Restricting SSH Access to vCenter Server While Maintaining Global Web Client (GUI) Access

Article ID: 437359

Updated On:

Products

VMware vCenter Server

Issue/Introduction

The requirement involves restricting SSH access to the vCenter Server Appliance (vCSA) to specific authorized management IP addresses. The vSphere Client GUI (Port 443) must remain accessible across the network for standard administrative operations. Verification of the vCenter Appliance Management Interface (VAMI) confirms that native firewall rules are applied at the network interface level (NIC) rather than the service level, which prevents the differentiation of access based on specific ports.

Environment

VMware vCenter Server

Cause

The built-in firewall functionality within the vCenter Server Appliance Management Interface (VAMI) operates at the network layer. It is designed to filter traffic based on source IP addresses or subnets but does not support granular port-based filtering. Because the VAMI interface lacks the capability to specify destination ports (such as TCP 22 or TCP 443), any "Allow" or "Reject" rule created within the VAMI applies to all incoming traffic for that interface. Consequently, blocking an IP via VAMI to restrict SSH access also results in the unintended loss of Web Client GUI access for that source.

Resolution

To achieve port-specific restriction without impacting overall connectivity, filtering must be performed by a device or service capable of Layer 4 traffic management. The following methods are recommended:

External Physical or Virtual Firewall

Implementation of the restriction at the network perimeter or the gateway serving the vCenter management network is the most effective approach.

  • Configure a rule to allow TCP Port 22 (SSH) only from specific management stations or jump hosts.

  • Configure a rule to allow TCP Port 443 (HTTPS) and TCP Port 9443 from the broader internal network.

  • Apply a "Deny" rule for Port 22 from all other sources.

VMware NSX Distributed Firewall (DFW)

In environments utilizing VMware NSX, a DFW policy can be applied directly to the vCenter Server virtual machine.

  • Define a Service Group for SSH.

  • Apply an Allow policy for that service group sourced from the trusted IP Set.

  • Apply a Reject/Drop policy for the SSH service group for all other sources.
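The following added example (not part of this article) models the two rule sets above in first-match order and evaluates sample flows against them, to show why a port-aware (Layer 4) policy gives the intended result while an IP-only rule of the VAMI kind blocks the Web Client along with SSH. All addresses are constructed placeholders; the VAMI model simply omits the port field and defaults to allow.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: str                     # source address or network in CIDR notation
    dport: Optional[int] = None  # destination TCP port; None = any port (IP-only rule)

def evaluate(rules, src_ip, dport, default="deny"):
    """First-match evaluation, as a perimeter firewall or NSX DFW applies a rule list."""
    ip = ip_address(src_ip)
    for r in rules:
        if ip in ip_network(r.src) and (r.dport is None or r.dport == dport):
            return r.action
    return default

# Constructed sample networks; substitute the real jump hosts and management network.
JUMP_HOSTS = "10.0.100.0/28"   # authorised SSH management stations
INTERNAL = "10.0.0.0/16"       # broader internal network that needs GUI access
UNTRUSTED = "10.0.50.0/24"     # a subnet that should get GUI but never SSH

# Layer-4 policy from the Resolution section (perimeter firewall or DFW).
L4_POLICY = [
    Rule("allow", JUMP_HOSTS, 22),
    Rule("allow", INTERNAL, 443),
    Rule("allow", INTERNAL, 9443),
    Rule("deny", "0.0.0.0/0", 22),
]

# VAMI-style attempt: the reject rule cannot name a port, so it matches every port.
VAMI_POLICY = [
    Rule("deny", UNTRUSTED),
]

def compare(src_ip, ports=(22, 443)):
    """Return {port: (l4_result, vami_result)} for one source address."""
    return {p: (evaluate(L4_POLICY, src_ip, p),
                evaluate(VAMI_POLICY, src_ip, p, default="allow")) for p in ports}

if __name__ == "__main__":
    for host in ("10.0.100.5", "10.0.50.7", "10.0.20.1"):
        print(host, compare(host))
```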

Additional Information

References:
How to Block All Traffic on vCenter except for Specific IP Addresses/Subnets
Configure the VAMI firewall to restrict vCenter access to specified IP addresses or subnets