VMware Cloud Community
rayabueg
Contributor
Contributor
‎07-23-2008 11:41 AM

VMware converter import fails from DMZ

Using VC 2.5 and the converter enterprise plug-in, a machine fails to import after selecting the target datastore with the following error msg: "Unable to verify remote host's SSL certificate. The host certificate chain is not complete or the host name used for the connection does not match certificate."

The VC is a windows 2003 server. The physical machine is also a windows 2003 server, but on a DMZ. Here's what I've done to troubleshoot:

1) Confirm connectivity using telnet and ping:

VC-->Physical Machine TCP 139,445

Physical Machine-->VC TCP 443

Physical Machine-->ESX Hosts TCP 902

2) Connect to VC via https:

Open https://IPofVCServer

  • Works for any system with TCP/IP connectivity to VC. Welcome to VC screen displays.

  • Fails for any system in DMZ with 'Page cannot be displayed'

3) Telent to VC from DMZ system using TCP 443

*http response is 'Error: Access Denied Access Denied by security policy'

4) Review converter client log file on Physical Machine (bolded what I thought was indicative of the problem):

volume name C:\ length 3

volume name
?\Volume{8a72c385-2d1d-11d9-9c09-806e6f6e6963}\ length 49

Entering UFAD at CheckDestAvailable

VmiCheckDestAvailableTask initialized

Connecting to host 10.189.39.100 on port 443 using protocol https

SSL cert. verification failed for host 10.189.39.100. Vmacore::Ssl::SSLException: SSL Exception: error:1408F10B:SSL routines:SSL3_GET_RECORD:wrong version number

VmiCheckDestAvailableTask::task: Image processing task has failed with MethodFault::Exception: sysimage.fault.SSLCertificateError

Is seems to me that this is an issue with the network from the DMZ to the VC, but I'm unsure what is being blocked. Am I pinpionting the cause correctly? Has anyone run into this?

Regards,

Ray

Tags (3)
0 Kudos
3 Replies
IamTHEvilONE
Immortal
Immortal
‎07-24-2008 05:38 AM

I would probably suggest that you simplify this a little bit.

If you install VMware Converter Standalone directly on the system in the DMZ, and convert directly to the ESX host you'll need the following:

1. port 443 & 902 for UDP/TCP traffic between the two systems

2. proper host name resolution between the two systems

Those are the 2 main catches. I don't know if that's feasible for you.

rayabueg
Contributor
Contributor
‎07-24-2008 03:22 PM

Thanks for your input! I've determined the issue and of course it was a firewall issue. Port 443 was being blocked. What I didn't realize was that the firewall was actually creating the http response of 'access is denied'. Bad assumption on my part that by getting a response via telnet 443 the port was open.

Ray

0 Kudos
jsantiago
Contributor
Contributor
‎03-04-2009 01:30 PM

Greetings,

In my case the forum helped identifying the ports needed as well as fqdn my exception only was one further issue. My attempt was on a web server in the dmz network with a local group policy putting a stop to my conversion.

The group policy was under:

Local Policies-Security Options-Network security: Lan Manager authentication Level- (Security Setting was set to) "Send NTLMv2 response only \refuse LM & NTLM"

I had to set it to Send LM & NTLM -use NTLMv2 sesssion security if negotiated.

Afterwards I was able to use converter and communicate with the server via ms-ports normally and P2V the system.

0 Kudos