How to open and close firewall ports on VMware ESXi hosts

Home Blog How to open and close firewall ports on VMware ESXi hosts

4sysops - The online community for SysAdmins and DevOps

    , ,   1
By default, VMware ESXi hypervisor opens just the necessary ports. The most basic access to the hypervisor is by using just a few firewall ports enabled on the hosts.

Vladan Seget

Vladan Seget is an independent consultant, professional blogger, vExpert 2009-2019, VCAP-DCA/DCD and MCSA. He has been working for over 20 years as a system engineer.

Latest posts by Vladan Seget (see all)

Contents of this article

Whether vCenter Server manages the host or it is a standalone ESXi host, different tools and access paths can do this. The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or allow traffic from selected IP addresses.

You'll be using the vSphere Web Client (HTML5) if you have VMware vCenter Server in your environment. Or if you are using a standalone ESXi host only, you'll use ESXi Host Client for the job.

For both tools, you do not need to install any software to your management workstation or laptop, and you can use Windows, Linux, or Mac. That's quite some progress since in the past, the most used utility for VMware vSphere was a Windows C++ client, now discontinued.

Use vSphere Host Client (no vCenter server available) ^

In this scenario, we just have a single ESXi host (ESXi 6.7), not managed by vCenter Server. We will look at how to open a port in a second. But before that, I'd like to point out that even if ESXi itself has a free version you can administer this way, it does not allow you to use backup software that can take advantage of VMware changed block tracking (CBT) and do incremental backups.

Note: You don't necessarily need to deploy vCenter Server, but you will need to assign a paid CPU license to the ESXi host to unlock the application programming interface (API).

This is because ESXi has a limited set of API features that won't work with third-party backup software. Other limits of free ESXi are you can only have two physical CPU sockets and can only create eight virtual CPU (vCPU) virtual machines (VMs).

But let's get back to our principal mission to show you how to access the firewall settings and open a closed firewall port.

Connect to your ESXi host via vSphere Host Client (HTML5) by going to this URL:

https://ip_of_esxi/UI

After connecting to your ESXi host, go to Networking > Firewall Rules. You'll see that the VMware Host Client displays a list of active incoming and outgoing connections with the corresponding firewall ports.

Enable a firewall rule in ESXi Host Client

Enable a firewall rule in ESXi Host Client

Note: When the rule is grayed out, it is disabled (thus, you can enable it) and vice versa.

For some services, you can manage service details. Right-click a service and select an option from the pop-up menu.

vSphere Web Client (with vCenter) ^

First you'll need to connect to your vCenter Server via the vSphere Web Client. Go to Hosts and clusters, select Host, and go to Configure > Firewall.

Then select the firewall rule you want to change and click Edit.

How to open or block firewall ports on a VMware ESXi 6.7 host

How to open or block firewall ports on a VMware ESXi 6.7 host

In my example, I'll show you how I configured my firewall rule for NFS access only from a single IP, denying all other IPs. Here is a view of the rule when you click it. As you can see, I unchecked Allow connections from any IP address and entered a single IP that can access my ESXi host.

Allow connections only from a single IP

Allow connections only from a single IP

For some firewall rules, when you open the port, you also need to start the service. For example, after opening a firewall rule for the SNMP port, you'll need to go to the Services page and start and configure the service.

Start the SNMP service

Start the SNMP service

As you can see, both the ESXi Host Client and vSphere Web Client allow you to open and close firewall ports. But you can only manage predefined ports. Can we create custom firewall ports? The answer is yes; however, you'll need to use the VMware command-line interface (CLI) for the job, and I'm not sure that's a supported scenario.

While ESXi 5.x supported this scenario, I haven't found a VMware knowledge base (KB) article detailing the steps for ESXi 6.x. So it's up to you. I'll give you the URL for the VMware KB called Creating custom firewall rules in VMware ESXi 5.x.

Via a Secure Shell (SSH) session using the PuTTY client, for example, you can check the open ports with this command:

Final words ^

To some extent, VMware locked out access to custom rules, but there are many predefined ones. Why not try out the predefined ones before going and creating custom ones?

Another gotcha you might encounter is the fact you must configure these custom rules a certain way so they persist across reboots.

You'll need to be familiar with the vi Linux editor because you'll need to modify and create XML files—so it's not that easy of a task. I'm not saying it's not possible, but when it comes to support, I'm not sure VMware still supports it.

Are you an IT pro? Apply for membership!

Your question was not answered? Ask in the forum!

1+

Users who have LIKED this post:

  • avatar
Share
1 Comment
  1. Siva 2 weeks ago

    it worked.. thanks..

    0

    Reply

Leave a reply

Your email address will not be published. Required fields are marked *

*

Follow 4sysops

Twitter Facebook Linkedin RSS

Subscribe to post notfications

Leaderboards

Member Leaderboard – Month

Member Leaderboard – Year

Author Leaderboard – 30 Days

Author Leaderboard – Year

Site Wide Activities [RSS]

Viewing 1 - 10 of 10 items

  • TomH commented on Convert Windows Server 2019 Evaluation to the retail edition 27 minutes ago

    Thanks for the reply. I'm reading of folks unable to do the in-place upgrade. And I've seen multiple examples of that, where they tried to do it, and it did not give them the option. Since I'm on, effectively, a trial copy of 2012R2, I think I fall into that category, where it will not allow me to upgrade from eval to eval.

    The quote I get on one response was: You cannot in-place upgrade to a higher version of windows in any of these scenarios from licensed to evaluation, evaluation to licensed, evaluation to evaluation. That makes a kind of sense.

    Again, thanks for the response. Time to reboot my mind and take a different approach.

    Share
  • Profile picture of Vladan Seget

    Vladan Seget commented on Convert Windows Server 2019 Evaluation to the retail edition 1 hour, 21 minutes ago

    Good question, simply download an eval from Microsoft, and then apply the license number you've got when you bought the product.

    Share

  • TomH commented on Convert Windows Server 2019 Evaluation to the retail edition 1 hour, 49 minutes ago

    So if I want to do an in-place upgrade from 2012R2 to 2019, how do I download a copy of 2019 that does that? When I buy the 2019 license 16core, will that include the software or a link to download it?

    Share

  • murat commented on Group logo of PowerShell10 reasons for using PowerShell ISE instead of the PowerShell console 2 hours, 1 minute ago

    Guys does someone know why a module (PM1) works in ISE but not in the PS Console.

    Its a little script what I wrote to logon on 365 what write the credentials in the registry.

    Don't get error messages.

    Strange thing is that the same script works within the console when I save it as PS1.

    So not working as PM1 but as PS1 no problem. 

    Share

  • Alon Or commented on Group logo of PowerShellInstall fonts with a PowerShell script 2 hours, 2 minutes ago

    I use the following code to install Fonts on remote PCs, no need to logoff or reboot. Tested on 1909.

    #Computers to install fonts to
$ComputerArray = @("Pc1","Pc2","Pc3")
#A Share containing only the fonts you want to install
$FontDir="FileServerSharesHelpdeskSpecialFonts"
#Wil be created on remote Pc if not exists, fonts will be copied here and deleted after install.
$PcStagingDir="c:tools"

foreach ($pc in $ComputerArray) {
If((Test-Connection -ComputerName  $pc -Count  1 -ErrorAction SilentlyContinue) -and ($Winrmstatus=Test-WSMan -ComputerName $pc -ErrorAction SilentlyContinue)) {
$RemotePcStagingDir = "$pc$($PcStagingDir.replace(':','$'))"
$DisabledSvcs=@()
$ServiceName = @("WinRM")
foreach ($svc in $ServiceName) {
        $i=0
        while(((Get-Service -ComputerName $pc -Name $svc -ErrorAction SilentlyContinue).status -ne "Running")-and($i -lt 10)){
            if((Get-Service -ComputerName $pc -Name $svc -ErrorAction SilentlyContinue).StartType -eq "Disabled"){
            Write-Host "Try $i , Setting service $svc StartType to Manual on $pc ..."
            $DisabledSvcs+=$svc
            Set-Service -ComputerName $pc -Name $svc -StartupType Manual -ErrorAction SilentlyContinue}
        Write-Host "Try $i / 10 , Starting $svc Service on $pc ..."
        $commandz="sc "+$pc +" Start "+$svc
        & cmd.exe /c $commandz | Out-Null
        $i++
        sleep 3}
        if($i -ge 10){break}
    }
if($i -ge 10){Write-Host "Could NOT start service $svc, Skipping Computer $pc" -ForegroundColor Red}else{
if ( -not (Test-Path -Path $RemotePcStagingDir)){New-Item -Path $RemotePcStagingDir -ItemType Directory -Force}
$RemoteWinDir=Invoke-Command -ComputerName $pc -ScriptBlock {return $env:windir}
foreach($FontFile in (Get-ChildItem -file -path $FontDir)){
    if(-not(Test-Path "$pc$($RemoteWinDir.replace(':','$'))Fonts$FontFile")){
        Copy-Item "$FontDir$FontFile" -Destination $RemotePcStagingDir -Force
        Invoke-Command -ComputerName $pc -ScriptBlock {
       $filePath="$using:PcStagingDir$using:FontFile"
       $fontRegistryPath = "HKLM:SOFTWAREMicrosoftWindows NTCurrentVersionFonts"
       $fontsFolderPath = "$($env:windir)fonts"
    # Create hashtable containing valid font file extensions and text to append to Registry entry name.
    $hashFontFileTypes = @{}
    $hashFontFileTypes.Add(".fon", "")
    $hashFontFileTypes.Add(".fnt", "")
    $hashFontFileTypes.Add(".ttf", " (TrueType)")
    $hashFontFileTypes.Add(".ttc", " (TrueType)")
    $hashFontFileTypes.Add(".otf", " (OpenType)")
    try
    {
        [string]$filePath = (Get-Item $filePath).FullName
        [string]$fileDir  = split-path $filePath
        [string]$fileName = split-path $filePath -leaf
        [string]$fileExt = (Get-Item $filePath).extension
        [string]$fileBaseName = $fileName -replace($fileExt ,"")

        $shell = new-object -com shell.application
        $myFolder = $shell.Namespace($fileDir)
        $fileobj = $myFolder.Items().Item($fileName)
        $fontName = $myFolder.GetDetailsOf($fileobj,21)
        
        if ($fontName -eq "") { $fontName = $fileBaseName }

        copy-item $filePath -destination $fontsFolderPath

        $fontFinalPath = Join-Path $fontsFolderPath $fileName
        if (-not($hashFontFileTypes.ContainsKey($fileExt))){Write-Host "File Extension Unsupported";$retVal = 0}
        if ($retVal -eq 0) {
            Write-Host "Font `'$($filePath)`'`' installation failed on $env:computername" -ForegroundColor Red
            Write-Host ""
            1
        }
        
        else
        {
            Set-ItemProperty -path "$($fontRegistryPath)" -name "$($fontName)$($hashFontFileTypes.$fileExt)" -value "$($fileName)" -type STRING
            Write-Host "Font `'$($filePath)`' $fontName $($hashFontFileTypes.$fileExt) installed successfully on $env:computername" -ForegroundColor Green
        }

    }
    catch
    {
        Write-Host "An error occured installing `'$($filePath)`' on $env:computername" -ForegroundColor Red
        Write-Host "$($error[0].ToString())" -ForegroundColor Red
        $error.clear()
    }
    }
     }
     Remove-Item "$RemotePcStagingDir$FontFile" -ErrorAction SilentlyContinue
}
}
foreach($DisabledSvc in $DisabledSvcs){
    Write-Host "Setting service $DisabledSvc StartType to Disabled on $pc ..."
    Set-Service -ComputerName $pc -Name $DisabledSvc -StartupType Disabled -ErrorAction SilentlyContinue
    $commandz="sc "+$pc +" Stop "+$DisabledSvc
    & cmd.exe /c $commandz | Out-Null
}
}else{if($Winrmstatus){Write-Host "No Connection to Remote Pc $pc" -ForegroundColor Red}Else{Write-Host "No Connection to WinRM service on Remote Pc $pc" -ForegroundColor Red}}
}
    Share
  • Profile picture of tmack

    tmack liked Using PowerShell type accelerators. (So far, This post has 5 likes) 2 hours, 29 minutes ago

    Share
  • Profile picture of Swapnil Kambli

    Swapnil Kambli commented on Group logo of PowerShellManage Azure role-based access control with PowerShell 2 hours, 30 minutes ago

    here is an example for creating custom role

    $role = [Microsoft.Azure.Commands.Resources.Models.Authorization.PSRoleDefinition]::new()$role.Name = 'custom access role'$role.Description = 'custom role.'$role.IsCustom = $true$perms = 'Microsoft.Network/networkInterfaces/read','Microsoft.Compute/virtualMachines/read'$role.Actions = $perms$subs = '/subscriptions/hjhjhjhjhjhjhjhjh'$role.AssignableScopes = $subsNew-AzRoleDefinition -Role $role

    Share
  • Profile picture of Paolo Maffezzoli

    Paolo Maffezzoli replied to the topic Issue posting news in Community Forum 5 hours, 11 minutes ago

    From the last few days it takes more time than usual.

    Share
  • Profile picture of Michael Pietroforte

    Michael Pietroforte replied to the topic Issue posting news in Community Forum 5 hours, 48 minutes ago

    Since when do you experience this problem?

    Share
  • Profile picture of Paolo Maffezzoli

    Paolo Maffezzoli started the topic Issue posting news in Community Forum 5 hours, 56 minutes ago

    Just to inform that there is a really long delay when I click the Add News link.
    In certain case I don't have any page refresh and clicking again cause a double post.

    Share
© 4sysops 2006 - 2019

CONTACT US

Please ask IT administration questions in the forums. Any other messages are welcome.

Sending

Log in with your credentials

or    

Forgot your details?

Create Account