ESXi Firewall Blocks Remote Connections

Posted on 2014-12-01
Medium Priority
Last Modified: 2015-01-07

I am trying to set up a backup ESXi 5.1/5.5 server at a DR location. I'm finding that ESXi brought back the firewall in version 5, and I am having trouble connecting to the server as a result from any network on a different subnet.

Is it possible to completely disable the firewall? If not, how can I configure it to work with remote hosts? On the Configuration tab, if I go to the Security Profile option under Software and click Properties, it says "Allowed IP addresses: All" for all options.

So I have no clue why it doesn't work. How can I simply disable the firewall, or, if I can't disable the firewall, how can I allow remote management?
Question by:Pawel_Kowalski
LVL 123
ID: 40474454
The firewall is present, but it's limited as to what it can do, and is mostly open!

What are you trying to do?

Access to the management interface is available by default on

443 TCP
902 TCP
80 TCP
22 TCP (if enabled)

Can you access these ports from your remote location? By default they are not denied!

see here

What version are you, 5.0, 5.1 or 5.5?

Expert Comment

ID: 40474456
Are you sure it's not a routing issue on your side?

I can't recall ever having to disable or modify the ESXi firewall in order to access the server from a different network.

Author Comment

ID: 40474471
Thanks. This makes no sense then, and I have a hard time believing that this is my router, as all other ports work fine on it, but I can try a different router once I get back to the DR site.

When I try to connect to the ESXi server at the DR site I can do so using the vSphere client and SSH without any issues. However, if I try to do the same remotely (over WAN using port forwarding) it does not work. I know the port forwarding is set up correctly and, like I said, I'm pretty sure the router is okay, so I'm thinking ESXi is to blame here.

The version at the DR site is ESXi 5.1 using the custom image Dell provides for their server.

Expert Comment

ID: 40474482
If you're able to connect to the server when you are at the DR site then, as you are aware, that means those ports are open.

I would be looking into networking issues and not necessarily a firewall issue.

Have you tried connecting from some other location than the one you have currently been trying from?

Have you checked firewall logs to verify traffic is making it to the firewall and getting forwarded?

Also, a VPN might be a better choice here if you can, rather than opening up an ESXi server to the world with port forwards.

Author Comment

ID: 40474488
The above message was for Andrew. @themightydude, I won't rule out the router having issues and will test that later when I have access to the DR site. But what's odd is that every other port (including ports 443 and 22) works perfectly fine for other machines; it's only when I switch the rule to go to the ESXi host that it completely stops working. That's why I'm thinking the firewall on the ESXi server could be causing this.

Is there a log somewhere, if I log in through SSH, to see what connections the firewall has dropped?

Expert Comment

ID: 40474506
You could try disabling the firewall and that will let us know for sure if it's a vmware firewall issue.

Should be able to do that from SSH with the following command:
esxcli network firewall set --enabled false

Author Comment

ID: 40474544
I ran the command; it doesn't give me any confirmation that it executed without issues. I rebooted the server after I ran it, went to the security profile settings, and nothing on there has changed either.

Obviously I am still having the same issues. Is there any way to tell that the firewall is actually disabled?

This is the command I ran:

~ # esxcli network firewall set --enabled false
~ #


Expert Comment

ID: 40474553
Rebooting the server may have re-enabled it. I can't remember 100%, but I think that service will come back up after a restart.

This command will show you the status of the firewall:
esxcli network firewall get

Enabled will be either true or false.
LVL 123
ID: 40474559
do not mess with the firewall, and drop the use of vSphere Client...

simple test

can you use

test1: confirm locally

test2: confirm from DR site (remote)

telnet <ip address of ESXi server> 443

telnet <ip address of ESXi server> 80

telnet <ip address of ESXi server> 902

you should get connections....

if not, your firewall, router config or port forward is wrong!

is this NAT?

just open ports.....do not use NATTed rules!

Author Comment

ID: 40474610
@thedude, here is the firewall setting:

~ # esxcli network firewall get
   Default Action: PASS
   Enabled: false
   Loaded: true

Just so you both know, the default action was Drop, not Pass. I changed it to Pass (didn't fix my issue).

Does the fact that it's loaded mean that it's still on?

Andrew, here are the results from the tests:

I can connect to SSH locally without issues (using the local IP).
Telnet to ports 80, 443, and 902 works (80/443 take a fairly long time, especially port 443, but they eventually open. 902 loads instantly).

When I say "works" I'm using the telnet client built into Windows; ports 80 and 443 give me back a message saying "press any key to continue..." while port 902 gives me a 220 message about authentication. A port that's not working at all would simply return an error message, so I assume it is connecting on 80/443.

From the remote site all of the above tests fail (using the remote IP). I have tried port forwarding, adding the host to a DMZ, etc. The DR site has a very basic SOHO router from Netgear. I am using port forwarding rules; not sure how that translates into how the router sets things up, but like I said these ports work fine when pointed to other servers, just not the ESXi host.
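The local-versus-remote telnet tests above, as an added example that is not part of the thread: a small Python probe that does by script what the Windows telnet client does by hand, and labels each outcome so the two vantage points can be compared. It uses only the standard library; the listener and the "220" banner it sends are constructed stand-ins for the 902 daemon, not output captured from ESXi, and the verdict strings are this example's own wording.

```python
"""Added example: classify TCP reachability of the ESXi management ports
from one vantage point and compare LAN results against WAN results.

"refused" = a RST came back (something reachable answered, nothing listens),
"timeout" = the SYN was silently dropped on the path,
"open"    = the handshake completed (banner included if the service sends one,
            as the 902 daemon does with its "220 ..." line; 80/443 stay silent).
"""
import socket
import threading

# Ports the thread checks; 22 only matters if SSH is enabled on the host.
MGMT_PORTS = (22, 80, 443, 902)


def probe(host, port, timeout=5.0, banner_wait=1.0):
    """Attempt a TCP connect and return (state, banner)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
    except socket.timeout:
        sock.close()
        return ("timeout", "")
    except ConnectionRefusedError:
        sock.close()
        return ("refused", "")
    except OSError as exc:          # no route, name lookup failure, ...
        sock.close()
        return ("error", str(exc))

    # Connected. HTTP/HTTPS say nothing until the client speaks, so a short
    # wait that ends in a timeout still counts as "open" (empty banner).
    banner = ""
    try:
        sock.settimeout(banner_wait)
        banner = sock.recv(256).decode("ascii", "replace").strip()
    except (socket.timeout, OSError):
        pass
    finally:
        sock.close()
    return ("open", banner)


def diagnose(local, remote):
    """Compare {port: (state, banner)} maps from the LAN and from the WAN.

    Mirrors the thread's reasoning: a port that answers on the LAN is not
    being blocked by the host or its firewall, whatever the WAN result is.
    """
    verdicts = {}
    for port in sorted(set(local) | set(remote)):
        l_state = local.get(port, ("untested", ""))[0]
        r_state = remote.get(port, ("untested", ""))[0]
        if l_state != "open":
            verdicts[port] = "not answering on the LAN: check the service and the ESXi ruleset first"
        elif r_state == "open":
            verdicts[port] = "reachable from both sides"
        elif r_state == "timeout":
            verdicts[port] = "listens on the host but SYNs are dropped on the path: router/NAT/ISP, not ESXi"
        elif r_state == "refused":
            verdicts[port] = "listens on the host but the path answers RST: forward rule not matching the port"
        else:
            verdicts[port] = "host listens; remote result %s, retest from another vantage point" % r_state
    return verdicts


# --- constructed fixtures so the code can be exercised offline --------------

def start_banner_listener(banner=b"220 constructed test banner\r\n", count=1):
    """Stand-in for a banner-sending service like the 902 daemon (constructed)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        for _ in range(count):
            conn, _ = srv.accept()
            conn.sendall(banner)
            conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port


def unused_port():
    """Pick a loopback port with nothing listening, to exercise 'refused'."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


if __name__ == "__main__":
    import sys
    # usage: python probe.py <host>  (once on the LAN, once against the public IP)
    host = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for p in MGMT_PORTS:
        print(host, p, probe(host, p))
```

Run it once from inside the DR LAN against the host's private address and once from outside against the public address, then hand both result maps to diagnose(). A port that is open on the LAN and times out from the WAN is being dropped before it reaches the host, so the ESXi firewall cannot be the cause regardless of its Enabled flag. The ESXi shell can confirm this directly with tcpdump-uw (for example tcpdump-uw -i vmk0 port 443): if no SYN from the outside test shows up on the management vmkernel interface, the packets never arrived at the host.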
LVL 123
ID: 40474634
So all ports are open and listening....at ESXi.

Network, Firewall, NAT or router issue.

a standard https://<IP Address> should give you a web page...on the ESXi server.

the block is not happening on ESXi.

Are they open on the ESXi site, not the server, but inbound on the router...

is this a public IP Address ?

or is it NATTED?

e.g. public IP > NATTED internal IP ?

Author Comment

ID: 40474687
It is a public IP from my ISP (the 52.x.x.x example). The local IP for the ESXi server once it is on the local side of the gateway is . Nothing works when I am trying to connect remotely; if I VPN in or remote desktop in, it works fine.

I just tested another office to make sure I wasn't crazy. It's virtually an identical setup to the DR site right now; the only difference is that instead of a cheap $50 Netgear router we use the built-in router that came with Comcast's modem (the other site didn't have a router built in, just a gateway). I set up port forwarding for port 902 to that site's ESXi server, tried to go in remotely on port 902 (using telnet), and it worked like a charm. I can't try the other ports as unfortunately this is a production environment.

So instead of spinning the wheels and not getting anywhere I can try to bypass the router I have at the DR site completely and see if that will work. I can literally hook up the ESXi server to my Comcast gateway and use my mobile network to see if the default vSphere page loads. If it does, it's clearly a router issue; if it doesn't, it's clearly an ESXi issue.

Is that fair as far as troubleshooting goes?

Expert Comment

ID: 40474697
Why not just setup a site to site VPN?

Expert Comment

ID: 40474707
I honestly think the issue is that you're trying to NAT/port forward these services across a home Netgear router. This is just my personal opinion; someone else may have a different idea.

Get a router meant more for small businesses and set up a site-to-site VPN between your protected site and your DR site.
LVL 123
ID: 40474722
Port forward

OUTBOUND 52.x.x.x TCP 22 >> INBOUND IP Address TCP 22

Author Comment

ID: 40474788
The router could be the case, and Andrew, that is how it's set up (although I don't get the option of setting inbound/outbound on my router, just the port and local IP).

So port 22 is forwarded to . For some reason that doesn't work, even though all other port forward options I have set up work fine, including ports 80 and 443 to other servers using this exact router. So what I'll do tonight is the test I mentioned above: I'll disconnect my router, connect the ESXi host directly to the Comcast router, and allow it to get a WAN IP from the gateway by disabling DHCP (so its IP will be something like 52.x.x.x).

Once that is online I'll pull up my laptop, use my cellphone as a hotspot, and try to connect that way. If that doesn't work, do I need to do any more tests with another gateway (I can drag the server with me to the office tomorrow)? However, I would think that if it doesn't work at the gateway level it must be the server, not anything on Comcast's side.
LVL 123

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE^2)
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1000 total points
ID: 40474795
Do you have any other TCP listening device with TCP 22, 80, 443, 902 you could use as a test..... (not ESXi)?

We normally just do a simple Open Port or Port Forward, and direct to the internal IP.
LVL 13

Expert Comment

by:Michael Machie
ID: 40474858
I had never once thought about doing this honestly until I saw this question, at which time I set it up.
My firewall on ESXi 5.1 is enabled, and it allows all IPs to talk to it under 'Configuration - Security Profile - Firewall - Properties - Firewall Settings - <Firewall button>'. Under the Security Profile Remote Access section, I saw port 443 for the vSphere client was enabled, so I used that port. Voila! Worked perfectly and will now be my #1 choice for accessing the host instead of RDP'ing to my vCenter and running it there.

However, I did play around with it and noticed that port 22 failed and so did 80. I identified that I already had a forward for port 80 on my firewall, so I couldn't use that port (only one port forward rule is allowed for each port), but when I pointed port 80 to my host it still failed.

I am pretty sure you will need to use one of the specified ports in ESXi for vSphere, which are 902 and 443. Set a forward on your remote location's firewall to forward port 443 to the internal IP of your host. I got mine to work first try without issue by using port 443 and specifying (PublicIP):443 in vSphere under the 'IP Address / Name' section.

My ESXi installation was a default one too. I didn't need to change the firewall at all.

Author Comment

ID: 40474879
Machienet, that's exactly what I did. The problem is that for some reason ESXi will only accept requests from the local network, not ones coming from the internet (at least the assumption is that it's ESXi). Not to get too sidetracked, but some advice: your router/firewall will often have the ability to redirect external ports to different internal ports. So in your case of port 80 being used up, you could use port 81 on the external side and attach it to port 80 on the internal server.

Andrew, the router isn't good enough to tell me what connections I have open. Or did you mean on the ESXi side? If on the ESXi side, should I simply do a tcpdump?

Edit: Andrew, please forgive me, I misunderstood the question. Yes, I have basic servers that use ports 80 and 443; some of them run under the ESXi host that is having issues, others are on physical hardware. And even the ones that are under the ESXi host worked fine. But I'll double check again tonight just to be sure. Port 902 not really, but I can maybe configure a Pi to listen on that port for telnet traffic?
LVL 13

Accepted Solution

Michael Machie earned 1000 total points
ID: 40474960
I believe it to be related to your router firewall and not ESXi honestly. If the port was blocked on ESXi then all local connections would fail as well.
