VMware Cloud Community
Bond33
Contributor

Possible to disable or restrict the use of "Web Console"?

Hello,

I'm trying to find a way to disable or restrict the use of the "Web Console" for all VMs or just for a single VM.

Maybe hide the "Launch Web Console" Button?

Maybe use a security group?

The reason for this is that using "Web Console" is destroying screen resolution settings and the use of the mouse.

I want only the "Remote Console" to be used.

0 Kudos
5 Replies
lamw
Community Manager

0 Kudos
Bond33
Contributor

Hi, thanks for the answer, but this is not working.

I want to force the admins to use VMRC only.

If I put them in a security group, they can use both (web console and vmrc) or they are NOT allowed to use any of the consoles.

regards

Bond

0 Kudos
lamw
Community Manager

If you want to only allow VMRC (Standalone VMRC Client) connections but block the HTML VM Console, then one way to do this is based on the technique used in https://williamlam.com/2021/06/how-to-restrict-vsphere-ui-access-while-maintaining-vsphere-api-funct... but instead of blocking the /ui endpoint, you would add a security constraint to the /ui/webconsole URI, and this would apply globally for ALL users. You could set up additional configurations to restrict it by client IP and/or credentials (see https://www.virtuozzo.com/company/blog/restrict-access-tomcat-web-application-hosting/).

For a global block, you can add the following snippet at the bottom (right before the closing "web-app" tag) of /usr/lib/vmware-vsphere-ui/server/conf/web.xml:

    <security-constraint>
      <web-resource-collection>
        <url-pattern>/ui/webconsole.html</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>

Save your changes and then restart the vSphere UI for the change to go into effect by running the following command:

    service-control --restart vsphere-ui

You should now be able to access VMRC, but when you click on HTML VM Console, you'll get a 403 (Forbidden).
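
An added example, not part of the thread and not VMware's own tooling: a Python script that applies the global block described above, refusing to write web.xml unless the result is still well-formed XML with the constraint as the last child of `web-app`, and keeping a backup copy for rollback. The marker name, the `.bak` suffix and the extra `<web-resource-name>` element (which the servlet deployment descriptor schema lists as required) are assumptions of this example.

```python
import shutil
import xml.dom.minidom
from pathlib import Path

# Path taken from the post; point this at a copy to rehearse the change.
WEB_XML = Path("/usr/lib/vmware-vsphere-ui/server/conf/web.xml")
MARKER = "block-html-vm-console"  # hypothetical name, also used to detect an earlier run

# The post's constraint plus <web-resource-name>, which the servlet schema requires.
CONSTRAINT = f"""
    <security-constraint>
      <web-resource-collection>
        <web-resource-name>{MARKER}</web-resource-name>
        <url-pattern>/ui/webconsole.html</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>
"""

def add_constraint(text: str) -> str:
    """Return web.xml text with the constraint placed right before </web-app>."""
    if MARKER in text:
        return text  # already applied, do not add a second copy
    head, closing, tail = text.rpartition("</web-app>")
    if not closing or tail.strip():
        raise ValueError("expected </web-app> as the last tag in the file")
    patched = head.rstrip() + "\n" + CONSTRAINT + closing + tail
    # parseString raises ExpatError if the result is not well-formed XML.
    root = xml.dom.minidom.parseString(patched.encode("utf-8")).documentElement
    elements = [n for n in root.childNodes if n.nodeType == n.ELEMENT_NODE]
    if root.tagName != "web-app" or elements[-1].tagName != "security-constraint":
        raise ValueError("constraint did not end up as the last child of <web-app>")
    return patched

def apply_block(path: Path = WEB_XML) -> bool:
    """Patch the file in place, keeping web.xml.bak; False if nothing changed."""
    original = path.read_text(encoding="utf-8")
    patched = add_constraint(original)  # raises before anything is written
    if patched == original:
        return False
    shutil.copy2(path, path.with_name(path.name + ".bak"))
    path.write_text(patched, encoding="utf-8")
    return True

if __name__ == "__main__":
    changed = apply_block()
    print("web.xml updated; restart vsphere-ui" if changed else "constraint already present")
```

If vsphere-ui does not come back after the restart, copying web.xml.bak over web.xml and restarting again returns the service to its previous configuration.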

 

Bond33
Contributor

Beautiful!

Works great and is the perfect solution for my "problem".

Thank you so much!

0 Kudos
joe4VMware
Contributor

Hello lamw,

If I add the snip to web.xml the vsphere-ui doesn't start anymore

We use VMware-VCSA-all-8.0.1-22368047

Please help to fix it 

Thanks

Josef

0 Kudos