
Adding a Firewall Port exception to VMware’s vCenter 6.0 Appliance

VMware released vCenter 6.0 in April 2015. Like many IT professionals, we were interested in seeing what changes were made. After we upgraded to vCenter 6.0, we discovered that while it was more locked down, its shell could still give us more access.

While Sightline can monitor vCenter, ESX hosts and VMs agentlessly, our Power Agents offer a lot more data about what’s going on inside VMs (mainly process-level information), including the vCenter appliance. In fact, the Power Agents included with Enterprise Data Management provide you with the real-time data you need to make smarter, more cost-effective decisions. EDM is an award-winning platform for managing the continuous stream of time-series data being produced and will help you:

  • Monitor systems
  • Analyze trends and patterns
  • Diagnose costly issues quickly
  • Reduce cost
  • Conduct root cause analysis
  • Automate capacity planning

These are the steps you can take to access the built-in firewall that comes with the appliance and add a port exception to it.

VMware, of course, provides instructions on how to manipulate the firewall, but they only cover adding an IP address or IP range to the list of systems allowed to communicate with vCenter.

In short, it doesn’t let you open a port. That was a problem, since our Power Agent uses port 1645 to communicate and send detailed performance data back to our analytics engine. We needed to open that port, and that proved harder than we expected.

Adding a Port to vCenter:
1) First, you’ll need console access. This presents a familiar screen for admins who have accessed ESX server consoles before; it is new for the vCenter 6.0 appliance.

[screenshot vm1: appliance console screen]

2) Here, navigate to a hidden screen by pressing ALT+F1. You’ll then get this login screen:

[screenshot vm2: ALT+F1 login screen]

3) Log in with admin credentials and you’ll get a list of help commands.

4) Now, run the following:

[screenshot vm3: the shell.set --enabled True and shell commands]

After running “shell.set --enabled True” and “shell”, you’ll get a standard Linux-style prompt.

There is a warning that the pi shell is only for advanced troubleshooting, so continue at your own risk.

5) Navigate to /etc/vmware/appliance

This is where you can add custom firewall port changes, in services.conf.

[screenshot vm5: services.conf in /etc/vmware/appliance]

6) WARNING: Initially, we tried to add a new group to the JSON in services.conf, and we ended up losing SSH access to the VM. It seems that VMware has a hard-coded limit of 4 rules; adding a 5th seems to bump the first one out.

7) To get around this, we just added our rule to the existing ssh rule. Run “vi services.conf”.

8) We added a comma, and then the section shown in red.

[screenshot vm6: services.conf with the added rule highlighted in red]

9) Then, reload the vSphere vCenter 6.0 Appliance firewall rules by executing:
/usr/lib/applmgmt/networking/bin/firewall-reload
or simply reboot the VM.
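As an added example (not code from the original post or from VMware), here is a small Python helper that applies the workaround from steps 6 to 9 more cautiously: it backs up services.conf, appends the port to an existing group instead of creating a fifth one, and lets you list a group’s ports before running firewall-reload. The JSON layout, the group name "ssh" and all helper names are assumptions; read the real services.conf on your appliance before relying on them.

```python
import json
import shutil
import time

# Ceiling observed in the post: a fifth top-level rule group in services.conf
# appeared to push the first one out (and cost the author SSH access).
MAX_GROUPS = 4

# Constructed sample in an ASSUMED layout (named groups, each with a "rules"
# list); the real services.conf on the appliance may differ, so read it first.
SAMPLE_CONF = """{
  "ssh": {"rules": [{"direction": "inbound", "protocol": "tcp", "port": "22"}]}
}"""


def add_port_to_group(conf_text, group_name, port, protocol="tcp"):
    """Parse conf_text and append an inbound rule for port to an existing group.

    Refuses to create a new group, mirroring the post's workaround of adding
    the port to the ssh rule rather than a fifth group. Idempotent.
    """
    conf = json.loads(conf_text)
    if len(conf) > MAX_GROUPS:
        raise ValueError(f"{len(conf)} groups already exceed the limit of {MAX_GROUPS}")
    if group_name not in conf:
        raise KeyError(f"group {group_name!r} not found; not adding a new group")
    rules = conf[group_name].setdefault("rules", [])
    rule = {"direction": "inbound", "protocol": protocol, "port": str(port)}
    if rule not in rules:
        rules.append(rule)
    return conf


def ports_in_group(conf, group_name):
    """Return the port strings a group opens, for checking before the reload."""
    return [r["port"] for r in conf.get(group_name, {}).get("rules", [])]


def render(conf):
    """Serialise the config back to text in the indented form vi users expect."""
    return json.dumps(conf, indent=2)


def update_file(path, group_name, port, protocol="tcp"):
    """Back up path, rewrite it with the new rule, and return the backup name."""
    backup = f"{path}.{time.strftime('%Y%m%d%H%M%S')}.bak"
    shutil.copy2(path, backup)
    with open(path) as fh:
        conf = add_port_to_group(fh.read(), group_name, port, protocol)
    with open(path, "w") as fh:
        fh.write(render(conf))
    return backup  # then run firewall-reload, or reboot, as in step 9
```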

After we rebooted, we could access our performance monitoring tool on port 1645.