You are unable to download VIBs if vCenter Server is using a custom port for the reverse proxy.
Problem
If you configure vCenter Server reverse proxy to use a custom port, the VIB downloads fail.
Cause
If vCenter Server is using a custom port for the reverse proxy, the custom port is not automatically enabled in the ESXi firewall and the VIB downloads fail.
Solution
- Open an SSH connection to the host and log in as root.
- (Optional) List the existing firewall rules.
esxcli network firewall ruleset list
- (Optional) Back up the /etc/vmware/firewall/service.xml file.
cp /etc/vmware/firewall/service.xml /etc/vmware/firewall/service.xml.bak
- Edit the access permissions of the service.xml file to allow writes by running the chmod command.
- To allow writes, run chmod 644 /etc/vmware/firewall/service.xml.
- To toggle the sticky bit flag, run chmod +t /etc/vmware/firewall/service.xml.
- Open the service.xml file in a text editor.
- Add a new rule to the service.xml file that enables the custom port for the vCenter Server reverse proxy.
<service id='id_value'>
  <id>vcenterrhttpproxy</id>
  <rule id='0000'>
    <direction>outbound</direction>
    <protocol>tcp</protocol>
    <port type='dst'>custom_reverse_proxy_port</port>
  </rule>
  <enabled>true</enabled>
  <required>false</required>
</service>
Where id_value must be a unique value. For example, if the last listed service in the service.xml file has ID 0040, you must enter ID number 0041.
- Revert the access permissions of the service.xml file to the default read-only setting.
chmod 444 /etc/vmware/firewall/service.xml
- Refresh the firewall rules for the changes to take effect.
esxcli network firewall refresh
- (Optional) List the updated rule set to confirm the change.
esxcli network firewall ruleset list
- (Optional) If you want the firewall configuration to persist after a reboot of the ESXi host, copy the service.xml onto persistent storage and modify the local.sh file.
- Copy the modified service.xml file onto persistent storage, for example /store/, or onto a VMFS volume, for example /vmfs/volumes/volume/.
cp /etc/vmware/firewall/service.xml location_of_xml_file
If you store the file on a VMFS volume, you can keep it in a single location and copy it to multiple hosts.
- Add the service.xml file information to the local.sh file on the host.
cp location_of_xml_file /etc/vmware/firewall
esxcli network firewall refresh
Where location_of_xml_file is the location to which the file was copied.
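The rule-editing step above can be scripted so that the service ID is computed rather than typed by hand. The following is an added example, not VMware's code. It picks the next unused ID, refuses to add a second vcenterrhttpproxy service, and range-checks the port. The sample file content, its root element name, and port 9443 are constructed assumptions.

```python
import xml.etree.ElementTree as ET

SERVICE_NAME = "vcenterrhttpproxy"  # service <id> used in the rule shown on this page

# Constructed sample, not a real host's service.xml; the root element name is assumed.
SAMPLE = """<ConfigRoot>
  <service id='0039'><id>exampleA</id><enabled>true</enabled><required>false</required></service>
  <service id='0040'><id>exampleB</id><enabled>true</enabled><required>false</required></service>
</ConfigRoot>"""


def next_service_id(root):
    """Return a 4-digit ID one above the highest existing <service id=...>."""
    used = [int(s.get("id")) for s in root.findall("service")]
    return "%04d" % (max(used) + 1 if used else 0)


def add_proxy_rule(xml_text, port):
    """Return service.xml text with an outbound TCP rule for the custom port appended."""
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    root = ET.fromstring(xml_text)
    # A duplicate service name would make the rule set ambiguous, so stop early.
    if any(s.findtext("id") == SERVICE_NAME for s in root.findall("service")):
        raise ValueError("service %s is already defined" % SERVICE_NAME)
    new_id = next_service_id(root)  # computed before the new element is attached
    svc = ET.SubElement(root, "service", {"id": new_id})
    ET.SubElement(svc, "id").text = SERVICE_NAME
    rule = ET.SubElement(svc, "rule", {"id": "0000"})
    ET.SubElement(rule, "direction").text = "outbound"
    ET.SubElement(rule, "protocol").text = "tcp"
    ET.SubElement(rule, "port", {"type": "dst"}).text = str(port)
    ET.SubElement(svc, "enabled").text = "true"
    ET.SubElement(svc, "required").text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    print(add_proxy_rule(SAMPLE, 9443))  # 9443 is a constructed example port
```

ElementTree drops XML comments when it parses, so compare the output against the service.xml.bak backup before replacing the live file.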