VMware Update Manager on vSphere – Check the Firewall!

Yesterday I noticed something strange while updating a VI3 environment to vSphere with Update Manager 4.0
The update of update manager went fine as well as the creation of new baselines.

Whenever I remediated a Host, the Host went into maintenance mode and the remediate process hangs on 33%. This same behaviour occured when I first staged the updates towards the ESX Host. Checking the network performance chart I noticed a spike in performance and after that nothing else happened. Checking the log files I noticed several timeouts while transferring the packages towards the ESX Host.

After doing some further research I noticed something that was completely new for me: The “VMware Update Manager” option in the Security Profile (Firewall) of the ESX 4.0 Host:

vsphere 
 This is mentioned in the Update Manager Manual:

Server port (range: 9000–9100) Listening port for the Web server that provides access to the plug-in client installer, and provides access to the patch depot for ESX/ESXi hosts.
Update Manager automatically opens ESX/ESXi firewall ports in this range to allow outbound HTTP traffic to the patch store. Listening port for the Web server that provides access to the plug-in client.

While checking VI3.5 environment I noticed that ESX3.5 also has a profile for “updateManager” which I never ever used before. (and which isn’t even enabled on the VI3 environment on where Update Manager just works fine)

Update Manager on ESX3.5
   
  Conclusions:

– I needed to I enabled the “VMware Update Manager”-service in the ESX 4.0 firewall for the Update Manager to work!

– Apparently the Update Manager didn’t automatically opened the ESX firewall ports as stated in the manual.

– Apparently this firewall setting isn’t required on ESX 3.5 (and isn’t automatically opened as well)

Leave a comment

3 Comments

  1. Markus Siegl-Hahm

     /  December 1, 2009

    Thank you very much for this helpful hint.

    really crazy but now it works

  2. dkraut

     /  October 26, 2010

    Thank you for this info. This was about the 15th hurdle I hit tonight while trying to upgrade a few hosts. I was about to take a bat to my system, but you prevented that! 🙂 BTW, important to note that simply enabling this under Config / Security was not enough. Also required canceling the existing staging process, which was stuck at 33%. After restarting the process, voilà! it worked… Cheers!

  1. VMware Update Manager on vSphere – Check the Firewall! « VirtualKenneth's Blog

Leave a Reply

%d bloggers like this: