WilliamLam.com

VMware Cloud on AWS 1.13 adds support for VMRC vCenter Proxy

by // Leave a Comment

VMware Cloud on AWS (VMConAWS) 1.13 was just released and although it is an optional release, it does introduce a pretty interesting capability that I think our customers will really appreciate and benefit from, especially when this capability also makes its way into an on-premises vSphere release.

VMware Remote Console (VMRC) vCenter Proxy

  • VMware Remote Console connections will now be proxied through the SDDC’s vCenter, and clients no longer require connectivity to ESXi hosts.  This simplifies connectivity requirements, and allows for the use of VMRC over VPN when a DX or vTGW is also being used with the SDDC.

Historically, when you wanted to interact with a Virtual Machine using the vSphere UI in vCenter Server, you had two options. You can either use the HTML5 Remote Console within your browser or you could use the standalone VMware Remote Console (VMRC) application. For basic functionality, the HTML5 console is generally preferred but for cases where you might need to mount a local device from your computer such as a USB, bluetooth or CD-ROM device, you had to use the VMRC client.

[Read more...]

How to audit vSphere Standalone VMRC or HTML5 VMRC connections?

by // Leave a Comment

An interesting question that came in last week from one of our TAMs was how to identify and audit Virtual Machine Remote Console (VMRC) logins from vSphere? The TAM was specifically interested in being able to correlate that a particular user had logged into the VMRC of a VM during a specific period of time. Luckily, this is easily retrievable through vCenter Servers's Event sub-system that stores information about everything that happens in your vSphere environment. The Events can be accessed using either the vSphere Web Client shown below or programmatically using the vSphere API which the UI is built on top of.

audit-standalone-vmrc-and-html5-vmrc-logins-1
You can obviously filter your search in the UI and focus on a particular VM, but often times there can be dozens if not hundreds of "Events" generated for a given VM. I personally prefer to leverage Automation when needing to look for a specific type of Event and more importantly, you can further process the results to either send out reports or hook into other third party systems. Now that we know, "where" to find our data, the next thing is identifying the type of Event that is generated for a VMRC connection.

As of vSphere 5.5 Update 2b, the VMRC in the vSphere Web Client can be accessed in one of two ways: The new HTML5 VMRC by clicking onto the VM screenshot thumbnail or the Standalone VMRC by clicking on the link directly beneath the VM screenshot.

audit-standalone-vmrc-and-html5-vmrc-logins-0
Each VMRC connection method will generate a unique vCenter Server Event. For HTML5 VMRC connections, the Event is called VmAcquiredMksTicketEvent and for Standalone VMRC connections, the Event is called VmAcquiredTicketEvent. As I mentioned earlier, the vCenter Server Event sub-system can be accessed using the vSphere API and you can find the complete list of Events documented here. To demonstrate the use of this particular vSphere API, below is a PowerCLI example using the Get-VIEvent cmdlet. My fellow colleague Alan Renouf has actually blogged about working with Events using PowerCLI which I will be adapting one of his examples for our use case.

We first retrieve the VM that we are interested in by running the following command (specify the name of your VM):

$vm = Get-VM -Name "VCSA-60u2"

To retrieve HTML5 VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredMksTicketEvent"} | Select CreatedTime, UserName, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like

audit-standalone-vmrc-and-html5-vmrc-logins-2
To retrieve Standalone VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredTicketEvent"} | Select CreatedTime, UserName, UserAgent, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like:

audit-standalone-vmrc-and-html5-vmrc-logins-3

How to restrict access to both the Standalone VMRC & HTML5 VM Console?

by // 10 Comments

Several weeks back there were a couple of questions from our field asking about locking down access to a Virtual Machine's Console which includes both the new Standalone VMRC (Windows & Mac OS X) which runs on your desktop as well as the new HTML5 VM Console which runs in the browser. Below is a screenshot of the vSphere Web Client showing how to access the two different types of VM Consoles.

restricting-vmrc-and-html5-vm-console-access-1
To prevent users from accessing either of the VM Consoles which also applies to the vSphere C# Client, you can leverage vSphere's extensive Role Based Access Control (RBAC) system. The specific privilege that governs whether a user can access the VM Console is under VirtualMachine->Interaction->Console interaction as seen in the screenshot below.

restricting-vmrc-and-html5-vm-console-access-0
If a user is not granted the following privilege for a particular VM, when they click on either the Standalone VMRC link or the HTML5 VM Console, they will get permission denied and the screen will be blank. Pretty simple if you want to prevent users from accessing the VM Console or allowing only VM Console access when they login.

restricting-vmrc-and-html5-vm-console-access-2

UPDATE (01/31/17): If you are using VMRC 8.1 or greater, you no longer need the additional permission assignment on the ESXi level if you ONLY want to provide VM Console access, just assign it to the VM. However, if you need to provide device management such as mounting an ISO on the client side, then you will still need to assign VMRC role (along with the required privileges for device management) at the ESXi host level.

UPDATE (12/15/15): If you want to restrict users from having ONLY VM Console access which may include the Standalone VMRC, you will need to ensure that the user has the role applied not only on the VMs you wish to restrict but also at the ESXi host level since Standalone VMRC still requires access to ESXi host. You do not need to grant read-only permissions for the user at the ESXi level, but you just need to assign the user "VMRC" only role at the ESXi level or higher to ensure they can connect to the VMRC.