VMware Communities
rschwabe
Contributor

Connection to shared VMs via SSH tunneling -> black screen on client

Hi,

I'd like to connect with a Workstation 8 client to a Workstation 8 server via SSH tunneling.

Connecting directly from client to server, I am able to log in and start VMs successfully.

Connecting via SSH tunneling from client to server, I am able to log in. But when starting a VM I get a certificate error (see screenshot) and the screen on the client stays black. Looking at the server, however, I can see that the VM was successfully started and is booting up.

What is the reason for the client's screen to stay black when connecting via SSH tunnel? Might it be due to the certificate error, or are loopback connections not supported?

For clarification on how the SSH tunnel is used: the client connects to the SSH server port of the Workstation Server and forwards all requests going from 127.0.0.1:443 (client side) to 127.0.0.1:443 (server side). So when connecting to the Workstation Server on the client, the server sees the connection request coming from 127.0.0.1 instead of the actual client IP address. Thus my question whether loopback connections are prohibited and, if so, whether this limitation can be reconfigured somehow.

Thanks,

Robert

satya1
Hot Shot

Hi, check this article and try through the default port instead of SSH, which will help find where the exact problem is.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=749640

Yours,

Satya

rschwabe
Contributor

Hi,

In the past days, I did some extensive testing, so far with no success.

I analysed network traffic and port usage with Wireshark and CurrPorts. I was able to figure out the following:

1. The "black screen" issue is not related to some blocked ports or the firewall.

When tunneling through SSH, the VMware Authentication Service of the client is successfully able to connect to the Authentication Service of the server. Furthermore, when artificially blocking port 902 (which is used by the service) on the server and connecting directly (without SSH tunnel), I get a different error message when starting the VM ("Unable to connect to the MKS: Failed to connect to server 10.64.16.70:902") than when connecting via SSH tunnel ("Unable to connect to the MKS: The remote host certificate has these problems: ...").

2. Changing the server's certificate didn't help.

As the attached certificate error message in my first post suggests, one of these two things is wrong with the certificate:

- self signed certificate

- Host name does not match the subject name in certificate

Since the certificate is always self signed (even when connecting directly), I ruled out this possibility for the cause of the black screen.

When connecting via SSH tunnel, the connecting client source address is changed to 127.0.0.1. So I assumed that by changing the certificate subject name to 127.0.0.1 I would get rid of the error message. But I didn't. It still appeared.

3. Loopback connection on the server works.

Since the server didn't seem to like loopback connections (127.0.0.1), on the server I tried to establish a connection to itself (File -> Connect to Server -> 127.0.0.1:443). Doing that, I was able to connect to the server itself and I was even able to start a VM (with no error message appearing).

This still leaves me with the question:

Why am I getting a certificate error message and a black screen when connecting to a VM Workstation Server via SSH tunnel?

The VM does start. But I don't see anything on the client side. It all stays black. Is there some way to deactivate this certificate authentication? Is the black screen even related to this, or am I on the wrong track?

Tested with VMware Workstation version 8.0.1.

jojodancer
Contributor

Running into the same issue here. For security reasons, I'd much rather have ssh exposed instead of a web service/443.

jojodancer
Contributor

Figured it out. In addition to tunneling 443, you need to tunnel 902 as well.

ru2
Contributor

I'm also having this issue with the error message:

[Screenshot: 6-2-2012 9-54-07 AM.png]

I tried various tactics from replies on this thread with no luck. Does anyone have any other ideas how to get around this? Is it possible to change the certificate somehow?

ru2
Contributor

@jojodancer - Is it possible you could give me a hint how to tunnel 902 as well? It seems like that worked for you, and I'd like to try it out but am not sure I can. I get an error that says I can't bind that address. Any thoughts?

jojodancer
Contributor

So here's my setup with fake IP addresses:

remote Windows box (192.168.1.1) -> Linux box (10.0.0.1) -> Windows box hosting VMware Workstation (10.0.0.2)

First, make sure you have Shared VMs set up correctly on your VMware Windows machine.

Firewall stuff

- On the VMware Windows box, open TCP 443 and TCP 902 to the Linux box

- On the Linux box, open SSH (TCP 22) to wherever the remote location is

Remote access setup

- On the remote Windows box, install PuTTY (http://www.chiark.greenend.org.uk/~sgtatham/putty/)

- In PuTTY, create a new session that will allow you to connect to your Linux box and save it (e.g. username@10.0.0.1)

- Once that works, edit the session, and go to Connection -> SSH -> Tunnels

- Create the following tunnels:

  - L902 10.0.0.2:902

  - L443 10.0.0.2:443

- Save when you're done so you can reuse the session

Connecting to the VMware Workstation Windows machine

- On the remote box:

  - start your PuTTY client and connect to the Linux box

  - start up VMware Workstation

  - select "File" -> "Connect to Server"

  - for server name put "127.0.0.1:443"

  - enter username and password

  - if you get any cert warnings, ignore them (at least that's what I think I did)

And at this point, you should be good.

ru2
Contributor

Never mind! I got the tunnel working. I originally could not bind it because the Authorization process was already in use (port 902), so I first killed the process, then created the tunnel and then successfully saw no black screen. Thanks!

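The two-port tunnel from jojodancer's post and the bind failure ru2 describes can both be checked from the client before and after connecting. The following is an added example, not code from any post in this thread: the function names are hypothetical, the hosts are the fake addresses from the post, and an OpenSSH client is assumed in place of PuTTY.

```python
import socket

# Ports from the thread: 443 carries the login session, 902 the VM console
# (the "Unable to connect to the MKS" error quoted above names port 902).
FORWARDS = (443, 902)


def local_port_state(port, host="127.0.0.1"):
    """Return 'free', 'in_use' or 'denied' for a local TCP listen address."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    try:
        s.bind((host, port))
        return "free"
    except PermissionError:
        return "denied"   # OS refused the bind (e.g. privileged port)
    except OSError:
        return "in_use"   # e.g. a local service already listening on 902
    finally:
        s.close()


def ssh_forward_command(jump, target, ports=FORWARDS, bind="127.0.0.1"):
    """OpenSSH equivalent of the PuTTY tunnels, bound to loopback only."""
    # ExitOnForwardFailure makes ssh exit instead of continuing with a
    # missing forward, so a failed bind on 902 is visible immediately.
    cmd = ["ssh", "-N", "-o", "ExitOnForwardFailure=yes"]
    for p in ports:
        cmd += ["-L", f"{bind}:{p}:{target}:{p}"]
    return cmd + [jump]


def unreachable_forwards(ports=FORWARDS, host="127.0.0.1", timeout=2.0):
    """With the tunnel up, list local forward ports that have no listener."""
    missing = []
    for p in ports:
        try:
            socket.create_connection((host, p), timeout=timeout).close()
        except OSError:
            missing.append(p)
    return missing


if __name__ == "__main__":
    for port in FORWARDS:
        print(port, local_port_state(port))
    print(" ".join(ssh_forward_command("username@10.0.0.1", "10.0.0.2")))
```

Binding each forward to 127.0.0.1 keeps the tunnelled 443 and 902 from being reachable by other hosts on the client's network.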
ru2
Contributor

@jojodancer - Thanks for your reply! It was really helpful!
