projects
 asked on

secure remote internet vsphere client esxi 5.5

Can't seem to find much information on how to securely connect to an ESXi host over the internet.
Searching keeps coming up with enabling ssh port and other things but nothing which clearly shows how to set up a secure connection between client and server.
VMware, Internet Protocols

Last Comment
projects

8/22/2022 - Mon
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

To be honest, it's not advisable to place an ESXi server on a public IP Address accessible from the internet, because the only thing which prevents access is a username and password!

Which is easy for a brute force attack.
projects

ASKER
Not much choice, the server is at a data center in this case. So, still need to know the best way of handling this.
ASKER CERTIFIED SOLUTION
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
projects

ASKER
That sounds very complicated.
Doesn't the vSphere client allow secure connections or the ESXi server have some sort of method to allow only a certain IP to connect to admin?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

It is secure e.g. it uses 443.

But anyone can connect to your ESXi server, and try brute force passwords and usernames.

You could try and use the in-built firewall in ESXi, to allow only from a single IP Address, but it's not designed for this usage.
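An added example, not part of the reply above or any VMware tooling: a script that prints the `esxcli` commands for limiting the built-in firewall's management rulesets to one source address. The ruleset IDs (`sshServer`, `vSphereClient`, `webAccess`), the function names and the address `203.0.113.10` are assumptions; check the IDs on the host with `esxcli network firewall ruleset list`.

```shell
#!/bin/sh
# Added example, not from the thread. Emits esxcli commands that limit the
# management rulesets of the ESXi built-in firewall to one source address.
# Assumed ruleset IDs; confirm with: esxcli network firewall ruleset list
RULESETS="sshServer vSphereClient webAccess"

# Accept a.b.c.d or a.b.c.d/prefix (prefix 1-32; /0 would allow everyone).
valid_ipv4_cidr() {
  addr="${1%/*}"
  case "$1" in
    */*) prefix="${1#*/}" ;;
    *)   prefix=32 ;;
  esac
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "${#prefix}" -le 2 ] && [ "$prefix" -ge 1 ] && [ "$prefix" -le 32 ] || return 1
  case "$addr" in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs="$IFS"; IFS=.
  set -- $addr
  IFS="$old_ifs"
  [ "$#" -eq 4 ] || return 1
  for octet in "$@"; do
    [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# Print the commands for review; nothing is executed here.
lockdown_cmds() {
  ip="$1"
  if ! valid_ipv4_cidr "$ip"; then
    echo "refusing invalid or too-broad source: $ip" >&2
    return 1
  fi
  for rs in $RULESETS; do
    # allowed-all must be false before an allowed-IP list takes effect
    echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
    echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $ip"
  done
  echo "esxcli network firewall ruleset allowedip list"
}

# Usage: sh lockdown.sh 203.0.113.10   (constructed documentation address)
if [ "$#" -gt 0 ]; then
  lockdown_cmds "$1"
fi
```

Run the printed commands from the host's local console rather than over the connection being restricted, since a wrong address cuts off remote management.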
projects

ASKER
I guess nothing can be done then but it makes me wonder how others deal with this. Sometimes, I need to have servers in different data centers so don't have local access.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Secure VPN appliances, RDP to a VM on the Host.

or you accept the risk, that someone can brute force your vSphere Host Server.
projects

ASKER
Still confused about this. You are saying install a windows vm for example on that ESXi server, then lock out the admin (root) access to the ESXi server to that vm, then use that win vm to make a local connection to the ESXi host?
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Better access can be provided, by using

1. a VM - Windows or Linux
2. Access the VM via RDP via SSH tunnel. (this can also be given a single IP Address for access)
3. Once you are connected to the VM.
4. Execute the vSphere Client or web Client to Access ESXi.
5. This stops you having to present ESXi directly on the internet.
projects

ASKER
Ok, I understand this. The only part I don't understand is how I prevent ESXi from showing over the internet then? Even if I access locally only, the host will still show its public IP on the net, thus, its login screen.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

If the ESXi server does not have a Public IP Address!
projects

ASKER
The server does have a public IP address, that is my first problem, since it is physically at a remote data center which doesn't have private IPs (don't ask).

Also, I'm thinking that VPN would be the best method since I could reach it from anywhere and not accidentally not have access to it when needed from some location which isn't allowed.

Guess I have two things to accomplish then.

1: I need to find a vpn solution
2: I need to have the public IP for the host itself changed but the vms on the host will still have public IPs, again, no private options.

Not sure how this solves the problem since the vms will have public IPs.
Andrew Hancock (VMware vExpert PRO / EE Fellow/British Beekeeper)

Can you not just give the Public IP Address to VPN End point, and then use any IP Address range on your private network ?

VMs with public IP Address, you need to ensure they are fully patched at all times, and secure, with firewalls on, otherwise they will be exposed.
projects

ASKER
That's what I'm trying to figure out right now.
Am thinking maybe building a pfsense instance with vpn on it. Maybe that could be used as the public entry point to all of the vms on this host.

I don't know, I've never had to deal with such nonsense.