Configuring the VM Access Proxy for Secure VM Connections

The vCommander VM Access Proxy secures your virtualized infrastructure behind a firewall while still permitting your users remote access to their VMs. When you configure one or more VM Access Proxies, your users can access their VMs within a browser, without the need for a network connection to the managed system. To minimize geographical distance and network lag, you can configure multiple proxies; for example, you can configure a separate proxy for each public cloud region.

The VM Access Proxy enables:

  • Secure RDP and secure VNC access for Windows VMs on all supported managed system types
  • Secure SSH and secure VNC access for Linux VMs on all supported managed system types
  • Secure console access for vCenter and SCVMM VMs

Using the VM Access Proxy is optional. If you don't install and configure one or more VM Access Proxies, users can still open a direct (non-proxied) console connection to vCenter VMs, and users can open direct RDP, VNC and SSH connections where applicable, providing a route exists between the user's computer and the managed system. See Opening a Connection to a VM.

The VM Access Proxy is deployed as a separate Linux appliance. It can be deployed on vCenter.

The configuration process involves:

  • Downloading the VM Access Proxy package
  • Deploying the appliance on vCenter
  • Changing the default VM Access Proxy password
  • Configuring one or more VM Access Proxies

Optional configuration tasks:

  • Changing the default host name for the VM Access Proxy
  • Generating a self-signed SSL certificate or importing an SSL certificate
  • Assigning a static IP address to the VM Access Proxy host
  • Changing the default keystore password

All of these tasks are covered in this topic.

Version Compatibility

If you deployed an earlier vCommander VM Access Proxy version, we recommend moving to the latest version when you upgrade your vCommander. For instructions, see Upgrading the vCommander VM Access Proxy.

For complete details on compatibility between vCommander and VM Access Proxy versions, see the readme file packaged with the VM Access Proxy download.

vCommander VM Access Proxy architecture (diagram)

Prerequisites

Port requirements

  • For secure RDP and secure SCVMM console connections, you must ensure that port 8443 is accessible (inbound to the VM Access Proxy).
  • For secure vCenter console connections, you must also open port 443 (inbound to the VM Access Proxy).

    Publishing both the Service Portal and the VM Access Proxy to the internet requires two IP addresses.

Networking requirements

In all connection scenarios, routes must exist between vCommander and the VM Access Proxy. For vCenter and SCVMM, routes must exist between vCommander, the VM Access Proxy, and the host (ESXi or Hyper-V). For RDP, SSH and VNC connections, routes must exist between vCommander, the VM Access Proxy and the target VM.

Important: If users will access their VMs from the managed system's network, as well as through the Service Portal published on the Internet, you must make sure DNS is configured correctly. This is because some network devices won't automatically route requests made to a public IP to its private IP. When on the same network as the managed system and VM Access Proxy, DNS must resolve to their private IP addresses so the traffic doesn't try to leave the network. Over the Internet, DNS must resolve to their public IP addresses.

Prerequisites

  • To open a Secure Console session in Internet Explorer, the VM Access Proxy's IP address must be added to either the Local Intranet zone (when on the same network as the VM Access Proxy server) or the Trusted Sites zone (when connecting from a network other than that of the VM Access Proxy server). You may also need to disable Protected Mode in Internet Explorer.
  • Service Portal users must have the Open Console and/or the Open Remote Session permissions. See Customizing Service Portal Roles for End Users.
  • vCommander users must have Administrator or any Operator level of access rights on the VM. See Assigning Access Rights to Administrative Users.
  • You may want to configure credentials for console connections. See Connecting to a vCenter VM.

VMRC is not supported for secure console connections for vCenter 6.0 or higher.

Deploying the VM Access Proxy appliance on vCenter (Thick Client)

  1. Log in to the Support website and download the vCommander VM Access Proxy package.
  2. Extract the VM Access Proxy archive.
  3. In vCenter, deploy the OVF template:

    Go to File > Deploy OVF Template and complete the wizard.

  4. Right-click the VM Access Proxy deployment and choose Edit Settings.
  5. On the Options tab, choose the VMware Tools option, then enable Synchronize guest time with host.
  6. Start the deployed VM.

    Now you're ready to change the VM Access Proxy password.

Deploying the VM Access Proxy appliance on vCenter (Web Client)

Only the vSphere Flash client supports OVF deployment. You can't follow this procedure using the HTML5 client.

  1. Log in to the Support website and download the vCommander VM Access Proxy package.
  2. Extract the VM Access Proxy archive.
  3. In the vCenter web client, right-click the vCenter and choose Deploy OVF Template.
  4. Click Local file and browse to the folder where you extracted the VM Access Proxy.
  5. Select all three files and click Open.
  6. Complete the wizard.
  7. Once deployed, right-click the VM and choose Edit Settings.
  8. On the VM Options tab, choose VMware Tools, then enable Synchronize guest time with host.
  9. Start the deployed VM.

    Now you're ready to change the VM Access Proxy password.

Change the password for the VM Access Proxy

You must change the default password for the VM Access Proxy.

  1. If you're not already logged in to the VM Access Proxy, open a console connection to the VM, using the following credentials:

    username: vcommander

    password: gRHrB211

  2. Run the following command:

    passwd

  3. Enter the current password.
  4. Enter and confirm your new password.

Configure the vCommander VM Access Proxy

Access through:

Configuration menu > System Configuration > Integration tab

Available to:

vCommander Role of Superuser

To minimize geographical distance and network lag, you can configure multiple proxies; for example, you can configure a separate proxy for each public cloud region.

To enable the VM Access Proxy and configure which VM connection commands are available to users:

  1. On the Integration page, click Add > VM Access Proxy.
  2. On the VM Access Proxy wizard's Configuration page, in the Proxy URL field, enter a fully qualified domain name (FQDN) for the VM Access Proxy Server that uses https and port 8443. For example:

    https://example.vmaccessproxy.com:8443

    The URL you enter must resolve correctly both on your network and over the Internet. While some firewall configurations allow for traffic to leave and re-enter the network, typically you need an internal DNS record that resolves to the private IP and an external DNS record that resolves to the public IP address of the VM Access Proxy server.

  3. In the Name field, enter a name.

    End users won't see this name; it's used only to distinguish multiple proxies.

  4. Click Test to test the connection.

    If the test is successful, the message "Connected to the VM Access Proxy" is displayed, along with the VM Access Proxy version.

    If you see an error, see Troubleshooting VM Access Proxy Errors below.

  5. Under VM Session Access, select the access options you want to provide in the Open Connection menu for vCommander and Service Portal users.

    Each access option below lists the vCommander Open Connection menu command it enables, what the command does, and the recommended setting for vCommander and for the Service Portal.

    • VMware Console: Direct (Open Console). Open a console connection to a vCenter VM. This command doesn't go through the VM Access Proxy. Recommended: vCommander Enabled; Service Portal Disabled.
    • VMware Console: Secure Proxy (Open Secure Console). Open a console connection in the browser to a vCenter VM, through the VM Access Proxy. Recommended: vCommander Disabled; Service Portal Enabled.
    • RDP: Direct (Open RDP Session). Open an RDP connection to a running Windows vCenter VM using an RDP client. This command doesn't go through the VM Access Proxy. Recommended: vCommander Enabled; Service Portal Disabled.
    • RDP: Secure Proxy (Open Secure RDP Session). Open an RDP connection in the browser to a running Windows vCenter VM, through the VM Access Proxy. Recommended: vCommander Disabled; Service Portal Enabled.
    • SSH: Direct (Open SSH Session). Open an SSH connection to a running Linux VM, using an SSH client. This command doesn't go through the VM Access Proxy. Recommended: vCommander Enabled; Service Portal Disabled.
    • SSH: Secure Proxy (Open Secure SSH Session). Open an SSH connection in the browser to a running Linux VM, through the VM Access Proxy. Recommended: vCommander Disabled; Service Portal Enabled.
    • VNC: Direct (Open VNC Session). Open a VNC connection to a running VM, using a VNC client. This command doesn't go through the VM Access Proxy. Recommended: vCommander Enabled; Service Portal Disabled.
    • VNC: Secure Proxy (Open Secure VNC Session). Open a VNC connection in the browser to a running VM, through the VM Access Proxy. Recommended: vCommander Disabled; Service Portal Enabled.
    • SCVMM Console: Secure Proxy (Open Secure Console). Open a console connection to a Hyper-V VM through the VM Access Proxy. Recommended: vCommander Enabled; Service Portal Enabled.

    For example, if your vCommander users are inside your firewall, for vCommander, enable the Direct commands and disable the Secure Proxy commands. If your Service Portal users are customers outside your firewall, for the Service Portal, enable the Secure Proxy commands and disable the Direct commands. Note that the only option for Hyper-V console access is through the VM Access Proxy, so in our example, both vCommander and Service Portal users need access to this command.

    This example setup would look like the following:

    VM Access Proxy dialog

    While there's no harm in enabling both Direct and Secure Proxy commands for vCommander users, reducing the number of available commands results in a simpler user experience.

    For this example, the Open Connection context menu in both vCommander and the Service Portal for a Windows VM on vCenter would look like this:

    Open VM Connection commands

    In the Service Portal, the Open Connection commands are the same, whether you've enabled the Secure Proxy commands or the Direct commands. In vCommander, by contrast, the secure Open Connection commands are prefixed by "Secure". For example, here is the vCommander Open Connection menu for a Windows VM on vCenter, when both Direct and Secure Proxy commands are enabled:

    Open VM Connection commands

  6. For secure RDP and VNC connections, enable Force manual copy from remote clipboard if you want to force users to manually copy contents from the remote clipboard to the local clipboard. When this option is enabled, users see a Copy from Remote Clipboard button in the session. See Forcing Manual Copying of Clipboard Contents in a Secure RDP or VNC Session below for more information.
  7. Click Next.
  8. On the Targets page, if you want this proxy to target your entire infrastructure, keep the default selection, Operational.

    If you want to target only a subset of your infrastructure, deselect Operational and select one or more targets in the tree. You can select down to the cluster level for on-premise systems, and to the region level for public cloud systems.

    If a global proxy is already configured, Operational is grayed out and can't be deselected; you must select one or more targets below the Operational level.

    You can configure one global proxy targeting the entire infrastructure, plus one or more secondary proxies targeting portions of your infrastructure. The following image shows the Targets page for a global proxy; the grayed-out checkboxes for kermit and manta show that they're targeted by other proxies.

    VM Access Proxy configuration

  9. Click Next.
  10. On the Summary page, review your changes and click Finish.

Troubleshooting

If you need to retrieve log files from the VM Access Proxy appliance for troubleshooting purposes, see the Knowledge Base article Retrieving VM Access Proxy Logs.

When you have configured the VM Access Proxy and a user is unable to open a connection to a VM, the first step to take is to try to open a connection to the VM outside vCommander and the Service Portal.

Important: After configuring the VM Access Proxy, the first secure console connection will fail, because the first connection attempt acts as a trigger to load required libraries. When you experience this issue, attempt to make a second secure console connection.

VM Access Proxy Errors Displayed when Testing a Connection

Each entry below gives the error message, followed by its resolution.

  • Connection Error : VM Access Proxy host URL "<url>" must use https.
    Resolution: Check whether you used http in the URL instead of https.
  • Connection Error : Failed to connect to "<url>".
    or
    VM Access Proxy received no response for host "<hostname or IP>": "<error message>"
    Resolution: Make sure you entered a valid port number. Try rebooting the VM Access Proxy host server.
  • Connection Error : VM Access Proxy host URL "<url>" is not valid.
    Resolution: Make sure you typed the URL correctly.
  • VM Access Proxy not found at "<hostname or IP>"
    Resolution: The specified host is valid, but the VM Access Proxy Service wasn't found on the host. Make sure you specify a host where the VM Access Proxy was installed.
  • VM Access Proxy host not found: "<hostname or IP>"
    or
    Failed to connect to "<hostname or IP>"
    Resolution: The specified host isn't valid, or Tomcat is not running on the VM Access Proxy server. Make sure you specify a valid IP address or host name.
  • VM Access Proxy failed to provide a valid SSL cert for host "<hostname or IP>": "<error message>"
    Resolution: The SSL certificate was not provided, or was not returned correctly. If an SSL certificate was provided as part of the installation process, try rebooting the VM Access Proxy host server.
  • VM Access Proxy not found at "<url>"
    Resolution: Another service was found at the specified URL, but the VM Access Proxy Service wasn't found. Make sure you enter the URL for the VM Access Proxy Service.
  • Failed to get a valid response from "<url>". Ensure the port is correct and try again.
    Resolution: Make sure you enter a port as part of the URL.
  • Bad response from server
    Resolution: The VM Access Proxy service is not running. Try restarting the service.
  • Server returned HTTP response code: 500 for URL: <url>/RemoteAccess/details
    Resolution: The SSL certificate provided is invalid.
  • Invalid Proxy URL
    Resolution: The proxy URL sometimes may not resolve unless a common root domain, such as .com or .net, is used.
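The shell function below, added here as an example and not part of the vCommander product or its documentation, applies the URL rules behind the first entries of the table offline (https scheme, an explicit numeric port, and a fully qualified host name), so a Proxy URL can be checked before it is typed into the wizard. The function name, its messages and return codes are assumptions; the sample URLs are constructed.

```shell
#!/bin/sh
# Added example: offline pre-check of a VM Access Proxy URL against the rules
# the Integration wizard enforces. Function name and messages are assumptions.

# check_proxy_url URL
# Prints one diagnostic line. Returns 0 when the URL passes every check,
# 1 for a non-https scheme, 2 for a missing scheme, 3 for a missing or bad
# port, 4 for a host name that is not fully qualified.
check_proxy_url() {
    url=$1
    case $url in
        https://*) ;;
        http://*)  echo "must use https: $url"; return 1 ;;
        *)         echo "not valid (no https:// scheme): $url"; return 2 ;;
    esac
    # Keep host[:port] only; drop the scheme and any path such as /RemoteAccess/details.
    hostport=${url#https://}
    hostport=${hostport%%/*}
    host=${hostport%%:*}
    port=${hostport#*:}
    if [ "$host" = "$hostport" ]; then
        echo "no port in URL (the documented proxy port is 8443): $url"; return 3
    fi
    case $port in
        ''|*[!0-9]*) echo "port is not numeric: $port"; return 3 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port"; return 3
    fi
    # The wizard expects an FQDN; a bare label without a dot may not resolve.
    case $host in
        *.*) ;;
        *) echo "host is not a fully qualified name: $host"; return 4 ;;
    esac
    if [ "$port" != 8443 ]; then
        echo "ok (note: documented proxy port is 8443, got $port): $url"
    else
        echo "ok: $url"
    fi
    return 0
}

# Constructed sample inputs: the documented example and three common mistakes.
for u in https://example.vmaccessproxy.com:8443 \
         http://example.vmaccessproxy.com:8443 \
         https://example.vmaccessproxy.com \
         https://vcommander-proxy:8443; do
    check_proxy_url "$u" || true
done
```

The check is deliberately offline: it does not replace the wizard's Test button, which also confirms that the service answers on the URL, but it catches the three input mistakes the table lists before a connection attempt is made.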

VM Access Proxy Status Field Messages

Each entry below gives the status shown in the VM Access Proxy Status field, followed by its meaning.

  • Running
    This status is displayed when the VM Access Proxy is enabled and the service is running.
  • Disabled
    The VM Access Proxy is configured, but is disabled. To enable the VM Access Proxy, go to System Configuration > Integration tab. On the VM Access Proxy pane, click Edit. Select Enabled and OK.
  • Not Configured
    The VM Access Proxy has not been configured.
  • can't communicate with VM Access Proxy
    The VM Access Proxy server is not powered on.
  • VM Access Proxy Error
    The VM Access Proxy service is not running, or a Tomcat error has occurred. To see Tomcat errors, click Edit to open the VM Access Proxy dialog and click Test.

Disabling or removing a VM Access Proxy server

Access through:

Configuration menu > System Configuration > Integration tab

Available to:

vCommander Role of Superuser

Disabling a proxy server makes the server unavailable for connections but saves the settings, meaning that you can return to the configuration dialog later and simply re-enable it.

Removing a proxy server clears the settings, meaning that you must reconfigure all of the settings if you want to reintegrate later.

In both cases, users can still connect to VMs as described in Connecting to a vCenter VM, but the connections don't go through the VM Access Proxy.

If you have configured multiple proxies, disabling or removing a proxy that targets a subset of your infrastructure means that another proxy that targets a higher level of your infrastructure now also targets the subset. Test the available VM commands to ensure that behavior is as expected throughout your infrastructure.

To disable a proxy server

  1. On the Integration page, locate the server you want to disable and click Edit.
  2. Clear the Enabled checkbox and click OK.

To remove a proxy server

  1. On the Integration page, locate the server you want to remove and click Remove.
  2. Click Yes to confirm the change.

Forcing manual copying of clipboard contents in a secure RDP or VNC session

Access through:

Configuration menu > System Configuration > Integration tab

Available to:

vCommander Role of Superuser

There are two ways to allow users to copy content from a remote secure RDP or VNC session to the local clipboard:

Automatic method (the default): The content copied from the remote system is automatically copied to the remote clipboard, then to the local system, then to the local clipboard.

Manual method: Users first use any of the supported methods to copy content from the remote session to the remote clipboard, and then must click Copy from Remote Clipboard to move the copied content from the remote clipboard to the local clipboard. You may need to configure this method if users experience reliability issues when copying and pasting using the automatic method.

Browser-specific notes

  • To ensure that the Copy from Remote Clipboard button is visible in the session, the user's browser must have Adobe Flash installed.
  • When the manual method is configured, Mac OS users must use Ctrl+C to copy (rather than CMD+C) and CMD+V to paste.

To force users to manually copy clipboard contents from the remote clipboard to the local clipboard:

  1. Choose Configuration > System Configuration, and go to the Integration tab.
  2. Locate the VM Access Proxy in the list of integrations and click Edit.
  3. On the VM Access Proxy dialog, enable Force manual copy from remote clipboard and click OK.

    When this option is enabled, users will see a Copy from Remote Clipboard button in their RDP or VNC session.

Optional configuration

Changing the default host name

The default host name for the VM Access Proxy server is "vcommander-proxy".

To change the name:

  1. Open a console connection to the VM Access Proxy server.
  2. Edit the file /etc/hostname with the nano utility:

    sudo nano /etc/hostname

  3. Enter the appropriate hostname and save the file.
  4. Edit the file /etc/hosts with the nano utility:

    sudo nano /etc/hosts

  5. Enter the appropriate hostname and save the file.
  6. Reboot the server:

    sudo reboot

Generating or importing an SSL certificate

The vCommander VM Access Proxy includes a self-signed certificate. If you want to use your own self-signed certificate, or one provided by a certificate authority, follow the instructions in the Knowledge Base article Generating and Installing an SSL Certificate for the VM Access Proxy 3.0.

Assigning a static IP address

To assign a static IP address for the VM Access Proxy server:

  1. Open a console connection to the VM Access Proxy server.
  2. Edit the file /etc/network/interfaces with the nano utility:

    sudo nano /etc/network/interfaces

  3. Delete the dhcp line in the file:

    iface ens32 inet dhcp

  4. Add the static IP details, as required, and save the file. For example:

    iface ens32 inet static
        address 192.168.1.5
        netmask 255.255.255.0
        gateway 192.168.1.254
        dns-nameservers 10.10.10.10 10.10.10.11
        dns-search example.com

  5. Restart networking:

    sudo service network-interface restart INTERFACE=ens32

Changing the default keystore password

To change the default keystore password:

  1. Open a console connection to the VM Access Proxy server.
  2. Run the following command to change the password on the tomcat key:

    keytool -keypasswd -alias tomcat -keystore keystore -storepass <old_keystore_password>

  3. Run the following command to change the keystore's password:

    keytool -storepasswd -keystore keystore -storepass <old_keystore_password>

  4. In the /var/lib/tomcat/conf folder, open the file server.xml for editing with the nano utility.
  5. In the Connector section, locate the Connector element that contains the keystoreFile attribute.
  6. Add the following line, with the appropriate keystore password:

    keystorePass="<new_keystore_password>"

    For example:

    <!-- Define a SSL HTTP/1.1 Connector on port 443 -->
    <Connector SSLEnabled="true" clientAuth="false" keystoreFile="${catalina.home}/conf/keystore"
       keystorePass="changeit2"
       maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
       sslProtocol="TLS"
       sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
       ciphers="TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256,TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
       />

  7. In the /var/lib/tomcat/conf folder, open the file config.properties for editing.
  8. Add the following line to this file:

    consoleproxy.keystore.password = <new_keystore_password>

  9. Run the following command to restart the tomcat service:

    sudo service tomcat restart
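As an added check after the procedure above (example code, not part of the appliance or of the documented steps), the shell functions below read the keystorePass attribute from server.xml and consoleproxy.keystore.password from config.properties and confirm that the two agree; if a keystore path is supplied and keytool is on the PATH, they also open the keystore with keytool -list to prove the password is the one the keystore now holds. When any of the three disagree, Tomcat cannot open the keystore and the proxy reports the "VM Access Proxy Error" status. The functions also flag the legacy TLSv1 and TLSv1.1 protocols and the 3DES suite that the example Connector enables, since both are deprecated by RFC 8996 and current cipher guidance. The function names and the sample files are constructed for this example; the file paths and the value changeit2 are the ones the procedure uses.

```shell
#!/bin/sh
# Added example: consistency check for the keystore password after changing it.
# Function names are assumptions; sample files below are constructed.

# server_xml_keystore_pass FILE  -> prints the keystorePass attribute value
server_xml_keystore_pass() {
    sed -n 's/.*keystorePass="\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# properties_keystore_pass FILE  -> prints consoleproxy.keystore.password
properties_keystore_pass() {
    sed -n 's/^[[:space:]]*consoleproxy\.keystore\.password[[:space:]]*=[[:space:]]*//p' "$1" | head -n 1
}

# check_keystore_config SERVER_XML CONFIG_PROPERTIES [KEYSTORE]
# Returns 0 when both files carry the same non-empty password (and, when a
# keystore is given and keytool exists, that password opens the "tomcat" entry).
check_keystore_config() {
    xml_pass=$(server_xml_keystore_pass "$1")
    prop_pass=$(properties_keystore_pass "$2")
    if [ -z "$xml_pass" ]; then
        echo "server.xml: no keystorePass attribute on the SSL connector"; return 1
    fi
    if [ -z "$prop_pass" ]; then
        echo "config.properties: consoleproxy.keystore.password is missing"; return 1
    fi
    if [ "$xml_pass" != "$prop_pass" ]; then
        echo "mismatch: server.xml and config.properties disagree on the keystore password"; return 1
    fi
    if [ -n "$3" ] && command -v keytool >/dev/null 2>&1; then
        keytool -list -keystore "$3" -storepass "$xml_pass" -alias tomcat >/dev/null 2>&1 \
            || { echo "keystore: password or 'tomcat' alias does not match"; return 1; }
    fi
    echo "keystore password is consistent"
    return 0
}

# tls_warnings SERVER_XML -> prints one "warning:" line per legacy setting found
tls_warnings() {
    protos=$(sed -n 's/.*sslEnabledProtocols="\([^"]*\)".*/\1/p' "$1")
    ciphers=$(sed -n 's/.*ciphers="\([^"]*\)".*/\1/p' "$1")
    case ",$protos," in
        *,TLSv1,*|*,TLSv1.1,*) echo "warning: TLSv1/TLSv1.1 enabled (deprecated by RFC 8996)" ;;
    esac
    case $ciphers in
        *3DES*) echo "warning: a 3DES cipher suite is enabled" ;;
    esac
    return 0
}

# Constructed sample files modelled on the fragments in the procedure.
workdir=$(mktemp -d)
cat > "$workdir/server.xml" <<'EOF'
<Connector SSLEnabled="true" clientAuth="false" keystoreFile="${catalina.home}/conf/keystore"
   keystorePass="changeit2"
   maxThreads="150" port="8443" protocol="HTTP/1.1" scheme="https" secure="true"
   sslProtocol="TLS"
   sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
   ciphers="TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,TLS_ECDHE_RSA_WITH_3DES_EDE_CBC_SHA"
   />
EOF
printf 'consoleproxy.keystore.password = changeit2\n' > "$workdir/config.properties"

check_keystore_config "$workdir/server.xml" "$workdir/config.properties"
tls_warnings "$workdir/server.xml"
```

On the appliance itself the call would be `check_keystore_config /var/lib/tomcat/conf/server.xml /var/lib/tomcat/conf/config.properties /var/lib/tomcat/conf/keystore`, run before `sudo service tomcat restart`, so that a typo in either file is caught while the old configuration is still serving.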

Copying and pasting in a secure RDP or VNC session

In a secure RDP or VNC session, users can:

  • copy content from the remote system to the local clipboard
  • paste content from the local clipboard to the remote system

    "Local clipboard" refers to the end user workstation where you initiated the RDP or VNC connection. "Remote system" refers to the system you're connected to through RDP or VNC.

To copy content from the remote system to the local clipboard use any of the following:

  • Ctrl+C
  • Ctrl+X
  • The context menu (Edit menu > Copy, or right-click > Copy).

To paste content from the local clipboard to the remote system use:

  • Ctrl+V

If users experience issues with copying and pasting in an RDP or VNC session, see Forcing Manual Copying of Clipboard Contents in a Secure RDP or VNC Session.

Note the following limitations:

  • When using Internet Explorer to open a secure RDP or VNC session, copy and paste is supported only in IE 10 and 11.
  • On Mac OS, users must use CMD+C and CMD+V to copy and paste, not Ctrl+C and Ctrl+V.