@jasonberanek
Last active January 29, 2018 18:59
Enabling VNC support in the VMware ESXi 5.x Firewall

VMware ESXi includes a built-in VNC server that can be used to reach a VM's console, either from automated tools (e.g., veewee) or by users on platforms where the vSphere Client is not supported. In ESXi 5.x, the built-in firewall blocks inbound VNC traffic to that server even when an individual VM has been configured to allow VNC access, so the firewall has to be modified to permit the appropriate ports.

The scripts below can be run from the ESXi command line to set up the firewall rules VNC needs. A few items to note:

  • The scripts assume the firewall rules file is the default shipped with 5.0.0 update 2 build 914586 and/or 5.1.0 build 799733 (they may work in other versions)
  • To persist the settings across a reboot, the firewall rules file has to be copied either to a specific datastore mapped to the host or to the local persistent storage linked under the /store directory. In addition, either /etc/rc.local (ESXi 5.0) or /etc/rc.local.d/local.sh (ESXi 5.1) must include steps that reinitialize the firewall rules on each reboot by pulling in that file and refreshing the firewall.
    • In the case of ESXi 5.1, this is counter to the VMware documentation, which recommends putting this content in /etc/profile.local; however, I was unable to get those settings working.
  • The scripts were tested on ESXi 5.0.0 update 2 build 914586 and ESXi 5.1.0 build 799733

References

#!/bin/sh
# ESXi 5.0 version: the reboot hook goes in /etc/rc.local
mkdir -p /store/firewall
# Copy the service.xml firewall rules to persistent storage
# so they can survive reboot
cp /etc/vmware/firewall/service.xml /store/firewall
# Remove the closing root tag so the new rule can be appended
sed -i "s/<\/ConfigRoot>//" /store/firewall/service.xml
# Add a rule for inbound VNC connections (TCP 5900-5964); service id 0033
# assumes the default rules file on the builds listed above
echo "
<service id='0033'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>" >> /store/firewall/service.xml
# Copy the updated service.xml to the location the firewall reads
# and refresh the firewall rules
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
# Add steps to /etc/rc.local to repeat the copy and refresh on each reboot
echo "
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh" >> /etc/rc.local

#!/bin/sh
# ESXi 5.1 version: the reboot hook goes in /etc/rc.local.d/local.sh
mkdir -p /store/firewall
# Copy the service.xml firewall rules to persistent storage
# so they can survive reboot
cp /etc/vmware/firewall/service.xml /store/firewall
# Remove the closing root tag so the new rule can be appended
sed -i "s/<\/ConfigRoot>//" /store/firewall/service.xml
# Add a rule for inbound VNC connections (TCP 5900-5964); service id 0033
# assumes the default rules file on the builds listed above
echo "
<service id='0033'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>" >> /store/firewall/service.xml
# Copy the updated service.xml to the location the firewall reads
# and refresh the firewall rules
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
# local.sh must end with "exit 0", so drop the existing one and put it back
# after the new steps
sed -i "s/exit 0//" /etc/rc.local.d/local.sh
# Add steps to local.sh to repeat the copy and refresh on each reboot
echo "
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
exit 0" >> /etc/rc.local.d/local.sh
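As an added example (my code, not part of the gist), here is an idempotent form of the same procedure: the vnc service is appended only if the rules file does not already contain one, the service id is taken from the file instead of being hard-coded as 0033 (so it also fits rule files that are not the 5.0/5.1 defaults), and the boot hook carries the `test -f` guard that @efine suggests in the comments. Two things are my additions beyond the gist: the hook restricts the new ruleset to a single management network with `esxcli network firewall ruleset set --allowed-all=false` and `ruleset allowedip add` (192.0.2.0/24 is a placeholder), so the console ports are not reachable from every source, and because I have not verified that the allowed-ip settings survive a reboot on their own, the hook reapplies them each boot. The rule-editing functions take the path of the file to edit, so the demo at the bottom runs against a constructed rules file in a temp directory; only `install_on_host` touches real ESXi paths, and the demo does not call it.

```shell
#!/bin/sh
# Added example, not part of the gist: idempotent version of the service.xml edit.

# Append a VNC service to the rules file at $1 unless one is already there.
# The numeric service id is the highest id in the file plus one.
add_vnc_service() {
    f="$1"
    if grep -q '<id>vnc</id>' "$f"; then
        echo "vnc service already present in $f, nothing to do" >&2
        return 0
    fi
    # Highest existing id; leading zeros stripped so $(( )) does not read it as octal.
    max=$(sed -n "s/.*<service id='\([0-9]*\)'>.*/\1/p" "$f" | sort -n | tail -n 1 | sed 's/^0*//')
    next=$(printf '%04d' $(( ${max:-0} + 1 )))
    # Drop the closing root tag, append the service, then restore the tag.
    sed -i 's#</ConfigRoot>##' "$f"
    cat >> "$f" <<EOF
<service id='$next'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>
EOF
}

# Boot hook for an ESXi 5.1-style local.sh at $1. $2 is the only network allowed
# to reach the VNC ports (assumed value). A marker comment keeps repeated runs
# from appending the block twice; the hook has no set -e, so a failing esxcli
# line does not abort the rest of the boot sequence.
add_boot_hook() {
    hook="$1"
    grep -q '# vnc-firewall-hook' "$hook" && return 0
    sed -i '/^exit 0$/d' "$hook"
    cat >> "$hook" <<EOF
# vnc-firewall-hook
if test -f /store/firewall/service.xml; then
  cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
  esxcli network firewall refresh
  esxcli network firewall ruleset set --ruleset-id=vnc --allowed-all=false
  esxcli network firewall ruleset allowedip add --ruleset-id=vnc --ip-address=$2
fi
exit 0
EOF
}

# Host-only: every path here is a real ESXi path. $1 is the management network.
install_on_host() {
    mkdir -p /store/firewall
    [ -f /store/firewall/service.xml ] || cp /etc/vmware/firewall/service.xml /store/firewall/service.xml
    add_vnc_service /store/firewall/service.xml
    add_boot_hook /etc/rc.local.d/local.sh "$1"
    # Apply now rather than waiting for the next boot.
    cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
    esxcli network firewall refresh
    esxcli network firewall ruleset set --ruleset-id=vnc --allowed-all=false
    esxcli network firewall ruleset allowedip add --ruleset-id=vnc --ip-address="$1"
}

# Demo on a constructed rules file and hook in a temp dir (never touches the host).
demo_dir=$(mktemp -d)
demo_xml="$demo_dir/service.xml"
cat > "$demo_xml" <<'EOF'
<ConfigRoot>
<service id='0000'>
<id>sshServer</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>22</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>
EOF
add_vnc_service "$demo_xml"
add_vnc_service "$demo_xml"   # second call is a no-op
demo_hook="$demo_dir/local.sh"
printf '#!/bin/sh\nexit 0\n' > "$demo_hook"
add_boot_hook "$demo_hook" "192.0.2.0/24"
add_boot_hook "$demo_hook" "192.0.2.0/24"
cat "$demo_xml" "$demo_hook"
```

On a host you would call `install_on_host 192.0.2.0/24` (with your own management network) after sourcing the file; the demo leaves the constructed files under the temp directory it prints nothing about, so remove it when done.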
@justinclayton

On my ESXi 5.0 Update 1 host (build 623860), I don't have an /etc/profile.local, nor do I have a /store at all. While I'm not certain, I suspect this is because our environment does stateless PXE-based imaging for our ESXi hosts using vSphere Auto Deploy. Another method will need to be used for these types of host deployments.

@jasonberanek
Author

@justinclayton If vSphere Auto Deploy can support adding a script that gets executed on each boot, you could put in the logic to set the firewall settings that way, but I don't see enough in the documentation of Auto Deploy or Host Profiles to give me any feeling it will one way or another. Note, the /store directory is merely a symbolic link to a datastore, though I don't know whether there are limitations on when it is created (e.g., is it only created when there is a local datastore on the host).

If I learn anything more, I'll be sure to update the gist accordingly.

@efine

efine commented Nov 28, 2014

This was really helpful, thanks! I made a small change in the local.sh file, just to be sure there is less probability of messing up the boot sequence if something goes awry. I tested the script by running it on the command line, and it seems ok.

if test -f /store/firewall/service.xml; then
  cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
  esxcli network firewall refresh
fi

@epowell

epowell commented Sep 14, 2015

The 5.1 version of the script also works for ESXi v6.0.0 (build-2494585). Thanks!

@megahall

It appears the complexity of this can be avoided in ESXi 6.5.X by using esxcli network firewall ruleset set -e true -r gdbserver.

@timsutton

Just to chime in, the esxcli network firewall ruleset set -e true -r gdbserver command also seems to work for 6.0.0.

@xavierholt

Confirmed that the esxcli network firewall ruleset set -e true -r gdbserver command works in ESXi 5.5 as well. The docs seem to indicate that it's available as far back as 5.1 (maybe with a slightly different syntax? they're not very good docs).
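The one-line gdbserver approach in the last three comments can only work because that ruleset already covers the VNC console ports, so before relying on it, it is worth seeing what else it opens. As an added example (my code, not from the gist or any of the commenters), the functions below read any service.xml, report the port ranges a named ruleset allows, and say whether any of them reach outside a given range. The demo runs against a constructed rules file: its gdbserver ranges are sample values, not a claim about any particular ESXi build. On a real host, point `ruleset_ports` at /etc/vmware/firewall/service.xml, or compare with the live view from `esxcli network firewall ruleset rule list --ruleset-id=gdbserver`.

```shell
#!/bin/sh
# Added example, not part of the gist: inspect what a firewall ruleset opens.

# Print "begin-end" for every rule of ruleset $2 in the rules file $1.
# First awk isolates the <service> block whose <id> matches; the second pulls
# the port ranges (and single <port>N</port> entries) out of that block.
ruleset_ports() {
    awk -v want="$2" '
        /<service / { buf = ""; hit = 0 }
        { buf = buf $0 "\n" }
        $0 ~ ("<id>" want "</id>") { hit = 1 }
        /<\/service>/ { if (hit) printf "%s", buf }
    ' "$1" | awk -F'[<>]' '
        /<begin>/ { lo = $3 }
        /<end>/   { print lo "-" $3 }
        /<port>[0-9]+<\/port>/ { print $3 "-" $3 }
    '
}

# Exit 0 if any rule of ruleset $2 in $1 reaches outside the range $3-$4,
# exit 1 if all rules fit (or the ruleset has no rules).
ruleset_opens_beyond() {
    ruleset_ports "$1" "$2" | awk -F- -v lo="$3" -v hi="$4" '
        ($1 < lo || $2 > hi) { extra = 1 }
        END { exit extra ? 0 : 1 }
    '
}

# Demo on a constructed rules file (sample ranges, not a real host's file).
demo_dir=$(mktemp -d)
demo_xml="$demo_dir/service.xml"
cat > "$demo_xml" <<'EOF'
<ConfigRoot>
<service id='0000'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
<service id='0001'>
<id>gdbserver</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>1000</begin>
<end>9999</end>
</port>
</rule>
<rule id='0001'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>50000</begin>
<end>50999</end>
</port>
</rule>
<enabled>false</enabled>
<required>false</required>
</service>
</ConfigRoot>
EOF

echo "vnc opens:";       ruleset_ports "$demo_xml" vnc
echo "gdbserver opens:"; ruleset_ports "$demo_xml" gdbserver
if ruleset_opens_beyond "$demo_xml" gdbserver 5900 5964; then
    echo "gdbserver reaches ports outside the VNC console range 5900-5964"
fi
```

The check is deliberately file-based rather than `esxcli`-based so it can be run against a copy of service.xml pulled off a host, or against the persisted copy under /store/firewall, without needing shell access to ESXi at the time.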
