This topic describes how to configure your firewall and how to verify that component VMs correctly resolve DNS entries behind your firewall.

Configure Your Firewall

VMware Tanzu Operations Manager (Ops Manager) and VMware Tanzu Application Service for VMs (TAS for VMs) require the following open TCP ports:

  • 25555: Routes from Ops Manager VM to the BOSH Director.
  • 443: If configured, routes to your own load balancer.
  • 80: If configured, routes to your own load balancer.
  • 8844: Routes from Ops Manager VM to BOSH CredHub.
  • 8443: Routes from Ops Manager VM to BOSH Director UAA.
  • 6868: Routes to the BOSH Agent.
  • 2222: Necessary for using App SSH. For more information, see the TAS for VMs documentation.
  • 25595: Routes from the Traffic Controller to the BOSH Director, to enable sending BOSH health metrics to the Firehose.
  • For vSphere only: Ops Manager requires that the NSX firewall does not block these routes. All communication between Ops Manager VMs and vCenter or ESXi hosts is routed through the NSX firewall and is blocked by default. For more information about which ports to allow, see VMware Ports and Protocols for vSphere.

If you want to use an external NTP server, UDP port 123 must be open.

For more information about required ports for additional installed products, see Routing Network Communications.

Example: Configure Firewall with iptables

The following example procedure uses iptables commands to configure a firewall.

Note: GATEWAY_EXTERNAL_IP is a placeholder. Replace this value with your PUBLIC_IP.

  1. Open /etc/sysctl.conf, a file that contains configurations for Linux kernel settings, by running:

    sudo vi /etc/sysctl.conf
  2. Add the line net.ipv4.ip_forward=1 to /etc/sysctl.conf and save the file.

  3. To remove all existing filtering or Network Address Translation (NAT) rules, run:

    iptables --flush
    iptables --flush -t nat
  4. Add environment variables to use when creating the IP rules by running the following, filling in each value (GATEWAY_INTERNAL_IP is the gateway's address on the internal interface and is used by the SNAT rules in the next step):

    export GATEWAY_EXTERNAL_IP=
    export GATEWAY_INTERNAL_IP=
    export VMWARETANZU_IP=
    export LOAD_BALANCER_IP=
  5. To configure IP rules for the specified chains, run:

    • FORWARD:

      iptables -A FORWARD -i eth1 -j ACCEPT
      iptables -A FORWARD -o eth1 -j ACCEPT

      # A rule has exactly one target, so SNAT and MASQUERADE must be separate rules.
      # The SNAT rules rewrite the source of HTTP and HTTPS traffic passed on to the
      # internal network to the gateway's internal address (this assumes eth1 is the
      # internal interface, as the FORWARD rules above do). They come before the
      # MASQUERADE rule so that the more specific match is evaluated first.
      iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 80 -j SNAT --to-source $GATEWAY_INTERNAL_IP
      iptables -t nat -A POSTROUTING -o eth1 -p tcp --dport 443 -j SNAT --to-source $GATEWAY_INTERNAL_IP
      iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE

      # Forward traffic addressed to the gateway's public IP to the Ops Manager VM
      # (BOSH Director, port 25555) or to the load balancer (HTTP and HTTPS).
      iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 25555 \
          -j DNAT --to-destination $VMWARETANZU_IP
      iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 443 \
          -j DNAT --to-destination $LOAD_BALANCER_IP
      iptables -t nat -A PREROUTING -d $GATEWAY_EXTERNAL_IP -p tcp --dport 80 \
          -j DNAT --to-destination $LOAD_BALANCER_IP
      # Map alternate external ports arriving on eth0 to internal host:port pairs.
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8443 -j DNAT \
          --to-destination $VMWARETANZU_IP:443
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT \
          --to-destination $LOAD_BALANCER_IP:80
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8022 -j DNAT \
          --to-destination $VMWARETANZU_IP:22
      iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 8080 -j DNAT \
          --to-destination $VMWARETANZU_IP:80
  6. Save the iptables by running:

    service iptables save

For more information about administering IP tables with iptables, see the iptables documentation.
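The procedure above applies rules one command at a time, so an empty placeholder variable leaves the chain half-built and rules can be typed in an order where the broad MASQUERADE match shadows the specific ones. The following script is an added example, not from the VMware documentation: it generates the same DNAT rule set from the port mappings above, refuses to run while any placeholder is empty, and adds a default-deny FORWARD policy with matching accept rules. It assumes eth0 is the external interface and eth1 the internal one, as the documentation's example does.

```shell
#!/bin/sh
# Added example (not from the VMware docs): emit the rule set from the procedure
# above so it can be reviewed before it is applied. Assumes eth0 is the external
# interface and eth1 the internal one; the *_IP values are operator-supplied placeholders.

# Fail closed if a placeholder is empty: an empty $VMWARETANZU_IP would otherwise
# turn "--to-destination $VMWARETANZU_IP:443" into "--to-destination :443", iptables
# would reject that one rule, and the chain would be left half-built.
require_vars() {
    for name in "$@"; do
        eval "value=\${$name:-}"
        [ -n "$value" ] || { echo "error: $name is empty" >&2; return 1; }
    done
}

# Print the rules to stdout; pipe into "sudo sh" to apply them.
tanzu_fw_rules() {
    require_vars GATEWAY_EXTERNAL_IP VMWARETANZU_IP LOAD_BALANCER_IP || return 1
    # Default-deny forwarding; allow replies to connections the gateway already tracks,
    # and allow the internal network out (as the docs' FORWARD -i eth1 rule does).
    echo "iptables -P FORWARD DROP"
    echo "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    echo "iptables -A FORWARD -i eth1 -o eth0 -j ACCEPT"
    # Outbound traffic is masqueraded by one rule; MASQUERADE and SNAT are distinct
    # targets and cannot be combined in a single iptables command.
    echo "iptables -t nat -A POSTROUTING -o eth0 -j MASQUERADE"
    # external port : variable holding the internal host : internal port
    for map in 25555:VMWARETANZU_IP:25555 443:LOAD_BALANCER_IP:443 80:LOAD_BALANCER_IP:80 \
               8443:VMWARETANZU_IP:443 8022:VMWARETANZU_IP:22 8080:VMWARETANZU_IP:80; do
        ext=${map%%:*}; rest=${map#*:}; var=${rest%%:*}; int=${rest#*:}
        eval "host=\$$var"
        echo "iptables -t nat -A PREROUTING -i eth0 -d $GATEWAY_EXTERNAL_IP -p tcp --dport $ext -j DNAT --to-destination $host:$int"
        # DNAT only rewrites the destination; the FORWARD chain must also admit the packet.
        echo "iptables -A FORWARD -i eth0 -o eth1 -d $host -p tcp --dport $int -m conntrack --ctstate NEW -j ACCEPT"
    done
}
```

Review the output with a plain `tanzu_fw_rules` before piping it into `sudo sh`, and follow it with `service iptables save` as in step 6.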

Verify that Component VMs Resolve DNS Entries Behind Your Firewall

When you install Ops Manager in an environment that uses a strong firewall, the firewall might block DNS resolution. For example, if you use to test your DNS configuration, the tests fail without warning if the firewall prevents TAS for VMs from accessing *

To verify that component VMs can correctly resolve DNS entries:

  1. SSH into the Ops Manager VM by following the procedure in Log Into the Ops Manager VM with SSH in Logging Into Ops Manager VMs with SSH.

  2. Run any of the following network administration commands with the IP address of the VM:

    • nslookup
    • dig
    • host
    • The appropriate traceroute command for your OS
  3. Review the output of the command and fix any blocked routes. If the output displays an error message, review the firewall logs to determine which blocked route or routes you need to clear.

  4. Repeat steps 1-3 with the BOSH Director VM.
