The ESXi Embedded Host Client is a native HTML and JavaScript application served
directly from your ESXi host, so it should perform much better than any of the existing solutions.
This article covers installing the VMware Labs ESXi UI on an ESXi 6 host and configuring the ESXi firewall
so the host is only reachable from a selected list of IP addresses.
Download the ESXi offline bundle from VMware Labs
and upload the offline zip bundle to the ESXi host:
scp esxui-offline-bundle-6.x-3731936.zip 1.2.3.4:/tmp
Install the bundle. The same offline bundle (a depot, hence -d) is used to update an existing install; removal is by VIB name:
esxcli software vib install -d /tmp/esxui-offline-bundle-6.x-3731936.zip
esxcli software vib update -d /tmp/esxui-offline-bundle-6.x-3731936.zip # Update an install from the same bundle
esxcli software vib remove -n esx-ui # Uninstall, using the VIB name shown by vib list
Confirm the VIB is installed:
esxcli software vib list | grep ui
esx-ui 0.6.0-3623722 VMware VMwareCertified 2016-03-23
Check what the host is listening on; the web UI is fronted by rhttpproxy on port 80:
esxcli network ip connection list | grep 80
tcp 0 0 127.0.0.1:80 127.0.0.1:36334 ESTABLISHED 709853 newreno rhttpproxy-work
tcp 0 0 127.0.0.1:36334 127.0.0.1:80 ESTABLISHED 35318 newreno sfcb-vmware_bas
tcp 0 0 1.2.3.4:22 1.2.3.17:54693 ESTABLISHED 33411 newreno busybox
tcp 0 0 127.0.0.1:63079 127.0.0.1:80 CLOSED 35318 newreno sfcb-vmware_bas
tcp 0 0 127.0.0.1:8089 0.0.0.0:0 LISTEN 34731 newreno vpxa-worker
tcp 0 0 1.2.3.4:427 0.0.0.0:0 LISTEN 34172 newreno
tcp 0 0 0.0.0.0:80 0.0.0.0:0 LISTEN 33895 newreno rhttpproxy-work
tcp 0 0 0.0.0.0:8000 0.0.0.0:0 LISTEN 33408 newreno
udp 0 0 1.2.3.4:123 0.0.0.0:0 33577 ntpd
Turn off the proxy to the root page; requests to https://serverip will then return a 404:
vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
vim-cmd proxysvc/service_list # Will show that / no longer exists
To add the root service back, pointing it at localhost port 8309:
vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309
Confirm that the firewall is enabled and loaded, and that its default action is to drop packets
that are not explicitly allowed:
esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
Make sure the webAccess ruleset is enabled:
esxcli network firewall ruleset list | grep web
webAccess true
By default the webAccess ruleset allows all source addresses, so anyone who can reach the host can connect to it.
The same is true for the sshServer and vSphereClient rulesets, which let anyone attempt a
connection to the server over SSH or with the vSphere client. Check the current allowed IPs:
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
webAccess      All
vSphereClient  All
Turn off allow-all on each ruleset, then add the addresses that should be permitted (1.2.3.4/32 and 10.0.0.0/24 here). Make sure the address you are administering from is in the list:
esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
esxcli network firewall ruleset set --ruleset-id webAccess --allowed-all false
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.0.0.0/24
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 10.0.0.0/24
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 10.0.0.0/24
Verify that each ruleset now lists only the allowed addresses:
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset        Allowed IP Addresses
-------------  -----------------------------------------------------------
sshServer      1.2.3.4, 10.0.0.0/24
webAccess      1.2.3.4, 10.0.0.0/24
vSphereClient  1.2.3.4, 10.0.0.0/24
List every ruleset on the ESXi host with its allowed IP addresses, to spot any other service still open to all:
esxcli network firewall ruleset allowedip list
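The lockdown above is a handful of repetitive commands, and it is easy to leave a ruleset half-done or to miss one that is still set to All. The script below is an added example, not part of the original article: it parses the output of the allowedip list command to find rulesets still open to every source, and for each one in a chosen list prints (or, with APPLY=1, runs) the same esxcli commands used above. The ruleset names and the 1.2.3.4/32 and 10.0.0.0/24 allow-list come from the article; SAMPLE_BEFORE is constructed output in the article's layout so the audit logic can be exercised off the host.

```shell
#!/bin/sh
# Audit ESXi firewall rulesets for allow-all source lists and lock them down.
# Written for the ESXi shell (busybox ash), so POSIX sh only.

# Rulesets to restrict and the source networks that may reach them
# (values from the article; substitute your own management networks, and make
# sure the address you administer from is among them before using APPLY=1).
RULESETS="sshServer webAccess vSphereClient"
ALLOWED_IPS="1.2.3.4/32 10.0.0.0/24"

# Constructed sample of `esxcli network firewall ruleset allowedip list`
# output, in the layout the article shows, for running the audit off-host.
SAMPLE_BEFORE='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
webAccess      All
vSphereClient  All
ntpClient      All
CIMHttpServer  1.2.3.4, 10.0.0.0/24'

# Read allowedip list output on stdin and print the rulesets whose allowed
# source list is "All". The first two lines are the header and separator.
open_rulesets() {
    awk 'NR > 2 && $2 == "All" { print $1 }'
}

# Print the esxcli commands that restrict one ruleset to ALLOWED_IPS.
# Emitting text rather than running it keeps the change reviewable.
lockdown_cmds() {
    rs="$1"
    echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
    for ip in $ALLOWED_IPS; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $ip"
    done
}

# Take allowedip list output as $1. For every ruleset in RULESETS that is
# still open, print the lockdown commands (dry run) or execute them when
# APPLY=1. Returns 1 if anything was open, so it doubles as a compliance check.
lockdown_open() {
    open=" $(printf '%s\n' "$1" | open_rulesets | tr '\n' ' ')"
    rc=0
    for rs in $RULESETS; do
        case "$open" in
            *" $rs "*)
                rc=1
                if [ "${APPLY:-0}" = "1" ]; then
                    lockdown_cmds "$rs" | sh -e
                else
                    lockdown_cmds "$rs"
                fi
                ;;
        esac
    done
    return $rc
}

# On a host, audit the live firewall; elsewhere, fall back to the sample.
if command -v esxcli >/dev/null 2>&1; then
    current="$(esxcli network firewall ruleset allowedip list)"
else
    current="$SAMPLE_BEFORE"
fi
lockdown_open "$current" || [ "${APPLY:-0}" = "1" ] || \
    echo "rulesets above are open to All; rerun with APPLY=1 to lock them down"
```

Run it once without APPLY to review the commands it would issue, then with APPLY=1 on the host. Rulesets outside RULESETS (ntpClient in the sample) are reported by open_rulesets but deliberately left alone, so the script only changes what you have decided to restrict.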
Go and crack yourself a beer.. you deserve one!