Required ports for ESXi 5.1.x (2039095) - ports relevant to ESXi 5.1.x

1#
gmx168 posted on 2014-9-15 16:14
Official VMware KB: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2039095

When you access an ESXi host from the internal network you do not have to worry about anything: in a LAN environment it is always reachable. But what about remote access across a firewall/router? The corresponding ports have to be opened.

There are a great many related ports, but in my actual testing, in a simple setup of one client (VMware vSphere Client) accessing one server (ESXi host), only the following 2 ports are needed:

Port | Protocol | Source | Target | Description
443 | TCP | ESXi/ESX host | ESXi/ESX host | Host to host VM migration and provisioning
902 | TCP | vSphere Client | ESXi 5.1.x | vSphere Client access to virtual machine consoles (MKS)

TCP 443 is used for the vSphere Client's management connection to the ESXi host. Port 80 is not needed; a request to port 80 is automatically redirected to port 443.
TCP 902 is used for vSphere Client access to the virtual machine console, which is the thing shown below:

[screenshot: the virtual machine console window]

Of course, for the command-line experts who like to log in over SSH, TCP 22 is also required.

Port | Protocol | Source | Target | Description
22 | TCP | Client PC | ESXi 5.1.x | SSH Server

Port 22 is closed by default; it can be enabled as shown in the screenshot below:
Configuration --> Security Profile --> Services Properties... --> SSH --> Options... --> Start --> Start and stop with host --> OK

[screenshot: enabling the SSH service in the vSphere Client Security Profile]

Required ports for ESXi 5.1.x (2039095)

Purpose
This article outlines the required ports for using and accessing an ESXi 5.1 host. In addition, ports that are necessary to access external components, such as storage devices, management systems, etc, are listed. Ensure that these ports are open to access these components.

Note: If you are attaching your ESXi 5.1 host to vCenter Server, additional ports will be required. For more information, see Required ports for vCenter Server 5.1 (2031843).

Resolution
ESXi must be able to send and receive data from every vSphere Client. If you are attaching your ESXi host to vCenter Server, additional ports will be required. To enable migration and provisioning activities between managed hosts, the source and destination hosts must be able to receive data from each other.

Also, if you are attaching your ESXi host to external storage components, such as an NFS or iSCSI device, or management components, such as a SysLog server, monitoring system, etc, additional ports must be opened on the firewall in those instances.

Note: In Microsoft Windows Server 2008, a firewall is enabled by default.

This table outlines the ports required for communication between these components:

Port | Protocol | Source | Target | Description
22 | TCP | Client PC | ESXi 5.1.x | SSH Server
53 | UDP | ESXi 5.1.x | DNS Server | DNS Client
68 | UDP | ESXi 5.1.x | DHCP Server | DHCP Client
80 | TCP | Client PC | ESXi 5.1.x | Redirect Web Browser to HTTPS Service (443)
88 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication - Kerberos
111 | TCP | ESXi/ESX host | NFS Server | NFS Client – RPC Portmapper
111 | UDP | ESXi/ESX host | NFS Server | NFS Client – RPC Portmapper
123 | UDP | ESXi/ESX host | NTP Time Server | NTP Client
161 | UDP | SNMP Server | ESXi 4.x host | SNMP Polling. Not used in ESXi 3.x
162 | UDP | ESXi host | SNMP Collector | SNMP Trap Send
389 | TCP/UDP | ESXi host | LDAP Server | PAM Active Directory Authentication - Kerberos
427 | UDP | vSphere Client | ESXi/ESX host | CIM Service Location Protocol (SLP)
443 | TCP | vSphere Client | ESXi/ESX host | vSphere Client to ESXi/ESX host management connection
443 | TCP | ESXi/ESX host | ESXi/ESX host | Host to host VM migration and provisioning
445 | UDP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication
445 | TCP | ESXi host | MS Directory Services Server | PAM Active Directory Authentication
445 | TCP | ESXi host | SMB Server | SMB Server
464 | TCP | ESXi host | Active Directory Server | PAM Active Directory Authentication - Kerberos
514 | TCP/UDP | ESXi 5.1.x | Syslog Server | Remote syslog logging
902 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Host access to other hosts for migration and provisioning
902 | UDP | ESXi 5.1.x | vSphere Client | (UDP) Status update (heartbeat) connection from ESXi to vCenter Server
902 | TCP | vSphere Client | ESXi 5.1.x | vSphere Client access to virtual machine consoles (MKS)
49152 to 65535 | TCP/UDP | ESXi host | Active Directory Server | Bi-directional communication on TCP/UDP ports is required between the ESXi host and the Active Directory Domain Controller (via the netlogond process on the ESXi host). For more information, see Active Directory and Active Directory Domain Services Port Requirements and the Microsoft Knowledge Base article 179442.
2049 | TCP | ESXi 5.1.x | NFS Server | Transactions from NFS storage devices
2049 | UDP | ESXi 5.1.x | NFS Server | Transactions from NFS storage devices
3260 | TCP | ESXi 5.1.x | iSCSI storage server | Transactions to iSCSI storage devices
5900 to 5964 | TCP | ESXi 5.1.x | ESXi 5.1.x | RFB protocol, which is used by management tools such as VNC
5988 | TCP | CIM Server | ESXi 5.1.x | CIM transactions over HTTP
5989 | TCP | vCenter Server | ESXi 5.1.x | CIM XML transactions over HTTPS
5989 | TCP | ESXi 5.1.x | vCenter Server | CIM XML transactions over HTTPS
8000 | TCP | ESXi 5.1.x (VM Target) | ESXi 5.1.x (VM Source) | Requests from vMotion
8000 | TCP | ESXi 5.1.x (VM Source) | ESXi 5.1.x (VM Target) | Requests from vMotion
8100 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Traffic between hosts for vSphere Fault Tolerance (FT)
8182 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Traffic between hosts for vSphere High Availability (vSphere HA)
8200 | TCP/UDP | ESXi 5.1.x | ESXi 5.1.x | Traffic between hosts for vSphere Fault Tolerance (FT)
8301 | UDP | ESXi 5.1.x | ESXi 5.1.x | DVS port information
8302 | UDP | ESXi 5.1.x | ESXi 5.1.x | DVS port information
31100 | TCP | vCenter Server | SPS Server | Internal communication port
31000 | TCP | SPS Server | vCenter Server | Internal communication port






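The KB table above is long, and the post's own measurement narrows the client side down to 443 and 902 (plus 22 for SSH). As an added example, not code from the original post or from VMware's KB, here is a Python script that takes rows in the shape of that table, expands "TCP/UDP" and "A to B" ranges into one rule per protocol, and filters to the rows whose Source is the remote client role, so a firewall change request can be generated from the table instead of typed by hand. SAMPLE_ROWS is a constructed subset copied from the table; the iptables output format is an assumption about the perimeter firewall and is not something the KB specifies.

```python
"""Expand KB 2039095-style port rows into per-protocol firewall rules.

Added example, not part of the original post. SAMPLE_ROWS is a constructed
subset of the KB table; the iptables syntax emitted by to_iptables() is an
assumption about the administrator's firewall.
"""
import re
from dataclasses import dataclass
from typing import List, Sequence, Tuple

# Constructed sample rows: (port, protocol, source, target, description),
# copied from the KB table so range and dual-protocol cases are covered.
SAMPLE_ROWS: List[Tuple[str, str, str, str, str]] = [
    ("22", "TCP", "Client PC", "ESXi 5.1.x", "SSH Server"),
    ("80", "TCP", "Client PC", "ESXi 5.1.x", "Redirect Web Browser to HTTPS Service (443)"),
    ("427", "UDP", "vSphere Client", "ESXi/ESX host", "CIM Service Location Protocol (SLP)"),
    ("443", "TCP", "vSphere Client", "ESXi/ESX host", "vSphere Client to ESXi/ESX host management connection"),
    ("514", "TCP/UDP", "ESXi 5.1.x", "Syslog Server", "Remote syslog logging"),
    ("902", "TCP", "vSphere Client", "ESXi 5.1.x", "vSphere Client access to virtual machine consoles (MKS)"),
    ("5900 to 5964", "TCP", "ESXi 5.1.x", "ESXi 5.1.x", "RFB protocol, which is used by management tools such as VNC"),
    ("49152 to 65535", "TCP/UDP", "ESXi host", "Active Directory Server", "netlogond to the AD Domain Controller"),
]


@dataclass(frozen=True)
class Rule:
    proto: str          # "tcp" or "udp", one protocol per rule
    lo: int             # first port of the range (== hi for a single port)
    hi: int
    source: str
    target: str
    description: str


_RANGE = re.compile(r"^\s*(\d+)\s*(?:to|-)\s*(\d+)\s*$")


def parse_port(text: str) -> Tuple[int, int]:
    """Accept "443" or "5900 to 5964" and return (lo, hi), validated."""
    m = _RANGE.match(text)
    if m:
        lo, hi = int(m.group(1)), int(m.group(2))
    else:
        lo = hi = int(text.strip())
    if not (1 <= lo <= hi <= 65535):
        raise ValueError(f"bad port spec: {text!r}")
    return lo, hi


def expand(rows: Sequence[Tuple[str, str, str, str, str]]) -> List[Rule]:
    """One Rule per (row, protocol); "TCP/UDP" rows yield two rules."""
    rules: List[Rule] = []
    for port, proto, src, dst, desc in rows:
        lo, hi = parse_port(port)
        for p in proto.split("/"):
            p = p.strip().lower()
            if p not in ("tcp", "udp"):
                raise ValueError(f"unknown protocol in {proto!r}")
            rules.append(Rule(p, lo, hi, src, dst, desc))
    return rules


def rules_for_source(rows, source_prefixes) -> List[Rule]:
    """Keep only rules whose Source column names the given role(s)."""
    return [r for r in expand(rows) if r.source.startswith(source_prefixes)]


def to_iptables(rules: Sequence[Rule], chain: str = "FORWARD") -> List[str]:
    """Render rules as iptables commands (assumed firewall syntax)."""
    out = []
    for r in rules:
        dport = str(r.lo) if r.lo == r.hi else f"{r.lo}:{r.hi}"
        out.append(f"iptables -A {chain} -p {r.proto} --dport {dport} -j ACCEPT  # {r.description}")
    return out


if __name__ == "__main__":
    client_rules = rules_for_source(SAMPLE_ROWS, ("vSphere Client", "Client PC"))
    for line in to_iptables(client_rules):
        print(line)
```

Running it prints the client-facing rules the KB lists (22, 80, 427, 443 and 902 toward the host); compare that with the post's measurement, which found only 443 and 902 (and 22 for SSH) actually required for a vSphere Client session.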
2#
gmx168 (OP) posted on 2014-9-15 16:19
How do you change the default TCP port 902 used by the remote console?

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1134
Details
How do I change the port ESX Server uses for the remote console?
Solution

By default, the VMware Remote Console connects over port 902. To change the port the remote console uses, complete the following steps.
1.To change the port vmware-authd runs on, edit the /etc/xinetd.d/vmware-authd file. Change the port = entry to the desired port number. Do not use ports 80 and 443 -- they are already in use.
2.To change the port the console connects to from a remote client, edit the /etc/vmware/config file. Change the authd.client.port = "" entry to the same port from the previous step.
3.Restart xinetd.
/etc/init.d/xinetd restart
4.Restart the VMware Management Interface.
/etc/init.d/httpd.vmware restart
Now you can connect on the port you specified here.
------------------------------------------------------------
vi /etc/vmware/config
libdir = "/usr/lib/vmware"
authd.proxy.nfc = "vmware-hostd:ha-nfc"
authd.proxy.nfcssl = "vmware-hostd:ha-nfcssl"
authd.proxy.vpxa-nfcssl = "vmware-vpxa:vpxa-nfcssl"
authd.proxy.vpxa-nfc = "vmware-vpxa:vpxa-nfc"
authd.fullpath = "/sbin/authd"
authd.client.port = "20902"
------------------------------------------------------------
There is a router doing NAT upstream of the ESXi host, with a port mapping 902 --> 20902 already in place. No changes were made to the ESXi host's console port 902.
In fact, the path /etc/xinetd.d/vmware-authd does not exist on the ESXi host.
When the VMware vSphere Client accesses the ESXi host remotely across the router, ESXi automatically tells the client to connect to the console on port 20902.

3#
gmx168 (OP) posted on 2014-9-15 16:22
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=1007289&sliceId=1&docTypeID=DT_KB_1_1&dialogID=370074490&stateId=1 0 370078656

Changing or blocking the default ports 80 (http) and 443 (https) on ESX hosts (1007289)

Purpose
This article provides steps to change or block the default ports 80 (http) and 443 (https) that vmware-hostd listens on.

Resolution
Changing the default ports

ESX 3.0.x

To change the default ports 80 (http) and 443 (https) for ESX 3.0.x:
  • Open the /etc/vmware/hostd/config.xml file with a text editor.
  • Locate the following XML segment:

    <proxysvc>
    <path>/usr/lib/vmware/hostd/libproxysvc.so</path>
    <http>
    <port>80</port>
    <proxyDatabase>
    <server id="0">
    <namespace> / </namespace>
    <host> localhost </host>
    <port> 9080 </port>
    </server>
    <redirect id="0"> /ui </redirect>
    <redirect id="1"> /mob </redirect>
    <redirect id="2"> /sdk </redirect>
    </proxyDatabase>
    </http>
    <https>
    <port>443</port>
    <proxyDatabase>
    <server id="0">
    <namespace> / </namespace>
    <host> localhost </host>
    <port> 9080 </port>
    </server>
    <server id="1">
    <namespace> /sdk </namespace>
    <host> localhost </host>
    <port> 8085 </port>
    </server>
    <server id="2">
    <namespace> /ui </namespace>
    <host> localhost </host>
    <port> 8080 </port>
    </server>
    <server id="3">
    <namespace>/mob</namespace>
    <host>localhost</host>
    <port>8087</port>
    </server>
    </proxyDatabase>
    </https>
    </proxysvc>


  • Change the http and https port numbers and save the file.
  • Restart the vmware-hostd process with the command:

    # service mgmt-vmware restart

ESX 3.5.x / ESX 4.0

To change the default ports 80 (http) and 443 (https) on ESX 3.5.x or ESX 4.0:
  • Open the /etc/vmware/hostd/proxy.xml file with a text editor.
  • Under <ConfigRoot>, add the following entry:

    <httpPort>custom port #</httpPort>

    <httpsPort>custom port #</httpsPort>

    For example:

    <httpPort>81</httpPort>

    <httpsPort>444</httpsPort>


  • Save the file.
  • Restart the vmware-hostd process with the command:

    # service mgmt-vmware restart

ESX 4.0

You can open service console firewall ports when you install third-party devices, services, and agents. Before you open ports to support the item you are installing, see vendor specifications to determine the necessary ports.

To open ports for services or agents that are not configurable through the vSphere Client:

Caution: VMware supports opening and closing firewall ports only through the vSphere Client or the esxcfg-firewall command. Using any other methods or scripts to open and close firewall ports can lead to unexpected behavior.
  • Log in to the service console and acquire root privileges.
  • Use the following command to open the port:

    esxcfg-firewall --openPort <port_number>,tcp|udp,in|out,<port_name>

    Where:
    • <port_number> is the vendor-specified port number.
    • Use tcp for TCP traffic or udp for UDP traffic.
    • Use in to open the port for inbound traffic or out to open it for outbound traffic.
    • <port_name> is a descriptive name to help identify the service or agent using the port. A unique name is not required.

      For example:

      esxcfg-firewall --openPort 6380,tcp,in,Navisphere

  • Run the following command to restart:

    # service mgmt-vmware restart
Note: VMware does not support configuring a different port for port 443. For more information, see Connecting to the Virtual Machine Console Through a Firewall in the ESX Configuration Guide.
Blocking the default ports  
Note: The information in this section pertains to ESX 3.x and ESX 4.0.
   
You cannot block port 80 and 443 using the esxcfg-firewall commands. These commands return an error indicating that the port is not open.

Custom ports are blocked by default. To open a custom port, issue the following command:

esxcfg-firewall -o <port,tcp|udp,in|out,name>

For example:

esxcfg-firewall -o 81,tcp,in,http




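The ESX 3.0.x procedure above changes the listener ports by hand-editing the <port> values inside <proxysvc>. As an added example that is not part of the KB text or of the post, this Python script makes the same change with an XML parser, so a broken tag like the "/https>" in the pasted listing cannot be introduced, and it refuses the collisions the KB articles warn about: http and https must differ, and the new port must not be one another hostd-side service already uses (902 for vmware-authd by default, per KB 1134). CONFIG_SAMPLE is a trimmed, constructed copy of the listing wrapped in a <config> root element, which is an assumption about the real file's outer element. KB 1007289 also notes that running 443 on a different port is not supported, so this applies only to the ESX 3.0.x case the article describes.

```python
"""Change the vmware-hostd http/https listener ports in an ESX 3.0.x-style
/etc/vmware/hostd/config.xml without breaking the XML.

Added example, not from the KB or the post. CONFIG_SAMPLE is a constructed,
trimmed copy of the <proxysvc> listing; the <config> root element is assumed.
"""
import xml.etree.ElementTree as ET

AUTHD_PORT = 902  # vmware-authd default (KB 1134); must not be reused for hostd

CONFIG_SAMPLE = """<config>
  <proxysvc>
    <path>/usr/lib/vmware/hostd/libproxysvc.so</path>
    <http>
      <port>80</port>
      <proxyDatabase>
        <server id="0"><namespace>/</namespace><host>localhost</host><port>9080</port></server>
        <redirect id="0">/ui</redirect>
        <redirect id="1">/mob</redirect>
        <redirect id="2">/sdk</redirect>
      </proxyDatabase>
    </http>
    <https>
      <port>443</port>
      <proxyDatabase>
        <server id="0"><namespace>/</namespace><host>localhost</host><port>9080</port></server>
        <server id="1"><namespace>/sdk</namespace><host>localhost</host><port>8085</port></server>
        <server id="2"><namespace>/ui</namespace><host>localhost</host><port>8080</port></server>
        <server id="3"><namespace>/mob</namespace><host>localhost</host><port>8087</port></server>
      </proxyDatabase>
    </https>
  </proxysvc>
</config>"""


def listener_ports(xml_text: str) -> dict:
    """Return {"http": port, "https": port} for the hostd listeners.

    Only the direct <port> child of <http>/<https> is the listener; the
    <port> elements under <proxyDatabase> are backend targets and stay as-is.
    """
    root = ET.fromstring(xml_text)
    return {s: int(root.findtext(f"./proxysvc/{s}/port")) for s in ("http", "https")}


def set_hostd_ports(xml_text: str, http_port=None, https_port=None,
                    in_use=frozenset({AUTHD_PORT})) -> str:
    """Rewrite the listener port(s) and return the new XML text.

    Rejects: out-of-range ports, http == https, and ports in `in_use`.
    """
    root = ET.fromstring(xml_text)
    proxysvc = root.find("./proxysvc")
    if proxysvc is None:
        raise ValueError("no <proxysvc> element in config")
    requested = {"http": http_port, "https": https_port}
    final = {}
    for scheme, new in requested.items():
        el = proxysvc.find(f"./{scheme}/port")
        if el is None:
            raise ValueError(f"no <{scheme}><port> element")
        final[scheme] = int(el.text) if new is None else new
    if final["http"] == final["https"]:
        raise ValueError("http and https listener ports must differ")
    for scheme, new in requested.items():
        if new is None:
            continue
        if not 1 <= new <= 65535:
            raise ValueError(f"{scheme} port {new} out of range")
        if new in in_use:
            raise ValueError(f"{scheme} port {new} is already used by another service")
        proxysvc.find(f"./{scheme}/port").text = str(new)
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(set_hostd_ports(CONFIG_SAMPLE, http_port=81, https_port=444))
```

After writing the result back to config.xml, the KB's remaining step still applies: restart vmware-hostd with `service mgmt-vmware restart`.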
4#
gmx168 (OP) posted on 2014-9-15 16:52
My rule is still: do not change the default ports unless I have to.

In some situations where it is inconvenient to expose particular ports, such as 80, 443, 22 and so on, you can change the external port when you set up the port mapping on the router.

For example, a port mapping on the router: 443 --> 20443

So what do you do on the client side? You know the answer: just append :20443 to the IP address, see the picture:

[screenshot: vSphere Client login with the host address followed by :20443]

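As an added example (not code from the original post), the following Python script checks from the client side that the NAT-mapped ports are actually reachable before a vSphere Client session is attempted: the management port 443 via the router's external port, and the console port 902 via its mapped port, matching the 443 --> 20443 mapping in this reply and the 902 --> 20902 mapping from reply 2#. The mapping dictionary and the 192.0.2.10 address are constructed placeholders; open_local_listener exists only so the checker can be self-tested against a local socket.

```python
"""Client-side reachability check for a NAT-mapped ESXi 5.1 host.

Added example, not from the original post. DEFAULT_MAPPING and the
192.0.2.10 address are constructed; open_local_listener() is a self-test aid.
"""
import socket
import sys
from typing import Dict, Tuple

# Internal ESXi port -> external port on the router (constructed to match
# the thread: 443 -> 20443 from this reply, 902 -> 20902 from reply 2#,
# 22 left unmapped).
DEFAULT_MAPPING: Dict[int, int] = {443: 20443, 902: 20902, 22: 22}


def tcp_open(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake completes; False on refusal, reset or timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:          # includes socket.timeout and ECONNREFUSED
        return False


def check_esxi_access(host: str, mapping: Dict[int, int] = DEFAULT_MAPPING,
                      need_ssh: bool = False, timeout: float = 3.0) -> Dict[int, bool]:
    """Return {internal_port: reachable} for 443 and 902 (plus 22 if need_ssh).

    Each internal port is probed on its external mapped port; a port that is
    not in the mapping is assumed to be forwarded 1:1.
    """
    wanted = [443, 902] + ([22] if need_ssh else [])
    result = {}
    for internal in wanted:
        external = mapping.get(internal, internal)
        result[internal] = tcp_open(host, external, timeout)
    return result


def missing_ports(result: Dict[int, bool]) -> list:
    """Internal ports that the client could not reach, sorted."""
    return sorted(p for p, ok in result.items() if not ok)


def open_local_listener() -> Tuple[socket.socket, int]:
    """Self-test helper: a listening TCP socket on 127.0.0.1, ephemeral port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s, s.getsockname()[1]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # placeholder address
    report = check_esxi_access(target, need_ssh=True)
    for port, ok in sorted(report.items()):
        print(f"internal {port:>3} via external {DEFAULT_MAPPING.get(port, port):>5}: "
              f"{'open' if ok else 'BLOCKED'}")
    sys.exit(1 if missing_ports(report) else 0)
```

The check only proves the router forwards and the host accepts the TCP connection; it says nothing about whether the console will work, because (as reply 2# shows) the host tells the client which console port to use, so the port in authd.client.port must be the one the router actually maps.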
5#
liwenchao posted on 2014-9-15 20:10
Bookmarking this.

I want to get a tower server and install ESXi on it.
6#
nighttob posted on 2014-9-15 23:04
Teacher Huang, is this copied over as exam prep?
7#
gmx168 (OP) posted on 2014-9-16 00:04
> nighttob posted on 2014-9-15 23:04
> Teacher Huang, is this copied over as exam prep?

I put it on the forum as a memo; the Chinese parts are my own test results.

What exam? I need this for real use.