WilliamLam.com

How to audit vSphere Standalone VMRC or HTML5 VMRC connections?

by // Leave a Comment

An interesting question that came in last week from one of our TAMs was how to identify and audit Virtual Machine Remote Console (VMRC) logins from vSphere? The TAM was specifically interested in being able to correlate that a particular user had logged into the VMRC of a VM during a specific period of time. Luckily, this is easily retrievable through vCenter Servers's Event sub-system that stores information about everything that happens in your vSphere environment. The Events can be accessed using either the vSphere Web Client shown below or programmatically using the vSphere API which the UI is built on top of.

audit-standalone-vmrc-and-html5-vmrc-logins-1
You can obviously filter your search in the UI and focus on a particular VM, but often times there can be dozens if not hundreds of "Events" generated for a given VM. I personally prefer to leverage Automation when needing to look for a specific type of Event and more importantly, you can further process the results to either send out reports or hook into other third party systems. Now that we know, "where" to find our data, the next thing is identifying the type of Event that is generated for a VMRC connection.

As of vSphere 5.5 Update 2b, the VMRC in the vSphere Web Client can be accessed in one of two ways: The new HTML5 VMRC by clicking onto the VM screenshot thumbnail or the Standalone VMRC by clicking on the link directly beneath the VM screenshot.

audit-standalone-vmrc-and-html5-vmrc-logins-0
Each VMRC connection method will generate a unique vCenter Server Event. For HTML5 VMRC connections, the Event is called VmAcquiredMksTicketEvent and for Standalone VMRC connections, the Event is called VmAcquiredTicketEvent. As I mentioned earlier, the vCenter Server Event sub-system can be accessed using the vSphere API and you can find the complete list of Events documented here. To demonstrate the use of this particular vSphere API, below is a PowerCLI example using the Get-VIEvent cmdlet. My fellow colleague Alan Renouf has actually blogged about working with Events using PowerCLI which I will be adapting one of his examples for our use case.

We first retrieve the VM that we are interested in by running the following command (specify the name of your VM):

$vm = Get-VM -Name "VCSA-60u2"

To retrieve HTML5 VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredMksTicketEvent"} | Select CreatedTime, UserName, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like

audit-standalone-vmrc-and-html5-vmrc-logins-2
To retrieve Standalone VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredTicketEvent"} | Select CreatedTime, UserName, UserAgent, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like:

audit-standalone-vmrc-and-html5-vmrc-logins-3

HTML5 console now defaults to HTTPS/WSS in vSphere 5.5 Update 2

by // 5 Comments

I just found out from one of my readers that with the latest release of vSphere 5.5 Update 2, the HTML5 Console in vCenter Server now goes over a secure connection (HTTPS) as well as using secure web socket connection (WSS) by default. In addition to this change, the HTML5 console port has also been changed from 7331 to 7343. I know customers have asking about this in the past and though this was not possible with previous releases, I am glad to see that VMware Engineering has now added this capablity, another reason to go to vSphere 5.5 Update 2!

This new change is also documented in the vSphere 5.5 Update release notes, which I some how must have missed:

Virtual machines with HTML 5 console in vSphere 5.5 open connections with http:// instead of https://
When the HTML 5 console is launched on a virtual machine, it uses connections like http:// and web sockets like ws:// instead of secure connections like https:// and wss://.

This release resolves the issue by launching the virtual machine console with secure connection over port 7343 instead of the connection over port 7331.

For those of you using my generateHTML5VMConsole script to generate a pre-authenticated HTML5 VM Console, I have updated the script to include a new variable called isvSphere55u2 which will default to "false" but you can set it in the command-line to "true" and this will automatically generate a URL using HTTPS instead of HTTP and use port 7343 instead of 7331. Other than these two minor changes, the URL format is exactly the same and will continue to work.

Here is a quick screenshot of the HTML5 VM Console URL in my lab running vSphere 5.5 Update 2:

vsphere-55u2-html5-console-https-webmks

How to change the default HTML5 VM console port in vSphere 5.5?

by // 1 Comment

A couple of weeks back I wrote an article on how to generate a pre-authenticated HTML5 VM console link in vSphere 5.5 which allows a user to access the new HTML5 VM console from any operating system including Mac OS X, Windows and Linux. In the article I also provided a script to automatically generate the HTML5 VM console URL given a VM name which looks something like the following:

http://reflex.primp-industries.com:7331/console/?vmId=vm-23&vmName=VCSA&host=reflex.primp-industries.com&sessionTicket=cst-VCT-5254c455-4340-2185-e149-01ce44b146e1--tp-4A-88-17-7C-F5-D0-79-E6-9D-A1-E3-83-97-52-97-EA-E5-D3-D8-07&thumbprint=4A:88:17:7C:F5:D0:79:E6:9D:A1:E3:83:97:52:97:EA:E5:D3:D8:07

If you have tried out the new HTML5 VM console which is enabled only for a Mac OS X system using the new vSphere Web Client 5.5, you may have noticed it opens up a connection on port 7331 by default. However, this port is actually dynamic and could change if the underlying operating system hosting the vSphere Web Client is already in use. If you are running on the VCSA (vCenter Server Appliance), there is a good chance that this will be the default port but for a Windows based installation, that may or may not be the case.

If you wish to find out what the default port is, you can take a look at the vSphere Web Client log file and search for the keyword "Djetty.port". On the VCSA, the log is located in /var/log/vmware/vsphere-client/logs/vsphere_client_virgo.log and here is a screenshot of what that looks like:

To change the default port, you will need to edit the vSphere Web Client configuration property file located in /var/lib/vmware/vsphere-client/webclient.properties for the VCSA and there is an equilvent for a Windows system as well. You will need to add the following entry:

html.console.port = PORT-NUMBER

Once you are done, you will need to save your changes and restart the vSphere Web Client service. On the VCSA, to restart the vSphere Web Client you will need to run the following command:

/etc/init.d/vsphere-client restart

Now if we go back to the vSphere Web Client and open the VM console on a Mac OS X system or generate a URL using the script, you should see the HTML5 VM console is now connecting to the new port.