ESXi 8.0 Update 1

Changing the default HTTP(s) Reverse Proxy Ports on ESXi 8.0 Update 1

07.31.2023 by William Lam // 6 Comments

Pre-ESXi 8.0 Update 1, if you needed to modify the default ESXi HTTP(s) Reverse Proxy Ports, you would simply edit the HTTP reverse proxy configuration file, which I have previously blogged about HERE (pre-ESXi 8.0) and HERE (ESXi 8.0).

For ESXi 8.0 Update 1, the process is slightly diffrent as all ESXi configurations including configuration files have been completely migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1, which you can learn more about it HERE and HERE.

While most users stick with the system defaults with port 80 (HTTP) and port 443 (HTTPS), I know there are some organizations that require these ports to be changed to meet certain internal compliance requirements. Below are the updated instructions for modifying the ESXi HTTP(s) Reverse Proxy Ports when using ESXi 8.0 Update 1 or later.

Disclaimer: VMware does not officially support modifying the default HTTP/HTTPS ports on an ESXi host.

[Read more...]

Configuring TLS Cipher Suites in ESXi 8.0 Update 1

07.20.2023 by William Lam // 1 Comment

For organizations that mandate specific TLS cipher suites for compliance purposes, you may have used the instructions outlined in this VMware KB 79476 to modify the ESXi Reverse Proxy Configuration File to select the desired supported TLS cipher suites prior to ESXi 8.0 Update 1.

As of ESXi 8.0 Update 1, all configurations including configuration files have been migrated to the new ESXi Configuration Store, which was initially introduced back in vSphere 7.0 Update 1 and you can learn more about it HERE and HERE. Additionally, I recently came to learn from one of our customers, who had inquired about changing the TLS cipher suites for ESXi that as of vSphere 8.0 Update 1, ESXi now runs two reverse proxy: rhttpproxy and Envoy with port 443 now being owned by the Envoy service, which is a popular and lightweight solution for reverse proxy usage.

The implication of this change is that modifying the TLS cipher suites for ESXi as of 8.0 Update 1 now requires the use of the ESXi Configuration Store and with Envoy as the reverse proxy, it is helpful to understand the types of TLS cipher suites that can be supported will be based on Google's BoringSSL TLS implementation, which Envoy itself consumes.

[Read more...]

Google Coral USB Edge TPU Accelerator on ESXi

05.10.2023 by William Lam // 58 Comments

Several weeks back, I came across a really strange post on the VMTN communities asking how to change the Device ID (DID) and Vendor ID (VID) for a USB Device that has been passthrough to a VM from ESXi? The device in question is the Google Coral USB Edge TPU (Tensor Processing Unit) Accelerator, which is a relatively in-expensive device that can help accelerate machine learning (ML) inferencing. With all the buzz these days with Generative AI and ChatGPT, I can only imagine its popularity has grown even further but I did not realize how popular this device has been in the community, especially for those wanting to use it with ESXi.

The initial observation reported by this user and also by many others in the Coral community was that ESXi was showing the incorrect VID/DID for the Coral USB device and because of this, it was not working correctly when passthrough'ed to a VM and they were looking for a way to change the DID/VID value from 1a6e:089a (Global Unichip Corp.) to 18d1:9302 (Google Inc.).

Interestingly enough, a couple of weeks ago, my buddy Alan Renouf had also shared that he recently purchased the Coral USB device, so I figured I would check with him first to see if he was observing the same behavior that was being reported, which he was. I had been going through the Github reports to try better understand the issue and some of the previous workarounds that users had done including disabling the vmkusb module, which I definitely not recommended, especially for more recent releases of ESXi where that will simply disable all USB functionality to your ESXi host.

I still could not wrap my head around the issue as the reports did not make any sense in terms of the DID/VID not being claimed correctly or that it needed to change to properly function. This also did not make sense when speaking with our USB expert (Songtao who also developed our USB Network Native Driver for ESXi), so I decided to bite the bullet and purchase the Coral USB device, which apparently is difficult to obtain unless you overpay on Amazon, which I did.

[Read more...]