Publish VMware vSphere client with TMG 2010
There are situations in small environments when you need to access your ESX/ESXi server from the internet, for troubleshooting or just to create or restart a virtual machine. I bet that’s a piece of cake for some of you, but what if you have a TMG server as a firewall? Well, things are not so easy any more, but they are not complicated either. If you have a situation like this, where a TMG 2010 server acts as a firewall for you or for some of your clients, and you want to access an ESX/ESXi server from the internet, then you have come to the right place.
In this lab the TMG server is not joined to the domain, but even if it were, the steps would be the same. To be able to connect and use the VMware vSphere console from the outside we need to open/forward three ports on our TMG server: 443 (for the security certificate), 902 (for authentication) and 903 (for the VM console). For a full list of VMware ports go here. Now, open your TMG console and click the Firewall Policy object. On the Actions pane click the link Publish Non-Web Server Protocols.
On the first screen of the wizard we need to type a name for the rule.
Here, type the IP address of your ESX server, then click Next. This is for the TMG server to know where to forward the incoming traffic.
Since HTTPS on port 443 is a standard security protocol, it is predefined in the protocol list of the TMG server. From the drop-down list select HTTPS Server and click Next.
Since we are connecting from the internet, select External, so the TMG server will listen on that interface for the 443 traffic.
On the Summary page just click Finish to create the rule.
We are not done yet. I said we need to open three ports, so again, click the link Publish Non-Web Server Protocols in the Actions pane. This time we are opening port 902 for authentication. Give the rule a name and click Next.
Type the ESX server IP address and continue.
Since this protocol is not predefined in the TMG server we need to create it, so click the New button to start the New Protocol Definition Wizard. Give the protocol a name and continue.
On the Primary Connection Information page click the New button to start creating the ports, direction and protocols.
Here, on Protocol Type select TCP, and since the connection is coming from outside to inside, on the Direction option select Inbound. In the Port Range boxes type 902 and click OK to close the window.
Back to the Primary Connection Information page click Next to continue.
Here just go with the defaults, because we don’t need secondary connections.
On the Summary screen click Finish to create the protocol.
The new protocol is automatically selected for us in the New Server Publishing Rule Wizard. Click Next to continue.
Here select the External network,
and on the Summary screen click Finish to create the rule.
Don’t forget to click the Apply button on the TMG server, to save the configuration changes.
Now we can connect to our ESX server from the internet using a FQDN or the external IP address. If your certificate is not trusted (the default ESX certificate is self-signed) you will get a warning; just ignore it.
You might be thinking, what about the third port? Yes, we’ll get to that in the following section, because if we don’t, we can’t open a console to our virtual machines. In the vSphere client console right-click a virtual machine and choose Open Console.
As you can see the connection fails, because port 903 is closed.
If we take a look in the TMG logs the connection is denied for the specified port.
Now let’s open this port so we can use the virtual machine console. Again, in TMG click the link Publish Non-Web Server Protocols on the Actions pane. Give the rule a name and continue.
Type the IP address of the ESX server.
Since this protocol definition is not specified, we need to create it. Click the New button.
Give the new protocol definition a name then click Next.
On the Connection Information page click the New button.
Select TCP on the Protocol Type, and Inbound on the Direction list. Type 903 in the port range boxes.
Now finish the New Protocol Definition Wizard using the default settings.
Back on the New Server Publishing Rule page click Next to continue.
Here select the External listener.
Click Finish on the Summary screen to create the rule.
Again, don’t forget to click the TMG Apply button to save the changes.
Now let’s open a virtual machine console to see if it works. And we have success: no more MKS error.
If we look in the TMG logs we can see the connection is allowed.
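To confirm the three publishing rules from the outside without opening the vSphere client, here is an added check script (not part of the original post). It tries a TCP connection to each of the ports the article publishes and reports which vSphere function would fail; the host name is an assumption you replace with your TMG external address or FQDN.

```python
import socket
import sys

# The three ports published in the article and what each one carries.
VSPHERE_PORTS = {
    443: "HTTPS: vSphere client login and SSL certificate",
    902: "authentication between the vSphere client and the host",
    903: "virtual machine console (MKS)",
}


def check_port(host, port, timeout=3.0):
    """Return True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable: all count as blocked
        return False


def probe_vsphere_ports(host, timeout=3.0):
    """Probe every published port once and return {port: reachable}."""
    return {port: check_port(host, port, timeout) for port in VSPHERE_PORTS}


def summarize(results):
    """Translate reachability into the symptom the article describes."""
    lines = [f"{p:>4} {'open' if results.get(p) else 'BLOCKED':<8} {why}"
             for p, why in VSPHERE_PORTS.items()]
    if not (results.get(443) and results.get(902)):
        lines.append("The vSphere client cannot log in: check the TMG rules for 443 and 902.")
    elif not results.get(903):
        lines.append("Login works, but Open Console will fail: add a TMG rule for TCP 903.")
    else:
        lines.append("All three ports reachable: login and VM console should work.")
    return lines


def demo_local():
    """Offline self-check: an ephemeral local listener is open, then closed."""
    with socket.socket() as listener:
        listener.bind(("127.0.0.1", 0))
        listener.listen(1)
        port = listener.getsockname()[1]
        while_open = check_port("127.0.0.1", port)
    after_close = check_port("127.0.0.1", port)  # connection refused
    return while_open, after_close


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "tmg.example.com"  # placeholder
    print("\n".join(summarize(probe_vsphere_ports(target))))
```

Run it from a machine on the internet side of the TMG server; a "BLOCKED" line for 903 alone reproduces the failed Open Console from the article.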