ESX Configuration Guide

Whenever possible, use vSphere Client, vSphere Web Access, or a third-party network management tool to administer your ESX hosts instead of working though the command-line interface as the root user. Using vSphere Client lets you limit the accounts with access to the service console, safely delegate responsibilities, and set up roles that prevent administrators and users from using capabilities they do not need.

nUse only VMware sources to upgrade ESX components that you run on the service console.

The service console runs a variety of third-party packages, such as the Tomcat Web service, to support management interfaces or tasks that you must perform. VMware does not support upgrading these packages from anything other than a VMware source. If you use a download or patch from another source, you might compromise service console security or functions. Regularly check third-party vendor sites and the VMware knowledge base for security alerts.

Log In to the Service Console

Although you perform most ESX configuration activities through the vSphere Client, you use the service console command-line interface when you configure certain security features. Using the command-line interface requires that you log in to the host.

Procedure

1Log in to the ESX host using one of the following methods.

n If you have direct access to the host, press Alt+F2 to open the login page on the machine's physical console.

nIf you are connecting to the host remotely, use SSH or another remote console connection to start a session on the host.

2Enter a user name and password recognized by the ESX host.

If you are performing activities that require root privileges, log in to the service console as a recognized user and acquire root privileges through the sudo command, which provides enhanced security compared to the su command.

What to do next

In addition to ESX-specific commands, you can use the service console command-line interface to run many Linux and UNIX commands. For more information about service console commands, use the man command_name command to check for man pages.

Service Console Firewall Configuration

ESX includes a firewall between the service console and the network. To ensure the integrity of the service console, VMware has reduced the number of firewall ports that are open by default.

At installation time, the service console firewall is configured to block all incoming and outgoing traffic, except for ports 22, 123, 427, 443, 902, 5989, 5988, which are used for basic communication with ESX. This setting enforces a high level of security for the host.

NOTE The firewall also allows Internet Control Message Protocol (ICMP) pings and communication with DHCP and DNS (UDP only) clients.

Chapter 14 Service Console Security

In trusted environments, you might decide that a lower security level is acceptable. If so, you can set the firewall for either medium or low security.

Because the ports open by default are strictly limited, you might be required to open additional ports after installation. For a list of commonly used ports that you might open, see “TCP and UDP Ports for Management Access,” on page 159.

As you add the supported services and management agents required to operate ESX effectively, you open other ports in the service console firewall. You add services and management agents through vCenter Server as described in “Configuring Firewall Ports for Supported Services and Management Agents,” on page 156.

In addition to the ports you open for these services and agents, you might open other ports when you configure certain devices, services, or agents such as storage devices, backup agents, and management agents. For example, if you are using Veritas NetBackup™ 4.5 as a backup agent, open ports 13720, 13724, 13782, and 13783, which NetBackup uses for client-media transactions, database backups, user backups or restores, and so forth. To determine which ports to open, see vendor specifications for the device, service, or agent.

Do not modify default firewall rules for the service console using any command or utility other than esxcfg-firewall. If you modify the defaults by using a Linux command, your changes will be ignored and overwritten by the defaults specified for that service by the esxcfg-firewall command.

Determine the Service Console Firewall Security Level

Altering the security level for the service console is a two-part process: determining the service console firewall security level and resetting the service console firewall setting. To prevent unnecessary steps, always check the firewall setting before you change it.

Procedure

1Log in to the service console and acquire root privileges.

2Use the following two commands to determine whether incoming and outgoing traffic is blocked or allowed.

esxcfg-firewall -q incoming esxcfg-firewall -q outgoing

Interpret the results according to Table 14-1.

Table 14-1. Service Console Firewall Security Levels

ESX Configuration Guide

Set the Service Console Firewall Security Level

After you determine the level of firewall security for the service console, you can set the security level. Each time you lower your security setting or open additional ports, you increase the risk of intrusion in your network. Balance your access needs against how tightly you want to control the security of the network.

Procedure

1 Log in to the service console and acquire root privileges.

2 Run one of the following commands to set the service console firewall security level. n To set the service console firewall to medium security:

esxcfg-firewall --allowOutgoing --blockIncoming n To set the virtual firewall to low security:

esxcfg-firewall --allowIncoming --allowOutgoing

CAUTION Using the preceding command disables all firewall protection.

nTo return the service console firewall to high security: esxcfg-firewall --blockIncoming --blockOutgoing

3Use the following command to restart the vmware-hostd process. service mgmt-vmware restart

Changing the service console firewall security level does not affect existing connections. For example, if the firewall is set to low security and a backup is running on a port you did not explicitly open, raising the firewall setting to high does not terminate the backup. The backup completes, releases the connection, and no further connections are accepted for the port.

Open a Port in the Service Console Firewall

You can open service console firewall ports when you install third-party devices, services, and agents. Before you open ports to support the item you are installing, see vendor specifications to determine the necessary ports.

Prerequisites

Use this procedure only to open ports for services or agents that are not configurable through the vSphere Client.

VMware supports opening and closing firewall ports only through the vSphere Client or the esxcfgfirewall command. Using any other methods or scripts to open firewall ports can lead to unexpected behavior.

Procedure

1Log in to the service console and acquire root privileges.

2Use the following command to open the port.

esxcfg-firewall --openPort port_number,tcp|udp,in|out,port_name n port_number is the vendor-specified port number.

n Use tcp for TCP traffic or udp for UDP traffic.

n Use in to open the port for inbound traffic or out to open it for outbound traffic.

Chapter 14 Service Console Security

nport_name is a descriptive name to help identify the service or agent using the port. A unique name is not required.

For example:

esxcfg-firewall --openPort 6380,tcp,in,Navisphere

3Run the following command to restart the vmware-hostd process. service mgmt-vmware restart

Close a Port in the Service Console Firewall

You can close particular ports in the service console firewall. If you close a port, active sessions of the service associated with the port are not necessarily disconnected when you close the port. For example, if a backup is executing and you close the port for the backup agent, the backup continues until it completes and the agent releases the connection.

You can use the -closePort option to close only those ports that you opened with the -openPort option. If you used a different method to open the port, use an equivalent method to close it. For example, you can close the SSH port (22) only by disabling the SSH server incoming connection and SSH client outgoing connection in the vSphere Client.

Prerequisites

Use this procedure only to close ports for services or agents not specifically configurable through the vSphere Client.

VMware supports opening and closing firewall ports only through the vSphere Client or the esxcfgfirewall command. Using any other methods or scripts to open and close firewall ports can lead to unexpected behavior.

Procedure

1 Log in to the service console and acquire root privileges.

2Use the following command to close the port.

esxcfg-firewall --closePort port_number,tcp|udp,in|out,port_name

The port_name argument is optional. For example:

esxcfg-firewall --closePort 6380,tcp,in

3Use the following command to restart the vmware-hostd process. service mgmt-vmware restart

Troubleshooting When Firewalls are Overwritten

When firewall rules are changed after VMware High Availability (HA) traffic, migration, cloning, patching, or vMotion, you might need to configure the firewall defaults for esxcfg-firewall.

Modifying firewall default rules for the service console using any command or utility other than esxcfgfirewall is not supported. If you modify default rules and then attempt to access the service console through the firewall with any tools or utilities, the firewall might revert to its default configuration when your actions are complete. For example, configuring HA on a host causes the firewall to revert to the default configuration specified by esxcfg-firewall if you have modified the rules by using a command other than esxcfg-

firewall.