@jasonberanek
Last active January 29, 2018 18:59
Enabling VNC support in the VMware ESXi 5.x Firewall

VMware ESXi includes a built-in VNC server that can be used to reach a VM's console, either from automated tools (e.g., veewee) or by users on platforms where the vSphere Client is not supported. In ESXi 5.x, however, the host's built-in firewall does not let VNC traffic reach that server, even when an individual VM has been configured to expose a VNC console. To make VNC access work, the firewall has to be modified to allow the appropriate ports.

The scripts below can be run from the ESXi command line to set up the firewall rules VNC needs. A few items to note:

  • The scripts assume the firewall rules file is the default shipped with 5.0.0 update 2 build 914586 and/or 5.1.0 build 799733 (they may work in other versions).
  • To persist the settings across a reboot, the firewall rules file has to be copied either to a datastore mapped to the host or to the local persistent storage linked under the /store directory. In addition, either /etc/rc.local (ESXi 5.0) or /etc/rc.local.d/local.sh (ESXi 5.1) must include steps that reinitialize the firewall rules on each boot by copying that file back into place and refreshing the firewall.
    • In the case of ESXi 5.1, this runs counter to the VMware documentation, which recommends putting this content in /etc/profile.local; however, I was unable to get those settings working.
  • The scripts were tested on ESXi 5.0.0 update 2 build 914586 and ESXi 5.1.0 build 799733.

#!/bin/sh
# ESXi 5.0 variant: the rule is re-applied on each boot from /etc/rc.local
mkdir -p /store/firewall
# Copy the service.xml firewall rules to persistent storage
# so they survive a reboot
cp /etc/vmware/firewall/service.xml /store/firewall
# Remove the closing tag so the new service block can be appended
sed -i "s/<\/ConfigRoot>//" /store/firewall/service.xml
# Add the rule for VNC connections (TCP 5900-5964 inbound) and restore the closing tag
echo "
<service id='0033'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>" >> /store/firewall/service.xml
# Copy the updated service.xml back to the location the firewall reads
# and refresh the firewall rules
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
# Add steps to /etc/rc.local so the rules are re-applied on reboot
echo "
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh" >> /etc/rc.local

#!/bin/sh
# ESXi 5.1 variant: the rule is re-applied on each boot from /etc/rc.local.d/local.sh
mkdir -p /store/firewall
# Copy the service.xml firewall rules to persistent storage
# so they survive a reboot
cp /etc/vmware/firewall/service.xml /store/firewall
# Remove the closing tag so the new service block can be appended
sed -i "s/<\/ConfigRoot>//" /store/firewall/service.xml
# Add the rule for VNC connections (TCP 5900-5964 inbound) and restore the closing tag
echo "
<service id='0033'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>" >> /store/firewall/service.xml
# Copy the updated service.xml back to the location the firewall reads
# and refresh the firewall rules
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
# Drop the trailing 'exit 0' from local.sh so the appended steps actually run
sed -i "s/exit 0//" /etc/rc.local.d/local.sh
# Add steps to /etc/rc.local.d/local.sh so the rules are re-applied on reboot,
# then put the 'exit 0' back at the end
echo "
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
exit 0" >> /etc/rc.local.d/local.sh
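The scripts above strip </ConfigRoot>, append a block with a hard-coded service id, and add a duplicate entry if run twice. The following is an added example, not part of the gist, of the same "add a VNC service" step done idempotently: it inserts the block before the closing tag, picks the next free service id, and skips the edit when a vnc service is already present. The placeholder service.xml it writes is constructed for the demonstration and is not the real ESXi rule list.

```shell
#!/bin/sh
# Added example (not the gist's code): idempotent VNC rule insertion for an
# ESXi 5.x service.xml. Inserts before </ConfigRoot> instead of stripping the
# tag, picks the next free service id, and skips if vnc already exists.

# next_service_id FILE: first unused 4-digit service id (leading zeros are
# stripped before the arithmetic so that 00xx is not parsed as octal).
next_service_id() {
  max=$(sed -n "s/.*<service id='\([0-9]*\)'.*/\1/p" "$1" | sort -n | tail -n 1 | sed 's/^0*//')
  printf '%04d' $(( ${max:-0} + 1 ))
}

# add_vnc_rule FILE [BEGIN END]: 0 = rule added, 1 = vnc already present,
# 2 = FILE is not a ConfigRoot document. On a host, run
# 'esxcli network firewall refresh' afterwards so the change takes effect.
add_vnc_rule() {
  f=$1; begin=${2:-5900}; end=${3:-5964}
  grep -q '</ConfigRoot>' "$f" || return 2
  grep -q '<id>vnc</id>' "$f" && return 1
  sid=$(next_service_id "$f"); tmp="$f.tmp.$$"
  {
    sed '/<\/ConfigRoot>/,$d' "$f"   # everything before the closing tag
    cat <<EOF
<service id='$sid'>
<id>vnc</id>
<rule id='0000'>
<direction>inbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>$begin</begin>
<end>$end</end>
</port>
</rule>
<enabled>true</enabled>
<required>false</required>
</service>
</ConfigRoot>
EOF
  } > "$tmp" && mv "$tmp" "$f"
}

# make_sample_xml FILE: constructed minimal service.xml in the default file's
# layout (one placeholder service only, not the real ESXi rule list).
make_sample_xml() {
  printf '%s\n' "<ConfigRoot>" "<service id='0010'>" "<id>placeholderService</id>" \
    "<rule id='0000'><direction>inbound</direction><protocol>tcp</protocol>" \
    "<porttype>dst</porttype><port>8000</port></rule>" \
    "<enabled>false</enabled><required>false</required>" "</service>" "</ConfigRoot>" > "$1"
}
```

Source the file and call add_vnc_rule on a copy of /etc/vmware/firewall/service.xml (for example the one kept under /store/firewall), then copy it into place and refresh the firewall as the gist does.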
@xavierholt

Confirmed that the esxcli network firewall ruleset set -e true -r gdbserver command works in ESXi 5.5 as well. The docs seem to indicate that it's available as far back as 5.1 (maybe with a slightly different syntax? they're not very good docs).
