D.2 Enabling VNC Access by Creating a Special Configuration File

If leaving the extra ports open is a security concern, you can manually add the VNC Server entry to the ESXi 5 firewall configuration and persist that entry across reboots of the server.

IMPORTANT: The preferred method to enable VNC Access to an ESXi 5 server is to use an existing, preconfigured GDB Server firewall entry, as described in Section D.1, Enabling VNC Access By Opening Multiple Firewall Ports.

If you use the method described in this section to enable VNC access, we strongly recommend that you have substantial experience with command-line Linux/Unix system administration. Mistakes made while performing these steps can render your ESXi Server unbootable.

  1. In your vSphere environment, log in to the vSphere Client, then select Home > Inventory > Hosts and Clusters.

  2. In the Hosts/Clusters tree view, select the ESXi host name that represents the server you want to open for VNC access.

  3. Select the Configuration tab, locate and open the Software list box, then select Security Profile.

  4. In the Firewall section, select the Properties link to display the Firewall Properties dialog box.

  5. In the dialog box, scroll to and select SSH Server, then click OK.

  6. From a Linux console, ssh to the IP address of your ESXi host. Log in as root using that host's root password.

  7. Using a Linux editor (such as vi), add the following shell script lines to the end of the /etc/rc.local file.

    cat <<EOF > /etc/vmware/firewall/vncServer.xml
    <ConfigRoot>
      <service>
        <id>vncServer</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>
            <begin>5900</begin>
            <end>5999</end>
          </port>
        </rule>
        <enabled>true</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>
    EOF
    esxcli network firewall refresh

    IMPORTANT: Enter the code exactly as shown in the sample above. Use spaces to indent the code; do not use tab characters.

  8. Save the /etc/rc.local file.

  9. While still logged in, run the following command:

    /sbin/auto-backup.sh

  10. Log out from the SSH session.

  11. From either the ESXi host’s console or from the VMware Client, reboot the ESXi host.

    You should now see VNC Server as an available service in the Firewall Properties pane. The service should be enabled.

This process creates the /etc/vmware/firewall/vncServer.xml config file with the necessary settings to open the firewall ports.

Simply creating and editing this file does not survive a reboot of the ESXi Server, because the root file system in ESXi 5 is a volatile RAM disk that is loaded from a master copy on each boot. Any changes made to this RAM disk are lost when the host reboots.

A workaround to this limitation relies on the fact that the ESXi Server uses the auto-backup.sh script to persist a select set of files every 10 minutes (or when changes are made by the VMware Client or the VI-SDK facilities) from this file system to the master persistent copy. The /etc/rc.local file is one of these select files, so adding the shell script to the end of that file recreates the needed firewall entry each time the ESXi server boots.
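The following script is an added example and is not part of the original documentation or of VMware's own tooling. It packages the rc.local lines from step 7 into POSIX shell functions that write the same vncServer.xml rule, check the written file before the firewall is refreshed (exactly one rule, inbound TCP, ports 5900-5999 and nothing wider), and append the rc.local block only once so that repeating the procedure does not stack duplicate heredocs in /etc/rc.local. The function names, the MARKER comment text, and the directory arguments are assumptions introduced here so the functions can be exercised against a scratch directory; the default target directory is the one the documentation uses.

```shell
#!/bin/sh
# Added example (not from the original documentation or from VMware).
# The functions take the target directory or file as an argument so they can be
# run against a scratch location; the default below is the documented path.

FW_DIR_DEFAULT=/etc/vmware/firewall
# Marker comment written into rc.local so a re-run can detect an earlier append.
MARKER='# vncServer firewall rule (added by rc.local)'

# Print the firewall rule XML as step 7 gives it: one inbound TCP rule for
# destination ports 5900-5999, enabled and not required.
vnc_rule_xml() {
    cat <<'EOF'
<ConfigRoot>
  <service>
    <id>vncServer</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>5900</begin>
        <end>5999</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# install_vnc_rule [DIR]: write vncServer.xml into DIR (default: the ESXi
# firewall directory from the documentation).
install_vnc_rule() {
    dir="${1:-$FW_DIR_DEFAULT}"
    mkdir -p "$dir"
    vnc_rule_xml > "$dir/vncServer.xml"
}

# check_vnc_rule FILE: succeed only if FILE holds exactly one rule, the rule is
# inbound TCP, and the port range is precisely 5900-5999. Run this on the file
# before "esxcli network firewall refresh" loads it, so a typo in the range
# does not quietly expose a wider set of ports.
check_vnc_rule() {
    f="$1"
    [ -f "$f" ] || return 1
    [ "$(grep -c '<rule ' "$f")" = 1 ] || return 1
    grep -q '<direction>inbound</direction>' "$f" || return 1
    grep -q '<protocol>tcp</protocol>' "$f" || return 1
    begin=$(sed -n 's/.*<begin>\([0-9]*\)<\/begin>.*/\1/p' "$f")
    end=$(sed -n 's/.*<end>\([0-9]*\)<\/end>.*/\1/p' "$f")
    [ "$begin" = 5900 ] && [ "$end" = 5999 ] || return 1
    return 0
}

# append_rc_local RC_FILE: append the documented block (heredoc that writes the
# XML, then the firewall refresh) to RC_FILE, guarded by MARKER so that running
# it a second time is a no-op instead of duplicating the block.
append_rc_local() {
    rc="$1"
    touch "$rc"
    if grep -qF "$MARKER" "$rc"; then
        return 0
    fi
    {
        echo "$MARKER"
        echo "cat <<'VNCEOF' > $FW_DIR_DEFAULT/vncServer.xml"
        vnc_rule_xml
        echo "VNCEOF"
        echo "esxcli network firewall refresh"
    } >> "$rc"
}

# count_rc_blocks RC_FILE: number of appended blocks present (expected: 1).
count_rc_blocks() {
    grep -cF "$MARKER" "$1"
}
```

On a live host the sequence is install_vnc_rule, then check_vnc_rule /etc/vmware/firewall/vncServer.xml, then append_rc_local /etc/rc.local followed by /sbin/auto-backup.sh as in step 9; the check is the step the documented procedure leaves to the operator's eye.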