
Controlling VMware ESXi server from VSphere client via SSH tunnel

Posted on September 9, 2012 by admin

Recently I faced the problem of accessing ESXi servers in a lab network. The lab network topology is shown
below (of course, for this post all IP addresses have been changed from the real ones). As one can see, all access to the
internal lab network goes through a multihomed server running SSH, VNC and NX.

vmware esxi on the firewalled lab network

The problem with controlling ESXi hosts is that the vSphere client can only be installed on a Windows PC, and this lab
had no Windows PCs.

SSH port forwarding to the rescue


I figured – OK, I will try to do dynamic ssh port forwarding, but …

The vSphere client doesn’t seem to support SOCKS proxy settings, which means that I needed to figure out the ports
involved in communication between the vSphere client and the ESXi host and then do ssh local port forwarding.

At this point I had to go to the lab, connect my Windows laptop to the switch and run Wireshark while I was
accessing ESXi hosts via the vSphere client. The Wireshark capture showed that the only ports involved in the communication
on the ESXi side are:

443
902

At this point I left the lab and went back to my desk.

I connected to the SSH server in the lab with the following command:

ssh -L 443:10.0.0.2:443 -L 902:10.0.0.2:902 user@10.1.0.1

Well, actually, since I was on a Windows machine I had to use PuTTY, so my settings were

And I tried to connect via vSphere to 127.0.0.1

vSphere didn’t like that.

The reason is that our forwarded ports are listening on localhost, 127.0.0.1.

But vSphere for some reason resolves 127.0.0.1 to my host name, and then resolves my host name to the IP address of the
Network Interface Card, which is of course not 127.0.0.1.

I found two possible solutions to that.

Solution 1

Updating the Windows hosts file with a bogus host name pointing to 127.0.0.1 fixed this issue.

After that modification I was able to connect to ESXi. Accessing the console of the VMs worked fine too.

Solution 2

We can tell ssh to bind not to localhost but to the IP address of the Network Interface Card.

For example, the IP address of my NIC was 192.168.0.32, so I made the following adjustments in PuTTY

After that I was able to connect just by entering 127.0.0.1 in the vSphere IP address field.
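
Both solutions as OpenSSH command lines, in a small script that only prints the commands and never opens a connection (an added example, not from the original post). It goes beyond the post by accepting several bind=target pairs, one loopback address per ESXi host; `esxi-lab` is a made-up host name, and the other addresses are the post's sample values.

```shell
#!/bin/sh
# Added example: composes (does not run) the ssh command for the tunnel above.

PORTS="443 902"        # ports the post's Wireshark capture found on the ESXi side
JUMP="user@10.1.0.1"   # SSH server in front of the lab network (post's sample value)

# is_loopback ADDR -> status 0 only for a dotted address in 127.0.0.0/8
is_loopback() {
    case "$1" in
        *[!0-9.]*) return 1 ;;   # reject names such as 127.evil.example.com
        127.*.*.*) return 0 ;;
        *)         return 1 ;;
    esac
}

# forward_args BIND TARGET -> "-L BIND:443:TARGET:443 -L BIND:902:TARGET:902"
forward_args() {
    out=""
    for p in $PORTS; do
        out="$out -L $1:$p:$2:$p"
    done
    printf '%s\n' "${out# }"
}

# tunnel_cmd BIND=TARGET... -> full ssh command line.
# Refuses a non-loopback bind unless ALLOW_LAN_BIND=1 is set.
tunnel_cmd() {
    args=""
    for pair in "$@"; do
        bind=${pair%%=*}
        target=${pair#*=}
        if ! is_loopback "$bind" && [ "${ALLOW_LAN_BIND:-0}" != 1 ]; then
            echo "refusing $bind: not loopback, tunnel to $target would listen on the LAN" >&2
            return 1
        fi
        args="$args $(forward_args "$bind" "$target")"
    done
    printf 'ssh -N%s %s\n' "$args" "$JUMP"
}

# hosts_line ADDR NAME -> hosts-file entry for Solution 1
hosts_line() { printf '%s\t%s\n' "$1" "$2"; }

tunnel_cmd 127.0.0.1=10.0.0.2                          # Solution 1: loopback bind
hosts_line 127.0.0.1 esxi-lab                          # plus the bogus host name
( ALLOW_LAN_BIND=1; tunnel_cmd 192.168.0.32=10.0.0.2 ) # Solution 2: NIC bind, explicit opt-in
```

Binding to the NIC address, as in Solution 2, makes the forwarded ESXi ports reachable from every machine that can reach 192.168.0.32, which is why the function allows it only with ALLOW_LAN_BIND=1.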

7 Responses to Controlling VMware ESXi server from VSphere client via SSH tunnel

Jay says:
September 24, 2012 at 1:48 am

How about if I connect to vCenter (10.0.0.1), which manages many ESX servers (10.0.0.2/3)? How do I forward those ESX servers?
I’ve tried, and the console for the ESX servers (10.0.0.2/3) does not work; the popup message is “Failed to connect to server
10.0.0.2:902”

admin says:
September 24, 2012 at 9:09 am

IMHO this will be impossible with local port forwarding, because you will need to forward multiple ESX servers’
ports to the same localhost, and obviously you can’t bind to the same port twice.
Using a SOCKS proxy (via ssh) would be a solution here, but as I wrote, “vSphere client doesn’t support socks”.
So maybe you can try some socksifier library for Windows, which will hopefully allow you to socksify the vSphere client.
For example, this one: http://www.freecap.ru/eng/

Steve says:
February 27, 2014 at 11:14 am

I’m trying the same thing as “Jay” above, and I think, although I haven’t tested yet, that it MIGHT be possible
by using different IP addresses in the loopback network (i.e. 127.0.0.2, 127.0.0.3, etc.) to forward via PuTTY to
the different internal IPs, and then putting the NAMES of the machines in my local hosts file. You will have to
have registered your ESXi hosts with hostnames instead of just IP addresses within your vCenter, because
otherwise I think it will send the internal IP back to your client to connect to the MKS port. If I get it to work,
I’ll try to return here and share my config details, but I wanted to at least post the idea while I was looking at
your page, before I lose the link or forget!!
-Steve

Jakob Staerk says:


March 9, 2016 at 4:16 am

Using 127.0.0.2 works. In putty just set local port to:

127.0.0.2:443

etc.

Björn Langels says:


July 22, 2014 at 2:59 pm

Thanks!
I noted that I had to stop the VMware Converter server from running before connecting via ssh, as the server will occupy localhost:443
and prevent the tunnel from actually being set up for port 443.
After stopping the Converter server it worked like a charm for ESXi 5.5 free.
I forwarded ports 902, 903 and 443 (and 80 and 22 as well, but I don’t think it was necessary)

James Ward says:


September 5, 2014 at 2:24 pm

I have a different problem, but your understanding of port forwarding is deep and may help.

I am on a Mac running OSX Mavericks connecting to a VMWare 5.5 server. I’m using the vSphere Web Client. Port 9443 is
open, so everything works fine until I try to open a console. This uses port 7331 which is blocked. So, I THINK I could make
this work by tunneling port 7331, but can’t for the life of me figure out the right syntax. I have root access to the VMWare
server, but I do not control the firewall(s) in between.

I know this works and suspect it is blocked because I can open consoles on port 7331 on systems inside the same datacenter.

Eugene says:
October 20, 2014 at 8:52 am

Big thanks! It helped me!

