Enabling VNC for ESXi 5 using custom firewall rule

Well I did say the next post would be on recovery deleted objects using the Active Directory Recycle Bin, but a slight detour as part of my lab setup for 70-640 was the requirement to enable VNC on my ESXi host.

I have previously blogged about this process for previous iterations of ESX (https://deangrant.wordpress.com/2012/03/10/manage-virtual-machines-using-vnc-viewer-in-esx-4/). However, in ESXi 5 there is a further step required to configure the firewall to enable the required TCP connection ports, these being in the range 5900 – 5964.

From the VMware KB, I discovered how to create a custom firewall rule and enable the updated rule (http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2008226).

So here goes:

1) Backup the ‘/etc/vmware/firewall/service.xml’.

2) Modify the above file with a text editor to include the below rule to allow required TCP connection ports.

<service id=”0032″>
<id>VNC</id>
<rule id=’0000′>
<direction>outbound</direction>
<protocol>tcp</protocol>
<porttype>dst</porttype>
<port>
<begin>5900</begin>
<end>5964</end>
</port>
</rule>
<enabled>true</enabled>
</service>

3) Refresh the firewall rules so they take effect by run the following command:

esxcli network firewall refresh 

4) Confirm your firewall rule is listed and enabled by running the following command:

esxcli network firewall ruleset list

Once the host firewall rules have been conffgured you can configure the virtual machine as previously.

Configure virtual machine

1) Power of the virtual machine

2) Edit the configuration file (.vmx) using a text editor and add the following lines;

RemoteDisplay.vnc.enabled = “TRUE”
RemoteDisplay.vnc.password = “Enter password”
RemoteDisplay.vnc.port = “<Enter port number between 5900-5964>″
remoteDisplay.vnc.keymap = “uk”

The RemoteDisplay.vnc.port needs to be unique for each virtual machine and can be a TCP port number between 5900-5964

3) Power on the virtual machine.

Advertisements

2 thoughts on “Enabling VNC for ESXi 5 using custom firewall rule

  1. Thanks for the post Dean – very helpful. For our labs, we’ll eventually move over to 5.x and your XML template will come in handy. Although VMware advise the use of ports 5900-5999, any number can be used as long as there are no conflicts (See: http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1246) . We have hundred of VMs running with port numbers of 5999 in our lab environment. We find VNC is much quicker for our students to access the VMs than VMRC etc.

    Like

  2. When editing the service.xml file, be sure to increment the service id field. More recent ESXi distributions already have service id 32.

    It was also necessary to make a copy of the service.xml file to edit, then copy the edited file back to the original name. ESXi does something strange with permissions.

    Like

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s