18.4 Enabling VNC Access to vSphere 5 VM Guest Consoles

You can allow access through the firewall in a vSphere 5 environment, provided that the ESXi 5 Server and the vCenter Server are properly configured according to VMware documentation. The vSphere Client must also be installed and configured properly according to VMware documentation.

You can use one of two methods to open firewall ports for VNC access:

18.4.1 Enabling VNC Access By Opening Multiple Firewall Ports

Use the following steps to enable the 59xx firewall ports for VNC access to vSphere 5 VM guest consoles:

  1. In your vSphere environment, log in to the vSphere Client, then select Home > Inventory > Hosts and Clusters.

  2. In the Hosts/Clusters tree view, select the ESXi host name that represents the server you want to open for VNC access.

  3. Select the Configuration tab, locate and open the Software list box, then select Security Profile.

  4. In the Firewall section, select the Properties link to display the Firewall Properties dialog box.

  5. In the dialog box, scroll to and select GDB Server, then click OK.

    Your ESXi server now allows VNC access to Guest VM consoles through its firewall.

    NOTE: If you are using vSphere 4.x or earlier, select VNC Server in the list box for this step.

  6. Repeat these steps for each ESXi host system.

The GDB Server firewall entry's own port range includes the 59xx range that VNC needs, so enabling firewall access for GDB Server also opens the VNC ports. The extra open ports do not present a serious security problem, because a user rarely runs manual services that listen on those ports.

If you are concerned about these extra open ports, you can use the method for opening firewall ports explained in Section 18.4.2, Enabling VNC Access by Creating a Special Configuration File.

18.4.2 Enabling VNC Access by Creating a Special Configuration File

If leaving the extra ports open is a security concern, you can manually add the VNC Server entry to the ESXi 5 firewall configuration and persist that entry across reboots of the server.

IMPORTANT: The preferred method to enable VNC access to an ESXi 5 server is to use the existing, preconfigured GDB Server firewall entry, as described in Section 18.4.1, Enabling VNC Access By Opening Multiple Firewall Ports.

If you use the method described in this section to enable VNC access, we strongly recommend that you have solid experience with command-line Linux/Unix system administration. Mistakes made while performing these steps can render your ESXi server unbootable.

  1. In your vSphere environment, log in to the vSphere Client, then select Home > Inventory > Hosts and Clusters.

  2. In the Hosts/Clusters tree view, select the ESXi host name that represents the server you want to open for VNC access.

  3. Select the Configuration tab, locate and open the Software list box, then select Security Profile.

  4. In the Firewall section, select the Properties link to display the Firewall Properties dialog box.

  5. In the dialog box, scroll to and select SSH Server, then click OK.

  6. From a Linux console, ssh to the IP address of your ESXi host. Log in as root using that host's root password.

  7. Using a Linux editor (such as vi), add the following shell script lines to the end of the /etc/rc.local file.

    # Re-create the VNC firewall service definition on every boot
    cat <<EOF > /etc/vmware/firewall/vncServer.xml
    <ConfigRoot>
      <service>
        <id>vncServer</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>
            <begin>5900</begin>
            <end>5999</end>
          </port>
        </rule>
        <enabled>true</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>
    EOF
    # Load the new service definition into the running firewall
    esxcli network firewall refresh

    IMPORTANT: Enter the code exactly as shown in the sample above. Use spaces for indentation; do not use tab characters.

  8. Save the /etc/rc.local file.

  9. While still logged in, run the following command:

    /sbin/auto-backup.sh

  10. Log out from the SSH session.

  11. From either the ESXi host’s console or from the VMware Client, reboot the ESXi host.

    You should now see VNC Server as an available service in the Firewall Properties pane. The service should be enabled.

This process creates the /etc/vmware/firewall/vncServer.xml config file with the necessary settings to open the firewall ports.

Simply creating and editing this file does not survive a reboot of the ESXi server, because the root file system in ESXi 5 is a volatile RAM disk that is loaded from a master copy on each boot. Any changes made to this RAM disk are lost upon reboot.

The workaround relies on the fact that the ESXi server runs the auto-backup.sh script every 10 minutes (or when changes are made with the VMware Client or the VI-SDK facilities) to persist a select set of files from this file system to the master persistent copy. The /etc/rc.local file is one of these select files, so the shell script appended to it re-creates the needed firewall entry each time the ESXi server boots.
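The concern in Section 18.4.1 (the GDB Server entry opening more than the 59xx range) and the vncServer.xml file created in Section 18.4.2 both come down to which ports a firewall service file actually opens. The following Python script is added here as an example and is not part of the original procedure or of VMware's tooling: it parses service files in the format shown above and reports, per enabled service, how many inbound TCP ports fall outside 5900-5999. The second service in the sample is a constructed illustration, not the real GDB Server rule, and the single-port form handled in the parser is assumed rather than taken from this page.

```python
import xml.etree.ElementTree as ET
# Constructed sample: the vncServer.xml from the procedure above plus a hypothetical
# second service, "wideExample", whose rule opens far more than the 59xx range.
SAMPLE_XML = """<ConfigRoot>
  <service>
    <id>vncServer</id>
    <rule id='0000'>
      <direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype>
      <port><begin>5900</begin><end>5999</end></port>
    </rule>
    <enabled>true</enabled><required>false</required>
  </service>
  <service><id>wideExample</id>
    <rule id='0000'><direction>inbound</direction><protocol>tcp</protocol>
      <porttype>dst</porttype><port><begin>1000</begin><end>9999</end></port></rule>
    <enabled>true</enabled><required>false</required>
  </service>
</ConfigRoot>"""

VNC_RANGE = (5900, 5999)  # the 59xx ports guest-console VNC needs

def parse_services(xml_text):
    """Map service id -> {"enabled": bool, "rules": [(direction, protocol, begin, end)]}."""
    services = {}
    for svc in ET.fromstring(xml_text).findall("service"):
        rules = []
        for rule in svc.findall("rule"):
            port = rule.find("port")
            b = port.findtext("begin")
            if b is None:  # single-port form <port>N</port> (assumed; the page shows only ranges)
                begin = end = int(port.text.strip())
            else:
                begin, end = int(b), int(port.findtext("end", default=b))
            rules.append((rule.findtext("direction"), rule.findtext("protocol"), begin, end))
        services[svc.findtext("id")] = {"enabled": svc.findtext("enabled") == "true", "rules": rules}
    return services

def excess_ports(services, needed=VNC_RANGE):
    """Per enabled service: how many inbound TCP ports its rules open outside `needed`."""
    lo, hi = needed
    report = {}
    for sid, svc in services.items():
        if not svc["enabled"]:
            continue  # a disabled service opens nothing
        extra = 0
        for direction, proto, begin, end in svc["rules"]:
            if direction == "inbound" and proto == "tcp":
                extra += sum(1 for p in range(begin, end + 1) if p < lo or p > hi)
        report[sid] = extra
    return report
```

Run it against a file pulled from /etc/vmware/firewall/ on the host: a non-zero count is the "extra open ports" the section above discusses.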