My website is running on a single ESX machine in a remote datacenter somewhere. Because I am hosting the machine myself, I had to do my own routing and firewalling. I solved it by installing a pfSense virtual machine, hooking it up to both an internal and external vSwitch:

This way, my server is secure: both the Service Console as well as the virtual web server are only accessible through the firewall. I’m running OpenVPN on the pfSense machine, so if I need access to the internal subnet, I fire up OpenVPN. Sometimes, however, I don’t have the OpenVPN software running on the PC I’m working on, so I cannot access the Service Console and/or the web server.

A cool little solution for this is to use SSH tunneling. I connect to a third machine which is accessible through the Internet (runs a SSH daemon) and is able to connect to, the Service Console IP address. By configuring PuTTY to do some magic for us, I am able to connect my vSphere Client to my ESX server securely, without publishing my ESX-host to the world.


  • Make sure you have a SSHd accessable from the Internet
  • Make sure the VM running SSHd can access the Service Console IP
  • Open PuTTY, navigate to [Connection] – [SSH] – [Tunnels], and fill in three forwarded ports: 443, 902 and 903. Fill in ‘Destination’ like this: [youresxip]:[port].

  • Add an entry to your hosts file so the real DNS-name of the host refers to (Source)

  • Fire up the vSphere Client and connect to [youresxdnsname].[domain]