Forked from jasonberanek/
Last active September 10, 2015 04:03
Enabling VNC support in the VMware ESXi 5.x Firewall - Used by Packer for vmware-iso on the ESXi hypervisor

VMware ESXi includes a built-in VNC server that can expose a VM's console to automated tools (e.g. veewee or Packer) and to users on platforms where the vSphere Client is not supported. In ESXi 5.x, the built-in firewall does not let VNC traffic reach that server, even when an individual VM has been configured to publish its console over VNC (the RemoteDisplay.vnc.* settings in its .vmx). To make the console reachable, the firewall has to be modified to allow the appropriate ports. Note that the only authentication on that console is the optional per-VM VNC password, so once the ports are open they should be restricted to the addresses of the hosts that actually drive the builds.

The scripts below (one for ESXi 5.0, one for ESXi 5.1) can be run from the ESXi command line to set up the firewall rules necessary to reach the VNC server. A few items to note:

  • The scripts assume the firewall rules file (/etc/vmware/firewall/service.xml) is the default shipped with 5.0.0 update 2 build 914586 and/or 5.1.0 build 799733; they may work on other versions, but check first that the hard-coded service id 0033 is not already taken in your service.xml.
  • To persist the settings across a reboot, the modified firewall file must be copied to either a specific datastore mapped to the host or the local persistent storage linked under the /store directory. Further, either /etc/rc.local (ESXi 5.0) or the local.sh startup script under /etc/rc.local.d/ (ESXi 5.1) must include steps that reinitialize the firewall rules on each reboot by copying that file back into place and refreshing the firewall.
    • In the case of ESXi 5.1, this is counter to the VMware documentation, which recommends putting this content in /etc/profile.local; however, I was unable to get those settings working.
  • The scripts were tested on ESXi 5.0.0 update 2 build 914586 and ESXi 5.1.0 build 799733.


# ESXi 5.0: add the VNC service to the firewall and re-apply it from /etc/rc.local on boot
mkdir -p /store/firewall
# Copy the service.xml firewall rules to persistent storage
# so the modified copy survives a reboot
cp /etc/vmware/firewall/service.xml /store/firewall
# Remove the closing root tag so the new service can be appended
# (it is re-added at the end of the appended block)
sed -i "s/<\/ConfigRoot>//" /store/firewall/service.xml
# Add the VNC service. Service id 0033 must not collide with an existing
# entry in service.xml (it is free in the builds this was tested on).
# 5900-5999 is the conventional VNC range; it must cover the
# RemoteDisplay.vnc.port values configured on the VMs.
echo "
<service id='0033'>
  <id>VNC</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>
      <begin>5900</begin>
      <end>5999</end>
    </port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
</ConfigRoot>" >> /store/firewall/service.xml
# Copy the updated service.xml to the location the firewall reads,
# then reload the rules
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
# Append the same copy-and-refresh steps to /etc/rc.local so they
# run again on every reboot
echo "
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh" >> /etc/rc.local
# ESXi 5.1: same firewall change, re-applied from /etc/rc.local.d/local.sh on boot
mkdir -p /store/firewall
# Copy the service.xml firewall rules to persistent storage
# so the modified copy survives a reboot
cp /etc/vmware/firewall/service.xml /store/firewall
# Remove the closing root tag so the new service can be appended
# (it is re-added at the end of the appended block)
sed -i "s/<\/ConfigRoot>//" /store/firewall/service.xml
# Add the VNC service. Service id 0033 must not collide with an existing
# entry in service.xml (it is free in the builds this was tested on).
# 5900-5999 is the conventional VNC range; it must cover the
# RemoteDisplay.vnc.port values configured on the VMs.
echo "
<service id='0033'>
  <id>VNC</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>
      <begin>5900</begin>
      <end>5999</end>
    </port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
</ConfigRoot>" >> /store/firewall/service.xml
# Copy the updated service.xml to the location the firewall reads,
# then reload the rules
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
# On ESXi 5.1 the persistent startup script is /etc/rc.local.d/local.sh and
# ends with "exit 0". Strip that line so the appended commands run on boot,
# then append the copy-and-refresh steps and restore the exit.
sed -i "s/exit 0//" /etc/rc.local.d/local.sh
echo "
cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
esxcli network firewall refresh
exit 0" >> /etc/rc.local.d/local.sh
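The scripts above hard-code service id 0033 and append a second copy of the service if they are run twice. The following POSIX shell is an added example (not the gist author's code) that performs the same edit but computes the next free service id from the file, skips the insert when a VNC service is already present, and then restricts the resulting ruleset to a single client address. It assumes the ESXi 5.x service.xml layout (a ConfigRoot of `<service id='NNNN'>` elements), that the firewall ruleset id equals the `<id>` text (VNC), the conventional 5900-5999 range, and the ESXi 5.x `esxcli network firewall ruleset set / allowedip add` syntax; the esxcli calls only run when esxcli is on PATH, and the sample service.xml is constructed so the functions can be exercised off the host.

```shell
#!/bin/sh
# Added example, not part of the original gist. Idempotently adds a VNC
# service to an ESXi-style service.xml and restricts the ruleset to one client.
# Assumptions: ESXi 5.x service.xml layout, ruleset id == <id>VNC</id>,
# VNC range 5900-5999, ESXi 5.x esxcli syntax. Sample XML below is constructed.

# next_service_id FILE: lowest unused 4-digit service id in FILE.
next_service_id() {
    last=$(sed -n "s/.*<service id='\([0-9][0-9]*\)'.*/\1/p" "$1" | sort -n | tail -n 1)
    if [ -z "$last" ]; then
        printf '0000'
        return 0
    fi
    n=$(printf '%s' "$last" | sed 's/^0*//')   # strip zero padding before arithmetic
    [ -n "$n" ] || n=0
    printf '%04d' $((n + 1))
}

# add_vnc_service FILE [BEGIN] [END]: append a VNC service before the closing
# </ConfigRoot> unless one is already present. Prints the id it used.
add_vnc_service() {
    f=$1
    begin=${2:-5900}
    end=${3:-5999}
    if grep -q '<id>VNC</id>' "$f"; then
        echo "VNC service already present in $f, nothing to do" >&2
        return 0
    fi
    sid=$(next_service_id "$f")
    tmp="$f.tmp.$$"
    # Drop the closing root tag, append the service, then close the root again.
    sed '/^[[:space:]]*<\/ConfigRoot>[[:space:]]*$/d' "$f" > "$tmp"
    cat >> "$tmp" <<EOF
<service id='$sid'>
  <id>VNC</id>
  <rule id='0000'>
    <direction>inbound</direction>
    <protocol>tcp</protocol>
    <porttype>dst</porttype>
    <port>
      <begin>$begin</begin>
      <end>$end</end>
    </port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
</ConfigRoot>
EOF
    mv "$tmp" "$f"
    echo "$sid"
}

# vnc_service_count FILE: number of VNC services in FILE (exactly 1 after a correct run).
vnc_service_count() {
    grep -c '<id>VNC</id>' "$1" || true
}

# apply_and_restrict CLIENT: reload the rules and accept VNC only from CLIENT
# (address or CIDR of the Packer/veewee host). Skipped where esxcli is absent.
apply_and_restrict() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found, skipping firewall refresh" >&2
        return 0
    fi
    esxcli network firewall refresh
    esxcli network firewall ruleset set --ruleset-id=VNC --allowed-all=false
    esxcli network firewall ruleset allowedip add --ruleset-id=VNC --ip-address="$1"
    esxcli network firewall ruleset allowedip list --ruleset-id=VNC
}

# make_sample_xml FILE: constructed stand-in for /etc/vmware/firewall/service.xml
# with two existing services (ids 0000 and 0001), for running this off the host.
make_sample_xml() {
    cat > "$1" <<'EOF'
<ConfigRoot>
<service id='0000'><id>sshServer</id><rule id='0000'><direction>inbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>22</port></rule><enabled>true</enabled><required>false</required></service>
<service id='0001'><id>sshClient</id><rule id='0000'><direction>outbound</direction><protocol>tcp</protocol><porttype>dst</porttype><port>22</port></rule><enabled>false</enabled><required>false</required></service>
</ConfigRoot>
EOF
}

# On an ESXi host the sequence would be (192.0.2.10 is a placeholder build host):
#   cp /etc/vmware/firewall/service.xml /store/firewall/service.xml
#   add_vnc_service /store/firewall/service.xml 5900 5999
#   cp /store/firewall/service.xml /etc/vmware/firewall/service.xml
#   apply_and_restrict 192.0.2.10/32
```

Restricting the ruleset with `--allowed-all=false` plus an explicit `allowedip` entry is what keeps the unauthenticated (or VNC-password-only) console ports from being reachable by anything other than the build host; the rc.local re-application from the scripts above must then also repeat the two `ruleset` commands, since a firewall refresh from a fresh service.xml does not carry the allowed-IP list.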