projects asked:

secure remote internet vsphere client esxi 5.5

Can't seem to find much information on how to securely connect to an ESXi host over the internet.
Searching keeps coming up with enabling ssh port and other things but nothing which clearly shows how to set up a secure connection between client and server.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

To be honest, because it's not advisable to place an ESXi server on a public IP Address accessible from the internet, because the only thing which prevents access is a username and password!

Which is easy for a brute force attack.
projects

Not much choice, the server is at a data center in this case. So, still need to know the best way of handling this.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

This solution is only available to members.
That sounds very complicated.
Doesn't the vSphere client allow secure connections or the ESXi server have some sort of method to allow only a certain IP to connect to admin?
It is secure e.g. it uses 443.

But anyone can connect to your ESXi server, and try brute force passwords and usernames.

You could try and use the in-built firewall in ESXi, to allow only from a single IP Address, but it's not designed for this usage.
I guess nothing can be done then but it makes me wonder how others deal with this. Sometimes, I need to have servers in different data centers so don't have local access.
Secure VPN appliances, RDP to a VM on the Host.

Or you accept the risk that someone can brute force your vSphere Host Server.
Still confused about this. You are saying install a Windows VM for example on that ESXi server, then lock out the admin (root) access to the ESXi server to that VM, then use that Windows VM to make a local connection to the ESXi host?
Better access can be provided, by using

1. a VM - Windows or Linux
2. Access the VM via RDP via SSH tunnel. (this can also be given a single IP Address for access)
3. Once you are connected to the VM.
4. Execute the vSphere Client or web Client to Access ESXi.
5. This stops you having to present ESXi directly on the internet.
Ok, I understand this. The only part I don't understand is how I prevent ESXi from showing over the internet then? Even if I access locally only, the host will still show its public IP on the net, thus, its login screen.
If the ESXi server does not have a Public IP Address!
The server does have a public IP address, that is my first problem, since it is physically at a remote data center which doesn't have private IPs (don't ask).

Also, I'm thinking that VPN would be the best method since I could reach it from anywhere and not accidentally not have access to it when needed from some location which isn't allowed.

Guess I have two things to accomplish then.

1: I need to find a vpn solution
2: I need to have the public IP for the host itself changed but the vms on the host will still have public IPs, again, no private options.

Not sure how this solves the problem since the vms will have public IPs.
Can you not just give the Public IP Address to the VPN End point, and then use any IP Address range on your private network?

VMs with public IP Addresses, you need to ensure that they are fully patched at all times, and secure, with firewalls on, otherwise they will be exposed.
That's what I'm trying to figure out right now.
Am thinking maybe building a pfsense instance with vpn on it. Maybe that could be used as the public entry point to all of the vms on this host.

I don't know, I've never had to deal with such nonsense.
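
The thread mentions using ESXi's built-in firewall to allow management access from a single IP address only. The script below is an added example, not code from any poster: it validates the address and prints (or, with `--apply`, runs) the `esxcli` commands for that restriction. The ruleset IDs `sshServer`, `vSphereClient` and `webAccess` and the address `203.0.113.10` are assumptions to check against the host.

```shell
#!/bin/sh
# Added example (not from the thread): restrict ESXi management rulesets
# to one source IPv4 address with the built-in firewall.
# Assumptions: the ruleset IDs and the address used below are examples;
# confirm the IDs with `esxcli network firewall ruleset list` on the host.
RULESETS="${RULESETS:-sshServer vSphereClient webAccess}"

# Succeeds only for a plain dotted-quad IPv4 address (each octet 0-255).
# Rejecting everything else also keeps shell metacharacters out of the
# generated command lines.
valid_ipv4() {
  case "$1" in
    ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
}

# Prints the esxcli commands, one per line. allowed-all is switched off
# before the address is added to the ruleset's allowed list.
lockdown_cmds() {
  admin_ip="$1"
  valid_ipv4 "$admin_ip" || { echo "invalid IPv4: $admin_ip" >&2; return 1; }
  for rs in $RULESETS; do
    echo "esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=false"
    echo "esxcli network firewall ruleset allowedip add --ruleset-id=$rs --ip-address=$admin_ip"
  done
  echo "esxcli network firewall ruleset allowedip list"
}

# Usage: sh lockdown.sh 203.0.113.10           print the commands for review
#        sh lockdown.sh 203.0.113.10 --apply   run them in the ESXi shell
if [ -n "${1:-}" ]; then
  cmds=$(lockdown_cmds "$1") || exit 1
  if [ "${2:-}" = "--apply" ]; then
    printf '%s\n' "$cmds" | sh -ex
  else
    printf '%s\n' "$cmds"
  fi
fi
```

Apply it from the host's local or out-of-band console, so a wrong address does not cut off the remote session being used to make the change.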