Access ESXi management interface from separate subnet

I have installed ESXi on a server. I was able to access the web interface to download the VMware Infrastructure client software from a computer on the same subnet. However, I have since tried to access the web interface, as well as accessing the server via the VMware Infrastructure client, across a VPN tunnel. I can ping the server, but can't access it via the other ways I just described. Does anyone know how to open up the permissions on the ESXi server to allow for access from another subnet?
techhd Asked:

bswinnerton Commented:
I believe it's ports 902 and 903 that the VI client uses. I suppose unblocking those could be a start.
0
bswinnerton Commented:
Here is a diagram courtesy of communities.vmware.com on what ports VMware ESX & ESXi use.

VI3.5-ports.jpg
0
bswinnerton Commented:
If it's not a firewall problem, try to get to the VI client (not using the VPN connection if you can). From there click the configuration tab and then make sure that everything is connected to the same vswitch. If you could post a screenshot of that (assuming the firewall ports don't work), that would be great.
0
bswinnerton Commented:
Sorry, in addition to the above post you need to go to configuration > networking.
0
65tdRetired Commented:
Was it pinged via IP or DNS name?
0
techhd Author Commented:
Thanks for the response.
Not only am I having the problem across the VPN tunnel, but I am also running on a Sonicwall TZ190 firewall with wireless. When on wireless I am also on a different subnet, so I can't access it from my laptop either. The firewall rules for both VPN and wireless LAN to LAN are wide open with no port restrictions.

In either case I can't access the HTTPS: port on the ESXi server.  Below is the text I am getting when trying to access the HTTPS port.
I have attached the screen shot of the configuration>network screen.

 I am pinging the IP address.




You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)

Technical Information (for support personnel)

    * Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
    * Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Limiting Access by IP Address, IP Address Access Restrictions, and About Custom Error Messages.




Thanks for your help.

config.jpg
0
techhd Author Commented:
A little bit more information. This is the error message I get when I try to access the HTTPS: port on the ESXi server.

You are not authorized to view this page
The Web server you are attempting to reach has a list of IP addresses that are not allowed to access the Web site, and the IP address of your browsing computer is on this list.

Please try the following:

    * Contact the Web site administrator if you believe you should be able to view this directory or page.

HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.
Internet Information Services (IIS)

Technical Information (for support personnel)

    * Go to Microsoft Product Support Services and perform a title search for the words HTTP and 403.
    * Open IIS Help, which is accessible in IIS Manager (inetmgr), and search for topics titled About Security, Limiting Access by IP Address, IP Address Access Restrictions, and About Custom Error Messages.


This appears to be a security setting on the ESXi box, that limits access to computers on the same subnet?
0
easyDK Commented:
I think that you probably have a wrong NAT/port forward setting somewhere on the net, as it seems that instead of an SSL connection to ESXi, you get to some, perhaps hosted, IIS server.
0
techhd Author Commented:
easyDk,
In both scenarios where I am trying to connect, the firewall is wide open for all ports, and the NAT policy is wide open, allowing all IPs to pass traffic without any translation. The firewall is clean of any custom controls.
In summary, there are no custom configurations in the firewall limiting IPs, ports, or translating any ports or IPs across the VPN tunnel or from the wireless LAN to the LAN. I am able to access the HTTPS: port on the IP address of the SBS running on the VM, which is 1 number off of the IP address of the ESXi.

This leads me to believe that since there aren't any custom rules limiting anything or translating anything, and I can access the HTTPS port on another IP of that same subnet, the issue is with the ESXi box. My theory is that the ESXi box has some access policies that limit access to IPs in the same subnet. Since there has been very little feedback on this issue, I wonder if this is by design only on the ESXi and not on ESX?

I appreciate your response and if you have any other thoughts, I am all ears.

Thanks.
0

prickly Commented:
http://communities.vmware.com/message/1154930;jsessionid=F2823FFD57D034EB69F7E4017CE05ED6

JeffDrury
Does the vSwitch that is connected to the different subnet have a service console or vmkernel with an assigned IP address? If so is it possible to reach that IP address from the different subnet? If not it may be a routing issue with the network.
-------------------------------------------

But like easyDK said, it looks like you are getting to an IIS server, not ESXi ... ESXi does not run IIS to host its web function.
0
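
Added example, not part of the original thread: a small Python check for the two diagnoses raised above. It tests TCP reachability of 443 and the VI client ports 902/903 mentioned in the thread, then records which web server and certificate actually answer on the management IP. The function names are hypothetical, and the sample response (including its Server header value) is constructed to resemble the 403.6 page quoted in the thread.

```python
import hashlib
import socket
import ssl

MGMT_PORTS = (443, 902, 903)  # HTTPS plus the VI client ports named in the thread

def probe_ports(host, ports=MGMT_PORTS, timeout=3.0):
    """Return {port: True/False} for a plain TCP connect to each port."""
    results = {}
    for port in ports:
        try:
            with socket.create_connection((host, port), timeout=timeout):
                results[port] = True
        except OSError:
            results[port] = False
    return results

def fingerprint_response(raw):
    """Parse a raw HTTP response and report who appears to have answered."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    server = headers.get("server", "")
    is_iis = "microsoft-iis" in server.lower() or b"Internet Information Services" in body
    return {"status": status, "server": server, "is_iis": is_iis}

def fetch_https(host, port=443, timeout=5.0):
    """Return (SHA-256 of the presented certificate, fingerprint_response result)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False       # management hosts often present self-signed certs,
    ctx.verify_mode = ssl.CERT_NONE  # so compare fingerprints instead of trusting the chain
    with socket.create_connection((host, port), timeout=timeout) as sock, \
            ctx.wrap_socket(sock, server_hostname=host) as tls:
        cert = hashlib.sha256(tls.getpeercert(binary_form=True)).hexdigest()
        tls.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
        raw = b""
        while chunk := tls.recv(4096):
            raw += chunk
    return cert, fingerprint_response(raw)

# Constructed sample modelled on the 403.6 page quoted in the thread.
SAMPLE_403 = (b"HTTP/1.1 403 Forbidden\r\nServer: Microsoft-IIS/6.0\r\n\r\n"
              b"HTTP Error 403.6 - Forbidden: IP address of the client has been rejected.\r\n"
              b"Internet Information Services (IIS)")
```

Run fetch_https against the management IP once from the local subnet and once across the VPN or wireless segment. If the certificate hash differs between the two, or is_iis is True from the remote side, a different host is answering on that path, which points at routing, NAT or an address conflict and not at an ESXi access policy.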
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.