The ability to connect to a virtual machine using a VNC client has been available since the early days of VMware GSX as described by this VMware KB article. The required .vmx configuration can also be applied to virtual machines running on ESX(i), but is not officially supported by VMware. With ESXi 5, this continues to work but there is one additional caveat users should to be aware of, which is the new firewall that has been introduced in ESXi 5.
In addition to the three .vmx configurations:
- RemoteDisplay.vnc.enabled = [true|false]
- RemoteDisplay.vnc.port = [port #]
- RemoteDisplay.vnc.password = [optional]
Users need to also enable the ports selected for each virtual machine on the ESXi firewall. Here is an example of a firewall rule that needs to be created:
Take a look at this blog post for details on configuring custom firewall rules including persisting the custom rules upon a system reboot.
Here are a few screenshots of configuring the .vmx configurations and using a VNC client to connect to the powered on virtual machine.
Only the first two .vmx configurations are required, if you do not set a password, anyone can connect to the virtual machine as long as they know the hostname/IP Address of your ESX(i) host and port.
To connect to a specific virtual machine, you will specify the hostname/IP Address of the ESX(i) host and port for the given virtual machine. If you set a password, you will need to also provide that before you can connect.
Please be aware of the limitations and security concerns of using VNC. VMware Remote Console or standard RDP/SSH should still be considered for virtual machine remote access.
Emanuel says
hmm I just found out that if you don't care about opening up heaps of ports (e.g. at home or labs or just for testing) then you can enable a pre-existing firewall rule called "VM serial port connected over network" which basically just opens all TCP ports above 1024 or so.
Flohack says
Just to note that not all VNC clients seem to support the correct encoding. RealVNC failed during connect with some unknown encoding erros in the vmware.log file of the corresponding VM, while TightVNC was fine with hextile encoding.
Anonymous says
I copy/pasted the above XML, refreshed the firewall ruleset, but 'vnc' didn't not show up in the list. The cause is that the first line doesn't match the last one (because ESXi is case sensitive)! If you change the first line to then 'vnc' will show up as expected.
Anonymous says
That should've read "change the first line to 'ConfigRoot'" - I suspect the site interpreted my angle brackets as HTML code and stripped it out. 😉
Alexandros says
Very nice How-To!
Adwait says
How does VNC to a VM managed by vCenter work?
What I observed was that for VNC console, we still need to connect to the underlying : and not the : .
Annoying part is to enable firewall rule on each individual ESXi host managed by the vCenter
Adwait says
The text in the brackets was filtered in the above question.
How does VNC to a VM managed by vCenter work?
What I observed was that for VNC console, we still need to connect to the underlying ESXi_HOST: DISPLAY_PORT and not the vCENTER_HOST : DISPLAY_PORT .
Annoying part is to enable firewall rule on each individual ESXi host managed by the vCenter
Andrew says
Thanks for your work, your site is extremely useful. I just wanted to mention that it looks like the firewall rules mentioned don't seem to be listed here. Did they get stripped out at some point?
Thanks again!
Jan says
I just want to mention that the KB article link is broken.