Tag Archives: Firewall

PowerCLI: enable SSH and configure ESXi Firewall


It has been a long time since I posted a new article on my blog, so it is time for some new content. I want to start with a post about configuring SSH to start automatically, hiding the shell warning message, and configuring the ESXi firewall so that SSH is only reachable from a specific IP address. All of this is done by running a PowerCLI script.

But first I want to show you where you change the ESXi firewall settings by hand. In the vSphere Client, go to the host's Configuration tab and select Security Profile. Under Firewall click Properties, select the rule you want to change (in this case SSH Server) and click Firewall.... Select the option "Only allow connections from the following networks" and add the IP address or IP range you want to allow.


But as mentioned, this is not a job you want to do by hand in a large vSphere environment, so I want to share the PowerCLI script below to perform the task for you. The only things you need to change are the $cluster and $ip variables. Then copy the script into your PowerCLI session and run it.

$cluster = "<clusterName>"
$ip = "192.168.1.1"    # host or network allowed to reach SSH; a subnet such as "192.168.1.0/24" also works

foreach ($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort-Object Name)) {
    Write-Host "Configuring SSH on host: $($vmHost.Name)" -ForegroundColor Yellow
    $sshService = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }

    # Policy "On" means "Start and stop with host", so SSH comes back after a reboot
    if ($sshService.Policy -ne "on") {
        Write-Host "Setting SSH service policy to 'On' (start and stop with host) on $($vmHost.Name)"
        $sshService | Set-VMHostService -Policy "On" -Confirm:$false -ErrorAction Stop | Out-Null
    }

    if (-not $sshService.Running) {
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService $sshService -Confirm:$false | Out-Null
    }

    # Firewall: only touch the sshServer ruleset while it still accepts every source address
    $esxcli = Get-EsxCli -VMHost $vmHost
    if ($esxcli -ne $null) {
        $allowed = ($esxcli.network.firewall.ruleset.allowedip.list("sshServer")).AllowedIPAddresses
        if ($allowed -eq "All") {
            Write-Host "Changing the sshServer firewall configuration"
            # set(allowedall, enabled, rulesetid): switch off "allow all", keep the ruleset enabled
            $esxcli.network.firewall.ruleset.set($false, $true, "sshServer") | Out-Null
            $esxcli.network.firewall.ruleset.allowedip.add($ip, "sshServer") | Out-Null
            $esxcli.network.firewall.refresh() | Out-Null
        }
    }

    # Hide the "SSH for the ESXi Shell has been enabled" warning in the client
    $setting = Get-AdvancedSetting -Entity $vmHost -Name "UserVars.SuppressShellWarning"
    if ($setting.Value -ne "1") {
        Write-Host "Suppressing the SSH warning message"
        $setting | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-Null
    }
}

The script checks whether the SSH service policy, the running state, the firewall ruleset and the shell warning setting already have the desired value and only changes what is necessary. Two things to keep in mind before running it against a large cluster. First, the firewall part only acts while the sshServer ruleset still allows connections from all addresses; a host that was already restricted to some other address is left untouched, so check those hosts separately. Second, make sure $ip covers the machine you actually administer the hosts from, otherwise the script locks you out of SSH and you have to repair the ruleset from the vSphere Client or the DCUI. Enabling SSH permanently on every host widens the management attack surface, which is exactly why the source restriction is part of the script rather than an afterthought. Finally, the esxcli calls use the original positional Get-EsxCli interface; recent PowerCLI versions mark it as deprecated in favour of Get-EsxCli -V2, which takes named arguments in a hashtable.
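To verify that the hosts really ended up in the intended state (and to catch later drift, for example someone reopening sshServer to all addresses from the client), here is an added audit script. It is not part of the original post; it assumes an existing Connect-VIServer session and a PowerCLI version that supports Get-EsxCli -V2, and $cluster and $allowed are placeholders you have to adjust. It also shows the V2 calling convention, which differs from the positional calls in the script above.

```powershell
# Added audit example, not from the original post.
# Assumes: Connect-VIServer already done, PowerCLI with Get-EsxCli -V2,
# and that $cluster / $allowed are adjusted to your environment.
$cluster = "<clusterName>"
$allowed = @("192.168.1.1")   # source addresses that are supposed to reach sshServer

$report = foreach ($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort-Object Name)) {
    $ssh     = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }
    $warning = Get-AdvancedSetting -Entity $vmHost -Name "UserVars.SuppressShellWarning"
    $esxcli  = Get-EsxCli -VMHost $vmHost -V2

    # V2 takes a hashtable of named arguments; the esxcli option --ruleset-id
    # becomes the key "rulesetid"
    $ruleset = $esxcli.network.firewall.ruleset.list.Invoke(@{ rulesetid = "sshServer" })
    $ipList  = $esxcli.network.firewall.ruleset.allowedip.list.Invoke(@{ rulesetid = "sshServer" })
    $actual  = @($ipList.AllowedIPAddresses)

    $allowsAll = $actual -contains "All"
    $missing   = @($allowed | Where-Object { $actual -notcontains $_ })
    $extra     = @($actual  | Where-Object { $_ -ne "All" -and $allowed -notcontains $_ })

    [PSCustomObject]@{
        Host          = $vmHost.Name
        SshPolicy     = $ssh.Policy
        SshRunning    = $ssh.Running
        RulesetOn     = ($ruleset.Enabled -eq "true")
        AllowedIPs    = ($actual -join ",")
        WarningHidden = ($warning.Value -eq "1")
        # Compliant only if SSH is on and running, the ruleset is enabled and
        # restricted, the allowed set matches exactly, and the warning is hidden
        Compliant     = ($ssh.Policy -eq "on" -and $ssh.Running -and
                         $ruleset.Enabled -eq "true" -and -not $allowsAll -and
                         $missing.Count -eq 0 -and $extra.Count -eq 0 -and
                         $warning.Value -eq "1")
    }
}

$report | Format-Table -AutoSize
# Hosts that need attention, e.g. sshServer still open to "All" or an unexpected source:
$report | Where-Object { -not $_.Compliant }
```

The comparison of the allowed list is deliberately exact in both directions: a host that allows an extra address is just as non-compliant as one that is missing the management address, and a ruleset that is disabled altogether would silently block SSH even though the allowed list looks right.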


Veeam Backup: RPC error The RPC server is unavailable. Code 1722


In one of my Veeam Backup jobs I had two Windows 2008 R2 VMs with the Windows Firewall enabled. The backup job failed with the error: RPC error The RPC server is unavailable. Code 1722.

You can find the error in the job Statistics screen:

image

This error is the result of combining Application-aware image processing (Microsoft VSS) with the Windows Firewall. The Veeam server talks to the guest over RPC: it first connects to the RPC endpoint mapper on TCP port 135 and is then handed a dynamically allocated port for the actual call. By default that port can be anywhere in a large range, so a firewall that does not allow the whole range blocks the connection. Microsoft describes the fix in KB article KB154596: restrict the range of ports RPC hands out via the Windows Registry, so that you only have to open a small, known range in the firewall. You need to add the following values under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet:

Ports (REG_MULTI_SZ)

Specifies a set of IP port ranges consisting of either all the ports available from the Internet or all the ports not available from the Internet. Each string represents a single port or an inclusive set of ports. For example, a single port may be represented by 5984, and a set of ports may be represented by 5000-5100. If any entries are outside the range of 0 to 65535, or if any string cannot be interpreted, the RPC runtime treats the entire configuration as invalid.

PortsInternetAvailable (REG_SZ, Y or N, not case-sensitive)

If Y, the ports listed in the Ports key are all the Internet-available ports on that computer. If N, the ports listed in the Ports key are all those ports that are not Internet-available.

UseInternetPorts (REG_SZ, Y or N, not case-sensitive)

Specifies the system default policy.

If Y, the processes using the default will be assigned ports from the set of Internet-available ports, as defined previously.

If N, the processes using the default will be assigned ports from the set of intranet-only ports.

Alternatively, save the following as a .REG file and import it on the Windows 2008 R2 VM. The hex(7) value is simply the UTF-16 encoding of the string 5000-5100 followed by the double null that terminates a REG_MULTI_SZ; KB154596 recommends a range of at least 100 ports above 5000, because several system services also get their ports from this pool.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc\Internet]
"Ports"=hex(7):35,00,30,00,30,00,30,00,2d,00,35,00,31,00,30,00,30,00,00,00,00,\
  00
"PortsInternetAvailable"="Y"
"UseInternetPorts"="Y"

The next step is to add a Windows Firewall rule. An inbound rule that allows TCP 5000-5100 (the range configured above) covers the RPC calls themselves; the endpoint mapper on TCP 135 must also be reachable. Scope the rule to the IP address of the Veeam backup server instead of leaving it open to any remote address: the whole point of the exercise is to keep the firewall on, not to punch a hole that any host on the network can use.


After changing these settings you need to reboot the VM, because the RPC runtime only reads the Rpc\Internet values at startup.

Now you are able to run the Veeam Backup job with the Windows Firewall enabled on a Windows 2008 R2 VM.
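The registry change, the scoped firewall rule and a check of both, as one script you can run in an elevated PowerShell on the guest. This is an added example and not part of the original post; the backup server address, the port range and the rule name are assumptions to adjust. It uses netsh advfirewall rather than the NetSecurity cmdlets because those cmdlets do not exist on Windows 2008 R2.

```powershell
# Added example, not from the original post. Run elevated on the Windows 2008 R2 VM.
# Assumptions: $VeeamServer is the backup server's address, $PortRange is the
# restricted RPC range (KB154596: at least 100 ports above 5000), $RuleName is ours.
$VeeamServer = "192.168.1.50"
$PortRange   = "5000-5100"
$RuleName    = "VeeamRPC-Restricted"

# 1. RPC dynamic port restriction (equivalent to the .REG file above)
$key = "HKLM:\SOFTWARE\Microsoft\Rpc\Internet"
if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
Set-ItemProperty -Path $key -Name "Ports"                  -Value @($PortRange) -Type MultiString
Set-ItemProperty -Path $key -Name "PortsInternetAvailable" -Value "Y"           -Type String
Set-ItemProperty -Path $key -Name "UseInternetPorts"       -Value "Y"           -Type String

# 2. Firewall: endpoint mapper (135) plus the restricted range, inbound,
#    and only from the backup server. Delete first so the script can be re-run.
netsh advfirewall firewall delete rule name=$RuleName | Out-Null
netsh advfirewall firewall add rule name=$RuleName dir=in action=allow protocol=TCP `
    "localport=135,$PortRange" "remoteip=$VeeamServer" profile=domain,private

# 3. Verify before rebooting: the multi-string must decode to the range, and the
#    rule must be scoped to the backup server rather than to "Any".
Get-ItemProperty -Path $key | Select-Object Ports, PortsInternetAvailable, UseInternetPorts
netsh advfirewall firewall show rule name=$RuleName verbose

# RPC reads these values at boot, so the change is only live after a reboot:
# Restart-Computer
```

If you later move the Veeam server, the remoteip scope is the line to update; widening it to any address defeats the purpose of keeping the firewall on.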

 

Source: Microsoft KB154596, How to configure RPC dynamic port allocation to work with firewalls

VMware: Custom firewall rules via XML files


After my previous post about Veeam FastSCP and the ESX firewall, I decided to create an XML file myself for the MGE UPS Network Shutdown Module.

I did this as follows:

Download XMLNotepad from here: http://www.microsoft.com/

Copy FastSCP.xml and name the copy MgeUPS.xml

Open MgeUPS.xml in XMLNotepad

Insert the following code. Rule 0000 allows the outbound HTTP connection on TCP port 80, rule 0001 allows the shutdown module's inbound connections on TCP ports 4679-4680; the flags are passed straight to iptables, so "-m state --state NEW" matches new connections only:

<!-- Firewall configuration information for MGE UPS Network Shutdown Module -->
<ConfigRoot>
  <service>
    <id>MgeUPS</id>
    <rule id="0000">
      <direction>outbound</direction>
      <protocol>tcp</protocol>
      <port type="dst">
        <begin>80</begin>
        <end>80</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
    <rule id="0001">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <port type="dst">
        <begin>4679</begin>
        <end>4680</end>
      </port>
      <flags>-m state --state NEW</flags>
    </rule>
  </service>
</ConfigRoot>

Then save the file and copy it to the /etc/vmware/firewall directory on your ESX server.

Finally, run the command: esxcfg-firewall -e MgeUPS. Note that this is cAsE-sEnSiTiVe: the name must be exactly the same as the <id> in the XML file above. You can check the result with esxcfg-firewall -q MgeUPS.

Then run the following command: service mgmt-vmware restart.

Now you can activate the new rule in the VI Client.

The new rules are configured.

In this way you can prepare ready-made XML files yourself and apply them. Keep in mind that this file format and esxcfg-firewall belong to classic ESX with the Service Console; ESXi 5 and later also read service definitions from /etc/vmware/firewall, but with a different XML schema, and the rulesets are managed with esxcli network firewall. Only enable a service whose ports you actually need, since every inbound rule you enable opens the Service Console to that traffic.
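If you prepare such files for more than one service, it is easy to end up with a hand-edited file that the ESX firewall silently rejects. As an added example (my own code, not anything VMware ships), here is a small PowerShell function that generates a service definition in exactly the structure of the MgeUPS.xml above from a list of rules and refuses invalid directions, protocols or port ranges before anything is written. The function name and the rule table layout are my own invention.

```powershell
# Added example, not from the original post. Generates a classic-ESX (Service
# Console / esxcfg-firewall) firewall service XML; ESXi 5+ uses another schema.
function New-EsxFirewallServiceXml {
    param(
        [Parameter(Mandatory=$true)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9_-]*$')]   # must match what you pass to esxcfg-firewall -e
        [string]$Id,
        [Parameter(Mandatory=$true)]
        [hashtable[]]$Rules,
        [string]$Comment
    )
    if (-not $Comment) { $Comment = "Firewall configuration information for $Id" }
    $lines = @("<!-- $Comment -->", "<ConfigRoot>", "  <service>", "    <id>$Id</id>")
    $n = 0
    foreach ($r in $Rules) {
        # Refuse anything the ESX firewall would not understand instead of writing a broken file
        if (@("inbound", "outbound") -notcontains $r.Direction) { throw "rule $n: direction must be inbound or outbound" }
        if (@("tcp", "udp") -notcontains $r.Protocol)           { throw "rule $n: protocol must be tcp or udp" }
        $type = if ($r.ContainsKey("Type")) { $r.Type } else { "dst" }
        if (@("dst", "src") -notcontains $type)                 { throw "rule $n: port type must be dst or src" }
        $begin = [int]$r.Begin
        $end   = if ($r.ContainsKey("End")) { [int]$r.End } else { $begin }
        if ($begin -lt 1 -or $end -gt 65535 -or $begin -gt $end) { throw "rule $n: invalid port range $begin-$end" }
        $flags = if ($r.ContainsKey("Flags")) { $r.Flags } else { "-m state --state NEW" }

        $lines += @(
            ('    <rule id="{0:D4}">' -f $n),
            "      <direction>$($r.Direction)</direction>",
            "      <protocol>$($r.Protocol)</protocol>",
            "      <port type=`"$type`">",
            "        <begin>$begin</begin>",
            "        <end>$end</end>",
            "      </port>",
            "      <flags>$flags</flags>",
            "    </rule>"
        )
        $n++
    }
    $lines += @("  </service>", "</ConfigRoot>")
    # LF line endings, because the file ends up on a Linux service console
    return ($lines -join "`n") + "`n"
}

# The two rules from the MgeUPS.xml above, expressed as input to the function
$xml = New-EsxFirewallServiceXml -Id "MgeUPS" -Rules @(
    @{ Direction = "outbound"; Protocol = "tcp"; Begin = 80 },
    @{ Direction = "inbound";  Protocol = "tcp"; Begin = 4679; End = 4680 }
)
# UTF-8 without BOM, so the first bytes of the file are the XML comment and nothing else
$utf8NoBom = New-Object System.Text.UTF8Encoding($false)
[System.IO.File]::WriteAllText((Join-Path $PWD "MgeUPS.xml"), $xml, $utf8NoBom)
# Next: copy MgeUPS.xml to /etc/vmware/firewall/ on the ESX host, then
#   esxcfg-firewall -e MgeUPS && service mgmt-vmware restart
```

Writing the file with LF line endings and without a byte-order mark is deliberate: a file saved from a Windows editor with CRLF and a BOM is the most common reason a hand-made definition does not show up in the VI Client.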