open vm console from other network than esxi hosts resides

Hi,

We have a couple of esxi hosts and a vcenter.

There are 2 networks A and B: The hosts reside in network A. The vcenter has 2 nic's, 1 in each network.

When connecting from a workstation, that resides in network B with vsphere client to the vcenter on the ip address in network B, all works fine and we can manage the hosts that are connected to the vcenter. But when we try to open a console of a vm, we get an error:
Unable to connect to the MKS: Failed to connect to server [IP of host in Network A]:902

Is it possible to redirect the vm console traffic through the vcenter server where the workstations in network B can connect with? Because the workstations cant connect to the hosts in network A. It's not possible because the networks are seperated.

Thanks in advance.

Regards
PramoITAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Failing to connect to a console with a MKS error, is because the Client cannot access the vCenter Server directly.

Check that your Client can resolve IP Addresses, and Hostnames, FQDN to vCenter Server.
PramoITAuthor Commented:
Hi,

The clients CAN connect to the vcenter server. They do this with vsphere clients. That works all fine. The problem occurs when trying to open a console of a vm through vsphere client. Vsphere tries to connect directly to the ip address of the host that resides in the other network.

Regards,
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
Can you ping the host and it's VMs ?

Can you use RDP to connect to these VMs ?

Seems like a traffic or routing issue.
SolarWinds® VoIP and Network Quality Manager(VNQM)

WAN and VoIP monitoring tools that can help with troubleshooting via an intuitive web interface. Review quality of service data, including jitter, latency, packet loss, and MOS. Troubleshoot call performance and correlate call issues with WAN performance for Cisco and Avaya calls

PramoITAuthor Commented:
No pinging is not possible, but that is normal because the 2 networks are seperated.

Let me explain.

Network A is a private network, lets say: 10.10.50.0/24

Networks B is a public network. The clients reside there or somewhere on the internet.

The hosts are in network A

Vcenter has an ip in Network A and another IP (public) in network B.

The clients connect to the vcenter using the public IP. Everything works fine, except when trying to open a console of a vm vsphere client then says for example:

Unable to connect to the MKS: Failed to connect to server 10.10.50.15:902

Of course it is impossible for the client who resides in the public range or somewhere on the internet to connect to 10.10.20.15:902 because that is a private ip and we dont want that the hosts can be reached from the internet.

My question is: is it possible that the vcenter will behave like a proxy for the vm consoles?

I hope it's now clear.

Regards,
compdigit44Commented:
Is there a firewall between the vcenter server and workstation opening the VM console? If so are the proper ports open?

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2031843

I believe port 903 is needed for the VM console
PramoITAuthor Commented:
Hi,

Already done that. The port to the vcenter is open. But like it says in the article

"903 TCP Port 903 must be open between the vSphere Client and ESX / ESXi hosts. The vSphere Client uses this port to display virtual machine consoles on ESX / ESXi hosts. "

This port has to be open between the client and the ESX hosts. And that's the thing, that can't be done because that networks are seperated.

I've read some other articles from vmware and I came to the conclusion that what I asked is impossible.  It is not possible to reroute the console traffic (port 902/903) through vcenter. Like a proxy.

Thanks all.

Regards,
Qlemo"Batchelor", Developer and EE Topic AdvisorCommented:
Yes, that seems to be correct. vCenter VM Console requires the client to be able to connect to the VM host on port 902 or 903. No proxies can be used.
If the VM hosts would use the network B address instead of network A, and the port is available on the public interface, it would work.
Andrew Hancock (VMware vExpert / EE MVE^2)VMware and Virtualization ConsultantCommented:
If you client cannot connect to the VMs, because there are on a different network, than your client does not have access to, no traffic will pass.

The same issue occurs, connecting to ESXi, with the vSphere Client into a datacentre, with a public IP Address for ESXi, but the VMs are on a different internal network. - no direct access to VMs via Internet, so no console access.

You would be better connecting to RDP on the vCenter Server, and using the vSphere Client, or using a Terminal Server/Remote Desktop Server, with two network interfaces, and vSphere Client installed.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Virtualization

From novice to tech pro — start learning today.