The flexVDI Software Suite consists of several distributed components that communicate through TCP/IP connections, so you need to make sure your firewall rules allow this communication. However, CentOS 7.4 and RHEL 7, since release 7.4, come with firewall rules, governed by the firewalld system service, that disallow incoming connections to most TCP ports by default. The flexVDI Config tool cannot reliably check that the required network ports are open in any of the multiple configurations allowed by firewalld, so you have to check it yourself. A common alternative is to completely disable the firewalld service and rely on network-wide filtering. The network ports used by the different components of the flexVDI Software Suite are the following:
- TCP 22: SSH is used to migrate virtual machines.
- TCP 443: the flexVDI Gateway installed in each host uses this port to accept connections from clients. This port is configurable in
- TCP 7777: the OCFS2 tools and daemons use this port to communicate. Other hosts of the platform need to reach this port.
- TCP 9443: the flexVDI Agent uses this port to receive requests from the flexVDI Manager.
- TCP 5800: the flexVDI Manager VM uses this port to accept Spice connections.
- TCP 5900 and up (5900 to 15900 by default): ports used for Spice connections to other VMs. The flexVDI Gateway connects to these ports.
Of this list, only port TCP 443 must be reachable by flexVDI Clients. Ports 5900 and up have to be reachable by the flexVDI Gateway, which connects to the virtual desktops, and by the flexVDI Dashboard, which shows guest consoles to the system administrator. The rest can be made reachable only by other hosts of the platform and the Manager.
An easy firewall rule would be to add your whole services subnet (or just the hosts, Manager and Webportal instances) to the trusted zone. Assuming your services subnet is 10.0.1.0/24:
# firewall-cmd --zone trusted --add-source 10.0.1.0/24
# firewall-cmd --runtime-to-permanent
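Since flexVDI Config cannot verify the ports for you, the following added example (not part of the flexVDI tooling) parses a `firewall-cmd --zone=<zone> --list-all` listing and reports which of the ports above are open neither explicitly nor through a predefined firewalld service; the port list, the ssh/https service mapping and the sample listing are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example: check a firewalld zone listing for the flexVDI ports.
# `firewall-cmd --zone=<zone> --list-all` prints lines such as
# "  services: ssh https" and "  ports: 443/tcp 9443/tcp".

# Ports a flexVDI host needs, in firewalld notation (assumed from the list
# above; 5900-15900 is the default Spice range, adjust if you changed it).
FLEXVDI_PORTS="22/tcp 443/tcp 7777/tcp 9443/tcp 5800/tcp 5900-15900/tcp"

# Constructed sample of `firewall-cmd --zone=public --list-all` output so the
# script runs offline; a real run feeds the command output instead.
SAMPLE_LISTING='public (active)
  target: default
  interfaces: eth0
  sources:
  services: ssh dhcpv6-client
  ports: 443/tcp 9443/tcp 5900-15900/tcp
  protocols:
  forward-ports:
  rich rules:'

# Predefined firewalld services that open a required port (assumed mapping).
service_for_port() {
  case "$1" in
    22/tcp) echo ssh ;;
    443/tcp) echo https ;;
    *) echo "" ;;
  esac
}

# Print every required port that the listing leaves closed, one per line.
# Returns 0 when all ports are open, 1 when at least one is missing.
missing_ports() {
  listing="$1"
  ports=$(printf '%s\n' "$listing" | sed -n 's/^ *ports: *//p')
  services=$(printf '%s\n' "$listing" | sed -n 's/^ *services: *//p')
  rc=0
  for p in $FLEXVDI_PORTS; do
    case " $ports " in *" $p "*) continue ;; esac
    svc=$(service_for_port "$p")
    if [ -n "$svc" ]; then
      case " $services " in *" $svc "*) continue ;; esac
    fi
    echo "$p"
    rc=1
  done
  return $rc
}

# Real usage on a host: missing_ports "$(firewall-cmd --zone=public --list-all)"
```

Run it against the zone that holds the interface facing the other hosts and the Manager, and repeat for each zone you use.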
flexVDI Config main menu shows the following options: