• Status: Solved
  • Priority: Medium
  • Security: Public

Access ESXi management interface from separate subnet

I have installed ESXi on a server.  I was able to access the web interface to download the VMware Infrastructure Client software from a computer on the same subnet.  However, I have since tried to access the web interface, as well as the server via the VMware Infrastructure Client, across a VPN tunnel.  I can ping the server, but can't access it via the other ways I just described.  Does anyone know how to open up the permissions on the ESXi server to allow for access from another subnet?
techhd
 
bswinnerton Commented:
I believe it's ports 902 and 903 that the VI client uses.  I suppose unblocking those could be a start.
 
bswinnerton Commented:
Here is a diagram courtesy of communities.vmware.com on what ports VMware ESX & ESXi use.

VI3.5-ports.jpg
 
bswinnerton Commented:
If it's not a firewall problem, try to get to the vi client (not using the vpn connection if you can).  From there click the configuration tab and then make sure that everything is connected to the same vswitch.  If you could post a screenshot of that (assuming the firewall ports don't work), that would be great.
 
bswinnerton Commented:
Sorry, in addition to the above post you need to go to configuration > networking
 
65td Commented:
Was it pinged via IP or DNS name?
 
techhd (Author) Commented:
Thanks for the response.
Not only am I having the problem across the VPN tunnel, but I am also running on a SonicWall TZ190 firewall with wireless.  When on wireless I am also on a different subnet, so I can't access it from my laptop either.  The firewall rules for both VPN and wireless LAN to LAN are wide open with no port restrictions.

In either case I can't access the HTTPS: port on the ESXi server.  Below is the text I am getting when trying to access the HTTPS port.
I have attached the screen shot of the configuration>network screen.

 I am pinging the IP address.




You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)

Technical Information (for support personnel)

    * Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
    * Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Limiting Access by IP Address, IP Address Access Restrictions, and About Custom Error Messages.




Thanks for your help.

config.jpg
 
techhd (Author) Commented:
A little bit more information.  This is the error message I get when I try to access the HTTPS: port on the ESXi server.  

You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)

Technical Information (for support personnel)

    * Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
    * Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Limiting Access by IP Address, IP Address Access Restrictions, and About Custom Error Messages.


This appears to be a security setting on the ESXi box, that limits access to computers on the same subnet?
 
easyDK Commented:
I think that you probably have a wrong NAT/port-forward setting somewhere on the net, as it seems that instead of an SSL connection to ESXi, you get to some, perhaps hosted, IIS server.
 
techhd (Author) Commented:
easyDk,
In both scenarios where I am trying to connect, the firewall is wide open for all ports, and the NAT policy is wide open, allowing all IPs to pass traffic without any translation.  The firewall is clean of any custom controls.
In summary, there are no custom configurations in the firewall limiting IPs or ports, or translating any ports or IPs across the VPN tunnel or from the wireless LAN to the LAN.  I am able to access the HTTPS: port on the IP address of the SBS running on the VM, that is 1 number off of the IP address of the ESXi.  

This leads me to believe that, since there aren't any custom rules limiting or translating anything and I can access the HTTPS port on another IP of that same subnet, the issue is with the ESXi box.  My theory is that the ESXi box has some access policies that limit access to IPs in the same subnet.  Since there has been very little feedback on this issue, I wonder if this is by design only on the ESXi and not on ESX?

I appreciate your response and if you have any other thoughts, I am all ears.

Thanks.
 
prickly Commented:
http://communities.vmware.com/message/1154930;jsessionid=F2823FFD57D034EB69F7E4017CE05ED6

JeffDrury
Does the vSwitch that is connected to the different subnet have a service console or vmkernel with an assigned IP address? If so is it possible to reach that IP address from the different subnet? If not it may be a routing issue with the network.
-------------------------------------------

But like easyDK said, it looks like you are getting to an IIS server, not ESXi ... ESXi does not run IIS to host its web function.
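
The observation made by easyDK and prickly, that the 403.6 page is produced by an IIS server and not by ESXi, can be checked mechanically from the response itself. The following is an added example, not part of the original thread; the function names and the sample response are constructed for illustration.

```python
import re, socket, ssl

# Dotted sub-status codes (403.6 = client IP rejected) are specific to IIS error pages.
IIS_SUBSTATUS = re.compile(r"HTTP Error (\d{3})\.(\d+)")

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status_code, headers, body_text)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        raise ValueError("not an HTTP response: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return int(parts[1]), headers, body.decode("utf-8", "replace")

def identify_responder(raw: bytes) -> dict:
    """Collect evidence that the answering web server is IIS rather than the intended host."""
    status, headers, body = parse_response(raw)
    evidence = []
    server = headers.get("server", "")
    if server.lower().startswith("microsoft-iis"):
        evidence.append("Server header: " + server)
    if "Internet Information Services" in body:
        evidence.append("IIS error-page footer")
    m = IIS_SUBSTATUS.search(body)
    if m and int(m.group(1)) == status:
        evidence.append("IIS sub-status %s.%s" % m.groups())
    return {"status": status, "is_iis": bool(evidence), "evidence": evidence}

def fetch_raw(host: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """GET / over TLS. Certificate checks are off: this only fingerprints who answers."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            while data := tls.recv(4096):
                chunks.append(data)
    return b"".join(chunks)

# Constructed sample: the error text quoted in the thread, with no Server header.
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\nContent-Type: text/html\r\n\r\n"
              b"HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.\n"
              b"Internet Information Services (IIS)\n")
```

Running `identify_responder(fetch_raw(address))` from both the local subnet and the remote one shows whether the same server answers in each case; if only the remote path reports IIS, the traffic is being redirected before it reaches the ESXi host.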