Changing the SSH Port on the ESXi server for Cyber-Ark Integration!!

In one of my recent implementation, I got a request from a client to change the default SSH Port on the ESXi server from Port 22 to Port 63022.
This was a requirement since they have a password management system from Cyber-Ark which would store and reset the root and other user passwords on the ESXi server for security reasons. Cyber-Ark works with any Unix or Linux operating system by using the SSH port. Since ESXi also uses SSH for remote access, we had to integrate Cyber-Ark on SSH port with the ESXi server. Cyber-Ark uses SSH however the integration happens on port 63022 for SSH.
Let’s see how I went about changing the SSH Port to 63022 sand made it consistent across ESXi reboots.
We would need to update this configuration in 2 locations for this to work:-
a) /etc/vmware/firewall/ – In this location we would have to place a new firewall rule for SSH port which me manually define. This would be done by creating an XML file which would be saved in this location. Here are the contents if the xml file:-
SSH 63022

For ease we will call this file ssh63022.xml
We would need to refresh the firewall policies after placing this file in the given location on the ESXi server. Here is the command which will be using:-
#esxcli network firewall refresh

b) /etc/services – The second change would be to create a new services file where we can define the SSH port as 63022 instead of 22. For this we would need to create a new services file. You can copy this file from the default location and place it on a SAN Data-store and then edit it with the new port information. Here is how you can do it:-
# cp /etc/services /vmfs/volumes/EMC-SANLUN-01/ssh
I have created a folder names SSH on my SAN Datastore EMC-SANLUN-01. Then, I am copying the services file to my EMC SAN VMFS datastore which is visible to all my hosts in the cluster. 
Now lets check if the file has moved there:-
~ # cd /vmfs/volumes/EMC-SANLUN-01/ssh
/vmfs/volumes/50f5e6fd-6fa36a6c-8339-000c29c4df2b/ssh # ls -ltrh
-rw-r–r-T    1 root     root        20.3k Jan 16 00:16 services

Now that we have a copy of the services file, lets edit it to change the ssh port. Run the following command:-

/vmfs/volumes/50f5e6fd-6fa36a6c-8339-000c29c4df2b/ssh # vi services
Locate the ssh port setting as shown in the screenshot below:-
Now edit this file and change the port 22 to 63022 as shown below:-
Save the change on this file and run the following command to replace the original file with this file.
~ # cp vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services
This will change the default ssh port from 22 to 63022.
Now to make it consistent across the reboots, it is important that you perform these 2 steps every time the ESXi server reboots. It is not practical to run these steps manually, hence a better way would be to automate this using the rc.local file which can run simple scripts on the ESXi server during start-up.
Similar to services file in the following location – /vmfs/volumes/EMC-SANLUN-01/ssh, copy the ssh63022.xml which we created in STEP A to this location as well. You can use Datastore Browser on vSphere Client or a utility such as winscp. See screenshot below:-
Now that you have both the files in a shared datastore, update the rc.local file to copy these files to the respective locations everytime the server reboots. You would need to make the following entry in the rc.local file:-
Note – rc.local is located in /etc directory.
Edit the file and update it with the following script:-
#Copy the new firewall rule from vmfs place holder to file system
cp /vmfs/volumes/EMC-SANLUN-01/ssh/ssh63022.xml /etc/vmware/firewall/
#refresh firewall rules
esxcli network firewall refresh
#Copy the modified services file from vmfs place holder to file system
cp /vmfs/volumes/EMC-SANLUN-01/ssh/services /etc/services
#Restart inetd to get the changes
kill -HUP `cat /var/run/`

See screenshot below:-
Run the following command:-
~ # vi /etc/rc.local

Lastly, save this file and Reboot the ESXi host. Now you would have the SSH port set to 63022 and you can easily integrate with Cyber-Ark.
Hope this helps you to make changes to ESXi default ports for 3rd party software integration if needed.

Published by Sunny Dua

Product Management Leader with 18 years of experience with Digital Transformation, Application Modernization, Artificial Intelligence, Machine Learning, Business Observability and AIOps. Led large product portfolios at VMware and now at AppDynamics. Passionate about defining vision, strategy and executing on complex product roadmaps to build successful and innovative products. A Stanford Graduate School of Business LEADer with interests in the field of Critical & Analytical Thinking, Strategic leadership and Design Thinking.

2 thoughts on “Changing the SSH Port on the ESXi server for Cyber-Ark Integration!!

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: