gmx168 posted on 2014-9-15 16:14

Required ports for ESXi 5.1.x (2039095) - ESXi 5.1.x related ports

VMware official KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2039095

When you access an ESXi host from the internal network you don't have to worry about anything; on the LAN it always works. But what about remote access across a firewall/router? The corresponding ports must be opened.

There are a great many related ports, but in practice, as tested, in a simple setup where one client (VMware vSphere Client) accesses one server (ESXi host), only the following 2 ports are needed:


Port | Protocol | Source | Target | Description
443 | TCP | ESXi/ESX host | ESXi/ESX host | Host to host VM migration and provisioning
902 | TCP | vSphere Client | ESXi 5.1.x | vSphere Client access to virtual machine consoles (MKS)

TCP 443 is used for the vSphere Client's management connection to the ESXi host; port 80 is not needed, because access to port 80 is automatically redirected to port 443.
TCP 902 is used by vSphere Client to access the virtual machine console, that is, this thing below:



Of course, for the command-line experts who like to log in over SSH, TCP 22 is also a must.


Port | Protocol | Source | Target | Description
22 | TCP | Client PC | ESXi 5.1.x | SSH Server

Port 22 is closed by default; see the figure below for how to open it:
Configuration --> Security Profile --> Services Properties... --> SSH --> Options... --> Start --> Start and stop with host -->OK



Required ports for ESXi 5.1.x (2039095)

Purpose
This article outlines the required ports for using and accessing an ESXi 5.1 host. In addition, ports that are necessary to access external components, such as storage devices, management systems, etc., are listed. Ensure that these ports are open to access these components.

Note: If you are attaching your ESXi 5.1 host to vCenter Server, additional ports will be required. For more information, see Required ports for vCenter Server 5.1 (2031843).

Resolution
ESXi must be able to send and receive data from every vSphere Client. If you are attaching your ESXi host to vCenter Server, additional ports will be required. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.

Also, if you are attaching your ESXi host to external storage components, such as an NFS or iSCSI device, or management components, such as a SysLog server, monitoring system, etc., additional ports must be opened on the firewall in those instances.

Note: In Microsoft Windows Server 2008, a firewall is enabled by default.

This table outlines the ports required for communication between these components:


Port | Protocol | Source | Target | Description
22 | TCP | Client PC | ESXi 5.1.x | SSH Server
53 | UDP | ESXi 5.1.x | DNS Server | DNS Client
68 | UDP | ESXi 5.1.x | DHCP Server | DHCP Client
80 | TCP | Client PC | ESXi 5.1.x | Redirect Web Browser to HTTPS Service (443)
88 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication - Kerberos
111 | TCP | ESXi/ESX host | NFS Server | NFS Client – RPC Portmapper
111 | UDP | ESXi/ESX host | NFS Server | NFS Client – RPC Portmapper
123 | UDP | ESXi/ESX host | NTP Time Server | NTP Client
161 | UDP | SNMP Server | ESXi 4.x host | SNMP Polling. Not used in ESXi 3.x
162 | UDP | ESXi host | SNMP Collector | SNMP Trap Send
389 | TCP/UDP | ESXi host | LDAP Server | PAM Active Directory Authentication - Kerberos
427 | UDP | vSphere Client | ESXi/ESX host | CIM Service Location Protocol (SLP)
443 | TCP | vSphere Client | ESXi/ESX host | vSphere Client to ESXi/ESX host management connection
443 | TCP | ESXi/ESX host | ESXi/ESX host | Host to host VM migration and provisioning
445 | UDP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication
445 | TCP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication
445 | TCP | ESXi host | SMB Server | SMB Server
464 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication - Kerberos
514 | TCP/UDP | ESXi 5.1.x | Syslog Server | Remote syslog logging
902 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Host access to other hosts for migration and provisioning
902 | UDP | ESXi 5.1.x | vSphere Client | (UDP) Status update (heartbeat) connection from ESXi to vCenter Server
902 | TCP | vSphere Client | ESXi 5.1.x | vSphere Client access to virtual machine consoles (MKS)
49152 to 65535 | TCP/UDP | ESXi host | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). For more information, see Active Directory and Active Directory Domain Services Port Requirements and the Microsoft Knowledge Base article 179442.
2049 | TCP | ESXi 5.1.x | NFS Server | Transactions from NFS storage devices
2049 | UDP | ESXi 5.1.x | NFS Server | Transactions from NFS storage devices
3260 | TCP | ESXi 5.1.x | iSCSI storage server | Transactions to iSCSI storage devices
5900 to 5964 | TCP | ESXi 5.1.x | ESXi 5.1.x | RFB protocol, which is used by management tools such as VNC
5988 | TCP | CIM Server | ESXi 5.1.x | CIM transactions over HTTP
5989 | TCP | vCenter Server | ESXi 5.1.x | CIM XML transactions over HTTPS
5989 | TCP | ESXi 5.1.x | vCenter Server | CIM XML transactions over HTTPS
8000 | TCP | ESXi 5.1.x (VM Target) | ESXi 5.1.x (VM Source) | Requests from vMotion
8000 | TCP | ESXi 5.1.x (VM Source) | ESXi 5.1.x (VM Target) | Requests from vMotion
8100 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Traffic between hosts for vSphere Fault Tolerance (FT)
8182 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Traffic between hosts for vSphere High Availability (vSphere HA)
8200 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Traffic between hosts for vSphere Fault Tolerance (FT)
8301 | UDP | ESXi 5.1.x | ESXi 5.1.x | DVS port information
8302 | UDP | ESXi 5.1.x | ESXi 5.1.x | DVS port information
31100 | TCP | vCenter Server | SPS Server | Internal communication port
31000 | TCP | SPS Server | vCenter Server | Internal communication port






gmx168 posted on 2014-9-15 16:19

How do you change the TCP 902 port that the remote console uses by default?

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1134
Details
How do I change the port ESX Server uses for the remote console?
Solution

By default, the VMware Remote Console connects over port 902. To change the port the remote console uses, complete the following steps.
1. To change the port vmware-authd runs on, edit the /etc/xinetd.d/vmware-authd file. Change the port = entry to the desired port number. Do not use ports 80 and 443 -- they are already in use.
2. To change the port the console connects to from a remote client, edit the /etc/vmware/config file. Change the authd.client.port = "" entry to the same port from the previous step.
3. Restart xinetd:
   /etc/init.d/xinetd restart
4. Restart the VMware Management Interface:
   /etc/init.d/httpd.vmware restart
Now you can connect on the port you specified here.
------------------------------------------------------------
vi /etc/vmware/config
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
authd.client.port = "20902"
------------------------------------------------------------
There is a router upstream of the ESXi host doing NAT, with the port mapping 902 --> 20902 already configured. No change was made to the ESXi host's console port 902.
In fact, the /etc/xinetd.d/vmware-authd path and file do not exist on an ESXi host.
When VMware vSphere Client accesses the ESXi host remotely across the router, ESXi automatically tells the client to connect to the console on port 20902.
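As an added example (not from these posts or from VMware), a small Python audit that encodes the minimal port set from the first post, compares it against a constructed result of your own scan of the router's WAN address, and checks that the authd.client.port value from /etc/vmware/config matches the router's 902 port mapping described in this post. The nat_map shape ({external_port: internal_port}) and the scan values are assumptions.

```python
import re

# Subset of KB 2039095 rows for one vSphere Client reaching one stand-alone
# ESXi 5.1.x host (the minimal set tested in the first post; 22 only for SSH users).
MINIMAL_PORTS = {443: "vSphere Client management connection",
                 902: "vSphere Client access to VM consoles (MKS)"}
SSH_PORT = 22

# Constructed sample of /etc/vmware/config, taken from the post above.
SAMPLE_CONFIG = """\
libdir = "/usr/lib/vmware"
authd.fullpath = "/sbin/authd"
authd.client.port = "20902"
"""

AUTHD_PORT_RE = re.compile(r'^\s*authd\.client\.port\s*=\s*"(\d+)"', re.M)

def minimal_allow_list(allow_ssh=False):
    """TCP ports that must be forwarded to the host for vSphere Client use."""
    ports = set(MINIMAL_PORTS)
    if allow_ssh:
        ports.add(SSH_PORT)
    return ports

def audit_exposed_ports(observed_open, allow_ssh=False):
    """Compare externally reachable TCP ports (from a scan of your own router's
    WAN address) with the allow-list. Returns (unexpected, missing)."""
    allowed = minimal_allow_list(allow_ssh)
    observed = set(observed_open)
    return sorted(observed - allowed), sorted(allowed - observed)

def authd_client_port(config_text):
    """Port that authd advertises to the client for console (MKS) connections;
    902 when /etc/vmware/config has no authd.client.port entry."""
    match = AUTHD_PORT_RE.search(config_text)
    return int(match.group(1)) if match else 902

def console_mapping_consistent(config_text, nat_map):
    """nat_map is {external_port: internal_port} on the router (assumed shape).
    The advertised console port must be forwarded back to 902 on the host."""
    return nat_map.get(authd_client_port(config_text)) == 902

if __name__ == "__main__":
    # Constructed scan result: 80 and 5989 are exposed although not needed.
    print(audit_exposed_ports({80, 443, 902, 5989}))   # ([80, 5989], [])
    print(console_mapping_consistent(SAMPLE_CONFIG, {20443: 443, 20902: 902}))  # True
```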

gmx168 posted on 2014-9-15 16:22

http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1007289&sliceId=1&docTypeID=DT_KB_1_1&dialogID=370074490&stateId=1 0 370078656

Changing or blocking the default ports 80 (http) and 443 (https) on ESX hosts (1007289)

Purpose
This article provides steps to change or block the default ports 80 (http) and 443 (https) that vmware-hostd listens on.

Resolution

Changing the default ports

ESX 3.0.x

To change the default ports 80 (http) and 443 (https) for ESX 3.0.x:

1. Open the /etc/vmware/hostd/config.xml file with a text editor.

2. Locate the following XML segment:

   <proxysvc>
     <path>/usr/lib/vmware/hostd/libproxysvc.so</path>
     <http>
       <port>80</port>
       <proxyDatabase>
         <server id="0">
           <namespace> / </namespace>
           <host> localhost </host>
           <port> 9080 </port>
         </server>
         <redirect id="0"> /ui </redirect>
         <redirect id="1"> /mob </redirect>
         <redirect id="2"> /sdk </redirect>
       </proxyDatabase>
     </http>
     <https>
       <port>443</port>
       <proxyDatabase>
         <server id="0">
           <namespace> / </namespace>
           <host> localhost </host>
           <port> 9080 </port>
         </server>
         <server id="1">
           <namespace> /sdk </namespace>
           <host> localhost </host>
           <port> 8085 </port>
         </server>
         <server id="2">
           <namespace> /ui </namespace>
           <host> localhost </host>
           <port> 8080 </port>
         </server>
         <server id="3">
           <namespace>/mob</namespace>
           <host>localhost</host>
           <port>8087</port>
         </server>
       </proxyDatabase>
     </https>
   </proxysvc>

3. Change the http and https port numbers and save the file.

4. Restart the vmware-hostd process with the command:

   # service mgmt-vmware restart

ESX 3.5.x / ESX 4.0

To change the default ports 80 (http) and 443 (https) on ESX 3.5.x or ESX 4.0:

1. Open the /etc/vmware/hostd/proxy.xml file with a text editor.

2. Under <ConfigRoot>, add the following entry:

   <httpPort>custom port #</httpPort>
   <httpsPort>custom port #</httpsPort>

   For example:

   <httpPort>81</httpPort>
   <httpsPort>444</httpsPort>

3. Save the file.

4. Restart the vmware-hostd process with the command:

   # service mgmt-vmware restart

ESX 4.0

You can open service console firewall ports when you install third-party devices, services, and agents. Before you open ports to support the item you are installing, see vendor specifications to determine the necessary ports.

To open ports for services or agents that are not configurable through the vSphere Client:

Caution: VMware supports opening and closing firewall ports only through the vSphere Client or the esxcfg-firewall command. Using any other methods or scripts to open and close firewall ports can lead to unexpected behavior.

1. Log in to the service console and acquire root privileges.

2. Use the following command to open the port:

   esxcfg-firewall --openPort <port_number>,tcp|udp,in|out,<port_name>

   Where:

   - <port_number> is the vendor-specified port number.
   - Use tcp for TCP traffic or udp for UDP traffic.
   - Use in to open the port for inbound traffic or out to open it for outbound traffic.
   - <port_name> is a descriptive name to help identify the service or agent using the port. A unique name is not required.

   For example:

   esxcfg-firewall --openPort 6380,tcp,in,Navisphere

3. Run the following command to restart:

   # service mgmt-vmware restart

Note: VMware does not support configuring a different port for port 443. For more information, see Connecting to the Virtual Machine Console Through a Firewall in the ESX Configuration Guide.

Blocking the default ports

Note: The information in this section pertains to ESX 3.x and ESX 4.0.

You cannot block port 80 and 443 using the esxcfg-firewall commands. These commands return an error indicating that the port is not open.

Custom ports are blocked by default. To open a custom port, issue the following command:

esxcfg-firewall -o <port,tcp|udp,in|out,name>

For example:

esxcfg-firewall -o 81,tcp,in,http




gmx168 posted on 2014-9-15 16:52

My principle is still: don't change a default port unless you have to.

In cases where it is inconvenient to expose a particular port, such as 80, 443, 22 and so on, you can change the external port when setting up the port mapping on the router.

For example, the router does the port mapping: 443 --> 20443

So how do you access it from the client? You know the drill: just append :20443 to the IP address, see the picture:


liwenchao posted on 2014-9-15 20:10

Bookmarking this.

I want to get a tower server and install ESXi on it.

nighttob posted on 2014-9-15 23:04

Teacher Huang, are you reposting all this to prepare for an exam?

gmx168 posted on 2014-9-16 00:04

nighttob posted on 2014-9-15 23:04
Teacher Huang, are you reposting all this to prepare for an exam?

Keeping it on the forum as a reference; the Chinese parts are my own test results.

What exam? I need this for actual use.