WilliamLam.com

What is the VMware Client Integration Plugin (CIP)?

by // 3 Comments

If you are a consumer of the vSphere Web Client, you might have seen something called the VMware Client Integration Plugin (CIP) and you may have even downloaded it from bottom of the vSphere Web Client page and installed it on your desktop.

Screen Shot 2015-12-10 at 6.18.30 AM
However, have you ever wondered what CIP is actually used for? I know I personally have even though I have a general idea of what CIP provides, I have always been curious myself about the technical details. Recently there have been a few inquiries internally, so I figure I might as well do some research to see what I can find out.

The VMware CIP is actually a collection of different tools that are bundled together into a single installer that is available for either Microsoft Windows or Apple Mac OS X (Linux is being worked on). These tools provide a set of capabilities that are enabled when using the vSphere Web Client and below is a diagram of the different components included in CIP.

vmware-cip

  • ovftool - Standalone CLI utility used to manage import/export of OVF and OVA images
  • Windows Authentication - Allows the use of SSPI when logging in from the vSphere Web Client
  • Remote Devices - Connecting client side devices such as a CD-ROM, Floppy, USB, etc. to VM
  • File Upload/Download - Datastore file transfer
  • Content Library - Operations related to the Content Library feature such as import and export
  • Client Side Logging/Config - Allows for writing non-flash logs + vSphere Web Client flash and logging settings

In addition to capabilities shown above, CIP is also used to assist with basic input validation when deploying the vCenter Server Appliance deployment using the new guided UI installer.

Internally, CIP is referred to as the Client Support Daemon or CSD for short. Prior to vSphere 6.0 Update 1, CIP ran as a browser plugin relying on the Netscape Plugin Application Programming Interface (NPAPI). In case you had not heard, Google Chrome and other popular browsers have all recently removed support for NPAPI based plugins in favor of better security and increased speed improvements. Due to this change, CIP had to be re-written to no longer rely on this interface and starting with vSphere 5.5 Update 3a and vSphere 6.0 Update 1, the version of CIP that is installed uses this new implementation. CIP is launched today via a protocol handler which is a fancy term for a capability web browsers that allows you to run a specific program when a link is open.

One observation that some customers have made including myself when installing the CIP is that an SSL Certificate is generated during the installation process. To provide the CIP services to the vSphere Web Client, a secure connection must be made to vSphere Web Client pages. To satisfy this requirement, a self-signed SSL Certificate is used and instead of pre-packaging an already generated certificate, one is dynamically created to ensure that no 3rd Party would have access to the private key and be able to access it from the outside.

The longer term plan is to try to move as much of the CIP functionality onto the server side as possible, although not everything will be able to move to the server side. For things like remote devices, it has already been moved to the Standalone VMRC which already provides access to the VM Console and being able to connect to client side devices makes the most sense. Hopefully this gives you a better understanding of what CIP provides and hint of where it is going in the future.

Here are some additional info that you might find useful when installing and troubleshooting CIP:

CIP Installer Logs:

  • Windows -

    %ALLUSERSPROFILE%\VMware\CIP\csd\logs

  • Mac OS X -

    /Applications/VMware Client Integration Plug-in.app/Contents/Library/data/logs

CIP Application Logs:

  • Windows -

    %USERPROFILE%\AppData\Local\VMware\CIP\csd\logs

  • Mac OS X -

    $HOME/VMware/CIP/csd/logs

vSphere Web Client / CSD Session Logs:

  • Windows -

    %USERSPROFILE%\VMware\CIP\ui\sessions

  • Mac OS X -

    $HOME/VMware/CIP/ui/sessions

CIP SSL Certificate Location:

  • Windows -

    %ALLUSERSPROFILE%\VMware\CIP\csd\ssl

  • Mac OS X -

    /Applications/VMware Client Integration Plug-in.app/Contents/Library/data/ssl

 

How to restrict access to both the Standalone VMRC & HTML5 VM Console?

by // 10 Comments

Several weeks back there were a couple of questions from our field asking about locking down access to a Virtual Machine's Console which includes both the new Standalone VMRC (Windows & Mac OS X) which runs on your desktop as well as the new HTML5 VM Console which runs in the browser. Below is a screenshot of the vSphere Web Client showing how to access the two different types of VM Consoles.

restricting-vmrc-and-html5-vm-console-access-1
To prevent users from accessing either of the VM Consoles which also applies to the vSphere C# Client, you can leverage vSphere's extensive Role Based Access Control (RBAC) system. The specific privilege that governs whether a user can access the VM Console is under VirtualMachine->Interaction->Console interaction as seen in the screenshot below.

restricting-vmrc-and-html5-vm-console-access-0
If a user is not granted the following privilege for a particular VM, when they click on either the Standalone VMRC link or the HTML5 VM Console, they will get permission denied and the screen will be blank. Pretty simple if you want to prevent users from accessing the VM Console or allowing only VM Console access when they login.

restricting-vmrc-and-html5-vm-console-access-2

UPDATE (01/31/17): If you are using VMRC 8.1 or greater, you no longer need the additional permission assignment on the ESXi level if you ONLY want to provide VM Console access, just assign it to the VM. However, if you need to provide device management such as mounting an ISO on the client side, then you will still need to assign VMRC role (along with the required privileges for device management) at the ESXi host level.

UPDATE (12/15/15): If you want to restrict users from having ONLY VM Console access which may include the Standalone VMRC, you will need to ensure that the user has the role applied not only on the VMs you wish to restrict but also at the ESXi host level since Standalone VMRC still requires access to ESXi host. You do not need to grant read-only permissions for the user at the ESXi level, but you just need to assign the user "VMRC" only role at the ESXi level or higher to ensure they can connect to the VMRC.

Content Library Tech Preview at VMworld Europe 2015

by // 4 Comments

For those of you who were fortunate enough to attend the Content Library Technical Deep Dive session (#5106) at VMworld Europe several weeks back and stayed until the very end, you were treated to an exclusive sneak peak demo. The demo was well received from what I heard, especially having been one of the most popular feature requests when talking to customers. I know the Content Library Engineering team has been working hard on this feature and I thought what better way than to show it off at VMworld!

I recently had a meeting with the Content Library Dev Manager (Pratima Rao) who also had presented at VMworld Europe and I just got the green light to share the demo with my readers. As a reminder, this is a Tech Preview and I encourage you to check out the disclaimer below if you have any questions related to the delivery of this feature 🙂 So without further ado, here is the Tech Preview video that was demo'ed at VMworld.

Note: There is no audio to the video, but for those interested in what is happening in the video, here is a quick summary. Today, you can upload and manage ISO images within the Content Library, however when trying to mount an ISO from the Content Library, the workflow is not as straight forward as it could be. In a future update of vSphere, you will now have a new option to directly mount an ISO from the Content Library. The demo starts off by showing some ISOs that have already been uploaded to an existing Content Library. We can then access those ISOs by going to the Virtual Machine settings and using the familiar mount ISO workflow to access the content. You will see that there is now a new option to mount an ISO from the Content Library and you will be presented with a filtered list of all files with .iso extension. Once you have selected the the ISO, the VM will mount it like you normally would from a vSphere Datastore or from the client system. Some additional things to note is that you can also filter by searching for specific content by using the search box in case you have multiple Content Libraries. Lastly, there are some useful metadata in the columns fields when looking through your ISOs which could help with further identifying the content you are interested in.

Disclaimer: This is an early Tech Preview and the overview of new technology represents no commitment from VMware to deliver these features in any generally available product. Features are subject to change, and must not be included in contracts, purchase orders, or sales agreement of any kind. Technically feasibility and market demand will affect final delivery. Pricing and packaging for any new technologies features discussed or represented have not been determined

Content Library Tech Preview at VMworld Europe 2015 from lamw on Vimeo.