I'm running ESXi 6.7 free.
I would like to expose my ESXi to the internet through my router, but I want to change the default ports, which are 80 and 443.
I found many tutorials / knowledge base articles available for ESXi 5.0 and 6.0, but none of these are working.
In these tutorials, there are parts with firewall and reverse proxy, but no matter what I do, nothing works, mostly when I restart the firewall.
asked Nov 20, 2018 at 19:43
mik3fly-4steri5k
I suppose it's already solved, but for others…
How to change port by ssh on ESXi 6.7 host video ->
or set in router port redirecting from 443 to desired port if possible.
edit:
for the ones who prefer to read
1. enable ssh on esxi host
2. connect via ssh or press alt + f1 on esxi host
3. edit this file by command vi /etc/vmware/rhttpproxy/config.xml
4. find text https by command :/https
    <!-- HTTPS port to be used by the reverse proxy -->
    <httpsPort>443</httpsPort>
5. change port to e.g. 9443
(press insert before editing and, after finishing, press esc and save it by :wq)
6. reboot needed by command reboot
7. after reboot connect to ssh and create new file changedport.xml by command
    vi /etc/vmware/firewall/changedport.xml
8. copy this text to console.
    <ConfigRoot>
      <service>
        <id>changedport</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>9443</port>
        </rule>
        <enabled>true</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>
9. save it by :wq
10. refresh firewall rules by command esxcli network firewall refresh
This is not a permanent solution.
After restarting, you need to add firewall rules again
and execute command esxcli network firewall refresh
answered Oct 13, 2019 at 21:41
Steps:
- edit «/etc/vmware/rhttpproxy/config.xml» (<httpsPort>443</httpsPort> to <httpsPort>4444</httpsPort>)
- run command «/etc/init.d/rhttpproxy restart»
- create new file «/etc/vmware/firewall/changes.xml»
- copy this text to file:
    <ConfigRoot>
      <service>
        <id>changedport</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>4444</port>
        </rule>
        <enabled>true</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>
- run command «/sbin/esxcli network firewall refresh»
- copy above file into /vmfs/volumes/xxxxxxx-80925220-52bf-b8ac6f41950b/changes.xml
- add below code to «/etc/rc.local.d/local.sh» to make it work after reboot:
    /sbin/cp /vmfs/volumes/xxxxxxx-80925220-52bf-b8ac6f41950b/changes.xml /etc/vmware/firewall/
    /sbin/esxcli network firewall refresh
    exit 0
done.
answered Apr 18, 2020 at 8:35
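Both answers above change the port in two places, config.xml and a firewall rule file, and the first notes that the rule file does not survive a reboot. The following is an added example, not code from either answer: a consistency check that reports when rhttpproxy is set to a port that no rule file opens. The function names and the sample files are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the answers above. File locations are passed as
# arguments so the checks can also be run against copies of the files.

# Print the number inside <httpsPort>...</httpsPort> of an rhttpproxy config.xml.
proxy_https_port() {
    tr '<' '\n' < "$1" |
        sed -n 's|^httpsPort>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$|\1|p' |
        head -n 1
}

# Print every <port>N</port> value in a firewall rule file, one per line.
# Splitting on '<' first lets single-line XML parse like pretty-printed XML.
rule_ports() {
    tr '<' '\n' < "$1" |
        sed -n 's|^port>[[:space:]]*\([0-9][0-9]*\)[[:space:]]*$|\1|p'
}

# Write the rule XML from the answers for one TCP port in 1-65535.
make_rule() {
    case "$1" in
        ''|*[!0-9]*|??????*) echo "invalid port: $1" >&2; return 1 ;;
    esac
    if [ "$1" -lt 1 ] || [ "$1" -gt 65535 ]; then
        echo "port out of range: $1" >&2; return 1
    fi
    cat <<EOF
<ConfigRoot>
  <service>
    <id>changedport</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>$1</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# check_port_open CONFIG_XML RULE_FILE...
# Returns 0 if a rule file opens the proxy port, 1 if none does (the state
# after a reboot has discarded the custom rule file), 2 if no port is set.
check_port_open() {
    config=$1; shift
    want=$(proxy_https_port "$config")
    [ -n "$want" ] || { echo "no httpsPort in $config" >&2; return 2; }
    for f in "$@"; do
        [ -f "$f" ] || continue
        if rule_ports "$f" | grep -qxF "$want"; then
            echo "port $want: opened by $f"; return 0
        fi
    done
    echo "port $want: rhttpproxy uses it, but no rule file opens it"
    return 1
}

# Demo on constructed files in a temporary directory.
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' '<config>' '<httpsPort>9443</httpsPort>' '</config>' > "$d/config.xml"
    make_rule 9443 > "$d/changedport.xml"
    check_port_open "$d/config.xml" "$d/changedport.xml"          # rule present
    rm "$d/changedport.xml"
    check_port_open "$d/config.xml" "$d/changedport.xml" || true  # rule lost
    rm -r "$d"
}
demo
```

On a host, the same check would be called with /etc/vmware/rhttpproxy/config.xml and the files under /etc/vmware/firewall/, for instance at the end of local.sh after the refresh.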
If for some reason you need to change the ports used when connecting to ESXi servers, read on to see how to do it.
For this you can use vSphere Management Assistant or vSphere CLI.
To connect to ESXi servers, vSphere Client uses HTTP port 80 and HTTPS port 443 by default. To change these ports we need to modify the proxy.xml file on the host; you can also change the ports set in the vSphere Client configuration file.
In the examples I will use vSphere CLI, but everything is the same for vSphere Management Assistant.
First, fetch the proxy.xml file so that we can edit it and upload it back:
vifs.pl --server hostname --username username --get /host/proxy.xml local_directory_path\proxy.xml
Then change the ports, for example to:
HTTP 8080
HTTPS 8081
To do this we need to add the following under the <ConfigRoot> tag:
<httpPort>http_port_number</httpPort>
<httpsPort>https_port_number</httpsPort>
in our case
<httpPort>8080</httpPort>
<httpsPort>8081</httpsPort>
Roughly like this
After saving the changes, upload the file back:
vifs.pl --server hostname --username username --put local_directory_path\proxy.xml /host/proxy.xml
After that you need to restart the Management Agents. We do this directly from the ESXi console.
Troubleshooting Options > Restart Management Agents
From now on, when connecting to your host you will need to specify the port, as shown in the figure:
or, if you want your vSphere Client to use these ports, you will need to change the default configuration file VpxClient.exe.config, which is located in the C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher directory.
You need to replace the port numbers in this line:
<add key = "protocolports" value = "https:443;http:80:" />
with
<add key = "protocolports" value = "https:8081;http:8080:" />
From now on, when connecting to the ESXi server with PowerCLI you will need to specify the Port parameter:
Connect-VIServer Server_Name_or_IP_Address -Port Port_Number -User Username -Password Password
The same applies when using vCLI; here is an example in the figure:
That's about it.
This article uses material from KB Article: 1021199
Port forwarding is the best way to give external users access to a service on an internal network, and port forwarding in VMware Workstation is not so different. Instead of admitting external users from the internet, VMware Workstation lets users on the local network reach the specific port you configure on the virtual machine.
You can spin up virtual machines in VMware Workstation, whichever version you are running (15, 16 or even lower), enable certain services on them, and make them available to local users with the port forwarding option.
For example, you can run an FTP server as a VM and provide that FTP service to local users. You can even go a step further, run a web server on VMware Workstation Pro and make it available to internet users as well. However, that requires a further port forwarding configuration on the edge device. You have to be a little careful when allowing external users into the internal network.
The point here is that port forwarding is a great feature if you want to provide access to certain services on the local network.
In one of our earlier blog posts, we covered how to configure port forwarding in VirtualBox; in this post, we will configure port forwarding in VMware Workstation Pro.
Objective:
I have two machines running in my environment: one is Linux Mint and the other is Ubuntu. Both run the SSH service; on Linux Mint it listens on port 22, and on Ubuntu on port 2222. The Ubuntu machine also acts as a web server with an HTTPS service on port 443. We will configure port forwarding in VMware Workstation so that local users can SSH into the VMs and access the internal web pages over port 443.
Prerequisites.
- VMware Workstation Pro – any version will work. I am using VMware Workstation 16, and I tested this on older versions such as 12, 13, and 15.
- A virtual machine with some ports enabled.
How do I port forward a VM in VMware Workstation?
There are multiple network adapter types in VMware Workstation: bridged networking, the host-only adapter, and the NAT adapter. Port forwarding is only available in the NAT network configuration. If you select any other adapter, you won't see the port forwarding functionality.
To allow port forwarding, you first need a VM running specific services, such as SSH. Then you go to the VMware Workstation network settings and edit the NAT settings to add a port forwarding entry that maps a port reachable from your local network to a port on the virtual machine network.
You must make sure that the host port you forward is not one the host machine itself already listens on.
For example, if I have SSH enabled on my host and I try to forward the default SSH port to the VM, the request goes straight to the host machine instead of the VM, because the host is listening on the same port. We will also see how to overcome that.
We will explain in more detail with a lab.
Steps to enable port forwarding in VMware Workstation.
Connect the VM to the NAT network.
I have both the Linux Mint and the Ubuntu machine running, and I will change their network settings to the NAT network.
To change the network adapter, right-click the VM and click Settings.
Select the network adapter, choose NAT, and click OK.
These settings add the virtual machine to the NAT network, which is the VMnet8 adapter in VMware Workstation.
After the virtual machines are connected to the NAT network, both VMs receive an address from the VMware NAT DHCP service. Now the VMs can speak to each other and also to the host machine. However, the host or any other device on the local network cannot initiate communication with a virtual machine directly; hence, we will set up port forwarding for the VMs.
My VMs got the following IP addresses.
Ubuntu – 192.168.127.132
Linux Mint – 192.168.127.128
See the output below. The Ubuntu VM can speak to the Linux Mint VM and also to the host machine on 192.168.0.4. It can even go out to the internet.
This means the NAT network is working as expected.
Validate that the services are running.
To test port forwarding, we need VMs with some services enabled. We are going to test port forwarding mainly with SSH and HTTPS, so let's check the services on the VMs that we have.
On my Linux Mint machine, the SSH service is installed and running on the default SSH port 22.
To check the SSH status on Linux Mint, type either service ssh status
or systemctl status ssh.
As you can see, the service is active and listening on port 22. You can learn more about the ssh configuration on Linux mint here.
On the Ubuntu machine it is slightly different: the same SSH service is listening on port 2222.
You can use the same commands we used on Linux Mint to check the SSH service status on the Ubuntu machine as well.
The Ubuntu machine is also running a web server on the HTTP and HTTPS ports.
I verified that the HTTPS service is working by typing the VM's IP address into the Firefox address bar.
Validate whether your host machine has the SSH service enabled.
After you enable SSH port forwarding in VMware Workstation, you can access the port from the host machine by using ssh <username>@<hostIP>
Did you notice that I used the host IP instead of the virtual machine IP? If your host machine also has the SSH service enabled, the request will not be forwarded to the VM.
To validate that, you can test SSH access to your host machine.
Since I am running Windows 10 as the host machine and I have not enabled SSH access on it, my host machine will not let me in over SSH. As you can see below, the SSH connection is refused.
C:\Users\saifudhe>ssh <username>@192.168.0.10
ssh: connect to host 192.168.0.10 port 22: Connection refused
However, if you are using a Linux machine as the host, you will most likely have SSH access enabled. In that case, you need to use a different port for SSH access to the VM. We will look into that in a later part.
Since my machine is not using port 22, I can use the default one.
Configure port forwarding for SSH in VMware
To configure port forwarding, go back to VMware Workstation and click on Virtual Network Editor…
After a few seconds, the virtual network adapter settings window pops up. By default, all the options are grayed out, and you need to click on Change settings.
Note: On Windows, if you do not have administrator privileges, you won't be able to make any changes here.
After you click on Change settings, all the options become available to modify. From the network adapters list, choose VMnet8, the NAT adapter, and click on NAT settings.
The NAT settings window opens. Here you will see the port forwarding configuration for VMware Workstation. Click Add under port forwarding.
Fill in the port forwarding configuration.
Host port: 22
Type: TCP
Virtual machine IP address: 192.168.127.128, which is our Linux Mint VM's IP address.
Virtual machine port: 22.
Add a user-friendly description, and then click on OK.
Click on OK in the NAT configuration settings as well.
Now you should be able to access the Linux Mint machine from your local machine.
Verify the SSH access through VMware port forwarding.
To SSH into the Linux Mint VM, use the command ssh <username>@<host IP> and hit Enter.
My username is Saif and my host IP address is 192.168.0.10; hence I can access the machine with the command below.
ssh <username>@192.168.0.10
After entering the password, I am logged in to the machine. Although we connected with SSH to the host machine's address, you can see that the IP address of the VM is 192.168.127.128.
Now you know why you should check whether the host machine is currently using the default SSH port. Port forwarding will not work when the host machine is also using the same port: instead of being forwarded to the VM, the request goes to the host machine itself.
What if your host machine uses the default port and you still want to SSH into the VM?
We can still work out a way to access the VM if your host machine uses the default SSH port number. Let us go ahead and do that now.
Go to the settings –> Virtual adapter settings –> Change Settings.
Choose the NAT adapter and click on NAT settings.
Here you can see the previously added port forwarding policy. You can click on Properties to edit the existing policy, or remove it.
As I only have to change the port number, I can edit the existing settings.
Instead of using the default port 22 as the host port, I choose the custom port 2221 and then click on OK.
Click on OK in the NAT settings as well, and apply the changes.
Test port forwarding to the VM over SSH.
When you SSH into the machine, you need to use the newly added port number instead of the default one.
As you can see, after specifying the custom SSH port 2221, I can log in to the VM.
The default port didn't work because the forwarded SSH port changed and my Windows host does not have the SSH service enabled.
Using custom port numbers, you can assign ports 2221, 2222 and 2223 to VM1, VM2 and VM3 respectively if you plan to configure SSH access to multiple virtual machines.
Configure SSH access to a different VM port number.
You can also configure SSH access when the VM uses a different port number instead of the default one.
We already have an Ubuntu machine running the SSH service on port 2222, so let's see how to configure port forwarding for it.
Open VMware Workstation.
Click on Edit –> VirtualAdapter Settings –> Change settings.
Click on NAT settings.
Click on Add.
In the Map Incoming Port window:
Host port: type 2222, or the default one if your host machine is not using the SSH service on the default port.
Type: TCP.
Virtual machine IP: 192.168.127.132, which is my Ubuntu IP address.
Virtual machine port number: 2222. We already validated that the Ubuntu VM's SSH service is running on port 2222.
Provide a user-friendly description and click on OK.
Click on OK in the NAT settings as well and apply the configuration.
Access the Ubuntu machine with a custom port.
To access the Ubuntu VM, type ssh -p 2222 <username>@<hostIP>
So it will be ssh -p 2222 <username>@192.168.0.10
As you can see in the output below, I can access my Ubuntu machine running SSH on custom port 2222.
Configure port forwarding for the web server.
We have successfully configured port forwarding for the SSH service. How about the web services running on ports 80 and 443?
Those are no different from configuring SSH port forwarding.
Click on Edit –> Virtual network Editor –> Change settings –> NAT settings.
In the NAT configuration window, click on Add.
As my Windows host is listening on port 443, I cannot use the same port number, so I decided to use custom port 8443 this time.
If you want to use the default port number, you will have to disable the HTTPS service on your host machine first; then there will not be any conflict.
Host port: 8443
Type: TCP.
Virtual machine IP address: 192.168.127.132
Virtual machine port: 443.
Provide a description.
Click on OK and save the changes.
Verify the HTTPS access.
Open a browser on your machine, type the URL https://192.168.1.10:8443 and press Enter.
You may ignore the security warning and proceed to the page, and you should be able to access the web page as below.
And the best part is that you can access the web page from your local network as well. As you can see in the output below, I access the same web page from my iPad as well as from my phone.
The web page on the phone.
The same web page on an iPad.
We have successfully configured port forwarding for the SSH and HTTPS services; the same procedure can be followed for HTTP or any other protocol. When configuring port forwarding, choose a custom or default host port depending on which services your host is running, and set the port number the VM listens on; it should then work just like SSH and HTTPS.
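The rule that runs through the walkthrough above is that a forwarded host port must not be one the host itself already listens on, and each host port can be mapped only once. The following is an added example, not part of the original article: a check of a planned forwarding table before it is typed into the Virtual Network Editor. The plan file format and the listener list are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the article. The plan format is an assumption of
# this example: one "host_port proto vm_ip vm_port" entry per line.

# check_plan PLAN_FILE "LISTENERS"
#   LISTENERS: space-separated proto/port pairs the host itself already
#   listens on, e.g. "tcp/22 tcp/443".
# Prints one line per problem and returns 0 only when the plan is clean.
check_plan() {
    awk -v busy="$2" '
        function badport(p) {
            return (p !~ /^[0-9]+$/) || (p + 0 < 1) || (p + 0 > 65535)
        }
        BEGIN { n = split(busy, b, " "); for (i = 1; i <= n; i++) taken[b[i]] = 1 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 4 { print "line " NR ": expected 4 fields"; bad = 1; next }
        badport($1) || badport($4) {
            print "line " NR ": port out of range"; bad = 1; next
        }
        {
            key = tolower($2) "/" ($1 + 0)
            if (key in taken) {
                # The host service answers first, so the VM is never reached.
                print "line " NR ": host already listens on " key; bad = 1
            }
            if (key in seen) {
                print "line " NR ": " key " already forwarded on line " seen[key]
                bad = 1
            }
            seen[key] = NR
        }
        END { exit bad + 0 }
    ' "$1"
}

# Demo with forwards that reuse the default ports, on a host that
# (constructed assumption) already listens on tcp/22 and tcp/443.
demo() {
    plan=$(mktemp) || return 1
    cat > "$plan" <<'EOF'
# host_port proto vm_ip vm_port
22   tcp 192.168.127.128 22
2222 tcp 192.168.127.132 2222
443  tcp 192.168.127.132 443
EOF
    check_plan "$plan" "tcp/22 tcp/443"
    status=$?
    rm -f "$plan"
    return "$status"
}
demo || echo "plan needs other host ports (the article picks 2221 and 8443)"
```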
By default, VMware ESXi hypervisor opens just the necessary ports. The most basic access to the hypervisor is by using just a few firewall ports enabled on the hosts.
Vladan Seget is an independent consultant, professional blogger, vExpert 2009-2021, VCAP-DCA/DCD and MCSA. He has been working for over 20 years as a system engineer.
Whether vCenter Server manages the host or it is a standalone ESXi host, different tools and access paths can do this. The vSphere Web Client and the VMware Host Client allow you to open and close firewall ports for each service or allow traffic from selected IP addresses.
You’ll be using the vSphere Web Client (HTML5) if you have VMware vCenter Server in your environment. Or if you are using a standalone ESXi host only, you’ll use ESXi Host Client for the job.
For both tools, you do not need to install any software to your management workstation or laptop, and you can use Windows, Linux, or Mac. That’s quite some progress since in the past, the most used utility for VMware vSphere was a Windows C++ client, now discontinued.
Use vSphere Host Client (no vCenter server available)
In this scenario, we just have a single ESXi host (ESXi 6.7), not managed by vCenter Server. We will look at how to open a port in a second. But before that, I’d like to point out that even if ESXi itself has a free version you can administer this way, it does not allow you to use backup software that can take advantage of VMware changed block tracking (CBT) and do incremental backups.
Note: You don’t necessarily need to deploy vCenter Server, but you will need to assign a paid CPU license to the ESXi host to unlock the application programming interface (API).
This is because free ESXi has a limited set of API features that won't work with third-party backup software. Other limits of free ESXi are that you can only have two physical CPU sockets and can only create virtual machines (VMs) with up to eight virtual CPUs (vCPUs).
But let’s get back to our principal mission to show you how to access the firewall settings and open a closed firewall port.
Connect to your ESXi host via vSphere Host Client (HTML5) by going to this URL:
https://ip_of_esxi/UI
After connecting to your ESXi host, go to Networking > Firewall Rules. You’ll see that the VMware Host Client displays a list of active incoming and outgoing connections with the corresponding firewall ports.
Enable a firewall rule in ESXi Host Client
Note: When the rule is grayed out, it is disabled (thus, you can enable it) and vice versa.
For some services, you can manage service details. Right-click a service and select an option from the pop-up menu.
vSphere Web Client (with vCenter)
First you’ll need to connect to your vCenter Server via the vSphere Web Client. Go to Hosts and clusters, select Host, and go to Configure > Firewall.
Then select the firewall rule you want to change and click Edit.
How to open or block firewall ports on a VMware ESXi 6.7 host
In my example, I’ll show you how I configured my firewall rule for NFS access only from a single IP, denying all other IPs. Here is a view of the rule when you click it. As you can see, I unchecked Allow connections from any IP address and entered a single IP that can access my ESXi host.
Allow connections only from a single IP
For some firewall rules, when you open the port, you also need to start the service. For example, after opening a firewall rule for the SNMP port, you’ll need to go to the Services page and start and configure the service.
Start the SNMP service
As you can see, both the ESXi Host Client and vSphere Web Client allow you to open and close firewall ports. But you can only manage predefined ports. Can we create custom firewall ports? The answer is yes; however, you’ll need to use the VMware command-line interface (CLI) for the job, and I’m not sure that’s a supported scenario.
While ESXi 5.x supported this scenario, I haven’t found a VMware knowledge base (KB) article detailing the steps for ESXi 6.x. So it’s up to you. I’ll give you the URL for the VMware KB called Creating custom firewall rules in VMware ESXi 5.x.
Via a Secure Shell (SSH) session using the PuTTY client, for example, you can check the open ports with this command:
esxcli network firewall ruleset list
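The single-IP restriction shown earlier in the Web Client can also be applied to a predefined ruleset from the same SSH session. The following is an added example, not from the article: a wrapper around the esxcli ruleset commands that validates every address before changing anything. The function names, and the ruleset id and address in the usage line, are sample values chosen for this example.

```shell
#!/bin/sh
# Added example, not from the article. Intended for the ESXi shell, where the
# esxcli command exists; the address in the usage line is constructed.

# Succeed if $1 is an IPv4 address or CIDR block (a.b.c.d or a.b.c.d/0-32).
valid_ipv4() {
    addr=${1%/*}
    if [ "$addr" != "$1" ]; then
        bits=${1#*/}
        case "$bits" in ''|*[!0-9]*|???*) return 1 ;; esac
        [ "$bits" -le 32 ] || return 1
    fi
    case "$addr" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $addr
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# restrict_ruleset RULESET IP [IP...]
# All addresses are validated before the first change, so a typo cannot leave
# the ruleset with "allow all" switched off and no allowed source added.
restrict_ruleset() {
    ruleset=$1
    if [ "$#" -lt 2 ] || [ -z "$ruleset" ]; then
        echo "usage: restrict_ruleset RULESET IP [IP...]" >&2; return 2
    fi
    shift
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "bad address: $ip" >&2; return 1; }
    done
    # Same effect as unchecking "Allow connections from any IP address".
    esxcli network firewall ruleset set --ruleset-id "$ruleset" \
        --allowed-all false || return 1
    for ip in "$@"; do
        esxcli network firewall ruleset allowedip add --ruleset-id "$ruleset" \
            --ip-address "$ip" || return 1
    done
    # Show the resulting allow-list for review.
    esxcli network firewall ruleset allowedip list --ruleset-id "$ruleset"
}

# Usage (sample values): sh restrict.sh sshServer 192.0.2.10
if [ "$#" -gt 0 ]; then restrict_ruleset "$@"; fi
```

When the ruleset being restricted is the one your own session depends on, run this from the local ESXi Shell rather than over that connection.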
Final words
To some extent, VMware locked out access to custom rules, but there are many predefined ones. Why not try out the predefined ones before going and creating custom ones?
Another gotcha you might encounter is the fact you must configure these custom rules a certain way so they persist across reboots.
You’ll need to be familiar with the vi Linux editor because you’ll need to modify and create XML files—so it’s not that easy of a task. I’m not saying it’s not possible, but when it comes to support, I’m not sure VMware still supports it.
This small walkthrough explains how to configure a port forwarding in VMware Workstation 9. The same procedure should also work for VMware Workstation 8, 7 and 6.
Why do you need port forwarding in VMware Workstation? The main purpose is to make virtual machines available on the network. You could simply use bridged networking, but sometimes NAT fits better to your requirements. If you want your virtual machine to be available no matter what network you are connected to or if you are limited in IP addresses you might have a valid use case for using NAT and thus port forwarding.
Configuration Parameters
- VMware Workstation 9 running on Windows 7 Ultimate
- The Virtual Machine is an Ubuntu 11.10
- The virtual NIC is configured with DHCP
- I want to make the SSH (22/TCP) available to the network
1. Open Virtual Machine Settings (Right-click -> Settings…) and set your virtual machine's network connection to «NAT»
2. Power on the Virtual Machine and write down the IP address (You could also use a static IP address)
3. Open Virtual Network Editor (Edit -> Virtual Network Editor…)
4. Select VMnet8 / NAT and press NAT Settings…
5. Click Add
6. Configure Port and IP address
7. Press OK twice to close NAT Settings and Virtual Network Editor
Finished! Your virtual machine's SSH service should now be accessible to the network at your workstation's IP address. Needless to say, this is just an example, and port forwarding will also work with any other TCP/UDP port, as long as it is not in use by your host.
If it does not work, check your Windows Firewall:
How to setup a custom Firewall Rule in Windows 7
1. Open Windows Firewall with Advanced Security (Run > WF.msc)
2. Right-click Inbound Rules and press New Rule…
3. Select the rule type Port
4. Select TCP and specify Port 22 (If you are not forwarding SSH select corresponding protocol/port)
5. Select Allow the connection
6. Enter a name to identify the rule later
7. Leave everything else at its default unless you know what you are doing