VMware Cloud Community
fast_cat
Contributor

VCSA 6.5 Web client redirect - again

Hi,

I know this discussion, or a similar one, has been had before, but I am unable to find a definitive solution.

The scenario is this (simplified, of course, with example DNS names). Also note that all of this infrastructure was built by someone else who has now left the company.

VCSA 6.5 - domain name is vc.a.b

External PSC - domain name is psc.a.b

This all works fine when connected on our internal LAN.

HOWEVER, when connected remotely via a VPN, the company in their wisdom have decided to block all access from a web browser (e.g. IE) to any URL with suffix 'a.b'.

For example -

Browsing to vc.a.b gets the message -

Your requested URL has been blocked

The URL has been blocked by policy

However, the policy is set up to allow browsing to suffix x.y - this is the recommendation from the security team (i.e. to set up all web sites etc. with x.y suffixes).

So I have got DNS aliases set up as follows -

vc.a.b -> vc.x.y

psc.a.b -> psc.x.y

So now when I browse remotely I can use - https://vc.x.y

This works inasmuch as I get the vCenter welcome screen and I can then select 'vSphere Web Client (Flash)'.

This then redirects to - psc.a.b/websso/SAML/ etc...

But this fails due to policy blocking the URL with suffix 'a.b'.

So my question - where is the reference to psc.a.b in the VCSA or PSC appliance? Can I change it so that it says psc.x.y? It will be the same IP address.

PS: On my VC 5.5 environment on Windows I can solve this issue by modifying one of the redirect settings in the proxy.xml file. Is there any equivalent on the 6.5 VCSA/PSC environment?

Any thoughts welcome

regards

3 Replies
daphnissov
Immortal

This is the same problem people encounter when trying to access vCenter from the public Internet. In short, it's not going to work this way and your team are going to have to provide access to the a.b. domain for VPN users. When that redirect to the PSC happens, it needs to be able to access it on the URL listed for the auth token to be generated. There is no way of changing that without redeploying with a different DNS name.

fast_cat
Contributor

Thanks for the update.

I guess that was confirmation of what I thought - a new install rather than changing a setting/config on the existing environment?

So would I need to deploy a new VCSA and PSC, or just the PSC?

daphnissov
Immortal

Well, as I said, any sort of domain redirection isn't going to work, so even if you did re-deploy (both), you still have to choose one domain or another. That's the domain over which it needs to be accessible. The proper fix is to make that domain accessible to VPN users, or communicate to the company that they will not have access. It basically comes down to that.
