It has been a long time since I posted a new article on my blog, so it is time to write some new content. I want to start with a post about configuring SSH to start automatically, hiding the shell warning message and configuring the ESXi firewall to allow the SSH connection only from a certain IP address. Of course all this is done by running a PowerCLI script.
But first I want to show you where you can change the ESXi firewall settings. Go to the Configuration tab and select Security Profile. Select the rule you want to change and click the Firewall... button. Select the option "Only allow connections from the following networks" and add the IP address or IP range you want to allow.
But like I mentioned before, this is not a job to do by hand when you have a large vSphere environment, so I want to share the PowerCLI script below to perform this task for you. The only things you need to change are the $cluster and $ip variables. Then copy the script into your PowerCLI session and run it.
```powershell
$cluster = "<clusterName>"
$ip = "192.168.1.1"

foreach($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort Name)){
    write-host "Configuring SSH on host: $($vmHost.Name)" -fore Yellow

    # Make the SSH service (key TSM-SSH) start automatically with the host
    if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Policy -ne "on"){
        Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
        Get-VMHostService -VMHost $vmHost | where { $_.key -eq "TSM-SSH" } | Set-VMHostService -Policy "On" -Confirm:$false -ea 1 | Out-null
    }

    # Start the SSH service now if it is not already running
    if((Get-VMHostService -VMHost $vmHost | where {$_.Key -eq "TSM-SSH"}).Running -ne $true){
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService (Get-VMHost $vmHost | Get-VMHostService | Where { $_.Key -eq "TSM-SSH"}) | Out-null
    }

    # Restrict the sshServer firewall rule set to $ip if it still allows all sources
    $esxcli = Get-EsxCli -VMHost $vmHost
    if($esxcli -ne $null){
        if(($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | select AllowedIPAddresses).AllowedIPAddresses -eq "All"){
            Write-Host "Changing the sshServer firewall configuration"
            # set(allowedall, enabled, rulesetid): keep the rule enabled, turn off "allow all"
            $esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
            $esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
            $esxcli.network.firewall.refresh()
        }
    }

    # Suppress the "SSH is enabled" warning shown in the client
    if(($vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"}).Value -ne "1"){
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where {$_.Name -eq "UserVars.SuppressShellWarning"} | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-null
    }
}
```
The script checks whether the SSH service is running and changes the setting if necessary. The same applies to the firewall configuration and to the part that suppresses the shell warning message.
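As an added example (not part of the original post or its script), the firewall step below is generalised to a list of allowed addresses or networks and reconciles the sshServer rule set against that list on every host in the cluster, removing entries that are no longer wanted instead of only adding when the rule is still open to everyone. It assumes a PowerCLI session already connected with Connect-VIServer and the same V1 Get-EsxCli object the script above uses; $cluster and the addresses in $allowed are placeholder values.

```powershell
# Added example, not the original post's script: make the desired allow-list
# authoritative for the ESXi "sshServer" rule set on every host in a cluster.
# Assumes a connected PowerCLI session; $cluster and $allowed are placeholders.
$cluster   = "<clusterName>"
$allowed   = @("192.168.1.1", "192.168.1.2", "10.10.20.0/24")   # constructed values
$rulesetId = "sshServer"

function Sync-SshAllowList {
    param(
        [Parameter(Mandatory)] $VMHost,
        [Parameter(Mandatory)] [string[]] $Allowed,
        [string] $RulesetId = "sshServer"
    )
    $esxcli = Get-EsxCli -VMHost $VMHost
    if ($null -eq $esxcli) { Write-Warning "No esxcli object for $($VMHost.Name)"; return }
    $fw = $esxcli.network.firewall.ruleset

    # allowedip.list returns every configured source; "All" means no restriction at all
    $current = @(($fw.allowedip.list($RulesetId)).AllowedIPAddresses)
    if ($current -contains "All") {
        Write-Host "$($VMHost.Name): $RulesetId is open to all sources, restricting it" -fore Yellow
        # set(allowedall, enabled, rulesetid): keep the rule enabled, turn off "allow all"
        $fw.set($false, $true, $RulesetId) | Out-Null
        $current = @()
    }

    # Remove anything that is not in the desired list (stale or hand-added entries)
    foreach ($stale in ($current | Where-Object { $Allowed -notcontains $_ })) {
        Write-Host "$($VMHost.Name): removing $stale from $RulesetId"
        $fw.allowedip.remove($stale, $RulesetId) | Out-Null
    }
    # Add whatever is in the desired list but missing on the host
    foreach ($missing in ($Allowed | Where-Object { $current -notcontains $_ })) {
        Write-Host "$($VMHost.Name): adding $missing to $RulesetId"
        $fw.allowedip.add($missing, $RulesetId) | Out-Null
    }
    $esxcli.network.firewall.refresh() | Out-Null

    # Return the resulting list as plain strings so a long allow-list is not truncated by Format-Table
    ($fw.allowedip.list($RulesetId)).AllowedIPAddresses
}

foreach ($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort-Object Name)) {
    $result = Sync-SshAllowList -VMHost $vmHost -Allowed $allowed -RulesetId $rulesetId
    Write-Host "$($vmHost.Name): $rulesetId now allows $($result -join ', ')"
}
```

Returning the list from the function rather than formatting it for display gives you something a compliance check can compare against the intended allow-list host by host.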
Thanks for the good scripts. How can I add more IPs to the firewall? I have, say, 5 to 6 IPs.
Rgds—Dev
To add more IPs to the firewall I think you can change your second line to something like this:
```powershell
$ips = @("192.168.1.1","192.168.1.2","192.168.1.3","192.168.1.4","192.168.1.5")
```
Under that, insert a line that sets up another loop:
```powershell
foreach ($ip in $ips) {
```
And then add a line at the bottom with just the closing bracket for the loop you just added:
```powershell
}
```
Thanks for the script. What's a good way to do so for all services that are enabled, along with the 5-6 IP addresses?
Thanks!
–S
Thanks for the script. I have a question: how can I display the "complete" allowed IP address list (using network.firewall.ruleset.allowedip.list("sshServer"))? I tried | ft -wrap, but it only displays 4 allowed IPs.
How about if I want to delete all the existing IPs from sshServer and re-add a new set of IPs to sshServer using PowerShell?