Go Premium for a chance to win a PS4. Enter to Win

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1493
  • Last Modified:

vCenter remote management of ESXi / VMs

Our client plans to use existing vCenter at the HQ to
remotely manage the ESXi hosts / VMs at a remote
branch office over the WAN (leased circuits).

The physical ESXi hosts & those hosts storage are
located at the branch offices.

Q1:
what are the pre-requisites?  (in terms of WAN speed,
etc).  Do we need to trunk the VLANs over & must
the remote office be part of the HQ's Windows
domain?

Q2:
What Tcp/Udp ports need to be permitted from the
vCenter at HQ to the remote office's ESXi hosts IPs
& remote office's IPs?
0
sunhux
Asked:
sunhux
  • 4
  • 4
4 Solutions
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Q1. There is no requirement to be part of the HQ's Windows Domain, just use the correct userid and password, and domain name to login to vCenter.

What traffic is going over the WAN? if just ESXi Management traffic and console, you do not need to have a fast WAN. No need to stretch the VLANs, to have access to the ESXi Management network.

Q2. See here for a list of firewall ports

TCP and UDP Ports required to access vCenter Server, ESXi/ESX hosts, and other network components (1012382)
0
 
sunhuxAuthor Commented:
There's quite a bit of rules there.  I've extracted & attached what
I think is relevant (ie ESXi 5.x).  Those items in red text are what
I think is involved. Can let know by editing the attached MS Doc
& attach back the updated copy.

If I have VIC client installed on one of the remote office's server,
what's the ports required for this VIC to connect to the vCenter?
vCenteremote-firewallports.doc
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
I've attached and highlighted in yellow, AD and SQL/Oracle only needed if your vCenter Server are remote to SQL and Oracle DB servers, and AD.vCenteremote-firewallports.doc

The important ports are:-

vSphere Client ---> vCenter Server

Port TCP 902
Port TCP 443
Port TCP 80
0
Threat Trends for MSPs to Watch

See the findings.
Despite its humble beginnings, phishing has come a long way since those first crudely constructed emails. Today, phishing sites can appear and disappear in the length of a coffee break, and it takes more than a little know-how to keep your clients secure.

 
sunhuxAuthor Commented:
So for my case, I should replace vSphere Clients with
all the ESXi hosts' Management IP addresses?

Should I also substitute all the VMs' IP addresses as
the vSphere clients' IP address ?
0
 
sunhuxAuthor Commented:
My vCenter is not running SQL Express but a full SQL,
so does this mean the vCenter is accessing a 'bundled'
SQL & thus does not need any firewall rules for SQL/Oracle?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
where is the SQL database in relation to vCenter Server, if on the same LAN, no firewall rules to change, as it's local.

You need to look at

For vCenter Server Management across WAN
vCenter Server to ESXi Server commuinications (both ways)

vSphere Client will connect to vCenter Server not across WAN!
0
 
sunhuxAuthor Commented:
A VCP colleague told me what's needed is just
Tcp Port 443 and 902 between vCenter and the ESXi hosts,
bidirectional.  Any comment on whether he's right?
0
 
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
if ESXi and vCenter are the only sources communicating - YES, these are the same ports as the vSphere Client uses.

443 (SSL)
902 (VNC like comminications to the VMs console)

So if you have a vCenter at HQ (and all comms are local to AD/SQL etc), the only thing going over the wire (WAN) is 443 TCP and 902 TCP to ESXi this is all that's needed.

depending on size of WAN, you may need to change a timeout variable, you will need to test, and if you find, it gets disconnected, you may need to change this value.
0

Featured Post

Cyber Threats to Small Businesses (Part 1)

This past May, Webroot surveyed more than 600 IT decision-makers at medium-sized companies to see how these small businesses perceived new threats facing their organizations.  Read what Webroot CISO, Gary Hayslip, has to say about the survey in part 1 of this 2-part blog series.

  • 4
  • 4
Tackle projects and never again get stuck behind a technical roadblock.
Join Now