WilliamLam.com

Blocking vSphere HTML5 VM Console and allowing only Standalone VM Remote Console (VMRC)?

by // 2 Comments

This was an interesting request that came up on the VMTN community forums asking whether it was possible to block users from accessing the vSphere HTML5 (H5) VM Console in vCenter Server and only allowing access to a VM console through the use of the Standalone VM Remote Console (VMRC) client? What is the use case for this you might ask, well it looks like VM screen resolution was getting change between the two clients and the administrator simply wanted to restrict access to the H5 VM Console and direct users to use only the VMRC Client.

At first, I could not see how this could be accomplished since all of their users already have the "Console interaction" privilege within vCenter Server which allows them to to interact with both VM Console interfaces. I was then reminded of an article that I wrote back in 2021 where a user wanted to restrict access to the vSphere UI interface while still allowing access to vCenter Server through the vSphere API, which used an access policy to restrict access based on a URI endpoint within the vCenter Server Tomcat application configuration.

This gave me an idea to experiment with and see if we could do the same and simply restrict the /ui/vmconsole endpoint which serves the H5 VM Console while still preserving VMRC access.

[Read more...]

How to forcefully disconnect a vSphere VM Console session?

by // 1 Comment

The vSphere Virtual Machine Console UI is an extremely useful interface for interacting with a VM, especially for initial configurations and/or debugging and troubleshooting purposes, such as an issue with networking. The VM console is analogous to connecting a physical keyboard and monitor to a computer, you remember the good ol' days right? 😀

Unlike the physical world, where you can only have a single person interacting with the computer, the vSphere VM Console can allow multiple users to view and interact with the VM. It is also not uncommon for customers to limit the number of simultaneous VM Console sessions, especially for security and/or for privacy purposes.


One potential down side with limiting the VM Console session to one is that another user may not be able to connect until the other session has concluded and/or has expired due to lack of activity. This recently came up as a question from a customer asking if there was a way to forcefully disconnect an existing VM Console connection?

[Read more...]

How to audit vSphere Standalone VMRC or HTML5 VMRC connections?

by // Leave a Comment

An interesting question that came in last week from one of our TAMs was how to identify and audit Virtual Machine Remote Console (VMRC) logins from vSphere? The TAM was specifically interested in being able to correlate that a particular user had logged into the VMRC of a VM during a specific period of time. Luckily, this is easily retrievable through vCenter Servers's Event sub-system that stores information about everything that happens in your vSphere environment. The Events can be accessed using either the vSphere Web Client shown below or programmatically using the vSphere API which the UI is built on top of.

audit-standalone-vmrc-and-html5-vmrc-logins-1
You can obviously filter your search in the UI and focus on a particular VM, but often times there can be dozens if not hundreds of "Events" generated for a given VM. I personally prefer to leverage Automation when needing to look for a specific type of Event and more importantly, you can further process the results to either send out reports or hook into other third party systems. Now that we know, "where" to find our data, the next thing is identifying the type of Event that is generated for a VMRC connection.

As of vSphere 5.5 Update 2b, the VMRC in the vSphere Web Client can be accessed in one of two ways: The new HTML5 VMRC by clicking onto the VM screenshot thumbnail or the Standalone VMRC by clicking on the link directly beneath the VM screenshot.

audit-standalone-vmrc-and-html5-vmrc-logins-0
Each VMRC connection method will generate a unique vCenter Server Event. For HTML5 VMRC connections, the Event is called VmAcquiredMksTicketEvent and for Standalone VMRC connections, the Event is called VmAcquiredTicketEvent. As I mentioned earlier, the vCenter Server Event sub-system can be accessed using the vSphere API and you can find the complete list of Events documented here. To demonstrate the use of this particular vSphere API, below is a PowerCLI example using the Get-VIEvent cmdlet. My fellow colleague Alan Renouf has actually blogged about working with Events using PowerCLI which I will be adapting one of his examples for our use case.

We first retrieve the VM that we are interested in by running the following command (specify the name of your VM):

$vm = Get-VM -Name "VCSA-60u2"

To retrieve HTML5 VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredMksTicketEvent"} | Select CreatedTime, UserName, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like

audit-standalone-vmrc-and-html5-vmrc-logins-2
To retrieve Standalone VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredTicketEvent"} | Select CreatedTime, UserName, UserAgent, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like:

audit-standalone-vmrc-and-html5-vmrc-logins-3