As with local CLI access, VMware recommends against using SSH as a means of routinely
managing your ESXi hosts. In fact, in previous versions of vSphere, SSH access to ESXi was
unsupported. It is supported in this version of vSphere, but VMware still recommends against
its regular use. If you want to use a CLI environment, we recommend getting familiar with the
vMA as your primary CLI environment.
Root Login via SSH Is Enabled by Default
Generally speaking, allowing the root user to log into a host via SSH is considered a violation of
security best practices. However, in vSphere 5.0, when SSH and the ESXi Shell are enabled, the
root user is allowed to log in via SSH. This is yet one more reason to keep SSH and the ESXi Shell
disabled during the normal course of operation.
Although VMware provides SSH as a means of accessing the CLI environment on an ESXi
host, this version of SSH does not provide all the same flexibility as a “full” SSH installation.
This further underscores the need to use SSH on an as-needed basis as well as the need for
additional access controls for your ESXi hosts, such as a network firewall.
Controlling Network Access via the ESXi Firewall
ESXi ships with a firewall that controls network traffic into or out of the host. This firewall gives
the vSphere administrator an additional level of control over what types of network traffic are
allowed to enter or leave the ESXi hosts.
By default, the ESXi firewall allows only incoming and outgoing connections necessary for
managing the VMs and the ESXi host. The following default ports are among those that are open:
TCP 443 and 902: vSphere Client, vCenter Agent
UDP 53: Domain Name System (DNS) client
TCP and UDP 427: Common Information Model (CIM) Service Location Protocol (SLP)
TCP 8000: vMotion
TCP 22: SSH
To see the full list of ports that are open on an ESXi host, you can use the vSphere Client
connected directly to an ESXi host, as illustrated in Figure 8.3, or use the vSphere Web Client
connected to a vCenter server, select a host, and navigate to Manage > Settings > Security Profile.
From this same area of the vSphere Client, you can also enable additional ports through the
firewall or disable ports that are currently open. There are a number of predefined ports and
related services listed here that can be configured.
Perform the following steps to enable or disable traffic through the ESXi firewall:
1. Launch the traditional vSphere Client and connect to an ESXi host.
2. Select an ESXi host from the inventory view and select the Configuration tab.
3. From the Software section, select Security Proi le.
4. Click the Properties hyperlink to the right of the Firewall heading.
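The same review and change can be scripted from the ESXi Shell (or over an SSH session you open only for the task) with esxcli. The script below is an added example, not code from the book or from VMware: it audits the ruleset table against a hypothetical site policy that keeps SSH disabled, and prints the esxcli commands that would disable any ruleset the policy does not allow or restrict an allowed ruleset to named source networks. The ruleset table it reads is constructed to match the layout of `esxcli network firewall ruleset list` on ESXi 5.x so the script runs without a host; the ruleset names and the allow-list are assumptions, and the esxcli syntax should be checked against `esxcli network firewall ruleset set --help` on your own host before the printed commands are run.

```shell
# Added example (not from the book or VMware): offline audit of the ESXi
# firewall ruleset table. SAMPLE_RULESETS is a CONSTRUCTED copy of what
# `esxcli network firewall ruleset list` prints on an ESXi 5.x host.
# On a real host feed the functions the live output instead:
#   unexpected_enabled "$(esxcli network firewall ruleset list)"
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
sshClient            false
nfsClient            true
vMotion              true
CIMHttpServer        true
CIMHttpsServer       true
CIMSLP               true
DNSClient            true
vSphereClient        true
snmp                 false
ntpClient            true'

# Hypothetical site policy: rulesets that may stay enabled during normal
# operation. sshServer is deliberately absent, since the text recommends
# keeping SSH off and enabling it only when it is actually needed.
EXPECTED_ENABLED='vSphereClient DNSClient CIMSLP CIMHttpServer CIMHttpsServer vMotion ntpClient'

# Print one name per line for every ruleset that is enabled ("true" in the
# second column) but not in EXPECTED_ENABLED. The first two lines of the
# table are the header and the dashed rule, so awk skips them.
unexpected_enabled() {
    printf '%s\n' "$1" | awk 'NR > 2 && $2 == "true" { print $1 }' |
    while read -r name; do
        case " $EXPECTED_ENABLED " in
            *" $name "*) ;;                 # permitted by policy
            *) printf '%s\n' "$name" ;;     # flag it
        esac
    done
}

# Emit the esxcli command that disables each flagged ruleset. The commands
# are printed rather than executed so an operator can review them first.
disable_commands() {
    unexpected_enabled "$1" | while read -r name; do
        printf 'esxcli network firewall ruleset set --ruleset-id %s --enabled false\n' "$name"
    done
}

# For a ruleset that must stay enabled, emit the commands that restrict it
# to the given source networks instead of leaving it open to all addresses.
# Usage: restrict_sources vSphereClient 10.0.0.0/24 192.168.1.10
restrict_sources() {
    ruleset="$1"
    shift
    printf 'esxcli network firewall ruleset set --ruleset-id %s --allowed-all false\n' "$ruleset"
    for cidr in "$@"; do
        printf 'esxcli network firewall ruleset allowedip add --ruleset-id %s --ip-address %s\n' "$ruleset" "$cidr"
    done
}

# Stand-alone run against the constructed sample.
unexpected_enabled "$SAMPLE_RULESETS"
disable_commands "$SAMPLE_RULESETS"
restrict_sources vSphereClient 10.0.0.0/24
```

Against the constructed table the audit flags sshServer and nfsClient, and prints a `--enabled false` command for each; `restrict_sources` shows the shape of the narrower change for a service that has to stay reachable, which is the host-side counterpart of the external network firewall the text recommends.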