VMware Cloud Community
proden20
Hot Shot

VLANs, Accounts, and Passwords

We had an ESX environment installed and passed on to us with little security tweaking after integration. Unfortunately, the integrator did not tell us we'd need separate VLANs, so at the time we had only an unmanaged switch. All ESX NICs are connected to this unmanaged switch. Our concern is that some of our developers might find these hosts and attempt to play with the VMware API out of curiosity and simply for fun.

There are 3 ESX servers, each with 4 nics.

ESX-1

vSwitch0 (nic 0&2)

Service Console x.x.2.12

Vmotion: x.x.3.12

vSwitch1 (nic 1&3): x.x.2.0/24 - virtual machine network

ESX-2

vSwitch0 (nic 0&2)

Service Console x.x.2.13

Vmotion: x.x.3.13

vSwitch1 (nic 1&3): x.x.2.0/24 - virtual machine network

ESX-3

vSwitch0 (nic 0&2)

Service Console x.x.2.14

Vmotion: x.x.3.14

vSwitch1 (nic 1&3): x.x.2.0/24 - virtual machine network

The questions:

- If I apply new IP addresses to the service consoles now that this is up and running, will it disrupt the virtual machines? I assume it would obviously disrupt management consoles and cluster behavior.

- The VMotion and service consoles are on the same virtual switch in order to get redundancy from the 2 available NICs, but the aim is to put them on different VLANs as well as change the subnet for the service consoles. Can the same virtual switch address separate VLANs?

- Aside from creating the VLANs on the Cisco switch, what needs to be done on the VMware side of things?

- I am not happy with the root password. All the docs I have seen indicate that the system needs to be powered down and interrupted to change the password. What is the best way of changing the root pwd, and are there typically any dependencies on root outside of the local ESX host? I want to make sure nothing is interrupted.

- I am having one heck of a time finding out how we are authenticating to our Virtual Center. The integrator set up PAM authentication on the ESX hosts. It seems that our admins can log in to Virtual Center via VI Client, but test domain user accounts cannot (which is good). Is Virtual Center authentication set by members of local groups on the Virtual Center server? If so, then what is PAM all about?

My apologies, perhaps my questions are valid and can help more than myself. I'm trying to reverse engineer what the integrators did as we didn't have time for complete training.

Thanks!

3 Replies
Texiwill
Leadership

Hello,

We had an ESX environment installed and passed on to us with little security tweaking after integration. Unfortunately, the integrator did not tell us we'd need separate VLANs, so at the time we had only an unmanaged switch. All ESX NICs are connected to this unmanaged switch. Our concern is that some of our developers might find these hosts and attempt to play with the VMware API out of curiosity and simply for fun.

Unless they have the root or administrative passwords of the ESX servers, the API will not work. They need to be able to log in first.

- If I apply new IP addresses to the service consoles now that this is up and running, will it disrupt the virtual machines? I assume it would obviously disrupt management consoles and cluster behavior.

No, they will not affect the VMs; you are correct in that the consoles and clusters will be affected until things are restored.

- The VMotion and service consoles are on the same virtual switch in order to get redundancy from the 2 available NICs, but the aim is to put them on different VLANs as well as change the subnet for the service consoles. Can the same virtual switch address separate VLANs?

Yes. VMware calls them Portgroups.

- Aside from creating the VLANs on the Cisco switch, what needs to be done on the VMware side of things?

Create a portgroup for each VLAN on the appropriate vSwitch and assign the VLAN value where it is required. The VIC can be used to do this easily.

- I am not happy with the root password. All the docs I have seen indicate that the system needs to be powered down and interrupted to change the password. What is the best way of changing the root pwd, and are there typically any dependencies on root outside of the local ESX host? I want to make sure nothing is interrupted.

You do not need to reboot to change the root password. Just change it. However, note that if you use Virtual Center, you should first disconnect the VI3 servers from the VCMS and then reconnect after changing the passwords. You will be asked to type in the root password again. Note that the changing of this password should be done from the service console.

- I am having one heck of a time finding out how we are authenticating to our Virtual Center. The integrator set up PAM authentication on the ESX hosts. It seems that our admins can log in to Virtual Center via VI Client, but test domain user accounts cannot (which is good). Is Virtual Center authentication set by members of local groups on the Virtual Center server? If so, then what is PAM all about?

If the system is set up for Active Directory authentication, there are various PAM modules that will be used to control this access, specifically pam_krb5, pam_access, etc. Check out http://www.astroarch.com/wiki/index.php/Remote_Authentication for more information on the various ways this is accomplished. Note that Virtual Center uses whatever authentication scheme the host Windows system uses, while the VI3 server has to be specifically changed to handle more than local password authentication.

Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
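The portgroup-per-VLAN and console re-addressing steps in the answer above, as an added example that is not part of the thread and not VMware's own tooling. It assumes the ESX 3.x service console commands `esxcfg-vswitch` and `esxcfg-vswif`, and that the Cisco ports feeding vSwitch0 will be trunked for the chosen VLANs; the host layout, VLAN ids and addresses are constructed. The script checks the plan and prints the commands rather than running them, so the output can be reviewed before anything is typed on the host.

```shell
#!/bin/sh
# Added example, not from the thread. Plans the vSwitch0 split that the
# answer describes (one portgroup per VLAN, then re-addressing the service
# console) and prints the ESX 3.x service console commands that would apply
# it, after checking the plan. Names, VLAN ids and addresses are constructed.

# valid_vlan ID -> succeeds only for a usable 802.1Q tag (1-4094).
# To ESX, 0 means "untagged" and 4095 means "all VLANs" (VGT); both are
# rejected here because the goal is one dedicated VLAN per portgroup.
valid_vlan() {
    case "$1" in ''|*[!0-9]*) return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$1" -le 4094 ]
}

# valid_ipv4 ADDR -> succeeds for a dotted quad with octets 0-255.
valid_ipv4() {
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# plan_portgroups VSWITCH NAME:VLAN[:new] ...
# Emits 'esxcfg-vswitch -v VLAN -p "NAME" VSWITCH' per portgroup, preceded by
# 'esxcfg-vswitch -A "NAME" VSWITCH' when the spec ends in ":new" (the thread's
# Service Console and VMotion portgroups already exist, so they are only
# tagged). Fails with no output if a VLAN id is unusable or two portgroups
# share one: the point of the change is that console and VMotion traffic stop
# sharing a broadcast domain with each other and with the VM network.
plan_portgroups() {
    vswitch=$1; shift
    seen=" "; out=""
    for spec in "$@"; do
        name=${spec%%:*}
        rest=${spec#*:}
        vlan=${rest%%:*}
        flag=${rest#"$vlan"}
        valid_vlan "$vlan" || { echo "unusable VLAN id '$vlan' for $name" >&2; return 1; }
        case "$seen" in *" $vlan "*) echo "VLAN $vlan reused by $name" >&2; return 1 ;; esac
        seen="$seen$vlan "
        if [ "$flag" = ":new" ]; then
            out="${out}esxcfg-vswitch -A \"$name\" $vswitch
"
        fi
        out="${out}esxcfg-vswitch -v $vlan -p \"$name\" $vswitch
"
    done
    printf '%s' "$out"
}

# plan_console_ip VSWIF ADDR NETMASK
# Re-addressing vswif0 does not touch VM traffic (that lives on vSwitch1),
# but the VI Client / VirtualCenter connection to the host drops until it is
# reconnected, so this belongs on the physical console, not an ssh session.
plan_console_ip() {
    valid_ipv4 "$2" && valid_ipv4 "$3" || return 1
    printf 'esxcfg-vswif -i %s -n %s %s\n' "$2" "$3" "$1"
}

# Constructed plan for ESX-1 from the thread: tag the two existing portgroups
# on vSwitch0, then move the console off the VM subnet (192.0.2.12 is a
# documentation address standing in for x.x.2.12).
if plan_portgroups vSwitch0 "Service Console:10" "VMotion:20" \
   && plan_console_ip vswif0 192.0.2.12 255.255.255.0; then
    echo "# trunk the Cisco ports for VLANs 10 and 20 first, then run the lines above from the host console"
fi
```

Run it anywhere to get the reviewed command list; on the host, check the current layout with `esxcfg-vswitch -l` and `esxcfg-vswif -l` before and after, and, as the answer says, disconnect the host from VirtualCenter first and reconnect once the console answers on its new address. The VM portgroup on vSwitch1 is deliberately left alone.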
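Since the answer above leans on pam_access to decide which directory accounts get a service console login, here is an added example (not from the thread, and not VMware's or the PAM project's code) that replays the first-match rule of `/etc/security/access.conf` against a constructed policy and group list. It assumes a policy that uses only user names, group names and ALL in the users field, treats every origin as matching, and leaves EXCEPT unimplemented; the group database and user names are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Evaluates a constructed
# /etc/security/access.conf the way pam_access does: lines are
# "perm : users : origins", the first line whose users field matches the
# account decides, and if no line matches the module allows the login.
# Only user names, group names and ALL are understood; origins are ignored
# and EXCEPT is not implemented.

# Constructed policy: the VMware admins group (and root) in, everyone else out.
ACCESS_CONF='# VMware admins only on the service console
+ : root : LOCAL
+ : vmadmins : ALL
- : ALL : ALL'

# Same policy without the closing deny line, to show why that line matters.
WEAK_CONF='+ : vmadmins : ALL'

# Constructed group membership, one "group:member,member" line each.
GROUP_DB='vmadmins:alice,bob
developers:carol,dave'

# access_decision USER [CONF] -> prints "allow" or "deny" (CONF defaults to ACCESS_CONF)
access_decision() {
    conf=${2:-$ACCESS_CONF}
    printf '%s\n' "$conf" | awk -v user="$1" -v groupdb="$GROUP_DB" '
    BEGIN {
        # build the set of groups the user belongs to
        n = split(groupdb, lines, "\n")
        for (i = 1; i <= n; i++) {
            split(lines[i], gp, ":")
            m = split(gp[2], members, ",")
            for (j = 1; j <= m; j++)
                if (members[j] == user) ingroup[gp[1]] = 1
        }
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }          # comment or blank line
    {
        nf = split($0, f, ":")
        if (nf < 3) next                         # not a perm:users:origins line; skipped here
        perm = f[1]; gsub(/[ \t]/, "", perm)
        nu = split(f[2], names, " ")
        for (k = 1; k <= nu; k++) {
            nm = names[k]
            if (nm == "ALL" || nm == user || (nm in ingroup)) {
                decided = 1
                print ((perm == "+") ? "allow" : "deny")
                exit                             # first matching line wins
            }
        }
    }
    END { if (!decided) print "allow" }         # nothing matched: module allows
    '
}

# Constructed check: an admin, a developer, and an account in no local group.
for u in alice carol eve; do
    echo "$u: strict=$(access_decision "$u") weak=$(access_decision "$u" "$WEAK_CONF")"
done
```

The last case is the one worth checking on a real host: without the closing `- : ALL : ALL` line, any account the directory can authenticate is admitted, because pam_access allows when no line matches. Running the same evaluation against the host's actual file and group list tells you whether the integrator's setup really keeps the developers out.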
proden20
Hot Shot

Thank you for the details and tips. I'm sure I'll have more questions for this thread.

Texiwill
Leadership

Hello,

Please remember to award points for helpful or correct answers. These points keep us going.

Best regards,

Edward L. Haletky

VMware Communities User Moderator