Several weeks back there were a couple of questions from our field asking about locking down access to a Virtual Machine's Console. This covers both the new Standalone VMRC (Windows & Mac OS X), which runs on your desktop, and the new HTML5 VM Console, which runs in the browser. Below is a screenshot of the vSphere Web Client showing how to access the two different types of VM Consoles.

[Screenshot: restricting-vmrc-and-html5-vm-console-access-1]
To prevent users from accessing either VM Console (this also applies to the vSphere C# Client), you can leverage vSphere's extensive Role Based Access Control (RBAC) system. The specific privilege that governs whether a user can open a VM Console is VirtualMachine->Interaction->Console interaction (privilege ID VirtualMachine.Interact.ConsoleInteract), as seen in the screenshot below.

[Screenshot: restricting-vmrc-and-html5-vm-console-access-0]
If a user is not granted this privilege on a particular VM, then when they click on either the Standalone VMRC link or the HTML5 VM Console they will get permission denied and the screen will be blank. This makes it simple either to prevent users from accessing the VM Console at all, or to allow nothing but VM Console access when they log in.

[Screenshot: restricting-vmrc-and-html5-vm-console-access-2]

UPDATE (12/15/15): If you want to restrict users to ONLY VM Console access, which may include the Standalone VMRC, you will need to ensure that the role is applied not only on the VMs you wish to restrict but also at the ESXi host level, since the Standalone VMRC still connects to the ESXi host directly. You do not need to grant Read-Only permission for the user at the ESXi level; you just need to assign the user the "VMRC"-only role at the ESXi host level or higher so they can connect with the VMRC.
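The following PowerCLI script is an added example of the whole procedure above; it is not code from the original post. It creates a role that carries only the Console interaction privilege, assigns it (without propagation) on the VMs a group may open a console to and on every ESXi host in the cluster so the Standalone VMRC can still connect, and then audits where the group is entitled. The vCenter address, the group name "CORP\console-users", the cluster "Prod-Cluster" and the VM names are assumptions; substitute your own. Assigning per host with propagation off is also the scripted approach to the question in the comments about host-level permissions that must not recurse down to other tenants' VMs.

```powershell
# Added example (PowerCLI), not code from the original post. Assumes the
# hypothetical vCenter "vcenter.example.com", AD group "CORP\console-users",
# cluster "Prod-Cluster" and VMs "web01"/"web02"; adjust for your environment.
# Requires the VMware.PowerCLI module and an account that can manage permissions.

Import-Module VMware.PowerCLI
Connect-VIServer -Server vcenter.example.com | Out-Null

$roleName  = "VMRC-Only"
$principal = "CORP\console-users"   # user or group that gets console-only access
$cluster   = Get-Cluster -Name "Prod-Cluster"
$vms       = @(Get-VM -Name "web01", "web02" -Location $cluster)
$hosts     = @(Get-VMHost -Location $cluster)

# 1. The single privilege that governs both the Standalone VMRC and the
#    HTML5 VM Console: VirtualMachine -> Interaction -> Console interaction.
$consolePriv = Get-VIPrivilege -Id "VirtualMachine.Interact.ConsoleInteract"

# 2. Create a role that carries nothing but that privilege (idempotent).
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    $role = New-VIRole -Name $roleName -Privilege $consolePriv
}

# 3. Assign the role on each VM the group may open a console to.
#    Propagate is off: the VM is the leaf object, nothing below it to inherit.
foreach ($vm in $vms) {
    New-VIPermission -Entity $vm -Principal $principal -Role $role -Propagate:$false | Out-Null
}

# 4. The Standalone VMRC also authenticates to the ESXi host, so the same
#    role must be present on every host in the cluster. Assigning it per host
#    with Propagate off grants the host connection without exposing every VM
#    on that host, which a propagating cluster-level assignment would do.
foreach ($esx in $hosts) {
    New-VIPermission -Entity $esx -Principal $principal -Role $role -Propagate:$false | Out-Null
}

# 5. Audit. Host-level permissions do not follow a host that moves between
#    clusters, so re-run this (or the loop above) after host changes.
#    a) Every role that carries console interaction, with its privilege count;
#       a "console-only" role should show exactly 1.
Get-VIRole |
    Where-Object { $_.PrivilegeList -contains $consolePriv.Id } |
    Select-Object Name, @{ Name = "PrivilegeCount"; Expression = { $_.PrivilegeList.Count } }

#    b) Where the group is entitled on the VMs and hosts touched above.
Get-VIPermission -Entity ($vms + $hosts) |
    Where-Object { $_.Principal -eq $principal } |
    Select-Object Entity, Principal, Role, Propagate

Disconnect-VIServer -Server vcenter.example.com -Confirm:$false
```

Because the role holds only Console interaction, a member of the group sees no inventory beyond the objects they were granted and cannot power, edit or migrate a VM; if they also need to browse the inventory, add the required Read-Only assignment separately rather than widening the VMRC-only role.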

9 thoughts on "How to restrict access to both the Standalone VMRC & HTML5 VM Console?"

  1. hi
    I have a question regarding vSphere 6: how to generate web shortcuts for the machine console, especially Linux.

    Regards
    Sandy

  2. William,

    I have benefited from your blog over the years. I currently have a BCS case open on something that you might have insight on. We have a need for a PCI/DSS 3.0 requirement to restrict access to remote consoles to a limited set of IPs that we know can only be accessed with two factor authentication. This is currently possible through the existing ESXi firewall rules on port 902, except for remote consoles that use HTML5, which it appears use the vCenter IP as a proxy. We would prefer not to restrict at the vCenter firewall since we are hoping to restrict access only on one cluster within vCenter and leave the other clusters without that restriction. Support Request # 16917222703. If you have time for your thoughts that would be appreciated.

    -Robert Reynolds
    Indiana University

    • Robert,

      The only thing that comes to mind is by creating a role that either allows/prevents HTML5 access and you can apply it at the appropriate inventory level, else you would have to create the firewall as you’ve mentioned at the VC level. I think the RBAC approach is more scalable and you can easily add/remove users based on their group membership over firewall rules.

      • Thank you William for the quick reply. We do not want to prevent HTML5 access, just restrict it to certain IP ranges. Am I correct in thinking that HTML5 does not use port 902 on the ESXi host but rather 7343? That is why we were looking for a way to restrict on ESXi. Are customized ESXi firewall rules a viable solution?

        • Robert,

          That’s correct, HTML5 uses WebMKS which runs over a different port. For vSphere 5.5, that was 7343, and with vSphere 6.0 it is 9443 (same port as the vSphere Web Client itself), and you could also change the default HTML5 port as well.

          For what you’re trying to accomplish, the options would be to filter at VC level restricting the IPs or doing this higher up the stack at the networking infrastructure level which is also pretty common when needing to set ACLs. There’s nothing to do on ESXi itself and best method is to do this somewhere where you can easily manage it and I personally wouldn’t recommend doing it at the ESXi host level, even if it was possible.

          • In looking at the filter option for VC I am having a hard time getting a definite list of ports for vSphere 6 that we would need to restrict. Is it still 902 for the Windows client and then 9443 for the Web client and HTML5? Are there any other ports to be concerned about for the remote console?

  3. Hi, is there any way we can apply the permission to all hosts at the cluster level without it recursing down to other VMs? We have a few different tenants in the same vCenter and we currently restrict visibility by restricting permissions to the resource pool.

    It would be nice to not have to set it on all hosts manually or via script, as it’s not persistent when hosts move in and out of a cluster. Setting this at the cluster level with recursion (1) exposes too much to different groups and (2) doesn’t seem like a secure thing to do.

    • Yes, you can always use a script to apply to all hosts within a Cluster and not recurse down. Obviously the UI won’t have these levels of granularity but that’s where Automation can help.
