Hello all! Here is another answer to a vShield question that has made a few people, yours truly included, go "Hmmm…": the protocols and paths for the moving parts behind vShield management. Knowing these is critical for a vShield deployment, so here's the lowdown.
The brains of the solution is the vShield Manager. It can be managed through the vSphere Client or its own web client. SSH access can be enabled on the vShield Manager or the vShield App virtual appliance, but it is not enabled by default.
vShield Manager, as the central point of control, handles the bulk of the management communications for vShield. The actual gory protocol details are shown in the table below.
| Source | Target | Protocol | Port | Application | Default enabled |
|---|---|---|---|---|---|
| Web console | vShield Manager | TCP | 80, 443 | HTTP (1), HTTPS | Yes |
| SSH client | vShield Manager | TCP | 22 | SSH | No |
| vShield App appliance | vShield Manager | UDP | 123 | NTP | Yes |
| vShield Manager | vShield App appliance | TCP | 22 | SSH | Yes |
| vShield Manager | ESXi host | TCP | 902 | Xinetd / vmware-authd (2, 3) | Yes |
| vShield Manager | ESXi host | TCP | 903 | Xinetd / vmware-authd-mks (2, 3) | Yes |
| vSphere Client | vCenter Server | TCP | 443 | HTTPS | Yes |
| vShield Manager | vCenter Server | TCP | 443 | HTTPS | Yes |
| SSH client | vShield App appliance | TCP | 22 | SSH | No |
Footnotes
1. The default non-secure TCP port 80 access is secure as it redirects to an HTTPS landing page (port 443).
2. Encrypted with key exchange.
3. Hidden user.
4. At deployment the key is pushed from vShield Manager to the vShield App appliance.
5. Downloading and uploading files, such as flow monitoring files, from the appliance to vShield Manager is done over the ESXi host's local link, 127.0.0.1.
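As an added example (not from the original post), here is a small Python audit that encodes the matrix above and checks which of the TCP ports are actually listening. The hostnames are placeholders, the probe runs from wherever the script is executed (so run the Manager-sourced rows from the vShield Manager itself), and the UDP NTP row is reported as skipped because a TCP connect cannot verify it.

```python
import socket

# Flows from the table above: (source, target, proto, port, default enabled).
# Hostnames are placeholders; substitute the real addresses of your deployment.
FLOWS = [
    ("web-console",     "vshield-manager", "tcp", 80,  True),
    ("web-console",     "vshield-manager", "tcp", 443, True),
    ("ssh-client",      "vshield-manager", "tcp", 22,  False),
    ("vshield-app",     "vshield-manager", "udp", 123, True),
    ("vshield-manager", "vshield-app",     "tcp", 22,  True),
    ("vshield-manager", "esxi-host",       "tcp", 902, True),
    ("vshield-manager", "esxi-host",       "tcp", 903, True),
    ("vsphere-client",  "vcenter",         "tcp", 443, True),
    ("vshield-manager", "vcenter",         "tcp", 443, True),
    ("ssh-client",      "vshield-app",     "tcp", 22,  False),
]

def tcp_probe(host, port, timeout=2.0):
    """True if a TCP connect to host:port succeeds, i.e. something is listening."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def audit(flows, probe=tcp_probe):
    """Compare the matrix with what is reachable from this host. Returns rows that are
    missing (default-on but closed), unexpected (default-off but open), shared (default-off
    but the port is required by another row) or skipped (UDP, not verifiable by connect)."""
    required = {(dst, port) for _, dst, proto, port, on in flows if proto == "tcp" and on}
    result = {"missing": [], "unexpected": [], "shared": [], "skipped": []}
    for src, dst, proto, port, default_on in flows:
        row = (src, dst, proto, port)
        if proto != "tcp":
            result["skipped"].append(row)
            continue
        reachable = probe(dst, port)
        if default_on and not reachable:
            result["missing"].append(row)
        elif not default_on and reachable:
            # Port 22 on the App appliance is open for the Manager's key-based SSH
            # (table row 4), so a bare connect cannot prove that client SSH is on.
            result["shared" if (dst, port) in required else "unexpected"].append(row)
    return result

if __name__ == "__main__":
    for kind, rows in audit(FLOWS).items():
        for row in rows:
            print(f"{kind:10} {row[0]} -> {row[1]} {row[2]}/{row[3]}")
```

Rows reported as shared need a check of the appliance's own SSH settings rather than a port scan, since the open port is expected for the Manager.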

At least I have not seen it anywhere. How do we back up firewall rules? Does a vShield Manager backup mean the vShield App/Edge rules are backed up?