VMware Cloud Community
Whibble
Contributor

ESXi Host Firewall Ports

I have two ESXi hosts on their own VLAN. I have a Windows Active Directory Domain Controller on another VLAN. I'm trying to join the ESXi hosts to the domain but got the 'Errors in Active Directory operations' error and figured out that the TCP port traffic on ports 88, 123, 135, 137, 139, 389, 445, 464, and 3268 are not getting through. Ports 80 and 443 work just fine.

Here's what I have tried and discovered:

I access the host via its web interface. I go to networking, then firewall rules. The 'Active Directory All' listing is set to allow all IP addresses and is active. Yet, when I log on to my domain controller and use 'Test-NetConnection [ESXi host IP] -port 135', it fails. I log in to the shell for the ESXi host and use the command 'nc -v -n [DC IP] 135' and it also fails. Doing the same nc command, but with port 80 instead, succeeds. I have tried completely turning off the firewall for the ESXi host, using the commands 'esxcli network firewall set --enabled=false' and 'esxcli network firewall set --default-action=true' but this did not solve the issue. I still cannot get port 135 (or other ports listed above) traffic to or from this ESXi host. I have also tried sending and receiving the TCP port traffic to/from an admin workstation on the same VLAN as the ESXi host, and it still didn't work.

My domain controller has its firewall completely open on all those above listed ports. It can successfully get TCP traffic over those ports to every other machine on the network. I have a Windows Server 2016 that is on the same VLAN as my ESXi hosts, and it can communicate with my domain controller over port 135. DNS resolution between the ESXi host and my domain controller works just fine.

What could my issue be? I don't think it's related to the network, as every other machine on every VLAN can communicate just fine. I don't think it's the ESXi firewall, since I completely disabled it and the issue persisted. Is there somewhere else within the ESXi configuration that could be stopping me from being able to communicate to my domain controller over ports 135, 137, 139, 389, etc?

8 Replies
Sachchidanand
Expert

Hi,

On an ESXi host, go to the Networking tab and you will find the Firewall Rules sub-tab; under that you can enable and allow the required ports and IP addresses respectively.

See the screenshot attached for your reference.

Whibble
Contributor

Accessing the firewall rules through the host itself gives me the same options as I see in vCenter. There's a listing for Active Directory All, with 'Incoming Ports' set to 2020, and 'Outgoing Ports' set to '123, 137, 139, 3268, 389, 445, 464, 7476, 88'.

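A quick way to check a ruleset listing like the one above against the ports a domain join needs is to parse the esxcli output and diff the two sets. This is an added example, not code from the thread or from VMware; the column layout of the sample is an assumption modelled on `esxcli network firewall ruleset rule list --ruleset-id=activeDirectoryAll`, and the sample itself is constructed from the ports the poster reported.

```python
import re

# TCP ports the thread says must reach the domain controller for the join.
AD_JOIN_PORTS = {88, 123, 135, 137, 139, 389, 445, 464, 3268}

# Constructed sample in the assumed layout of
# `esxcli network firewall ruleset rule list --ruleset-id=activeDirectoryAll`.
SAMPLE_RULE_LIST = """\
Ruleset             Direction  Protocol  Port Type  Port Begin  Port End
------------------  ---------  --------  ---------  ----------  --------
activeDirectoryAll  Inbound    TCP       Dst              2020      2020
activeDirectoryAll  Outbound   TCP       Dst                88        88
activeDirectoryAll  Outbound   TCP       Dst               123       123
activeDirectoryAll  Outbound   TCP       Dst               137       137
activeDirectoryAll  Outbound   TCP       Dst               139       139
activeDirectoryAll  Outbound   TCP       Dst               389       389
activeDirectoryAll  Outbound   TCP       Dst               445       445
activeDirectoryAll  Outbound   TCP       Dst               464       464
activeDirectoryAll  Outbound   TCP       Dst              3268      3268
activeDirectoryAll  Outbound   TCP       Dst              7476      7476
"""

RULE_RE = re.compile(r"^(\S+)\s+(Inbound|Outbound)\s+(TCP|UDP)\s+(Src|Dst)\s+(\d+)\s+(\d+)$")

def parse_rules(text):
    """Return (ruleset, direction, protocol, port_begin, port_end) tuples from esxcli output."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if m:  # header and separator lines do not match and are skipped
            rules.append((m.group(1), m.group(2), m.group(3), int(m.group(5)), int(m.group(6))))
    return rules

def allowed_ports(rules, direction="Outbound", proto="TCP"):
    """Every port covered by a rule in the given direction and protocol (ranges expanded)."""
    ports = set()
    for _, d, p, lo, hi in rules:
        if d == direction and p == proto:
            ports.update(range(lo, hi + 1))
    return ports

def missing_outbound(rules, required=AD_JOIN_PORTS):
    """Required destination ports that no outbound TCP rule covers, sorted."""
    return sorted(required - allowed_ports(rules))

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULE_LIST)
    print("outbound TCP allowed:", sorted(allowed_ports(rules)))
    print("required but uncovered:", missing_outbound(rules))  # [135] for the sample
```

On a host, pipe the real esxcli output into `parse_rules` instead of the sample; any port it reports as uncovered is one the ruleset alone would not open, which separates a ruleset gap from the switch or network path the thread goes on to suspect.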
Whibble
Contributor

Minor update:

I'm a little baffled. I'm not even entirely sure it's a firewall issue at this point, but it has to be, right? I got on the shell for my ESXi host and ran these two commands:

esxcli network firewall set --enabled=false
esxcli network firewall set --default-action=true

That should, in theory, completely disable the firewall (temporarily, for testing purposes). Even if, for some reason, it wasn't disabled, the default behavior should have been to allow the traffic.

Yet, when I try to Test-NetConnection from my Domain Controller to the ESXi host over port 135 or 389, I get an immediate 'WARNING: TCP connect to (ip address:389) failed' message. Like, immediately.

Okay, so it's got to be a switch-based firewall in the way then. Except, there's a Windows NAS running on the same exact subnet a single IP address number away from my ESXi host, and I can get port 135 TCP traffic there with no issue.

What exactly could possibly be the issue here? I must be missing something very simple.

filipe_dias
Enthusiast

Is it possible to create custom rules on the ESXi firewall?

Sachchidanand
Expert

You have to check all possible restrictions in between ESXi and the Windows machine, like ACLs or any firewall.

You also have to check the firewall rules on Windows itself; search for "Windows Firewall with Advanced Security" on your Windows machine for inbound and outbound rules... see screenshot.

Whibble
Contributor

There is no ACL or any network-based firewall in place at the moment. The firewall on the Windows Domain Controller is completely open on all those ports. Every other machine besides my ESXi host can get traffic on ports 88, 123, 135, 137, 139, 389, 445, 464, and 3268 to the domain controller. I'm almost certain it is something inside ESXi blocking me.

Sachchidanand
Expert

You can create custom firewall rules in ESXi; please go through the document below if you are sure the issue is at the ESXi end only.

https://kb.vmware.com/s/article/2008226

Whibble
Contributor

I've turned the firewall completely off, and still the traffic would not go through. I'm not sure adding firewall rules would help, and I was also curious about the line in that article that states:

Note: With the security changes implemented in vSphere 7.0 (reference KB https://kb.vmware.com/s/article/78689 ) the only supported way to open up ports is through a partner-created VIB to open the ports or change the files needed.

So I'm not entirely sure it would even let me. I can try, however.
