Solved

vCenter remote management of ESXi / VMs

Posted on 2013-05-25
Last Modified: 2013-06-01
Our client plans to use existing vCenter at the HQ to
remotely manage the ESXi hosts / VMs at a remote
branch office over the WAN (leased circuits).

The physical ESXi hosts & those hosts' storage are
located at the branch offices.

Q1:
What are the prerequisites?  (in terms of WAN speed,
etc).  Do we need to trunk the VLANs over & must
the remote office be part of the HQ's Windows
domain?

Q2:
What TCP/UDP ports need to be permitted from the
vCenter at HQ to the remote office's ESXi hosts' IPs
& remote office's IPs?
Question by:sunhux
8 Comments
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 490 total points
ID: 39196820
Q1. There is no requirement to be part of the HQ's Windows Domain; just use the correct userid, password and domain name to log in to vCenter.

What traffic is going over the WAN? If it is just ESXi Management traffic and console, you do not need to have a fast WAN. There is no need to stretch the VLANs to have access to the ESXi Management network.

Q2. See here for a list of firewall ports

TCP and UDP Ports required to access vCenter Server, ESXi/ESX hosts, and other network components (1012382)
0
 

Author Comment

by:sunhux
ID: 39197402
There are quite a few rules there.  I've extracted & attached what
I think is relevant (i.e. ESXi 5.x).  Those items in red text are what
I think is involved. Can you let me know by editing the attached MS Doc
& attaching back the updated copy?

If I have the VIC client installed on one of the remote office's servers,
what are the ports required for this VIC to connect to the vCenter?
vCenteremote-firewallports.doc
0
 
LVL 120

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 490 total points
ID: 39197520
I've attached and highlighted in yellow; AD and SQL/Oracle are only needed if your vCenter Server is remote to the SQL and Oracle DB servers, and AD.
vCenteremote-firewallports.doc

The important ports are:-

vSphere Client ---> vCenter Server

Port TCP 902
Port TCP 443
Port TCP 80
0

 

Author Comment

by:sunhux
ID: 39197586
So for my case, I should replace vSphere Clients with
all the ESXi hosts' Management IP addresses?

Should I also substitute all the VMs' IP addresses as
the vSphere clients' IP address ?
0
 

Author Comment

by:sunhux
ID: 39197588
My vCenter is not running SQL Express but a full SQL,
so does this mean the vCenter is accessing a 'bundled'
SQL & thus does not need any firewall rules for SQL/Oracle?
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 490 total points
ID: 39197590
Where is the SQL database in relation to vCenter Server? If it is on the same LAN, there are no firewall rules to change, as it's local.

You need to look at

For vCenter Server Management across WAN
vCenter Server to ESXi Server communications (both ways)

vSphere Client will connect to vCenter Server, not across the WAN!
0
 

Author Comment

by:sunhux
ID: 39199327
A VCP colleague told me what's needed is just
TCP ports 443 and 902 between vCenter and the ESXi hosts,
bidirectional.  Any comment on whether he's right?
0
 
LVL 120

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 490 total points
ID: 39199673
If ESXi and vCenter are the only sources communicating - YES, these are the same ports as the vSphere Client uses.

443 (SSL)
902 (VNC like communications to the VMs console)

So if you have a vCenter at HQ (and all comms are local to AD/SQL etc), the only thing going over the wire (WAN) is 443 TCP and 902 TCP to ESXi; this is all that's needed.

Depending on the size of the WAN, you may need to change a timeout variable. You will need to test, and if you find it gets disconnected, you may need to change this value.
0
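
Added example, not part of any post in this thread: a small Python audit that checks a WAN permit list against the conclusion above (TCP 443 and 902 between vCenter and each ESXi management IP, both ways) and flags rules wider than that. The rule tuple format, the `"any"` wildcard, the function names and the RFC 5737 addresses are assumptions made for illustration.

```python
import ipaddress
from itertools import product

REQUIRED_TCP_PORTS = (443, 902)  # ports the thread settles on for vCenter <-> ESXi

def required_flows(vcenter, esxi_hosts):
    """Every (src, dst, proto, port) flow needed, in both directions."""
    flows = set()
    for host, port in product(esxi_hosts, REQUIRED_TCP_PORTS):
        flows.add((vcenter, host, "tcp", port))
        flows.add((host, vcenter, "tcp", port))
    return flows

def covers(rule, flow):
    """True if a permit rule (src_cidr, dst_cidr, proto, port) allows the flow."""
    r_src, r_dst, r_proto, r_port = rule
    src, dst, proto, port = flow
    return (ipaddress.ip_address(src) in ipaddress.ip_network(r_src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(r_dst)
            and r_proto in (proto, "any")
            and r_port in (port, "any"))

def is_tight(rule, flows):
    """True if the rule permits exactly one required flow and nothing else."""
    r_src, r_dst, r_proto, r_port = rule
    src_net, dst_net = ipaddress.ip_network(r_src), ipaddress.ip_network(r_dst)
    if src_net.num_addresses != 1 or dst_net.num_addresses != 1:
        return False
    flow = (str(src_net.network_address), str(dst_net.network_address), r_proto, r_port)
    return flow in flows

def audit(rules, vcenter, esxi_hosts):
    """Return (missing_flows, over_broad_rules) for a WAN permit list."""
    flows = required_flows(vcenter, esxi_hosts)
    missing = sorted(f for f in flows if not any(covers(r, f) for r in rules))
    broad = [r for r in rules if not is_tight(r, flows)]
    return missing, broad

# Constructed sample data (RFC 5737 documentation addresses, not from the thread).
VCENTER = "192.0.2.10"
ESXI = ["198.51.100.21", "198.51.100.22"]
RULES = [
    ("192.0.2.10/32", "198.51.100.21/32", "tcp", 443),
    ("192.0.2.10/32", "198.51.100.21/32", "tcp", 902),
    ("198.51.100.21/32", "192.0.2.10/32", "tcp", 443),
    ("198.51.100.21/32", "192.0.2.10/32", "tcp", 902),
    ("192.0.2.0/24", "198.51.100.0/24", "any", "any"),  # over-broad HQ -> branch
]
```

Calling `audit(RULES, VCENTER, ESXI)` on the sample reports the second host's return path to vCenter as missing and the subnet-wide any/any rule as the one to narrow.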


Question has a verified solution.
