ESXi Firewall Blocks Remote Connections


I am trying to setup a backup ESXi 5.1/5.5 server at a DR location. I'm finding that ESXi brought back the firewall in version 5 and I am having trouble connecting to the server as a result from any network on a different subnet.

Is it possible to completely disable the firewall? If not how can I configure it to work with remote hosts? On the configuration tab if I go to the security profile option under software and click properties it says "allowed IP addresses: All" for all options.

So I have no clue why it doesn't work. How can I simply disable the firewall or if I can't disable the firewall how can I allow remote management?
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
The firewall is present, but it's limited as to what it can do, and is mostly open!

What are you trying to do?

Access the Management Interface is available by default on

443 TCP
902 TCP
80 TCP
22 TCP (of enabled)

Can you access these ports from your remote location, because by default they are not denied!

see here

What version are you 5.0, 5.1 or 5.5 ?
Are you sure it's not a routing issue on your side?

I can't recall ever having to disable or modify the ESXi firewall in order to access the server from a different network.
Pawel_KowalskiAuthor Commented:
Thanks. This makes no sense then, and I have a hard time believing that this is my router as all other ports work fine on it but I can try a different router once I get back to the DR site.

When I try to connect to the ESXi server at the DR site I can do so using the vSphere client and SSH without any issues. However, if I try to do the same remotely (over WAN using port forwarding) it does not work. I know the port forwarding is setup correctly and like I said I'm pretty sure the router is okay, so I'm thinking ESXi is to blame here.

The version at the DR site is ESXi 5.1 using the custom image Dell provides for their server.
Powerful Yet Easy-to-Use Network Monitoring

Identify excessive bandwidth utilization or unexpected application traffic with SolarWinds Bandwidth Analyzer Pack.

If your able to connect to the server when you are at the DR site then as you are aware, that means those ports are open.

I would be looking into networking issues and not necessarily a firewall issue.

Have you tried connecting from some other location other than the one you have currently been trying?

Have you checked firewall logs to verify traffic is making it to the firewall and getting forwarded?

Also, VPN might be a better choice here if you can rather than opening up a ESXi server to the world with port forwards.
Pawel_KowalskiAuthor Commented:
The above message was for Andrew. @themightydude, I won't rule out the router having issues and will test that later when I have access to the DR site. But what's odd is every other port (including port 443, 22) work perfectly fine for other machines, it's only when I switch the rule to go to the ESXi host that it completely stops working. That's why I'm thinking the firewall on the ESXi server could be causing this.

Is there a log somewhere if I login through SSH to see what connections the firewall has dropped?
You could try disabling the firewall and that will let us know for sure if it's a vmware firewall issue.

Should be able to do that from SSH with the following command:
esxcli network firewall set --enabled false
Pawel_KowalskiAuthor Commented:
I ran the command, it doesn't give me any confirmation that it executed without issues. I rebooted the server after I ran it, went to the security profile settings and nothing on there has changed either.

Obviously I am still having the same issues. Anyway to tell that the firewall is actually disabled?

This is the command I ran:

~ # esxcli network firewall set --enabled false
~ #

Open in new window

Rebooting the server may have re-enabled it. I can't remember 100%, but I think that service will come back up after a restart.

This command will show you status of the firewall
esxcli network firewall get

Enabled will either be true or false.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
do not mess with the firewall, and drop the use of vSphere Client...

simple test

can you use

test1: confirm locally

test2: confirm from DR site (remote)

telnet <ip address of ESXi server > 443

telnet <ip address of ESXi server > 80

telnet <ip address of ESXi server > 902

you should get connections....

if not your firewall, router config, port forward is wrong!

is this NAT?

just open not use NATTed rules!
Pawel_KowalskiAuthor Commented:
@thedude, here is the firewall setting:

~ # esxcli network firewall get
   Default Action: PASS
   Enabled: false
   Loaded: true

Just so both of you know the default action was to Drop, not Pass. I changed it to Pass (didn't fix my issue).

Is the fact it's loaded mean that it's still on?

Andrew, here are the results from the tests:


I can connect to SSH locally without issues using (local IP)
Telnet to port 80, 443, and 902 works (80/443 take a fairly long time, especially port 443 but it eventually opens. 902 loads instantly)

When I say "works" I'm using the telnet client built in to windows, port 80 and 443 gives me back a message saying "press any key to continue..." while port 902 gives me a 220 message about authentication. A port that's not working at all would simply return a error message so I assume it is connecting on 80/443.

From the remote site all of the above tests fail (using the remote IP, aka I have tried port forwarding, adding the host to a DMZ, etc. The DR site has a very basic SOHO router from Netgear. I am using port forwarding rules, not sure how that translates in how the router sets things up but like I said these ports work fine when pointed to other servers, just not the ESXi host.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
So all ports are open and ESXi.

Network, Firewall, NAT or router issue.

a standard https://<IP Address> should give you a web page...on the ESXi server.

the block is not happening on ESXi.

Are they open on the ESXi site, not the server, but inbound on the router...

is this a public IP Address ?

or is it NATTED?

e.g. public IP > NATTED internal IP ?
Pawel_KowalskiAuthor Commented:
It is a public IP from my ISP (the 52.x.x.x example). The local IP for the ESXi server once it is on the local side of the gateway is .  Nothing works when I am trying to connect remotely, if I VPN in or remote desktop in it works fine.

I just tested another office to make sure I wasn't crazy. It's virtually an identical setup to the DR site right now, only difference is instead of a cheap $50 netgear router we use the built-in router that came with Comcast's modem (the other site didn't have a router built in, just a gateway). I setup port forwarding for port 902 to that site's ESXi server, tried to go in remotely on port 902 (using telnet) and it worked like a charm. I can't try the other ports as unfortunately this is a production environment.

So instead of spinning the wheels and not getting anywhere I can try to bypass the router I have at the DR site completely and see if that will work. I can literally hook up the ESXi server to my Comcast gateway and use my mobile network to see if the default vSphere page loads. If it does it's clearly a router issue, if it doesn't it's clearly an ESXi issue.

Is that fair as far as troubleshooting goes?
Why not just setup a site to site VPN?
I honestly think the issue is your trying to NAT/Port forward these services across a home netgear router. In my personal opinion and granted this is just mine, someone else may have a different idea.

Get a router mean more for small businesses and setup a Site to Site VPN between your protected site and your DR site.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Port foward

OUTBOUND 52.x.x.x TCP 22 >> INBOUND IP Address TCP 22
Pawel_KowalskiAuthor Commented:
The router could be the case and Andrew that is how it's setup (although I don't get the option of setting inbound/outbound on my router, just the port and local IP).

So port 22 is forwarded to For some reason that doesn't work, even though all other port forward options I have setup work fine including ports 80 and 443 to other servers using this exact router. So what I'll do tonight is the test I mentioned above, I'll disconnect my router, connect the ESXi host directly to the Comcast router, allow it to get a WAN IP from the gateway by disabling DHCP (so it's IP will be something like 52.x.x.x).

Once that is online I'll pull up my laptop, use my cellphone as a hotspot, and try to connect that way. If that doesn't work do I need to do any more tests with another gateway (I can drag the server with me to the office tomorrow)? However, I would think if it doesn't work at the gateway level it must be the server, not anything on Comcast's side.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Do you have any other TCP listening device with TCP 22, 80, 443, 902 you could use as a test..... (not ESXi)

We normally just do a simple Open Port or Port Forward, and direct to internal IP
Michael MachieFull-time technical multi-taskerCommented:
I had never once thought about doing this honestly until I saw this question, at which time I set it up.
My firewall on ESXi 5.1 is enabled, and it allows all IPs to talk to it under the 'Configuration-Security Profile-Firewall-Properties-Firewall Settings- <Firewall button>'. Under the Security Profile Remote Access section, I saw port 443 for vSphere client was enabled so used that port. Voila! Worked perfectly and will now be my #1 choice for accessing the Host instead of RDP'ing to my vCenter and running it there.

However, I did play around with it and noticed that port 22 failed and so did 80. I identified that I already had a forward for port 80 on my firewall, so I couldn't use that port - only one port forward rule allowed for each port - but when I pointed port 80 to my Host it still failed.

I am pretty sure you will need to use one of the specified ports in ESXi for vShpere, which are 902 and 443. Set a forward on your remote location's firewall to forward port 443 to your internal IP of your Host.  I got mine to work first try without issue by using port 443 and specifying the (PublicIP):443 in vSphere under the 'IP Address/ Name' section.

My ESXi installation was a default one too.. I didn't need to change the firewall at all.
Pawel_KowalskiAuthor Commented:
Machienet, that's exactly what I did. The problem is that for some reason ESXi will only accept requests from the local network, not ones coming from the internet (at least the assumption is it's ESXi). Not to get too side tracked but some advice, your router/firewall will often have the ability to redirect external ports to different internal ports. So in your case of port 80 being used up you could use port 81 on the external side and attach it to port 80 on the internal server.

Andrew, the router isn't good enough to tell me what connections I have open. Or did  you mean on the ESXi side? If on the ESXi side should I simply do a TCPDump?

Edit: Andrew, please forgive me, I misunderstood the question. Yes, I have basic servers that use port 80 and 443, some of them run under the ESXi host that is having issues others are on physical hardware. And even the ones that are under the ESXi host worked fine. But I'll double check again tonight just to be sure. Port 902 not really, but I can maybe configure a Pi to listen on that port for telnet traffic?
Michael MachieFull-time technical multi-taskerCommented:
I believe it to be related to your router firewall and not ESXi honestly. If the port was blocked on ESXi then all local connections would fail as well.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.