Changing or blocking the default ports 80 (http) and 443 (https) on ESX hosts


Article ID: 307812


Products

VMware vSphere ESXi

Issue/Introduction

This article provides steps to change or block the default ports 80 (http) and 443 (https) that vmware-hostd listens on.

Environment

VMware ESX Server 3.5.x
VMware ESX Server 3.0.x
VMware ESX 4.0.x

Resolution

Changing the default ports
ESX 3.0.x
To change the default ports 80 (http) and 443 (https) for ESX 3.0.x:
  1. Open the /etc/vmware/hostd/config.xml file with a text editor.
  2. Locate the following XML segment:

    <proxysvc>
    <path>/usr/lib/vmware/hostd/libproxysvc.so</path>
    <http>
    <port>80</port>
    <proxyDatabase>
    <server id="0">
    <namespace> / </namespace>
    <host> localhost </host>
    <port> 9080 </port>
    </server>
    <redirect id="0"> /ui </redirect>
    <redirect id="1"> /mob </redirect>
    <redirect id="2"> /sdk </redirect>
    </proxyDatabase>
    </http>
    <https>
    <port>443</port>
    <proxyDatabase>
    <server id="0">
    <namespace> / </namespace>
    <host> localhost </host>
    <port> 9080 </port>
    </server>
    <server id="1">
    <namespace> /sdk </namespace>
    <host> localhost </host>
    <port> 8085 </port>
    </server>
    <server id="2">
    <namespace> /ui </namespace>
    <host> localhost </host>
    <port> 8080 </port>
    </server>
    <server id="3">
    <namespace>/mob</namespace>
    <host>localhost</host>
    <port>8087</port>
    </server>
    </proxyDatabase>
    </https>
    </proxysvc>

  3. Change the http and https port numbers and save the file.
  4. Restart the vmware-hostd process with the command:

    # service mgmt-vmware restart

ESX 3.5.x / ESX 4.0
To change the default ports 80 (http) and 443 (https) on ESX 3.5.x or ESX 4.0:
  1. Open the /etc/vmware/hostd/proxy.xml file with a text editor.
  2. Under <ConfigRoot>, add the following entry:

    <httpPort>custom port #</httpPort>

    <httpsPort>custom port #</httpsPort>


    For example:

    <httpPort>81</httpPort>

    <httpsPort>444</httpsPort>


  3. Save the file.
  4. Restart the vmware-hostd process with the command:

    # service mgmt-vmware restart
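
The proxy.xml edit from steps 1 to 3 above, as an added example that is not VMware code. It works on the text of the file, rewrites an existing entry instead of adding a duplicate, and reports the ports a file configures. The function names and the sample file content are assumptions made for this example.

```python
import re

DEFAULTS = {"httpPort": 80, "httpsPort": 443}  # default ports named in this article

# Constructed, minimal stand-in for an existing /etc/vmware/hostd/proxy.xml.
SAMPLE = "<ConfigRoot>\n  <EndpointList>\n  </EndpointList>\n</ConfigRoot>\n"

def effective_ports(xml_text):
    """Return the ports a proxy.xml text configures, falling back to the defaults."""
    ports = dict(DEFAULTS)
    for tag in DEFAULTS:
        m = re.search(r"<%s>\s*(\d+)\s*</%s>" % (tag, tag), xml_text)
        if m:
            ports[tag] = int(m.group(1))
    return ports

def set_proxy_ports(xml_text, http_port, https_port):
    """Return xml_text with <httpPort>/<httpsPort> set under <ConfigRoot>."""
    wanted = {"httpPort": int(http_port), "httpsPort": int(https_port)}
    if wanted["httpPort"] == wanted["httpsPort"]:
        raise ValueError("http and https need different ports")
    for tag, port in wanted.items():
        if not 1 <= port <= 65535:
            raise ValueError("%s out of range: %d" % (tag, port))
    if "<ConfigRoot>" not in xml_text:
        raise ValueError("no <ConfigRoot> element; not a proxy.xml?")
    for tag, port in wanted.items():
        entry = "<%s>%d</%s>" % (tag, port, tag)
        pattern = r"<%s>[^<]*</%s>" % (tag, tag)
        if re.search(pattern, xml_text):
            # Entry already present: rewrite it rather than adding a second one.
            xml_text = re.sub(pattern, entry, xml_text, count=1)
        else:
            # Entry absent: add it as the first child of <ConfigRoot>.
            xml_text = xml_text.replace("<ConfigRoot>", "<ConfigRoot>\n  " + entry, 1)
    return xml_text

if __name__ == "__main__":
    updated = set_proxy_ports(SAMPLE, 81, 444)  # the article's example ports
    print(updated)
    print(effective_ports(updated))
```

Write the returned text back only after keeping a copy of the original file, then restart vmware-hostd as in step 4.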

ESX 4.0
You can open service console firewall ports when you install third-party devices, services, and agents. Before you open ports to support the item you are installing, see vendor specifications to determine the necessary ports.
To open ports for services or agents that are not configurable through the vSphere Client:
Caution: VMware supports opening and closing firewall ports only through the vSphere Client or the esxcfg-firewall command. Using any other methods or scripts to open and close firewall ports can lead to unexpected behavior.
  1. Log in to the service console and acquire root privileges.
  2. Use the following command to open the port:

    esxcfg-firewall --openPort <port_number>,tcp|udp,in|out,<port_name>

    Where:
    • <port_number> is the vendor-specified port number.
    • Use tcp for TCP traffic or udp for UDP traffic.
    • Use in to open the port for inbound traffic or out to open it for outbound traffic.
    • <port_name> is a descriptive name to help identify the service or agent using the port. A unique name is not required.

      For example:

      esxcfg-firewall --openPort 6380,tcp,in,Navisphere
  3. Run the following command to restart:

    # service mgmt-vmware restart

Note: VMware does not support configuring a different port for port 443. For more information, see Connecting to the Virtual Machine Console Through a Firewall in the ESX Configuration Guide.

Blocking the default ports

Note: The information in this section pertains to ESX 3.x and ESX 4.0.
You cannot block ports 80 and 443 using the esxcfg-firewall commands. These commands return an error indicating that the port is not open.
Custom ports are blocked by default. To open a custom port, issue the following command:

    esxcfg-firewall -o <port,tcp|udp,in|out,name>

For example:

    esxcfg-firewall -o 81,tcp,in,http


Additional Information

The following ports are opened by default:
  • 22
  • 80
  • 443
  • 902
  • 5988
  • 5989