Setting Up VM Access Proxies

You can set up VM Access Proxies to give users remote access to their VMs while your virtualized infrastructure stays secured behind a firewall.

VM Access Proxy architecture

A VM Access Proxy must be deployed on a separate machine from Commander. The VM Access Proxy (as of Version 3.4) runs in a container and can be deployed on any Linux machine that meets the requirements.

The following diagram provides an example deployment of a VM Access Proxy.

(Diagram: Commander VM Access Proxy Architecture)

VM Access Proxy setup steps

The basic setup steps required to use a VM Access Proxy with Commander are:

  1. Meeting Host and Network Prerequisites
  2. Deploying VM Access Proxies
  3. Adding VM Access Proxies to Commander

Meeting Host and Network Prerequisites

The following prerequisites must be met to use VM Access Proxy version 3.4 to establish connections to VMs from outside your firewall.

Best Practice: If you deployed an earlier Commander VM Access Proxy version, we recommend moving to version 3.4 when you upgrade Commander. For instructions, as well as details on compatibility between Commander and VM Access Proxy versions, see Upgrade and Redeploy the Commander VM Access Proxy.

Host machine minimum requirements

Minimum requirements:

  • Dedicated 64-bit Linux machine
  • Version 3.10 or higher of the Linux kernel
  • iptables version 1.4 or higher
  • Docker engine 18.09+
  • Docker-compose tool 1.8.0+
  • 2 CPUs

    Tip: The more CPUs available, the more concurrent connections the VM Access Proxy can handle.

  • 2 GB memory
  • 10 GB disk space
  • Time synchronization using either an NTP server or vCenter host

Port requirements

  • For secure RDP and secure SCVMM console connections, you must ensure that port 8443 is accessible (inbound to the VM Access Proxy).
  • For secure vCenter console connections, you must open port 443 (inbound to the VM Access Proxy).

    Note: Publishing both the Service Portal and the VM Access Proxy to the Internet requires two IP addresses.

Networking requirements

In all connection scenarios, routes must exist between Commander and the VM Access Proxy. For vCenter and SCVMM, routes must exist between Commander, the VM Access Proxy, and the host (ESXi or Hyper-V). For RDP, SSH, and VNC connections, routes must exist between Commander, the VM Access Proxy, and the target VM.

Important: If users will access their VMs from the cloud account's network as well as through the Service Portal published on the Internet, you must make sure DNS is configured correctly, because some network devices won't automatically route a request made to a public IP back to the corresponding private IP. When clients are on the same network as the cloud account and the VM Access Proxy, DNS must resolve to their private IP addresses so the traffic doesn't try to leave the network. Over the Internet, DNS must resolve to their public IP addresses.

Other requirements

  • To open a Secure Console session in Internet Explorer, the VM Access Proxy's IP address must be added to either the Local Intranet zone (when on the same network as the VM Access Proxy server) or the Trusted Sites zone (when connecting from a network other than that of the VM Access Proxy server). You may also need to disable Protected Mode in Internet Explorer.
  • Service Portal users must have the Open Console or the Open Remote Session permissions. See Customizing Service Portal Roles for Users.
  • Commander users must have Administrator or any Operator level of access rights on the VM. See Assigning Access Rights to Administrative Users.
  • You may want to configure credentials for console connections. See Configuring console credentials for connections to vCenter VMs.

Note: VMRC isn't supported for secure console connections for vCenter 6.0 or higher.

Deploying VM Access Proxies

A VM Access Proxy runs in a Docker container and can be deployed on any Linux machine that meets the requirements.

Note: Running the VM Access Proxy container in Docker Swarm or Kubernetes isn't supported.

To deploy a VM Access Proxy:

  1. Go to the Support Downloads page and download the Commander VM Access Proxy bundle.
  2. Extract the VM Access Proxy archive on the Linux machine that will be dedicated to the VM Access Proxy.
  3. Log in to the container registry with the credentials provided in the archive with the following command:

    cat snow-proxy.token | docker login -u Pulls --password-stdin cmpcontainer.azurecr.io

  4. Create the directories for logs and configuration files with the following command:

    sudo mkdir /var/data /var/data/logs /var/data/conf

  5. Configure your system to redirect traffic from port 443 to port 9443 using your distribution's preferred method.

    An example of how to do this using iptables would be:

    sudo iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9443

    Ensure that this redirection is persisted between reboots using your distribution's preferred method. An example of how to do this would be to add this line to the end of the /etc/rc.local startup script.

  6. Start the VM Access Proxy containers with the following command:

    sudo docker-compose up -d
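The deployment steps above, as an added preflight script that is not part of the Commander documentation or product. It compares the host against the minimums listed under Host machine minimum requirements (the version parsing and comparison are this script's own; uname, iptables, docker, docker-compose, nproc, df and the /proc/meminfo layout are assumed to be present on the Linux host), creates the log and configuration directories from step 4, and applies the 443-to-9443 redirect from step 5 in a form that can be re-run without appending a duplicate rule.

```shell
#!/bin/sh
# Added example (not part of the Commander documentation): preflight checks for
# the host requirements listed above, the directories from step 4, and an
# idempotent form of the 443 -> 9443 redirect from step 5.
# Thresholds are the page's own minimums; the comparison logic is this script's.
set -u

# version_ge A B: exit 0 when dotted version A is >= B. The first run of digits
# and dots in each argument is compared, so "5.15.0-91-generic" compares as
# 5.15.0, "iptables v1.8.7 (nf_tables)" as 1.8.7 and
# "Docker version 24.0.7, build afdd53b" as 24.0.7. An empty A never passes.
version_ge() {
  a=$(printf '%s' "$1" | grep -o '[0-9][0-9.]*' | head -n 1)
  b=$(printf '%s' "$2" | grep -o '[0-9][0-9.]*' | head -n 1)
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    [ "${x:-0}" -gt "${y:-0}" ] && return 0
    [ "${x:-0}" -lt "${y:-0}" ] && return 1
    case $a in *.*) a=${a#*.} ;; *) a= ;; esac
    case $b in *.*) b=${b#*.} ;; *) b= ;; esac
  done
  return 0
}

# check LABEL MINIMUM ACTUAL: prints PASS/FAIL and returns 1 on FAIL.
check() {
  if version_ge "$3" "$2"; then
    printf 'PASS  %-16s %s (minimum %s)\n' "$1" "${3:-<missing>}" "$2"
  else
    printf 'FAIL  %-16s %s (minimum %s)\n' "$1" "${3:-<missing>}" "$2"
    return 1
  fi
}

# run_checks: one line per requirement from the page; returns the failure count.
run_checks() {
  fails=0
  check kernel 3.10 "$(uname -r)" || fails=$((fails + 1))
  check iptables 1.4 "$(iptables --version 2>/dev/null)" || fails=$((fails + 1))
  check docker 18.09 "$(docker --version 2>/dev/null)" || fails=$((fails + 1))
  check docker-compose 1.8.0 "$(docker-compose --version 2>/dev/null)" || fails=$((fails + 1))
  check cpus 2 "$(nproc 2>/dev/null)" || fails=$((fails + 1))
  # MemTotal is in kB; round to whole GB so a "2 GB" host that reports slightly
  # less than 2097152 kB still passes.
  check memory_gb 2 "$(awk '/^MemTotal:/ {printf "%d", $2 / 1048576 + 0.5}' /proc/meminfo)" || fails=$((fails + 1))
  check free_disk_gb 10 "$(df -Pk /var 2>/dev/null | awk 'NR == 2 {printf "%d", $4 / 1048576 + 0.5}')" || fails=$((fails + 1))
  echo "$fails requirement(s) not met"
  return "$fails"
}

# prepare_dirs: step 4, with -p so a second run is harmless.
prepare_dirs() {
  sudo mkdir -p /var/data/logs /var/data/conf
}

REDIRECT_RULE='PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 9443'

# ensure_redirect: step 5. "-C" (check) exits 0 when the rule already exists,
# so re-running the script never appends a duplicate. -C needs iptables 1.4.11+.
# Word splitting of $REDIRECT_RULE is intended.
ensure_redirect() {
  if sudo iptables -t nat -C $REDIRECT_RULE 2>/dev/null; then
    echo "443 -> 9443 redirect already present"
  else
    sudo iptables -t nat -A $REDIRECT_RULE && echo "443 -> 9443 redirect added"
  fi
}

case "${1:-}" in
  check)    run_checks ;;
  dirs)     prepare_dirs ;;
  redirect) ensure_redirect ;;
  *)        echo "usage: $0 check|dirs|redirect" ;;
esac
```

Run sh vmap-preflight.sh check before step 3, dirs for step 4 and redirect for step 5. The redirect still has to be made persistent as step 5 says; the rc.local line the page suggests is one option, and on Debian or Ubuntu the iptables-persistent package is another. Whichever you choose, confirm after a reboot with sudo iptables -t nat -S PREROUTING that exactly one copy of the rule is present.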

Optional configuration tasks

After you have deployed a VM Access Proxy, you may want to perform the following optional configuration tasks to improve security:

Adding VM Access Proxies to Commander

After you have deployed a VM Access Proxy, you can add the deployed proxy to Commander so that Commander and Service Portal users can use it to connect to VMs. When you add a VM Access Proxy, you must configure the:

  • VM session access options to offer users for connecting to VMs.
  • Infrastructure that it will target.

VM session access options

You can set the VM session access options that you want the VM Access Proxy to provide to Commander and Service Portal users in the Open Connection menu.

Infrastructure to target

You can configure the infrastructure that the VM Access Proxy will target. By default, it will have a global target (that is, it will target your entire infrastructure). However, you can configure a proxy to target only a subset of that infrastructure. For example, you can select down to the cluster level for on-premise systems and to the region level for public cloud systems.

If you configure multiple proxies, you can set different infrastructure targets for each one. For example, you can configure a global proxy targeting the entire infrastructure, plus one or more secondary proxies targeting portions of your infrastructure.

Access through:

Configuration > System

Available to:

Commander Role of Superuser

To add a VM Access Proxy and configure which VM connection commands are available to users:

  1. Click the Integration tab.
  2. On the Integration page, click Add > VM Access Proxy.
  3. On the Configuration page of the VM Access Proxy wizard, in the Proxy URL field, enter a fully qualified domain name (FQDN) for the VM Access Proxy Server that uses https and port 8443.

    For example:

    https://example.vmaccessproxy.com:8443

    Note: The URL you enter must resolve correctly both on your network and over the Internet. While some firewall configurations allow for traffic to leave and re-enter the network, typically you need an internal DNS record that resolves to the private IP and an external DNS record that resolves to the public IP address of the VM Access Proxy server.

  4. In the Name field, enter a name.

    This name is used only to distinguish multiple VM Access Proxies. End users won't see this name.

  5. To test the connection, click Test.

    If the test is successful, the message "Connected to the VM Access Proxy" is displayed, along with the VM Access Proxy version. If you see an error, see Troubleshooting below.

  6. To enable the use of the VM Access Proxy after it has been configured, select Enabled.
  7. In the VM Session Access area, select the access options you want to provide in the Open Connection menu for Commander and Service Portal users:
    • If your Commander users are inside your firewall, enable the Direct commands and disable the Secure Proxy commands.
    • If your Service Portal users are customers outside your firewall, disable the Direct commands and enable the Secure Proxy commands.

    Tip: While there's no harm in enabling both Direct and Secure Proxy commands for Commander users, reducing the number of available commands results in a simpler user experience.

    Access Option: VMware Console: Direct
      Open Connection menu command: Open Console
      Description: Open a console connection to a vCenter VM. This command doesn't go through the VM Access Proxy.
      Recommended Commander setting: Enabled
      Recommended Service Portal setting: Disabled

    Access Option: VMware Console: Secure Proxy
      Open Connection menu command: Open Secure Console
      Description: Open a console connection in the browser to a vCenter VM, through the VM Access Proxy.
      Recommended Commander setting: Disabled
      Recommended Service Portal setting: Enabled

    Access Option: RDP: Direct
      Open Connection menu command: Open RDP Session
      Description: Open an RDP connection to a running Windows vCenter VM using an RDP client. This command doesn't go through the VM Access Proxy.
      Recommended Commander setting: Enabled
      Recommended Service Portal setting: Disabled

    Access Option: RDP: Secure Proxy
      Open Connection menu command: Open Secure RDP Session
      Description: Open an RDP connection in the browser to a running Windows vCenter VM, through the VM Access Proxy. When Secure Proxy is enabled, select the security mode to apply to the connection:
        • RDP — Standard RDP encryption
        • TLS — Transport Layer Security encryption
        • NLA — Network Level Authentication
        • Any — Allow the server to decide the protocol
      Note: To use a security mode other than standard RDP encryption, VM Access Proxy version 3.3 or higher is required. If you're using an earlier version of the VM Access Proxy, standard RDP encryption is used automatically.
      Recommended Commander setting: Disabled
      Recommended Service Portal setting: Enabled

    Access Option: SSH: Secure Proxy
      Open Connection menu command: Open Secure SSH Session
      Description: Open an SSH connection in the browser to a running Linux VM, through the VM Access Proxy.
      Recommended Commander setting: Disabled
      Recommended Service Portal setting: Enabled

    Access Option: VNC: Direct
      Open Connection menu command: Open VNC Session
      Description: Open a VNC connection to a running VM, using a VNC client. This command doesn't go through the VM Access Proxy.
      Recommended Commander setting: Enabled
      Recommended Service Portal setting: Disabled

    Access Option: VNC: Secure Proxy
      Open Connection menu command: Open Secure VNC Session
      Description: Open a VNC connection in the browser to a running VM, through the VM Access Proxy.
      Recommended Commander setting: Disabled
      Recommended Service Portal setting: Enabled

    Access Option: SCVMM Console: Secure Proxy
      Open Connection menu command: Open Secure Console
      Description: Open a console connection to a Hyper-V VM through the VM Access Proxy.
      Note: The only option for Hyper-V console access is through the VM Access Proxy, so both Commander and Service Portal users need access to this command.
      Recommended Commander setting: Enabled
      Recommended Service Portal setting: Enabled

  8. Click Next.
  9. On the Targets page, select the infrastructure that you want the proxy to target:
    • If you want the proxy to target your entire infrastructure (that is, a global target), keep the default selection: the Infrastructure view or the Applications view.
    • If you want the proxy to target only a subset of your infrastructure, clear the Infrastructure view or the Applications view target and select one or more targets in the tree. You can select down to the cluster level for on-premise systems and to the region level for public cloud systems.

      Note: If a global proxy is already configured, the Infrastructure and the Applications views will be grayed out and can't be cleared; you must select one or more targets below the Infrastructure view or the Applications view level.

  10. Click Next.
  11. On the Summary page, review your changes and click Finish.

Troubleshooting

If you need to retrieve log files from the VM Access Proxy appliance for troubleshooting purposes, see Retrieving VM Access Proxy Logs in the Snow Globe user community.

When you have configured the VM Access Proxy and a user is unable to open a connection to a VM, the first troubleshooting step is to try to open a connection to the VM outside Commander and the Service Portal.

Note: After configuring the VM Access Proxy, the first secure console connection attempt will fail, because it acts as a trigger to load required libraries. When you experience this issue, attempt to make a second secure console connection.

Potential errors displayed when testing a connection

Error message: Connection Error : VM Access Proxy host URL "<url>" must use https.
Resolution: Check whether you used http in the URL instead of https.

Error message: Connection Error : Failed to connect to "<url>".
  or
  VM Access Proxy received no response for host "<hostname or IP>": "<error message>"
Resolution:
  • Make sure you entered a valid port number.
  • Try rebooting the VM Access Proxy host server.

Error message: Connection Error : VM Access Proxy host URL "<url>" is not valid.
Resolution: Make sure you typed the URL correctly.

Error message: VM Access Proxy not found at "<hostname or IP>"
Resolution: The specified host is valid, but the VM Access Proxy Service wasn't found on the host. Make sure you specify a host where the VM Access Proxy was installed.

Error message: VM Access Proxy host not found: "<hostname or IP>"
  or
  Failed to connect to "<hostname or IP>"
Resolution: The specified host isn't valid, or the Docker container isn't running on the VM Access Proxy server. Make sure you specify a valid IP address or host name.

Error message: VM Access Proxy failed to provide a valid SSL cert for host "<hostname or IP>": "<error message>"
Resolution: The SSL certificate was not provided, or was not returned correctly. If an SSL certificate was provided as part of the installation process, try rebooting the VM Access Proxy host server.

Error message: VM Access Proxy not found at "<url>"
Resolution: Another service was found at the specified URL, but the VM Access Proxy Service wasn't found. Make sure you enter the URL for the VM Access Proxy Service.

Error message: Failed to get a valid response from "<url>". Ensure the port is correct and try again.
Resolution: Make sure you enter a port as part of the URL.

Error message: Bad response from server
Resolution: The VM Access Proxy service isn't running. Try restarting the service.

Error message: Server returned HTTP response code: 500 for URL: <url>/RemoteAccess/details
Resolution: The SSL certificate provided is invalid.

Error message: Invalid Proxy URL
Resolution: The proxy URL sometimes may not resolve unless a common root domain, such as .com or .net, is used.
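As an added example (not part of the Commander product or its documentation), the script below applies the Proxy URL rules from step 3 of "Adding VM Access Proxies" and the error table above as an offline precheck: it rejects http and malformed URLs using the same wording as the table, confirms a port is present, reports whether the FQDN resolves to a private or a public address so the split DNS setup can be verified from each network, and optionally fetches <url>/RemoteAccess/details, the path named in the HTTP 500 message. getent and curl are assumed to exist on the machine you run it from, and using /RemoteAccess/details as a reachability probe is an assumption drawn only from that error message; the function and option names are this script's own.

```shell
#!/bin/sh
# Added example (not part of the Commander documentation): offline checks on a
# VM Access Proxy URL that mirror the rules in step 3 of "Adding VM Access
# Proxies" and the messages in the error table, plus a DNS view check for the
# split-horizon requirement from the networking notes.
set -u

# is_private_ipv4 ADDR: exit 0 for RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
is_private_ipv4() {
  case $1 in
    10.*|192.168.*|172.1[6-9].*|172.2[0-9].*|172.3[01].*) return 0 ;;
    *) return 1 ;;
  esac
}

# validate_proxy_url URL: prints the host name on success. On failure it prints
# the matching error from the table above (or this script's own message for a
# missing or non-numeric port) to stderr and returns 1.
validate_proxy_url() {
  local url hostport host port
  url=$1
  case $url in
    https://*) ;;
    http://*) echo "Connection Error : VM Access Proxy host URL \"$url\" must use https." >&2; return 1 ;;
    *)        echo "Connection Error : VM Access Proxy host URL \"$url\" is not valid." >&2; return 1 ;;
  esac
  hostport=${url#https://}; hostport=${hostport%%/*}
  case $hostport in
    *:*) host=${hostport%:*}; port=${hostport##*:} ;;
    *)   echo "No port in \"$url\": the proxy URL must include the port (8443)." >&2; return 1 ;;
  esac
  case $port in
    ''|*[!0-9]*) echo "Port \"$port\" in \"$url\" is not a number." >&2; return 1 ;;
  esac
  [ "$port" -eq 8443 ] || echo "warning: \"$url\" uses port $port; the documented proxy URL uses port 8443" >&2
  [ -n "$host" ] || { echo "Connection Error : VM Access Proxy host URL \"$url\" is not valid." >&2; return 1; }
  printf '%s\n' "$host"
}

# dns_view HOST: resolves HOST with the local resolver and labels each address
# with the network view it belongs to. Run it once from the proxy's own network
# (expect private addresses) and once from outside (expect public addresses).
dns_view() {
  local addrs a
  addrs=$(getent hosts "$1" | awk '{print $1}')
  if [ -z "$addrs" ]; then
    echo "VM Access Proxy host not found: \"$1\"" >&2
    return 1
  fi
  for a in $addrs; do
    if is_private_ipv4 "$a"; then
      echo "$1 -> $a (private address: expected for clients on the proxy's network)"
    else
      echo "$1 -> $a (public address: expected for clients on the Internet)"
    fi
  done
}

# probe_details URL: GETs the path that appears in the HTTP 500 message in the
# table above and prints the status code. Certificate verification is left on,
# so a bad certificate shows up as a curl error rather than as a status code.
probe_details() {
  curl -sS -o /dev/null --max-time 10 \
    -w 'GET %{url_effective} -> HTTP %{http_code}\n' "$1/RemoteAccess/details"
}

case "${1:-}" in
  check) host=$(validate_proxy_url "${2:-}") && dns_view "$host" && probe_details "${2:-}" ;;
  *)     echo "usage: $0 check https://<proxy-fqdn>:8443" ;;
esac
```

Run sh vmap-urlcheck.sh check https://example.vmaccessproxy.com:8443 from a machine inside the proxy's network and again from one on the Internet: the URL checks should pass both times, the DNS line should flip from private to public, and the probe should return an HTTP status rather than a certificate error. A private-address answer from the Internet, or a public one from inside, is the misconfiguration the DNS note in Meeting Host and Network Prerequisites warns about.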

VM Access Proxy Status Field Messages

VM Access Proxy Status: Running
Details: This status is displayed when the VM Access Proxy is enabled and the service is running.

VM Access Proxy Status: Disabled
Details: The VM Access Proxy is configured, but is disabled. To enable the VM Access Proxy, go to the System > Integration tab. On the VM Access Proxy pane, click Edit, select Enabled, and click OK.

VM Access Proxy Status: Not Configured
Details: The VM Access Proxy hasn't been configured.

VM Access Proxy Status: Can't communicate with VM Access Proxy
Details: The VM Access Proxy server isn't powered on.

VM Access Proxy Status: VM Access Proxy Error
Details: The VM Access Proxy service isn't running, or a Tomcat error has occurred. To see Tomcat errors, click Edit to open the VM Access Proxy dialog and click Test.

Disabling or removing VM Access Proxy servers

Access through:

Configuration > System

Available to:

Commander Role of Superuser

Disabling a proxy server makes the server unavailable for connections but saves the settings — you can return to the configuration dialog later and re-enable it.

Removing a proxy server clears the settings — you must reconfigure all of the settings if you want to reintegrate later.

In both cases, users can still open connections to VMs, but the connections don't go through the VM Access Proxy.

If you've configured multiple proxies, disabling or removing a proxy that targets a subset of your infrastructure means that another proxy that targets a higher level of your infrastructure now also targets the subset. Test the available VM commands to ensure that behavior is as expected throughout your infrastructure.

To disable a proxy server:

  1. Click the Integration tab.
  2. On the Integration page, locate the server you want to disable and click Edit.
  3. Clear the Enabled checkbox and click OK.

To remove a proxy server:

  1. Click the Integration tab.
  2. On the Integration page, locate the server you want to remove and click Remove.
  3. Click Yes to confirm the change.