VMRC-Link Creation Package for vRO

Hi guys,

I'd like to share a new package with you which will take off a bit of the pressure that was generated with the recent VMRC vulnerability VMSA-2014-0013.

As you may know, a recent bug in the vRA VMRC implementation forced VMware to remove the VMRC from the latest vRA release 6.2. As much as I personally endorse the security policy VMware is running here, I also understand the need of many customers to provide VMRC access to their users. Within secured network infrastructures the possible risk of exploitation is minimal and limited to people who have access to the network. In such cases you may want to ignore the VMRC flaws and just use it anyways - the decision should be within the hands of the administrator.

However, the yet better solution which will work for most customers is using the vSphere VMRC for this job till the flaw in the vRA VMRC is fixed (since only the vRA VMRC is affected by VMSA-2014-0013). The only requirement here is that your users are able to access vCenter on the ports required for the VMRC (depending on the VMRC type - defaults: 7331,9443,443).


Please note that this package will also empower you to provide HTML5 based VMRCs to your users, BUT since the HTML5 VMRC URI specification is not final yet, the links this package creates for you may stop working with future updates of vSphere. If that ever happens: let me know and I'll take a look into it.

About

  • This package for vRO will create HTML5, Flash or standalone VMRC console links for a given VM. Visiting the link will open the VMRC to that VM and allow access to the VM.
  • vRA OGNL workflows are prepared for you so you're ready to use this with vRA's ASD day-2-operations. The images attached show you a quick&dirty example of the integration.

Requirements:

  • In order to access the links, the user has to be able to reach the vCenter used for VM-hosting on the ports that the VMRC implementations use (differs depending on what type of VMRC you want to use)
  • vCenter 5.5 and vCenter 5.5.2 vRO Plugin installed
  • vRealize Orchestrator 5.5.2 installed and the vCenter that hosts your VM added to the vRO vCenter plugin

Limitations

  • I didn't have much time for error handling. The scripts are robust enough, though if you run into any issues, please let me know and I promise amendment.
  • As I already said: the HTML5 VMRC URI specification is not final yet, which may cause the generated HTML5 VMRC links not to function if you ever update your vSphere (which of course you should).
  • Except for the standalone VMRC workflow, all scripts assume default vSphere ports. Edit them to your needs if you changed your ports.

Thanks to

Licensing

Copyright (C) 2014-2015  Robert Szymczak (rszymczak@fum.de)

This program is free software: you can redistribute it and/or modify it under the terms of the GNU Lesser General Public License as published by the Free Software Foundation, either version 3 of the License, or (at your option) any later version.

This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Lesser General Public License for more details.

You should have received a copy of the GNU Lesser General Public License along with this program.  If not, see <http://www.gnu.org/licenses/>.

Comments

I added the Flash and HTML5 workflows into vRA as "Resource Actions".  They both work but the user has to go into each VM in their item list and submit the requests and then go into the requests tab to get the console links to their VMs. Is there a way to have the resource action wait for the workflow to execute and then open a new browser tab with the returned url?

That is as far as the user gets currently because we don't allow open access to VM consoles in vCenter.  We will have to automate the VM permission changes during creation.  Unfortunately I haven't figured out how to edit the server provisioning workflow (CloneWorkflow), that is referenced in the machine blueprints, to set console permissions on the VM as it is created in vCenter.  Does anyone know where the CloneWorkflow resides and if it is editable?  I'm hopeful that I can pass VirtualMachine.Admin.Owner custom property to the workflow so that it can find that username in AD and assign a role on the VM.

Thoughts? Thanks!

Yes, that's possible and that's exactly what makes the difference between the "normal" workflows and the vRA workflows (illustrated here within shot2). When calling the workflow an OGNL request will be made for the "url" input field based on what "vm" object was automatically provided by vRA. Make sure that you set the url-field within the ASD forms designer to "read only" and use the field-type "link" for it. After running the action the user should see the "input"-field url that will be automatically populated by the workflow. In vRA 6.2 you should even see a "loading" spinning cycle while the OGNL expression is executed which is kinda cool.

There are plenty of examples in the forums showing you how to implement OGNL workflows within vRA - although it may differ a little bit depending on the vRA version you are using.

Hey, this is really useful and great work! As far as you know, is there any way to limit the "amount" of permissions the user gets by using this approach? I mean, if one is interested in simply allowing the user to mount an ISO and basic "ctrl-alt-del" commands, how can you limit the Manage/Virtual Machine Settings options? By using this approach one does get console + mount local ISO, but it'll also allow the user to edit the VM.

Thanks!

Hi Guys..

I have been looking for this solution for a long time...

Thank you a lot..

But I am new to vRA .. I unzipped the package but I don't know how to use them .. where to import them & what to change inside..

Please help with this ..

Thank you

Version history: revision 1 of 1, last update 02-01-2015 04:17 AM