Link to home
Get AccessLog in
Avatar of CCB-Tech
CCB-Tech

asked on

What is the best way to lock down an ESXi Local User?

I have created a VM that I only want certain users to be able to access. This is for an ESXi server not connected to our Domain or to a vCenter server. So it is only a local user. The VM in question is running in a DMZ so RDP, VNC, etc are out. I want them to access it via vSpheres Console. I have been able to restrict the user so that they can see no host information, and the only thing they can really do is open the console via right click. But they can still see a LOT of information about the VM that I would prefer they not have access to. The only permissions assigned to this roll is the following:

All Priveleges --> Virtual Machine --> Interaction --> Console Interaction

Pretty much all options are greyed out or completely missing. It's just that they can still see the Summary Tab, Resource Allocation, etc. Is there any way to limit it to only the console tab? Or even better, any way to connect a user directly to a VM Console? My boss mentioned that he thought there might be a way to do this via vSphere Remote Command Line. Any ideas?
Avatar of Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Flag of United Kingdom of Great Britain and Northern Ireland image

have a look at my solution here

https://www.experts-exchange.com/questions/26804260/Hide-VM's-in-vCenter-for-certain-users.html

if you require further assitance please post back
ASKER CERTIFIED SOLUTION
Avatar of Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)
Flag of United Kingdom of Great Britain and Northern Ireland image

Link to home
membership
This content is only available to members.
To access this content, you must be a member of Experts Exchange.
Get Access
You will be prompted to enter username and password for the ESX host server, so you'll need to add these to the users.

But you'll then have a direct console access.

 User generated image
Avatar of CCB-Tech
CCB-Tech

ASKER

Sweet! I most certainly will be trying this tomorrow. I'll get back to you then!
Okay, I got this working just fine with the root login. However, I am now trying to connect via this method but I'm getting a permission denyed error. I have Console access enabled, what else needs to be enabled?
do you mean you are logging in with another user and it fails?
Yes, I'm trying to log on as the user I had restricted. I can connect to the console by logging on normally to vSphere Client. But not via this way.
I believe the users will need elevated root permissions to connect to console using vmware-vmrc.
what if you grant Administrator role to the user for the Virtual Machine they need to connect to?
Woot! I found the answer. This is the link:

http://communities.vmware.com/message/1465136;jsessionid=BABB964ACFEB9B5C49468A693D377369

This is excellent though, because now the user doesn't see anything unncessary inside of vSphere client. It just goes straight to the Console. Is there any way to install just the viewer program and not all of the vSphere Client?
vmware-vmrc is part of the vSphere client, so not on it's own, but just remove the shortcuts and the main vSphere *.exe. If you are concerned the indididual may run it. Or publish as an application under Thin Client that is what we do for Sub-Contractors.
Okay, that's not a problem at all. Truthfully I wasn't real concerned, but it is best to keep things as lean as possible. Thanks for all your help on this!