Automating VMware/Broadcom URL Whitelisting Checks with a Simple Bash Script

I wrote another piece of bash script that I think others might find useful, hence the blog post :) It is somewhat inspired by DSvClient, which I also recently did a new release of. Check it out here on MichaelRyom.dk or here on GitHub!

Why I wrote this script

I ran into issues working with vCenter and network security. It was a very practical problem: firewall and proxy rules were silently breaking essential VMware/Broadcom services.

Broadcom publishes a public URL list that must be whitelisted for things like vSphere Update Manager, vSAN Cloud Health, and the VVS API. The list lives here:

🔗 https://knowledge.broadcom.com/external/article/327186/public-url-list-for-sddc-manager.html

Back in the day my go‑to method was a blunt‑force curl -k <url> -vvv and then manually scanning the verbose output for errors or a successful 200 OK or finding proxy denies. That works, but it’s noisy, time‑consuming, and impossible to run reliably across dozens of vCenters.

I wanted a single, repeatable command that would:

  • Hit every URL on the official whitelist (the ones that I, and most people, need).
  • Show a concise status (HTTP code + short note - I broke the note part at some point, so mainly HTTP code).
  • Handle the one oddball Broadcom VVS endpoint that requires an OAuth bearer token.

That’s exactly what the script does. It condenses the whole checklist into a tidy table that anyone can read at a glance.

By the way if you wanna jump straight to the script it is available here on codeberg.org

 

What the script actually does

Below is a high‑level walk‑through of the script’s flow. I’ve kept the code deliberately short and commented, so you can see the logic without getting lost in Bash minutiae.

#!/usr/bin/env bash
set -euo pipefail          # Fail fast on errors
# -------------------------------------------------------------------------
# 1️⃣ Arguments – you must supply the <download-token> that replaces the
# placeholder in one of the URLs.
# -------------------------------------------------------------------------
if [[ $# -ne 1 ]]; then
    echo "Usage: $0 <download-token>"
    exit 1
fi

DOWNLOAD_TOKEN="$1"
 
1. Embedded URL list (TOML)

The URLs are stored in a small TOML block right inside the script. Each line follows the same url = "…" syntax, which makes it easy to add or remove entries later.

TOML=$(cat <<'EOS'
url = "https://dl.broadcom.com/<downloadToken>/PROD/COMP/ESX_HOST/addon-main/vmw-depot-index.xml"
url = "https://partnerweb.vmware.com/service/vsan/all.json"
url = "https://vcsa.vmware.com/ph/api/v1/results?deploymentId=2d02e861-7e93-4954-9a73-b08692a330d1&collectorId=VsanCloudHealth.6_5&objectId=0c3e9009-ba5d-4e5f6-bae8-f25ec506d219&type=vsan-updates-json"
url = "https://vvs.broadcom.com/v1/compatible/vcg/bundles/all?format=gz"
EOS
)
 
2. Pull out just the URL lines
mapfile -t URL_LINES < <(grep -E '^url[[:space:]]*=' <<<"$TOML")
 

Now URL_LINES holds each definition, ready for processing.

3. Detect whether we need an OAuth token

Only the vvs.broadcom.com endpoint requires a bearer token. The script scans the list; if it finds such a URL it performs a client‑credentials grant against Broadcom’s auth service.

if $needs_oauth; then
    token_resp=$(curl -s -X POST "$AUTH_URL" \
        -H 'Content-Type: application/json' \
        -d "$(jq -nc --arg cid "$CLIENT_ID" --arg cs "$CLIENT_SECRET" \
                '{grant_type:"client_credentials",client_id:$cid,client_secret:$cs}')")
    ACCESS_TOKEN=$(jq -r '.access_token // empty' <<<"$token_resp")
fi
 
4. Probe each URL

The heart of the script is the probe() helper. It tries a lightweight HEAD request first (fast, no body). If the response isn’t a 2xx, it falls back to a silent GET. The function returns a string like 200|OK.

probe() {
    local url=$1 extra=${2:-}
    local http_code note
    http_code=$(curl --silent --show-error --head --max-time $MAX_TIME \
                     $extra "$url" -w "%{http_code}" -o /dev/null) || true
}
 

For the OAuth‑protected VVS endpoint we send the token in a custom header (X-Vmw-Esp-Client) and parse the first response line.
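
The HEAD-then-GET flow and the "code|note" result described above, as an added example that is not the author's script. It goes one step beyond the text: it reads the last status line of curl's header dump rather than the first, because behind a proxy the dump can start with the proxy's CONNECT reply, and it copes with HTTP/2 replies that carry no reason phrase. The names status_to_result and probe_url are hypothetical and the sample header dumps are constructed.

```bash
#!/usr/bin/env bash
# Added example, not the author's script. status_to_result and probe_url are
# hypothetical names; the sample header dumps below are constructed.

# Reduce a header dump (curl -D -) to "code|note" using the LAST status line,
# so a proxy's "200 Connection established" hop is not reported as the result.
status_to_result() {
    local line rest code note
    line=$(printf '%s\n' "$1" | grep -E '^HTTP/[0-9.]+ [0-9]{3}' | tail -n 1 | tr -d '\r') || true
    if [ -z "$line" ]; then
        echo "000|no HTTP response"       # DNS, TCP, TLS or proxy never answered
        return 0
    fi
    rest=${line#* }                       # drop the "HTTP/x" token
    code=${rest%% *}
    note=${rest#"$code"}; note=${note# }  # reason phrase; empty on HTTP/2
    if [ -z "$note" ]; then
        case $code in
            2??) note="reachable" ;;
            3??) note="redirect" ;;
            *)   note="problem" ;;
        esac
    fi
    printf '%s|%s\n' "$code" "$note"
}

# HEAD first, GET only when HEAD is not 2xx (some endpoints answer HEAD with 405).
probe_url() {
    local url="$1" max_time="${2:-10}" headers result
    headers=$(curl --silent --head --max-time "$max_time" -D - -o /dev/null "$url") || true
    result=$(status_to_result "$headers")
    case $result in
        2*) ;;
        *)  headers=$(curl --silent --max-time "$max_time" -D - -o /dev/null "$url") || true
            result=$(status_to_result "$headers") ;;
    esac
    printf '%s\n' "$result"
}

# Constructed samples: a HEAD through a proxy that ends in 405, and an HTTP/2 reply.
SAMPLE_PROXY_405=$(printf 'HTTP/1.1 200 Connection established\r\n\r\nHTTP/1.1 405 Method Not Allowed\r\nAllow: GET\r\n')
SAMPLE_H2_200=$(printf 'HTTP/2 200 \r\ncontent-type: application/json\r\n')

status_to_result "$SAMPLE_PROXY_405"
status_to_result "$SAMPLE_H2_200"
```
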

5. Print a compact table

Finally the script prints a nicely aligned table:

printf "\n%-95s %-6s %s\n" "Result" "Code" "Note"
printf "%-95s %-6s %s\n" "$(printf '=%.0s' {1..95})" "------" "----"
printf "%-95s %-6s %s\n" "$src_url" "$code" "$note"
 

The output looks like this (example run with a dummy token):

Result                                                                                          Code   Note
=============================================================================================== ------ ----
https://dl.broadcom.com/<downloadToken>/PROD/COMP/ESX_HOST/addon-main/vmw-depot-index.xml       403    403
https://partnerweb.vmware.com/service/vsan/all.json                                             200    200
https://vcsa.vmware.com/ph/api/v1/results?deploymentId=2d02e861-7e93-4954-9a73-b08692a330d1&collectorId=VsanCloudHealth.6_5&objectId=0c3e9009-ba5d-4e5f6-bae8-f25ec506d219&type=vsan-updates-json 200    405
https://vvs.broadcom.com/v1/compatible/vcg/bundles/all?format=gz                                200    200
 
  • Result – The full URL that was tested (the <downloadToken> placeholder is replaced by the token you passed, but the token is not visible in the output).
  • Code – The HTTP status code returned by the server. Anything in the 200‑range means the endpoint is reachable; 3xx indicates a redirect, 4xx/5xx signals a problem.
  • Note – SHOULD HAVE BEEN: The short description taken from the first line of the HTTP response (e.g., “OK”, “Moved Permanently”, “Unauthorized”). It gives a quick hint about why a non‑200 code appeared.

 

How to use the script

Make it executable

chmod +x vmware_broadcom_url_check.sh

 

Run it, passing the download token you got from Broadcom

./vmware_broadcom_url_check.sh <your-download-token>

Replace <your-download-token> with the real token (or a test value if you just want to see the table format).

 

Read the table – any row that isn’t 200 OK is a candidate for firewall or proxy adjustment.

Keeping the URL list up‑to‑date

The official list lives at:

🔗 https://knowledge.broadcom.com/external/article/327186/public-url-list-for-sddc-manager.html

Broadcom occasionally adds or deprecates entries. Whenever you spot a change, simply update the TOML block in the script and re‑run. Because the script is self‑contained, there’s no external configuration file to manage.

Final thoughts

What started as a handful of manual curl commands turned into a repeatable, auditable health‑check that I now run whenever I touch firewall rules or spin up a new vCenter instance.

If you’re managing vSphere, vSAN, or any Broadcom‑backed SDDC component, I hope you find this script as useful as I do. Feel free to fork it, tweak the output format, or integrate it into your own monitoring stack. A big shout‑out to my other project DSvClient which started this for me.

Happy testing! 🚀

This article was updated on 29 Dec 2025