Customisation: Lesson 2 – Service and Firewall Configuration

Following on from my last post in this series, which showed how to configure the NTP time source (Customisation: Lesson 1 – Time Source), let's get straight into it and start configuring more advanced areas.

In this post I will show you how to open some of the firewall ports on your host that various applications and services need in order to talk to our ESX host.

In the last post we set up the NTP server. Now that we have added the time server to our host, a good next step is to start the NTP service, or as the Linux people will know it, the NTP daemon (ntpd).

So, if we use the Get-VMHostService cmdlet, which is part of the VI Toolkit, we can easily start our required service. This cmdlet gives us a list of the services on our host and their current state:

Get-VmHostService -VMHost $VMHost

Key          Label                      Policy     Required  Running
ntpd         NTP Daemon                 automatic  FALSE     FALSE
sshd         SSH Server                 automatic  FALSE     TRUE
vmware-vpxa  VMware VirtualCenter Agent automatic  FALSE     TRUE

We can see the service we are interested in is first on the list, so let's narrow our line of code down to just that service:

Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"}

Now we can use this line to start the service using (you have probably guessed it by now) Start-VMHostService.

Put it all together and our line which starts the NTP Service is below:

Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"} | Start-VMHostService

You should now be able to use this explanation to start any other services which you may need to run.
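To make that reusable for any service, here is an added example (my own helper, not code from the original post or from VMware) that checks the service state first, only starts it when it is not already running, makes sure its startup policy is automatic, and then re-reads the state so you can see what the host actually reports. It assumes you are already connected with Connect-VIServer and that $VMHost holds a host object from Get-VMHost; the function name Ensure-VMHostService and the parameter $ServiceKey are names chosen here. The Set-VMHostService -Policy call is assumed to be available in your toolkit version.

```powershell
# Added example: make sure a named host service is running and set to start
# automatically, then return the state the host reports afterwards.
# Assumes an existing VI Toolkit / PowerCLI session and $VMHost from Get-VMHost.
function Ensure-VMHostService {
    param(
        [Parameter(Mandatory = $true)] $VMHost,      # host object from Get-VMHost
        [Parameter(Mandatory = $true)] [string] $ServiceKey   # e.g. 'ntpd', 'sshd'
    )

    $svc = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq $ServiceKey }
    if (-not $svc) {
        throw "Service '$ServiceKey' not found on host $($VMHost.Name)"
    }

    # Only change things that are not already in the desired state, so the
    # helper is safe to run repeatedly from a build script.
    if (-not $svc.Running) {
        $svc | Start-VMHostService -Confirm:$false | Out-Null
    }
    if ($svc.Policy -ne 'automatic') {
        # Assumption: Set-VMHostService -Policy exists in the toolkit version in use.
        $svc | Set-VMHostService -Policy 'automatic' -Confirm:$false | Out-Null
    }

    # Re-read rather than trusting the object we started with.
    Get-VMHostService -VMHost $VMHost |
        Where-Object { $_.Key -eq $ServiceKey } |
        Select-Object Key, Label, Policy, Running
}

# Usage from the host configuration script:
Ensure-VMHostService -VMHost $VMHost -ServiceKey 'ntpd'
```

The returned object is the evidence you want in a build log: if Running is still FALSE after the call, the start failed (a missing NTP server entry or a blocked firewall rule are the usual reasons at this stage) rather than silently passing.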

Now that our service is running, we also need to allow the traffic through the ESX host firewall: the NTP service will not be able to talk to our NTP server unless we tell our host to let it through.

For this we will use the Get-VMHostFirewallException cmdlet, which returns the firewall configuration: each rule, whether it is enabled, its incoming and outgoing ports and protocols, and whether the corresponding service is running. An extract from the results is below:

Get-VMHostFirewallException -VMHost $VMHost

Name               Enabled  IncomingPorts  OutgoingPorts  Protocols  ServiceRunning
CIM Server         TRUE     5988                          TCP
CIM Secure Server  TRUE     5989                          TCP
CIM SLP            TRUE     427            427            UDP, TCP
LDAP               FALSE                   389            TCP, UDP
LDAPS              FALSE                   636            TCP, UDP
SSH Client         FALSE                   22             TCP
SSH Server         TRUE     22                            TCP        TRUE
updateManager      FALSE                   80, 9000-9100  TCP
VNC Server         FALSE    5900-5964                     TCP

As VMware already ship a rule in the firewall configuration to allow NTP traffic through, this is easy for us: all we need to do is enable it using the Set-VMHostFirewallException cmdlet.

Get-VMHostFirewallException -VMHost $VMHost -Name "NTP Client" | Set-VMHostFirewallException -Enabled:$true

While you are here you may also want to enable other rules, for example so that SNMP can talk to your management agents. SNMP example:

Get-VMHostFirewallException -VMHost $VMHost -Name "SNMP Server" | Set-VMHostFirewallException -Enabled:$true

Now that we have added these extra lines to our host configuration script, the full script looks like this:

Connect-VIServer myviserver

# The host name must be a quoted string (an unquoted bareword would be run as a
# command); resolving it with Get-VMHost gives the host object the -VMHost
# parameters below expect.
$VMHost = Get-VMHost "myhost1.mycompany.com"

# Replace the default local clock reference with the corporate NTP server.
Remove-VMHostNtpServer -VMHost $VMHost -NtpServer 127.127.1.0
Add-VMHostNtpServer -VMHost $VMHost -NtpServer ntp.mycompany.com

# Start the NTP daemon.
Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"} | Start-VMHostService

# Open the firewall for NTP and SNMP (rule names containing spaces must be quoted).
Get-VMHostFirewallException -VMHost $VMHost -Name "NTP Client" | Set-VMHostFirewallException -Enabled:$true
Get-VMHostFirewallException -VMHost $VMHost -Name "SNMP Server" | Set-VMHostFirewallException -Enabled:$true
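Because every rule you enable is a port that stays listening on the management network, it is worth ending the script with a check of what is actually open. The following added example (mine, not code from the original post or from VMware) enables only a named list of rules, warns if a rule name does not exist on the host, and then lists every enabled rule, flagging the ones that were not in the list so you can decide whether a default such as VNC Server or an unused CIM rule should really be left on. It assumes a connected session and $VMHost from Get-VMHost; $RequiredRules is a variable name chosen here.

```powershell
# Added example: enable a fixed list of firewall exceptions, then audit what is open.
# Assumes an existing VI Toolkit / PowerCLI session and $VMHost from Get-VMHost.
$RequiredRules = @('NTP Client', 'SNMP Server')   # rules this host actually needs

foreach ($ruleName in $RequiredRules) {
    $rule = Get-VMHostFirewallException -VMHost $VMHost -Name $ruleName
    if (-not $rule) {
        # A typo in a rule name would otherwise fail silently and leave the port closed.
        Write-Warning "No firewall rule named '$ruleName' on $($VMHost.Name)"
        continue
    }
    if (-not $rule.Enabled) {
        $rule | Set-VMHostFirewallException -Enabled:$true | Out-Null
    }
}

# Audit: every enabled rule, with Expected = $false for anything outside the list.
# Rules VMware enable by default (CIM, SSH Server in the extract above) will show
# as not expected; add them to $RequiredRules if this host genuinely needs them.
Get-VMHostFirewallException -VMHost $VMHost |
    Where-Object { $_.Enabled } |
    Select-Object Name, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning,
        @{ Name = 'Expected'; Expression = { $RequiredRules -contains $_.Name } } |
    Sort-Object Expected, Name |
    Format-Table -AutoSize
```

Running the audit at the end of every build gives you a consistent record per host, and an enabled rule whose ServiceRunning column is FALSE is usually the first candidate for switching back off.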

