WilliamLam.com

Changing the default HTTP(s) Reverse Proxy Ports on ESXi 8.0 Update 1

by // 8 Comments

Pre-ESXi 8.0 Update 1, if you needed to modify the default ESXi HTTP(s) Reverse Proxy Ports, you would simply edit the HTTP reverse proxy configuration file, which I have previously blogged about HERE (pre-ESXi 8.0) and HERE (ESXi 8.0).

For ESXi 8.0 Update 1, the process is slightly diffrent as all ESXi configurations including configuration files have been completely migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1, which you can learn more about it HERE and HERE.

While most users stick with the system defaults with port 80 (HTTP) and port 443 (HTTPS), I know there are some organizations that require these ports to be changed to meet certain internal compliance requirements. Below are the updated instructions for modifying the ESXi HTTP(s) Reverse Proxy Ports when using ESXi 8.0 Update 1 or later.

Disclaimer: VMware does not officially support modifying the default HTTP/HTTPS ports on an ESXi host.

[Read more...]

Creating a custom VIB for ESXi 8.x

by // 26 Comments

Back in 2012, a VMware Fling was released called VIB Author, which allowed users to create their own custom vSphere Infrastructure Bundles (VIB) that typically would include configuration changes that was not possible when using the vSphere API such as enabling custom ESXi firewall ports or even bundling up custom utilities that could run within the ESXi Shell.

The VIB Author tool was eventually deprecated and removed due to the lack of support from Engineering, after all, it was released as a Fling. While the need for opening non-standard ESXi firewall port has greatly improved over the years, with the majority of 2nd and 3rd party solutions simply incorporating that into their solution offering, there are still use cases for requiring a custom VIB.

Even with the VIB Author Fling being deprecated, many in the community was still able to construct custom VIBs which were still compatible with later ESXi 5.x to 7.x releases. In fact, I even use the VIB Author to make it easier to distribute and install the popular ghettoVCB solution which can be installed using either a VIB or an Offline Bundle, another format the VIB Author tool supports creating.

[Read more...]

Configuring TLS Cipher Suites in ESXi 8.0 Update 1

by // 1 Comment

For organizations that mandate specific TLS cipher suites for compliance purposes, you may have used the instructions outlined in this VMware KB 79476 to modify the ESXi Reverse Proxy Configuration File to select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.

As of ESXi 8.0 Update 1, all configurations including configuration files have been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1 and you can learn more about it HERE and HERE. Additionally, I recently came to learn from one of our customers, who had inquired about changing the TLS cipher suites for ESXi that as of vSphere 8.0 Update 1, ESXi now runs two reverse proxy: rhttpproxy and Envoy with port 443 now being owned by the Envoy service, which is a popular and lightweight solution for reverse proxy usage.

The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store and with Envoy as the reverse proxy, it is helpful to understand the types of TLS cipher suites that can be supported will be based on Google's BoringSSL TLS implementation, which Envoy itself consumes.

[Read more...]