VMware Cloud Community
DJRyanJ
Contributor

vSphere Client Can't Connect Over SSH Tunnel

I have a couple of ESX 4.0 servers sitting in a lab on campus, which is usually not where I am. Typically, I set up an SSH tunnel to connect remotely to my network, forward some ports over the tunnel and connect to things that way. I do this for a few reasons: 1) my network at work has all of 3 ports open: 22 (SSH), 80, and 443; 2) dumping everything over the SSH tunnel is just far easier and more secure than port forwarding a bunch of ports over the internet; 3) I'm rarely at the lab and working remotely is much better for me.

I don't have my vCenter server set up as yet, but it's on the todo list.

When I'm physically in the lab and connect to the IPs of the hosts, I can access things fine with the vSphere Client. When I try over the tunnel, it tells me I can't connect with a "vSphere Client could not connect to vCenter Server <name>. Details: A connection failure occurred (Unable to connect to remote server)".

I have ports 443, 902 and 903 forwarded to the Service Console IP on the host.

Would it matter that the VMkernel port is on a separate IP?

Anyway, any help anyone can offer about getting vSphere Client running over an SSH tunnel would be fantastic.

Thanks in advance.

-r-

19 Replies
MagicMonkey
Contributor

I'm having problems too. I'm trying to connect to ESXi 4 with the vSphere Client over an SSH tunnel. I forwarded 902, 903 and 443 and it won't connect. I have forwarded ports to VMs on that box and I have no problems connecting to them.

When I open those ports in my NAT router I am able to connect.

AndreTheGiant
Immortal

Use OpenVPN or other VPN instead.

There are too many ports to redirect, and name resolution could also be a problem with port forwarding in an SSH tunnel.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro
MagicMonkey
Contributor

Since it works when I open the ports in my NAT router, I should not have to forward more ports when SSH tunneling. I have used SSH tunneling without problems before when using the VI client.

DJRyanJ
Contributor

Also, OpenVPN or other VPNs are simply not possible in this situation.

Also, unless I miss my guess, name resolution is a moot point here given that I connect to everything using IP.

-r-

CONV4-BETA
Contributor

I also ran into the same problem.

We have several ESXi 3.5s (standalone) behind a firewall in the private IP range, and everything works just fine when SSH-tunneling port 443 and 902 and connecting to localhost.

After upgrading the VI client to vSphere I can no longer connect to the ESXi hosts with the upgraded client when using SSH tunneling. In the error message it mentions the DNS reverse-resolved name of the workstation I'm running vSphere on.

I still can connect to an ESXi which has the 443 and 902 ports open (and NAT'ed). Of course, when the vSphere client is put on the same subnet as the ESXi hosts, everything works fine.

nickbertrand
Contributor

I was able to get it to work by adding a line to the C:\WINDOWS\system32\drivers\etc\hosts file:

127.0.0.1 esxserver

Nick

DJRyanJ
Contributor

Hm, an interesting solution, especially given that one of the error messages pops up saying it can't connect to server "localhostname" (where localhostname is the DNS name of the local computer) even though I'm specifically pointing it at 127.0.0.1.

However, this didn't work for me. I assume that your "esxserver" name is actually the DNS name of the far server?

-r-

CONV4-BETA
Contributor

Great, worked for me!

Port 902, though, still seems to be required for data transfers (VM consoles, datastore, etc.).

Thx!

DJRyanJ
Contributor

Scratch that, it did work.

The caveat is that you have to connect using the actual DNS name of the server and NOT 127.0.0.1; this is why the "hosts" file works. It also allows you to connect to a vCenter server the same way, not just ESX.

My hosts file:

127.0.0.1 esx1 esx2 vcenter

That allows me to connect to any of them just by moving my tunnel destination around.

Of course, when on the local subnet, it's a good idea to remove or comment out the entries in hosts, otherwise it'll still fail.

Thanks!

-r-

CONV4-BETA
Contributor

You don't need to use a real DNS name.

The thing is that the vSphere client seems to treat 127.0.0.1 or localhost in a special way, but any other name resolved to 127.0.0.1 works.

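The hosts-file trick from the posts above (an alias that resolves to 127.0.0.1, anything except "localhost" itself) is easy to get subtly wrong, so here is an added example, not code from any poster in this thread, that checks a hosts file the way the resolver reads it: '#' starts a comment, one address followed by one or more names per line, first match wins. It then says whether a given name is a usable tunnel-side target: it must resolve to a loopback address (otherwise the client's traffic bypasses the tunnel entirely) and must not be localhost/127.0.0.1, which the posters report the client treats specially. The sample hosts file, the names and the address 10.0.0.5 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the thread: hosts-file checker for the tunnel trick.

# hosts_lookup FILE NAME -> prints the address NAME maps to (exit 0), or
# prints nothing and exits 1 if NAME is absent from FILE.
hosts_lookup() {
    awk -v want="$2" '
        { sub(/#.*/, "") }                      # drop trailing comments
        NF < 2 { next }                         # need address + at least one name
        {
            for (i = 2; i <= NF; i++)
                if ($i == want) { print $1; found = 1; exit }
        }
        END { exit found ? 0 : 1 }
    ' "$1"
}

# tunnel_name_ok FILE NAME -> exit 0 with "ok: ..." when NAME is usable as
# the client target over the tunnel, exit 1 with a reason otherwise.
tunnel_name_ok() {
    case $2 in
        localhost|127.0.0.1|::1)
            echo "refuse: the client treats '$2' specially; use an alias"
            return 1 ;;
    esac
    addr=$(hosts_lookup "$1" "$2") || {
        echo "refuse: '$2' is not in $1"
        return 1
    }
    case $addr in
        127.*|::1) echo "ok: $2 -> $addr"; return 0 ;;
        *)  echo "refuse: '$2' -> $addr is not loopback; traffic would bypass the tunnel"
            return 1 ;;
    esac
}

# Constructed sample hosts file (not anyone's real file).
demo_hosts=$(mktemp)
cat > "$demo_hosts" <<'EOF'
127.0.0.1   localhost
127.0.0.1   esx1 esx2 vcenter   # tunnel targets, as in the thread
10.0.0.5    esx3                # a host reached directly, not via the tunnel
EOF

tunnel_name_ok "$demo_hosts" vcenter   || :
tunnel_name_ok "$demo_hosts" localhost || :
tunnel_name_ok "$demo_hosts" esx3      || :
```

Run it as-is to see the three verdicts; point `hosts_lookup` at the real file (`/etc/hosts`, or `C:\Windows\System32\drivers\etc\hosts` from WSL via `/mnt/c/...`) to check your own alias before blaming the tunnel.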
rikske
Contributor

Instead of using 127.0.0.1, use 127.0.0.2; this way the connection works without modifying the hosts file, etc.

The ssh command looks like this:

ssh -L 127.0.0.2:443:<esx_host>:443 <user>@<ssh_server>

When using PuTTY, prefix the source port with 127.0.0.2: (i.e. enter 127.0.0.2:443 as the source port).

When the ssh connection is established you can use 127.0.0.2 as the host to connect to using the vSphere client.

Message was edited by: rikske

packetgod
Contributor

I just tried this with ports 443, 901, and 902 forwarded and it didn't work. When I set up an entry in my hosts file as suggested it worked great with no other changes; not sure why the IP doesn't work but the hostname does.

Thanks much for the help!

GarryG
Contributor

Can't get it to work, even with the hosts change ...

The main problem seems to be that the new VI client changes "localhost" or 127.0.0.1 to the regular local IP of your machine, thus not going through the tunnel (I noticed that by the access shown by my firewall). Also, after changing to something else, like "tunnel", for the console it will still do a lookup based on the VM name, which again messes up the tunnel access ...

I guess I will have to resort to a regular VPN for the site I need access to, as neither the web-based console nor the VI client seems to work ...

dc1975
Contributor

After some tests, the final solution that fully worked for me is:

1) Connect to the ESXi server with PuTTY with forwarded ports 443 and 902 (see the PuTTY SSH tunnel procedure on the web). Note: port 903 is not necessary.

2) Open the file C:\WINDOWS\system32\drivers\etc\hosts with a text editor.

3) Add a name of your choice after "127.0.0.1 localhost" on the same line and save the file

    e.g.    127.0.0.1  localhost  localvsphere

4) With the vSphere Client, connect to your ESXi server using the name you added to the hosts file (e.g. "localvsphere")

That's all!

L1quid
Contributor

Port 903 is necessary if you want to use the VM console.

natan770
Contributor

I confirm that.

I've just added this line to my hosts file:

127.0.0.1   esxi

(where esxi is the name of my remote ESX host), and it worked out.

Great suggestion, guys...

nextar
Contributor

There is a simpler way to do this if you trust your network. You don't need to mess with your hosts file; just check the radio box "Local ports accept connections from other hosts" in PuTTY at the tunnel settings.

[screenshot: putty.png]

zstar69
Contributor

THE SOLUTION:

vCenter gets messed up if you are tunnelling and trying to use "LOCALHOST" to connect.

Open your hosts file,

change 127.0.0.1 localhost

to:

something like (just for example)

127.0.0.1 localhost2

will make it work.

Something about "localhost" makes ESXi not try to use the tunnel, but rather it literally tries to connect to itself, even with an established tunnel. AND even if https://localhost brings up the vCenter page! So don't be thrown off and say "IT'S WORKING CUZ I CAN HIT THE WEBPAGE". Same problem here; changing from localhost to something else fixed it for me.

alta3
Contributor

Here is how I do this from a Windows host.

0. In the steps below, replace every instance of "<vcenter_FQDN>" with the actual FQDN of your vCenter appliance

1. On your Windows host, install WSL2 (https://alta3.com/blog/installing-windows-subsystem-for-linux-2-wsl2). Once you get accustomed to WSL2, PuTTY will pale in comparison.

2. Of course you will need a bastion host to handle the ssh-tunneling relay. It is implied that you already have this, based on the question.

3. On your Windows host, run notepad as administrator and edit C:\Windows\System32\drivers\etc. In this file, add the following line:

127.0.0.1       <vcenter_FQDN>

4. In WSL2, add the following config to your ~/.ssh/config file

Host my-bastion-host
  Hostname my-bastion-host.example.com
  # your bastion's user
  User ubuntu
  # your bastion's port
  Port 22
  # your ssh private key file
  IdentityFile ~/.ssh/id_rsa

5. Make sure you can ssh to the bastion. If you cannot, your key is most likely not present there. If this fails, nothing else will work.

ssh my-bastion-host


6. At the WSL command line, enter: 

sudo ssh \
    -F /home/<your_home_dir>/.ssh/config \
    -i /home/<your_home_dir>/.ssh/id_rsa \
    -A my-bastion-host \
    -L 443:<vcenter_IP>:443 \
    -L 902:<vcenter_IP>:902 \
    -L 903:<vcenter_IP>:903

Please do NOT skip sudo, as you need to forward well-known ports, which is forbidden for a normal user. This is why you need to point at the ssh config file (-F) and the ssh keys (-i). Note the THREE port forwards, which is what makes the magic happen.

7. Open up a browser tab and go to:

    https://<vcenter_FQDN>

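The tunnel itself is the other half of the recipe in the posts above: the ssh `-L` forwards for 443, 902 and 903, the 127.0.0.2 bind from rikske's post, and the PuTTY "Local ports accept connections from other hosts" option, which makes the forwarded ports reachable from the whole LAN rather than just this machine. The helpers below are an added example, not code from any poster in this thread: `tunnel_opts` builds the `-L` options for a set of ports bound to a loopback alias and refuses wildcard binds; `exposed_forwards` reads `ss -ltn` style output (column 4 is Local Address:Port) and flags any forwarded port that is listening on a non-loopback address, which is the check to run after the tunnel is up. The target 192.0.2.10, the bastion name and the ss output are constructed.

```shell
#!/bin/sh
# Added example, not from the thread: build loopback-only -L forwards and
# verify afterwards that nothing is listening on a LAN-reachable address.

# tunnel_opts BIND TARGET PORT... -> prints one "-L BIND:PORT:TARGET:PORT"
# option per port; exit 1 on a non-loopback BIND or an invalid port.
tunnel_opts() {
    bind=$1; target=$2; shift 2
    case $bind in
        127.*|localhost|::1) ;;
        *) echo "refusing non-loopback bind address '$bind'" >&2; return 1 ;;
    esac
    for port in "$@"; do
        case $port in
            ''|*[!0-9]*) echo "bad port '$port'" >&2; return 1 ;;
        esac
        if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
            echo "bad port '$port'" >&2; return 1
        fi
        printf '%s %s:%s:%s:%s\n' -L "$bind" "$port" "$target" "$port"
    done
}

# exposed_forwards PORT... < ss-output -> prints "PORT ADDRESS" for every
# listed port that listens on a non-loopback address; prints nothing when
# all forwards are loopback-only. Only LISTEN rows are considered.
exposed_forwards() {
    awk -v ports="$*" '
        BEGIN { n = split(ports, p, " "); for (i = 1; i <= n; i++) want[p[i]] = 1 }
        $1 != "LISTEN" { next }
        {
            k = match($4, /:[0-9]+$/)           # split "addr:port" at the last colon
            addr = substr($4, 1, k - 1); port = substr($4, k + 1)
            if (!(port in want)) next
            if (addr ~ /^127\./ || addr == "[::1]") next
            print port, addr
        }'
}

# Constructed `ss -ltn` output: 902 was bound to the wildcard address, so it
# is reachable from the LAN, not just from this machine; 22 is not a forward.
demo_ss='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     127.0.0.2:443        0.0.0.0:*
LISTEN  0       128     0.0.0.0:902          0.0.0.0:*
LISTEN  0       128     [::1]:903            [::]:*
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*'

# 192.0.2.10 and bastion.example are placeholders; -N opens no remote shell.
echo "ssh -N $(tunnel_opts 127.0.0.2 192.0.2.10 443 902 903 | tr '\n' ' ')user@bastion.example"
printf '%s\n' "$demo_ss" | exposed_forwards 443 902 903
```

On a live system, replace the constructed text with `ss -ltn | exposed_forwards 443 902 903`; an empty result means every forward is loopback-only, and anything printed is a port the rest of the LAN can reach through your tunnel. The `-N` flag keeps ssh from opening a shell on the bastion, so the session carries only the forwards.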