\CitrixF5_new.ps1:30 char:9
+ $esxcli.ruleset.allowedip.add("$ip","$Service2")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], ViError
+ FullyQualifiedErrorId : VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViError
The remote server returned an error: (500) Internal Server Error.
At C:\Scripts\CitrixF5_new.ps1:30 char:9
+ $esxcli.ruleset.allowedip.add("$ip","$Service2")
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : OperationStopped: (:) [], ViError
+ FullyQualifiedErrorId : VMware.VimAutomation.Sdk.Types.V1.ErrorHandling.VimException.ViError
PowerCLI C:\Scripts>
The new script looks like:
# This script updates the ESXi firewall, limiting access to some subnets only
# ESXi host(s) to configure. Array of host names (one or more)
$VMhosts = @("host1.mylab")
# Allowed IPs and subnets (array; each entry is an address or CIDR network)
$remoteIP = @("10.0.0.0/8")
# Service (firewall ruleset id) being restricted
$Service1 = "sshServer"
foreach ($esx in (Get-VMHost -Name $VMhosts)) {
    $esxcli = (Get-EsxCli -VMHost $esx).network.firewall
    # the call that turned off "allow all IPs" is left out this time
    #$esxcli.ruleset.set($false, $true, "$Service1")
    foreach ($ip in $remoteIP) {
        $esxcli.ruleset.allowedip.add("$ip", "$Service1")
    }
}
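Added example for both scripts above (not the poster's code and not LucD's): one PowerCLI function that does the two steps in the safe order for a ruleset. It adds the allowed networks and verifies they are present on the host before it switches allowedall off, so the ruleset is never in the "no allowed IPs" state that the thread suspects caused the vCenter disconnect. Assumptions: PowerCLI with the Get-EsxCli -V2 interface; that the address vCenter uses to reach the host is the one its DNS name resolves to from where the script runs (behind NAT or with several vCenter NICs this may differ, so set $vCenterAddress by hand in that case); the host names, networks and ruleset ids are constructed placeholders.

```powershell
# Added example (not from the thread): restrict ESXi firewall rulesets to a set of
# source networks without dropping the vCenter connection while doing so.
# Assumes PowerCLI with Get-EsxCli -V2. Values below are constructed placeholders.
$VMHostNames = @("host1.mylab")                     # hosts to configure
$AllowedNets = @("10.0.0.0/8")                      # networks allowed to reach the services
$RulesetIds  = @("sshServer", "vSphereWebclient")   # rulesets to restrict

# Assumption: the IPv4 address the connected vCenter's name resolves to is the
# address it uses to reach the host. Override manually if that is not true for you.
$vCenterAddress = ([System.Net.Dns]::GetHostAddresses($global:DefaultVIServer.Name) |
    Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
    Select-Object -First 1).IPAddressToString

function Set-EsxRulesetAllowedNetworks {
    param(
        [Parameter(Mandatory)] $VMHost,                  # VMHost object from Get-VMHost
        [Parameter(Mandatory)] [string]   $RulesetId,    # e.g. sshServer
        [Parameter(Mandatory)] [string[]] $Networks,     # addresses or CIDR networks
        [string] $MustAllow                              # address that must never be locked out
    )
    $fw = (Get-EsxCli -VMHost $VMHost -V2).network.firewall

    # Step 1: add every allowed entry while allowedall is still true, so the
    # service keeps answering throughout. Skip entries the host already has.
    $wanted = @($Networks)
    if ($MustAllow) { $wanted += $MustAllow }
    $current = @(($fw.ruleset.allowedip.list.Invoke(@{ rulesetid = $RulesetId })).AllowedIPAddresses)
    foreach ($net in $wanted) {
        if ($current -notcontains $net) {
            $a = $fw.ruleset.allowedip.add.CreateArgs()
            $a.rulesetid = $RulesetId
            $a.ipaddress = $net
            $fw.ruleset.allowedip.add.Invoke($a) | Out-Null
        }
    }

    # Step 2: read the list back from the host and refuse to continue if anything
    # is missing; the ruleset is left in allow-all mode rather than half-configured.
    $after = @(($fw.ruleset.allowedip.list.Invoke(@{ rulesetid = $RulesetId })).AllowedIPAddresses)
    foreach ($net in $wanted) {
        if ($after -notcontains $net) {
            throw "Ruleset '$RulesetId' on $($VMHost.Name): '$net' not present after add; allowedall left enabled."
        }
    }

    # Step 3: only now stop allowing all sources. The ruleset itself stays enabled.
    $s = $fw.ruleset.set.CreateArgs()
    $s.rulesetid  = $RulesetId
    $s.enabled    = $true
    $s.allowedall = $false
    $fw.ruleset.set.Invoke($s) | Out-Null

    # Return the final state so the caller can log or check it.
    [pscustomobject]@{
        Host      = $VMHost.Name
        Ruleset   = $RulesetId
        AllowedIP = $after
    }
}

foreach ($esx in Get-VMHost -Name $VMHostNames) {
    foreach ($rs in $RulesetIds) {
        Set-EsxRulesetAllowedNetworks -VMHost $esx -RulesetId $rs -Networks $AllowedNets -MustAllow $vCenterAddress
    }
}
```

The order is the whole point: with the poster's first script the ruleset has no allowed entries for a moment after `ruleset.set($false, ...)`, which is harmless for sshServer but cuts off whatever vCenter itself uses when the ruleset is the one it talks to. Adding the vCenter address explicitly (not only a broad network that happens to contain it) also makes the intent visible when someone later trims `$AllowedNets`.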
