Installing the ESX UI on ESXi 6
For more information on VMware UI, visit vmware.com
Description:
The ESXi Embedded Host Client is a native HTML and JavaScript application and is served directly from your ESXi host! It should perform much better than any of the existing solutions.
This article will cover installing the VMware Labs ESXi UI on an ESXi 6 host, and configuring the ESXi firewall so that it is only accessible from a selected list of IP addresses.
Download the UI:
Download the ESXi offline bundle from here and upload the offline zip bundle to the ESXi Server.
scp esxui-offline-bundle-6.x-3731936.zip 1.2.3.4:/tmp
Install the offline UI bundle (use install for a fresh install; update and remove are shown for later maintenance):
esxcli software vib install -d /tmp/esxui-offline-bundle-6.x-3731936.zip  # fresh install from the offline depot bundle
esxcli software vib update -d /tmp/esxui-offline-bundle-6.x-3731936.zip   # upgrade an already-installed esx-ui from a newer bundle
esxcli software vib remove -n esx-ui                                       # uninstall the UI VIB by name
Check the install:
esxcli software vib list | grep ui
esx-ui 0.6.0-3623722 VMware VMwareCertified 2016-03-23
Get the IP Address:
esxcli network ip connection list | grep 80
tcp   0  0  127.0.0.1:80      127.0.0.1:36334  ESTABLISHED  709853  newreno  rhttpproxy-work
tcp   0  0  127.0.0.1:36334   127.0.0.1:80     ESTABLISHED  35318   newreno  sfcb-vmware_bas
tcp   0  0  1.2.3.4:22        1.2.3.17:54693   ESTABLISHED  33411   newreno  busybox
tcp   0  0  127.0.0.1:63079   127.0.0.1:80     CLOSED       35318   newreno  sfcb-vmware_bas
tcp   0  0  127.0.0.1:8089    0.0.0.0:0        LISTEN       34731   newreno  vpxa-worker
tcp   0  0  1.2.3.4:427       0.0.0.0:0        LISTEN       34172   newreno
tcp   0  0  0.0.0.0:80        0.0.0.0:0        LISTEN       33895   newreno  rhttpproxy-work
tcp   0  0  0.0.0.0:8000      0.0.0.0:0        LISTEN       33408   newreno
udp   0  0  1.2.3.4:123       0.0.0.0:0                     33577   ntpd
Turn off the ipservices proxy:
Remove the proxy entry for the root path "/", which makes https://serverip return a 404 instead of the default landing page, then re-add the root path as a TCP service forwarded to localhost port 8309.
vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
vim-cmd proxysvc/service_list # Will show that / no longer exists
vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309
Check IP Rules:
Confirm that the default action is to drop packets that are not explicitly allowed, and that the firewall is enabled and loaded.
esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
Check the ruleset:
Make sure that the webAccess ruleset is enabled:
esxcli network firewall ruleset list | grep web
webAccess true
Verify the default webAccess rules:
By default the webAccess ruleset is set to All, allowing anyone to connect to the UI. The same is true for SSH and the vSphere client, which would allow anyone to attempt a connection to the server over SSH or via the vSphere client.
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
webAccess      All
vSphereClient  All
Disable allow-all for the services:
esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
esxcli network firewall ruleset set --ruleset-id webAccess --allowed-all false
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false
Create the allowed-IP list for the services:
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.0.0.0/24
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 10.0.0.0/24
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 10.0.0.0/24
Verify the new IP List restrictions:
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      1.2.3.4, 10.0.0.0/24
webAccess      1.2.3.4, 10.0.0.0/24
vSphereClient  1.2.3.4, 10.0.0.0/24
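As an added example (not from the original article), a small POSIX shell helper that audits the output of esxcli network firewall ruleset allowedip list for rulesets still set to All and prints the hardening commands from the steps above for the rulesets you care about. The sample output, the target ruleset names and the CIDRs are constructed; the helper prints the plan rather than executing it so it can be reviewed first.

```shell
#!/bin/sh
# Constructed sample of `esxcli network firewall ruleset allowedip list` output,
# in the layout shown above (not captured from a real host).
SAMPLE_ALLOWEDIP='Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
webAccess      1.2.3.4, 10.0.0.0/24
vSphereClient  All
ntpClient      All'

# Rulesets this plan is allowed to touch, and the CIDRs they will be limited to.
TARGET_RULESETS="sshServer webAccess vSphereClient"
ALLOWED_CIDRS="1.2.3.4/32 10.0.0.0/24"

# Print the rulesets whose allowed-IP column is still "All" (open to anyone).
# Reads esxcli output on stdin, so on a live host you can run:
#   esxcli network firewall ruleset allowedip list | open_rulesets
open_rulesets() {
    awk 'NR > 2 && $2 == "All" { print $1 }'
}

# Emit the esxcli commands that close one ruleset to a fixed set of CIDRs,
# mirroring the manual steps above. $1 = ruleset id, remaining args = CIDRs.
restrict_ruleset_cmds() {
    rs=$1; shift
    echo "esxcli network firewall ruleset set --ruleset-id $rs --allowed-all false"
    for cidr in "$@"; do
        echo "esxcli network firewall ruleset allowedip add --ruleset-id $rs --ip-address $cidr"
    done
}

# Build the plan: for every open ruleset in the sample that is in TARGET_RULESETS,
# print the commands that restrict it. Open rulesets outside the target list
# (here ntpClient) are deliberately left alone and should be reviewed separately.
hardening_plan() {
    printf '%s\n' "$SAMPLE_ALLOWEDIP" | open_rulesets | while read -r rs; do
        case " $TARGET_RULESETS " in
            *" $rs "*) restrict_ruleset_cmds "$rs" $ALLOWED_CIDRS ;;  # word-split on purpose
        esac
    done
}
```

Pipe the live esxcli output into open_rulesets to see which rulesets still accept connections from any address, then review the printed plan before pasting it into the ESXi shell.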
Command References:
List the allowed IP addresses for every firewall ruleset on the ESXi host:
esxcli network firewall ruleset allowedip list
Post Requisites:
Go and crack yourself a beer.. you deserve one!