mcrampton
Enthusiast

Launching console for VM's across a VPN connection

Hi, I am trying to launch a console window for a VM. I am connected to Virtual Centre using the VI client, on a NAT'd address across a VPN (i.e., the local internal address of the VC server is 10.x.x.x, but I am entering 125.x.x.x in my VI client connection window). I can successfully log in and perform all tasks using the VI except launch a console window.

When I attempt to launch a console, I receive the following error: "Host address lookup for <servername.domain.com> failed: the requested name is valid and was found in the database, but it does not have the correct associated data being resolved for"

If I add the line

<nat IP address> <servername.domain.com>

to my local hosts file on my laptop, I get a different error: "Error connecting: Cannot connect to host <servername.domain.com>: A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond. Do you want to try again?"

If I try again I get the same error message.

I realize this is not an ideal way to connect, however I am not able to modify the network settings on my laptop, as it is a locked down laptop provided by the company I am contracting to. The only other method I can use to connect to the VM's is to RDP to the VC server and launch the VI locally. However, there are 10 of us on the team and contention for RDP sessions is going to be a problem.

So, does anyone have any ideas how I can successfully launch a console window for VM's, given my set of circumstances? Thanks.

Texiwill
Leadership

Hello,

Moved to the vCenter Server forum.

This is not possible. While your VPN can access vCenter, it cannot resolve the IP addresses of the ESX hosts. For Remote Console to work, your VPN client must be able to resolve vCenter as well as the ESX hosts.

The best solution to this is to create a VM running XP or something like that to which you can RDP into from the VPN. Then from that VM you access vCenter and ESX hosts. Yes this would be a management VM. The key here is that if the VPN is dropped your work is also not lost.


Best regards,
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, DABCC Analyst
====
Author of the books 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing ESX and the Virtual Environment' available for pre-order now
'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

--
Edward L. Haletky
vExpert XIV: 2009-2022,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill
mcrampton
Enthusiast

Hi,

Thanks for the reply. Thing is, I can add the ESX hosts' NAT'd addresses to my local hosts file and ping them by name. I think the problem may be a firewall one, in that port 903 is not opened. I've sent a request to have it opened up for the VPN subnet and I guess we'll see if it works.

We already have RDP access to the virtual centre server, however there are 14 of us on the team, and being limited to 2 RDP connections concurrently is causing a major management headache.

Thanks.

Texiwill
Leadership

Hello,

Create 7 Administrative VMs then. 2 connections per VM gives you 14 connections available. Each Admin in effect has their own connection to use. They fire up the VIC from within these VMs.

This is the safest way, less firewall items to add.


Best regards,
Edward L. Haletky
mcrampton
Enthusiast

I'm pretty sure the client will not be willing to do this. I am on a contract team taking over the intel server infrastructure.

Do you think the firewall rule will work?

Thanks.

Texiwill
Leadership

Hello,

It may. I ended up using the 'administrative VMs' as it is a) more secure (less firewall rules, and there are per VM access controls) b) easier to manage and c) network flakiness resistant... i.e., what you were doing will not be lost if the network dies for some reason.

You open up something like RDP only and use that through the VPN so everything is encrypted. Then all should be well. If it a) improves their user/administrator experience b) improves security c) takes less security changes to implement I am not sure why anyone will not wish to do this.


Best regards,
Edward L. Haletky
0 Kudos
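
Added example, not part of the original thread: the two errors quoted in the first post correspond to two different failure stages (name resolution, then a TCP connection that times out), and this Python sketch reports which stage fails for each host and port so a firewall request can be limited to what is actually blocked. Port 903 comes from the thread; port 443, the host names and the `probe`/`survey` helpers are assumptions made for illustration.

```python
import socket

# 903 is the console port named in the thread; 443 is an assumption for the
# VI client's management connection to vCenter.
DEFAULT_PORTS = (443, 903)


def probe(host, port, timeout=3.0, resolver=socket.getaddrinfo):
    """Classify one host/port pair as resolve-failed, timeout, refused, open or error."""
    try:
        infos = resolver(host, port, socket.AF_INET, socket.SOCK_STREAM)
    except socket.gaierror as exc:
        # Stage 1 failed: the name does not resolve from this client (first error in the thread).
        return ("resolve-failed", str(exc))
    addr = infos[0][4]
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect(addr)
        return ("open", addr[0])
    except socket.timeout:
        # Stage 2 failed silently: typical of a firewall dropping packets (second error).
        return ("timeout", addr[0])
    except ConnectionRefusedError:
        # The host answered but nothing listens on the port, or a firewall sent a reset.
        return ("refused", addr[0])
    except OSError as exc:
        return ("error", "%s: %s" % (addr[0], exc))
    finally:
        sock.close()


def survey(hosts, ports=DEFAULT_PORTS, **kwargs):
    """Probe every host/port combination and return {(host, port): (stage, detail)}."""
    return {(h, p): probe(h, p, **kwargs) for h in hosts for p in ports}


if __name__ == "__main__":
    # Constructed placeholder names; replace with the vCenter and ESX host names
    # exactly as the VI client reports them in its error message.
    targets = ["vcenter.example.com", "esx01.example.com"]
    for (host, port), (stage, detail) in sorted(survey(targets).items()):
        print("%-24s %5d  %-14s %s" % (host, port, stage, detail))
```

A `timeout` on 903 while 443 is `open` for the same host points at a filtered port rather than a name-resolution problem.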