VMware Cloud Community
netlib
Enthusiast

Accessing vCenter from the Internet side

Using vCenter 6.5 Appliance on ESXi 6.5. I would like to access the Appliance over the Internet. However, I read several posts saying that this is impossible by design.

Sorry if this is a silly newbie question, but then what is the use of a FQDN if not for that? And how does vCenter "know" that it is being used over the Internet (assuming the proper port forwarding on the router)?

7 Replies
daphnissov
Immortal

Exposing vCenter or ESXi across the Internet is a terrible idea from a security standpoint and should absolutely be avoided. A FQDN and Internet accessibility have nothing to do with each other. It's simply a way to resolve a name within a specified domain to the correct IP regardless of how traffic to it gets routed.

netlib
Enthusiast

>> Exposing vCenter or ESXi across the Internet is a terrible idea from a security standpoint and should absolutely be avoided.

Why is it any more terrible an idea than making a Web Server accessible over the Internet?

Are you saying it should be avoided or that it is not possible?

Alex_Romeo
Leadership

Hi,

Instead of making an Internet access to the vCenter, can't you make a RADIUS or VPN access to an internal server and use it to connect to the vCenter?

Best regards,

Alessandro Romeo

Blog: https://www.aleadmin.it/
daphnissov
Immortal

Because vCenter and ESXi have not been designed with the hardening in mind to expose to the Internet like many web servers have been. They should only be made accessible from a LAN.

netlib
Enthusiast

At the moment we RDP into a Windows Server behind the same router as vCenter and connect to vCenter that way. Not the most convenient, but it works.

As an aside, I find the browser-based vCenter client far inferior and much slower than the old Windows Client. I'm sorry they got rid of it.

a_p_
Leadership

>> Why is it any more terrible idea than making a Web Server accessible over the Internet?

Think of it this way. A publicly accessible web server is usually located in a company's DMZ, and has only limited/secured access to production resources.

vCenter Server is comparable with a server room. With access to it, one could e.g. bring down your whole infrastructure.

André

Alex_Romeo
Leadership

Hi André,

I agree with you.

Alessandro Romeo

Blog: https://www.aleadmin.it/