I'm trying to get a better sense of the connection path between a vCenter user and a VM's web console in order to diagnose why users can open some web consoles but not others.
When you're connected to the web client of [VC1] and you open the web console of a VM on [VC2] (which is in the same SSO domain and shows up on the same web client), does the path go like this:
Me -> [TCP 443] -> VC1 -> [TCP/UDP 902] -> VC2 -> [TCP/UDP 902] -> VC2Host -> VM
Or is it this:
Me -> [TCP 443] -> VC1 -> [TCP/UDP 902] -> VC2Host -> VM
And are those ports accurate? Are there any other ports needed for the web console to work (whether from one VC directly or from a linked VC)?
Here's the actual problem I'm having:
I have these two vCenter appliances (both v6.7):
If I log in to vc-toronto from our corporate LAN, I can open web consoles for VMs in that vCenter, but if I try to open a console for a VM on vc-portland, it hangs and then times out. The opposite is also true if I log in to vc-portland. However, if I use the VMRC, I can open the consoles of any of the VMs regardless of which of the two vCenters I'm logged in to.
Meanwhile, I have one user working from home, connecting via VPN1, who reports the same behavior as me, and a second user, connecting via VPN2, who can open web consoles on either vCenter, regardless of which one he's logged in to.
So the implication is that this is a firewall/routing issue. I just need to figure out which ports need to be open and from where to where.
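The following is an added example, not part of the original question, for narrowing down exactly this kind of "which port, from where to where" problem. It assumes two things that the question does not confirm and that should be verified against your own environment: that the HTML5 web console URL the browser is sent to carries a `host=` query parameter naming the vCenter the browser must reach directly for the console connection, and that the vCenter-to-ESXi hop is TCP 902. The FQDNs `vc-toronto.example.com` and `vc-portland.example.com` and the sample console URL are constructed placeholders; the question only names the appliances as vc-toronto and vc-portland.

```python
"""Reachability matrix for the vSphere web console path (added example).

Run it from each vantage point in the question (corporate LAN, VPN1, VPN2)
and compare which rows differ; a row that is OK from VPN2 but FAIL from
VPN1 is the firewall/routing rule to go looking for.
"""
import socket
from urllib.parse import parse_qs, urlparse


def check_tcp(host, port, timeout=3.0):
    """Return True if a TCP handshake to host:port completes within timeout.

    Connection refused, DNS failure and timeout all count as unreachable;
    the caller only needs the yes/no answer per hop.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def console_target(url):
    """Return (host, port) named by the `host=` parameter of a web console URL.

    Assumption (not confirmed by the question): the console URL tells the
    browser which vCenter to contact directly. Copy the URL from the
    console tab's address bar and paste it here to see that hostname.
    Returns None when the parameter is absent.
    """
    params = parse_qs(urlparse(url).query)
    host_param = params.get("host", [None])[0]
    if not host_param:
        return None
    host, _, port = host_param.partition(":")
    return host, int(port) if port else 443


def reachability_matrix(checks, timeout=3.0):
    """checks: iterable of (label, host, port). Returns {label: reachable}."""
    return {label: check_tcp(host, port, timeout) for label, host, port in checks}


def probe_local_listener():
    """Self-check: open a loopback listener and confirm check_tcp sees it."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]
    try:
        return check_tcp("127.0.0.1", port, timeout=1.0)
    finally:
        srv.close()


if __name__ == "__main__":
    # Hypothetical FQDNs; replace with the real appliance names.
    CHECKS = [
        ("client -> vc-toronto:443 (web client / console)", "vc-toronto.example.com", 443),
        ("client -> vc-portland:443 (web client / console)", "vc-portland.example.com", 443),
        # Assumed vCenter -> ESXi hop; run this pair from each appliance's shell.
        ("vcenter -> esxi-host:902 (console proxy, assumed)", "esxi01.example.com", 902),
    ]
    for label, ok in reachability_matrix(CHECKS).items():
        print(f"{'OK  ' if ok else 'FAIL'} {label}")

    # Constructed sample URL in the shape assumed above, with the vc-portland
    # appliance as the console host even though the session started on vc-toronto.
    sample = ("https://vc-toronto.example.com/ui/webconsole.html"
              "?vmId=vm-42&vmName=app01&host=vc-portland.example.com:443&locale=en_US")
    print("console host from URL:", console_target(sample))
```

If `console_target` on a real URL returns the other vCenter's FQDN, the browser, not VC1, is the endpoint that needs a path to VC2 on 443, which would match the symptom that the standalone VMRC (which also talks to the managing vCenter and host directly) works from everywhere while the browser console does not from some networks.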