Due to security requirements, administrators may restrict access to the vSphere Client by configuring firewall rules on the ESXi host. In such cases, the "vSphere Web Client" ruleset may be selected in the Firewall section of the ESXi host.
After configuring the ESXi host firewall to allow access to the vSphere Client only from specific IP addresses, the ESXi host may become disconnected from vCenter Server. Additionally, vCenter Server may no longer be accessible using the vSphere Client.
ESXi
This issue occurs when access restrictions are configured in the ESXi firewall using the "vSphere Web Client (443, 902)" ruleset and the required IP addresses for vCenter Server are not included in the allowed list.
Although the ruleset name suggests that it only affects access through the vSphere Web Client, the restriction applies to all traffic to the ESXi host on ports 443 and 902. As a result, communication between the ESXi host and vCenter Server may be blocked if the vCenter Server IP address is not included in the allowed list.
To resolve this issue, ensure that the vCenter Server IP address is included in the allowed IP list for the "vSphere Web Client (443, 902)" firewall ruleset on the ESXi host.
Allowing the vCenter Server IP address ensures that the required communication between the ESXi host and vCenter Server on ports 443 and 902 is permitted.
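A pre-change check for the allowed IP list described above, as an added example that is not part of the original article: it verifies that every address that must reach the host on ports 443 and 902 is covered before the restriction is applied. The function names and all addresses are constructed for illustration (documentation ranges), and the list is assumed to hold single IP addresses or CIDR networks.

```python
import ipaddress


def parse_allowed(entries):
    """Turn allowed-list entries ('192.0.2.10' or '192.0.2.0/28') into networks."""
    networks = []
    for entry in entries:
        # strict=False accepts a host address written with a prefix length
        networks.append(ipaddress.ip_network(entry.strip(), strict=False))
    return networks


def uncovered_peers(allowed_entries, required_peers):
    """Return {name: address} for required peers the allowed list does not cover.

    required_peers maps a label (for example 'vcenter') to the IP address that
    must keep reaching the ESXi host on ports 443 and 902.
    """
    networks = parse_allowed(allowed_entries)
    missing = {}
    for name, address in required_peers.items():
        ip = ipaddress.ip_address(address)
        covered = any(ip.version == net.version and ip in net for net in networks)
        if not covered:
            missing[name] = address
    return missing


# Constructed sample: an admin subnet is allowed, vCenter Server was forgotten.
PLANNED = ["192.0.2.0/28"]
PEERS = {"admin-workstation": "192.0.2.10", "vcenter": "198.51.100.20"}

if __name__ == "__main__":
    gaps = uncovered_peers(PLANNED, PEERS)
    if gaps:
        for name, address in gaps.items():
            print(f"NOT COVERED: {name} ({address}) would lose 443/902 access")
    else:
        print("All required peers are covered by the allowed list")
```
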
If the vSphere Client can no longer access vCenter Server after the restriction is applied, refer to the following article to reset the vSphere Web Client firewall ruleset: