This post shows how to configure SSH to start automatically on ESXi hosts. This is done with a PowerCLI script that also hides the shell warning message and configures the ESXi firewall to allow connections only from specific IP addresses.
You first have to know where you can change the ESXi firewall settings. Here are the steps:
- go to the configuration tab
- select the security profile
- select the rule you want to change and click on the firewall
- select the option “Only allow connections from the following networks” and add the IP address or IP range you want to allow.
Below is the script that performs these changes; you only have to change the $cluster and $ip variables. Copy the script into your PowerCLI session and run it.

```powershell
$cluster = "<clusterName>"
$ip = "192.168.1.1"

foreach ($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort-Object Name)) {
    Write-Host "Configuring SSH on host: $($vmHost.Name)" -ForegroundColor Yellow

    # Set the SSH service (TSM-SSH) startup policy to "on" if it is not already
    if ((Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }).Policy -ne "on") {
        Write-Host "Setting SSH service policy to automatic on $($vmHost.Name)"
        Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" } | Set-VMHostService -Policy "On" -Confirm:$false -ErrorAction Stop | Out-Null
    }

    # Start the SSH service if it is not running
    if ((Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }).Running -ne $true) {
        Write-Host "Starting SSH service on $($vmHost.Name)"
        Start-VMHostService -HostService (Get-VMHost $vmHost | Get-VMHostService | Where-Object { $_.Key -eq "TSM-SSH" }) | Out-Null
    }

    # Restrict the sshServer firewall ruleset to $ip, but only if it currently allows all addresses
    $esxcli = Get-EsxCli -VMHost $vmHost
    if ($null -ne $esxcli) {
        if (($esxcli.network.firewall.ruleset.allowedip.list("sshServer") | Select-Object AllowedIPAddresses).AllowedIPAddresses -eq "All") {
            Write-Host "Changing the sshServer firewall configuration"
            # Arguments: allowedAll = $false, enabled = $true, ruleset id
            $esxcli.network.firewall.ruleset.set($false, $true, "sshServer")
            $esxcli.network.firewall.ruleset.allowedip.add("$ip", "sshServer")
            $esxcli.network.firewall.refresh()
        }
    }

    # Suppress the shell warning message shown for the host
    if (($vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" }).Value -ne "1") {
        Write-Host "Suppress the SSH warning message"
        $vmHost | Get-AdvancedSetting | Where-Object { $_.Name -eq "UserVars.SuppressShellWarning" } | Set-AdvancedSetting -Value "1" -Confirm:$false | Out-Null
    }
}
```
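The script is very handy: it checks whether the SSH service is running and changes the setting only if necessary. The same goes for the firewall configuration and for the part that suppresses the shell warning message. Note that the firewall is changed only when the sshServer ruleset currently allows all IP addresses; a ruleset that is already restricted to other addresses is left as it is.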
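To confirm the result after the script has run, the following read-only audit reports the same three settings per host and flags any host whose sshServer ruleset is still open to all addresses or is restricted without the expected address. It is an added example, not part of the original post; it assumes an existing Connect-VIServer session, and `$expectedIp`, `$report` and the `FirewallState` labels are names introduced here for illustration.

```powershell
# Added example: read-only audit of the settings changed by the script above.
# Assumes an existing Connect-VIServer session; both values below are placeholders.
$cluster    = "<clusterName>"
$expectedIp = "192.168.1.1"

$report = foreach ($vmHost in (Get-Cluster $cluster | Get-VMHost | Sort-Object Name)) {
    $ssh = Get-VMHostService -VMHost $vmHost | Where-Object { $_.Key -eq "TSM-SSH" }

    # Same Get-EsxCli interface as the script above
    $esxcli  = Get-EsxCli -VMHost $vmHost
    $allowed = @(($esxcli.network.firewall.ruleset.allowedip.list("sshServer")).AllowedIPAddresses)

    $warning = Get-AdvancedSetting -Entity $vmHost -Name "UserVars.SuppressShellWarning"

    # Classify the firewall state. The third case is the one the script does not
    # touch: a ruleset already restricted, but not to $expectedIp.
    # The comparison is an exact string match, so a range entry will not match a single address.
    $firewallState = if ($allowed -contains "All") {
        "OpenToAll"
    } elseif ($allowed -contains $expectedIp) {
        "Restricted"
    } else {
        "RestrictedWithoutExpectedIp"
    }

    [pscustomobject]@{
        Host          = $vmHost.Name
        SshPolicy     = $ssh.Policy
        SshRunning    = $ssh.Running
        AllowedIPs    = $allowed -join ", "
        FirewallState = $firewallState
        WarningHidden = ($warning.Value -eq 1)
    }
}

# Full report, then only the hosts whose SSH firewall rule needs attention
$report | Format-Table -AutoSize
$report | Where-Object { $_.FirewallState -ne "Restricted" } | Format-Table Host, AllowedIPs, FirewallState -AutoSize
```

The audit makes no changes to the hosts, so it can be re-run at any time to detect drift from the intended configuration.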