[Discuss] Securing a VMware ESXi server at a colo site?
John Abreau
abreauj at gmail.com
Tue Mar 10 09:54:44 EDT 2015
Is the vSphere Client part of the free edition of ESXi? I thought I had
read somewhere that it was only for the commercial edition of ESXi, and
that you had to manage the free edition through a web interface.
On Tue, Mar 10, 2015 at 9:46 AM, Edward Ned Harvey (blu) <blu at nedharvey.com>
wrote:
> > From: Discuss [mailto:discuss-bounces+blu=nedharvey.com at blu.org] On
> > Behalf Of John Abreau
> >
> > I'm considering using the free edition of VMware ESXi 5.5 at a
> > co-location site. If I understand correctly, the free edition doesn't
> > include the management console application, so I would have to manage
> > it via a web browser.
> >
> > How do I set it up so I can manage it remotely in a secure manner?
> >
> > My initial thoughts are to close every port on the host server except
> > ssh, and lock down ssh in the usual manner: disable protocol 1, disable
> > password
>
> Nope, nope, nope, nope.
>
> First of all, ESXi is not to be managed via ssh. Although you can enable
> ssh, and lots of useful things can be done that way, it's the most
> difficult way to do anything, it's unsupported, and lots of unexpected
> gotchas will certainly getchya. The "right" thing to do is to install
> vSphere Client on a Windows machine, and use it to remote admin the
> server. The *only* thing you should do outside of vSphere Client is to
> boot from the install disk, enter IP address, and root password during bare
> metal installation. Also configure your RAID card in BIOS.
>
> That being said - you absolutely, definitely, should not open vSphere
> traffic over the internet. You'll need a VPN, connected to the "primary"
> network interface of the ESXi host, which you'll use for management. Let
> all the VMs use a different ethernet jack, so the VM traffic is isolated
> from the management traffic. The only way to get to the management
> interface is via your VPN.
>
>
--
John Abreau / Executive Director, Boston Linux & Unix
Email: abreauj at gmail.com / WWW http://www.abreau.net / PGP-Key-ID 0x920063C6
PGP-Key-Fingerprint A5AD 6BE1 FEFE 8E4F 5C23 C2D0 E885 E17C 9200 63C6
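A worked example of the "management only via the VPN" setup Ned describes, added here and not part of either message: the ESXi host firewall is told to accept the vSphere Client (443/902) and web (80) rulesets only from the VPN subnet, ssh is left off, and a small audit function reports any management ruleset still open to all addresses. The ruleset names are the standard ESXi 5.5 ones; the VPN subnet 10.8.0.0/24 is a placeholder, and esxcli can be run from the vCLI against the host instead of from an ssh session.

```shell
#!/bin/sh
# Added example: restrict ESXi management rulesets to the VPN subnet.
# Assumes ESXi 5.5 esxcli syntax; VPN_SUBNET is a placeholder value.

VPN_SUBNET="${VPN_SUBNET:-10.8.0.0/24}"        # placeholder VPN address range
MGMT_RULESETS="vSphereClient webAccess sshServer" # rulesets that reach management

# Print the esxcli commands that restrict the vSphere Client and web
# rulesets to the VPN subnet and keep the ssh server ruleset disabled.
lockdown_cmds() {
    subnet="$1"
    for rs in vSphereClient webAccess; do
        echo "esxcli network firewall ruleset set --ruleset-id=$rs --allowed-all=false"
        echo "esxcli network firewall ruleset allowedip add --ruleset-id=$rs --ip-address=$subnet"
    done
    echo "esxcli network firewall ruleset set --ruleset-id=sshServer --enabled=false"
}

# Read the output of 'esxcli network firewall ruleset allowedip list' on
# stdin and print each management ruleset whose allowed list is still "All".
open_mgmt_rulesets() {
    awk -v sets="$MGMT_RULESETS" '
        BEGIN { n = split(sets, want, " "); for (i = 1; i <= n; i++) w[want[i]] = 1 }
        ($1 in w) && $2 == "All" { print $1 }'
}

# Print the commands; on the host, pipe them into sh and then audit with:
#   esxcli network firewall ruleset allowedip list | open_mgmt_rulesets
lockdown_cmds "$VPN_SUBNET"
```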