Installing the ESX UI on ESXi 6
For more information on VMware UI, visit vmware.com
Description:
The ESXi Embedded Host Client is a native HTML and JavaScript application and is served
directly from your ESXi host! It should perform much better than any of the existing solutions.
This article covers installing the VMware Labs ESXi UI on an ESXi 6 host and configuring the ESXi firewall
so that the host is only accessible from a selected list of IP addresses.
Download the UI:
Download the ESXi offline bundle from here
and upload the offline zip bundle to the ESXi Server.
scp esxui-offline-bundle-6.x-3731936.zip 1.2.3.4:/tmp
Install offline UI bundle:
esxcli software vib install -d /tmp/esxui-offline-bundle-6.x-3731936.zip
To update an existing install (the offline bundle is a depot, so use -d):
esxcli software vib update -d /tmp/esxui-offline-bundle-6.x-3731936.zip
To remove an existing install (removal is by VIB name, not by bundle path):
esxcli software vib remove -n esx-ui
Check the install:
esxcli software vib list | grep ui
esx-ui 0.6.0-3623722 VMware VMwareCertified 2016-03-23
Get the IP Address:
esxcli network ip connection list | grep 80
tcp 0 0 127.0.0.1:80 127.0.0.1:36334 ESTABLISHED 709853 newreno rhttpproxy-work
tcp 0 0 127.0.0.1:36334 127.0.0.1:80 ESTABLISHED 35318 newreno sfcb-vmware_bas
tcp 0 0 1.2.3.4:22 1.2.3.17:54693 ESTABLISHED 33411 newreno busybox
tcp 0 0 127.0.0.1:63079 127.0.0.1:80 CLOSED 35318 newreno sfcb-vmware_bas
tcp 0 0 127.0.0.1:8089 0.0.0.0:0 LISTEN 34731 newreno vpxa-worker
tcp 0 0 1.2.3.4:427 0.0.0.0:0 LISTEN 34172 newreno
tcp 0 0 0.0.0.0:80 0.0.0.0:0 LISTEN 33895 newreno rhttpproxy-work
tcp 0 0 0.0.0.0:8000 0.0.0.0:0 LISTEN 33408 newreno
udp 0 0 1.2.3.4:123 0.0.0.0:0 33577 ntpd
Turn off ipservices proxy:
Turn off the proxy for the root page, which results in a 404 when going to https://serverip
vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
vim-cmd proxysvc/service_list # Will show that / no longer exists
vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309
Check IP Rules:
Confirm that the default action is to drop packets that are not manually allowed,
and that the firewall is enabled and loaded.
esxcli network firewall get
Default Action: DROP
Enabled: true
Loaded: true
Check the ruleset:
Make sure that webAccess is turned on
esxcli network firewall ruleset list | grep web
webAccess true
Verify the default webAccess rules:
By default the webAccess rule is set to All, allowing anyone to connect to it.
The same is true for SSH and vSphere, which allows anyone to attempt a
connection to the server via SSH or via the vSphere client.
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset Allowed IP Addresses
--------- --------------------
sshServer All
webAccess All
vSphereClient All
Disable allow all for services:
esxcli network firewall ruleset set --ruleset-id sshServer --allowed-all false
esxcli network firewall ruleset set --ruleset-id webAccess --allowed-all false
esxcli network firewall ruleset set --ruleset-id vSphereClient --allowed-all false
Create IP List for services:
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id sshServer --ip-address 10.0.0.0/24
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id webAccess --ip-address 10.0.0.0/24
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 1.2.3.4/32
esxcli network firewall ruleset allowedip add --ruleset-id vSphereClient --ip-address 10.0.0.0/24
Verify the new IP List restrictions:
esxcli network firewall ruleset allowedip list --ruleset-id sshServer
esxcli network firewall ruleset allowedip list --ruleset-id webAccess
esxcli network firewall ruleset allowedip list --ruleset-id vSphereClient
Ruleset Allowed IP Addresses
--------- -----------------------------------------------------------
sshServer 1.2.3.4, 10.0.0.0/24
webAccess 1.2.3.4, 10.0.0.0/24
vSphereClient 1.2.3.4, 10.0.0.0/24
Command References:
Get a list of all services on the esx server
esxcli network firewall ruleset allowedip list
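To re-check the restrictions later (for example after a host update), the listing above can be audited with a small script. This is an added example, not part of the original article or of VMware's tooling; the function names and the sample listing are constructed for illustration, and it assumes the two-column output format shown earlier.

```shell
#!/bin/sh
# Audit the output of `esxcli network firewall ruleset allowedip list`.
# Assumed format: header line, dashed separator, then "<ruleset> <allowed IPs>".
DEFAULT_RULESETS="sshServer webAccess vSphereClient"   # the three rulesets from this article

# open_rulesets [RULESETS]: print watched rulesets whose allowed list is still "All".
open_rulesets() {
    awk -v watched="${1:-$DEFAULT_RULESETS}" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 == "Ruleset" || /^-/ { next }          # skip header and separator
        ($1 in want) && NF == 2 && $2 == "All" { print $1 }
    '
}

# missing_source ADDR [RULESETS]: print watched rulesets whose list lacks ADDR.
# A ruleset still set to "All" is reported too, since it is not restricted to ADDR.
missing_source() {
    awk -v addr="$1" -v watched="${2:-$DEFAULT_RULESETS}" '
        BEGIN { n = split(watched, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $1 == "Ruleset" || /^-/ { next }
        $1 in want {
            found = 0
            for (i = 2; i <= NF; i++) {           # entries are comma-separated
                ip = $i; sub(/,$/, "", ip)
                if (ip == addr) found = 1
            }
            if (!found) print $1
        }
    '
}

# Constructed sample listing (not captured from a real host).
sample_listing() {
    cat <<'EOF'
Ruleset        Allowed IP Addresses
-------------  --------------------
sshServer      1.2.3.4, 10.0.0.0/24
webAccess      1.2.3.4
vSphereClient  All
ntpClient      All
EOF
}

# On the host: esxcli network firewall ruleset allowedip list | open_rulesets
echo "still open:       $(sample_listing | open_rulesets | tr '\n' ' ')"
echo "lack 10.0.0.0/24: $(sample_listing | missing_source 10.0.0.0/24 | tr '\n' ' ')"
```

Empty output from both functions means every watched ruleset is restricted and contains the expected source.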
Post Requisites:
Go and crack yourself a beer.. you deserve one!
Well described