Quick Tip - List all open ports on the VCSA / PSC

The list of required ports for both the vCenter Server Appliance (VCSA) and Platform Services Controller (PSC) is pretty well documented here (6.5), here (6.0) and here (5.5) for customers who need this information to set up external connectivity within their networking infrastructure. Having said that, it may not always be clear which ports are actually open, as that usually depends on the type of deployment and the services that are running. Instead, some customers have asked about getting a list of all open ports directly from the VCSA/PSC so they have the actual configuration, which can then be used to build firewall rules and/or for auditing purposes.

Today, the only method is to log in directly to the VCSA/PSC via SSH (you could also use the GuestOps API, so that SSH is NOT required) and fetch this information using iptables. Hopefully, in the future, this can be made available as part of the VAMI API, since it already covers some basic inbound firewall rule capabilities. In the meantime, below are examples of how to get all the open ports for both the VCSA and PSC.

Run the following command to view all open ports on VCSA/PSC:

iptables -L port_filter -n --line-numbers

You will notice in the output above that there is also a rule number on the far left side (printed by the --line-numbers option) which is associated with each rule. This rule number can be used to inspect the rule further, and some rules include a nice alias to help you identify what the port might be used for.

For example, we can run the following to inspect rule #30 of the port_filter chain and find out that this port is being used for syslog. If we want the numeric port rather than the alias, we simply add the -n option.

iptables -L port_filter 30
iptables -L port_filter 30 -n

Not all of the firewall rules have an alias name, and even if they do, it still may not be apparent which service is opening that particular port. We can look at the firewall rule definitions, which are located under /etc/vmware/appliance/firewall, where you will see a JSON file for each of the VCSA/PSC services that require firewall rules to be opened. For a given port, you can simply grep in this directory to identify the service that requires the port.

For example, if we take a look at vmware-syslog, we see that it requires tcp/udp 514 and tcp 1514 under the "rules" array, which defines the list of external ports to open. You can ignore the internal ports, as those are not exposed to the outside world but are used by internal services. In case the service is still not clear, you can always reference the port number back to the documentation I linked above to get more details about the particular port.
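To tie the two steps together, here is an added example script (not from the original post) that parses the output of iptables -L port_filter -n into a protocol/port list and then greps the JSON definitions under /etc/vmware/appliance/firewall for each port to name the owning service. The iptables output and the JSON files it creates are constructed samples so it runs offline; the real appliance JSON schema may differ.

```shell
#!/bin/sh
# Added example (not from the original post): list open ports from the
# iptables port_filter chain and map each one to the service definition
# that mentions it. Sample data below is constructed; real schema may differ.

FIREWALL_DIR="${FIREWALL_DIR:-/etc/vmware/appliance/firewall}"

# Print "proto port" for every rule with a destination port (reads stdin).
# The first tcp/udp field is the protocol, so --line-numbers is optional.
list_open_ports() {
    awk '/dpt:/ {
        proto = ""; port = ""
        for (i = 1; i <= NF; i++) {
            if (proto == "" && ($i == "tcp" || $i == "udp")) proto = $i
            if ($i ~ /^dpt:/) port = substr($i, 5)
        }
        if (proto != "" && port != "") print proto, port
    }' | sort -u -k1,1 -k2,2n
}

# Name every service definition file that mentions the given port number.
services_for_port() {
    local f
    for f in "$FIREWALL_DIR"/*.json; do
        [ -f "$f" ] || continue
        grep -qw "$1" "$f" && basename "$f" .json
    done
}

# One line per open port with the service(s) that define it.
report() {
    list_open_ports | while read -r proto port; do
        svc="$(services_for_port "$port" | tr '\n' ' ')"
        printf '%s/%s\t%s\n' "$proto" "$port" "${svc:-<no definition found>}"
    done
}

# Constructed sample data standing in for the real appliance.
SAMPLE_IPTABLES='num  target  prot opt source     destination
1    ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:443
30   ACCEPT  udp  --  0.0.0.0/0  0.0.0.0/0  udp dpt:514
31   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:514
32   ACCEPT  tcp  --  0.0.0.0/0  0.0.0.0/0  tcp dpt:1514'
setup_sample_dir() {
    FIREWALL_DIR="$(mktemp -d)"
    echo '{"rules":[{"port":"514","protocol":"tcp"},{"port":"514","protocol":"udp"},{"port":"1514","protocol":"tcp"}]}' > "$FIREWALL_DIR/vmware-syslog.json"
    echo '{"rules":[{"port":"443","protocol":"tcp"}]}' > "$FIREWALL_DIR/sample-https-service.json"
}

# On a real VCSA/PSC run:  iptables -L port_filter -n | report
setup_sample_dir
printf '%s\n' "$SAMPLE_IPTABLES" | report
```

On the appliance itself, drop the sample setup and pipe the live iptables output into report; ports that print "no definition found" are the ones worth checking against the documentation linked above.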

VMware Fusion 2017 Tech Preview adds REST API support

In case you have not heard the news, the VMware Fusion and Workstation team just released their 2017 Tech Preview releases, which you can read more about here and here. A couple of years back, VMware released a slimmed-down desktop hypervisor based on VMware Fusion called AppCatalyst, which was optimized for developers wanting to run Docker containers. Although the feedback for AppCatalyst was positive, the large majority of customers preferred to see the AppCatalyst-specific features, such as the RESTful API, included natively within Fusion rather than having a separate product.

Although it could not be said at the time, the feedback was heard loud and clear, and the plan was to pull the AppCatalyst REST API directly into Fusion. With the Fusion 2017 Tech Preview, you will now be able to interact with your Virtual Machines running on Fusion using the new Fusion REST API, which also includes some additional capabilities that were not available with the AppCatalyst REST APIs, such as network and port forwarding management.

Getting Started

Step 1 - Once you have installed the Fusion 2017 TP release, you will need to start the REST API endpoint, which is provided by /Applications/VMware Fusion Tech Preview.app/Contents/Public/vmrest. You can just type vmrest and it should start automatically, or if you prefer to run it in the background, type the following:

vmrest &

Here is a screenshot of starting the Fusion REST API endpoint:

Note: The default port for the REST API is 8697


Native OVF support for Fusion/Workstation 2017 Tech Preview

The VMware Fusion and Workstation team just released their 2017 Tech Preview releases, and there are a ton of new and awesome capabilities which you can read more about here and here. One of the exciting new features, which I was very fortunate to have been involved with, is finally here: native OVF property support! Although customers have had the ability to import OVF/OVAs for some time now, if they included OVF properties, those properties would be ignored, and oftentimes this would result in a failed deployment, as those properties are required for the initial setup.

A great example of this is trying to run the vCenter Server Appliance (VCSA) on either Fusion or Workstation. Today, the only workaround is to manually edit the VMX file and supply the correct OVF properties, which I have blogged about here. With the latest TP release of Fusion/Workstation, when you import an OVF/OVA that contains OVF properties, the UI will automatically render the required information directly in the UI without users needing to manually touch the VMX files.

Here is a screenshot of deploying the latest VCSA 6.5d OVA (jump to bottom for some additional VCSA tidbits when deploying to Fusion/Workstation):


Visualizing live network traffic on the vCenter Server Appliance using net-glimpse

Last week I came across a really interesting OSS project called net-glimpse which allows you to easily visualize your network traffic in real time and makes it available through any standard web browser. I thought it would be neat to see what this might look like running on the vCenter Server Appliance (VCSA). I got it up and running in just a couple of minutes and even shared the results on Twitter, as you can see from the tweet below:

I had a couple of folks ask about the setup, and I figured I would post a quick write-up. While looking at the project, I found that net-glimpse includes quite a bit of customization in the colors, data collection and how data is displayed. Specifically, rather than relying only on the well-known ports that are already pre-defined, you can add custom ports and specify the label that should automatically be used for them. This gave me an idea: instead of a generic visualization of the VCSA, we could get specific service information and have those labels automatically displayed.


VMware 2017 Cycling Kit

I know many of you have reached out over the years and have expressed interest in the VMware Cycling Kits which I have written about here & here. In fact, I still get pinged about this topic every couple of months, even though the last time we ran an order was back in 2014! Obviously, the demand is still high, and who can blame you, the kits look freaking amazing 🙂

Earlier this week, I was pleasantly surprised to learn that we were working on a new 2017 VMware Cycling Kit! Kasey Linden, who works in our Federal team was leading this effort and was gauging interests internally. I was definitely interested and I had also suggested that we open this up to the general public as historically it was kept internal for logistical purposes. Not only did Kasey love the idea, but he plans to have the cycling kits available directly on the VMware Merchandise Store for anyone to purchase, which is huge if you ask me!

As of right now, the designs are currently being worked on with the vendor and once that has been approved, it will go live on the VMware Store.

Here is a quick timeline for those interested in looking to grab a cycling kit this year:
