Hello all! Here is another answer to a vShield question that has made a few people, including yours truly, go "Hmmm…": the protocols and paths for the moving parts behind vShield management. Knowing this is critical for deploying vShield. Here's the lowdown…


The brains of the solution is the vShield Manager. vShield Manager can be managed through the vSphere Client or its own web client. SSH access can be enabled to the vShield Manager or the vShield App virtual appliance, but it is not enabled by default.

vShield Manager, as the central point of control, handles the bulk of management communications for vShield. The actual gory protocol details are shown in the table below 😉

| Source | Target | Protocol | Port | Application | Default enabled |
|---|---|---|---|---|---|
| Web console | vShield Manager | TCP | 80, 443 | HTTP [1], HTTPS | Yes |
| SSH client | vShield Manager | TCP | 22 | SSH | No |
| vShield App Appliance | vShield Manager | UDP | 123 | NTP | Yes |
| vShield Manager | vShield App Appliance | TCP | 22 | SSH | Yes |
| vShield Manager | ESXi host | TCP | 902 | Xinetd / vmware-authd [2][3] | Yes |
| vShield Manager | ESXi host | TCP | 903 | Xinetd / vmware-authd-mks [2][3] | Yes |
| vSphere Client | vCenter Server | TCP | 443 | HTTPS | Yes |
| vShield Manager | vCenter Server | TCP | 443 | HTTPS | Yes |
| SSH client | vShield App Appliance | TCP | 22 | SSH | No |

Footnotes

1. The default non-secure TCP port 80 access is secure as it redirects to an HTTPS landing page (port 443).

2. Management traffic from the appliance to vShield Manager, such as health checks done with CORBA, is port forwarded over the SSH tunnel.

3. CORBA over SSH
  • Encrypted with key exchange
  • Hidden user
  • At deployment the key is pushed from vShield Manager to the vShield App appliance.
  • Downloading and uploading files, such as flow monitoring files from the appliance to vShield Manager, is done over the ESXi host local link, 127.0.0.1.
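One practical use of the table above is as a baseline: a node should be listening only on what the matrix documents for it, and a row marked "Default enabled: No" (the SSH listeners) should show up only where someone deliberately turned it on. The script below is an added example written for this post, not VMware's code or a vShield tool; it transcribes the table into a data structure, derives each target's expected listeners and allow rules, and audits a listener snapshot against them. The snapshot `SAMPLE_OBSERVED` is constructed sample data (including the stray TCP/8443 listener), not a real capture, and the port 80/443 row is split into two entries so each port can be checked on its own.

```python
"""Audit a vShield management node's listeners against the documented port matrix.

MATRIX is transcribed from the table in this post. SAMPLE_OBSERVED is a
constructed snapshot (as you might get from `netstat`/`ss` on the node),
not a real capture.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    source: str
    target: str
    proto: str
    port: int
    app: str
    default_enabled: bool


# Transcribed from the post's table; the "80, 443" row becomes two flows.
MATRIX = [
    Flow("Web console", "vShield Manager", "TCP", 80, "HTTP", True),
    Flow("Web console", "vShield Manager", "TCP", 443, "HTTPS", True),
    Flow("SSH client", "vShield Manager", "TCP", 22, "SSH", False),
    Flow("vShield App Appliance", "vShield Manager", "UDP", 123, "NTP", True),
    Flow("vShield Manager", "vShield App Appliance", "TCP", 22, "SSH", True),
    Flow("vShield Manager", "ESXi host", "TCP", 902, "Xinetd / vmware-authd", True),
    Flow("vShield Manager", "ESXi host", "TCP", 903, "Xinetd / vmware-authd-mks", True),
    Flow("vSphere Client", "vCenter Server", "TCP", 443, "HTTPS", True),
    Flow("vShield Manager", "vCenter Server", "TCP", 443, "HTTPS", True),
    Flow("SSH client", "vShield App Appliance", "TCP", 22, "SSH", False),
]


def expected_listeners(target, include_disabled=False):
    """(proto, port) pairs the target node should accept.

    By default only rows marked 'Default enabled: Yes' count; pass
    include_disabled=True to also get the optional (SSH) listeners.
    """
    return {
        (f.proto, f.port)
        for f in MATRIX
        if f.target == target and (f.default_enabled or include_disabled)
    }


def allow_rules(target):
    """Render one generic allow rule per documented flow into the target.

    Rules are sorted so the output is stable and easy to diff against a
    firewall policy. Optional flows are tagged so reviewers see them.
    """
    rules = []
    for f in MATRIX:
        if f.target != target:
            continue
        tag = "" if f.default_enabled else "  # optional, off by default"
        rules.append(f"allow {f.proto}/{f.port} from '{f.source}' to '{f.target}' ({f.app}){tag}")
    return sorted(rules)


def audit(target, observed):
    """Compare an observed (proto, port) listener set with the documented matrix.

    Returns three sets:
      unexpected  - listening but not documented for this target at all
      optional_on - documented as 'Default enabled: No' yet found listening
      missing     - documented as default-enabled but not listening
    """
    defaults = expected_listeners(target)
    documented = expected_listeners(target, include_disabled=True)
    observed = set(observed)
    return {
        "unexpected": observed - documented,
        "optional_on": observed & (documented - defaults),
        "missing": defaults - observed,
    }


# Constructed snapshot of a vShield Manager: SSH has been switched on, and
# an undocumented TCP/8443 listener is present. Not taken from a real system.
SAMPLE_OBSERVED = {("TCP", 80), ("TCP", 443), ("TCP", 22), ("UDP", 123), ("TCP", 8443)}


if __name__ == "__main__":
    for line in allow_rules("vShield Manager"):
        print(line)
    result = audit("vShield Manager", SAMPLE_OBSERVED)
    for kind, ports in result.items():
        print(f"{kind:12s}: {sorted(ports) or '-'}")
```

Running it on the constructed snapshot reports TCP/8443 as unexpected and TCP/22 as an optional listener that is on, with nothing missing. An empty "unexpected" set and an "optional_on" set you can account for is what you want to see after deployment; anything else is either a firewall rule to add or a listener to explain.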