vsphere-esxi-vcenter-server-51-security-guide



vSphere Security

ESXi 5.1

vCenter Server 5.1

This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document, see b54cec67b84ae45c3b358c66/support/pubs.

EN-000792-02

You can find the most up-to-date technical documentation on the VMware Web site at:

b54cec67b84ae45c3b358c66/support/

The VMware Web site also provides the latest product updates.

If you have comments about this documentation, submit your feedback to:

docfeedback@b54cec67b84ae45c3b358c66

Copyright © 2009–2012 VMware, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. VMware products are covered by one or more patents listed at b54cec67b84ae45c3b358c66/go/patents.

VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

VMware, Inc. 3401 Hillview Ave. Palo Alto, CA b54cec67b84ae45c3b358c66

Contents

About vSphere Security 7
Updated Information 9
1 Security for ESXi Systems 11
ESXi Architecture and Security Features 11
Security Resources and Information 18
2 Securing ESXi Configurations 19
Securing the Network with Firewalls 19
Securing Virtual Machines with VLANs 24
Securing Standard Switch Ports 29
Internet Protocol Security 30
Securing iSCSI Storage 34
Cipher Strength 36
Control CIM-Based Hardware Monitoring Tool Access 36
3 Securing the Management Interface 39
General Security Recommendations 39
ESXi Firewall Configuration 40
ESXi Firewall Commands 45
4 Using the ESXi Shell 47
Use the vSphere Client to Enable Access to the ESXi Shell 47
Use the vSphere Web Client to Enable Access to the ESXi Shell 49
Use the Direct Console User Interface (DCUI) to Enable Access to the ESXi Shell 50
Log in to the ESXi Shell for Troubleshooting 51
5 Lockdown Mode 53
Lockdown Mode Behavior 54
Lockdown Mode Configurations 54
Enable Lockdown Mode Using the vSphere Client 55
Enable Lockdown Mode Using the vSphere Web Client 55
Enable Lockdown Mode from the Direct Console User Interface 55
6 ESXi Authentication and User Management 57
Managing Users with the vSphere Client 57
Password Requirements 59
Assigning Permissions for ESXi 60
Assigning ESXi Roles 71
Using Active Directory to Manage Users and Groups 74


Using vSphere Authentication Proxy 76
7 vCenter Server Authentication and User Management 83
Using vCenter Single Sign-On with vSphere 84
How vCenter Single Sign-On Deployment Scenarios Affect Log In Behavior 84
Configuring vCenter Single Sign-On 87
Using vCenter Single Sign On to Manage Users and Groups 95
vCenter Server User Directory Settings 100
Assigning Permissions for vCenter Server 101
Assigning Roles in the vSphere Web Client 104
Manually Replicate Data in a Multisite vCenter Single Sign-On Deployment 106
Troubleshooting vCenter Single Sign-On 108
8 Encryption and Security Certificates 113
Generate New Certificates for ESXi 114
Enable SSL Certificate Validation Over NFC 114
Upload an SSL Certificate and Key Using HTTPS PUT 115
Replace a Default ESXi Certificate with a CA-Signed Certificate 115
Replace a Default ESXi Certificate with a CA-Signed Certificate Using the vifs Command 116
Upload an SSH Key Using HTTPS PUT 116
Upload an SSH Key Using a vifs Command 117
Configure SSL Timeouts 117
Modifying ESXi Web Proxy Settings 118
Enable Certificate Checking and Verify Host Thumbprints 122
Enable Certificate Checking and Verify Host Thumbprints in the vSphere Web Client 122
9 Securing Virtual Machines 125
General Virtual Machine Protection 125
Configuring Logging Levels for the Guest Operating System 129
Limiting Exposure of Sensitive Data Copied to the Clipboard 132
Disable Unexposed Features 133
Limiting Guest Operating System Writes to Host Memory 134
Removing Unnecessary Hardware Devices 136
Prevent a Virtual Machine User or Process from Disconnecting Devices 136
Prevent a Virtual Machine User or Process from Disconnecting Devices in the vSphere Web Client 137
10 Securing vCenter Server Systems 139
Hardening the vCenter Server Host Operating System 139
Best Practices for vCenter Server Privileges 139
Limiting vCenter Server Network Connectivity 141
Restricting Use of Linux-Based Clients 141
Verifying the Integrity of the vSphere Client 142
Set an Inactivity Timeout for the vSphere Client 142
Disable Sending Host Performance Data to Guests 142
11 Best Practices for Virtual Machine and Host Security 145
Installing Antivirus Software 145
Managing ESXi Log Files 146

Securing Fault Tolerance Logging Traffic 148

Auto Deploy Security Considerations 148
Image Builder Security Considerations 148
Host Password Strength and Complexity 149
Synchronizing Clocks on the vSphere Network 151
Disable Shell Access for Anonymous Users 152
Limit DCUI Access in Lockdown Mode 152
Disable the Managed Object Browser (MOB) 153
Disable Authorized (SSH) Keys 153
Establish and Maintain Configuration File Integrity 154
Monitoring and Restricting Access to SSL Certificates 154
Delete VMDK Files Securely 154
Index 157


About vSphere Security

vSphere Security provides information about securing your vSphere® environment for VMware® vCenter® Server and VMware ESXi.

To help you protect your ESXi™ installation, this documentation describes security features built in to ESXi and the measures that you can take to safeguard it from attack.

Intended Audience

This information is intended for anyone who wants to secure their ESXi configuration. The information is written for experienced Windows or Linux system administrators who are familiar with virtual machine technology and datacenter operations.


Updated Information

This vSphere Security documentation is updated with each release of the product or when necessary.

This table provides the update history of the vSphere Security documentation.

Revision: EN-000792-02
- Corrected command syntax in “Import vCenter Single Sign On Multisite Replication Data,” on page 108.
- Added 'Turn off the Virtual Machine' to the prerequisites in “Modify Guest Operating System Variable Memory Limit in the vSphere Web Client,” on page 135 and “Prevent the Guest Operating System Processes from Sending Configuration Messages to the Host in the vSphere Web Client,” on page 135.
- Minor edits.

Revision: EN-000792-01
- Added section on troubleshooting Single Sign-On, at “Troubleshooting vCenter Single Sign-On,” on page 108.
- Updated list of TCP and UDP ports needed for vCenter Virtual Appliance at “TCP and UDP Ports for Management Access,” on page 23.
- Added note indicating that the process for configuring and replacing certificates is different for the vCenter Server Virtual Appliance.
- Changed Note text, User name description, and Password description in Step 4 of “Add a vCenter Single Sign On Identity Source,” on page 89.
- Minor edits.

Revision: EN-000792-00
- Initial release.


1 Security for ESXi Systems

ESXi is developed with a focus on strong security. VMware ensures security in the ESXi environment and addresses system architecture from a security standpoint.

This chapter includes the following topics:

- “ESXi Architecture and Security Features,” on page 11
- “Security Resources and Information,” on page 18

ESXi Architecture and Security Features

The components and the overall architecture of ESXi are designed to ensure security of the ESXi system as a whole.

From a security perspective, ESXi consists of three major components: the virtualization layer, the virtual machines, and the virtual networking layer.

Figure 1-1. ESXi Architecture

Security and the Virtualization Layer

VMware designed the virtualization layer, or VMkernel, to run virtual machines. It controls the hardware that hosts use and schedules the allocation of hardware resources among the virtual machines. Because the VMkernel is fully dedicated to supporting virtual machines and is not used for other purposes, the interface to the VMkernel is strictly limited to the API required to manage virtual machines.

ESXi provides additional VMkernel protection with the following features:

Memory Hardening: The ESXi kernel, user-mode applications, and executable components such as drivers and libraries are located at random, non-predictable memory addresses. Combined with the non-executable memory protections made available by microprocessors, this provides protection that makes it difficult for malicious code to use memory exploits to take advantage of vulnerabilities.

Kernel Module Integrity: Digital signing ensures the integrity and authenticity of modules, drivers and applications as they are loaded by the VMkernel. Module signing allows ESXi to identify the providers of modules, drivers, or applications and whether they are VMware-certified. VMware software and certain third-party drivers are signed by VMware.

Trusted Platform Module (TPM): vSphere uses Intel Trusted Platform Module/Trusted Execution Technology (TPM/TXT) to provide remote attestation of the hypervisor image based on hardware root of trust. The hypervisor image comprises the following elements:

- ESXi software (hypervisor) in VIB (package) format
- Third-party VIBs
- Third-party drivers

To leverage this capability, your ESXi system must have TPM and TXT enabled. When TPM and TXT are enabled, ESXi measures the entire hypervisor stack when the system boots and stores these measurements in the Platform Configuration Registers (PCR) of the TPM. The measurements include the VMkernel, kernel modules, drivers, native management applications that run on ESXi, and any boot-time configuration options. All VIBs that are installed on the system are measured.

Third-party solutions can use this feature to build a verifier that detects tampering of the hypervisor image, by comparing the image with an image of the expected known good values. vSphere does not provide a user interface to view these measurements.

The measurements are exposed in a vSphere API. An event log is provided as part of the API, as specified by the Trusted Computing Group (TCG) standard for TXT.
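Added example (not VMware code and not the vSphere API) of the kind of verifier the text describes: it replays a constructed TCG-style event log to recompute PCR values, checks that the log agrees with the PCR values the TPM reports, and compares them with a known-good set. The PCR index, the log entry layout and the VIB contents are assumptions; a real verifier would take the event log and PCR values from the vSphere API.

```python
import hashlib
from typing import Dict, Iterable, List, Tuple

PCR_COUNT = 24    # a TPM 1.2 has 24 PCRs
DIGEST_LEN = 20   # SHA-1 digests, the bank a TPM 1.2 / TXT platform uses

# Assumption for this example: all hypervisor VIB measurements land in one PCR.
# The real PCR assignments are platform-specific and are not stated on this page.
HYPERVISOR_PCR = 17

Event = Tuple[int, str, bytes]  # (pcr index, description, measured digest)


def pcr_extend(pcr: bytes, digest: bytes) -> bytes:
    """TPM extend operation: PCR_new = SHA1(PCR_old || digest). Order matters."""
    return hashlib.sha1(pcr + digest).digest()


def build_event_log(vibs: List[Tuple[str, bytes]], pcr: int = HYPERVISOR_PCR) -> List[Event]:
    """Constructed stand-in for the TCG event log: one entry per measured VIB,
    in boot order, where the digest is the SHA-1 of the VIB payload."""
    return [(pcr, name, hashlib.sha1(payload).digest()) for name, payload in vibs]


def replay_log(events: Iterable[Event]) -> Dict[int, bytes]:
    """Recompute every PCR from the reset state (all zeros) by replaying the log."""
    pcrs = {i: bytes(DIGEST_LEN) for i in range(PCR_COUNT)}
    for pcr, _desc, digest in events:
        if not 0 <= pcr < PCR_COUNT or len(digest) != DIGEST_LEN:
            raise ValueError(f"malformed event: pcr={pcr} digest_len={len(digest)}")
        pcrs[pcr] = pcr_extend(pcrs[pcr], digest)
    return pcrs


def verify(quoted: Dict[int, bytes], events: Iterable[Event],
           known_good: Dict[int, bytes]) -> Dict[str, object]:
    """Two checks a verifier performs:
    1. log_consistent: replaying the event log reproduces the PCRs the TPM reports,
       so the log has not been edited after the fact;
    2. mismatched_pcrs: PCRs whose reported value differs from the known-good set,
       i.e. the measured hypervisor image is not the approved one."""
    replayed = replay_log(events)
    consistent = all(replayed[i] == quoted.get(i, bytes(DIGEST_LEN)) for i in replayed)
    mismatched = sorted(i for i, good in known_good.items() if quoted.get(i) != good)
    return {"log_consistent": consistent, "mismatched_pcrs": mismatched}


def changed_entries(events: Iterable[Event], known_good_events: Iterable[Event]) -> List[str]:
    """After a PCR mismatch, the event log names which measured component changed.
    A pure reordering of unchanged VIBs changes the PCR but shows up here as empty."""
    good = {desc: digest for _, desc, digest in known_good_events}
    return [desc for _, desc, digest in events if good.get(desc) != digest]


# Constructed sample: VIB names and payload bytes are made up for this example.
GOLDEN_VIBS = [
    ("esx-base", b"esx-base 5.1.0 payload"),
    ("net-e1000", b"net-e1000 driver payload"),
    ("vendor-agent", b"third-party vendor agent 1.0"),
]
GOLDEN_EVENTS = build_event_log(GOLDEN_VIBS)
KNOWN_GOOD_PCRS = replay_log(GOLDEN_EVENTS)   # the "expected known good values"


def demo() -> Dict[str, object]:
    """Boot with one modified third-party driver and run the verifier against it."""
    tampered = list(GOLDEN_VIBS)
    tampered[1] = ("net-e1000", b"net-e1000 driver payload (modified)")  # constructed
    events = build_event_log(tampered)
    quoted = replay_log(events)          # what the TPM would report for this boot
    result = verify(quoted, events, KNOWN_GOOD_PCRS)
    print(result, "changed:", changed_entries(events, GOLDEN_EVENTS))
    return result


if __name__ == "__main__":
    demo()
```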


Security and Virtual Machines

Virtual machines are the containers in which applications and guest operating systems run. By design, all VMware virtual machines are isolated from one another. This isolation enables multiple virtual machines to run securely while sharing hardware and ensures both their ability to access hardware and their uninterrupted performance.

Even a user with system administrator privileges on a virtual machine’s guest operating system cannot breach this layer of isolation to access another virtual machine without privileges explicitly granted by the ESXi system administrator. As a result of virtual machine isolation, if a guest operating system running in a virtual machine fails, other virtual machines on the same host continue to run. The guest operating system failure has no effect on:

- The ability of users to access the other virtual machines
- The ability of the operational virtual machines to access the resources they need
- The performance of the other virtual machines

Each virtual machine is isolated from other virtual machines running on the same hardware. Although virtual machines share physical resources such as CPU, memory, and I/O devices, a guest operating system on an individual virtual machine cannot detect any device other than the virtual devices made available to it.

Figure 1-2. Virtual Machine Isolation

Because the VMkernel mediates the physical resources and all physical hardware access takes place through the VMkernel, virtual machines cannot circumvent this level of isolation.

Just as a physical machine communicates with other machines in a network through a network card, a virtual machine communicates with other virtual machines running in the same host through a virtual switch. Further, a virtual machine communicates with the physical network, including virtual machines on other ESXi hosts, through a physical network adapter.

Figure 1-3. Virtual Networking Through Virtual Switches

These characteristics apply to virtual machine isolation in a network context:

- If a virtual machine does not share a virtual switch with any other virtual machine, it is completely isolated from virtual networks within the host.
- If no physical network adapter is configured for a virtual machine, the virtual machine is completely isolated from any physical networks.
- If you use the same safeguards (firewalls, antivirus software, and so forth) to protect a virtual machine from the network as you would for a physical machine, the virtual machine is as secure as the physical machine.

You can further protect virtual machines by setting up resource reservations and limits on the host. For example, through the detailed resource controls available in ESXi, you can configure a virtual machine so that it always receives at least 10 percent of the host’s CPU resources, but never more than 20 percent.

Resource reservations and limits protect virtual machines from performance degradation that would result if another virtual machine consumed excessive shared hardware resources. For example, if one of the virtual machines on a host is incapacitated by a denial-of-service (DoS) attack, a resource limit on that machine prevents the attack from taking up so much of the hardware resources that the other virtual machines are also affected. Similarly, a resource reservation on each of the virtual machines ensures that, in the event of high resource demands by the virtual machine targeted by the DoS attack, all the other virtual machines still have enough resources to operate.

By default, ESXi imposes a form of resource reservation by applying a distribution algorithm that divides the available host resources equally among the virtual machines while keeping a certain percentage of resources for use by other system components. This default behavior provides a degree of natural protection from DoS and distributed denial-of-service (DDoS) attacks. You set specific resource reservations and limits on an individual basis to customize the default behavior so that the distribution is not equal across the virtual machine configuration.

Security and the Virtual Networking Layer

The virtual networking layer includes virtual network adapters and virtual switches. ESXi relies on the virtual networking layer to support communications between virtual machines and their users. In addition, hosts use the virtual networking layer to communicate with iSCSI SANs, NAS storage, and so forth.

The methods you use to secure a virtual machine network depend on which guest operating system is installed, whether the virtual machines operate in a trusted environment, and a variety of other factors. Virtual switches provide a substantial degree of protection when used with other common security practices, such as installing firewalls.


ESXi also supports IEEE 802.1q VLANs, which you can use to further protect the virtual machine network or storage configuration. VLANs let you segment a physical network so that two machines on the same physical network cannot send packets to or receive packets from each other unless they are on the same VLAN.

Creating a Network DMZ on a Single ESXi Host

One example of how to use ESXi isolation and virtual networking features to configure a secure environment is the creation of a network demilitarized zone (DMZ) on a single host.

Figure 1-4. DMZ Configured on a Single ESXi Host

In this example, four virtual machines are configured to create a virtual DMZ on Standard Switch 2:

- Virtual Machine 1 and Virtual Machine 4 run firewalls and are connected to virtual adapters through standard switches. Both of these virtual machines are multi-homed.
- Virtual Machine 2 runs a Web server, and Virtual Machine 3 runs as an application server. Both of these virtual machines are single-homed.

The Web server and application server occupy the DMZ between the two firewalls. The conduit between these elements is Standard Switch 2, which connects the firewalls with the servers. This switch has no direct connection with any elements outside the DMZ and is isolated from external traffic by the two firewalls.

From an operational viewpoint, external traffic from the Internet enters Virtual Machine 1 through Hardware Network Adapter 1 (routed by Standard Switch 1) and is verified by the firewall installed on this machine. If the firewall authorizes the traffic, it is routed to the standard switch in the DMZ, Standard Switch 2. Because the Web server and application server are also connected to this switch, they can serve external requests.

Standard Switch 2 is also connected to Virtual Machine 4. This virtual machine provides a firewall between the DMZ and the internal corporate network. This firewall filters packets from the Web server and application server. If a packet is verified, it is routed to Hardware Network Adapter 2 through Standard Switch 3. Hardware Network Adapter 2 is connected to the internal corporate network.

When creating a DMZ on a single host, you can use fairly lightweight firewalls. Although a virtual machine in this configuration cannot exert direct control over another virtual machine or access its memory, all the virtual machines are still connected through a virtual network. This network could be used for virus propagation or targeted for other types of attacks. The security of the virtual machines in the DMZ is equivalent to separate physical machines connected to the same network.

Creating Multiple Networks Within a Single ESXi Host

The ESXi system is designed so that you can connect some groups of virtual machines to the internal network, others to the external network, and still others to both—all on the same host. This capability is an outgrowth of basic virtual machine isolation coupled with a well-planned use of virtual networking features.

Figure 1-5. External Networks, Internal Networks, and a DMZ Configured on a Single ESXi Host

In the figure, the system administrator configured a host into three distinct virtual machine zones: FTP server, internal virtual machines, and DMZ. Each zone serves a unique function.

FTP server: Virtual Machine 1 is configured with FTP software and acts as a holding area for data sent to and from outside resources such as forms and collateral localized by a vendor.

This virtual machine is associated with an external network only. It has its own virtual switch and physical network adapter that connect it to External Network 1. This network is dedicated to servers that the company uses to receive data from outside sources. For example, the company uses External Network 1 to receive FTP traffic from vendors and allow vendors access to data stored on externally available servers through FTP. In addition to servicing Virtual Machine 1, External Network 1 services FTP servers configured on different ESXi hosts throughout the site.

Because Virtual Machine 1 does not share a virtual switch or physical network adapter with any virtual machines in the host, the other resident virtual machines cannot transmit packets to or receive packets from the Virtual Machine 1 network. This restriction prevents sniffing attacks, which require sending network traffic to the victim. More importantly, an attacker cannot use the natural vulnerability of FTP to access any of the host’s other virtual machines.

Internal virtual machines: Virtual Machines 2 through 5 are reserved for internal use. These virtual machines process and store company-private data such as medical records, legal settlements, and fraud investigations. As a result, the system administrators must ensure the highest level of protection for these virtual machines.

These virtual machines connect to Internal Network 2 through their own virtual switch and network adapter. Internal Network 2 is reserved for internal use by personnel such as claims processors, in-house lawyers, or adjustors.

Virtual Machines 2 through 5 can communicate with one another through the virtual switch and with internal virtual machines elsewhere on Internal Network 2 through the physical network adapter. They cannot communicate with externally facing machines. As with the FTP server, these virtual machines cannot send packets to or receive packets from the other virtual machines’ networks. Similarly, the host’s other virtual machines cannot send packets to or receive packets from Virtual Machines 2 through 5.

DMZ: Virtual Machines 6 through 8 are configured as a DMZ that the marketing group uses to publish the company’s external Web site.

This group of virtual machines is associated with External Network 2 and Internal Network 1. The company uses External Network 2 to support the Web servers that use the marketing and financial department to host the corporate Web site and other Web facilities that it hosts to outside users. Internal Network 1 is the conduit that the marketing department uses to publish content to the corporate Web site, post downloads, and maintain services like user forums.

Because these networks are separate from External Network 1 and Internal Network 2, and the virtual machines have no shared points of contact (switches or adapters), there is no risk of attack to or from the FTP server or the internal virtual machine group.

By capitalizing on virtual machine isolation, correctly configuring virtual switches, and maintaining network separation, the system administrator can house all three virtual machine zones in the same ESXi host and be confident that there will be no data or resource breaches.

The company enforces isolation among the virtual machine groups by using multiple internal and external networks and making sure that the virtual switches and physical network adapters for each group are completely separate from those of other groups.

Because none of the virtual switches straddle virtual machine zones, the system administrator succeeds in eliminating the risk of packet leakage from one zone to another. A virtual switch, by design, cannot leak packets directly to another virtual switch. The only way for packets to travel from one virtual switch to another is under the following circumstances:

- The virtual switches are connected to the same physical LAN.
- The virtual switches connect to a common virtual machine, which could be used to transmit packets.

Neither of these conditions occurs in the sample configuration. If system administrators want to verify that no common virtual switch paths exist, they can check for possible shared points of contact by reviewing the network switch layout in the vSphere Client.


To safeguard the virtual machines’ resources, the system administrator lowers the risk of DoS and DDoS attacks by configuring a resource reservation and a limit for each virtual machine. The system administrator further protects the ESXi host and virtual machines by installing software firewalls at the front and back ends of the DMZ, ensuring that the host is behind a physical firewall, and configuring the networked storage resources so that each has its own virtual switch.
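Added example (not VMware code) of the shared-points-of-contact review described above, run over a constructed inventory modelled on Figure 1-5: it flags virtual switches in different zones that share a physical LAN or a common virtual machine, the two conditions listed, and it generalises to the Figure 1-4 design by letting designated multi-homed firewall VMs bridge zones. Switch, network and VM names are constructed; in practice the inventory would be read from the network switch layout in the vSphere Client.

```python
from dataclasses import dataclass, field
from itertools import combinations
from typing import FrozenSet, List, Set


@dataclass
class VSwitch:
    """One standard switch: the zone it serves, the physical LANs its uplink
    adapters reach, and the VMs that have a virtual NIC on it."""
    name: str
    zone: str
    physical_lans: Set[str] = field(default_factory=set)
    vms: Set[str] = field(default_factory=set)


def shared_paths(switches: List[VSwitch],
                 sanctioned_bridges: FrozenSet[str] = frozenset()) -> List[str]:
    """Return one finding per shared point of contact between switches of
    different zones. Packets can only cross switches via (1) a common physical
    LAN or (2) a common VM; a VM listed in sanctioned_bridges (a deliberately
    multi-homed firewall, as in the single-host DMZ) is not reported."""
    findings: List[str] = []
    for a, b in combinations(switches, 2):
        if a.zone == b.zone:
            continue  # sharing inside one zone is by design
        for lan in sorted(a.physical_lans & b.physical_lans):
            findings.append(
                f"physical LAN {lan} joins {a.name} [{a.zone}] and {b.name} [{b.zone}]")
        for vm in sorted((a.vms & b.vms) - sanctioned_bridges):
            findings.append(
                f"VM {vm} is multi-homed across {a.name} [{a.zone}] and {b.name} [{b.zone}]")
    return findings


def figure_1_5_inventory() -> List[VSwitch]:
    """Constructed inventory following the three-zone layout of Figure 1-5."""
    return [
        VSwitch("vSwitch-FTP", "ftp", {"External Network 1"}, {"VM1"}),
        VSwitch("vSwitch-Internal", "internal", {"Internal Network 2"},
                {"VM2", "VM3", "VM4", "VM5"}),
        VSwitch("vSwitch-DMZ-Ext", "dmz", {"External Network 2"}, {"VM6", "VM7", "VM8"}),
        VSwitch("vSwitch-DMZ-Int", "dmz", {"Internal Network 1"}, {"VM6", "VM7", "VM8"}),
    ]


def figure_1_4_inventory() -> List[VSwitch]:
    """Constructed inventory for the single-host DMZ of Figure 1-4: VM1 and VM4
    are the multi-homed firewalls, VM2 and VM3 sit only on Standard Switch 2."""
    return [
        VSwitch("Standard Switch 1", "external", {"Internet"}, {"VM1"}),
        VSwitch("Standard Switch 2", "dmz", set(), {"VM1", "VM2", "VM3", "VM4"}),
        VSwitch("Standard Switch 3", "internal", {"Corporate LAN"}, {"VM4"}),
    ]


def misconfigured_inventory() -> List[VSwitch]:
    """Two constructed mistakes on top of Figure 1-5: VM4 gets a second vNIC on
    the DMZ-internal switch, and the FTP switch is also uplinked to Internal Network 2."""
    inv = figure_1_5_inventory()
    inv[3].vms.add("VM4")
    inv[0].physical_lans.add("Internal Network 2")
    return inv


if __name__ == "__main__":
    firewalls = frozenset({"VM1", "VM4"})
    for label, inv, allowed in [("figure 1-5", figure_1_5_inventory(), frozenset()),
                                ("figure 1-4", figure_1_4_inventory(), firewalls),
                                ("misconfigured", misconfigured_inventory(), frozenset())]:
        print(label, shared_paths(inv, allowed) or "no cross-zone paths")
```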

Security Resources and Information

You can find additional information about security on the VMware Web site.

The table lists security topics and the location of additional information about these topics.

Table 1-1. VMware Security Resources on the Web

Topic: VMware security policy, up-to-date security alerts, security downloads, and focus discussions of security topics
Resource: b54cec67b84ae45c3b358c66/security/

Topic: Corporate security response policy
Resource: b54cec67b84ae45c3b358c66/support/policies/security_response
VMware is committed to helping you maintain a secure environment. Security issues are corrected in a timely manner. The VMware Security Response Policy states our commitment to resolve possible vulnerabilities in our products.

Topic: Third-party software support policy
Resource: b54cec67b84ae45c3b358c66/support/policies/
VMware supports a variety of storage systems, software agents such as backup agents, system management agents, and so forth. You can find lists of agents, tools, and other software that supports ESXi by searching b54cec67b84ae45c3b358c66/vmtn/resources/ for ESXi compatibility guides.
The industry offers more products and configurations than VMware can test. If VMware does not list a product or configuration in a compatibility guide, Technical Support will attempt to help you with any problems, but cannot guarantee that the product or configuration can be used. Always evaluate security risks for unsupported products or configurations carefully.

Topic: General information about virtualization and security
Resource: VMware Virtual Security Technical Resource Center b54cec67b84ae45c3b358c66/go/security/

Topic: Compliance and security standards, as well as partner solutions and in-depth content about virtualization and compliance
Resource: b54cec67b84ae45c3b358c66/go/compliance/

Topic: Information about VMsafe technology for protection of virtual machines, including a list of partner solutions
Resource: b54cec67b84ae45c3b358c66/go/vmsafe/

2 Securing ESXi Configurations

You can take measures to promote a secure environment for your ESXi hosts, virtual machines, and iSCSI SANs. Consider network configuration planning from a security perspective and the steps that you can take to protect the components in your configuration from attack.

This chapter includes the following topics:

- “Securing the Network with Firewalls,” on page 19
- “Securing Virtual Machines with VLANs,” on page 24
- “Securing Standard Switch Ports,” on page 29
- “Internet Protocol Security,” on page 30
- “Securing iSCSI Storage,” on page 34
- “Cipher Strength,” on page 36
- “Control CIM-Based Hardware Monitoring Tool Access,” on page 36

Securing the Network with Firewalls

Security administrators use firewalls to safeguard the network or selected components in the network from intrusion.

Firewalls control access to devices within their perimeter by closing all communication pathways, except for those that the administrator explicitly or implicitly designates as authorized. The pathways, or ports, that administrators open in the firewall allow traffic between devices on different sides of the firewall.

IMPORTANT The ESXi firewall in ESXi 5.0 does not allow per-network filtering of vMotion traffic. Therefore, you must install rules on your external firewall to ensure that no incoming connections can be made to the vMotion socket.

In a virtual machine environment, you can plan your layout for firewalls between components.

- Physical machines such as vCenter Server systems and ESXi hosts.
- One virtual machine and another—for example, between a virtual machine acting as an external Web server and a virtual machine connected to your company’s internal network.
- A physical machine and a virtual machine, such as when you place a firewall between a physical network adapter card and a virtual machine.


How you use firewalls in your ESXi configuration is based on how you plan to use the network and how secure any given component needs to be. For example, if you create a virtual network where each virtual machine is dedicated to running a different benchmark test suite for the same department, the risk of unwanted access from one virtual machine to the next is minimal. Therefore, a configuration where firewalls are present between the virtual machines is not necessary. However, to prevent interruption of a test run from an outside host, you might set up the configuration so that a firewall is present at the entry point of the virtual network to protect the entire set of virtual machines.

Firewalls for Configurations with vCenter Server

If you access ESXi hosts through vCenter Server, you typically protect vCenter Server using a firewall. This firewall provides basic protection for your network.

A firewall might lie between the clients and vCenter Server. Alternatively, vCenter Server and the clients can be behind the firewall, depending on your deployment. The main point is to ensure that a firewall is present at what you consider to be an entry point for the system.

For a comprehensive list of TCP and UDP ports, including those for vSphere vMotion® and vSphere Fault Tolerance, see “TCP and UDP Ports for Management Access,” on page 23.

Networks configured with vCenter Server can receive communications through the vSphere Client or third-party network management clients that use the SDK to interface with the host. During normal operation, vCenter Server listens for data from its managed hosts and clients on designated ports. vCenter Server also assumes that its managed hosts listen for data from vCenter Server on designated ports. If a firewall is present between any of these elements, you must ensure that the firewall has open ports to support data transfer.

You might also include firewalls at a variety of other access points in the network, depending on how you plan to use the network and the level of security various devices require. Select the locations for your firewalls based on the security risks that you have identified for your network configuration. The following is a list of firewall locations common to ESXi implementations.

- Between the vSphere Client or a third-party network-management client and vCenter Server.
- If your users access virtual machines through a Web browser, between the Web browser and the ESXi host.
- If your users access virtual machines through the vSphere Client, between the vSphere Client and the ESXi host. This connection is in addition to the connection between the vSphere Client and vCenter Server, and it requires a different port.
- Between vCenter Server and the ESXi hosts.
- Between the ESXi hosts in your network. Although traffic between hosts is usually considered trusted, you can add firewalls between them if you are concerned about security breaches from machine to machine.

  If you add firewalls between ESXi hosts and plan to migrate virtual machines between the servers, perform cloning, or use vMotion, you must also open ports in any firewall that divides the source host from the target hosts so that the source and targets can communicate.
- Between the ESXi hosts and network storage such as NFS or iSCSI storage. These ports are not specific to VMware, and you configure them according to the specifications for your network.

Firewalls for Configurations Without vCenter Server

If you connect clients directly to your ESXi network instead of using vCenter Server, your firewall configuration is somewhat simpler.

Networks configured without vCenter Server receive communications through the same types of clients as they do if vCenter Server were present: the vSphere Client or third-party network management clients. For the most part, the firewall needs are the same, but there are several key differences.

- As you would for configurations that include vCenter Server, be sure a firewall is present to protect your ESXi layer or, depending on your configuration, your clients and ESXi layer. This firewall provides basic protection for your network. The firewall ports you use are the same as those you use if vCenter Server is in place.
- Licensing in this type of configuration is part of the ESXi package that you install on each of the hosts. Because licensing is resident to the server, a separate license server is not required. This eliminates the need for a firewall between the license server and the ESXi network.

Connecting to vCenter Server Through a Firewall

The port that vCenter Server uses to listen for data transfer from its clients is 443. If you have a firewall between vCenter Server and its clients, you must configure a connection through which vCenter Server can receive data from the clients.

To enable vCenter Server to receive data from the vSphere Client, open port 443 in the firewall to allow data transfer from the vSphere Client to vCenter Server. Contact the firewall system administrator for additional information on configuring ports in a firewall.

If you are using the vSphere Client and do not want to use port 443 as the port for vSphere Client-to-vCenter Server communication, you can switch to another port by changing the vCenter Server settings in the vSphere Client. To learn how to change these settings, see the vCenter Server and Host Management documentation.

Connecting to the Virtual Machine Console Through a Firewall

When you connect your client to ESXi hosts through vCenter Server, certain ports are required for user and administrator communication with virtual machine consoles. These ports support different client functions, interface with different layers on ESXi, and use different authentication protocols.

Port 902: This is the port that vCenter Server assumes is available for receiving data from ESXi. The vSphere Client uses this port to provide a connection for guest operating system mouse, keyboard, screen (MKS) activities on virtual machines. It is through this port that users interact with the virtual machine guest operating systems and applications. Port 902 is the port that the vSphere Client assumes is available when interacting with virtual machines.
