Merge remote-tracking branch 'origin/4.14'
diff --git a/source/installguide/hypervisor/vsphere.rst b/source/installguide/hypervisor/vsphere.rst
index 4c01b93..af95ddc 100644
--- a/source/installguide/hypervisor/vsphere.rst
+++ b/source/installguide/hypervisor/vsphere.rst
@@ -339,19 +339,66 @@
 Extend Port Range for CloudStack Console Proxy
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
 
-(Applies only to VMware vSphere version 4.x)
-
-You need to extend the range of firewall ports that the console proxy
-works with on the hosts. This is to enable the console proxy to work
-with VMware-based VMs. The default additional port range is 59000-60000.
-To extend the port range, log in to the VMware ESX service console on
-each host and run the following commands:
+In production environments (large number of VMs), 
+it's needed to extend the range of firewall ports that the console proxy
+works with on the hosts. The default additional port range is 50000-50999
+(see global settings ``vmware.additional.vnc.portrange.size`` and ``vmware.additional.vnc.portrange.start``).
+ 
+Change global setting ``vmware.additional.vnc.portrange.size`` to i.e "10000" and restart the 
+management-server service on each management server.
+Add those additional ports to the ESXi firewall on each host.
+Log in via SSH to every VMware ESXi host and edit the file ``/etc/rc.local.d/local.sh``
+by adding the following lines just above the "exit 0" line.:
 
 .. parsed-literal::
 
-   esxcfg-firewall -o 59000-60000,tcp,in,vncextras
-   esxcfg-firewall -o 59000-60000,tcp,out,vncextras
+   cat <<EOF > /etc/vmware/firewall/vncAdditionalPorts.xml
+   <ConfigRoot>
+     <service>
+       <id>vncAdditionalPorts</id>
+       <rule id='0000'>
+         <direction>inbound</direction>
+         <protocol>tcp</protocol>
+         <porttype>dst</porttype>
+         <port>
+           <begin>51000</begin>
+           <end>60000</end>
+         </port>
+       </rule>
+       <enabled>true</enabled>
+       <required>false</required>
+     </service>
+   </ConfigRoot>
+   EOF
+   esxcli network firewall refresh
 
+This will ensure the needed firewall rules are applied on boot of ESXi hosts.
+
+To make the change on the running host, repeat the commands that were just added to ``local.sh`` script, at the shell command line:
+
+.. parsed-literal::
+
+   cat <<EOF > /etc/vmware/firewall/vncAdditionalPorts.xml
+   <ConfigRoot>
+     <service>
+       <id>vncAdditionalPorts</id>
+       <rule id='0000'>
+         <direction>inbound</direction>
+         <protocol>tcp</protocol>
+         <porttype>dst</porttype>
+         <port>
+           <begin>51000</begin>
+           <end>60000</end>
+         </port>
+       </rule>
+       <enabled>true</enabled>
+       <required>false</required>
+     </service>
+   </ConfigRoot>
+   EOF
+   esxcli network firewall refresh
+   
+Run the script ``/sbin/auto-backup.sh`` and then logout from each ESXi host.
 
 Configure NIC Bonding for vSphere
 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
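Review bot: the port bounds in both XML blocks (``<begin>51000</begin>``, ``<end>60000</end>``) do not match the range the new text derives from the global settings. With the default stated as 50000-50999 and ``vmware.additional.vnc.portrange.size`` raised to 10000, the same arithmetic gives 50000-59999, so the rule opens port 60000 without it being part of the range, and nothing explains why the rule starts at 51000 rather than 50000. Suggest ending the rule at 59999 and adding a sentence on what already covers 50000-50999. The rule is inbound TCP with no source restriction on every host, so the text should also say which source addresses need to reach these ports. Smaller points: "to i.e" should be "e.g.", and the second XML block is a verbatim copy of the first, so the two can drift; consider telling the reader to run the lines just added to ``local.sh`` instead of repeating them.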
diff --git a/source/installguide/management-server/_database.rst b/source/installguide/management-server/_database.rst
index 46a9f13..3fb2903 100644
--- a/source/installguide/management-server/_database.rst
+++ b/source/installguide/management-server/_database.rst
@@ -385,5 +385,12 @@
       cloudstack-setup-management
 
    You should get the output message “CloudStack Management Server setup is
-   done.”
+   done!”
 
+   .. warning::
+      On RHEL and CentOS systems, firewalld (installed by default) will override all 
+      iptables rules set by the cloudstack-setup-management script, 
+      so ensure that the firewalld is disabled or ensure the correct firewalld rules
+      are in place to allow traffic to ports 8080, 8250 and 9090 to the management server.
+      
+   
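Review bot: the added warning names ports 8080, 8250 and 9090 but gives no steps for either option, and it lists disabling firewalld first. Suggest making "keep firewalld and add rules for these three ports" the first option, with the commands or a link to them, and leaving disabling it as the fallback. "the firewalld" should read "firewalld", and the two whitespace-only lines added after the warning can be dropped.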
diff --git a/source/installguide/management-server/_second_mgt.rst b/source/installguide/management-server/_second_mgt.rst
index 4526bfd..f079d75 100644
--- a/source/installguide/management-server/_second_mgt.rst
+++ b/source/installguide/management-server/_second_mgt.rst
@@ -64,6 +64,12 @@
 
    The Management Server on this node should now be running.
    If the servlet container is Tomcat7 the argument --tomcat7 must be used.
+   
+   .. warning::
+      On RHEL and CentOS systems, firewalld (installed by default) will override all 
+      iptables rules set by the cloudstack-setup-management script, 
+      so ensure that the firewalld is disabled or ensure the correct firewalld rules
+      are in place to allow traffic to ports 8080, 8250 and 9090 to the management server.
 
 #. Repeat these steps on each additional Management Server.
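Review bot: the warning added here is a word-for-word copy of the one added to ``_database.rst`` in the same merge, so the port list (8080, 8250, 9090) now has to be kept in sync in two places. Suggest moving it to a shared include file and referencing it from both pages. The first added line of the hunk is whitespace only and should be an empty line.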