Tunneling a vSphere Client connection over SSH

My website runs on a single ESX machine in a remote datacenter. Because I host the machine myself, I had to take care of my own routing and firewalling. I solved this by installing a pfSense virtual machine and connecting it to both an internal and an external vSwitch.

This way neither the Service Console nor the virtual web server is reachable directly from the Internet; everything passes through the firewall. I run OpenVPN on the pfSense machine, so when I need access to the internal subnet I start OpenVPN. Sometimes, however, the PC I am working on has no OpenVPN client installed, and then I cannot reach the Service Console or the web server.

A neat little solution for this is SSH port forwarding. I connect to a third machine that is reachable from the Internet (it runs an SSH daemon) and that can itself reach 10.10.100.2, the Service Console IP address. By configuring PuTTY to forward a few local ports through that SSH session, I can connect my vSphere Client to the ESX host without exposing the host to the world: the only service listening on the public side is the SSH daemon, and the vSphere traffic between my PC and that machine travels inside the encrypted SSH session.

Steps

  • Make sure you have an SSH daemon (sshd) reachable from the Internet
  • Make sure the machine running sshd can reach the Service Console IP (10.10.100.2 in my case)
  • Open PuTTY, navigate to [Connection] – [SSH] – [Tunnels], and add three forwarded ports: 443 (the HTTPS API the client talks to), 902 and 903 (virtual machine console traffic). For each, set ‘Source port’ to the port number and ‘Destination’ to [youresxip]:[port], for example 10.10.100.2:443, and click Add. The local port must be the same as the remote port, because the vSphere Client does not let you pick a different port for the console connections.

  • Add an entry to your hosts file that maps the real DNS name of the ESX host to 127.0.0.1 (on Windows: %SystemRoot%\System32\drivers\etc\hosts). This is needed because the console connection the client opens is addressed to the host's own name; pointing that name at 127.0.0.1 sends it into the tunnel as well.

  • Fire up the vSphere Client and connect to [youresxdnsname].[domain]; the client connects to 127.0.0.1:443, PuTTY forwards that to the ESX host, and the console sessions on 902/903 follow the same path.
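For readers who would rather use OpenSSH than PuTTY, here is the same procedure as a shell script. This is an added example, not code from the original post: it builds the equivalent ssh command line for the three forwards, produces the hosts-file line, and checks listening-socket output for the local port conflicts mentioned in the comments below (a local web server or Skype already bound to 443). The names jump.example.org and esx01.example.org are assumptions; 10.10.100.2 is the Service Console address from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Assumed names:
#   jump.example.org  the Internet-facing SSH host
#   10.10.100.2       the ESX Service Console IP (from the post)
#   esx01.example.org the ESX host's real DNS name
set -u

# Ports the vSphere Client needs: 443 (HTTPS API), 902 and 903
# (virtual machine console traffic).
VSPHERE_PORTS="443 902 903"

# Emit one "-L local:esx:remote" forward per port. Local and remote port
# are identical because the client cannot be told to use another port
# for the console connections.
tunnel_args() {
    esx_ip=$1
    out=""
    for p in $VSPHERE_PORTS; do
        out="$out -L ${p}:${esx_ip}:${p}"
    done
    printf '%s' "${out# }"
}

# Full ssh invocation: -N opens no remote shell, only the forwards.
tunnel_cmd() {
    jump_host=$1
    esx_ip=$2
    printf 'ssh -N %s %s' "$(tunnel_args "$esx_ip")" "$jump_host"
}

# hosts-file line pinning the ESX DNS name to the local tunnel endpoint,
# so the console connection the client opens to that name enters the
# tunnel instead of trying to reach the internal subnet directly.
hosts_entry() {
    printf '127.0.0.1\t%s' "$1"
}

# Read "ss -ltn" / "netstat -ltn" style output on stdin and print the
# vSphere ports that are already bound locally. The local address is the
# first field of each line that ends in ":<port>"; "[::]:443", "*:443"
# and "0.0.0.0:443" are all handled.
busy_ports() {
    listening=$(awk '{ for (i = 1; i <= NF; i++)
                         if ($i ~ /:[0-9]+$/) { n = split($i, a, ":"); print a[n]; break } }')
    busy=""
    for p in $VSPHERE_PORTS; do
        for l in $listening; do
            [ "$l" = "$p" ] && busy="$busy $p"
        done
    done
    printf '%s' "${busy# }"
}

# Sample run with the assumed names: nothing is executed, only printed.
tunnel_cmd jump.example.org 10.10.100.2; echo
hosts_entry esx01.example.org; echo
```

Run `ss -ltn | busy_ports` (or `netstat -ltn | busy_ports`) before starting the tunnel; any port it prints must be freed first, otherwise ssh reports that it cannot bind the local port and the client never reaches the host. On Linux and macOS, binding local port 443 requires root or the equivalent capability, which PuTTY on Windows does not need. As the comments note, this only works when tunnelling to the ESX host directly: connecting through vCenter fails because vCenter redirects console sessions to the host.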

8 Responses to “Tunneling a vSphere Client connection over SSH”

  1. Faisal Ghulam Says:

    Hi,

    We want to implement Pfsense like you have done.

    Please guide me your Setup for Securing Virtual Machine with Pfsense.


  2. Allballs Says:

    Oh, man. This is beautifully simple. I put your Putty SSH tunnel example to use, and I’m digging it. Perfect. A beer for you.


  3. Joep Piscaer Says:

    Hmmm, beer. Thanks!


  4. Chris Says:

    Are you able to access the desktops of your VMs (through the Virtual Machine Console)? When I try this I get a MKS error, so I’m assuming it’s trying to connect to port 902 on the vCenter machine instead of the target VM…either that or I’m not really understanding this.


  5. Joep Piscaer Says:

    Hi Chris,

    This workaround doesn’t work when connecting to vCenter, as vCenter redirects your console session to an ESX-host. You can get it to work if you tunnel the ESX-host directly.


  6. Calagan Says:

    Very nice trick.
    For those having trouble connecting, I suggest you use netstat -ano to check for port conflict.

    Obviously, if you run a Web server on your client machine you’re going to need to shut it down in order to be able to tunnel through TCP 443. To my surprise I also noticed that Skype was using TCP 80 and TCP 443 (see http://forum.skype.com/index.php?showtopic=51147).


  7. Eddie Says:

    Thanks a lot for the tip. Works great! :)


  8. kze Says:

    Nice work around for SoHo ESX environment. A layer 2 tunnel would be needed for vsphere to work.

