VMware Cloud on AWS (VMConAWS) 1.13 was just released and although it is an optional release, it does introduce a pretty interesting capability that I think our customers will really appreciate and benefit from, especially when this capability also makes its way into an on-premises vSphere release.
VMware Remote Console (VMRC) vCenter Proxy
- VMware Remote Console connections will now be proxied through the SDDC’s vCenter, and clients no longer require connectivity to ESXi hosts. This simplifies connectivity requirements, and allows for the use of VMRC over VPN when a DX or vTGW is also being used with the SDDC.
Historically, when you wanted to interact with a Virtual Machine using the vSphere UI in vCenter Server, you had two options. You could either use the HTML5 Remote Console within your browser or you could use the standalone VMware Remote Console (VMRC) application. For basic functionality, the HTML5 console is generally preferred, but for cases where you might need to mount a local device from your computer such as a USB, Bluetooth or CD-ROM device, you had to use the VMRC client.
Unlike the HTML5 console, which only requires vCenter Server access, VMRC requires clients to also have direct connectivity to the ESXi hosts. Obviously, this is not ideal for a number of reasons. This new feature simplifies console access to match that of the HTML5 console, and it also improves security by reducing the number of clients that actually need to communicate directly with an ESXi host, which is usually running on an isolated management network.
I was pleasantly surprised when I saw this feature in the latest SDDC release as I know this is something customers have asked about in the past. Funny enough, I had just re-deployed my SDDC a few days ago and figured I would take this new feature for a spin.
Here is a quick screenshot of the new VMRC vCenter Proxy feature in action. Simply click on Launch Remote Console and it will now just connect to the VM. This is great if you want to use VMRC over the internet or by going through VPN when using a Direct Connect or the new VMware Transit Connect Gateway (vTGW).
In addition to having an SDDC running version 1.13, you will also need VMRC version 11.2 or 12.0.
You can use the VMware Cloud console to check the version of your SDDC, but another way to determine if you have this new VMRC vCenter Proxy feature is by checking whether your vCenter Server has the following advanced setting configured: config.mksdevproxy.enable, which should be set to true. When this capability is made available in an on-premises vSphere release, customers will have the option to enable or disable this capability. Enabling and disabling can be done by simply toggling the advanced setting, and changes will take effect immediately without any service restarts.
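The advanced-setting check described above can be scripted with PowerCLI. This is an added example, not code from the original post; it assumes VMware PowerCLI is installed and Connect-VIServer has already been run, and the function name Get-VmrcProxyState is hypothetical.

```powershell
# Added example: report whether the VMRC vCenter Proxy setting is enabled on
# every vCenter Server this PowerCLI session is connected to (read-only check).

$settingName = 'config.mksdevproxy.enable'   # setting name taken from the article

function Get-VmrcProxyState {                # hypothetical helper name
    param(
        [Parameter(Mandatory)]
        $Server                              # a connected VIServer object
    )

    # vCenter-level advanced settings are read by passing the server as the entity.
    $setting = Get-AdvancedSetting -Entity $Server -Name $settingName -ErrorAction SilentlyContinue

    if (-not $setting) {
        $state = 'NotPresent'                # this build does not expose the setting
    } elseif ("$($setting.Value)" -eq 'true') {
        $state = 'Enabled'                   # string -eq is case-insensitive
    } else {
        $state = 'Disabled'
    }

    [pscustomobject]@{
        vCenter = $Server.Name
        Version = $Server.Version
        Build   = $Server.Build
        Setting = $settingName
        State   = $state
    }
}

if (-not $global:DefaultVIServers) {
    throw 'No vCenter connection found. Run Connect-VIServer first.'
}

$global:DefaultVIServers |
    ForEach-Object { Get-VmrcProxyState -Server $_ } |
    Format-Table -AutoSize
```

A State of NotPresent means the connected vCenter build does not expose the setting at all, which is a different result from the setting being present and set to false.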
In my opinion, this is a very welcome feature, especially being able to remove unnecessary access to your ESXi hosts from your general end users.
simplijm says
Can this VMRC vCenter Proxy be used for On Prem vCenters? I have a vCenter that is on a private network that I have set up a second NIC on my management network so I can manage the environment without being on the private network. I can get to the vCenter web UI and the VAMI and can operate fairly seamlessly with the exception that I cannot pop a VMRC to any of the VMs, just a web console. In the VMRC logs it showed the MKS connection trying to connect to the private IPs of the ESXi hosts. I set this proxy parameter and now the logs show it's going through the management network's vCenter IP to get to the VMs but the console still won't connect. It all looks like it's going through but in the logs right when it looks like it's connecting I see:
"MVNCClient: received socket error 19: Upgrade to websocket error: NOT FOUND, status code 404"
So close yet so far!!
William Lam says
What version of vCenter Server and ESXi are you using? Typically features built for VMC-A will eventually land into an on-premises release, but not always. I can check w/Engineering to see if this is now available as this is certainly something I've had customers ask for.