By default, the VMware ESXi hypervisor opens only the ports it needs: the most basic management access to the hypervisor requires just a few firewall ports to be enabled on the hosts.
Contents of this article
- Use vSphere Host Client (no vCenter server available)
- vSphere Web Client (with vCenter)
- Final words
Whether the host is managed by vCenter Server or is a standalone ESXi host, you can manage its firewall through different tools and access paths. The vSphere Web Client and the VMware Host Client both allow you to open and close firewall ports for each service, or to allow traffic only from selected IP addresses.
If you have VMware vCenter Server in your environment, you’ll use the vSphere Web Client (HTML5). If you are running a standalone ESXi host only, you’ll use the ESXi Host Client for the job.
For both tools, you do not need to install any software on your management workstation or laptop, and you can use Windows, Linux, or Mac. That’s quite some progress, since in the past the most used utility for VMware vSphere was a Windows C++ client, now discontinued.
Use vSphere Host Client (no vCenter server available)
In this scenario, we have a single ESXi host (ESXi 6.7) that is not managed by vCenter Server. We will look at how to open a port in a second. But before that, I’d like to point out that although ESXi has a free version you can administer this way, the free version does not allow you to use backup software that takes advantage of VMware changed block tracking (CBT) to do incremental backups.
Note: You don’t necessarily need to deploy vCenter Server, but you will need to assign a paid CPU license to the ESXi host to unlock the application programming interface (API).
This is because free ESXi exposes only a limited set of API features, which won’t work with third-party backup software. Other limits of free ESXi are that the host can only have two physical CPU sockets and that each virtual machine (VM) can be given at most eight virtual CPUs (vCPUs).
But let’s get back to our principal mission to show you how to access the firewall settings and open a closed firewall port.
Connect to your ESXi host via vSphere Host Client (HTML5) by going to this URL:
After connecting to your ESXi host, go to Networking > Firewall Rules. You’ll see that the VMware Host Client displays a list of active incoming and outgoing connections with the corresponding firewall ports.
Note: When a rule is grayed out, it is disabled (so you can enable it), and vice versa.
For some services, you can manage service details. Right-click a service and select an option from the pop-up menu.
vSphere Web Client (with vCenter)
First, connect to your vCenter Server via the vSphere Web Client. Go to Hosts and Clusters, select the host, and go to Configure > Firewall.
Then select the firewall rule you want to change and click Edit.
In my example, I’ll show you how I configured my firewall rule for NFS access only from a single IP, denying all other IPs. Here is a view of the rule when you click it. As you can see, I unchecked Allow connections from any IP address and entered a single IP that can access my ESXi host.
For some firewall rules, when you open the port, you also need to start the service. For example, after opening a firewall rule for the SNMP port, you’ll need to go to the Services page and start and configure the service.
As you can see, both the ESXi Host Client and vSphere Web Client allow you to open and close firewall ports. But you can only manage predefined ports. Can we create custom firewall ports? The answer is yes; however, you’ll need to use the VMware command-line interface (CLI) for the job, and I’m not sure that’s a supported scenario.
While ESXi 5.x supported this scenario, I haven’t found a VMware knowledge base (KB) article detailing the steps for ESXi 6.x. So it’s up to you. I’ll give you the URL for the VMware KB called Creating custom firewall rules in VMware ESXi 5.x.
Via a Secure Shell (SSH) session (using the PuTTY client, for example), you can list the firewall rulesets and see which of them are enabled with this command:
esxcli network firewall ruleset list
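As an added example that is not part of the original article, here is a small POSIX shell audit that combines the ruleset list with the output of esxcli network firewall ruleset allowedip list and flags enabled rulesets that still accept traffic from any IP address, the kind of exposure the NFS example above reduces to a single address. The esxcli output embedded below is constructed sample data, and its column layout is assumed to match the real tables.

```shell
#!/bin/sh
# Added example, not from the article: audit ESXi firewall rulesets and flag
# enabled services that still accept connections from ANY source IP.
# On a real host, feed it live esxcli output instead of the samples below:
#   audit_open_rulesets "$(esxcli network firewall ruleset list)" \
#                       "$(esxcli network firewall ruleset allowedip list)"
# The CLI equivalent of the web-client NFS example (allow one IP only) is:
#   esxcli network firewall ruleset set --ruleset-id=nfsClient --allowed-all=false
#   esxcli network firewall ruleset allowedip add --ruleset-id=nfsClient --ip-address=192.168.10.5

# Constructed sample output, laid out like the esxcli tables (assumption).
RULESET_SAMPLE='Name                         Enabled
---------------------------  -------
sshServer                       true
sshClient                      false
nfsClient                       true
snmp                            true'

ALLOWEDIP_SAMPLE='Ruleset               Allowed IP Addresses
--------------------  --------------------
sshServer             All
sshClient             All
nfsClient             192.168.10.5
snmp                  All'

# Print the rulesets that are enabled AND still allow any source IP.
# $1 = output of "esxcli network firewall ruleset list"
# $2 = output of "esxcli network firewall ruleset allowedip list"
audit_open_rulesets() {
    # Skip the header and separator rows (NR > 2) of each table.
    enabled=$(printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }')
    open=$(printf '%s\n' "$2" | awk 'NR > 2 && $2 == "All" { print $1 }')
    for r in $enabled; do
        for o in $open; do
            if [ "$r" = "$o" ]; then printf '%s\n' "$r"; fi
        done
    done
}

# Print the rulesets already restricted to specific IPs, with their IP list.
# $1 = output of "esxcli network firewall ruleset allowedip list"
audit_restricted_rulesets() {
    printf '%s\n' "$1" |
        awk 'NR > 2 && $2 != "All" { name = $1; sub(/^[^ ]+ +/, ""); print name ": " $0 }'
}

audit_open_rulesets "$RULESET_SAMPLE" "$ALLOWEDIP_SAMPLE"
audit_restricted_rulesets "$ALLOWEDIP_SAMPLE"
```

With the sample data, the first call reports sshServer and snmp as enabled and open to any IP, while the second shows nfsClient restricted to 192.168.10.5.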
Final words
To some extent, VMware locked out access to custom rules, but there are many predefined ones. Why not try out the predefined ones before going and creating custom ones?
Another gotcha you might encounter is the fact you must configure these custom rules a certain way so they persist across reboots.
You’ll need to be familiar with the vi Linux editor because you’ll need to modify and create XML files—so it’s not that easy of a task. I’m not saying it’s not possible, but when it comes to support, I’m not sure VMware still supports it.