How do I enable VNC access for my ESXi host(s)?

Enabling VNC Access to vSphere 5 VM Guest Consoles

You can allow access through the firewall in a vSphere 5 environment, provided that the ESXi 5 Server and the vCenter Server are properly configured according to VMware documentation. The vSphere Client must also be installed and configured properly according to VMware documentation.

You can use one of two methods to open firewall ports for VNC access:

  • Section 18.4.1, Enabling VNC Access By Opening Multiple Firewall Ports

  • Section 18.4.2, Enabling VNC Access by Creating a Special Configuration File

18.4.1 Enabling VNC Access By Opening Multiple Firewall Ports

Use the following steps to enable the 59xx firewall ports for VNC access to vSphere 5 VM guest consoles:

  1. In your vSphere environment, log in to the vSphere Client, then select Home > Inventory > Hosts and Clusters.

  2. In the Hosts/Clusters tree view, select the ESXi host name that represents the server you want to open for VNC access.

  3. Select the Configuration tab, locate and open the Software list box, then select Security Profile.

  4. In the Firewall section, select the Properties link to display the Firewall Properties dialog box.

  5. In the dialog box, scroll to and select GDB Server, then click OK.

    Your ESXi server now allows VNC access to Guest VM consoles through its firewall.

    NOTE: If you are using vSphere 4.x or earlier, select VNC Server in the list box for this step.

  6. Repeat these steps for each ESXi host system.

The GDB Server setting covers the needed 59xx port range in its own port range, so when you enable firewall access for GDB Server, VNC services also become open. Extra open ports do not present a serious security problem, because a user rarely runs manual services that listen on those ports.

 

18.4.2 Enabling VNC Access by Creating a Special Configuration File

If leaving the extra ports open is a security concern, you can manually add the VNC Server entry to the ESXi 5 firewall configuration and persist that entry across reboots of the server.

IMPORTANT: The preferred method to enable VNC Access to an ESXi 5 server is to use an existing, preconfigured GDB Server firewall entry, as described in Section 18.4.1, Enabling VNC Access By Opening Multiple Firewall Ports.

If you use the method described in this section to enable VNC access, we strongly recommend that you have competent experience with command line Linux/Unix system administration. It is possible to make mistakes while performing these steps that might render your ESXi Server unbootable.

  1. In your vSphere environment, log in to the vSphere Client, then select Home > Inventory > Hosts and Clusters.

  2. In the Hosts/Clusters tree view, select the ESXi host name that represents the server you want to open for VNC access.

  3. Select the Configuration tab, locate and open the Software list box, then select Security Profile.

  4. In the Firewall section, select the Properties link to display the Firewall Properties dialog box.

  5. In the dialog box, scroll to and select SSH Server, then click OK.

  6. From a Linux console, ssh to the IP address of your ESXi host. Log in as root using that host's root password.

  7. Using a Linux editor (such as vi), add the following shell script lines to the end of the /etc/rc.local file. On newer ESXi hosts, edit /etc/rc.local.d/local.sh instead of /etc/rc.local, because /etc/rc.local may appear as read-only.

    cat <<EOF > /etc/vmware/firewall/vncServer.xml
    <ConfigRoot>
      <service>
        <id>vncServer</id>
        <rule id='0000'>
          <direction>inbound</direction>
          <protocol>tcp</protocol>
          <porttype>dst</porttype>
          <port>
            <begin>5900</begin>
            <end>5999</end>
          </port>
        </rule>
        <enabled>true</enabled>
        <required>false</required>
      </service>
    </ConfigRoot>
    EOF
    esxcli network firewall refresh
    

    IMPORTANT: Enter the code exactly as shown in the sample above. Use spaces to indicate indents in the code; do not use tab characters.

  8. Save the /etc/rc.local file. 

  9. While still logged in, run the following command:

    /sbin/auto-backup.sh

  10. Log out from the SSH session.

  11. From either the ESXi host’s console or from the VMware Client, reboot the ESXi host.

    You should now see VNC Server as an available service in the Firewall Properties pane. The service should be enabled.

This process creates the /etc/vmware/firewall/vncServer.xml config file with the necessary settings to open the firewall ports.

Simply creating and editing this file does not work when the ESXi Server is rebooted because the root file system in ESXi 5 is a volatile RAM disk that is loaded from a master copy on each boot. Any changes made to this RAM disk are lost upon reboot.

A workaround to this rule relies on the fact that the ESXi Server uses the auto-backup.sh script to persist a select set of files every 10 minutes (or when changes are made with the VMware Client or the VI-SDK facilities) from this file system to the master persistent copy. The /etc/rc.local file is one of these select files, so adding the shell script to the end of the file can add the needed firewall entry each time the ESXi server boots.

One other change is required on each ESXi host: you must modify the VM's .vmx file. After that is done, the VM has to be powered off completely and then powered back on for the changes to take effect.

The following lines were added to the VMX file for the VM to allow VNC connections on port 5901 and require a VNC password:

    RemoteDisplay.vnc.enabled = "TRUE"
    RemoteDisplay.vnc.port = "5901"
    RemoteDisplay.vnc.password = "ChangeThisToYourPassword"

To connect to a VM using VNC, connect to ipaddressofhost:vncport (in VNC notation, 1 is the same as port 5901, 2 is 5902, etc.).
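
A check that ties the firewall rule and the .vmx settings together, as an added example that is not part of the original guide: it reads the port range from the firewall XML and flags .vmx files whose VNC port falls outside that range, collides with another VM's port, or has no password or still carries the sample password. The function names, finding codes and sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the VNC settings in
# .vmx files against the port range opened by the vncServer.xml firewall rule.

# Print the quoted value of key $1 in .vmx file $2 (key match is case-insensitive).
vmx_get() {
    awk -F'"' -v k="$1" 'tolower($1) ~ ("^[ \t]*" tolower(k) "[ \t]*=") { v = $2 }
        END { print v }' "$2"
}

# Print the first <begin> or <end> (tag name in $1) port in firewall XML $2.
fw_port() { sed -n "s:.*<$1>\([0-9][0-9]*\)</$1>.*:\1:p" "$2" | head -n 1; }

# audit_vnc FIREWALL_XML VMX... prints one "file: CODE detail" line per finding.
audit_vnc() {
    fw=$1; shift
    lo=$(fw_port begin "$fw"); hi=$(fw_port end "$fw"); seen=" "
    [ -n "$lo" ] && [ -n "$hi" ] || { echo "$fw: NO_RANGE no port range found"; return 0; }
    for vmx in "$@"; do
        on=$(vmx_get RemoteDisplay.vnc.enabled "$vmx" | tr 'a-z' 'A-Z')
        [ "$on" = "TRUE" ] || continue      # VNC disabled: nothing to check
        port=$(vmx_get RemoteDisplay.vnc.port "$vmx")
        case $(vmx_get RemoteDisplay.vnc.password "$vmx") in
            "") echo "$vmx: NO_PASSWORD RemoteDisplay.vnc.password is not set" ;;
            ChangeThisToYourPassword) echo "$vmx: PLACEHOLDER_PASSWORD sample password left in place" ;;
        esac
        case $port in
            ""|*[!0-9]*) echo "$vmx: BAD_PORT '$port' is not a port number"; continue ;;
        esac
        if [ "$port" -lt "$lo" ] || [ "$port" -gt "$hi" ]; then
            echo "$vmx: OUT_OF_RANGE port $port is outside firewall range $lo-$hi"
        fi
        case $seen in
            *" $port "*) echo "$vmx: DUPLICATE_PORT $port is already used by another VM" ;;
        esac
        seen="$seen$port "
    done
}

# Constructed sample: two VMs checked against the guide's 5900-5999 rule.
demo() {
    d=$(mktemp -d)
    printf '<begin>5900</begin>\n<end>5999</end>\n' > "$d/vncServer.xml"
    printf '%s\n' 'RemoteDisplay.vnc.enabled = "TRUE"' 'RemoteDisplay.vnc.port = "5901"' \
        'RemoteDisplay.vnc.password = "ChangeThisToYourPassword"' > "$d/a.vmx"
    printf '%s\n' 'RemoteDisplay.vnc.enabled = "TRUE"' 'RemoteDisplay.vnc.port = "5901"' > "$d/b.vmx"
    (cd "$d" && audit_vnc vncServer.xml a.vmx b.vmx); rm -rf "$d"
}
demo
```

On a host, pass /etc/vmware/firewall/vncServer.xml followed by the .vmx paths of the VMs to audit_vnc; an empty result means no findings.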

Credits to https://www.netiq.com/documentation/cloudmanager22/ncm22_reference/data/bxzaz5n.html#bxzbjo1 for most of this guide.
