Firewall requirements for EMC VSI 6.1 for vSphere Web Client

As you might have read on my blog a few days ago, EMC released an updated version of the Virtual Storage Integrator tool for vSphere Web Client that supports direct provisioning and some management of VNX and VMAX storage. The previous version supported ViPR-only provisioning. If you didn’t see that post you can check it out here. Inevitably, when a product involves cross-application and, importantly, cross-server integration, many customers ask what the firewall requirements are to get it working. Let’s take a look.

I am going to focus on the new features of VSI 6.1 for this post, so that means the requirements for direct provisioning from a VNX or VMAX array and the proper deployment and configuration of VSI itself.

The first thing you need to understand is how the pieces fit together and the flow of information and control. Whether you use VNX or VMAX there are three pieces to this jigsaw puzzle:

  1. VSI Virtual Appliance which I will call SIS (for Storage Integration Service)
  2. vCenter
  3. Storage array/provisioning controller

Now for the flow of communication. It starts with SIS–you log into the vApp to push the VSI plugin to vCenter, which will in turn appear in the vSphere Web Client. The SIS vApp does this by communicating with vCenter over TCP port 443. Once registered, you then log in to the Web Client to configure the plugin with the SIS connection information. The VSI plugin inside vCenter communicates back to SIS on port 8443. Next you add a storage array to the VSI plugin. This initiates a cascading connection:

  1. VSI Web Client to SIS over port 8443
  2. SIS to storage array controller; the exact port depends on the array.

The port required from SIS to the target depends on what you are provisioning:

  • VMAX: From SIS to SMI-S Provider (installed anywhere) over TCP port 5988
  • VNX File: From SIS to VNX control station over TCP port 22
  • VNX File (DHSM requests): From SIS to VNX data mover over TCP port 5080
  • VNX Block: From SIS to VNX storage processor over TCP port 443

So there are two things to glean from this. First, the VSI web client NEVER directly contacts the storage management interfaces–it only needs to be able to talk to SIS. The SIS (VSI vApp) is the intermediary for all of the communication, registration, provisioning and user access control. Secondly, for the VMAX, VSI 6.1 currently supports only non-SSL communication to SMI-S over port 5988. It does not currently support SSL over port 5989 or non-default ports configured on SMI-S (this is as far as I know–I have not found a workaround yet).

If you check the product guide you may notice that some of this information is not there and some of it is slightly wrong. The guide states that these ports need to be open between vCenter and the storage controllers, but as I have noted here it is actually between SIS and the storage controllers. The documentation is going to be corrected and a KB article is being written as well to explain the requirements.
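The flows above can be turned into a check against a planned firewall rule list. The following is an added example, not part of the original post or of VSI: the role names, the array-type keys and the sample rules are labels constructed for illustration, while the ports and directions come from the lists above.

```python
# Required TCP flows as (source, destination, port), taken from the post.
# Role names are labels chosen for this example, not product identifiers.
BASE_FLOWS = {("SIS", "vCenter", 443), ("vCenter", "SIS", 8443)}
ARRAY_FLOWS = {
    "vmax": {("SIS", "SMI-S Provider", 5988)},
    "vnx-file": {("SIS", "VNX control station", 22)},
    "vnx-file-dhsm": {("SIS", "VNX data mover", 5080)},
    "vnx-block": {("SIS", "VNX storage processor", 443)},
}

def required_flows(array_types):
    """Return the allow rules needed for the given array types."""
    flows = set(BASE_FLOWS)
    for array_type in array_types:
        flows |= ARRAY_FLOWS[array_type]
    return flows

def audit(rules, array_types):
    """Compare planned allow rules with what VSI 6.1 needs."""
    rules = set(rules)
    array_targets = {(dst, port)
                     for flows in ARRAY_FLOWS.values()
                     for _, dst, port in flows}
    return {
        # Flows VSI needs that no rule permits.
        "missing": sorted(required_flows(array_types) - rules),
        # Array management ports opened from something other than SIS,
        # e.g. vCenter as the product guide states. Not needed: only SIS
        # talks to the storage controllers.
        "wrong_source": sorted(r for r in rules
                               if r[0] != "SIS" and (r[1], r[2]) in array_targets),
        # SMI-S on anything but 5988 (such as SSL on 5989) is not
        # supported by VSI 6.1 according to the post.
        "unsupported": sorted(r for r in rules
                              if r[1] == "SMI-S Provider" and r[2] != 5988),
    }

# Constructed sample: a rule set written from the product guide's wording.
SAMPLE_RULES = [
    ("SIS", "vCenter", 443),
    ("vCenter", "SIS", 8443),
    ("vCenter", "VNX storage processor", 443),
    ("SIS", "SMI-S Provider", 5989),
]

if __name__ == "__main__":
    for finding, flows in audit(SAMPLE_RULES, ["vmax", "vnx-block"]).items():
        print(finding, flows)
```

Rules reported under `wrong_source` can be dropped from the change request, which keeps the array management interfaces reachable from SIS only.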

Let me know if I missed something or you have any questions!
