Pre-ESXi 8.0 Update 1, if you needed to modify the default ESXi HTTP(s) Reverse Proxy Ports, you would simply edit the HTTP reverse proxy configuration file, which I have previously blogged about HERE (pre-ESXi 8.0) and HERE (ESXi 8.0).
For ESXi 8.0 Update 1, the process is slightly different, as all ESXi configurations, including configuration files, have been completely migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1 and which you can learn more about HERE and HERE.
While most users stick with the system defaults with port 80 (HTTP) and port 443 (HTTPS), I know there are some organizations that require these ports to be changed to meet certain internal compliance requirements. Below are the updated instructions for modifying the ESXi HTTP(s) Reverse Proxy Ports when using ESXi 8.0 Update 1 or later.
Disclaimer: VMware does not officially support modifying the default HTTP/HTTPS ports on an ESXi host.
Step 1 - SSH to the ESXi host and run the following command with the desired HTTP(s) port values:
# write (not append) so that a second run does not leave two JSON documents in the file
cat > proxy.json << __PROXY__
{
    "proxy": {
        "http_port": 8080,
        "https_port": 8443
    }
}
__PROXY__
Step 2 - Run the following command and provide the proxy.json file to update the proxy properties:
configstorecli config current set -c esx -g services -k rhttpproxy -infile proxy.json
Step 3 (Optional) - If the command was successful, we can also verify the settings by running the following command:
configstorecli config current get -c esx -g services -k rhttpproxy
Step 4 - Restart the ESXi Reverse Proxy service for the change to go into effect:
/etc/init.d/rhttpproxy restart
Step 5 - Since we are no longer using the default HTTP(s) Reverse Proxy ports for ESXi, the new ports are blocked by the ESXi firewall by default, so we need to update the ESXi firewall configuration.
Run the following commands, replacing the HTTP(s) port values with your own; they create the required configuration file and reload the ESXi firewall:
cat > /etc/vmware/firewall/custom-rhttpproxy <<EOF
<ConfigRoot>
  <service>
    <id>custom-rhttpproxy</id>
    <rule id='0000'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>8443</port>
    </rule>
    <rule id='0001'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>8080</port>
    </rule>
    <rule id='0002'>
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>src</porttype>
      <port>8080</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>
EOF
localcli network firewall refresh
Note: The ESXi firewall does not preserve custom port rules across a reboot, so to keep these settings you can either add this command to /etc/rc.local.d/local.sh or create a custom VIB that bundles the ESXi configuration file as shown in this blog post HERE.
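As an added example (not code from the original post), the following POSIX sh functions generate both the proxy.json document from Step 1 and the custom-rhttpproxy rule file from Step 5 from a single pair of port values, after checking that they are valid and distinct TCP ports, so the two files cannot disagree; the file names and the configstorecli/localcli commands are the ones from the steps above, and apply_rhttpproxy_ports() is assumed to run only on an ESXi 8.0 Update 1 host.

```shell
#!/bin/sh
# Added example (not from the original post): build proxy.json (Step 1) and the
# custom-rhttpproxy firewall rule file (Step 5) from one pair of ports, validated
# first, so the two cannot drift apart. Only apply_rhttpproxy_ports() touches an
# ESXi host; the generator functions run anywhere.

# valid_port NUM: succeeds when NUM is an integer in 1..65535
valid_port() {
  case "$1" in
    ''|*[!0-9]*) return 1 ;;
  esac
  [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# check_ports HTTP HTTPS: both valid and distinct (one port cannot serve both)
check_ports() {
  valid_port "$1" && valid_port "$2" && [ "$1" -ne "$2" ]
}

# proxy_json HTTP HTTPS: the document handed to configstorecli (Step 1)
proxy_json() {
  printf '{ "proxy": { "http_port": %s, "https_port": %s } }\n' "$1" "$2"
}

# firewall_rule ID DIRECTION PORTTYPE PORT: one <rule> element on a single line
firewall_rule() {
  printf "    <rule id='%s'><direction>%s</direction><protocol>tcp</protocol><porttype>%s</porttype><port>%s</port></rule>\n" "$1" "$2" "$3" "$4"
}

# firewall_xml HTTP HTTPS: the rule file from Step 5 (dst HTTPS, dst HTTP, src HTTP)
firewall_xml() {
  printf '<ConfigRoot>\n  <service>\n    <id>custom-rhttpproxy</id>\n'
  firewall_rule 0000 inbound dst "$2"
  firewall_rule 0001 inbound dst "$1"
  firewall_rule 0002 inbound src "$1"
  printf '    <enabled>true</enabled>\n    <required>false</required>\n  </service>\n</ConfigRoot>\n'
}

# apply_rhttpproxy_ports HTTP HTTPS: Steps 1-5 on an ESXi host. Files are written
# with ">" rather than appended, so a rerun never leaves two JSON documents in proxy.json.
apply_rhttpproxy_ports() {
  check_ports "$1" "$2" || { echo "invalid port pair: $1 $2" >&2; return 1; }
  proxy_json "$1" "$2" > proxy.json
  configstorecli config current set -c esx -g services -k rhttpproxy -infile proxy.json || return 1
  /etc/init.d/rhttpproxy restart
  firewall_xml "$1" "$2" > /etc/vmware/firewall/custom-rhttpproxy
  localcli network firewall refresh
}
```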
Finally, we can connect to our ESXi host using the new ports to verify that everything was configured correctly, for example by accessing the ESXi Host Client or using PowerCLI to connect on port 8443, as demonstrated in the screenshot below. When adding an ESXi host with these modified ports to vCenter Server, you will need to append the HTTPS port number (:8443) to the IP Address/Hostname of the host, as vCenter Server defaults to using port 443.
One caveat to be aware of, which I had run into back in the day but was not able to figure out at the time, is that when attempting to run ESXCLI locally within the ESXi Shell, the following error is thrown:
IO error: [Errno 111] Connection refused
I recently learned that ESXCLI assumes the default HTTP port (since it is running locally), and if you want it to function as before, you will need to set an additional environment variable so that it knows which port to use.
Run the following command, replacing the IP Address of your ESXi host and the configured HTTP port:
export VI_URL=http://192.168.30.174:8080/sdk/webService
Now, when you run ESXCLI, it will connect properly, but as you may have noticed in the screenshot, it also prompts for credentials.
This is currently expected, and you can either type in the root password manually or set another environment variable that contains the root password if you do not wish to be prompted.
export VI_PASSWORD=VMware1!
While this is not ideal, since the root password is then stored in clear text on the host, you can add these two environment variable definitions to /etc/profile.local, which is read automatically when you log on. This way, you can run ESXCLI without any additional prompts.
Thomas Chung says
Excellent Article! Thank you so much!
I was able to create an SSL cert and set up port forwarding to a local ESXi host with port 8443.
Leon says
What if the second command came back with the error below when providing the proxy.json file to update the proxy properties: Error: Extra data: line 8 column 1 (char 74)?
wuwu says
After I modified the port according to your document, the new port could be used normally. However, after I restarted the system, custom-rhttpproxy and proxy.json disappeared and I had to create them again. I wrote them to /etc/rc.local.d/local.sh, but it seems that this script has expired and cannot be executed automatically at boot. I manually executed /etc/rc.local.d/local.sh and it runs normally. I would like to ask what I should do. How can I use the new port after booting?
wuwu says
Sorry, it has been solved. The local.sh script is available, but the port recovery takes a long time.
Etienne says
Thank you William, it works like a charm.
For step 5, if I may: the script will not be run when UEFI Secure Boot is enabled.
Matty says
Is it possible to change the SSH port on ESXi 8+?