VMware Cloud Community
micze
Contributor

turn off UI on esxi 6.5

hello,

I am administering hundreds of ESXi (currently at 6.5 U1g) servers via vCenter (6.5 U1g) and was recently tasked to replace all self-signed/VMCA-issued certificates used by ESXi with certificates signed by our internal CA. Given the amount of work that's involved in that, I am exploring a way of disabling the UI logon page directly on ESXi hosts.

Does anyone know how to achieve this?

The only KBs for stopping HTTP/S I've found refer to an old version of ESX, and the command provided by VMware support for ESXi does not work (vim-cmd proxysvc/remove_service "/ui" "httpsWithRedirect").

Enabling lockdown mode does not turn off the UI logon page.

Thanks for your input.

8 Replies
sjesse
Leadership

Is that a Microsoft CA or a CA that can provide intermediate CA certificates?

https://thewificable.com/2018/05/02/vmca-6-5-with-embedded-psc-as-an-intermediate-ca/

Basically you make the VCSA a CA and that provides certificates to all vCenter and ESXi servers. I personally wouldn't disable the UI interface just to fix a certificate issue.

micze
Contributor

Thanks, @sjesse. I am considering making the VCSA a subordinate CA, but there are security challenges related to it (all the security requirements that our PKI infra needs to meet). If we follow that path, would you know what would be the best approach to renew/replace already existing certificates?

As for disabling the UI on ESXi... we don't log in to ESXi directly; disabling the UI is a step towards security hardening of vSphere, considering that it's not required by other vSphere services/components.

Looks like there is no way to turn off the UI in 6.5?

alphadog00
Contributor

How about lockdown mode?

micze
Contributor

Tested it and it does not turn off the UI login page (the user can still reach it and has to accept the self-signed cert).

daphnissov
Immortal

> I am administering hundreds of ESXi (currently at 6.5 U1g) servers via vCenter (6.5 U1g) and was recently tasked to replace all self-signed/VMCA-issued certificates used by ESXi with certificates signed by our internal CA. Given the amount of work that's involved in that, I am exploring a way of disabling the UI logon page directly on ESXi hosts.

I'm trying to understand what these two functions have to do with each other. The cert replacement process is done at the vCenter level. How would disabling the ESXi UI help or ease that? If it doesn't and they're two separate things, why the interest in trying to do so in the first place?

micze
Contributor

Hey daphnissov, our security team does not want users to be prompted to accept untrusted certs on any running web servers in corp, hence the choice of either replacing the self-signed certs on ESXi or disabling the UI/stopping the web service. Since we've no interest in using it directly on ESXi (same as SSH), users won't be prompted at all.

daphnissov
Immortal

> Our security team does not want users to be prompted to accept untrusted certs on any running web servers in corp.

But... if they can't log in to ESXi because they have no permissions anyhow, and the self-signed cert is only ever applicable to a single host, what's the concern exactly? There's no compromise the client experiences in that case, or that would lead to another potential compromise. Plus, users shouldn't be hitting the ESXi hosts directly in the first place but only vCenter. So I'm not so sure this makes a lot of sense in the first place.

micze
Contributor

It's about following security practices, where any user (the weakest link) hitting that page will be prompted to accept an untrusted cert. The bottom line is that this is exposed to the network, it runs a web server and it has an untrusted cert.

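Added note, not from any of the posters above: the thread's underlying question is which of the hundreds of hosts still serve a certificate a browser would refuse (self-signed, VMCA-issued, or not matching the hostname). The standard-library Python check below answers that at scale by attempting a verified TLS handshake on port 443 against the internal CA bundle; the bundle path and the host list are assumptions for this example.

```python
import socket
import ssl
from concurrent.futures import ThreadPoolExecutor

INTERNAL_CA_BUNDLE = "/etc/pki/tls/internal-ca-chain.pem"  # assumed path to the corp CA chain
HOSTS = ["esx01.corp.example", "esx02.corp.example"]       # constructed host list


def rdn_to_dict(name):
    """Flatten the nested RDN tuples that getpeercert() returns into {attr: value}."""
    return {attr: value for rdn in name for attr, value in rdn}


def describe_peer(cert):
    """Classify a getpeercert() dict: ('self-signed', subject CN) or ('issued', issuer CN)."""
    subject = rdn_to_dict(cert["subject"])
    issuer = rdn_to_dict(cert["issuer"])
    if subject == issuer:
        return "self-signed", subject.get("commonName", "?")
    return "issued", issuer.get("commonName", "?")


def check_host(host, port=443, cafile=INTERNAL_CA_BUNDLE, timeout=5.0):
    """Return (host, status, detail); status is 'ok' only when the chain validates
    against cafile AND the certificate name matches the host, i.e. no browser prompt."""
    try:
        ctx = ssl.create_default_context(cafile=cafile)  # CERT_REQUIRED + hostname check
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                kind, cn = describe_peer(tls.getpeercert())
                return host, "ok", f"{kind} ({cn})"
    except ssl.SSLCertVerificationError as exc:  # untrusted chain, expired, or name mismatch
        return host, "untrusted", getattr(exc, "verify_message", None) or str(exc)
    except OSError as exc:  # DNS failure, refused, timeout, missing CA bundle
        return host, "error", str(exc)


def scan(hosts, workers=32):
    """Check hosts in parallel; return {status: [(host, detail), ...]}."""
    report = {"ok": [], "untrusted": [], "error": []}
    with ThreadPoolExecutor(max_workers=workers) as pool:
        for host, status, detail in pool.map(check_host, hosts):
            report[status].append((host, detail))
    return report

if __name__ == "__main__":
    for status, entries in scan(HOSTS).items():
        for host, detail in entries:
            print(f"{status:10} {host:40} {detail}")
```

Hosts listed as "untrusted" are the ones whose certificate still needs replacing (or whose name does not match); rerunning after the vCenter-driven renewal confirms the rollout.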