VMware Cloud Community
evil242
Enthusiast

vRA Cloud SaaS console to VMs not working

We are working to migrate from on-prem vRA 7.6 behind F5 to the new vRA SaaS. On vRA 7.6, we had all connection access flowing through the F5, including console access, allowing us to keep vCenter and ESXi hosts on an internal secured network without exposing them to client customers or other potential exploits.

We were hoping to use the MFA on vRA SaaS to provide provisioning, VM management including console access to our client customers.

We are having an issue getting VM Consoles from vRA SaaS through the on-prem proxy to the vCenter / ESXi cluster. From any network (off-prem, wireless, any unsecured network) other than the allowed VPN or Datacenter network, we get the error message:

Cannot establish a remote console connection. Verify that the machine is powered on. If the server has a self-signed certificate, you might need to "accept the certificate", then close and retry the connection.
 
If I click the link, it tries to take me directly to the ESXi Host. Even from the Xfinity network.
 
I opened a support case and was told by VMware support:

“In order to access the remote console of any VMs deployed under the vCenters, they will need to be able to access the ports and trusted certificates of the ESXi and VC hosts on both port 902 and 443, with access from both the remote destination user device and the vRA appliance if on-prem, through the cloud proxy appliance in a cloud application variation.

The remote connection is established and connected through vRA to the vCenter appliance for remote console connection, but ultimately passes the connection from user to VC directly through those two ports: 443 for the web console view and 902 for auth and control access.

Since vRA does not offer a remote console service, it is all on the ESXi functionality to offer the remote control access port, and all communication goes directly to the endpoint in this program.”
 
Does anyone else feel concerned with opening their vCenter and ESXi Hosts up to the public internet over 443 and 902?
 
I was wondering if anyone knew how to solve this issue without creating a security vulnerability to our vCenter and ESXi Hosts.

Damion Terrell (He/Him)
Core IT Service Specialist
UNM – IT Platforms – VIS
“You learn the job of the person above you, and you teach your job to the person below you.”
evil242
Enthusiast

Update from VMware Support

As you have rightly pointed out, in the "Connect to Remote Console" section of the vRA SaaS VMware document, one of the prerequisites to have a working VMRC is: "As a cloud administrator, verify that the ESXi host is accessible over SSL from the network that your consumers are using".
https://docs.vmware.com/en/vRealize-Automation/SaaS/Using-and-Managing-Service-Broker/GUID-51D6A51D-...

The difference in how the VMRC works between the on-prem and SaaS versions of vRA is that in vRA on-prem, users go through a proxy living on the vRA appliance, whereas on vRA Cloud a direct HTTPS connection from the user's browser to the ESXi host is needed.

So don't be convinced to use the vRA Cloud SaaS solution unless you are an extremely small shop that can manage the security exposure of your ESXi hosts to select networks. But then why not just allow your customers into your vCenter?

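As an added example (not code from the thread, from VMware, or from the vRA product), a small Python check that a cloud administrator can run from the consumer network, such as an off-prem laptop, to see whether ESXi hosts answer on the two ports the support reply names, 443 and 902. The host name in the usage stub is a placeholder, and the loopback listener exists only so the script can self-check offline.

```python
import socket
from typing import Dict, Iterable

# Ports the support reply says the consumer's browser must reach on ESXi directly:
# 443 carries the web console view, 902 carries VMRC auth/control.
CONSOLE_PORTS: Dict[int, str] = {443: "web console view (HTTPS)", 902: "VMRC auth/control"}


def tcp_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True if a TCP handshake to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered/timed out, or unresolvable
        return False


def console_exposure(hosts: Iterable[str], ports: Iterable[int] = CONSOLE_PORTS,
                     timeout: float = 3.0) -> Dict[str, Dict[int, bool]]:
    """Map each host to {port: reachable}. Run this from the network the consumers
    use: any True means that ESXi/vCenter port is open to that network."""
    return {h: {p: tcp_reachable(h, p, timeout) for p in ports} for h in hosts}


def diagnose(exposure: Dict[str, Dict[int, bool]]) -> Dict[str, str]:
    """Per host: 'reachable' (VMRC can work from here, so the host is exposed),
    'partial' (some ports open, others blocked: the console error in the thread),
    or 'hidden' (nothing answers, which is what you want for customer networks)."""
    result = {}
    for host, ports in exposure.items():
        opened = sum(ports.values())
        result[host] = "reachable" if opened == len(ports) else ("hidden" if opened == 0 else "partial")
    return result


def local_listener() -> socket.socket:
    """Constructed stand-in target for an offline self-check: a listening socket on
    a loopback ephemeral port. Nothing here talks to a real ESXi host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv


if __name__ == "__main__":
    # Placeholder host name: replace with the ESXi hosts backing your vRA SaaS deployments.
    for host, verdict in diagnose(console_exposure(["esxi-01.example.internal"])).items():
        print(f"{host}: {verdict}")
```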