secure remote internet vsphere client esxi 5.5

Can't seem to find much information on how to securely connect to an ESXi host over the internet.
Searching keeps coming up with enabling ssh port and other things but nothing which clearly shows how to set up a secure connection between client and server.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant
Fellow 2018
Expert of the Year 2017

Commented:
To be honest, it's not advisable to place an ESXi server on a public IP Address accessible from the internet, because the only thing which prevents access is a username and password!

Which is easy for a brute force attack.

Author

Commented:
Not much choice, the server is at a data center in this case. So, still need to know the best way of handling this.
VMware and Virtualization Consultant
Commented:
The Best Way would be a secure VPN Endpoint at the DC.

or a virtual machine on the host with the vSphere Client installed, and then use Firewall on the VM, and RDP to connect to VM.

Author

Commented:
That sounds very complicated.
Doesn't the vSphere client allow secure connections or the ESXi server have some sort of method to allow only a certain IP to connect to admin?
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
It is secure e.g. it uses 443.

But anyone can connect to your ESXi server, and try brute force passwords and usernames.

You could try and use the in-built firewall in ESXi, to allow only from a single IP Address, but it's not designed for this usage.
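
The ESXi firewall restriction mentioned in the comment above, as an added example that is not part of the original thread. It assumes the ESXi Shell as root and the ruleset id `vSphereClient` (confirm with `esxcli network firewall ruleset list`); the source address is a constructed sample from a documentation range.

```shell
#!/bin/sh
# Added example: limit an ESXi firewall ruleset to named source addresses.
# Assumption: ruleset id "vSphereClient"; check the ids on your host first.
# DRY_RUN=1 (default) only prints the commands; set DRY_RUN=0 on the host.
DRY_RUN="${DRY_RUN:-1}"

run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Accept an IPv4 address or IPv4 CIDR. A /0 prefix is rejected because it
# would re-open the ruleset to every source.
valid_source() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([1-9]|[12][0-9]|3[0-2]))?$' || return 1
    for octet in $(echo "${1%%/*}" | tr '.' ' '); do
        [ "$octet" -le 255 ] || return 1
    done
}

# restrict_ruleset RULESET SOURCE [SOURCE...]
restrict_ruleset() {
    ruleset="$1"; shift
    [ "$#" -ge 1 ] || { echo "refusing: no allowed source given" >&2; return 1; }
    # Validate every source before touching the firewall, so a typo cannot
    # leave the ruleset closed with an empty allow list.
    for src in "$@"; do
        valid_source "$src" || { echo "refusing: bad source '$src'" >&2; return 1; }
    done
    # "Allow all" has to be switched off before allowed IPs can be added.
    run esxcli network firewall ruleset set --ruleset-id="$ruleset" --allowed-all=false
    for src in "$@"; do
        run esxcli network firewall ruleset allowedip add --ruleset-id="$ruleset" --ip-address="$src"
    done
    # Show the resulting allow list for review.
    run esxcli network firewall ruleset allowedip list --ruleset-id="$ruleset"
}

# Constructed sample source address, dry run:
restrict_ruleset vSphereClient 203.0.113.10
```

Run it from the host console or an SSH session rather than through the vSphere Client, since the client's own connection is what the ruleset filters.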

Author

Commented:
I guess nothing can be done then but it makes me wonder how others deal with this. Sometimes, I need to have servers in different data centers so don't have local access.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Secure VPN appliances, RDP to a VM on the Host.

or you accept the risk, that someone can brute force your vSphere Host Server.

Author

Commented:
Still confused about this. You are saying install a windows vm for example on that ESXi server, then lock out the admin (root) access to the ESXi server to that vm, then use that win vm to make a local connection to the ESXi host?
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Better access can be provided, by using

1. a VM - Windows or Linux
2. Access the VM via RDP via SSH tunnel. (this can also be given a single IP Address for access)
3. Once you are connected to the VM.
4. Execute the vSphere Client or web Client to Access ESXi.
5. This stops you having to present ESXi directly on the internet.

Author

Commented:
Ok, I understand this. The only part I don't understand is how I prevent ESXi from showing over the internet then? Even if I access locally only, the host will still show its public IP on the net, thus, its login screen.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
If the ESXi server does not have a Public IP Address!

Author

Commented:
The server does have a public IP address, that is my first problem, since it is physically at a remote data center which doesn't have private IPs (don't ask).

Also, I'm thinking that VPN would be the best method since I could reach it from anywhere and not accidentally not have access to it when needed from some location which isn't allowed.

Guess I have two things to accomplish then.

1: I need to find a vpn solution
2: I need to have the public IP for the host itself changed but the vms on the host will still have public IPs, again, no private options.

Not sure how this solves the problem since the vms will have public IPs.
Andrew Hancock (VMware vExpert / EE Fellow)VMware and Virtualization Consultant

Commented:
Can you not just give the Public IP Address to VPN End point, and then use any IP Address range on your private network?

VMs with public IP Address, you need to ensure that they are fully patched at all times, and secure, with firewalls on, otherwise they will be exposed.

Author

Commented:
That's what I'm trying to figure out right now.
Am thinking maybe building a pfsense instance with vpn on it. Maybe that could be used as the public entry point to all of the vms on this host.

I don't know, I've never had to deal with such nonsense.
