This is an automated email from the ASF dual-hosted git repository. andrijapanic pushed a commit to branch vnc-ports-on-vsphere-firewall in repository https://gitbox.apache.org/repos/asf/cloudstack-documentation.git
commit ae0aa67ec631a7accabe4e9c1756fc28137886ef Author: Andrija Panic <[email protected]> AuthorDate: Tue Jun 9 22:06:37 2020 +0200 vnc-ports --- source/installguide/hypervisor/vsphere.rst | 65 +++++++++++++++++++++++++----- 1 file changed, 56 insertions(+), 9 deletions(-) diff --git a/source/installguide/hypervisor/vsphere.rst b/source/installguide/hypervisor/vsphere.rst index 4c01b93..8011002 100644 --- a/source/installguide/hypervisor/vsphere.rst +++ b/source/installguide/hypervisor/vsphere.rst 
@@ -339,19 +339,66 @@ port group so that CloudStack can find it: Extend Port Range for CloudStack Console Proxy ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ -(Applies only to VMware vSphere version 4.x) - -You need to extend the range of firewall ports that the console proxy -works with on the hosts. This is to enable the console proxy to work -with VMware-based VMs. The default additional port range is 59000-60000. -To extend the port range, log in to the VMware ESX service console on -each host and run the following commands: +In production environments (large number of VMs), +it's needed to extend the range of firewall ports that the console proxy +works with on the hosts. The default additional port range is 50000-50999 + - see global settings ``vmware.additional.vnc.portrange.size`` + and ``vmware.additional.vnc.portrange.start``. + +Change global setting ``vmware.additional.vnc.portrange.size`` to i.e "10000" and restart the +management-server service on each management server. +Add those additional ports to the ESXi firewall on each host. +Log via SSH to every VMware ESX host and edit file ``/etc/rc.local.d/local.sh`` +by adding the following lines just above the "exit 0" line.: .. parsed-literal:: - esxcfg-firewall -o 59000-60000,tcp,in,vncextras - esxcfg-firewall -o 59000-60000,tcp,out,vncextras + cat <<EOF > /etc/vmware/firewall/vncAdditionalPorts.xml + <ConfigRoot> + <service> + <id>vncAdditionalPorts</id> + <rule id='0000'> + <direction>inbound</direction> + <protocol>tcp</protocol> + <porttype>dst</porttype> + <port> + <begin>51000</begin> + <end>60000</end> + </port> + </rule> + <enabled>true</enabled> + <required>false</required> + </service> + </ConfigRoot> + EOF + esxcli network firewall refresh + +This will ensure the needed firewall rules are applied on boot of ESXi hosts. +Repeat the same commands that were just added to local.sh`` + +.. 
parsed-literal:: + cat <<EOF > /etc/vmware/firewall/vncAdditionalPorts.xml + <ConfigRoot> + <service> + <id>vncAdditionalPorts</id> + <rule id='0000'> + <direction>inbound</direction> + <protocol>tcp</protocol> + <porttype>dst</porttype> + <port> + <begin>51000</begin> + <end>60000</end> + </port> + </rule> + <enabled>true</enabled> + <required>false</required> + </service> + </ConfigRoot> + EOF + esxcli network firewall refresh + +Run the script ``/sbin/auto-backup.sh`` Configure NIC Bonding for vSphere ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
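Review bot: the hard-coded ``<begin>51000</begin>`` and ``<end>60000</end>`` in the added ``vncAdditionalPorts.xml`` rule do not match the settings described just above them. With the stated default start of 50000 and ``vmware.additional.vnc.portrange.size`` set to "10000", the range ends at 59999, so the rule is one port wider than needed. The text also never says that the rule has to be recalculated when ``vmware.additional.vnc.portrange.start`` or the size is set to a different value. Please state how begin and end are derived from the two global settings. The rule also opens the whole range inbound with no source restriction, so a sentence recommending that the ruleset be limited to the networks the console proxy connects from would be worth adding. In the prose, the added line "Repeat the same commands that were just added to local.sh``" ends in an unbalanced inline literal that will not render correctly, and it does not say that the commands are to be run once in the current SSH session so the rule takes effect without a reboot. The second ``parsed-literal`` block then repeats the first verbatim and could be replaced by that one sentence. "Run the script ``/sbin/auto-backup.sh``" gives no reason for the step. Smaller wording points: "to i.e "10000"" should read "e.g.", "Log via SSH" should be "Log in via SSH", and "line.:" has stray punctuation.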
