secure remote internet vsphere client esxi 5.5

Can't seem to find much information on how to securely connect to an ESXi host over the internet.
Searching keeps coming up with enabling ssh port and other things but nothing which clearly shows how to set up a secure connection between client and server.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
To be honest, because it's not advisable to place an ESXi server on a public IP Address accessible from the internet, because the only thing which prevents access is a username and password!

Which is easy for a brute force attack.
projects (Author) Commented:
Not much choice, the server is at a data center in this case. So, still need to know the best way of handling this.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
The Best Way would be a secure VPN Endpoint at the DC.

or a virtual machine on the host with the vSphere Client installed, and then use Firewall on the VM, and RDP to connect to VM.


projects (Author) Commented:
That sounds very complicated.
Doesn't the vSphere client allow secure connections or the ESXi server have some sort of method to allow only a certain IP to connect to admin?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
It is secure e.g. it uses 443.

But anyone can connect to your ESXi server, and try brute force passwords and usernames.

You could try and use the in-built firewall in ESXi, to allow only from a single IP Address, but it's not designed for this usage.
projects (Author) Commented:
I guess nothing can be done then but it makes me wonder how others deal with this. Sometimes, I need to have servers in different data centers so don't have local access.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Secure VPN appliances, RDP to a VM on the Host.

or you accept the risk, that someone can brute force your vSphere Host Server.
projects (Author) Commented:
Still confused about this. You are saying install a windows vm for example on that ESXi server, then lock out the admin (root) access to the ESXi server to that vm, then use that win vm to make a local connection to the ESXi host?
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Better access can be provided, by using

1. a VM - Windows or Linux
2. Access the VM via RDP via SSH tunnel. (this can also be given a single IP Address for access)
3. Once you are connected to the VM.
4. Execute the vSphere Client or web Client to Access ESXi.
5. This stops you having to present ESXi directly on the internet.
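
The steps above, combined with the single-IP firewall restriction mentioned earlier in the thread, as an added example that is not part of the original posts: a script that prints the host-side allow-list commands and the workstation-side RDP tunnel for review before anyone runs them. The ruleset names, the addresses, the `admin` user, local port 13389 and an SSH server on the jump VM are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Prints commands for review; runs none.
# Ruleset names are assumptions: confirm them on the host with
#   esxcli network firewall ruleset list
RULESETS="sshServer vSphereClient webAccess"

# Return 0 only for a dotted-quad IPv4 address with every octet in 0-255,
# so nothing but an address can end up inside a generated command.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Host side: each management ruleset stops accepting every source, then gets
# the jump VM ($1) as its only allowed address. Apply from the host console or
# out-of-band management: a wrong address locks remote management out.
esxi_allowlist_cmds() {
    valid_ipv4 "$1" || { echo "invalid IPv4 address: $1" >&2; return 1; }
    for rs in $RULESETS; do
        echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
        echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $1"
    done
    echo "esxcli network firewall ruleset allowedip list"
}

# Workstation side: forward a loopback-only local port to RDP (3389) on the
# jump VM over SSH, so RDP itself is never exposed to the internet.
rdp_tunnel_cmd() {  # args: ssh_user jump_vm_host local_port
    echo "ssh -N -L 127.0.0.1:$3:127.0.0.1:3389 $1@$2"
}

# Constructed sample values (documentation address range, hypothetical user).
esxi_allowlist_cmds 203.0.113.10
rdp_tunnel_cmd admin 203.0.113.10 13389
```

With the tunnel up, the RDP client connects to 127.0.0.1:13389, and the vSphere Client is then started inside the VM as in step 4.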
projects (Author) Commented:
Ok, I understand this. The only part I don't understand is how I prevent ESXi from showing over the internet then? Even if I access locally only, the host will still show its public IP on the net, thus, its login screen.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
If the ESXi server does not have a Public IP Address!
projects (Author) Commented:
The server does have a public IP address, that is my first problem, since it is physically at a remote data center which doesn't have private IPs (don't ask).

Also, I'm thinking that VPN would be the best method since I could reach it from anywhere and not accidentally not have access to it when needed from some location which isn't allowed.

Guess I have two things to accomplish then.

1: I need to find a vpn solution
2: I need to have the public IP for the host itself changed but the vms on the host will still have public IPs, again, no private options.

Not sure how this solves the problem since the vms will have public IPs.
Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, Commented:
Can you not just give the Public IP Address to VPN End point, and then use any IP Address range on your private network?

VMs with public IP Address, you need to ensure that they are fully patched at all times, and secure, with firewalls on, otherwise they will be exposed.
projects (Author) Commented:
That's what I'm trying to figure out right now.
Am thinking maybe building a pfsense instance with vpn on it. Maybe that could be used as the public entry point to all of the vms on this host.

I don't know, I've never had to deal with such nonsense.