Pure Storage Plugin for the vSphere Web Client Firewall Requirements

This is a question that has come up quite often, and I have blogged about it for several different products in the past: what firewall rules do I need to create to install and use the Pure Storage Plugin for the vSphere Web Client? Luckily this is fairly simple. For instructions on installing and using the Web Client plugin, check out these posts here and here.

When you go to install the plugin from the array GUI and you see the following error, it could very well be a network error:

[Screenshot: firewall error]

It can of course also be what it says (wrong host name or bad credentials), but it might be that a firewall rule (or lack thereof) is blocking it. To allow this you need to add one rule: TCP to target port 443 on the vCenter server must be opened from the primary controller of the FlashArray (ct0.eth0). Regardless of whether you logged into the array using the virtual IP or the IP of the secondary controller, the FlashArray will push the plugin out to the Web Client using this IP address/Ethernet port. Furthermore, this is kind of a one-time requirement. It is only needed when you install, upgrade or remove the plugin; it is not required for standard functioning of the plugin once it has been installed.

There is a port that needs to be opened for continued functioning of the plugin, though, and it is essentially the reverse…kinda. You need to create a rule that allows TCP access to target port 443 on the FlashArray, but not necessarily on the primary controller. Whichever IP you plan to use to register the array in the Web Client (or whatever IP the FQDN you plan to use resolves to) is the IP that you need to allow access to. So if you use the virtual IP, create a rule to the virtual IP; if you use the controller 1 IP, make it for the controller 1 IP. This rule needs to persist for as long as the plugin is in use.

I highly recommend you always register arrays using the virtual IP. This provides resiliency if a controller goes down, whether because of a failure or just for the short moments during a code upgrade.

So to review:

Let’s say my vCenter IP is 192.168.1.10, my FlashArray primary controller eth0 is 192.168.1.25 and my virtual IP is 192.168.1.30.

Prior to installing, upgrading or uninstalling the plugin, open:

TCP Port 443 on the vCenter Server from the FlashArray Primary Controller

This rule would look like:

Open Target TCP Port 443 on target IP of 192.168.1.10 from source IP of 192.168.1.25

Prior to using the plugin from within the Web Client, open:

TCP Port 443 on the IP that will be used to register the array in the Web Client from the vCenter Server.

If I registered the array using my virtual IP, this rule would look like:

Open Target TCP Port 443 on target IP of 192.168.1.30 from source IP of 192.168.1.10
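The two rules above written as a default-deny allow-list, as an added example (not code from the original post or from Pure Storage). It uses the sample addresses from the review; the rule names and function names are made up for illustration, and `tcp_reachable` is a plain TCP connect check meant to be run from the source side of a rule.

```python
import socket
from dataclasses import dataclass
from ipaddress import ip_address

# Sample addresses from the review above; substitute your own.
VCENTER, CT0_ETH0, VIRTUAL_IP = "192.168.1.10", "192.168.1.25", "192.168.1.30"

@dataclass(frozen=True)
class Rule:
    name: str   # illustrative label, not a vendor identifier
    src: str
    dst: str
    port: int = 443

def required_rules(registered_ip, lifecycle_window):
    """Allow-list for the plugin. lifecycle_window is True only while the
    plugin is being installed, upgraded or removed from the array GUI."""
    for ip in (registered_ip, VCENTER, CT0_ETH0):
        ip_address(ip)  # raises ValueError on a malformed address
    # Persistent rule: vCenter -> whichever array IP was used to register.
    rules = [Rule("plugin-runtime", VCENTER, registered_ip)]
    if lifecycle_window:
        # The push always comes from ct0.eth0, whichever IP you logged in to.
        rules.append(Rule("plugin-push", CT0_ETH0, VCENTER))
    return rules

def permitted_by(rules, src, dst, port):
    """Default deny: return the name of the matching rule, or None."""
    for r in rules:
        if (r.src, r.dst, r.port) == (src, dst, port):
            return r.name
    return None

def tcp_reachable(host, port=443, timeout=3.0):
    """Run on the source side of a rule, e.g. on vCenter for plugin-runtime."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

if __name__ == "__main__":
    steady = required_rules(VIRTUAL_IP, lifecycle_window=False)
    install = required_rules(VIRTUAL_IP, lifecycle_window=True)
    flows = [(CT0_ETH0, VCENTER, 443), (VCENTER, VIRTUAL_IP, 443),
             (VCENTER, CT0_ETH0, 443), (VIRTUAL_IP, VCENTER, 443)]
    for f in flows:
        print(f, "install:", permitted_by(install, *f),
              "steady:", permitted_by(steady, *f))
```

With the array registered by virtual IP, only vCenter to 192.168.1.30 is permitted in steady state; the ct0.eth0 to vCenter rule appears only during the install/upgrade/remove window, so it can be closed again afterwards.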

[Figure: firewall diagram]

 
