Using VC 2.5 and the converter enterprise plug-in, a machine fails to import after selecting the target datastore with the following error msg: "Unable to verify remote host's SSL certificate. The host certificate chain is not complete or the host name used for the connection does not match certificate."
The VC is a windows 2003 server. The physical machine is also a windows 2003 server, but on a DMZ. Here's what I've done to troubleshoot:
1) Confirm connectivity using telnet and ping:
VC-->Physical Machine TCP 139,445
Physical Machine-->VC TCP 443
Physical Machine-->ESX Hosts TCP 902
2) Connect to VC via https:
Open https://IPofVCServer
Works for any system with TCP/IP connectivity to VC. Welcome to VC screen displays.
Fails for any system in DMZ with 'Page cannot be displayed'
3) Telent to VC from DMZ system using TCP 443
*http response is 'Error: Access Denied Access Denied by security policy'
4) Review converter client log file on Physical Machine (bolded what I thought was indicative of the problem):
volume name
?\Volume{8a72c385-2d1d-11d9-9c09-806e6f6e6963}\ length 49
Entering UFAD at CheckDestAvailable
VmiCheckDestAvailableTask initialized
Connecting to host 10.189.39.100 on port 443 using protocol https
SSL cert. verification failed for host 10.189.39.100. Vmacore::Ssl::SSLException: SSL Exception: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number
VmiCheckDestAvailableTask::task: Image processing task has failed with MethodFault::Exception: sysimage.fault.SSLCertificateError
Is seems to me that this is an issue with the network from the DMZ to the VC, but I'm unsure what is being blocked. Am I pinpionting the cause correctly? Has anyone run into this?
Regards,
Ray
I would probably suggest that you simplify this a little bit.
If you install VMware Converter Standalone directly on the system in the DMZ, and convert directly to the ESX host you'll need the following:
1. port 443 & 902 for UDP/TCP traffic between the two systems
2. proper host name resolution between the two systems
Those are the 2 main catches. I don't know if that's feasible for you.
Thanks for your input! I've determined the issue and of course it was a firewall issue. Port 443 was being blocked. What I didn't realize was that the firewall was actually creating the http response of 'access is denied'. Bad assumption on my part that by getting a response via telnet 443 the port was open.
Ray
Greetings,
In my case the forum helped identifying the ports needed as well as fqdn my exception only was one further issue. My attempt was on a web server in the dmz network with a local group policy putting a stop to my conversion.
The group policy was under:
Local Policies-Security Options-Network security: Lan Manager authentication Level- (Security Setting was set to) "Send NTLMv2 response only \refuse LM & NTLM"
I had to set it to Send LM & NTLM -use NTLMv2 sesssion security if negotiated.
Afterwards I was able to use converter and communicate with the server via ms-ports normally and P2V the system.