ESXi 6.5 web interface

Hello,

I have a VMware ESXi host which hosts a Sophos UTM Home.

 

The UTM has the external IP and does work.

 

What I need to get working is this:

The ESXi host, version 6.5, is only managed through a web interface; this interface listens on HTTPS.

 

But it has a specified site path, /ui.

 

I already tried to set up a virtual webserver and a real one under Webserver Protection --> Web Application Firewall.

If I set it up there I only get 403 or 503 errors.

 

 

Setup is as follows:

Virtual Webserver 

Name : ESXI 

Interface: External (WAN) (Address) xxx.xxx.112.190

Type: Encrypted (HTTPS)

Domains

External IP

Firewall profile : Basic Protection

 

Real Webserver 

Name: esxi

Host: ESXI internal host 192.168.2.2

Type: Encrypted

port:443

Site Path Routing

Name: /ui 

Virtual webserver : ESXI

path /ui

reverse authentication: no profile

Real webservers 

esxi

access control not ticked

 

Does someone know why, and can someone point me in the right direction so it will work? I can't manage my virtual machines now, due to the fact that VMware ESXi 6.5 does not support the vSphere Client anymore.

 

  • Hoi Michel,

    Please show pictures of the Edits of the Virtual and Real Servers.

    Cheers - Bob

  • It's unclear what you're trying to do.

    Is the esxi host on the same interface and subnet as the utm management console?

    If you have a multi nic system, did you specify the correct nic during installation?  Is this the same nic that's mapped to the LAN side of UTM's vm?

    What happens if you configure a static ip on a pc in the same subnet as the esxi host.  Are you able to access the esxi management console then?

    I'm running utm under esxi as well.  In fact, for security reasons I chose to use different subnets for the local lan and esxi management.  Esxi's management subnet was added as an additional address under interfaces.  I set up a few firewall rules so very few clients can access the esxi host.

    Note, IMO it's really poor practice to allow external access to the esxi host.  If anything, it should be done through a vpn connection.

  • In reply to Jay Jay:

    I am not sure that from a security point of view, as already mentioned, exposing ESX webif is a good idea.

    We have a Windows VM running which we use for management, and which is accessed via RDP through a VPN tunnel.

  • In reply to Harro Verton:

    ^^That's an interesting approach. Is this windows VM on all the time? 

    Is the goal then in essence to eliminate any offsite utm webif access?

    I suppose this fortifies the utm further by only allowing local admin access. 

    I can see such security in a commercial environment.  Not so much in a home setting.

     

    Edit:  Just realized, WOL is a level 2 function as it relies on mac address for functionality.  So this would not work directly over a vpn.  One would need to ssh into the utm or some other server to issue a wol command (or run a wol script).  I have several wifi routers serving as AP's.  Their webui has a wol function which can be accessed remotely.

    I too am running a windows vm. It's used for htpc purposes with passthrough gpu and bt for input.  It's on only when watching tv, then shuts off shortly after.

  • In reply to Jay Jay:

    Our ESX servers are on 24/7, yes.

  • ESXi uses Websockets, which are not supported in the WAF.

  • In reply to darrellr:

    I hope that it will be in the future, because that system has been a standard since 2011.

    And ESXi has used it since version 6 and up; even from version 6.5 the desktop clients won't work any more, you need to use the web client.

  • In reply to Michel Boon:

    WEB client on ESXi 6.7 is VERY functional.  You can easily upgrade VCSA via your vcsa.mydomain.local:5480 web page now, provided you have a running firewall and a running domain controller running elsewhere in your organisation.  (i.e. any firewall and DNS running anywhere else than on your ESXi host you want to upgrade, at least)

    As a bonus, it is now realistic to ditch Adobe "Flash Player" once and for all.

    Paul Jr

  • In reply to Big_Buck:

    Problem is that the hosts we use have an OEM ESXi image on them, and the 6.7 image doesn't support the hosts; they are older Dell R series servers.

    But they are almost top of the line models and are more than enough for the VM work we host on them, so 6.7 is out of the question; that version doesn't support the NICs and SAS controllers in our Dell servers.

    But thanks for pointing it out; maybe if one or all need to be replaced we will have this option checked out.

  • In reply to Michel Boon:

    Hello Michael.  ESXi OEM images are customizable.  We are using servers with customized images.  Meaning I have pumped drivers from the original OEM ISO, and injected these drivers into a standard ESXi 6.5 ISO, installed it on the host, then upgraded to version 6.7.  The latest OEM version available for our servers is HP ESXi 5.5.  I did not find the trick to inject drivers in ESXi 6.7.  This is why I have upgraded from 6.5 to 6.7.

    Some reading here: https://blog.monstermuffin.org/fixing-esxi-6-5-hpe-g7-servers/

    As usual, it is very easy to do once you read for two weeks and hit walls many times meanwhile.

    Install PowerCLI.  Be aware that on Windows 10, PowerCLI installs via a PowerShell command.  No need to download any installers anymore.

    Download the ESXi ISO from VMware.

    Download the latest OEM ISO.  The OEM ISO I have downloaded was more recent than the one mentioned previously in the link.  That has affected the smx-provider name in the PowerCLI commands that you will see below.

    Follow instructions.  There are some errors in the link, like "hpe-smx-provider", which should have been "smx-provider" ...  But in general commands are the same for all OEM.  Only file names will change ...  Below you will find all outputs I have done while doing so.  Typos and erroneous commands included.

    Good luck.

    Paul Jr Robitaille

     

    PowerCLI C:\> Add-EsxSoftwareDepot -DepotUrl C:\HPE\ESXIHP65.zip

    Depot Url

    ---------

    zip:C:\HPE\ESXIHP65.zip?index.xml

     

    PowerCLI C:\> Get-EsxImageProfile | format-list

    Name            : HPE-ESXi-6.5.0-Update1-650.U1.10.2.0.23

    Vendor          : Hewlett Packard Enterprise

    Author          :

    Description     : HPE Custom Image Profile for ESXi 6.5.0 Depot

    CreationTime    : 2017-12-18 11:40:25

    ModifiedTime    : 2018-02-05 11:00:37

    ReadOnly        : True

    VibList         : {ne1000 0.8.0-16vmw.650.1.26.5969303, vmkplexer-vmkplexer 6.5.0-0.0.4564106, sata-ata-piix

                      2.12-10vmw.650.0.0.4564106, net-usbnet 1.0-3vmw.650.0.0.4564106...}

    AcceptanceLevel : PartnerSupported

    Guid            : bdfa2f99-f6c7-40ce-8317-c113a32be00d

    Rules           :

    StatelessReady  : False

     

    PowerCLI C:\> New-EsxImageProfile -CloneProfile HPE-ESXi-6.5.0-Update1-650.U1.10.2.0.23 -Name "ESXICUST"

    cmdlet New-EsxImageProfile at command pipeline position 1

    Supply values for the following parameters:

    (Type !? for Help.)

    Vendor: Custom

     

    Name                           Vendor          Last Modified   Acceptance Level

    ----                           ------          -------------   ----------------

    ESXICUST                       Custom          2018-02-05 1... PartnerSupported

     

    PowerCLI C:\> Get-EsxImageProfile | format-list

    Name            : ESXICUST

    Vendor          : Custom

    Author          :

    Description     : HPE Custom Image Profile for ESXi 6.5.0 Depot

    CreationTime    : 2017-12-18 11:40:25

    ModifiedTime    : 2018-02-05 11:00:37

    ReadOnly        : False

    VibList         : {ne1000 0.8.0-16vmw.650.1.26.5969303, vmkplexer-vmkplexer 6.5.0-0.0.4564106, sata-ata-piix

                      2.12-10vmw.650.0.0.4564106, net-usbnet 1.0-3vmw.650.0.0.4564106...}

    AcceptanceLevel : PartnerSupported

    Guid            : 1c4f4a83-981c-4f62-b179-2af8c45aaf19

    Rules           :

    StatelessReady  : False

     

    Name            : HPE-ESXi-6.5.0-Update1-650.U1.10.2.0.23

    Vendor          : Hewlett Packard Enterprise

    Author          :

    Description     : HPE Custom Image Profile for ESXi 6.5.0 Depot

    CreationTime    : 2017-12-18 11:40:25

    ModifiedTime    : 2018-02-05 11:00:37

    ReadOnly        : True

    VibList         : {ne1000 0.8.0-16vmw.650.1.26.5969303, vmkplexer-vmkplexer 6.5.0-0.0.4564106, sata-ata-piix

                      2.12-10vmw.650.0.0.4564106, net-usbnet 1.0-3vmw.650.0.0.4564106...}

    AcceptanceLevel : PartnerSupported

    Guid            : bdfa2f99-f6c7-40ce-8317-c113a32be00d

    Rules           :

    StatelessReady  : False

     

    PowerCLI C:\> Remove-EsxSoftwarePackage ESXICUST hpe-smx-provider

    WARNING: Package hpe-smx-provider could not be found in image profile ESXICUST, not removing.

    Name                           Vendor          Last Modified   Acceptance Level

    ----                           ------          -------------   ----------------

    ESXICUST                       Custom          2018-03-08 1... PartnerSupported

     

    PowerCLI C:\> Remove-EsxSoftwarePackage ESXICUST smx-provider

    Name                           Vendor          Last Modified   Acceptance Level

    ----                           ------          -------------   ----------------

    ESXICUST                       Custom          2018-03-08 1... PartnerSupported

     

    PowerCLI C:\> Add-EsxSoftwareDepot -DepotUrl C:\HPE\ESXIHP6U2.zip

    Depot Url

    ---------

    zip:C:\HPE\ESXIHP6U2.zip?index.xml

     

    PowerCLI C:\> Get-EsxImageProfile | format-list

    Name            : ESXICUST

    Vendor          : Custom

    Author          :

    Description     : HPE Custom Image Profile for ESXi 6.5.0 Depot

    CreationTime    : 2017-12-18 11:40:25

    ModifiedTime    : 2018-03-08 14:33:45

    ReadOnly        : False

    VibList         : {ne1000 0.8.0-16vmw.650.1.26.5969303, vmkplexer-vmkplexer 6.5.0-0.0.4564106, sata-ata-piix

                      2.12-10vmw.650.0.0.4564106, net-usbnet 1.0-3vmw.650.0.0.4564106...}

    AcceptanceLevel : PartnerSupported

    Guid            : 1c4f4a83-981c-4f62-b179-2af8c45aaf19

    Rules           :

    StatelessReady  : False

     

    Name            : HPE-ESXi-6.0.0-Update3-600.10.2.0.23

    Vendor          : Hewlett Packard Enterprise

    Author          :

    Description     : HPE Custom Image Profile for ESXi 6.0.0 Depot

    CreationTime    : 2017-10-18 07:00:11

    ModifiedTime    : 2018-02-05 11:00:18

    ReadOnly        : True

    VibList         : {brcmfcoe 11.4.1216.0-1OEM.600.0.0.2768847, sata-sata-sil 2.3-4vmw.600.0.0.2494585, scsi-ips

                      7.12.05-4vmw.600.0.0.2494585, ehci-ehci-hcd 1.0-4vmw.600.3.69.5572656...}

    AcceptanceLevel : PartnerSupported

    Guid            : ea3b9692-ede9-4e21-b174-9dc3aa202053

    Rules           :

    StatelessReady  : True

     

    Name            : HPE-ESXi-6.5.0-Update1-650.U1.10.2.0.23

    Vendor          : Hewlett Packard Enterprise

    Author          :

    Description     : HPE Custom Image Profile for ESXi 6.5.0 Depot

    CreationTime    : 2017-12-18 11:40:25

    ModifiedTime    : 2018-02-05 11:00:37

    ReadOnly        : True

    VibList         : {ne1000 0.8.0-16vmw.650.1.26.5969303, vmkplexer-vmkplexer 6.5.0-0.0.4564106, sata-ata-piix

                      2.12-10vmw.650.0.0.4564106, net-usbnet 1.0-3vmw.650.0.0.4564106...}

    AcceptanceLevel : PartnerSupported

    Guid            : bdfa2f99-f6c7-40ce-8317-c113a32be00d

    Rules           :

    StatelessReady  : False

     

    PowerCLI C:\> Get-EsxImageProfile

    Name                           Vendor          Last Modified   Acceptance Level

    ----                           ------          -------------   ----------------

    ESXICUST                       Custom          2018-03-08 1... PartnerSupported

    HPE-ESXi-6.0.0-Update3-600.... Hewlett Pack... 2018-02-05 1... PartnerSupported

    HPE-ESXi-6.5.0-Update1-650.... Hewlett Pack... 2018-02-05 1... PartnerSupported

     

    PowerCLI C:\> Get-EsxSoftwarePackage | findstr smx

    smx-provider             650.03.13.00.6-4240417         HPE        2017-10-04 07...

    smx-provider             600.03.13.00.5-2768847         HPE        2017-10-04 07...

     

    PowerCLI C:\> add-esxsoftwarepackage -imageprofile ESXICUST -softwarepackage "hpe-smx-provider 600.03.11.00.9-2768847"

    add-esxsoftwarepackage : Cannot add VIB 'hpe-smx-provider' which is not in the depot

    At line:1 char:1

    + add-esxsoftwarepackage -imageprofile ESXICUST -softwarepackage "hpe-s ...

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        + CategoryInfo          : NotSpecified: (:) [Add-EsxSoftwarePackage], SoapException

        + FullyQualifiedErrorId : System.Web.Services.Protocols.SoapException,VMware.ImageBuilder.Commands.AddProfilePackage

     

    PowerCLI C:\> add-esxsoftwarepackage -imageprofile ESXICUST -softwarepackage "smx-provider 600.03.11.00.9-2768847"

    add-esxsoftwarepackage : Cannot add VIB 'smx-provider' which is not in the depot

    At line:1 char:1

    + add-esxsoftwarepackage -imageprofile ESXICUST -softwarepackage "smx-p ...

    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

        + CategoryInfo          : NotSpecified: (:) [Add-EsxSoftwarePackage], SoapException

        + FullyQualifiedErrorId : System.Web.Services.Protocols.SoapException,VMware.ImageBuilder.Commands.AddProfilePackage

     

    PowerCLI C:\> add-esxsoftwarepackage -imageprofile ESXICUST -softwarepackage "smx-provider 600.03.13.00.5-2768847"

    Name                           Vendor          Last Modified   Acceptance Level

    ----                           ------          -------------   ----------------

    ESXICUST                       Custom          2018-03-08 1... PartnerSupported

     

    PowerCLI C:\> Export-EsxImageProfile -ImageProfile ESXICUST -ExportToIso -filepath "c:\HPE\ESXI65CUST.iso"
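
The build steps from the session above, gathered into one script, as an added example that is not part of the original post. It uses the paths, profile name and VIB name shown there and looks the replacement VIB up in the depot instead of typing its version, which is the step that failed twice in the session with "not in the depot". The `600.*` version filter and the acceptance-level allow-list are assumptions made for this example.

```powershell
# Added example: the build from the session above as one PowerCLI Image Builder script.
$ErrorActionPreference = 'Stop'

# Paths, profile name and VIB name as shown in the post.
$baseDepot   = 'C:\HPE\ESXIHP65.zip'
$driverDepot = 'C:\HPE\ESXIHP6U2.zip'
$baseProfile = 'HPE-ESXi-6.5.0-Update1-650.U1.10.2.0.23'
$newProfile  = 'ESXICUST'
$vibName     = 'smx-provider'
$isoPath     = 'C:\HPE\ESXI65CUST.iso'

# Assumptions for this example: the 6.0 build is selected by its "600." version
# prefix, and only these acceptance levels are allowed into the image.
$versionPrefix = '600.*'
$allowedLevels = 'VMwareCertified', 'VMwareAccepted', 'PartnerSupported'

Add-EsxSoftwareDepot -DepotUrl $baseDepot | Out-Null
New-EsxImageProfile -CloneProfile $baseProfile -Name $newProfile -Vendor 'Custom' | Out-Null

# Stop if the clone does not contain the package to be swapped out (in the
# session a wrong package name only produced a warning, not an error).
$clone = Get-EsxImageProfile -Name $newProfile
if ($clone.VibList.Name -notcontains $vibName) {
    throw "Package '$vibName' is not in profile '$newProfile'."
}
Remove-EsxSoftwarePackage -ImageProfile $newProfile -SoftwarePackage $vibName | Out-Null

Add-EsxSoftwareDepot -DepotUrl $driverDepot | Out-Null

# Look the replacement up in the loaded depots instead of typing its version.
$candidates = @(Get-EsxSoftwarePackage -Name $vibName |
    Where-Object { "$($_.Version)" -like $versionPrefix })
if ($candidates.Count -ne 1) {
    throw "Expected one '$vibName' build matching $versionPrefix, found $($candidates.Count)."
}
$vib = $candidates[0]

# Refuse a VIB whose acceptance level is outside the allow-list.
if ("$($vib.AcceptanceLevel)" -notin $allowedLevels) {
    throw "VIB acceptance level '$($vib.AcceptanceLevel)' is not allowed."
}

Add-EsxSoftwarePackage -ImageProfile $newProfile -SoftwarePackage "$($vib.Name) $($vib.Version)" | Out-Null
Export-EsxImageProfile -ImageProfile $newProfile -ExportToIso -FilePath $isoPath

# Record a hash of the ISO so the installed media can be checked against the build.
Get-FileHash -Path $isoPath -Algorithm SHA256 | Format-List Algorithm, Hash, Path
```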