Solved

ESXi Firewall Blocks Remote Connections

Posted on 2014-12-01
20
450 Views
Last Modified: 2015-01-07
Hello,

I am trying to set up a backup ESXi 5.1/5.5 server at a DR location. I'm finding that ESXi brought back the firewall in version 5 and I am having trouble connecting to the server as a result from any network on a different subnet.

Is it possible to completely disable the firewall? If not how can I configure it to work with remote hosts? On the configuration tab if I go to the security profile option under software and click properties it says "allowed IP addresses: All" for all options.

So I have no clue why it doesn't work. How can I simply disable the firewall or if I can't disable the firewall how can I allow remote management?
0
Question by:Pawel_Kowalski
20 Comments
 
LVL 118
ID: 40474454
The firewall is present, but it's limited as to what it can do, and is mostly open!

What are you trying to do?

Access to the Management Interface is available by default on

443 TCP
902 TCP
80 TCP
22 TCP (if enabled)

Can you access these ports from your remote location, because by default they are not denied!

see here

http://buildvirtual.net/working-with-the-esxi-firewall/

What version are you 5.0, 5.1 or 5.5 ?
0
 
LVL 4

Expert Comment

by:themightydude
ID: 40474456
Are you sure it's not a routing issue on your side?

I can't recall ever having to disable or modify the ESXi firewall in order to access the server from a different network.
0
 

Author Comment

by:Pawel_Kowalski
ID: 40474471
Thanks. This makes no sense then, and I have a hard time believing that this is my router as all other ports work fine on it but I can try a different router once I get back to the DR site.

When I try to connect to the ESXi server at the DR site I can do so using the vSphere client and SSH without any issues. However, if I try to do the same remotely (over WAN using port forwarding) it does not work. I know the port forwarding is set up correctly and like I said I'm pretty sure the router is okay, so I'm thinking ESXi is to blame here.

The version at the DR site is ESXi 5.1 using the custom image Dell provides for their server.
0
 
LVL 4

Expert Comment

by:themightydude
ID: 40474482
If you're able to connect to the server when you are at the DR site then, as you are aware, that means those ports are open.

I would be looking into networking issues and not necessarily a firewall issue.

Have you tried connecting from some other location other than the one you have currently been trying?

Have you checked firewall logs to verify traffic is making it to the firewall and getting forwarded?

Also, VPN might be a better choice here if you can, rather than opening up an ESXi server to the world with port forwards.
0
 

Author Comment

by:Pawel_Kowalski
ID: 40474488
The above message was for Andrew. @themightydude, I won't rule out the router having issues and will test that later when I have access to the DR site. But what's odd is every other port (including port 443, 22) work perfectly fine for other machines, it's only when I switch the rule to go to the ESXi host that it completely stops working. That's why I'm thinking the firewall on the ESXi server could be causing this.

Is there a log somewhere if I login through SSH to see what connections the firewall has dropped?
0
 
LVL 4

Expert Comment

by:themightydude
ID: 40474506
You could try disabling the firewall and that will let us know for sure if it's a vmware firewall issue.

Should be able to do that from SSH with the following command:
esxcli network firewall set --enabled false
0
 

Author Comment

by:Pawel_Kowalski
ID: 40474544
I ran the command, it doesn't give me any confirmation that it executed without issues. I rebooted the server after I ran it, went to the security profile settings and nothing on there has changed either.

Obviously I am still having the same issues. Any way to tell that the firewall is actually disabled?

This is the command I ran:


~ # esxcli network firewall set --enabled false
~ #
0
 
LVL 4

Expert Comment

by:themightydude
ID: 40474553
Rebooting the server may have re-enabled it. I can't remember 100%, but I think that service will come back up after a restart.

This command will show you status of the firewall
esxcli network firewall get

Enabled will either be true or false.
0
 
LVL 118
ID: 40474559
do not mess with the firewall, and drop the use of vSphere Client...

simple test

can you use

test1: confirm locally

test2: confirm from DR site (remote)

telnet <ip address of ESXi server > 443

telnet <ip address of ESXi server > 80

telnet <ip address of ESXi server > 902

you should get connections....

if not, your firewall, router config or port forward is wrong!

is this NAT?

just open ports.....do not use NATTed rules!
0
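Andrew's telnet test above, written out as an added example (not code from the original thread): it probes the ESXi management ports from the LAN and via the forwarded public IP and reports, per port, whether the block is at the host or at the router/NAT. The host addresses are assumptions and the loopback demo is constructed so it runs offline.

```python
import socket
from typing import Dict, Iterable

# Management ports the thread lists for ESXi (22 only when SSH is enabled).
ESXI_MGMT_PORTS = (22, 80, 443, 902)


def tcp_connect(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within timeout (the thread's telnet test)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def probe_ports(host: str, ports: Iterable[int] = ESXI_MGMT_PORTS, timeout: float = 3.0) -> Dict[int, bool]:
    """Map each port to whether host accepted a connection, e.g. probe_ports("10.10.10.50")."""
    return {p: tcp_connect(host, p, timeout) for p in ports}


def diagnose(local: Dict[int, bool], remote: Dict[int, bool]) -> Dict[int, str]:
    """Compare LAN results with results via the forwarded public IP, port by port."""
    verdicts = {}
    for port, open_locally in local.items():
        if not open_locally:
            verdicts[port] = "host"        # not listening on the LAN either: service or ESXi firewall
        elif remote.get(port, False):
            verdicts[port] = "ok"          # forward works end to end
        else:
            verdicts[port] = "router/NAT"  # listens on the LAN, blocked on the way in
    return verdicts


def run_demo() -> Dict[int, str]:
    """Offline demonstration: a loopback listener stands in for the LAN-side ESXi port,
    and an unused loopback port stands in for the same port seen through a dead forward."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))  # ephemeral port, constructed stand-in for 443
    listener.listen(1)
    open_port = listener.getsockname()[1]
    try:
        local = probe_ports("127.0.0.1", [open_port], timeout=1.0)
        spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        spare.bind(("127.0.0.1", 0))
        closed_port = spare.getsockname()[1]
        spare.close()  # nothing listens here now, so the "remote" probe is refused
        remote = {open_port: tcp_connect("127.0.0.1", closed_port, timeout=1.0)}
    finally:
        listener.close()
    return diagnose(local, remote)


if __name__ == "__main__":
    print(run_demo())  # the thread's pattern: open on the LAN, unreachable via the WAN forward
```

Against real hosts, run probe_ports once from the DR LAN and once from outside against the public IP, then pass both results to diagnose.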
 

Author Comment

by:Pawel_Kowalski
ID: 40474610
@thedude, here is the firewall setting:


~ # esxcli network firewall get
   Default Action: PASS
   Enabled: false
   Loaded: true

Just so both of you know the default action was to Drop, not Pass. I changed it to Pass (didn't fix my issue).

Does the fact that it's loaded mean that it's still on?

Andrew, here are the results from the tests:

Locally:

I can connect to SSH locally without issues using 10.10.10.50 (local IP)
Telnet to port 80, 443, and 902 works (80/443 take a fairly long time, especially port 443 but it eventually opens. 902 loads instantly)

When I say "works" I'm using the telnet client built in to Windows; ports 80 and 443 give me back a message saying "press any key to continue..." while port 902 gives me a 220 message about authentication. A port that's not working at all would simply return an error message so I assume it is connecting on 80/443.

From the remote site all of the above tests fail (using the remote IP, aka 52.68.2.2). I have tried port forwarding, adding the host to a DMZ, etc. The DR site has a very basic SOHO router from Netgear. I am using port forwarding rules, not sure how that translates in how the router sets things up but like I said these ports work fine when pointed to other servers, just not the ESXi host.
0
 
LVL 118
ID: 40474634
So all ports are open and listening....at ESXi.

Network, Firewall, NAT or router issue.

a standard https://<IP Address> should give you a web page...on the ESXi server.

the block is not happening on ESXi.

Are they open on the ESXi site, not the server, but inbound on the router...

is this a public IP Address ?

or is it NATTED?

e.g. public IP > NATTED internal IP ?
0
 

Author Comment

by:Pawel_Kowalski
ID: 40474687
It is a public IP from my ISP (the 52.x.x.x example). The local IP for the ESXi server once it is on the local side of the gateway is 10.10.10.50. Nothing works when I am trying to connect remotely; if I VPN in or remote desktop in it works fine.

I just tested another office to make sure I wasn't crazy. It's virtually an identical setup to the DR site right now; the only difference is instead of a cheap $50 Netgear router we use the built-in router that came with Comcast's modem (the other site didn't have a router built in, just a gateway). I set up port forwarding for port 902 to that site's ESXi server, tried to go in remotely on port 902 (using telnet) and it worked like a charm. I can't try the other ports as unfortunately this is a production environment.

So instead of spinning the wheels and not getting anywhere I can try to bypass the router I have at the DR site completely and see if that will work. I can literally hook up the ESXi server to my Comcast gateway and use my mobile network to see if the default vSphere page loads. If it does it's clearly a router issue, if it doesn't it's clearly an ESXi issue.

Is that fair as far as troubleshooting goes?
0
 
LVL 4

Expert Comment

by:themightydude
ID: 40474697
Why not just set up a site to site VPN?
0
 
LVL 4

Expert Comment

by:themightydude
ID: 40474707
I honestly think the issue is you're trying to NAT/port forward these services across a home Netgear router. In my personal opinion, and granted this is just mine, someone else may have a different idea.

Get a router meant more for small businesses and set up a site to site VPN between your protected site and your DR site.
0
 
LVL 118
ID: 40474722
Port forward

OUTBOUND 52.x.x.x TCP 22 >> INBOUND IP 10.10.10.50 Address TCP 22
0
 

Author Comment

by:Pawel_Kowalski
ID: 40474788
The router could be the case and Andrew, that is how it's set up (although I don't get the option of setting inbound/outbound on my router, just the port and local IP).

So port 22 is forwarded to 10.10.10.50. For some reason that doesn't work, even though all other port forward options I have set up work fine, including ports 80 and 443 to other servers using this exact router. So what I'll do tonight is the test I mentioned above: I'll disconnect my router, connect the ESXi host directly to the Comcast router, and allow it to get a WAN IP from the gateway by disabling DHCP (so its IP will be something like 52.x.x.x).

Once that is online I'll pull up my laptop, use my cellphone as a hotspot, and try to connect that way. If that doesn't work do I need to do any more tests with another gateway (I can drag the server with me to the office tomorrow)? However, I would think if it doesn't work at the gateway level it must be the server, not anything on Comcast's side.
0
 
LVL 118

Assisted Solution

by:Andrew Hancock (VMware vExpert / EE MVE)
Andrew Hancock (VMware vExpert / EE MVE) earned 250 total points
ID: 40474795
Do you have any other TCP listening device with TCP 22, 80, 443, 902 you could use as a test..... (not ESXi)

We normally just do a simple Open Port or Port Forward, and direct to internal IP
0
 
LVL 13

Expert Comment

by:Michael Machie
ID: 40474858
I had never once thought about doing this honestly until I saw this question, at which time I set it up.
My firewall on ESXi 5.1 is enabled, and it allows all IPs to talk to it under 'Configuration-Security Profile-Firewall-Properties-Firewall Settings- <Firewall button>'. Under the Security Profile Remote Access section, I saw port 443 for vSphere client was enabled so I used that port. Voila! Worked perfectly and will now be my #1 choice for accessing the Host instead of RDP'ing to my vCenter and running it there.

However, I did play around with it and noticed that port 22 failed and so did 80. I identified that I already had a forward for port 80 on my firewall, so I couldn't use that port - only one port forward rule allowed for each port - but when I pointed port 80 to my Host it still failed.

I am pretty sure you will need to use one of the specified ports in ESXi for vSphere, which are 902 and 443. Set a forward on your remote location's firewall to forward port 443 to the internal IP of your Host. I got mine to work first try without issue by using port 443 and specifying the (PublicIP):443 in vSphere under the 'IP Address/ Name' section.

My ESXi installation was a default one too.. I didn't need to change the firewall at all.
0
 

Author Comment

by:Pawel_Kowalski
ID: 40474879
Machienet, that's exactly what I did. The problem is that for some reason ESXi will only accept requests from the local network, not ones coming from the internet (at least the assumption is it's ESXi). Not to get too sidetracked, but some advice: your router/firewall will often have the ability to redirect external ports to different internal ports. So in your case of port 80 being used up you could use port 81 on the external side and attach it to port 80 on the internal server.

Andrew, the router isn't good enough to tell me what connections I have open. Or did you mean on the ESXi side? If on the ESXi side should I simply do a tcpdump?

Edit: Andrew, please forgive me, I misunderstood the question. Yes, I have basic servers that use port 80 and 443, some of them run under the ESXi host that is having issues others are on physical hardware. And even the ones that are under the ESXi host worked fine. But I'll double check again tonight just to be sure. Port 902 not really, but I can maybe configure a Pi to listen on that port for telnet traffic?
0
 
LVL 13

Accepted Solution

by:
Michael Machie earned 250 total points
ID: 40474960
I believe it to be related to your router firewall and not ESXi honestly. If the port was blocked on ESXi then all local connections would fail as well.
0
