Following on from my last post in this series, which showed how to configure the NTP time source (Customisation: Lesson 1 – Time Source), let's get straight into it and start configuring more advanced areas.
In this post I will show you how to open some of the firewall ports on your host that various applications and services need in order to talk to our ESX host.
In the last post we set up the NTP server. Now that the time server has been added to our host, a good next step is to make sure the NTP service is started, or as the Linux types will know it, the NTP daemon (ntpd).
So, if we use the Get-VMHostService cmdlet, which is part of the VI Toolkit, we can easily start our required service. This cmdlet gives us a list of the services on our host and their current state:
Get-VMHostService -VMHost $VMHost
Key         | Label                      | Policy    | Required | Running |
ntpd        | NTP Daemon                 | automatic | FALSE    | FALSE   |
sshd        | SSH Server                 | automatic | FALSE    | TRUE    |
vmware-vpxa | VMware VirtualCenter Agent | automatic | FALSE    | TRUE    |
We can see the service we are interested in first on the list, so let's narrow down our line of code to get just that service:
Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"}
Now we can use this line to start the service using (you have probably guessed it by now) Start-VMHostService.
Put it all together and our line which starts the NTP Service is below:
Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"} | Start-VMHostService
You should now be able to use this explanation to start any other services which you may need to run.
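As an added example (not code from the original post), the following wraps the service check and start into a function that only starts the service when it is actually stopped, re-reads the state afterwards to confirm it really came up, and then reports every service on the host so you can see that nothing is running which you did not intend. It assumes an existing Connect-VIServer session and the Get-VMHostService / Start-VMHostService cmdlets used above; the host name is a placeholder.

```powershell
# Added example, not from the original post. Assumes a connected VI session.

function Start-VMHostServiceIfStopped {
    param(
        [Parameter(Mandatory = $true)] $VMHost,
        [Parameter(Mandatory = $true)] [string] $Key   # e.g. "ntpd"
    )

    $service = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq $Key }
    if (-not $service) {
        throw "Service '$Key' not found on host $VMHost"
    }

    if ($service.Running) {
        Write-Host "$($service.Label) ($Key) is already running"
    } else {
        Write-Host "Starting $($service.Label) ($Key) ..."
        $service | Start-VMHostService -Confirm:$false | Out-Null
    }

    # Re-read the service rather than trusting the object we already had,
    # so a start that silently failed is caught here.
    $after = Get-VMHostService -VMHost $VMHost | Where-Object { $_.Key -eq $Key }
    if (-not $after.Running) {
        throw "Service '$Key' did not start on host $VMHost"
    }
    return $after
}

# List every service with its policy and running state, running ones first,
# so unexpected services stand out during a review of the host.
function Get-VMHostServiceReport {
    param([Parameter(Mandatory = $true)] $VMHost)

    Get-VMHostService -VMHost $VMHost |
        Select-Object Key, Label, Policy, Required, Running |
        Sort-Object Running -Descending
}

$VMHost = "myhost1.mycompany.com"   # placeholder host name
Start-VMHostServiceIfStopped -VMHost $VMHost -Key "ntpd" | Out-Null
Get-VMHostServiceReport -VMHost $VMHost | Format-Table -AutoSize
```

The same function can be pointed at any other key from the Get-VMHostService list; the re-read after the start is the part worth keeping in a configuration script, because a pipeline that simply calls Start-VMHostService gives no indication when the daemon fails to come up.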
Now that our service is running, we also need to allow the traffic through the ESX host firewall; otherwise the NTP service will not be able to talk to our NTP server.
For this we use the Get-VMHostFirewallException cmdlet, which returns the firewall configuration: each rule, its open ports, whether it is enabled, and whether the related service is running. An extract from the results is below:
Get-VMHostFirewallException -VMHost $VMHost
Name              | Enabled | IncomingPorts | OutgoingPorts | Protocols | ServiceRunning |
CIM Server        | TRUE    | 5988          |               | TCP       |                |
CIM Secure Server | TRUE    | 5989          |               | TCP       |                |
CIM SLP           | TRUE    | 427           | 427           | UDP, TCP  |                |
LDAP              | FALSE   | 389           |               | TCP, UDP  |                |
LDAPS             | FALSE   | 636           |               | TCP, UDP  |                |
SSH Client        | FALSE   |               | 22            | TCP       |                |
SSH Server        | TRUE    | 22            |               | TCP       | TRUE           |
updateManager     | FALSE   |               | 80, 9000-9100 | TCP       |                |
VNC Server        | FALSE   | 5900-5964     |               | TCP       |                |
VMware already ship a firewall rule that allows NTP traffic through, which makes things easy for us: all we need to do is enable it using the Set-VMHostFirewallException cmdlet.
Get-VMHostFirewallException -VMHost $VMHost -Name "NTP Client" | Set-VMHostFirewallException -Enabled:$true
While you are here you may also want to enable other rules so that things like SNMP can talk to your management agents etc. SNMP example:
Get-VMHostFirewallException -VMHost $VMHost -Name "SNMP Server" | Set-VMHostFirewallException -Enabled:$true
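As an added example (not code from the original post), the following enables a named list of firewall exceptions in the same way as the lines above, skipping rules that are already enabled or that do not exist, and then reports every enabled rule with a flag showing whether it is on your intended list. Rules that are enabled but not on the list, or enabled with no running service behind them, are the ones worth reviewing. It assumes a connected VI session and the Get-VMHostFirewallException / Set-VMHostFirewallException cmdlets used above; the host name is a placeholder and the rule names are the ones shown in this post.

```powershell
# Added example, not from the original post. Assumes a connected VI session.

function Enable-VMHostFirewallExceptions {
    param(
        [Parameter(Mandatory = $true)] $VMHost,
        [Parameter(Mandatory = $true)] [string[]] $Names   # e.g. "NTP Client", "SNMP Server"
    )

    foreach ($name in $Names) {
        $rule = Get-VMHostFirewallException -VMHost $VMHost -Name $name
        if (-not $rule) {
            Write-Warning "No firewall exception named '$name' on $VMHost"
            continue
        }
        if ($rule.Enabled) {
            Write-Host "'$name' is already enabled"
            continue
        }
        $rule | Set-VMHostFirewallException -Enabled:$true | Out-Null
        Write-Host "Enabled '$name' on $VMHost"
    }
}

# Report every enabled exception. 'Expected' is $true when the rule is on the
# list you passed in, so anything showing $false is open without being asked for.
function Get-VMHostFirewallReport {
    param(
        [Parameter(Mandatory = $true)] $VMHost,
        [string[]] $Expected = @()
    )

    Get-VMHostFirewallException -VMHost $VMHost |
        Where-Object { $_.Enabled } |
        Select-Object Name, IncomingPorts, OutgoingPorts, Protocols, ServiceRunning,
            @{ Name = 'Expected'; Expression = { $Expected -contains $_.Name } }
}

$VMHost   = "myhost1.mycompany.com"          # placeholder host name
$wanted   = @("NTP Client", "SNMP Server")   # rules this host is meant to have open

Enable-VMHostFirewallExceptions -VMHost $VMHost -Names $wanted
$report = Get-VMHostFirewallReport -VMHost $VMHost -Expected $wanted
$report | Format-Table -AutoSize

# Pull out the two cases a reviewer cares about.
$report | Where-Object { -not $_.Expected } |
    ForEach-Object { Write-Warning "Enabled but not on the wanted list: $($_.Name)" }
$report | Where-Object { $_.IncomingPorts -and -not $_.ServiceRunning } |
    ForEach-Object { Write-Warning "Incoming rule open with no running service: $($_.Name)" }
```

The wanted list is deliberately the only thing the script enables; the report is there so that rules which were enabled by hand, or by a default you did not ask for, show up when the script is run rather than staying open unnoticed.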
Now we have added these extra lines to our Host configuration script the full script looks like this:
Connect-VIServer myviserver
$VMHost = "myhost1.mycompany.com"
Remove-VMHostNtpServer -VMHost $VMHost -NtpServer '127.127.1.0'
Add-VMHostNtpServer -VMHost $VMHost -NtpServer 'ntp.mycompany.com'
Get-VMHostService -VMHost $VMHost | Where-Object {$_.Key -eq "ntpd"} | Start-VMHostService
Get-VMHostFirewallException -VMHost $VMHost -Name "NTP Client" | Set-VMHostFirewallException -Enabled:$true
Get-VMHostFirewallException -VMHost $VMHost -Name "SNMP Server" | Set-VMHostFirewallException -Enabled:$true
@Mario Vinet
Thanks Mario, it's always nice to know that people are benefiting from these posts and I'm not blogging to the ether 🙂
Great 2nd lesson. Thanks Mr. the Teacher! 🙂