Hi All.
In a lab environment, I have an ESXi host with VMkernel interfaces in the same subnet, but only one with the management service enabled. So... with both addresses, I can manage this server (access to VMware Host Client, add host to vCenter, SSH session). Is this an expected behavior? Which kind of traffic is exclusive to the management service? I thought that only a VMkernel interface enabled with the management service could be used to manage ESXi.
Regards.
Valter Junior
I'm a newbie, but I believe that checkbox refers to host-to-vCenter communications, not workstation-to-vCenter for your access to manage your environment via the browser.
--Alan--
This "management" is misleading because the only purpose is to tell the ESXi where to place the default HA network, and in the old days this was where the one and only gateway was located.
The standard services are bound to all interfaces and are reachable from outside on all of them.
Regards,
Joerg
Hi Joerg. Thank you for your answer. I have 2 questions:
1. In my case, why does this behavior happen, since my ESXi host is not in a vSphere HA cluster, so the FDM agent is not installed yet?
2. Isn't an ESXi host being reachable on all interfaces considered a security vulnerability?
Regards.
Valter Junior
1. Maybe there are some more bits and pieces you tell the ESXi when ticking the "management" check box, but for sure it's not how YOU, and I would say all others also, interpret this setting. It will not tell the ESXi where to listen for connections to Host Client, SSH and so on.
2. Well... the reason for more VMKs is normally the special functions for FT, vMotion, iSCSI and so on. In the old days all of these were non-routable, and when placed in a separate subnet and different VLAN you can't reach them from the outside.
If you like, you can add IP addresses or subnets from which the ESXi firewall lets you connect to SSH, Host Client, for every service you want to add protection to.
By the way... best practice is to leave SSH and ESXi Shell disabled until you have a need for them.
Regards,
Joerg
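
The per-service source restriction suggested in the last reply can be scripted. The following is an added example, not part of the thread: it validates a list of admin sources and prints the `esxcli network firewall` commands for review. The ruleset id `sshServer` and the 192.0.2.0/24 and 198.51.100.7 sources are sample values; confirm the ids on your host with `esxcli network firewall ruleset list`.

```shell
#!/bin/sh
# Added example (not from the thread): print the esxcli commands that limit
# one ESXi firewall ruleset to named admin sources, for review before running.
# Assumption: ruleset id and addresses below are constructed sample values.

# valid_cidr ADDR[/PREFIX]: succeed only for a well-formed IPv4 source.
valid_cidr() {
    case $1 in ''|*[!0-9./]*|*.|*./*) return 1 ;; esac
    ip=${1%%/*}
    case $1 in */*) pfx=${1#*/} ;; *) pfx=32 ;; esac
    case $pfx in ''|*[!0-9]*) return 1 ;; esac
    [ "$pfx" -le 32 ] 2>/dev/null || return 1
    old_ifs=$IFS; IFS=.
    set -- $ip                      # split the address into octets
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] 2>/dev/null || return 1
    done
    return 0
}

# restrict_ruleset RULESET SOURCE...: validate everything, then emit commands.
# Nothing is printed unless every argument passes, so a typo cannot produce a
# half-applied allow list.
restrict_ruleset() {
    rs=$1
    case $rs in ''|*[!A-Za-z0-9_-]*) echo "bad ruleset id" >&2; return 1 ;; esac
    shift
    [ $# -ge 1 ] || { echo "no allowed sources given for $rs" >&2; return 1; }
    for src in "$@"; do
        valid_cidr "$src" || { echo "invalid source: $src" >&2; return 1; }
    done
    # Turn off allow-all, add each permitted source, then show the result.
    echo "esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=false"
    for src in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=$rs --ip-address=$src"
    done
    echo "esxcli network firewall ruleset allowedip list --ruleset-id=$rs"
}

# Sample run: SSH reachable only from one admin subnet and one jump host.
restrict_ruleset sshServer 192.0.2.0/24 198.51.100.7
```

Because the services listen on every VMkernel interface, the restriction is by source address rather than by which interface carries the management tag.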