VMware Communities > VMTN > VMware Infrastructure™ > VI: ESX 3.5 > Discussions

11 Replies Last post: Nov 20, 2008 7:01 AM by Texiwill

console for individual VMs

Nov 18, 2008 6:13 PM

BizCON Alex (Novice)

Dear Experts,

I've just moved from VS2005 to ESX. In VS2005, I can assign an individual console (just a URL) to the virtual machine owner (an individual department). They can administer their VM even if that VM has no NIC.

However, in ESX, I don't know how to do it.

thx.

alexli

Re: console for individual VMs - Nov 18, 2008 6:39 PM
Craig Baltzer (Expert)

If you have Virtual Center you can set per-user permissions on the individual VMs (or create folders for a department and set the permissions there), then have the users go to the web UI in Virtual Center (http://vcserver/ui). Once there they'll login and be only able to see the VMs that they have permission to access, and only have the rights you've granted them in VC. One of the options in the web UI is to generate a URL that can be used to access the VMs console...

Without Virtual Center you don't have "per VM" access control...

Re: console for individual VMs - Nov 18, 2008 6:41 PM
langadi (Novice)

I think you can do this using Web Access. I have copied the Web Access help on how to generate the console URL.

Virtual Infrastructure Web Access Help:

Creating and Sharing Remote Console URLs

Using VI Web Access, you can create a remote console URL of a virtual machine by using ordinary Web browser URLs. When you create a remote console URL, you can customize the VI Web Access user interface controls, or use the remote console URL for personal use. Using remote console URLs, you can:

* Add the remote console URL to a list of favorite Web pages.
* Share the remote console URL with one or more other users in an email message.

To create a virtual machine remote console URL

1. In the status section of a virtual machine's summary, click Generate Remote Console URL.
2. Choose user interface features.
   You can disable nonessential controls permanently. This allows a remote console URL user to concentrate on using the guest operating system.
3. Capture the remote console URL for further use.
4. Click Close to return to the Summary tab.

Note: Administrators who want to test a remote console URL should do so by using another browser or computer. If the remote console URL is tested on the administrator's active browser session, all instances of the browser need to be closed before the administrator can log back in with full user interface capabilities.


Hope this helps.

-langadi

Re: console for individual VMs - Nov 18, 2008 7:12 PM
weinstein5 (Guru, VMware)

Web Access is the way to go - This document should help you set up and create a remote console URL - http://www.vmware.com/pdf/vi3_35/esx_3/r35u2/vi3_35_25_u2_web_access.pdf


If you find this or any other answer useful please consider awarding points by marking the answer correct or helpful

Re: console for individual VMs - Nov 19, 2008 6:54 AM
in response to: weinstein5
Texiwill (Guru, Moderator)

Hello,

Granting a user access to VC is not the best way to approach this. The best way to let them access the console is to just allow RDP as the console for that user or administrator. The only people who should really access VC are the virtualization administrators. Once you add a user into VC, they can then use other administrative tools, and that opens up possible attack points.

RDP using the console is a well known tool. This way users do not change anything they are doing. If they need a CD mounted, have them make an ISO and use something like VCD.


Best regards,
Edward L. Haletky
VMware Communities User Moderator
====
Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Blog: http://itknowledgeexchange.techtarget.com/virtualization-pro/
Blue Gears Blogs - http://www.itworld.com/ and http://www.networkworld.com/community/haletky
As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

Re: console for individual VMs - Nov 19, 2008 12:59 PM
in response to: Texiwill
Craig Baltzer (Expert)

Hi Edward. Could you elaborate a bit more on how to set up RDP for a VM with no network connectivity to the user workstation? I'm familiar with using RDP to get a remote desktop or console (/console or /admin depending on the version of MSTSC) to Windows guests but that obviously requires the VM to be network accessible and isn't available for "broken" VMs where the OS doesn't completely boot (original post was asking about VMs that were on isolated/inaccessible networks). Is this something along the lines of the Remote Display capability with VNC?

Re: console for individual VMs - Nov 19, 2008 2:22 PM
in response to: Craig Baltzer
Texiwill (Guru, Moderator)

Hello,

In the case you mention you can use the remote display with VNC. But in actuality you may have to use the remote console. However if the VM does not boot you may have something else going on. The VIC is just not granular enough to allow just anyone to use. To allow for example someone to connect and disconnect the network may let them change the network they are on as well and that could be very bad indeed.


Best regards,
Edward L. Haletky

Re: console for individual VMs - Nov 19, 2008 3:36 PM
in response to: Texiwill
Craig Baltzer (Expert)

Thanks Edward. Agreed, certainly would have to be careful granting access to VC. If a new role was created (say VM Minimal User) that only had Power On, Power Off, Reset, Console Interaction and Tools Install from the Virtual Machine/Interaction group, and the role applied to individual VMs (or a folder of VMs) on an AD user/group basis, would you see any significant exposures there?
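
An added example, not part of any post in this thread: a small Python check of the minimal role described above against the concern raised earlier about users changing devices or networks, plus a check that the role is only assigned per VM or per VM folder. The privilege identifiers follow vSphere API naming and the role and permission records are constructed sample data; both are assumptions to verify against your own VirtualCenter.

```python
# Added example. Privilege IDs follow vSphere API naming (assumption: check your VC version).
MINIMAL_ALLOWED = {  # the five actions named for the proposed "VM Minimal User" role
    "VirtualMachine.Interact.PowerOn",
    "VirtualMachine.Interact.PowerOff",
    "VirtualMachine.Interact.Reset",
    "VirtualMachine.Interact.ConsoleInteract",
    "VirtualMachine.Interact.ToolsInstall",
}
NETWORK_RISK = {  # the concern raised in the thread: device connect/disconnect, network changes
    "VirtualMachine.Interact.DeviceConnection",
    "VirtualMachine.Config.EditDevice",
    "Network.Assign",
}
IMPLICIT = {"System.Anonymous", "System.Read", "System.View"}  # carried by every role
ALLOWED_SCOPES = {"VirtualMachine", "Folder"}  # a single VM or a folder of VMs

def audit_role(privileges):
    """Return (privileges beyond the minimal set, those touching devices/networks)."""
    privs = set(privileges) - IMPLICIT
    return sorted(privs - MINIMAL_ALLOWED), sorted(privs & NETWORK_RISK)

def audit_permissions(roles, permissions):
    """Return (principal, entity, reason) for each assignment exceeding the intended exposure."""
    findings = []
    for principal, role, entity_type, entity in permissions:
        extra, risky = audit_role(roles[role])
        if risky:
            findings.append((principal, entity, "can change devices/networks: " + ", ".join(risky)))
        elif extra:
            findings.append((principal, entity, "beyond minimal set: " + ", ".join(extra)))
        if entity_type not in ALLOWED_SCOPES:
            findings.append((principal, entity, "scope broader than VM or VM folder: " + entity_type))
    return findings

# Constructed sample data: role definitions and (principal, role, entity type, entity) assignments.
ROLES = {
    "VM Minimal User": MINIMAL_ALLOWED | IMPLICIT,
    "VM Minimal User (drifted)": MINIMAL_ALLOWED
    | {"VirtualMachine.Interact.DeviceConnection", "VirtualMachine.Interact.SetCDMedia"},
}
PERMISSIONS = [
    ("CORP\\finance-vm-users", "VM Minimal User", "Folder", "Finance VMs"),
    ("CORP\\hr-vm-users", "VM Minimal User (drifted)", "VirtualMachine", "hr-app01"),
    ("CORP\\dev-vm-users", "VM Minimal User", "Datacenter", "DC1"),
]

if __name__ == "__main__":
    for finding in audit_permissions(ROLES, PERMISSIONS):
        print(" | ".join(finding))
```
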

Re: console for individual VMs - Nov 20, 2008 1:22 AM
in response to: Craig Baltzer
NTurnbull (Expert)

Hi Craig, I believe that when you generate a URL for web access to the VM it is only valid until the ESX host is restarted (I think that also includes when the mgmt-vmware service is restarted). Once restarted you'd have to re-generate another URL for the user.

Thanks,
Neil

Re: console for individual VMs - Nov 20, 2008 2:11 AM
in response to: NTurnbull
Craig Baltzer (Expert)

Hi Neil. I just did a quick test here and the URL continues to work after reboots of both the ESX host housing the VM as well as the VC server itself...

Re: console for individual VMs - Nov 20, 2008 2:34 AM
in response to: Craig Baltzer
NTurnbull (Expert)

Hi Craig, must have changed that then - or I was wrong! :)

Thanks,
Neil

Re: console for individual VMs - Nov 20, 2008 7:01 AM
in response to: NTurnbull
Texiwill (Guru, Moderator)

Hello Craig,

The problem with Roles and Permissions is that they are not granular enough. So if you are not careful you could inadvertently let users change things like networks. So you need to be careful that they can not do this, but that generally means something else is not doable.

As for using the VNC connection, that is possible but could create an even larger risk if not implemented properly but there are several ways to mitigate that risk.

I am on the fence on which method is best from a security perspective. Any access to VI Management tools by people who really do not need the access adds to the possible risk to the system. I am also of the opinion that if there are issues with the VM such that it hangs during boot, there may be other issues that would require the virtualization administrator to be involved, at least in the investigation.

BTW, webAccess is the least secure method to access the console of all the available methods.


Best regards,
Edward L. Haletky