Changing the SSH Port on the ESXi server for Cyber-Ark Integration!!

In one of my recent implementations, I got a request from a client to change the default SSH port on the ESXi server from port 22 to port 63022.
This was a requirement because they have a password management system from Cyber-Ark which stores and resets the root and other user passwords on the ESXi server for security reasons. Cyber-Ark works with any Unix or Linux operating system over the SSH port. Since ESXi also uses SSH for remote access, we had to integrate Cyber-Ark with the ESXi server over SSH. Cyber-Ark uses SSH, but in this environment the integration happens on port 63022 rather than 22.
Let's see how I went about changing the SSH port to 63022 and made it persistent across ESXi reboots.
We need to update the configuration in two locations for this to work:
a) /etc/vmware/firewall/ – In this location we place a new firewall rule for the SSH port, which we define manually. This is done by creating an XML file and saving it in this location. Here are the contents of the XML file:
<ConfigRoot>
  <service id="0000">
    <id>SSH 63022</id>
    <rule id="0000">
      <direction>inbound</direction>
      <protocol>tcp</protocol>
      <porttype>dst</porttype>
      <port>63022</port>
    </rule>
    <enabled>true</enabled>
    <required>false</required>
  </service>
</ConfigRoot>

For ease we will call this file ssh63022.xml.
We need to refresh the firewall policies after placing this file in that location on the ESXi server. Here is the command we will be using:
# esxcli network firewall refresh

b) /etc/services – The second change is to create a new services file in which the SSH port is defined as 63022 instead of 22. Copy this file from its default location to a SAN datastore and then edit it with the new port information. Here is how you can do it:
# cp /etc/services /vmfs/volumes/EMC-SANLUN-01/ssh
I have created a folder named ssh on my SAN datastore EMC-SANLUN-01. The command above copies the services file to that EMC SAN VMFS datastore, which is visible to all hosts in the cluster.
Now let's check that the file is there:
~ # cd /vmfs/volumes/EMC-SANLUN-01/ssh
/vmfs/volumes/50f5e6fd-6fa36a6c-8339-000c29c4df2b/ssh # ls -ltrh
-rw-r--r-T    1 root     root        20.3k Jan 16 00:16 services

Now that we have a copy of the services file, let's edit it to change the SSH port. Run the following command:

/vmfs/volumes/50f5e6fd-6fa36a6c-8339-000c29c4df2b/ssh # vi services
Locate the ssh port setting (the lines that map ssh to port 22), as shown in the screenshot below:
Now edit the file and change port 22 to 63022, as shown below:
Save the file and run the following command to replace the original file with the edited copy:
~ # cp /vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services
This changes the default SSH port from 22 to 63022 once inetd re-reads the file (the rc.local script further down sends it a HUP for exactly this reason).
To keep this setting across reboots, these two steps must be performed every time the ESXi server boots. Running them manually is not practical, so a better way is to automate them with the rc.local file, which runs simple scripts on the ESXi server during start-up.
Just as with the services file, copy the ssh63022.xml we created in step a) to /vmfs/volumes/EMC-SANLUN-01/ssh as well. You can use the Datastore Browser in the vSphere Client or a utility such as WinSCP. See screenshot below:
Now that both files are on a shared datastore, update the rc.local file to copy them to their respective locations every time the server reboots. Add the following entry to rc.local:
Note – rc.local is located in the /etc directory.
Edit the file and add the following script:
#Copy the new firewall rule from vmfs place holder to file system
cp /vmfs/volumes/EMC-SANLUN-01/ssh/ssh63022.xml /etc/vmware/firewall/
#refresh firewall rules
esxcli network firewall refresh
#Copy the modified services file from vmfs place holder to file system
cp /vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services
#Restart inetd to get the changes
kill -HUP `cat /var/run/inetd.pid`

Run the following command to edit the file:
~ # vi /etc/rc.local
See screenshot below:


Lastly, save the file and reboot the ESXi host. SSH now listens on port 63022 and you can integrate with Cyber-Ark.
Hope this helps you change ESXi default ports for third-party software integration when needed.
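As an added example (not from the original post), here is a small POSIX sh script that replaces the manual vi edit with a sed rewrite and verifies the staged copy before it is allowed to replace /etc/services, so a mistyped edit never reaches the host. Source path, destination path and port are parameters; the optional pid-file argument is assumed to be inetd's, as in the rc.local script above.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes only POSIX sh, sed
# and grep, all of which the ESXi busybox shell provides.

# set_ssh_port SRC DST PORT
# Write DST as a copy of SRC with every leading "ssh <n>/tcp|udp" entry
# repointed to PORT, then verify the result.
set_ssh_port() {
    src=$1 dst=$2 port=$3
    case $port in
        ''|*[!0-9]*) echo "set_ssh_port: '$port' is not a number" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "set_ssh_port: $port is out of range" >&2; return 1
    fi
    # BRE so it runs on busybox sed as well as GNU sed; '#' is the delimiter
    # because the pattern itself contains '/'.
    sed "s#^\(ssh[[:space:]]\{1,\}\)[0-9]\{1,\}/#\1${port}/#" "$src" > "$dst" || return 1
    ssh_port_is "$dst" "$port"
}

# ssh_port_is FILE PORT
# Succeed only if FILE maps ssh to PORT/tcp and has no ssh/tcp line on any other port.
ssh_port_is() {
    file=$1 port=$2
    grep "^ssh[[:space:]]\{1,\}${port}/tcp" "$file" >/dev/null || return 1
    if grep "^ssh[[:space:]]\{1,\}[0-9]\{1,\}/tcp" "$file" \
        | grep -v "[[:space:]]${port}/tcp" >/dev/null; then
        return 1   # a stale ssh line on another port is still present
    fi
    return 0
}

# install_services STAGED TARGET PORT [PIDFILE]
# The rc.local copy step from the post, guarded: TARGET is replaced only if
# STAGED verifies, and inetd is signalled only when its pid file exists.
install_services() {
    staged=$1 target=$2 port=$3 pidfile=${4:-/var/run/inetd.pid}
    ssh_port_is "$staged" "$port" || {
        echo "install_services: refusing to install unverified $staged" >&2; return 1; }
    cp "$staged" "$target" || return 1
    if [ -r "$pidfile" ]; then
        kill -HUP "$(cat "$pidfile")"
    fi
    return 0
}
```

On the host the rc.local lines would become `set_ssh_port /etc/services /vmfs/volumes/EMC-SANLUN-01/ssh/services 63022 && install_services /vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services 63022`, which fails closed instead of copying a broken file.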

Published by Sunny Dua

Sunny Dua works as a Senior Product Line Manager for VMware’s Cloud Management business. His charter is to deliver Multi-Cloud solutions to reduce cloud complexity by leveraging data analytics and artificial intelligence. His 16+ years of experience include technical and strategic roles for Hewlett Packard, Capgemini, and VMware. He is a hands-on Product Manager with deep knowledge of Cloud and Enterprise technologies. His current charter includes driving product strategy and roadmap for VMware’s vRealize portfolio within the VMware’s Multi-Cloud strategy.
