Several questions arise when using a cellular Internet connection: Do you have enough bandwidth? Which ports do you need to open on your firewall? Is it possible to use cellular Internet to manage a VMware infrastructure remotely?
Remotely managing VMware infrastructure
No matter where you are, the ideal way to manage a VMware infrastructure remotely involves using a VPN connection to that infrastructure and connecting to it over a high-speed Internet connection. I have done this many times, and it enables you to work as fast as the Internet connection allows (often times, free Wi-Fi Internet connections run slowly because many users are accessing the connection at once).
Managing VMware ESX over a private WAN
A new VMware admin asked me about managing VMware Infrastructure 3 (VI3) over a WAN. The answer depends on the WAN's bandwidth. That said, the VMware Communities forum has posts from admins who have managed ESX over a 56 K dial-up connection (for details, see
But what about when you don't have access to a private WAN or high-speed Internet?
Managing VMware Infrastructure through an Internet firewall
I could probably devote an entire article to this subject but thisVMware Communities diagram depicts what you need to know about VMware network communications. Here is what it looks like:
For our purposes, the most important takeaways from this diagram are the following:
- To manage vCenter, you need only HTTPS or port 443.
- To remotely control a VM guest machine through the firewall with the VMware Remote Console, you need to open ports 902 and 903 to that specific ESX host.
While you shouldn't configure an enterprise network this way, let me explain how I configured my home lab and how this information is used.
I wanted to try to use cellular Internet to to remotely manage my home VMware Infrastructure 3 lab. My options included using a VPN, using a Secure Shell (SSH) connection to an ESX host, using a remote desktop service like GoToMyPC or LogMeIn to get to my home computer and then manage the VI3 from there, among others.
In the end, I decided to configure a single dynamic IP address router to perform port forwarding to the internal LAN. Thus, I configured my dynamic Internet IP address to port forward 443 (HTTPS) to my vCenter Server, on port 443. In order to use the VMware Remote Console, I had to port forward – that is, forward a network port from one network node to another -- TCP ports 902 and 903 to one of my ESX host (you want to use the host that supports the VM guest that you want to use the remote console on).
To get the remote console to function, I had to edit the host virtual machine's file on my local Vista PC so that the internal domain name server (DNS) hostname for the ESX host that I wanted to connect to (for the remote console) resolved to the single public IP address of my home router.
Thus, if I connected to the vCenter server using IP 188.8.131.52 (for example), and the remote console connection to a VM guest on my ESX host named "ESX5" would resolve to the same IP address. Both IP addresses would be port-forwarded and go through a network address translation to the proper internal vCenter server and ESX host as needed.
Managing VMware ESX over a cellular Internet connection
I have a Verizon Wireless 3G cellular USB adapter. I disconnected from my home wireless network and connected to my cellular data network.
My bandwidth varied but was usually registered as 640 Kbps. Wireless, unlike a private WAN or high speed Internet, has very high latency (delay). I was concerned that this delay would cause the VI client to malfunction.
So did it work? Yes. I was able to manage vCenter with just a slight delay. As you can see from the image below, there were only minor "blips" on the utilization of bandwidth when I performed typical vCenter management tasks.
I did, however, encounter an issue when I tried to use the VI Client remote console. At first, it wouldn't work until I could fool the DNS resolution, as I mentioned previously. I can use only the remote console on the ESX server that I configured on my Internet router. Once I got it working, I could connect to my guest VM using the VMware remote console. The bandwidth utilization immediately shot up to 100% cellular Internet utilization. I could barely use the VMware Remote Console. Even with a lot of patience, I am not even sure that I could make use of it if needed.
Other cellular data options
As for other cellular data options for infrastructure management, I was able to use Remote Desktop Protocol (RDP) on my Apple iPhone over the cellular Internet network to a home PC and perform remote control. The performance was great. I could have even run the VI Client. I have also used Andrew Kutz's Virtualization Manager Mobile (VMM) to manage VI3 from my iPhone as well.
I recently bought a CradlePoint CTR350 Mobile Broadband router. This allows me to connect a network of computers to the Internet over the cellular network using the same Verizon wireless cellular Internet connection that I used above. It could be used on the client side so that I can connect my laptop to it using 802.11g wireless for Internet-based VI management, or I could connect it to my VI3 network for cellular management of that infrastructure if a high-speed Internet connection at the data center went down.
Share your experience
There are so many ways to remotely manage a VI3 and so many network connectivity options. I am not so naïve to say that the method I discussed here is the best option. I welcome your stories on how you manage VI3 remotely over private WAN, Internet and cellular networks. Email your stories to the editor and we'll send you a free TrainSignal VMware ESX training course if you're one of the first 20 respondents (U.S. only).
ABOUT THE AUTHOR: David Davis (CCIE #9369, VCP, CWNA, MCSE, CISSP, Linux+, CEH) is the director of infrastructure at Train Signal Inc. He has written hundreds of articles and six video training courses, including the Train Signal VMware ESX Server video training series. His websites are Happy Router.com and VMwareVideos.com.
This was first published in March 2009