WilliamLam.com


Auditing & Automating Disabled Protocols (TLS/SSLv3) for ESXi 6.0u3 & 6.5 using PowerCLI

05.09.2017 by William Lam // 32 Comments

A couple of weeks back, I received a question from one of our TAMs about automating the disablement of specific TLS/SSL protocols for their ESXi 6.0 Update 3 hosts. As of vSphere 6.0 Update 3 and vSphere 6.5, customers have the ability to completely disable TLS 1.0, TLS 1.1 and SSLv3 using the new TLS Reconfiguration Tool. Mike Foley did a nice write-up here if you are interested in more details.

The TLS Reconfiguration Tool works well if your vCenter Server and ESXi hosts are on the same version of vSphere, but it has trouble in a mixed environment like this particular customer's. They are running vCenter Server 6.5 with ESXi 6.0 Update 3 hosts, a combination the TLS Reconfiguration Tool does not support today, which prevented them from using it.

UPDATE (05/11/17) - Added support for ESXi 6.5 hosts as well

Given that the TLS Reconfiguration Tool is written in Python, I was able to take a closer look at its implementation, and I found that the settings controlling the disabled protocols are just a few ESXi Advanced Settings. That means the change can be automated using the standard vSphere Automation Tools our customers are already familiar with. As part of this exercise, I also discovered that the tool currently does NOT disable TLS/SSLv3 protocols for the Small Footprint CIM Broker (SFCB) service, which also has to be covered if you want to be in full compliance for a particular TLS protocol. Although there is no direct SFCB API for managing the sfcb.cfg configuration file, there is still a way to automate this without requiring SSH to the ESXi host, which would otherwise be the alternative. Lastly, I was a bit surprised to see that the TLS Reconfiguration Tool has no "query" option for listing the currently disabled protocols across all ESXi hosts, although it does have one for vCenter Server itself.

To help this particular customer and others who may have specific TLS compliance requirements, I have created the following PowerCLI script called ESXiDisableProtocolConfiguration.ps1 which includes the following two functions:

  • Get-ESXiDPC - Retrieve the current disabled protocols for all ESXi hosts within a vSphere Cluster
  • Set-ESXiDPC - Configure the specific disabled protocols for all ESXi hosts within a vSphere Cluster
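The following PowerCLI functions are an added example and are not the author's ESXiDisableProtocolConfiguration.ps1, which is not reproduced here. They show the audit-then-configure pattern described above: read the per-host Advanced Settings, write a normalized value only where it differs, and then confirm from the outside, with a handshake restricted to a single protocol version, that the host really refuses what you disabled. The setting names UserVars.ESXiVPsDisabledProtocols, UserVars.ESXiRhttpproxyDisabledProtocols and UserVars.VMAuthdDisabledProtocols, the lowercase comma-separated value format, and the cluster and host names are assumptions not stated in the post; the SFCB sfcb.cfg change the post mentions is not covered.

```powershell
# Added example, not the author's script. Assumptions (verify on your hosts):
#   * These three Advanced Settings hold the disabled-protocol list for the
#     vSphere API endpoint (VPs), the reverse proxy (rhttpproxy) and the VM
#     authentication daemon (vmauthd) on ESXi 6.0 Update 3 / 6.5.
#   * Values are lowercase, comma-separated names, e.g. "sslv3,tlsv1,tlsv1.1".
#   * The services read these at start-up, so a host reboot is needed before
#     the change is effective. SFCB (sfcb.cfg) is not handled here.
$DisabledProtocolSettings = @(
    'UserVars.ESXiVPsDisabledProtocols',
    'UserVars.ESXiRhttpproxyDisabledProtocols',
    'UserVars.VMAuthdDisabledProtocols'
)

function Get-ClusterDisabledProtocols {
    # Audit: one row per host per setting, so drift between hosts is visible.
    param([Parameter(Mandatory)][string]$ClusterName)
    foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost | Sort-Object Name) {
        foreach ($name in $DisabledProtocolSettings) {
            $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
            [pscustomobject]@{
                VMHost   = $vmhost.Name
                Setting  = $name
                Disabled = if ($setting) { $setting.Value } else { '<not present>' }
            }
        }
    }
}

function Set-ClusterDisabledProtocols {
    # Configure: write the normalized (lowercase, sorted) list, but only to
    # hosts whose current value differs, so re-runs are idempotent.
    param(
        [Parameter(Mandatory)][string]$ClusterName,
        [ValidateSet('sslv3', 'tlsv1', 'tlsv1.1')][string[]]$Protocols = @('sslv3', 'tlsv1', 'tlsv1.1')
    )
    $desired = ($Protocols | ForEach-Object { $_.ToLower() } | Sort-Object -Unique) -join ','
    foreach ($vmhost in Get-Cluster -Name $ClusterName | Get-VMHost) {
        foreach ($name in $DisabledProtocolSettings) {
            $setting = Get-AdvancedSetting -Entity $vmhost -Name $name
            if (-not $setting) {
                Write-Warning "$($vmhost.Name): $name not present (host older than 6.0u3?), skipping"
                continue
            }
            if ($setting.Value -ne $desired) {
                Write-Host "$($vmhost.Name): $name '$($setting.Value)' -> '$desired'"
                Set-AdvancedSetting -AdvancedSetting $setting -Value $desired -Confirm:$false | Out-Null
            }
        }
    }
}

function Test-TlsProtocolAccepted {
    # Verify from the network side: offer exactly one protocol version on
    # TCP/443 and report whether the host completes the handshake. After
    # disabling tlsv1/tlsv1.1 and rebooting, only Tls12 should return $true.
    # A TCP-level failure (port closed, host down) is deliberately not caught.
    param(
        [Parameter(Mandatory)][string]$HostName,
        [System.Security.Authentication.SslProtocols]$Protocol = 'Tls',
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Certificate trust is irrelevant to a protocol probe, so accept any cert.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName, $null, $Protocol, $false)
        return $true
    } catch [System.IO.IOException], [System.Security.Authentication.AuthenticationException] {
        return $false
    } finally {
        $client.Dispose()
    }
}

# Usage (names are placeholders):
#   Connect-VIServer vcenter.example.com
#   Get-ClusterDisabledProtocols -ClusterName 'Prod-Cluster' | Format-Table -AutoSize
#   Set-ClusterDisabledProtocols -ClusterName 'Prod-Cluster' -Protocols sslv3,tlsv1,tlsv1.1
#   Test-TlsProtocolAccepted -HostName esxi01.example.com -Protocol Tls     # expect $false after reboot
#   Test-TlsProtocolAccepted -HostName esxi01.example.com -Protocol Tls12   # expect $true
```

Run the probe from a machine whose own TLS stack still allows the old versions; a client that has TLS 1.0 disabled in Schannel or OpenSSL will report $false for every host, which proves nothing about the host. The probe only covers the reverse proxy on 443; the other services behind the settings above (and SFCB on its own port) need their own checks.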


Categories // Automation, ESXi, Security, vSphere 6.0 Tags // ESXi 6.0, TLS, TLS 1.0, TLS 1.1, TLS 1.2, vSphere 6.0 Update 3

PowerCLI Core is now available on Docker Hub!

10.19.2016 by William Lam // 8 Comments

The much anticipated PowerCLI Core was released this week as a VMware Fling. It allows you to run PowerCLI on Linux, Mac OS X or even as a Docker Container. This is HUGE if you ask me, especially for customers who want the benefits of PowerCLI without being forced onto a Windows system, which PowerCLI traditionally required.

I personally have been using PowerCLI Core for quite some time now on Mac OS X and the experience is exactly the same as on its Windows counterpart. The Docker Container is another great way to consume PowerCLI Core, and I use that quite frequently as well. One thing I felt would make the Docker Container even easier to consume for those looking to do something really quick in PowerCLI, or what I call "Just In Time PowerCLI access", is being able to quickly pull it down from Docker Hub rather than having to download a bunch of files and then build it yourself (not that it is complicated), but sometimes speed is the game.

I posted a tweet earlier this morning and literally a few hours later, my good friend Alan Renouf delivered the goods! In addition, you will find that the new version of the PowerCLI Core Docker Container is now based on the Photon OS image rather than Ubuntu, as it previously was.

Asked for @PowerCLI Core to be hosted on @Docker Hub & the MAN (@alanrenouf) delivers!

docker pull vmware/powerclicore

— William Lam (@lamw) October 19, 2016

In addition to the three existing methods of consuming PowerCLI Core, you will now also find it hosted on Docker Hub: https://hub.docker.com/r/vmware/powerclicore/

UPDATE (01/03/17) - It looks like PowerNSX is now also included with PowerCLI Core. To use PowerNSX, simply import it by running the following command: Import-Module PowerNSX and you will now have access to the PowerNSX cmdlets! Nice job to the PowerNSX guys for making this possible for our customers!

To access PowerCLI Core from Docker Hub, you just need a system with the Docker client installed (Windows, Linux or Mac OS X); you can even use VMware's Photon OS, which ships with Docker. Then follow the instructions below:

Step 1 - Pull the PowerCLI Core image from Docker Hub by running the following command:

docker pull vmware/powerclicore

Step 2 - Run the PowerCLI Core Docker Container by running the following command:

docker run --rm -it --entrypoint='/usr/bin/powershell' vmware/powerclicore

It is literally that easy to access PowerCLI from ANY platform at ANY time! 😀

Step 3 - If your vCenter Server or ESXi host presents a self-signed certificate, Connect-VIServer will fail certificate validation. The quick workaround is to run the following command before calling the Connect-VIServer cmdlet:

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

Keep in mind that this turns certificate validation off for every connection made from that PowerCLI session, so anyone who can intercept the traffic can impersonate your vCenter Server. It is fine for a throwaway lab container; for anything else, trust the certificate, or at least verify its thumbprint, rather than ignoring it.
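As an added example (not part of the original post or of PowerCLI itself), here is a pre-flight check that is safer than blanket-ignoring certificate errors: fetch the certificate the server actually presents, compare its SHA-1 thumbprint with one you obtained out of band (for example, from the vCenter administrator or the vCenter console), and only connect if it matches. The server name, thumbprint and credential are placeholders, and the example assumes Set-PowerCLIConfiguration in your PowerCLI build accepts -Scope Session.

```powershell
# Added example, not from the original post. Pins the server certificate by
# thumbprint before opening the PowerCLI session. Placeholder values throughout.

function Get-RemoteCertificateThumbprint {
    # Open a TLS connection just to read the leaf certificate the server offers.
    # The validation callback accepts anything here because we are inspecting,
    # not trusting; the trust decision is made by the caller on the thumbprint.
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return $cert.Thumbprint   # uppercase hex SHA-1, no separators
    } finally {
        $client.Dispose()
    }
}

function Connect-VIServerPinned {
    # Refuse to connect unless the presented certificate matches the pinned
    # thumbprint. Only after that check passes is validation relaxed, and only
    # for this session, because PowerCLI cannot chain-validate a self-signed cert.
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][string]$ExpectedThumbprint,
        [Parameter(Mandatory)][pscredential]$Credential
    )
    # Normalize "AB:CD:..." or "ab cd ..." into the format .NET returns.
    $expected = ($ExpectedThumbprint -replace '[:\s]', '').ToUpper()
    $actual   = Get-RemoteCertificateThumbprint -HostName $Server
    if ($actual -ne $expected) {
        throw "Certificate thumbprint mismatch for ${Server}: got $actual, expected $expected. Refusing to connect."
    }
    Set-PowerCLIConfiguration -Scope Session -InvalidCertificateAction Ignore -Confirm:$false | Out-Null
    Connect-VIServer -Server $Server -Credential $Credential
}

# Usage (placeholders): the thumbprint comes from the vCenter admin, not from
# this script's own first run, otherwise the pin proves nothing.
#   $cred = Get-Credential
#   Connect-VIServerPinned -Server 'vcenter.example.com' `
#       -ExpectedThumbprint '01:23:45:67:89:AB:CD:EF:01:23:45:67:89:AB:CD:EF:01:23:45:67' `
#       -Credential $cred
```

This is a pre-flight check, not a binding: Connect-VIServer opens its own connection after the comparison, so it narrows the window for an attacker rather than closing it. The stronger fix is to add the vCenter root certificate to the container's trust store and leave InvalidCertificateAction at its default, which the check above lets you do gradually.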

Categories // Automation, Docker, PowerCLI, Security Tags // Docker, PowerCLI

How to restrict access to both the Standalone VMRC & HTML5 VM Console?

12.08.2015 by William Lam // 10 Comments

Several weeks back there were a couple of questions from our field about locking down access to a Virtual Machine's Console. This covers both the new Standalone VMRC (Windows & Mac OS X), which runs on your desktop, and the new HTML5 VM Console, which runs in the browser. Below is a screenshot of the vSphere Web Client showing how to access the two different types of VM Console.

[Screenshot: vSphere Web Client showing the Standalone VMRC and HTML5 VM Console launch options]
To prevent users from accessing either VM Console (this also applies to the vSphere C# Client), you can leverage vSphere's extensive Role Based Access Control (RBAC) system. The specific privilege that governs whether a user can access the VM Console is VirtualMachine -> Interaction -> Console interaction, as seen in the screenshot below.

[Screenshot: role editor showing the VirtualMachine -> Interaction -> Console interaction privilege]
If a user is not granted this privilege on a particular VM, then when they click either the Standalone VMRC link or the HTML5 VM Console they will get a permission-denied error and a blank screen. It is that simple to prevent users from accessing the VM Console, or to allow them only VM Console access when they log in.


UPDATE (01/31/17): If you are using VMRC 8.1 or greater, you no longer need the additional permission assignment at the ESXi level if you ONLY want to provide VM Console access; just assign it to the VM. However, if you need to provide device management, such as mounting an ISO from the client side, then you will still need to assign the VMRC role (along with the required privileges for device management) at the ESXi host level.

UPDATE (12/15/15): If you want to restrict users to ONLY VM Console access, which may include the Standalone VMRC, you will need to ensure the user has the role applied not only on the VMs you wish to restrict but also at the ESXi host level, since the Standalone VMRC still requires access to the ESXi host. You do not need to grant read-only permissions to the user at the ESXi level, but you do need to assign the user the "VMRC"-only role at the ESXi level or higher to ensure they can connect with the VMRC.
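The following PowerCLI functions are an added example, not code from the original post, showing how to implement the restriction described above and how to audit it afterwards: create a role that carries only the console privilege, assign it on a VM without propagation (and, for pre-8.1 VMRC, also on the VM's ESXi host, as the 12/15/15 update requires), and report every principal that can reach a VM's console and whether their role grants anything beyond that. It assumes the privilege ID behind "VirtualMachine -> Interaction -> Console interaction" is VirtualMachine.Interaction.ConsoleInteraction; the role name and principal are placeholders. The post's own host-level "VMRC" role is not described in detail, so this example reuses the console-only role there.

```powershell
# Added example, not from the original post. Assumes the privilege ID below;
# role and principal names are placeholders.
$ConsolePrivilegeId = 'VirtualMachine.Interaction.ConsoleInteraction'

function New-ConsoleOnlyRole {
    # Create (or reuse) a role whose only privilege is console interaction.
    param([string]$RoleName = 'VM Console Only')
    $role = Get-VIRole -Name $RoleName -ErrorAction SilentlyContinue
    if (-not $role) {
        $priv = Get-VIPrivilege -Id $ConsolePrivilegeId
        $role = New-VIRole -Name $RoleName -Privilege $priv
    }
    return $role
}

function Grant-ConsoleOnlyAccess {
    # Assign console-only access to one VM, without propagation so nothing
    # below or beside the VM inherits it. -IncludeHostLevel also assigns the
    # role on the VM's ESXi host (again without propagation), which the
    # Standalone VMRC needed before version 8.1.
    param(
        [Parameter(Mandatory)][string]$VMName,
        [Parameter(Mandatory)][string]$Principal,   # e.g. 'VSPHERE.LOCAL\consoleuser'
        [switch]$IncludeHostLevel
    )
    $role = New-ConsoleOnlyRole
    $vm   = Get-VM -Name $VMName
    New-VIPermission -Entity $vm -Principal $Principal -Role $role -Propagate:$false | Out-Null
    if ($IncludeHostLevel) {
        New-VIPermission -Entity $vm.VMHost -Principal $Principal -Role $role -Propagate:$false | Out-Null
    }
}

function Get-ConsoleAccessReport {
    # Audit: for each VM, who can open the console, through which role, and
    # whether that role is really console-only. Roles are resolved once.
    param([string]$VMName = '*')
    $rolePrivileges = @{}
    foreach ($r in Get-VIRole) { $rolePrivileges[$r.Name] = @($r.PrivilegeList) }
    foreach ($vm in Get-VM -Name $VMName) {
        foreach ($perm in Get-VIPermission -Entity $vm) {
            $privs = $rolePrivileges[$perm.Role]
            if ($privs -contains $ConsolePrivilegeId) {
                [pscustomobject]@{
                    VM          = $vm.Name
                    Principal   = $perm.Principal
                    Role        = $perm.Role
                    # True when the permission is defined on a parent object
                    # and reaches this VM by propagation.
                    Inherited   = $perm.Entity.Name -ne $vm.Name
                    ConsoleOnly = ($privs.Count -eq 1)
                }
            }
        }
    }
}

# Usage (placeholders):
#   Grant-ConsoleOnlyAccess -VMName 'App01' -Principal 'VSPHERE.LOCAL\consoleuser' -IncludeHostLevel
#   Get-ConsoleAccessReport | Where-Object { -not $_.ConsoleOnly } | Format-Table -AutoSize
```

The report is the part worth running regularly: a console-only role on the VM does not help if the same principal also holds Administrator on a parent folder, and the Inherited and ConsoleOnly columns make exactly that visible.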

Categories // Security, VMRC, vSphere, vSphere Web Client Tags // HTML5, permission, remote console, vm console, vmrc


Author

William is Distinguished Platform Engineering Architect in the VMware Cloud Foundation (VCF) Division at Broadcom. His primary focus is helping customers and partners build, run and operate a modern Private Cloud using the VMware Cloud Foundation (VCF) platform.


Copyright WilliamLam.com © 2025