DSeaman
Enthusiast

ESXi lockdown with virtualized vCenter? Chicken and the egg problem.

We are in the planning stage of an ESXi deployment, and security best practices recommend that ESXi be installed in lockdown mode. This prevents VIC connections, but the hosts can of course be managed by vCenter. However, we will likely virtualize our vCenter. Should we need to power down all ESXi hosts, or should the vCenter VM go belly up, we would be unable to use VIC for any type of troubleshooting or controlling the VMs. Yes, we could go to the local console of each host and disable lockdown, but that adds confusion and extra steps and increases potential downtime.

Our ESXi management ports will be on a non-routed private subnet, with the vCenter VM having one NIC on this isolated subnet. So it seems to me that you can't really use ESXi in lockdown mode with a virtualized vCenter server. Given the management port will be on a private VLAN with no routing, I don't see too much security risk in running in non-lockdown mode. But we need to justify to our security folks why we aren't performing the lockdown.

Am I missing another solution?

Derek Seaman
5 Replies
dconvery
Champion

I don't know how many times a week I hear someone say "Use SSH in ESXi." It is disabled for a reason. What should REALLY be done is to use the Perl-based vCLI, the vMA, or the PowerShell-based PowerCLI to perform management functions instead of circumventing the security of lockdown mode.

Don't get me wrong. There may be valid reasons to enable SSH on ESXi, but there is a reason why you must type "unsupported" to get to the shell.

Dave Convery, VMware vExpert 2009, http://www.dailyhypervisor.com

"Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"

bulletprooffool
Champion

Enabling lockdown disables root access.

The way to go is to create a different account for remote management, enable lockdown, and you're good to go.

One day I will virtualise myself . . .
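Tying together dconvery's PowerCLI suggestion and bulletprooffool's separate-account approach, here is an added audit script (not from this thread or from VMware) that lists each host's lockdown state and whether a named break-glass local account is on the host's lockdown exception list. It assumes PowerCLI against a vSphere 6.0 or later API (the HostAccessManager object; the vSphere 4-era behaviour discussed above differs), and the vCenter name and account name are placeholders.

```powershell
# Added example: audit lockdown mode and break-glass exception users per ESXi host.
# Assumptions: PowerCLI installed, vSphere 6.0+ API, placeholder vCenter and account names.
param(
    [string]$VCenter        = 'vcenter.example.internal',  # placeholder
    [string]$BreakGlassUser = 'esxadmin'                   # placeholder local account
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($esx in Get-VMHost) {
    $hostView = $esx.ExtensionData
    # HostAccessManager exposes the lockdown API (QueryLockdownExceptions, ChangeLockdownMode).
    $ham        = Get-View -Id $hostView.ConfigManager.HostAccessManager
    $exceptions = @($ham.QueryLockdownExceptions())

    [pscustomobject]@{
        Host           = $esx.Name
        # lockdownDisabled / lockdownNormal / lockdownStrict. Strict mode also stops the DCUI,
        # which removes the "walk to the local console" fallback the original poster relies on.
        LockdownMode   = $hostView.Config.LockdownMode
        ExceptionUsers = ($exceptions -join ',')
        # Exception users must also hold an Administrator permission directly on the host.
        BreakGlassOk   = ($exceptions -contains $BreakGlassUser)
    }
}

$report | Format-Table -AutoSize

# A locked-down host with no exception user is unreachable directly if the vCenter VM is down.
$report |
    Where-Object { $_.LockdownMode -ne 'lockdownDisabled' -and -not $_.BreakGlassOk } |
    ForEach-Object { Write-Warning "$($_.Host): locked down with no exception user '$BreakGlassUser'" }

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a management workstation that can reach vCenter; hosts flagged by the warning are the ones that would force a trip to the DCUI in the vCenter-down scenario the thread describes.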
DSeaman
Enthusiast

Excellent, I'll try the alternate account method!

Derek Seaman
dconvery
Champion

Great catch, Alan! I just assumed that there was a second administrative account already set up.

Dave Convery, VMware vExpert 2009

"Careful. We don't want to learn from this." -Bill Watterson, "Calvin and Hobbes"
