Several weeks back there were a couple of questions from our field asking about locking down access to a Virtual Machine's Console, which includes both the new Standalone VMRC (Windows & Mac OS X) that runs on your desktop and the new HTML5 VM Console that runs in the browser. Below is a screenshot of the vSphere Web Client showing how to access the two different types of VM Consoles.
To prevent users from accessing either of the VM Consoles (this also applies to the vSphere C# Client), you can leverage vSphere's extensive Role Based Access Control (RBAC) system. The specific privilege that governs whether a user can access the VM Console is VirtualMachine->Interaction->Console interaction, as seen in the screenshot below.
If a user is not granted this privilege on a particular VM, then when they click on either the Standalone VMRC link or the HTML5 VM Console they will get permission denied and the screen will be blank. Pretty simple if you want to prevent users from accessing the VM Console, or to allow only VM Console access when they log in.
UPDATE (01/31/17): If you are using VMRC 8.1 or greater, you no longer need the additional permission assignment at the ESXi level if you ONLY want to provide VM Console access; just assign it to the VM. However, if you need to provide device management, such as mounting an ISO on the client side, then you will still need to assign the VMRC role (along with the required privileges for device management) at the ESXi host level.
UPDATE (12/15/15): If you want to restrict users to having ONLY VM Console access, which may include the Standalone VMRC, you will need to ensure that the user has the role applied not only on the VMs you wish to restrict but also at the ESXi host level, since the Standalone VMRC still requires access to the ESXi host. You do not need to grant read-only permissions for the user at the ESXi level; you just need to assign the user the "VMRC"-only role at the ESXi level or higher to ensure they can connect with the VMRC.
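The procedure above (a role holding only the Console interaction privilege, granted on the VM and, where the VMRC still needs it, on the VM's ESXi host) can be scripted with PowerCLI. The following is an added example and not code from the original post; the vCenter name, VM name and the AD group used as the principal are placeholders, and the connected account is assumed to already hold the privileges needed to create roles and permissions. The privilege ID it uses is the internal name of the Virtual machine -> Interaction -> Console interaction privilege shown in the post.

```powershell
# Added example (not from the original post): build a console-only role and
# grant it on one VM plus that VM's ESXi host, then verify the result.
# Placeholders: vCenter 'vcsa.example.com', VM 'web01', principal 'CORP\console-users'.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcsa.example.com' | Out-Null

$roleName  = 'VMRC'
$principal = 'CORP\console-users'
$vmName    = 'web01'

# 1. Create the role with the single privilege that governs VM Console access.
#    Get-VIPrivilege -Id takes the privilege's internal ID, which corresponds to
#    the UI path Virtual machine -> Interaction -> Console interaction.
$consolePriv = Get-VIPrivilege -Id 'VirtualMachine.Interaction.ConsoleInteraction'
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $consolePriv
}

# 2. Grant the role on the VM only. Propagate:$false is used so the grant never
#    flows down from an object into anything beneath it.
$vm = Get-VM -Name $vmName
New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate:$false | Out-Null

# 3. For VMRC older than 8.1, or when client-side device mounting is needed, the
#    same role must also be present on the ESXi host running the VM (see the
#    UPDATE notes above). Device management needs additional privileges added to
#    the role; this example stays console-only. Again non-propagating, so the
#    principal gains nothing on the other VMs hosted there.
$vmHost = $vm | Get-VMHost
New-VIPermission -Entity $vmHost -Principal $principal -Role $role -Propagate:$false | Out-Null

# 4. Verify: list what the principal now holds on both objects and confirm that
#    nothing propagates.
Get-VIPermission -Entity $vm, $vmHost |
    Where-Object { $_.Principal -eq $principal } |
    Select-Object Entity, Role, Propagate |
    Format-Table -AutoSize
```

The verification step is the part worth keeping around: a permission whose Propagate column reads True on a host object is exactly the over-exposure the post's approach is meant to avoid.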
sandy says
hi
I have a question regarding vSphere 6: how to generate web shortcuts for a machine console, especially Linux.
Regards
Sandy
Robert Reynolds says
William,
I have benefited from your blog over the years. I currently have a BCS case open on something that you might have insight on. We have a need for PCI/DSS 3.0 requirement to restrict access to remote consoles to a limited set of IPs that we know can only be accessed with two factor authentication. This is currently possible through the ESXi existing firewall rules on port 902 except for remote consoles that use HTML5, which it appears use the vCenter IP as a proxy. We would prefer not to restrict at the vCenter firewall since we are hoping to restrict access only on one cluster within vCenter and leave the other clusters without that restriction. Support Request # 16917222703. If you have time for your thoughts that would be appreciated.
-Robert Reynolds
Indiana University
William Lam says
Robert,
The only thing that comes to mind is by creating a role that either allows/prevents HTML5 access and you can apply it at the appropriate inventory level, else you would have to create the firewall as you've mentioned at the VC level. I think the RBAC approach is more scalable and you can easily add/remove users based on their group membership over firewall rules.
Robert Reynolds says
Thank you William for the quick reply. We do not want to prevent HTML5 access, just restrict it to certain IP ranges. Am I correct in thinking that HTML5 does not use port 902 on the ESXi host but rather 7343? That is why we were looking for a way to restrict on ESXi. Are customized ESXi firewall rules a viable solution?
William Lam says
Robert,
That's correct, HTML5 uses WebMKS which runs over a different port. For vSphere 5.5, that was 7343, and with vSphere 6.0 it is 9443 (same port as the vSphere Web Client itself); you could also change the default HTML5 port as well.
For what you're trying to accomplish, the options would be to filter at VC level restricting the IPs or doing this higher up the stack at the networking infrastructure level which is also pretty common when needing to set ACLs. There's nothing to do on ESXi itself and best method is to do this somewhere where you can easily manage it and I personally wouldn't recommend doing it at the ESXi host level, even if it was possible.
Robert Reynolds says
In looking at the filter option for VC I am having a hard time getting a definite list of ports for vSphere 6 that we would need to restrict. Is it still 902 for the Windows client and then 9443 for the Web client and HTML5? Are there any other ports to be concerned about for the remote console?
Dion says
Hi, is there any way we can apply the permission to all hosts at a cluster level without it recursing down to other VMs? We have a few different tenants in the same vCenter and we currently restrict visibility by restricting permissions to the resource pool.
It would be nice to not have to set it on all hosts manually or via script, as it's not persistent when hosts move in and out of a cluster. Setting this at the cluster level with recursion (1) exposes too much to different groups and (2) doesn't seem like a secure thing to do.
William Lam says
Yes, you can always use a script to apply to all hosts within a Cluster and not recurse down. Obviously the UI won't have these levels of granularity but that's where Automation can help.
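One way to do what William describes, as an added example that is not part of the original post or his reply: a PowerCLI script that keeps a non-propagating host-level "VMRC" assignment in step with a cluster's current membership, so it can be rerun on a schedule as hosts move in and out (the persistence concern raised above). The cluster name and principal are placeholders; the role is assumed to exist already and a vCenter connection to be open.

```powershell
# Added example (not from the original post): reconcile a host-level, non-propagating
# role assignment with the hosts currently in a cluster. Safe to rerun.
# Placeholders: cluster 'Tenant-A', principal 'CORP\tenant-a-console', role 'VMRC'.
$clusterName = 'Tenant-A'
$principal   = 'CORP\tenant-a-console'
$roleName    = 'VMRC'

# Hosts that should carry the assignment right now.
$clusterHosts = Get-Cluster -Name $clusterName | Get-VMHost
$wantedIds    = $clusterHosts | ForEach-Object { $_.Id }

# Host-level assignments of this role to this principal anywhere in vCenter.
# Get-VIPermission without -Inherited returns only permissions defined on the
# object itself, which is what we want to manage here.
$existing = Get-VMHost | Get-VIPermission |
    Where-Object { $_.Principal -eq $principal -and $_.Role -eq $roleName }

# Grant where missing. Never propagate: the hosts also run other tenants' VMs.
foreach ($h in $clusterHosts) {
    if (-not ($existing | Where-Object { $_.EntityId -eq $h.Id })) {
        New-VIPermission -Entity $h -Principal $principal -Role $roleName -Propagate:$false | Out-Null
        Write-Host "Granted $roleName on $($h.Name)"
    }
}

# Revoke on hosts that have left the cluster, and flag any existing grant that
# propagates, since that is the exposure the cluster-level UI option would cause.
foreach ($p in $existing) {
    if ($wantedIds -notcontains $p.EntityId) {
        Remove-VIPermission -Permission $p -Confirm:$false
        Write-Host "Revoked $roleName from $($p.Entity.Name)"
    }
    elseif ($p.Propagate) {
        Write-Warning "$($p.Entity.Name): $roleName propagates; recreate it with -Propagate:`$false"
    }
}
```

The principal comparison relies on the string matching the form vCenter reports in the Principal column (for example DOMAIN\group), so check one entry with Get-VIPermission first if the script keeps re-granting.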
Peter says
William,
My vCenter is not public. What would be the best solution?
owensderwin says
Hello William,
I have two ESXi 6.0 servers that I have built as identical versions (6.0.0 Update 2 (Build 4600944)); however, I can only connect to the guest machines on one of these ESXi servers using the VMRC 10 or 9 Mac standalone client. It just sits in a "connecting" state. Any idea where I should look to resolve this issue?