VMware

VMware GSX Server 2.5.2



Securing Your Remote Sessions


The username, password and network packets sent to the GSX Server host over a network connection when using the VMware Remote Console or the VMware Management Interface are not encrypted in GSX Server by default. As the Administrator user (Windows hosts) or root user (Linux hosts), you can enable Secure Sockets Layer (SSL) to encrypt these sessions.

When you enable SSL, security certificates are created by GSX Server and stored on your host. However, the certificates used to secure your VMware Management Interface sessions are not signed by a trusted certificate authority; therefore they do not provide authentication. If you intend to use encrypted remote connections externally, you should consider purchasing a certificate from a trusted certificate authority.

Caution: GSX Server does not generate the security certificate for the VMware Management Interface on Windows NT 4.0 hosts. See Enabling SSL for the VMware Management Interface on a Windows NT Host.

With SSL enabled, the remote console and management interface perform exactly as they would if SSL were disabled.

When SSL is enabled for the VMware Remote Console, a lock icon appears in the lower right corner of the console window. Any remote consoles that are already open at the time SSL is enabled do not become encrypted, and the lock icon does not appear in these console windows. These consoles must be closed and new console sessions must be started to ensure encryption.

When SSL is enabled for the VMware Management Interface, the URL to connect to the management interface is https://<hostname>:8333. The management interface automatically redirects users to this URL if they use the original URL (http://<hostname>:8222) to connect. In addition, a lock icon appears in the status bar of the browser window.

Note: After SSL is enabled on a Windows host, any new management interface connections to the non-secure port (8222) are not redirected.

Note: If you disable SSL, users are automatically redirected to http://<hostname>:8222 if they use https://<hostname>:8333 to connect to the management interface.

Using Your Own Security Certificates


If you prefer, you can use your own security certificate when you enable SSL.

On a Windows host, run the Microsoft Management Console (mmc.exe) and select your certificate. When you upgrade the VMware Management Interface on a GSX Server for Windows host, you need to reassign your certificate to the management interface.

On a Linux host, the VMware Management Interface certificate must be placed in /etc/vmware-mui/ssl. The management interface certificate consists of 2 files: the certificate itself (mui.crt) and the private key file (mui.key). The private key file should be readable only by the root user.

When you upgrade the VMware Management Interface on a Linux host, the certificate remains in place. If you remove the management interface, the certificate directory is not removed from your host.
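
The Linux requirement above (mui.key readable only by the root user) can be verified with a short audit function. This is an added example, not VMware code: the function name audit_mui_ssl, the optional owner argument, and the extra checks that the certificate and its directory are not writable by group or other are assumptions of this example and go beyond the single requirement the page states.

```shell
#!/bin/sh
# Added example (not VMware code): audit the management interface
# certificate directory on a Linux host.
# The directory and file names come from the page; the function name and
# the group/other-writable checks are assumptions of this example.
#
# Usage: audit_mui_ssl [DIR] [OWNER]    (defaults: /etc/vmware-mui/ssl root)
# Returns 0 when every check passes, 1 otherwise.
audit_mui_ssl() {
    dir=${1:-/etc/vmware-mui/ssl}
    owner=${2:-root}
    rc=0

    # Both halves of the certificate must be present.
    for f in mui.crt mui.key; do
        [ -f "$dir/$f" ] || { echo "FAIL: $dir/$f is missing"; rc=1; }
    done
    [ "$rc" -eq 0 ] || return "$rc"

    # Private key: owned by $owner, with no group/other permission bits.
    # `ls -ld` field 1 is the mode string, field 3 is the owner.
    set -- $(ls -ld "$dir/mui.key")
    [ "$3" = "$owner" ] || { echo "FAIL: mui.key owned by $3, expected $owner"; rc=1; }
    case $1 in
        ????------*) ;;   # e.g. -rw------- or -r--------
        *) echo "FAIL: mui.key mode $1 grants group/other access"; rc=1 ;;
    esac

    # Certificate and directory may be readable, but a group- or
    # other-writable path would let a non-root user swap the files.
    for p in "$dir/mui.crt" "$dir"; do
        set -- $(ls -ld "$p")
        case $1 in
            ?????w*|????????w*)
                echo "FAIL: $p mode $1 is group/other-writable"; rc=1 ;;
        esac
    done

    [ "$rc" -eq 0 ] && echo "OK: $dir passes all checks"
    return "$rc"
}
```

Run audit_mui_ssl as root after installing or replacing the certificate; a failure on the key is corrected with chmod 600 and chown root on mui.key.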

Enabling SSL for Remote Sessions


You enable SSL in the VMware Management Interface.

Remember that the certificates used in these secure sessions are not signed by a trusted certificate authority; therefore they do not provide authentication. If you intend to use encrypted remote connections externally, you should consider purchasing a certificate from a trusted certificate authority.

  1. Log in to the VMware Management Interface as the Administrator (GSX Server for Windows hosts) or root user (GSX Server for Linux hosts).

  2. On the Status Monitor page, click the Options tab. The Options page appears.


  3. To secure your management interface sessions, check the Use Secure Sockets Layer (SSL) to encrypt management interface sessions check box.

  4. To secure your remote console connections, check the Use Secure Sockets Layer (SSL) to encrypt remote console connections check box.

  5. To save your settings, click Save Changes. After the changes are saved, a lock icon appears in the status bar of the browser running the VMware Management Interface. You need to accept the certificate in your browser. The lock icon appears in the status bar of any new VMware Remote Console window.

Enabling SSL for the VMware Management Interface on a Windows NT Host


In order to enable SSL for the VMware Management Interface on a Windows NT host, you must first generate a security certificate. Use Microsoft's Certificate Server to create a certificate in order to secure the management interface with SSL. To create the certificate on a Windows NT host, complete the following steps.

  1. Download the Windows NT 4.0 Option Pack. You can find it at www.microsoft.com/msdownload/ntoptionpack/askwiz.asp

  2. Install the option pack.

    Caution: Make sure you install the Certificate Server when you install the option pack.

  3. After the installation completes, open the Services window in the Windows Control Panel (choose Start > Settings > Control Panel > Services) and make sure the Certificate Authority (the name of the Certificate Server service) is running. If it is not running, select the service and click Start.

  4. Create the management interface certificate. Choose Start > Programs > Windows NT 4.0 Option Pack > Microsoft Internet Information Server > Internet Service Manager.

  5. Expand the Internet Information Server tree, then expand the tree for the GSX Server host machine name, then right-click the VMware Management Interface Web site and select Properties.

  6. On the Directory Security tab, under Secure Communications, click Key Manager.

  7. Select WWW, then choose Key > Create New Key.

  8. Follow the wizard. Make sure you select Automatically send the request to an online authority and choose the Microsoft Certificate Server option.

  9. When you are prompted to select the Web server bindings for this key, do one of the following:

    • If your GSX Server host has only one IP address, select All unassigned for the IP address and enter port 8333.
    • If your GSX Server host has multiple IP addresses, enter the correct IP address and port (8333) for this certificate.

  10. After the wizard closes, choose Computers > Exit to return to the Secure Communications dialog box.

  11. Check Require Secure Channel when accessing this resource and click OK to return to the Directory Security tab. Click OK to close the Properties dialog box, then choose Console > Exit to close the Microsoft Management Console. Make sure you save your changes when you exit.

SSL is enabled for your management interface connections.

To disable SSL for your management interface connections, go to the Microsoft Management Console and uncheck Require Secure Channel when accessing this resource in the Secure Communications dialog box.

You do not need to create a certificate for the remote console manually on a Windows NT 4.0 host.
