VMware Cloud Community
Kevin_S
Contributor

New ESXi 5.1 host in DMZ - Can't connect via vCenter Client or web, but can via SSH if I enabled

We have a simple DMZ where I setup a host running ESXi 5.1. I have another windows server in the DMZ subnet and I can load up the web site of the new ESXi host from it. From my PC in our LAN I cannot pull up ESXi 5.1 web interface or connect via vSphere Client. If I enable SSH on the new host, I can use putty to connect to the new ESXi host from my PC in LAN. I have looked at the event logs in our firewall and nothing appears to be blocked. I assume the issue is related to a security or firewall setting in ESXi 5.1 but I am not familiar. Any assistance would be appreciated.

thanks

-Kevin

Accepted Solutions
a_p_
Leadership

Just a thought. Why don't you run the ESXi host's management in your internal network, and only the VMs in the DMZ? This would make the ESXi host's management even more secure and you wouldn't have to open firewall ports.

André

5 Replies
nkrishnan
Expert

Hi Kevin, make sure you have enabled the required network ports to access the ESXi hosts through the vSphere Client.

Refer to http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=101238... and http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=203184...

443 (TCP): The default port that the vCenter Server system uses to listen for connections from the vSphere Client. To enable the vCenter Server system to receive data from the vSphere Client, open port 443 in the firewall. The vCenter Server system also uses port 443 to monitor data transfer from SDK clients. If you use another port number for HTTPS, you must use ip-address:port when you log into the vCenter Server system.

636 (TCP): For vCenter Server Linked Mode, this is the SSL port of the local instance. If another service is running on this port, it might be preferable to remove it or change its port to a different port. You can run the SSL service on any port from 1025 through 65535.

902 (TCP/UDP): The default port that the vCenter Server system uses to send data to managed hosts. Managed hosts also send a regular heartbeat over UDP port 902 to the vCenter Server system. The port is also used for transmitting virtual machine consoles for ESXi 4.x and 5.x hosts. This port must not be blocked by firewalls between the server and the hosts or between hosts.

903 (TCP): Port 903 must be open between the vSphere Client and ESX / ESXi hosts. The vSphere Client uses this port to display virtual machine consoles on ESX / ESXi hosts.
--Nithin
Kevin_S
Contributor

Thanks for the quick reply. I enabled logging on our firewall and when I attempt to connect to the host via VMware vSphere Client I get the output below. I don't see how our firewall would be blocking any ports? Thanks.

[attachment: vmware-error.JPG]

Kevin_S
Contributor

André, thanks for the reply. At this point I do have some flexibility, as the overall objective is to have a VMware host run VMs that will be accessible from the internet. We have a web server and an IP phone proxy server in the DMZ and already have some access rules set up. For instance, our LAN can access the DMZ without restriction, but the external network would have restrictions to the DMZ. One issue could be DMZ restriction to LAN, but I have temporarily placed any/any allow rules to experiment. To answer your question, I would want to keep it set up this way to keep it as simple as possible. I also don't see a reason why it shouldn't work unless there is a specific setting in the ESXi server that is prohibiting traffic from our 10.X LAN to the 192.168.X DMZ.

Kevin_S
Contributor

I wanted to follow up on this one. Just having ESXi 5.1 on a host in the DMZ without vCenter Server running and not allowing a vSphere Client on the internal network to connect has to be an SSL issue on the host. The web interface (using SSL) doesn't come up either, but I can PuTTY in using port 22.

At this point we are going to do what André suggested and keep our management outside of the DMZ on our internal network and just keep the VMs in the DMZ. This will be more secure, removing management from DMZ exposure.

thanks

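A client-side probe for the ports Nithin lists and the "SSH works, HTTPS does not" symptom Kevin describes, added here as an example (not code from VMware or from anyone in this thread). It separates "no TCP connection at all" (firewall or routing between LAN and DMZ) from "TCP connects but the TLS handshake fails" (an SSL problem on the host); the target address is a placeholder and the probe functions are parameters so the logic can be tested without a live host.

```python
"""Probe the ports a vSphere Client needs on an ESXi host, from the client side."""
import socket
import ssl
import sys

# Ports quoted in the thread: 22 SSH (known to work), 443 HTTPS / vSphere Client,
# 902 host agent and VM console, 903 VM console between client and host.
VSPHERE_PORTS = {22: "ssh", 443: "https/vsphere-client", 902: "host-agent/console", 903: "console"}


def tcp_connect(host, port, timeout=3.0):
    """True if a plain TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def tls_handshake(host, port, timeout=3.0):
    """True if a TLS handshake completes. ESXi ships a self-signed certificate,
    so verification is disabled: this only checks that the service speaks TLS."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host):
                return True
    except (OSError, ssl.SSLError):
        return False


def classify(host, ports=VSPHERE_PORTS, connect=tcp_connect, handshake=tls_handshake):
    """Map each port to 'blocked', 'tls-failed' or 'open'.
    Only 443 is expected to answer a TLS handshake directly; 902/903 carry their
    own protocols, so for them a completed TCP connection counts as open."""
    result = {}
    for port in ports:
        if not connect(host, port):
            result[port] = "blocked"      # no TCP: look at the firewall/routing path
        elif port == 443 and not handshake(host, port):
            result[port] = "tls-failed"   # packets reach the host; SSL layer is the problem
        else:
            result[port] = "open"
    return result


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.x.x"  # placeholder ESXi address
    for port, state in classify(target).items():
        print(f"{port:>4} {VSPHERE_PORTS[port]:<22} {state}")
```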