virtuallyGhetto

vmrc

How to audit vSphere Standalone VMRC or HTML5 VMRC connections?

by Leave a Comment

An interesting question that came in last week from one of our TAMs was how to identify and audit Virtual Machine Remote Console (VMRC) logins from vSphere? The TAM was specifically interested in being able to correlate that a particular user had logged into the VMRC of a VM during a specific period of time. Luckily, this is easily retrievable through vCenter Servers's Event sub-system that stores information about everything that happens in your vSphere environment. The Events can be accessed using either the vSphere Web Client shown below or programmatically using the vSphere API which the UI is built on top of.

audit-standalone-vmrc-and-html5-vmrc-logins-1
You can obviously filter your search in the UI and focus on a particular VM, but often times there can be dozens if not hundreds of "Events" generated for a given VM. I personally prefer to leverage Automation when needing to look for a specific type of Event and more importantly, you can further process the results to either send out reports or hook into other third party systems. Now that we know, "where" to find our data, the next thing is identifying the type of Event that is generated for a VMRC connection.

As of vSphere 5.5 Update 2b, the VMRC in the vSphere Web Client can be accessed in one of two ways: The new HTML5 VMRC by clicking onto the VM screenshot thumbnail or the Standalone VMRC by clicking on the link directly beneath the VM screenshot.

audit-standalone-vmrc-and-html5-vmrc-logins-0
Each VMRC connection method will generate a unique vCenter Server Event. For HTML5 VMRC connections, the Event is called VmAcquiredMksTicketEvent and for Standalone VMRC connections, the Event is called VmAcquiredTicketEvent. As I mentioned earlier, the vCenter Server Event sub-system can be accessed using the vSphere API and you can find the complete list of Events documented here. To demonstrate the use of this particular vSphere API, below is a PowerCLI example using the Get-VIEvent cmdlet. My fellow colleague Alan Renouf has actually blogged about working with Events using PowerCLI which I will be adapting one of his examples for our use case.

We first retrieve the VM that we are interested in by running the following command (specify the name of your VM):

$vm = Get-VM -Name "VCSA-60u2"

To retrieve HTML5 VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredMksTicketEvent"} | Select CreatedTime, UserName, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like

audit-standalone-vmrc-and-html5-vmrc-logins-2
To retrieve Standalone VMRC connections, run the following PowerCLI command:

Get-VIEvent -Entity $vm | Where { $_.Gettype().Name -eq "VmAcquiredTicketEvent"} | Select CreatedTime, UserName, UserAgent, FullFormattedMessage | ft -wrap -AutoSize

Here is an example of what the output would look like:

audit-standalone-vmrc-and-html5-vmrc-logins-3

How to restrict access to both the Standalone VMRC & HTML5 VM Console?

by 10 Comments

Several weeks back there were a couple of questions from our field asking about locking down access to a Virtual Machine's Console which includes both the new Standalone VMRC (Windows & Mac OS X) which runs on your desktop as well as the new HTML5 VM Console which runs in the browser. Below is a screenshot of the vSphere Web Client showing how to access the two different types of VM Consoles.

restricting-vmrc-and-html5-vm-console-access-1
To prevent users from accessing either of the VM Consoles which also applies to the vSphere C# Client, you can leverage vSphere's extensive Role Based Access Control (RBAC) system. The specific privilege that governs whether a user can access the VM Console is under VirtualMachine->Interaction->Console interaction as seen in the screenshot below.

restricting-vmrc-and-html5-vm-console-access-0
If a user is not granted the following privilege for a particular VM, when they click on either the Standalone VMRC link or the HTML5 VM Console, they will get permission denied and the screen will be blank. Pretty simple if you want to prevent users from accessing the VM Console or allowing only VM Console access when they login.

restricting-vmrc-and-html5-vm-console-access-2

UPDATE (01/31/17): If you are using VMRC 8.1 or greater, you no longer need the additional permission assignment on the ESXi level if you ONLY want to provide VM Console access, just assign it to the VM. However, if you need to provide device management such as mounting an ISO on the client side, then you will still need to assign VMRC role (along with the required privileges for device management) at the ESXi host level.

UPDATE (12/15/15): If you want to restrict users from having ONLY VM Console access which may include the Standalone VMRC, you will need to ensure that the user has the role applied not only on the VMs you wish to restrict but also at the ESXi host level since Standalone VMRC still requires access to ESXi host. You do not need to grant read-only permissions for the user at the ESXi level, but you just need to assign the user "VMRC" only role at the ESXi level or higher to ensure they can connect to the VMRC.

Standalone VMRC now available for Mac OS X

by 55 Comments

Last year, a standalone Virtual Machine Remote Console (VMRC) was released for Windows as part of vSphere 5.5 Update 2b which provides an alternative way of launching the VM console due to NPAPI deprecation. There was of course a huge request for Mac OS X support and the VMRC team has been working hard and today I am please to announce that standalone VMRC is now available for Apple Mac OS X which you can download using the following URL: www.vmware.com/go/download-vmrc

Note: Mac OS X 10.8 or greater is required to use the new Standalone VMRC. The release notes will be updated to reflect this requirement

There are currently two methods of launching a remote console to a Virtual Machine using the vSphere Web Client as seen in the screenshot below:

  1. Using HTML5 VMRC simply by clicking on the thumbnail preview
  2. Using the new Standalone VMRC by clicking on the "Launch Remote Console" link

vmrc-mac-osx-2
When using the Standalone VMRC method, instead of opening the VM console in the browser, it will launch the native VMRC application on your system whether that be Windows or Mac OS X. All basic functionalities of the Standalone VMRC is available as you would expect such as power operations, device management, etc.

Note: There is not a specific version of vSphere that is required to directly launch the Standalone VMRC. However, to launch it within the vSphere Web Client, you will need vSphere 5.5 Update 2b or greater.

vmrc-mac-osx-1
The other great thing about the Standalone VMRC is that it can function without vCenter Server and the vSphere Web Client and you can actually use it to connect to VM directly on an ESXi host. To use the VMRC without the vSphere Web Client, you will need to construct the VMRC URI which looks like the following:

vmrc://clone:[TICKET]@[HOST]:[PORT]/?moid=[VM-MOREF]

where TICKET is obtained by calling the AcquireCloneTicket() method using the SessionManager in vCenter Server. The HOST will either be the Hostname/IP Address of vCenter Server and the PORT should be default to 443 and you will need to specify the VM MoRef ID. In the case of a standalone ESXi host, you would just change the HOST property. If you do not wish to use the clone ticket, you can also just provide the following URI which will prompt for your ESXi credentials

vmrc://@[HOST]:[PORT]/?moid=[VM-MOREF]

Once you have generated the VMRC URI, you MUST launch it through a web browser as that is how it is passed directly to the Standalone VMRC application. In my opinion, this is not ideal especially for customers who wish to automatically generate this as part of a VM provisioning workflow to their end users and not having to require a browser to launch the Standalone VMRC application. If you have some feedback on this, please do leave a comment.

In the mean time, a quick workaround is to use the "open" command on Mac OS X along with the VMRC URI which will automatically load it into your default browser and launch the Standalone VMRC application for you.

open 'vmrc://clone:cst-VCT-52e44ad7-712f-9f45-a9ee-13ec6a74acaf-[email protected]192.168.1.60:443/?moid=vm-18'

UPDATE (05/31/15) - If you are connecting directly to an ESXi host you can either use the vSphere API to query for the VM MoRef ID or you can easily pull it by running the following command directly in the ESXi Shell:

vim-cmd vmsvc/getallvms

I am sure there are probably a few of you asking, what about for Linux users? Well, you can probably guess what is being worked on next 😉

Standalone VMRC (VM Remote Console) re-introduced in vSphere 5.5 Update 2b

by 53 Comments

The VMRC (VM Remote Console) has gone through several transitions from initially being available as a standalone Windows application to an integrated browser based plugin with the release of the vSphere Web Client. In the latest vSphere 5.5 Update 2b release, a new standalone VMRC has been re-introduced to provide an alternative way to launch a VM console. The reason for this is due to the deprecated and eventual removal of NPAPI (Netscape Plugin Application Programming Interface) based plugin support from all modern web browsers which the current VMRC implementation leverages. Here is a quick excerpt from the vSphere 5.5 Update 2b release notes:

Inability to open virtual machine console using Google Chrome browser when NPAPI support is deprecated
When the NPAPI support in Google Chrome is deprecated, the virtual machine console provided in the vSphere Client Integration Plugin might no longer function when the Chrome browser is updated. As a result, you might be unable to open the virtual machine console using the Google Chrome browser and you might not be able to connect to devices.

UPDATE (10/21/14) - Looks like the standalone VMRC has just been made available and you can now download it by either following the link in the vSphere Web Client if you are on vSphere 5.5 Update 2b OR simply by going to http://www.vmware.com/go/download-vmrc

UPDATE (10/12/14) - It looks like the standalone VMRC is currently not available for download just yet. You can continue using the existing methods to connect to your VM Console, the new Standalone VMRC is NOT required but the links have been put in place to proactively get ready for NPAPI deprecation (more details below). You can subscribe to VMware KB 2091284 which will be updated when the download is available.

UPDATE (05/31/15) - If you are connecting directly to an ESXi host you can either use the vSphere API to query for the VM MoRef ID or you can easily pull it by running the following command directly in the ESXi Shell:

vim-cmd vmsvc/getallvms

The deprecation of NPAPI support is nothing new and has actually been communicated by all major web browsers for quite some time now. To ensure that VMware customers are not affected when this change goes into effect, a new standalone VMRC is being introduced to preempt the upcoming change and provides a new way of  launching a VM console using the vSphere Web Client as seen in the screenshot below.

vmrc
To be able to open a VM Console using the new standalone VMRC, you will of course need to have it installed first. You can find the link to the download on VMware.com but there is also a direct link provided on the VM Summary page in the vSphere Web Client. In addition to the new standalone VMRC, you will still be able to use the existing method as well as the HTML5 based VM console. The HTML5 console continues to work if you do not have CIP (Client Integration Package) installed on your Windows system or if you are running on a Mac OS X system. I am sure many of you are probably asking when will there be Mac OS X version of VMRC? I know I definitely am 🙂 The good news is that this is being worked on and hopefully we will see a Mac OS X version in the very near future.

Furthermore, the new standalone VMRC also includes some nice enhancements that I know some of you have been asking for, especially those that have used the previous standalone VMRC application. The new VMRC can now be directly launched using the following two URI methods:

vmrc://[USERNAME]@[VC]/?moid=[VM-MOREF-ID]
vmrc://clone:[VC-TICKET]@[VC]/?moid=[VM-MOREF-ID]

Here is a screenshot of the standalone VMRC application:

vmrc-0
The first method accepts basic authentication using username/password, the vCenter Server address and the VM MoRef Id. Here is an example of what that would look like:

C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe vmrc://*protected email*/?moid=vm-37

The second method accepts a vCenter Server session ticket which you can generate by using vSphere API acquireCloneTicket() method. A quick way to test this example is by using the vSphere MOB and making a call to acquireCloneTicket using the following URL https://[VCENTER-SERVER]/mob/?moid=SessionManager&method=acquireCloneTicket and then specifying the ticket as seen in the example below.

C:\Program Files (x86)\VMware\VMware Remote Console\vmrc.exe vmrc://clone:*protected email*/?moid=vm-37

With the new URI handler, you can automatically associate it with the standalone VMRC application which means you can type this into a browser or into a Windows explorer and it will automatically launch VMRC. The other nice thing about the new standalone VMRC is if you would like to reduce the complexity of getting a regular use connected to their desktop, you can easily use the standalone VMRC and dynamically generating a link for your end users to access their VMs without ever exposing them to the underlying vSphere infrastructure. I suspect there will be some really interesting use cases for the new standalone VMRC and the VMRC team will continue to iterate to make it better based on customer feedback.

HTML5 console now defaults to HTTPS/WSS in vSphere 5.5 Update 2

by 5 Comments

I just found out from one of my readers that with the latest release of vSphere 5.5 Update 2, the HTML5 Console in vCenter Server now goes over a secure connection (HTTPS) as well as using secure web socket connection (WSS) by default. In addition to this change, the HTML5 console port has also been changed from 7331 to 7343. I know customers have asking about this in the past and though this was not possible with previous releases, I am glad to see that VMware Engineering has now added this capablity, another reason to go to vSphere 5.5 Update 2!

This new change is also documented in the vSphere 5.5 Update release notes, which I some how must have missed:

Virtual machines with HTML 5 console in vSphere 5.5 open connections with http:// instead of https://
When the HTML 5 console is launched on a virtual machine, it uses connections like http:// and web sockets like ws:// instead of secure connections like https:// and wss://.

This release resolves the issue by launching the virtual machine console with secure connection over port 7343 instead of the connection over port 7331.

For those of you using my generateHTML5VMConsole script to generate a pre-authenticated HTML5 VM Console, I have updated the script to include a new variable called isvSphere55u2 which will default to "false" but you can set it in the command-line to "true" and this will automatically generate a URL using HTTPS instead of HTTP and use port 7343 instead of 7331. Other than these two minor changes, the URL format is exactly the same and will continue to work.

Here is a quick screenshot of the HTML5 VM Console URL in my lab running vSphere 5.5 Update 2:

vsphere-55u2-html5-console-https-webmks

How to Access vSphere Remote Console Using vSphere & VMRC API

by 42 Comments

Similar to my vCloud Director article, you can also provide access to the remote console of a virtual machine in a vSphere environment to your end users. This can be accomplished by leveraging both the vSphere and VMRC (Virtual Machine Remote Console) APIs and can be useful if you are building a custom portal for users to access their virtual machines. To use the VMRC API, you can download the latest VMRC 5.1 SDK which provides the following:

The VMRC SDK allows you to use a Web-based application to connect to a vCenter- or vCloud Director-managed virtual machine and access that virtual machine’s console in a browser window. You can interact with the virtual machine console input and screen. You can also use the VMRC SDK to manage virtual and physical device connections on a vCenter-managed virtual machine. 

The VMRC SDK includes documentation to the API as well as a sample webpage implementing some basic functionality of the VMRC API. I recently received a question on how to get started with the sample as it was not completely intuitive and thought I take you through the required steps to get the sample working.

Step 1 - Download the VMRC 5.1 SDK and extract the contents to your local desktop.

Step 2 - Open the vmrc-embed-example.html using a web browser located in the docs folder.

Note: In my example, I uploaded both the javascript and html file to a web server and accessed the sample by connecting to the server instead of running it locally on my desktop. This was to show how users could access the custom portal using the VMRC SDK.

Step 3 - At the top of the page where it says "VMRC Modes", make "MKS" is selected in the drop down box and click on the "+" icon to add. Then go ahead and click on the "Start" button to start a VMRC instance and ensure you see a success message on the right hand side of the console box.

Step 4 - To authenticate to VMRC, you will need a session ticket which will be obtained through the use of the vSphere API using the acquireCloneTicket() method provided by the SessionManager managed object. In this example, we will be using the vSphere MOB to quickly retrieve our session ticket, but in a real implementation, you would programamtically retrieve the session ticket along with few othe pieces of information to connect to the VMRC. Open up a new tab in your web browser and connect to the following URL:

https://reflex.primp-industries.com/mob/?moid=SessionManager&method=acquireCloneTicket

Note: Make sure you substitute in your vCenter Server IP Address/Hostname

Once you have authenticated, go ahead and click on the "Invoke Method" which should generate a session ticket:

Step 5 - Copy the session ticket string and go back to our VMRC sample page. We will now need to fill out the following sections before we can access the remote console of a virtual machine:

  • Hostname (IP Address/Hostname of your vCenter Server)
  • Allow SSL Validation Errors (Check this if you are using self signed SSL certificates)
  • Ticket (Paste the session ticket from the previous step here)
  • VM ID (This is the MoRef ID of the VM you wish to connect to the remote console)

Once you have filled out the minimum required fields, go ahead and click on the "Connect" button and if everything was successful, you should now see the remote console of the virtual machine you selected.