Access to vCenter Server: security policy

Scenario:

Users must have different levels of access to virtual machines.  Some only need to be able to power on, restart and shut down virtual machines.  Some need to take snapshots, power on, power off and restart.

Others must be able to do anything.

There is an existing Active Directory server.

We do not want to overwhelm the vCenter Server with too many concurrent connections.  More than 3000 users must be able to power virtual machines on and off and take snapshots.

Fewer than 50 administrators need full privileges in vCenter Server.

We must use AD wherever possible to set up groups of users with different privileges.

What are the strategies to achieve this?  Should we create a set of 'jump VMs' in a specially secured zone for those who need access to vCenter Server to power on virtual machines and take snapshots?

What security products facilitate such scenarios?

Later on, vCloud Automation Center and vCenter Operations Manager will be used.  The solution must be able to integrate with all of the VMware management products rather than replacing them.

Thanks for your comments.

Hello

Actually, you do not generally allow access to a virtual machine, but rather to a console. If you do allow access to a virtual machine console, you want to monitor that access very closely because (unlike RDP) it goes through the virtualization management services (aka vCenter). I would use tools such as HyTrust, Xceedium, Thycotic, etc. to monitor/audit access. Personally, I just have my system administrators use RDP as it does not pass through the virtualization management layers. If they need access to a CD, for example, I provide other ways to access the ISOs from a common share (VCD, loop mount) instead of asking someone to use vCenter.

A poor man's way to get the same functionality is to create a proxy service that handles all requests for console access and serves as an additional security gateway in front of the virtualization management tools (aka vCenter). That way a request to go directly to a virtual console is properly logged, and you can use the same proxy to handle requests to mount/unmount images, etc. By using a proxy, HyTrust, Xceedium or Thycotic you can let it manage the 3000 users' requests, limit the number of connections allowed at any time (which is a must), set timeouts, but above all you can delegate everything through a single service account inside vCenter so that you get the best control of your environment. The logging these tools provide is enough to meet audit requirements.

However, the best suggestion is to simply not enable it at all. I have been running a virtual environment for years and I would argue that access to the console of a virtual machine is simply not necessary. You want complete separation between the management of virtualization and the rest of the world.

Best regards
Edward L. Haletky
VMware Communities User Moderator, VMware vExpert 2009, 2010, 2011, 2012, 2013, 2014

Author of the books 'VMware ESX and ESXi in the Enterprise: Planning Server Virtualization Deployment', Copyright 2011 Pearson Education, and 'VMware vSphere and Virtual Infrastructure Security: Securing the Virtual Environment', Copyright 2009 Pearson Education.

Virtualization and Cloud Security Analyst: The Virtualization Practice, LLC - vSphere Upgrade Saga - Virtualization Security Roundtable Podcast
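The role model the question asks for (a power-only role, a power-plus-snapshot role, and a small administrator group, all bound to AD groups rather than individual users), worked through in PowerCLI as an added example. This is not code from the thread or from VMware; the vCenter name, the AD domain and group names, and the "Tenant-VMs" folder are placeholder assumptions. Neither operator role includes the console-interact privilege, which is the separation the reply above argues for.

```powershell
# Added example, not from the original thread.  Assumptions (placeholders):
#   vCenter: vcenter.example.local     AD domain: CORP
#   AD groups: CORP\VM-PowerOps, CORP\VM-SnapshotOps, CORP\vCenter-Admins
#   All tenant VMs live under the VM folder "Tenant-VMs".
# Requires VMware PowerCLI; run from a management workstation that can reach vCenter.

Connect-VIServer -Server vcenter.example.local

# Role 1: power on / power off / reset only.  These are the real vSphere privilege IDs.
$powerPrivs = @(
    'VirtualMachine.Interact.PowerOn',
    'VirtualMachine.Interact.PowerOff',
    'VirtualMachine.Interact.Reset'
)

# Role 2: the same plus snapshot management.  Deliberately NO
# 'VirtualMachine.Interact.ConsoleInteract', so the vCenter console stays closed.
$snapshotPrivs = $powerPrivs + @(
    'VirtualMachine.State.CreateSnapshot',
    'VirtualMachine.State.RevertToSnapshot',
    'VirtualMachine.State.RemoveSnapshot'
)

function New-LeastPrivilegeRole {
    param([string]$Name, [string[]]$PrivilegeIds)
    # Idempotent: reuse the role if an earlier run already created it.
    $role = Get-VIRole -Name $Name -ErrorAction SilentlyContinue
    if (-not $role) {
        # System.Anonymous / System.View / System.Read are added implicitly by vCenter.
        $role = New-VIRole -Name $Name -Privilege (Get-VIPrivilege -Id $PrivilegeIds)
    }
    return $role
}

$powerRole    = New-LeastPrivilegeRole -Name 'VM Power Operator'    -PrivilegeIds $powerPrivs
$snapshotRole = New-LeastPrivilegeRole -Name 'VM Snapshot Operator' -PrivilegeIds $snapshotPrivs
$adminRole    = Get-VIRole -Name 'Admin'      # the built-in Administrator role

# Bind AD groups (never 3000 individual users) at the folder holding the tenant VMs.
# Propagate so that VMs created in the folder later inherit the same permission.
$folder = Get-Folder -Name 'Tenant-VMs' -Type VM
New-VIPermission -Entity $folder -Principal 'CORP\VM-PowerOps'    -Role $powerRole    -Propagate $true
New-VIPermission -Entity $folder -Principal 'CORP\VM-SnapshotOps' -Role $snapshotRole -Propagate $true

# Only the small admin group gets Administrator, granted at the inventory root
# ("Datacenters" is the hidden root folder's name).
$root = Get-Folder -Name 'Datacenters'
New-VIPermission -Entity $root -Principal 'CORP\vCenter-Admins' -Role $adminRole -Propagate $true

# Verification: list every permission whose role grants console interaction, so any
# unintended console access (the thing the reply says to avoid) is visible at a glance.
Get-VIPermission | Where-Object {
    (Get-VIRole -Name $_.Role).PrivilegeList -contains 'VirtualMachine.Interact.ConsoleInteract'
} | Select-Object Principal, Role, Entity, Propagate | Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

The verification query at the end is the part worth keeping as a scheduled check: the built-in Administrator role will always appear in it, so the expected output is exactly the admin group and nothing else. The connection-concurrency concern in the question is not addressed by roles; that is what the proxy or PAM gateway in the reply is for.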

Tags: VMware

Similar Questions

  • AppPortal error: remote access to the server is not enabled

    I'm lost on this one.

Using the full AppPortal client on a Win7 64-bit machine (client version 8.0)

Double-click the icon, authenticate, the published applications show, then double-click a published application and the end user receives:

    Remote access to the server is not enabled.

    This happens only on a single computer

From this user's profile on the given computer I can MSTSC to the same server without problem

    The error also follows the profiles on the given computer.

I have shut down the antivirus and Windows Firewall and still cannot get this to work.

    Even uninstalled and reinstalled the client.

    From my computer, I can easily log in as this user.

Clients get configured automatically through an XML file.

After installation, I tested on this laptop and it still gave the same error.

I ended up having him give it to me for a few hours.

Uninstalled the version that was there (build 8.0.0.something) and scoured Windows Explorer for all leftovers (a little here and there in user profiles; deleted them).

Then scoured the registry for the strings vWorkspace, Quest Software and Provision Networks and removed all instances.

Reinstalled: ALL SUCCESS with the new connector to our servers (8.0.306.1427)

    Thanks for the help Dave

  • Access to the server

    Hello

I'm trying to make a Terminal Server publicly reachable from outside. I have a SonicWall firewall, but I can't connect to the DMZ server.

I used the Connection Wizard to give public access to the terminal server, I changed the TS port on the server and when I try to connect to public_ip:port the web displays an error like "Connection refused".

Could you help me please? Is there a tutorial about it?

Thanks in advance.

You need a loopback policy if you are trying to access the server by its public IP from the internal network (i.e. behind the SonicWall).

The video below will help you with the loopback policy.


  • Win 7 Pro - prompts for a user name and password when accessing the server computer in the workgroup. Credentials then considered invalid.

    I recently bought a Dell Dimension 3847 with Windows 7 Pro to replace a workstation connected to a network that uses Windows Server 2003. I have already set up two other PCs (not the same model) with Win 7 Pro for existing users and had no problems whatsoever. The user of this workstation is an existing one (set up as an administrator).  I set up his account and joined the workgroup. The other computers in the workgroup are listed under Network. However, when I tried to access the server computer in the workgroup, I got a pop-up window asking for a username and password. This should not have happened. Nevertheless, I entered the username and password for that particular user and received a message that the username and password were not valid. I set up my own user account (it has administrative privileges too) on this computer, joined the workgroup, Windows recognized the other computers in the workgroup, but when I tried to access the server computer I got the same pop-up and had the same problem with my credentials not being recognized. While still logged in under my user name, I then tried to access the server computer again, but when I got to the prompt for the username and password I used the 'Administrator' user name with the appropriate password (the credentials used to log on to the server computer) and it worked. I logged in to the other user's account and used the same method to access the server and it worked as well. Any ideas why the user credentials, other than the administrator account, are not recognized?

    Hello

    Sorry for the late reply.

    This problem is better suited to the TechNet forum, where we have experts working on the same topic.

    Please post your request at the link below:

    https://social.technet.Microsoft.com/forums/en-us/home

    I hope this information helps; get back to us if you need help with Windows.

    Thank you.

  • Direct connection to desktop - clients still lose access when the connection server goes down or the service is restarted

    I set up the Connection Server with "Direct connection to desktop" TICKED. I did that so that once the initial connection has been made to the broker and a desktop has been assigned, the client connects directly to the desktop and no longer cares about the state of the Connection Server. After a restart, or just restarting the VMware View Connection Server service, all clients lose access until it is back up.

    Is that right? We use View 3.1.

    Thank you

    That's strange; I can restart my Connection Server without affecting all the users.   How many connection brokers do you have, and do you have direct connection enabled on all of them?

    If you have found this or any other post useful, please consider using the helpful/correct buttons to award points

  • Access to the BC mail server via a script?

    We would like a training course to automatically email the instructor when a student successfully completes the course/quiz. I can embed the JavaScript code in the course to do this, but it needs to interact with a script on the web server that would actually send the email. I can code this script, but I need information on the BC mail server and which scripting language to use.  Can anyone tell me if the BC mail server can be accessed for this?  Thank you!

    I think I have answered your question in your other post on the forum: http://forums.adobe.com/message/5368954#5368954

  • Access to the server denied even though the security certificate is on file

    I get an 'untrusted connection' even though certificates are available and I have been able to connect to this page in the past.

    I don't have this problem with OPERA or IE8.

    DoD certificates are only recognized as valid if you have the required root certificates installed.

  • Routing and Remote Access on Server 2003

    I configured the Routing and Remote Access service on my Server 2003 with NAT enabled. None of my clients are in the domain. All use the internet and intranet connection through my proxy, authenticating with credentials provided by the proxy server administrator. I would like to restrict the clients to the intranet connection only. How do I limit the clients?

    Post in the Windows Server Forums:
    http://social.technet.Microsoft.com/forums/en-us/category/WindowsServer/

  • Access to a Linux virtual server via hostname

    Hello

    I use Fusion Professional 6.0.2 and I have two questions:

    1. I installed a CentOS 6.5 virtual server and an Openfiler one.

    I can't SSH to the machines by hostname, or ping them by hostname. It is only possible via IP.

    I don't want to change my hosts file or the virtual server's hosts file.

    The virtual server's network is set to bridged mode. I use a router with DHCP enabled.

    I have read that I need to enable "DHCP_HOSTNAME" in the virtual server's DHCP client: Configuring Linux DHCP clients to send a hostname

    I tried it and now I see the hostname in the router's DHCP table, but it still does not work.

    If I do not select "send hostname", I don't even see the hostname in the DHCP table.

    * The same question also applies to a free VMware ESXi 5.5 VM in which I installed a Linux VM.

    2. The resolution of the VMs is very low, and VMware Fusion does not automatically choose a higher resolution, even after installing the integration tools.

    I restarted the virtual machines after the integration tools installation.


    Please help.

    Thank you!

    1. It seems the solution is the following:

    DNSMasq is required: DNSMasq as DHCP server - DD-WRT Wiki

    I discovered that the Linux virtual machines must be configured to send the hostname to the DHCP server: Configuring Linux DHCP clients to send a hostname

    * The long answer: network - How to make a machine accessible from the LAN using its hostname - Unix & Linux Stack Exchange

    2. It looks like 640 x 480, I guess.

    Currently I have a workaround: SSH to the virtual machine.

    Edit: found the solution: #1 Linux: Change the console-mode resolution in GRUB - YouTube

  • Connecting via the Security Server using PCoIP

    Hello

    When I try a PCoIP connection over the WAN, it allows me to authenticate and gives me the option to choose the virtual machine, and then I just get a white screen.

    It says it's connected, but I do not see the desktop

    PCoIP does not work via the Security Server. If you want to use PCoIP over the WAN, you need to connect in a different way, such as a VPN (SSL). If RDP is also enabled on your pool, View will fall back to RDP.

    Kind regards

    -Poort

  • Why isn't my weather gadget accessing the server?

    Maybe this isn't really a Mozilla problem (it just occurred to me). I selected Gadgets in the right-click menu on my desktop (Dell with Windows 7) and chose the weather gadget. It worked fine for months, but about six days ago it stopped updating when I turned on my modem. Little by little it showed fewer and fewer forecasts (normally it would show the current day and three days ahead). Now it just displays an information icon and the message "unable to connect to the service". I was wondering if it is no longer compatible with Mozilla Firefox, or maybe they are independent. Thank you!

    Most of the Google Desktop gadgets use the built-in features of Windows, even plumbing underneath Internet Explorer. It is possible that some use Mozilla technology, but I think those still communicate directly with the internet without relying on or using Firefox.

    If you got this gadget from Dell, they may offer an update for it. If not, is there any built-in update feature, or if you click through to its internet site (where the data comes from), is there any explanation there?

  • I've just updated Firefox to the latest version. I have a network in which we access the server with Remote Desktop. Now I can only open Firefox on one of the remote terminals or on the server. I need to be able to use Firefox on all terminals.

    I get an error message indicating that an instance of Mozilla Firefox is already running; close it to continue.

    The question already explains the situation. I need all three terminals to use Firefox at the same time.

    I didn't have this problem with the previous version.

    That happens if all instances use the same profile folder.
    Only a single instance can use a specific profile.

  • View Connection Server connections when connecting to the Security Server 5.2

    So, I wonder if it is at all possible not to expose a desktop subnet to the DMZ when deploying a Security Server?  I seem to remember there was a way to have the Security Server tunnel all traffic through the Connection Server, but for the life of me I can't seem to figure it out.

    Even in your previous PoC you would always have had to allow some ports (PCoIP, RDP if you use it, and the framework channel) from the Security Server to the virtual desktops. This has always been the case.

    The role of the Security Server is to protect the desktops from exposure to the Internet. It provides inspection of the Internet-facing protocols (for example PCoIP) so that it can check whether the traffic is on behalf of an authenticated user and, if it is valid, make sure it is forwarded to a desktop that user is authorized to access. It is important to configure your internal firewall so that desktop protocols (PCoIP etc.) can come only from the Security Servers. That gives you the required assurance. If, for example, PCoIP UDP packets arrive in your DMZ that are not on behalf of an authenticated user, they are dropped in the DMZ without ever being passed into your data center. You know that all protocol traffic reaching the virtual desktops has been validated by the Security Server.

    The Security Server also has to communicate with the Connection Server, and that's why you should also allow JMS, AJP13 and IPsec through. These should only be allowed from the Security Servers to the Connection Servers.

    You can always route the PCoIP packets through a proxy in your data center, but the required security inspection happens before that, at the Security Server, so that bad packets can be dropped in the DMZ.

    Mark

  • How to configure the vSwitch security policy using the API?

    Hello world

    Does anyone know how to set up a vSwitch security policy on an ESXi server using the management API (the idea is to do this in a script)?

    I'm thinking specifically of the macchange and forgedxmit parameters, which are set to true by default and which I want to change to false.  Note that I also need a way to check the value from a script.

    I used to do this with vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-macchange=false vSwitchN and vmware-vim-cmd hostsvc/net/vswitch_setpolicy --securepolicy-forgedxmit=false vSwitchN in the ESX 3.x service console, but I have been trying (unsuccessfully so far) to find an equivalent using RCLI or PowerShell (I don't want to enable SSH on my ESXi hosts and use vim-cmd, as I want to be able to do it remotely and securely).

    Ideally, it would work while the host is in lockdown mode (so I only need to authenticate to my vCenter Server).

    Advice would be appreciated.

    Cheers,

    Stéphane

    To update the security policy, you will need to look at the HostNetworkSecurityPolicy: http://www.vmware.com/support/developer/vc-sdk/visdk25pubs/ReferenceGuide/vim.host.NetworkPolicy.SecurityPolicy.html#allowPromiscuous

    You'll want to reach the vSwitch you are interested in through the following path:

    hostSystem -> configManager -> networkSystem -> networkConfig -> vswitch

    Once you have the reference to the vSwitch, you'll want to create a HostVirtualSwitchConfig spec (http://www.vmware.com/support/developer/vc-sdk/visdk25pubs/ReferenceGuide/vim.host.VirtualSwitch.Config.html) and make your changes to spec -> policy -> security, which contains allowPromiscuous, forgedTransmits and macChanges; these are just Boolean parameters.

    =========================================================================

    William Lam

    VMware vExpert 2009

    Scripts for VMware ESX/ESXi and resources at: http://engineering.ucsb.edu/~duonglt/vmware/

    http://Twitter.com/lamw

    If you find this information useful, please award points for "correct" or "helpful".
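The API path William describes (configManager -> networkSystem -> the vSwitch spec -> policy -> security), worked through in PowerCLI as an added example that talks to the HostNetworkSystem managed object through vCenter, which is what lets it run against a host in lockdown mode as Stéphane asked. This is not William's or VMware's code; the vCenter and host names are placeholders.

```powershell
# Added example, not from the thread.  Placeholders: vcenter.example.local, esxi01.example.local.
# Requires VMware PowerCLI.  Everything goes through vCenter, so the host can stay in lockdown mode.

Connect-VIServer -Server vcenter.example.local

function Get-VSwitchSecurityPolicy {
    param([string]$HostName)
    $esx = Get-VMHost -Name $HostName
    # hostSystem -> configManager -> networkSystem  (HostNetworkSystem managed object)
    $netSys = Get-View -Id $esx.ExtensionData.ConfigManager.NetworkSystem
    # networkInfo.vswitch holds one HostVirtualSwitch per standard vSwitch, each with its spec.
    foreach ($vs in $netSys.NetworkInfo.Vswitch) {
        $sec = $vs.Spec.Policy.Security          # HostNetworkSecurityPolicy
        [pscustomobject]@{
            Host             = $HostName
            vSwitch          = $vs.Name
            AllowPromiscuous = [bool]$sec.AllowPromiscuous
            MacChanges       = [bool]$sec.MacChanges
            ForgedTransmits  = [bool]$sec.ForgedTransmits
        }
    }
}

function Set-VSwitchSecurityPolicy {
    param(
        [string]$HostName,
        [string]$VSwitchName,
        [bool]$AllowPromiscuous = $false,
        [bool]$MacChanges       = $false,
        [bool]$ForgedTransmits  = $false
    )
    $esx    = Get-VMHost -Name $HostName
    $netSys = Get-View -Id $esx.ExtensionData.ConfigManager.NetworkSystem
    $vs     = $netSys.NetworkInfo.Vswitch | Where-Object { $_.Name -eq $VSwitchName }
    if (-not $vs) { throw "vSwitch '$VSwitchName' not found on $HostName" }

    # Reuse the existing HostVirtualSwitchSpec so port count, MTU and uplinks are untouched;
    # only the three Booleans under policy.security change.
    $spec = $vs.Spec
    if (-not $spec.Policy)          { $spec.Policy          = New-Object VMware.Vim.HostNetworkPolicy }
    if (-not $spec.Policy.Security) { $spec.Policy.Security = New-Object VMware.Vim.HostNetworkSecurityPolicy }
    $spec.Policy.Security.AllowPromiscuous = $AllowPromiscuous
    $spec.Policy.Security.MacChanges       = $MacChanges
    $spec.Policy.Security.ForgedTransmits  = $ForgedTransmits

    # HostNetworkSystem.UpdateVirtualSwitch(vswitchName, spec)
    $netSys.UpdateVirtualSwitch($VSwitchName, $spec)
}

# Audit first, then only touch switches still at the permissive default (all three true).
$before = Get-VSwitchSecurityPolicy -HostName esxi01.example.local
$before | Format-Table -AutoSize

$before | Where-Object { $_.AllowPromiscuous -or $_.MacChanges -or $_.ForgedTransmits } | ForEach-Object {
    Set-VSwitchSecurityPolicy -HostName $_.Host -VSwitchName $_.vSwitch
}

# Re-read so the script's own output is the evidence that the change took effect.
Get-VSwitchSecurityPolicy -HostName esxi01.example.local | Format-Table -AutoSize

Disconnect-VIServer -Confirm:$false
```

Newer PowerCLI releases wrap the same API in Get-SecurityPolicy / Set-SecurityPolicy (for example Get-VirtualSwitch | Set-SecurityPolicy -MacChanges $false -ForgedTransmits $false), which is the shorter route; the Get-View version above is what to use when you need the raw spec or want the same code to work against older toolkits. Port-group security policies can override the vSwitch policy, so an audit that only reads the vSwitch level is incomplete on its own.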

  • Apache 2.2 CONNECTION_REFUSED (proxying to the WebLogic 10.3.6 server)

    • I created a web service application using JDeveloper 11.1.1.7 and deployed it on WebLogic 10.3.6 on a physical server we'll call the back-end server.


    • I don't want to give the client direct access to the back-end server, so I use Apache 2.2 in the middle, between the client and the back-end server. Apache 2.2 is configured on a different physical server, call it the middle server.


    • I set the application's root context (the one deployed on the back-end server) on the middle server in Apache's httpd.conf file.


    • I shared the WSDL with the client from the file location (the WSDL URL refers to the middle server's domain name). The external client can access the URL through a browser where they can see the WSDL content.

    • But when the client attempts to send requests to the middle server URL they get rejected with the following error:

    [error] [client <public IP of the client goes here>] ap_proxy: trying POST /<insert the application context root here> at backend host '<back-end server local IP>/<insert the port here>'; got exception 'CONNECTION_REFUSED [os error=0, line 1602 of URL.cpp]: apr_socket_connect call failed with error=730061, host=<back-end server IP>, port=<insert the port here>'

    This error is from the middle server's Apache error log file. Nothing in the back-end server log.

    What I have done so far:

    1. I checked whether the external client can reach the middle server using the telnet command: telnet IP port. It works and the middle server is listening.
    2. I also checked all the ports, external client to middle server and middle server to back-end server, also using telnet. All ports work.
    3. In this answer: ssl - Apache 2 with WebLogic plug-in redirection, original location still requested from backend - Server Fault

    it is suggested to increase the WebLogic server's accept (backlog) setting. I did that on the back-end server, but the issue is still not resolved.

    Problem solved

    I needed to enable the "WebLogic Plugin Enabled" option on the WebLogic server where the application is deployed:

    Domain Structure (left panel in the Administration Console) -> Environment -> Servers -> (select the server where you deployed your application) -> General tab (Configuration) -> Advanced -> tick the option "WebLogic Plugin Enabled"

    Then restart the server.

    With this you are telling the server that it will receive indirect requests through a proxy server or load balancer, for example.

    You can do this at several levels, such as the cluster or an individual server, depending on your needs; check out this site for more information:

    http://www.Ateam-Oracle.com/WLS-plugin-enabled/
