Installing the ESX UI on ESXi 6


For more information on VMware UI, visit vmware.com


Description:


The ESXi Embedded Host Client is a native HTML and JavaScript application and is served directly from your ESXi host! It should perform much better than any of the existing solutions.

This article covers installing the VMware Labs ESXi UI on an ESXi 6 host and configuring the ESXi firewall so that the host is only reachable from a selected list of IP addresses.


Download the UI:


Download the ESXi offline bundle from here and upload the offline zip bundle to the ESXi Server.

scp esxui-offline-bundle-6.x-3731936.zip 1.2.3.4:/tmp


Install offline UI bundle:


esxcli software vib install -d /tmp/esxui-offline-bundle-6.x-3731936.zip


To update an existing install (the offline bundle is a zip, so use -d rather than -v, which expects a single .vib file):
esxcli software vib update -d /tmp/esxui-offline-bundle-6.x-3731936.zip

To remove an existing install (remove takes the VIB name, shown by "esxcli software vib list", not a file path):
esxcli software vib remove -n esx-ui


Check the install:


esxcli software vib list | grep ui
esx-ui                         0.6.0-3623722                         VMware           VMwareCertified     2016-03-23


Get the IP Address:


esxcli network ip connection list | grep 80
tcp         0       0  127.0.0.1:80       127.0.0.1:36334    ESTABLISHED    709853  newreno  rhttpproxy-work
tcp         0       0  127.0.0.1:36334    127.0.0.1:80       ESTABLISHED     35318  newreno  sfcb-vmware_bas
tcp         0       0  1.2.3.4:22         1.2.3.17:54693     ESTABLISHED     33411  newreno  busybox
tcp         0       0  127.0.0.1:63079    127.0.0.1:80       CLOSED          35318  newreno  sfcb-vmware_bas
tcp         0       0  127.0.0.1:8089     0.0.0.0:0          LISTEN          34731  newreno  vpxa-worker
tcp         0       0  1.2.3.4:427        0.0.0.0:0          LISTEN          34172  newreno
tcp         0       0  0.0.0.0:80         0.0.0.0:0          LISTEN          33895  newreno  rhttpproxy-work
tcp         0       0  0.0.0.0:8000       0.0.0.0:0          LISTEN          33408  newreno
udp         0       0  1.2.3.4:123        0.0.0.0:0                          33577           ntpd


Turn off ipservices proxy:


Remove the proxy entry for the root page ("/"), which will result in a 404 when going to https://serverip, then re-add "/" as a TCP service forwarded to localhost port 8309.

vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
vim-cmd proxysvc/service_list  # Will show that / no longer exists
vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309


Check IP Rules:


Confirm that the default action is to drop packets that are not explicitly allowed, and that the firewall is enabled and loaded.

esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true


Check the ruleset:


Make sure that webAccess is turned on

esxcli network firewall ruleset list | grep web
webAccess                    true


Verify the default webAccess rules:


By default the webAccess rule is set to All, allowing anyone to connect to it. The same is true for SSH and the vSphere client rulesets, which lets anyone attempt a connection to the server via SSH or via the vSphere client.

esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      All
webAccess      All
vSphereClient  All


Disable allow all for services:


esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
esxcli network firewall ruleset set --ruleset-id webAccess --allowed-all false
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false


Create IP List for services:


esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.0.0.0/24

esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 10.0.0.0/24

esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 10.0.0.0/24


Verify the new IP List restrictions:


esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      1.2.3.4, 10.0.0.0/24
webAccess      1.2.3.4, 10.0.0.0/24
vSphereClient  1.2.3.4, 10.0.0.0/24


Command References:


List the allowed IP addresses for every firewall ruleset on the ESXi host

esxcli network firewall ruleset allowedip list


Post Requisites:


Go and crack yourself a beer.. you deserve one!

