VMware ESXi includes a built-in VNC server that can be used to access a VM's console for manipulation via automated tools (e.g., veewee) or by users on platforms where the vSphere Client is not supported. In ESXi 5.x, the built-in firewall does not allow VNC traffic to reach the VNC server, even when an individual VM is configured to enable it. To make this work, the firewall has to be modified to allow the appropriate ports.
The below script can be run via the ESXi command line to set up the firewall rules necessary to run VNC. A few items to note:
- Script assumes the firewall rules file is the default provided by 5.0.0 update 2 build 914586 and/or 5.1.0 build 799733 (may work in other versions)
- In order to persist settings after a reboot, it is necessary to copy the firewall settings to either a specific datastore mapped to the host, or the local persistent storage linked under the /store directory. Further, either the /etc/rc.local (ESXi 5.0) or /etc/rc.local.d/local.sh (ESXi 5.1) file must include steps to reinitialize the firewall rules on each reboot by pulling the appropriate file and updating the firewall accordingly.
- In the case of ESXi 5.1, this is counter to the VMware documentation that recommends putting this content in /etc/profile.local, however I was unable to get those settings working.
- Script tested on ESXi 5.0.0 update 2 build 914586 and ESXi 5.1.0 build 799733
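The post's own script is not reproduced here, so the following is an added example (not the author's code) of the procedure the notes describe: write a custom ESXi 5.x firewall service definition for the VNC ports, reload and enable it, save a copy under /store, and emit the lines that /etc/rc.local (5.0) or /etc/rc.local.d/local.sh (5.1) needs to restore the rule at boot. The port range 5900-5964, the rule file name vnc.xml, the /store/firewall directory and the 192.0.2.0/24 management subnet are all assumptions chosen for the example; only the esxcli subcommands and the service XML layout are the ones ESXi 5.x actually uses. It is written as POSIX sh because the ESXi shell is busybox ash.

```sh
#!/bin/sh
# Added example, not the post's script: create, enable, persist and restore an
# ESXi 5.x custom firewall ruleset for the built-in VNC console ports.
#
# Assumptions (none of these values come from the post):
#   VNC_PORT_BEGIN/VNC_PORT_END  5900-5964, the range used for RemoteDisplay.vnc.port
#   RULE_FILE    /etc/vmware/firewall/vnc.xml (ESXi loads every *.xml in that directory)
#   PERSIST_DIR  /store/firewall, under the local persistent storage named in the post
#   MGMT_NET     placeholder (TEST-NET-1) for the admin subnet allowed to reach consoles
VNC_PORT_BEGIN="${VNC_PORT_BEGIN:-5900}"
VNC_PORT_END="${VNC_PORT_END:-5964}"
RULE_FILE="${RULE_FILE:-/etc/vmware/firewall/vnc.xml}"
PERSIST_DIR="${PERSIST_DIR:-/store/firewall}"
MGMT_NET="${MGMT_NET:-192.0.2.0/24}"

# Emit a service definition in the layout ESXi 5.x reads from /etc/vmware/firewall/.
# The numeric service id only has to be unique across those files; 0099 is arbitrary.
vnc_rule_xml() {
    begin="$1"; end="$2"
    cat <<EOF
<ConfigRoot>
  <service id="0099">
    <id>VNC</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>
        <begin>${begin}</begin>
        <end>${end}</end>
      </port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
}

# Refuse to write a rule for a malformed range: both values numeric, 1-65535, begin <= end.
valid_port_range() {
    for p in "$1" "$2"; do
        case "$p" in ""|*[!0-9]*) return 1 ;; esac
    done
    [ "$1" -ge 1 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# Write the rule, reload the firewall, enable the ruleset and limit its source addresses.
apply_vnc_rule() {
    valid_port_range "$VNC_PORT_BEGIN" "$VNC_PORT_END" || { echo "bad port range" >&2; return 1; }
    vnc_rule_xml "$VNC_PORT_BEGIN" "$VNC_PORT_END" > "$RULE_FILE"
    esxcli network firewall refresh
    esxcli network firewall ruleset set --ruleset-id VNC --enabled true
    # VM consoles should not be reachable from every network the host sits on:
    # turn off "allow all" and permit only the management subnet.
    esxcli network firewall ruleset set --ruleset-id VNC --allowed-all false
    esxcli network firewall ruleset allowedip add --ruleset-id VNC --ip-address "$MGMT_NET"
}

# Keep a copy outside /etc so the boot hook can restore it after a reboot.
persist_vnc_rule() {
    mkdir -p "$PERSIST_DIR" && cp "$RULE_FILE" "$PERSIST_DIR/vnc.xml"
}

# Lines to append to /etc/rc.local (ESXi 5.0) or /etc/rc.local.d/local.sh (ESXi 5.1).
boot_hook() {
    cat <<EOF
# restore the VNC firewall rule saved by the setup script
cp ${PERSIST_DIR}/vnc.xml ${RULE_FILE} && esxcli network firewall refresh
esxcli network firewall ruleset set --ruleset-id VNC --enabled true
esxcli network firewall ruleset set --ruleset-id VNC --allowed-all false
esxcli network firewall ruleset allowedip add --ruleset-id VNC --ip-address ${MGMT_NET}
EOF
}

# Only touch the host when run as "sh vnc-firewall.sh install"; sourcing it just
# defines the functions so they can be inspected or tested off the host.
if [ "${1:-}" = "install" ]; then
    apply_vnc_rule && persist_vnc_rule && boot_hook
fi
```

Usage on the host: run `sh vnc-firewall.sh install`, paste the printed boot-hook lines into the rc.local or local.sh file the post names for your version, and confirm with `esxcli network firewall ruleset list` and `esxcli network firewall ruleset allowedip list --ruleset-id VNC` that VNC is enabled and restricted to the intended subnet rather than open to all.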
On my ESXi 5.0 Update 1 host (build 623860), I don't have an /etc/profile.local, nor do I have a /store at all. While I'm not certain, I suspect this is because our environment does stateless PXE-based imaging for our ESXi hosts using vSphere Auto Deploy. Another method will need to be used for these types of host deployments.