VMware Cloud Community
slashji
Contributor

Accessing vCenter Server 6.7 web panel from external network

We have 8x ESXi hosts and vCenter Server for management.

Our system is built for a studying (virtualization) environment at a Vocational Educational Center.

We'd like to be able to access the web UI from outside networks directly.

For example, students/teachers away from the school network type https://vsphere.edu.domain.com in the browser and then access the vCenter UI panel.

As usual, webservers need ports forwarded to them and some "holes" in the firewall - I have done it thousands of times with different routers and servers in daily production and for testing purposes.

So we opened up ports :80 and :443 in our firewall and did port forwarding to our vCenter Server - but as soon as we try to open the UI (HTML5) panel, traffic drops and the address bar shows the internal IP address of our vCenter Server.

Security is not a concern here because the whole system is built for studying purposes.

Using a VPN is also not an option because we don't need the extra hassle of configuring VPN profiles on hundreds of PCs and setting up a "Help Desk" for VPN setups.

We just need to access the vCenter HTML5 panel like any normal web service.

Note: we used the internal IP address instead of an FQDN during the vCenter installation.

Somehow the vCenter Server web UI is not a typical web server...

Any tips?

0 Kudos
5 Replies
didarsm
Contributor

Hi slashji,

Can you please explain your environment a little bit more, e.g. do you use an external PSC or an embedded PSC with vCenter?

1> If you use an external PSC, you need to allow port 443 of the PSC server.

2> You need a custom hosts file on each machine from which you are trying to access the vCenter UI. The hosts file should contain the hostnames of the vCenter Appliance and the PSC.

3> Make sure that you are able to resolve these hostnames/IPs from the VPN PCs.

4> Check your firewall configuration. The VPN profile should allow both the PSC and vCenter IPs.

Sample:

192.168.100.101     vcenter.local.com

192.168.100.102     psc.local.com

If you use an embedded PSC, make sure of the above points except no. 1.

Good Luck!

Regards.//

0 Kudos
sk84
Expert

> Security is not a concern here because the whole system is built for studying purposes.

Even if you want to ignore that, nowadays security is always a concern. Even if you don't have important data on these systems, these systems pose a danger to all other Internet users if they are compromised. vSphere is not designed to run on the Internet and is not hardened accordingly. It is therefore simply irresponsible to connect such unsafe systems to the Internet.

> We just need to access the vCenter HTML5 panel like any normal web service.
>
> Note: we used the internal IP address instead of an FQDN during the vCenter installation.
>
> Somehow the vCenter Server web UI is not a typical web server...

As already indicated, vCenter is not designed for such port forwarding use cases and therefore such setups are not supported. It isn't a normal web service, but a very special web application. To be more specific: when you open the vSphere client, some components redirect internally to the vCenter hostname, so it also always redirects your initial request. This is by design.

--- Regards, Sebastian VCP6.5-DCV // VCP7-CMA // vSAN 2017 Specialist Please mark this answer as 'helpful' or 'correct' if you think your question has been answered correctly.
0 Kudos
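The redirect behaviour described in the reply above can be confirmed from the redirect chain a browser or proxy records: the hop that leaves the public name for the address vCenter was installed with is the point where an outside client loses the connection. This is an added example, not part of the thread and not VMware code; the function names are hypothetical and the hop list is constructed sample data, not a capture from a real vCenter.

```python
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)

def host_kind(host):
    """Classify a URL host as 'private-ip', 'public-ip' or 'name'."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return "name"
    internal = ip.is_private or ip.is_loopback or ip.is_link_local
    return "private-ip" if internal else "public-ip"

def trace_redirects(start_url, hops):
    """Walk captured (status, Location) pairs and report every hop
    that sends the client to a host other than the one it asked for."""
    findings = []
    current = start_url
    public_host = urlsplit(start_url).hostname
    for status, location in hops:
        if status not in REDIRECT_CODES or not location:
            break  # chain ends at the first non-redirect response
        target = urljoin(current, location)  # resolves relative Location values
        host = urlsplit(target).hostname
        if host is not None and host != public_host:
            findings.append({"from": current, "to": target,
                             "kind": host_kind(host)})
        current = target
    return findings

# Constructed sample: public name from the question, internal address
# borrowed from the hosts-file sample earlier in the thread.
START = "https://vsphere.edu.domain.com/"
SAMPLE_HOPS = [
    (302, "/ui/"),                         # relative: stays on the public name
    (302, "https://192.168.100.101/ui/"),  # absolute: installed internal IP
    (200, None),
]

if __name__ == "__main__":
    for f in trace_redirects(START, SAMPLE_HOPS):
        print(f"{f['from']} -> {f['to']} ({f['kind']})")
```

A `private-ip` finding means the server itself is handing out an address that is unreachable from outside, so port forwarding alone cannot make the session work.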
slashji
Contributor

Thank you everyone for the replies.

So my question continues...

As told, the vCenter Server webapp doesn't act like a classic webserver.

Is there any way I can use a reverse proxy to access the web panel?

0 Kudos
sjesse
Leadership

It's possible but really tough to get it to work. Can you set up a VPN connection into the same management network? You could even set up a free server like OpenVPN and just provide instructions to those that need it.

0 Kudos
minivlab
Enthusiast

As others have already mentioned - it is going to be a real pain trying to set this up to work remotely the way you intend, and it is not smart from a security standpoint. Have you considered deploying a VDI solution like Horizon? Users could access a Windows desktop via their web browser and have the ability to access whatever environment you'd like. Horizon is meant to be publicly accessible and has a security appliance/broker for this purpose.

0 Kudos