Chamon
Commander

Edit proxy.xml disconnects host from VC


I have a requirement to lock down our ESXi hosts based on the vSphere hardening guides. One in particular is to disable the Managed Object Browser on the ESXi hosts. This can be found in the ESX/ESXi Host configuration portion of the vSphere Security hardening document, code HCM02. If I comment out this section of the /etc/vmware/hostd/proxy.xml file, the host becomes disconnected from VC and the web interface no longer works. So what am I doing wrong here? This is the portion of the file before I edit it:

So I am just commenting out this section to disable it. Once I restart services.sh on the ESXi host is when the problems start. This can't be expected behavior, is it? Thanks for any help!


Accepted Solutions
Charu
Enthusiast

In the draft hardening guide (Rev B), a step was omitted from this procedure. You need to decrement the <_length> field by one after you remove the "mob" element. This will be corrected in the final version.

Please let us know if it doesn't work for you.

8 Replies
Texiwill
Leadership

Hello,

I think I will leave this to VMware and will ping the appropriate people.

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMWare ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
Chamon
Commander

This, in conjunction with renumbering the elements that followed, was the full answer. I tried only decreasing the length number by one, but that did not appear to be enough. If I want to remove access to download the VIC, can I simply remove the client element and again follow these steps to decrease the length and renumber? Thanks for the help.

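The full procedure that emerged in this thread (remove the endpoint element, decrement `<_length>`, renumber the entries that follow) is easy to get wrong by hand, and the symptom of getting it wrong is exactly what the original poster saw. The script below is an added example, not code from the thread or from VMware. It applies that procedure to a constructed document that only mirrors the general shape of an ESXi 4.x proxy.xml (an `EndpointList` with a `<_length>` counter and id-numbered `<e>` entries; the ports, `_type` values and namespaces in the sample are assumptions, not copied from a host), and it includes a consistency check that flags the incomplete edit, where the element is gone but `<_length>` and the ids still describe the old list. Going slightly beyond the thread, the same function also removes the client-download endpoint that the follow-up question asks about.

```python
"""Remove an endpoint from an ESXi-style hostd proxy.xml and keep the
EndpointList bookkeeping consistent (_length decremented, ids contiguous).

Example code written for this thread; the sample document is constructed
and only mirrors the general layout of /etc/vmware/hostd/proxy.xml.
"""
import xml.etree.ElementTree as ET

# Constructed sample (assumption): an EndpointList whose <_length> must equal
# the number of <e> entries, with id attributes running from 0 upwards.
SAMPLE_PROXY_XML = """<ConfigRoot>
  <EndpointList>
    <_length>4</_length>
    <_type>vim.ProxyService.EndpointSpec[]</_type>
    <e id="0">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <accessMode>httpsWithRedirect</accessMode>
      <port>8309</port>
      <serverNamespace>/</serverNamespace>
    </e>
    <e id="1">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <accessMode>httpAndHttps</accessMode>
      <port>8309</port>
      <serverNamespace>/client/clients.xml</serverNamespace>
    </e>
    <e id="2">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <accessMode>httpsWithRedirect</accessMode>
      <port>8309</port>
      <serverNamespace>/mob</serverNamespace>
    </e>
    <e id="3">
      <_type>vim.ProxyService.LocalServiceSpec</_type>
      <accessMode>httpsWithRedirect</accessMode>
      <port>8309</port>
      <serverNamespace>/sdk</serverNamespace>
    </e>
  </EndpointList>
</ConfigRoot>
"""


def _endpoint_list(xml_text):
    """Parse the document and return (root, EndpointList element)."""
    root = ET.fromstring(xml_text)
    ep_list = root.find("EndpointList")
    if ep_list is None:
        raise ValueError("no EndpointList element found")
    return root, ep_list


def endpoint_namespaces(xml_text):
    """Return the serverNamespace of every <e> entry, in document order."""
    _, ep_list = _endpoint_list(xml_text)
    return [e.findtext("serverNamespace") for e in ep_list.findall("e")]


def check_endpoint_list(xml_text):
    """Return a list of bookkeeping problems; an empty list means consistent."""
    _, ep_list = _endpoint_list(xml_text)
    entries = ep_list.findall("e")
    problems = []
    declared = int(ep_list.findtext("_length"))
    if declared != len(entries):
        problems.append("_length is %d but %d <e> entries are present"
                        % (declared, len(entries)))
    ids = [int(e.get("id")) for e in entries]
    if ids != list(range(len(entries))):
        problems.append("ids %s are not contiguous from 0" % ids)
    return problems


def remove_endpoint(xml_text, namespace, repair=True):
    """Drop the <e> entry whose serverNamespace equals `namespace`.

    repair=True is the complete procedure from the thread: after the element
    is removed, <_length> is set to the new entry count and the remaining ids
    are renumbered. repair=False reproduces the incomplete edit (element gone,
    bookkeeping untouched) so the checker can show what it looks like.
    """
    root, ep_list = _endpoint_list(xml_text)
    victims = [e for e in ep_list.findall("e")
               if e.findtext("serverNamespace") == namespace]
    if not victims:
        raise KeyError("no endpoint with serverNamespace %r" % namespace)
    for e in victims:
        ep_list.remove(e)
    if repair:
        remaining = ep_list.findall("e")
        ep_list.find("_length").text = str(len(remaining))
        for idx, e in enumerate(remaining):
            e.set("id", str(idx))
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    hardened = remove_endpoint(SAMPLE_PROXY_XML, "/mob")
    print(hardened)
    print("problems after full procedure:", check_endpoint_list(hardened))
    broken = remove_endpoint(SAMPLE_PROXY_XML, "/mob", repair=False)
    print("problems after incomplete edit:", check_endpoint_list(broken))
```

Run it against a copy of the file, diff the result against the original, and only then put it in place and restart the management agents with services.sh as the thread describes; afterwards confirm that the host reconnects to vCenter and that the /mob path no longer answers through the host's web interface.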
Chamon
Commander

Texiwill thanks for the assist.

Chamon
Commander

One more thing: do you have a projected time for the release of the finalized version? I will be going through a large portion of these configurations. If this forum is monitored by the security team, I can post any other issues we run into here.

Charu
Enthusiast

I'm going to post it today, actually. But, please do continue to provide feedback on the final version, as we will be issuing updates as needed. Thanks for your help.

Chamon
Commander

Will do. How about making the VIC not able to ignore a non-trusted cert? We want to remove the ability to download the VIC from rack host and VC, or replace it with one that will not allow the user to use a non-trusted cert. Any thoughts on that?

On Apr 13, 2010, at 4:45 PM, Charu <communities-emailer@vmware.com

Charu
Enthusiast

This is a common request, and we are looking into ways to implement this. Hopefully you see this show up in one of the future releases.
