VMware Cloud Community
RebeccaW
Enthusiast

vRA 8.8 - Load Balanced - Connect to Remote Console

Does anyone have a clustered vRA 8.8 environment and also successfully use Connect to Remote Console? We have 902 open from the appliances and the cluster VIP to the ESXi hosts, yet still have the "Cannot establish a remote console connection. Verify that the machine is powered on. If the server has a self-signed certificate, you might need to accept certificate, then close and retry the connection." error. We have a Test environment that is not load balanced which works fine.

10 Replies
RebeccaW
Enthusiast

Does anyone have vRA 8.8 behind a load balancer, and if so, do you entitle the Connect to Remote Console action? The non-load-balanced environment is fine; the load-balanced one seems to have an issue. I cannot find any documentation that websockets need to be enabled on the load balancer, but that seems to be what is erroring out first.

0 Kudos
RebeccaW
Enthusiast

In case anyone else has a similar issue one day... after you double-check with networking that the load balancer is in SSL Bridge mode, check again. This wound up being the issue but was not impacting other functionality.

0 Kudos
evil242
Enthusiast

Are you able to route all web client traffic through the load balancer, including VM management and console access over https:443? And this is for complete on-prem vRA?

We had 7.6 on-prem and it worked great behind the load balancer to provide client VM services to client customers. 

We are currently migrating to vRA Cloud SaaS but are looking for reasons to come back to on-prem. 

Damion Terrell (He/Him)
Core IT Service Specialist
UNM – IT Platforms – VIS
“You learn the job of the person above you, and you teach your job to the person below you.”
0 Kudos
evil242
Enthusiast

Can someone elaborate on the SSL Bridge Mode? Is this the "vra-va - SSL terminated at load-balancer:true" setting? If I need to change this to "false", does that mean I need to redeploy the entire cluster again? Or is there a way to change this after the fact?

0 Kudos
Ankush11s
VMware Employee

@evil242
In Aria Automation Cloud, if a user is trying to connect to the remote console, we should have the below requirement:
The machine from which we are accessing the Aria Automation deployment should have ESXi management network access on port 443.

Once the above requirement is completed, and you try to open the remote console, it will ask for a certificate to be accepted. Once you click on accept certificate, which usually opens in a new tab, and after accepting the certificate, go back to the same tab and reload the browser, and it should work.

Not sure how this is related to this thread, because the ask is for Cloud, but here is the Load Balancing Guide for on-prem, and you can look for SSL.
https://docs.vmware.com/en/vRealize-Automation/8.4/vrealize-automation-load-balancing-guide.pdf

0 Kudos
evil242
Enthusiast

Yes, I went through that guide, in particular for the F5. FYI, 8.7 guide appears to be the latest, https://docs.vmware.com/en/vRealize-Automation/8.7/vrealize-automation-load-balancing-guide.pdf

Currently deployed vRA/Aria 8.11.

It doesn't seem to go in depth about terminating SSL at LB.  Why is that even an option?  

The vRA / Aria appliances have management access to the ESXi Hosts.

But again, why should end users/clients require access to the host just to accept a host certificate when everything should be proxied through the appliances and load balancer?

This wasn't a problem in vRA 7.

0 Kudos
evil242
Enthusiast

VMware KB Cannot establish a remote console connection in VMware Aria Automation 8.10.2 (90655)

We are at vRA / Aria 8.11 

Cause

The remote console functionality changed in the Aria Automation 8.10.2 release.

To resolve the issue in Aria Automation version 8.10.2 you will need to ensure the following requirements are met.

1. Network access is required between client machines and ESXI hosts on port 443.

So just to verify, we must expose all of our ESXi hosts to our client machines?  

I am going to try deleting my environment and deploying 8.10.1 tomorrow.

0 Kudos
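
A client-side check for the KB requirement quoted in the post above (client machines need network access to the ESXi hosts on port 443), which also separates a blocked network path from the untrusted-certificate case that the console error message mentions. This is an added example, not code from the thread or from VMware; the host names, verdict labels and advice strings are assumptions of the example.

```python
import socket
import ssl

# Verdict -> meaning for the remote console (labels and wording are this example's own).
ADVICE = {
    "unreachable": "client cannot open TCP to the host: check firewall/routing",
    "untrusted-cert": "host certificate is not trusted by this client: "
                      "the browser will ask the user to accept it",
    "tls-failed": "port is open but TLS did not complete: check what answers on it",
    "trusted": "TCP and TLS succeed with a trusted certificate",
}


def probe(host, port=443, timeout=3.0):
    """Return (verdict, detail) for one ESXi host as seen from this client."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, no route, DNS failure
        return "unreachable", str(exc)
    ctx = ssl.create_default_context()  # verifies the chain and the host name
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "trusted", ""
    except ssl.SSLCertVerificationError as exc:  # e.g. self-signed certificate
        return "untrusted-cert", exc.verify_message
    except (ssl.SSLError, OSError) as exc:  # non-TLS service, reset, timeout
        return "tls-failed", str(exc)
    finally:
        sock.close()  # no-op once wrap_socket has taken over the descriptor


def audit(hosts, port=443, timeout=3.0):
    """Probe every host; return {host: (verdict, detail, advice)}."""
    report = {}
    for host in hosts:
        verdict, detail = probe(host, port, timeout)
        report[host] = (verdict, detail, ADVICE[verdict])
    return report


if __name__ == "__main__":
    # Constructed placeholder names; replace with your ESXi management FQDNs.
    hosts = ["esxi01.example.internal", "esxi02.example.internal"]
    for host, (verdict, detail, advice) in audit(hosts).items():
        print(f"{host}: {verdict} ({detail}) -> {advice}")
```

Run it from a machine on the same network segment as the console users, since the result depends on the client's path and trust store rather than on the appliances'.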
Ankush11s
VMware Employee

@evil242 or you could upgrade to 8.11.2, in which it is fixed for on-prem, but for Cloud it is mandatory to have ESXi mgmt network access.

0 Kudos
evil242
Enthusiast

Can you provide the product documentation for it being fixed in 8.11.2? I just checked and 8.11.2 is not available. Do you have a guesstimate release date? I'll gladly upgrade if "Network access is required between client machines and ESXI hosts on port 443." is no longer a requirement and it actively proxies customer VM console connections through LB VIP and vRA / Aria Appliances.

Regarding "but for Cloud it is mandate to have esxi mgmt network access", I understand it is a proxy pull vs push notification issue, but from a security standpoint, does this really make sense?  What do Cloud customers do for security?  Or is VM console access just not a thing? 

evil242
Enthusiast

So FYI, I was able to get VM Console through LB VIP using vRA 8.10.1.

I guess we will be at that version until 8.11.2 shows up and removes the host access requirement.

0 Kudos