Configuring the VM Access Proxy for Secure VM Connections

The vCommander VM Access Proxy secures your virtualized infrastructure behind a firewall while still permitting your users remote access to their VMs. When you configure a VM Access Proxy, your users can access their VMs within a browser, without the need for a network connection to the managed system.

To minimize geographical distance and network lag, you can configure multiple proxies; for example, you can configure a separate proxy for each public cloud region.

The VM Access Proxy enables:

  • Secure RDP and secure VNC access for Windows VMs on all supported managed system types
  • Secure SSH and secure VNC access for Linux VMs on all supported managed system types
  • Secure console access for vCenter and SCVMM VMs

Using the VM Access Proxy is optional. If you don't install and configure one or more VM Access Proxies, users can still open a direct (non-proxied) console connection to vCenter VMs, and users can open direct RDP and VNC connections where applicable, providing a route exists between the user's computer and the managed system. See Opening a Connection to a VM.

VM Access Proxy architecture

vCommander VM Access Proxy Architecture

The VM Access Proxy is deployed as a separate Linux appliance on vCenter. The configuration process involves:

  1. Reviewing the VM Access Proxy prerequisites
  2. Deploying the VM Access Proxy appliance on vCenter
  3. Changing the default VM Access Proxy password
  4. Configuring the vCommander VM Access Proxy

Optional configuration tasks for the deployed VM Access Proxy appliance include changing the default keystore password, changing the default host name, generating or importing an SSL certificate, and assigning a static IP address. See Optional configuration below.

vCommander and VM Access Proxy version compatibility

If you deployed an earlier vCommander VM Access Proxy version, we recommend moving to the latest version when you upgrade your vCommander. For instructions, see Redeploying the vCommander VM Access Proxy.

For details on compatibility between vCommander and VM Access Proxy versions, see Redeploying the vCommander VM Access Proxy.

Prerequisites

The following prerequisites must be met to use the VM Access Proxy to establish connections to VMs outside your firewall.

Port requirements

  • For secure RDP and secure SCVMM console connections, you must ensure that port 8443 is accessible (inbound to the VM Access Proxy).
  • For secure vCenter console connections, you must also open port 443 (inbound to the VM Access Proxy).

    Publishing both the Service Portal and the VM Access Proxy to the Internet requires two IP addresses.

Networking requirements

In all connection scenarios, routes must exist between vCommander and the VM Access Proxy. For vCenter and SCVMM, routes must exist between vCommander, the VM Access Proxy, and the host (ESXi or Hyper-V). For RDP, SSH and VNC connections, routes must exist between vCommander, the VM Access Proxy and the target VM.

Important: If users will access their VMs from the managed system's network, as well as through the Service Portal published on the Internet, you must make sure DNS is configured correctly. This is because some network devices won't automatically route requests made to a public IP to its private IP. When on the same network as the managed system and VM Access Proxy, DNS must resolve to their private IP addresses so the traffic doesn't try to leave the network. Over the Internet, DNS must resolve to their public IP addresses.

Other requirements

  • To open a Secure Console session in Internet Explorer, the VM Access Proxy's IP address must be added to either the Local Intranet zone (when on the same network as the VM Access Proxy server) or the Trusted Sites zone (when connecting from a network other than that of the VM Access Proxy server). You may also need to disable Protected Mode in Internet Explorer.
  • Service Portal users must have the Open Console and/or the Open Remote Session permissions. See Customizing Service Portal Roles for End Users.
  • vCommander users must have Administrator or any Operator level of access rights on the VM. See Assigning Access Rights to Administrative Users.
  • You may want to configure credentials for console connections. See Connecting to a vCenter VM.

VMRC is not supported for secure console connections for vCenter 6.0 or higher.

Deploying the VM Access Proxy appliance on vCenter

You can deploy the VM Access Proxy appliance on vCenter as a thick client or as a Web client.

Deploying the VM Access Proxy appliance as a thick client

To deploy the VM Access Proxy appliance as a thick client:

  1. Log in to the Support website and download the vCommander VM Access Proxy package.
  2. Extract the VM Access Proxy archive.
  3. In vCenter, deploy the OVF template:

    Go to File > Deploy OVF Template and complete the wizard.

  4. Right-click the VM Access Proxy deployment and select Edit Settings.
  5. On the Options tab, select the VMware Tools option, then enable Synchronize guest time with host.
  6. Start the deployed VM.

    Now you're ready to change the VM Access Proxy password.

Deploying the VM Access Proxy appliance as a Web client

Only the vSphere Flash client supports OVF deployment. You can't use this procedure with the HTML5 client.

To deploy the VM Access Proxy appliance on vCenter as a Web client:

  1. Log in to the Support website and download the vCommander VM Access Proxy package.
  2. Extract the VM Access Proxy archive.
  3. In the vCenter web client, right-click the vCenter and select Deploy OVF Template.
  4. Click Local file and browse to the folder where you extracted the VM Access Proxy.
  5. Select all three files and click Open.
  6. Complete the wizard.
  7. Once deployed, right-click the VM and choose Edit Settings.
  8. On the VM Options tab, select VMware Tools, then enable Synchronize guest time with host.
  9. Start the deployed VM.

    Now you're ready to change the VM Access Proxy password.

Changing the default VM Access Proxy password

After you have deployed the VM Access Proxy on vCenter, you must change its default password.

  1. If you're not already logged in to the VM Access Proxy, open a console connection to the VM, using the following credentials:

    username: vcommander

    password: gRHrB211

  2. Run the following command:

    passwd

  3. Enter the current password.
  4. Enter and confirm your new password.

Configuring the vCommander VM Access Proxy

Access through:

Configuration menu > System Configuration > Integration tab

Available to:

vCommander Role of Superuser

You can configure one or more VM Access Proxies. You may want to configure more than one proxy to minimize geographical distance and network lag. For example, you can configure a separate proxy for each public cloud region.

To add a VM Access Proxy and configure which VM connection commands are available to users:

  1. On the Integration page, click Add > VM Access Proxy.
  2. On the VM Access Proxy wizard's Configuration page, in the Proxy URL field, enter a fully qualified domain name (FQDN) for the VM Access Proxy Server that uses https and port 8443. For example:

    https://example.vmaccessproxy.com:8443

    The URL you enter must resolve correctly both on your network and over the Internet. While some firewall configurations allow for traffic to leave and re-enter the network, typically you need an internal DNS record that resolves to the private IP and an external DNS record that resolves to the public IP address of the VM Access Proxy server.

  3. In the Name field, enter a name.

    End users won't see this name; it's used only to distinguish multiple proxies.

  4. Click Test to test the connection.

    If the test is successful, the message "Connected to the VM Access Proxy" is displayed, along with the VM Access Proxy version. If you see an error, see Troubleshooting below.

  5. To enable the use of the VM Access Proxy after it has been configured, select Enabled.
  6. Under VM Session Access, select the access options you want to provide in the Open Connection menu for vCommander and Service Portal users:
    • If your vCommander users are inside your firewall, for vCommander, enable the Direct commands and disable the Secure Proxy commands.
    • If your Service Portal users are customers outside your firewall, for the Service Portal, enable the Secure Proxy commands and disable the Direct commands.

    While there's no harm in enabling both Direct and Secure Proxy commands for vCommander users, reducing the number of available commands results in a simpler user experience.

    The access options, the Open Connection menu command each one provides, and the recommended setting for vCommander and for the Service Portal:

    VMware Console: Direct
      Open Connection menu command: Open Console
      Description: Open a console connection to a vCenter VM. This command doesn't go through the VM Access Proxy.
      Recommended setting: vCommander Enabled; Service Portal Disabled

    VMware Console: Secure Proxy
      Open Connection menu command: Open Secure Console
      Description: Open a console connection in the browser to a vCenter VM, through the VM Access Proxy.
      Recommended setting: vCommander Disabled; Service Portal Enabled

    RDP: Direct
      Open Connection menu command: Open RDP Session
      Description: Open an RDP connection to a running Windows vCenter VM using an RDP client. This command doesn't go through the VM Access Proxy.
      Recommended setting: vCommander Enabled; Service Portal Disabled

    RDP: Secure Proxy
      Open Connection menu command: Open Secure RDP Session
      Description: Open an RDP connection in the browser to a running Windows vCenter VM, through the VM Access Proxy. When Secure Proxy is enabled, select the security mode to apply to the connection:
        • RDP: Standard RDP encryption
        • TLS: Transport Layer Security encryption
        • NLA: Network Level Authentication
        • Any: Allow the server to decide the protocol
      To use a security mode other than standard RDP encryption, Version 3.3 of the VM Access Proxy is required. If you are using an earlier version of the VM Access Proxy, standard RDP will automatically be used.
      Recommended setting: vCommander Disabled; Service Portal Enabled

    SSH: Secure Proxy
      Open Connection menu command: Open Secure SSH Session
      Description: Open an SSH connection in the browser to a running Linux VM, through the VM Access Proxy.
      Recommended setting: vCommander Disabled; Service Portal Enabled

    VNC: Direct
      Open Connection menu command: Open VNC Session
      Description: Open a VNC connection to a running VM, using a VNC client. This command doesn't go through the VM Access Proxy.
      Recommended setting: vCommander Enabled; Service Portal Disabled

    VNC: Secure Proxy
      Open Connection menu command: Open Secure VNC Session
      Description: Open a VNC connection in the browser to a running VM, through the VM Access Proxy.
      Recommended setting: vCommander Disabled; Service Portal Enabled

    SCVMM Console: Secure Proxy
      Open Connection menu command: Open Secure Console
      Description: Open a console connection to a Hyper-V VM through the VM Access Proxy.
      Note: The only option for Hyper-V console access is through the VM Access Proxy, so both vCommander and Service Portal users need access to this command.
      Recommended setting: vCommander Enabled; Service Portal Enabled

    Example VM Session Access Configuration

    Consider the following session access configuration.

    VM Access Proxy dialog

    For this example configuration, the Open Connection context menu in both vCommander and the Service Portal for a Windows VM on vCenter would look like this:

    Open VM Connection commands

    In the Service Portal, the Open Connection commands are the same, whether you've enabled the Secure Proxy commands or the Direct commands. In vCommander, by contrast, the secure Open Connection commands are prefixed by "Secure". For example, here is the vCommander Open Connection menu for a Windows VM on vCenter, when both Direct and Secure Proxy commands are enabled:

    Open VM Connection commands

  7. For secure RDP and VNC connections, enable Force manual copy from remote clipboard if you want to force users to manually copy contents from the remote clipboard to the local clipboard.

    When this option is enabled, users see a Copy from Remote Clipboard button in the session. See Forcing manual copying of clipboard contents in secure RDP or VNC sessions below for more information.

  8. Click Next.
  9. On the Targets page, configure the infrastructure that you want the proxy to target:
    • If you want this proxy to target your entire infrastructure (that is, a global target), keep the default selection, Operational.
    • If you want to target only a subset of your infrastructure, clear the Operational target and select one or more targets in the tree. You can select down to the cluster level for on-premise systems, and to the region level for public cloud systems.

      If a global proxy is already configured, Operational is grayed out and can't be cleared; you must select one or more targets below the Operational level.

    Example Infrastructure Targets

    You can configure one global proxy targeting the entire infrastructure, plus one or more secondary proxies targeting portions of your infrastructure. The following image shows the Targets page for a global proxy; the grayed-out checkboxes for kermit and manta show that they're targeted by other proxies.

    VM Access Proxy configuration

  10. Click Next.
  11. On the Summary page, review your changes and click Finish.

Troubleshooting

If you need to retrieve log files from the VM Access Proxy appliance for troubleshooting purposes, see the Knowledge Base article Retrieving VM Access Proxy Logs.

When you have configured the VM Access Proxy and a user is unable to open a connection to a VM, the first step to take is to try to open a connection to the VM outside vCommander and the Service Portal.

After configuring the VM Access Proxy, the first secure console connection attempt will fail, because it acts as a trigger to load required libraries. When you experience this issue, attempt to make a second secure console connection.

Potential errors displayed when testing a connection

  • Connection Error : VM Access Proxy host URL "<url>" must use https.
    Resolution: Check whether you used http in the URL instead of https.

  • Connection Error : Failed to connect to "<url>".
    or
    VM Access Proxy received no response for host "<hostname or IP>": "<error message>"
    Resolution:
      • Make sure you entered a valid port number.
      • Try rebooting the VM Access Proxy host server.

  • Connection Error : VM Access Proxy host URL "<url>" is not valid.
    Resolution: Make sure you typed the URL correctly.

  • VM Access Proxy not found at "<hostname or IP>"
    Resolution: The specified host is valid, but the VM Access Proxy Service wasn't found on the host. Make sure you specify a host where the VM Access Proxy was installed.

  • VM Access Proxy host not found: "<hostname or IP>"
    or
    Failed to connect to "<hostname or IP>"
    Resolution: The specified host isn't valid, or Tomcat is not running on the VM Access Proxy server. Make sure you specify a valid IP address or host name.

  • VM Access Proxy failed to provide a valid SSL cert for host "<hostname or IP>": "<error message>"
    Resolution: The SSL certificate was not provided, or was not returned correctly. If an SSL certificate was provided as part of the installation process, try rebooting the VM Access Proxy host server.

  • VM Access Proxy not found at "<url>"
    Resolution: Another service was found at the specified URL, but the VM Access Proxy Service wasn't found. Make sure you enter the URL for the VM Access Proxy Service.

  • Failed to get a valid response from "<url>". Ensure the port is correct and try again.
    Resolution: Make sure you enter a port as part of the URL.

  • Bad response from server
    Resolution: The VM Access Proxy service is not running. Try restarting the service.

  • Server returned HTTP response code: 500 for URL: <url>/RemoteAccess/details
    Resolution: The SSL certificate provided is invalid.

  • Invalid Proxy URL
    Resolution: The proxy URL sometimes may not resolve unless a common root domain, such as .com or .net, is used.
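Most of the errors in the table above come down to the shape of the URL entered in step 2 of the configuration wizard (https scheme, a fully qualified host name, an explicit port). The following script is an added example, not part of vCommander or the VM Access Proxy appliance: it validates a proxy URL the same way before you type it into the wizard, prints the host's resolved address so you can compare the private and public answers that the split DNS requirement calls for, and optionally probes the details URL that the table shows the wizard's test requesting. The `probe_proxy` function assumes you have exported the appliance's certificate (or have the CA that signed your replacement certificate) to pass as `CA_CERT`; `getent` and `curl` are standard tools, and the sample URLs are constructed.

```sh
#!/bin/sh
# Pre-flight check for a vCommander VM Access Proxy URL (added example, not
# part of the product). validate_proxy_url mirrors the checks the wizard's
# Test button reports: https scheme, a fully qualified host name with a root
# domain, and an explicit port, which for the proxy is 8443.

# validate_proxy_url URL
# Prints "ok" and returns 0 when the URL has the expected shape; otherwise
# prints a reason worded like the wizard's error messages and returns 1.
validate_proxy_url() {
  url=$1
  case "$url" in
    https://*) ;;
    http://*)
      echo "VM Access Proxy host URL \"$url\" must use https."
      return 1 ;;
    *)
      echo "VM Access Proxy host URL \"$url\" is not valid."
      return 1 ;;
  esac

  # Keep only host[:port]: drop the scheme and anything after the first slash.
  hostport=${url#https://}
  hostport=${hostport%%/*}
  case "$hostport" in
    *:*)
      host=${hostport%%:*}
      port=${hostport##*:} ;;
    *)
      echo "Failed to get a valid response from \"$url\". Ensure the port is correct and try again."
      return 1 ;;
  esac

  case "$port" in
    ''|*[!0-9]*)
      echo "VM Access Proxy host URL \"$url\" is not valid."
      return 1 ;;
  esac
  if [ "$port" -ne 8443 ]; then
    echo "Port $port is not the VM Access Proxy port; use 8443 (the port that must be reachable inbound to the proxy)."
    return 1
  fi

  # The wizard asks for an FQDN, and a name without a common root domain
  # (.com, .net, ...) may not resolve; a bare label or an IP address is rejected.
  case "$host" in
    ''|*[!A-Za-z0-9.-]*|.*|*.|*..*)
      echo "VM Access Proxy host URL \"$url\" is not valid."
      return 1 ;;
  esac
  tld=${host##*.}
  case "$tld" in
    "$host"|*[!A-Za-z]*)
      echo "Invalid Proxy URL: \"$host\" is not a fully qualified domain name with a root domain such as .com or .net."
      return 1 ;;
  esac
  echo ok
}

# resolve_proxy_host URL
# Prints the addresses the local resolver returns for the proxy host. Run it
# once from the managed system's network (expect the private IP) and once from
# the Internet side (expect the public IP) to confirm the split DNS setup.
resolve_proxy_host() {
  hostport=${1#https://}
  hostport=${hostport%%/*}
  getent hosts "${hostport%%:*}" | awk '{ print $1 }'
}

# probe_proxy URL [CA_CERT]
# Requests the details URL the troubleshooting table mentions and prints the
# HTTP status code. The appliance ships with a self-signed certificate, so
# pass the certificate you exported from it (or the CA that signed your own
# certificate) as CA_CERT rather than turning off verification.
probe_proxy() {
  url=$1; ca=${2-}
  if [ -n "$ca" ]; then
    curl -sS --max-time 10 --cacert "$ca" -o /dev/null -w '%{http_code}\n' "$url/RemoteAccess/details"
  else
    curl -sS --max-time 10 -o /dev/null -w '%{http_code}\n' "$url/RemoteAccess/details"
  fi
}

# Usage: sh proxy-preflight.sh https://proxy.example.com:8443 [ca-cert.pem]
if [ $# -gt 0 ]; then
  validate_proxy_url "$1" && resolve_proxy_host "$1" && probe_proxy "$1" "${2-}"
fi
```

A URL that passes `validate_proxy_url` can still fail the wizard's test for the reasons lower in the table (service not running, certificate not returned, host powered off), which is what `probe_proxy` and the resolver check are for.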

VM Access Proxy Status Field Messages

  • Running: This status is displayed when the VM Access Proxy is enabled and the service is running.
  • Disabled: The VM Access Proxy is configured, but is disabled. To enable the VM Access Proxy, go to System Configuration > Integration tab. On the VM Access Proxy pane, click Edit. Select Enabled and click OK.
  • Not Configured: The VM Access Proxy has not been configured.
  • Can't communicate with VM Access Proxy: The VM Access Proxy server is not powered on.
  • VM Access Proxy Error: The VM Access Proxy service is not running, or a Tomcat error has occurred. To see Tomcat errors, click Edit to open the VM Access Proxy dialog and click Test.

Disabling or removing a VM Access Proxy server

Access through:

Configuration menu > System Configuration > Integration tab

Available to:

vCommander Role of Superuser

Disabling a proxy server makes the server unavailable for connections but saves the settings, meaning that you can return to the configuration dialog later and simply re-enable it.

Removing a proxy server clears the settings, meaning that you must reconfigure all of the settings if you want to reintegrate later.

In both cases, users can still open connections to VMs, but the connections don't go through the VM Access Proxy.

If you have configured multiple proxies, disabling or removing a proxy that targets a subset of your infrastructure means that another proxy that targets a higher level of your infrastructure now also targets the subset. Test the available VM commands to ensure that behavior is as expected throughout your infrastructure.

To disable a proxy server:

  1. On the Integration page, locate the server you want to disable and click Edit.
  2. Clear the Enabled checkbox and click OK.

To remove a proxy server:

  1. On the Integration page, locate the server you want to remove and click Remove.
  2. Click Yes to confirm the change.

Forcing manual copying of clipboard contents in secure RDP or VNC sessions

Access through:

Configuration menu > System Configuration > Integration tab

Available to:

vCommander Role of Superuser

There are two ways to allow users to copy content from a remote secure RDP or VNC session to the local clipboard:

  • Automatic method (the default): The content copied from the remote system is automatically copied to the remote clipboard, then to the local system, then to the local clipboard.
  • Manual method: Users first use any of the supported methods to copy content from the remote session to the remote clipboard, and then must click Copy from Remote Clipboard to move the copied content from the remote clipboard to the local clipboard. You may need to configure this method if users experience reliability issues when copying and pasting using the automatic method.

    Notes:

    • To ensure that the Copy from Remote Clipboard button is visible in the session, the user's browser must have Adobe Flash installed.
    • When the manual method is configured, Mac OS users must use Ctrl+C to copy (rather than CMD+C) and CMD+V to paste.

To force users to manually copy clipboard contents from the remote clipboard to the local clipboard:

  1. Choose Configuration > System Configuration, and go to the Integration tab.
  2. Locate the VM Access Proxy in the list of integrations and click Edit.
  3. On the VM Access Proxy dialog, enable Force manual copy from remote clipboard and click OK.

    When this option is enabled, users will see a Copy from Remote Clipboard button in their RDP or VNC session.

Optional configuration

To learn how to change the default keystore password, see Changing the Default Keystore Password.

Changing the default host name

The default host name for the VM Access Proxy server is "vcommander-proxy".

To change the name:

  1. Open a console connection to the VM Access Proxy server.
  2. Edit the file /etc/hostname with the nano utility:

    sudo nano /etc/hostname

  3. Enter the appropriate hostname and save the file.
  4. Edit the file /etc/hosts with the nano utility:

    sudo nano /etc/hosts

  5. Enter the appropriate hostname and save the file.
  6. Reboot the server:

    sudo reboot
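The steps above edit /etc/hostname and /etc/hosts by hand, and a mismatch between the two (or a name with characters DNS won't accept) is an easy mistake to make on a console. The script below is an added example, not part of the appliance: it validates the new name and updates both files together. The file paths are parameters so the change can be rehearsed on copies before it is run against the real files; `proxy-eu1` and the sample file contents are constructed values.

```sh
#!/bin/sh
# Rename the VM Access Proxy appliance in a checked way (added example, not
# part of the product). Both file paths are parameters so you can rehearse on
# copies; on the appliance you would pass /etc/hostname and /etc/hosts and
# then reboot as the procedure says.

# valid_hostname NAME: RFC 1123 shape, each label 1-63 characters from
# [A-Za-z0-9-] with no leading or trailing hyphen, whole name at most 253 chars.
valid_hostname() {
  h=$1
  [ ${#h} -ge 1 ] && [ ${#h} -le 253 ] || return 1
  case "$h" in
    *[!A-Za-z0-9.-]*|.*|*.|*..*) return 1 ;;
  esac
  oldIFS=$IFS; IFS=.; set -- $h; IFS=$oldIFS
  for label in "$@"; do
    [ ${#label} -le 63 ] || return 1
    case "$label" in -*|*-) return 1 ;; esac
  done
  return 0
}

# set_proxy_hostname NEWNAME HOSTNAME_FILE HOSTS_FILE
# Write NEWNAME to HOSTNAME_FILE and replace the previous name wherever it
# appears as a whole word in HOSTS_FILE; add a 127.0.1.1 entry if it had none.
set_proxy_hostname() {
  new=$1 hn_file=$2 hosts_file=$3
  valid_hostname "$new" || { echo "invalid host name: $new" >&2; return 1; }
  old=$(cat "$hn_file") || return 1
  esc=$(printf '%s' "$old" | sed 's/\./\\./g')   # make dots literal for sed/grep
  printf '%s\n' "$new" > "$hn_file"
  if [ -n "$old" ] && grep -qE "[[:space:]]$esc([[:space:]]|\$)" "$hosts_file"; then
    tmp=$(mktemp) || return 1
    sed -e "s/\([[:space:]]\)$esc\([[:space:]]\)/\1$new\2/g" \
        -e "s/\([[:space:]]\)$esc\$/\1$new/" "$hosts_file" > "$tmp" || { rm -f "$tmp"; return 1; }
    cat "$tmp" > "$hosts_file"
    rm -f "$tmp"
  else
    printf '127.0.1.1\t%s\n' "$new" >> "$hosts_file"
  fi
}

# Usage (on the appliance, after rehearsing on copies):
#   sudo sh rename-proxy.sh proxy-eu1 && sudo reboot
if [ $# -ge 1 ]; then
  set_proxy_hostname "$1" "${2:-/etc/hostname}" "${3:-/etc/hosts}"
fi
```

If you publish the proxy under a fully qualified name, keep the label you set here consistent with the host part of the Proxy URL configured in vCommander so that the certificate and DNS records line up.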

Generating or importing an SSL certificate

The vCommander VM Access Proxy includes a self-signed certificate. If you want to use your own self-signed certificate, or one provided by a certificate authority, follow the instructions in the Knowledge Base article Generating and Installing an SSL Certificate for the VM Access Proxy 3.0.

Assigning a static IP address

To assign a static IP address for the VM Access Proxy server:

  1. Open a console connection to the VM Access Proxy server.
  2. Edit the file /etc/network/interfaces with the nano utility:

    sudo nano /etc/network/interfaces

  3. Delete the dhcp line in the file:

    iface ens32 inet dhcp

  4. Add the static IP details, as required, and save the file. For example:

    iface ens32 inet static
    address 192.168.1.5
    netmask 255.255.255.0
    gateway 192.168.1.254
    dns-nameservers 10.10.10.10 10.10.10.11
    dns-search example.com

  5. Restart networking:

    sudo service network-interface restart INTERFACE=ens32
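A wrong value in the static stanza (a gateway on a different subnet, a non-contiguous netmask, a mistyped octet) leaves the appliance unreachable after the restart, and a proxy published on the Internet is awkward to recover from a console. The script below is an added example, not part of the appliance or of vCommander: it validates the values, renders the stanza shown in step 4, and swaps it in for the dhcp line on a copy of the interfaces file before you touch the real one. The addresses and the `ens32` interface name are the ones from the procedure above; the sample file contents are constructed.

```sh
#!/bin/sh
# Generate and apply the static-IP stanza for the VM Access Proxy appliance's
# /etc/network/interfaces (added example, not part of the product). Values are
# checked before anything is written; the file path is a parameter so you can
# dry-run on a copy.

# ip4_to_int A.B.C.D: print the address as a 32-bit integer, or return 1 if it
# is not a well-formed dotted quad.
ip4_to_int() {
  ip=$1
  case "$ip" in
    ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
  esac
  oldIFS=$IFS; IFS=.; set -- $ip; IFS=$oldIFS
  [ $# -eq 4 ] || return 1
  for o in "$@"; do
    case "$o" in 0?*) return 1 ;; esac   # reject leading zeros (octal ambiguity)
    [ "$o" -le 255 ] || return 1
  done
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# valid_netmask A.B.C.D: return 0 only for a contiguous mask such as 255.255.255.0.
valid_netmask() {
  m=$(ip4_to_int "$1") || return 1
  inv=$(( ~m & 4294967295 ))
  [ $(( (inv + 1) & inv )) -eq 0 ]
}

# same_subnet ADDR GATEWAY NETMASK: return 0 when the gateway lies on the
# interface's own network, which the kernel requires for the default route.
same_subnet() {
  a=$(ip4_to_int "$1") || return 1
  g=$(ip4_to_int "$2") || return 1
  m=$(ip4_to_int "$3") || return 1
  [ $(( a & m )) -eq $(( g & m )) ]
}

# render_static_stanza IFACE ADDR NETMASK GATEWAY "DNS1 DNS2" SEARCH
# Validate the inputs and print the stanza that replaces "iface IFACE inet dhcp".
render_static_stanza() {
  iface=$1 addr=$2 mask=$3 gw=$4 dns=$5 search=$6
  ip4_to_int "$addr" >/dev/null || { echo "invalid address: $addr" >&2; return 1; }
  valid_netmask "$mask" || { echo "invalid netmask: $mask" >&2; return 1; }
  ip4_to_int "$gw" >/dev/null || { echo "invalid gateway: $gw" >&2; return 1; }
  same_subnet "$addr" "$gw" "$mask" || { echo "gateway $gw is not on the $addr/$mask network" >&2; return 1; }
  for n in $dns; do
    ip4_to_int "$n" >/dev/null || { echo "invalid DNS server: $n" >&2; return 1; }
  done
  printf 'iface %s inet static\n    address %s\n    netmask %s\n    gateway %s\n    dns-nameservers %s\n    dns-search %s\n' \
    "$iface" "$addr" "$mask" "$gw" "$dns" "$search"
}

# apply_static_config FILE IFACE ADDR NETMASK GATEWAY "DNS1 DNS2" SEARCH
# Remove the dhcp line for IFACE from FILE and append the validated stanza.
apply_static_config() {
  file=$1; shift
  iface=$1
  stanza=$(render_static_stanza "$@") || return 1
  grep -q "^iface $iface inet dhcp\$" "$file" ||
    echo "warning: no 'iface $iface inet dhcp' line in $file" >&2
  tmp=$(mktemp) || return 1
  grep -v "^iface $iface inet dhcp\$" "$file" > "$tmp" || :   # grep -v exits 1 when nothing is left
  printf '%s\n' "$stanza" >> "$tmp"
  cat "$tmp" > "$file" && rm -f "$tmp"
}

# Example run on a scratch copy (values from the procedure above):
#   cp /etc/network/interfaces /tmp/interfaces.test
#   sh static-ip.sh /tmp/interfaces.test ens32 192.168.1.5 255.255.255.0 192.168.1.254 "10.10.10.10 10.10.10.11" example.com
if [ $# -ge 7 ]; then
  apply_static_config "$@"
fi
```

Once the copy looks right, apply it to /etc/network/interfaces and restart networking as in step 5; keep the vCenter console open until you have confirmed the new address answers, since that console is the only path back if the stanza is wrong.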

Copying and pasting in secure RDP or VNC sessions

In a secure RDP or VNC session, users can:

  • copy content from the remote system to the local clipboard
  • paste content from the local clipboard to the remote system

"Local clipboard" refers to the end user workstation where you initiated the RDP or VNC connection. "Remote system" refers to the system you're connected to through RDP or VNC.

To copy content from the remote system to the local clipboard, use any of the following:

  • Ctrl+C
  • Ctrl+X
  • The context menu (Edit menu > Copy, or right-click > Copy)

To paste content from the local clipboard to the remote system use:

  • Ctrl+V

On Mac OS, users must use CMD+C and CMD+V to copy and paste, not Ctrl+C and Ctrl+V.

If users experience issues copying and pasting in an RDP or VNC session, see Forcing manual copying of clipboard contents in secure RDP or VNC sessions.