A little less than 1/2 of all Identity Service Engine installations are on VMWare. Yes it’s true. About 45% of all ISE nodes deployed in this world are Virtual. What I don’t know is: how many are in production and how many are in a lab.
Let me give you another statistic (my own). When I work with a company that is using VMWare in production, 90% of the time the VMWare infrastructure is managed by a completely different team than the one who owns ISE & the management of the appliances (virtual and physical).
One more statistic. Of that 90% who do not manage VMWare, 80% of those are not permitted to access the console of their ISE nodes. That’s right, a security team that has a security appliance installed on a VMWare ESX server & is not permitted to access the console; only SSH / Web into the device.
Whether you suffer from the same affliction of not having rights/permissions to access the console, or you are just looking for a way to simplify console access without having to first launch VMWare VSphere: I have a solution for you! VNC!
That’s right, VMWare had the forethought to build VNC into the ESX server, they just don’t make it obvious on how to enable it. That’s (hopefully) where I come in. Now you just have to get your VMWare administrator to follow this blog post. Let’s get started.
Configure your Virtual Machine for VNC to the Console.
I typically add these changes to my standard procedure when building a new ISE VM. I make the changes before I complete the Virtual Machine creation (use the “Edit the virtual machine settings before completion” check box to make it even easier). However, you can also edit the settings of an existing VM & add the VNC configuration to that VM, too.
Note: the VM must be powered off to make this change.
If your VM is already created, simply edit the settings:
Either way, you end up with this screen. From here Click on OPTIONS.
Now under Advanced, click on General >> and then click on “Configuration Parameters”
This screen may be empty (if a new VM) or it may have a bunch of stuff in it if the VM was already existing (modifying an existing VM). Either way, click Add Row:
Fix the Keyboard Delay. We are doing this because often when working remotely with VMWare consoles, the keyboard repeat rate is too sensitive and you will sssssooooooommmmmmeeeeettttttiiiiiiiiiimmmmmmeeeeeeesssss gggggeeeeeettttt kkkkkkeeeeeeyyyyyy reeeepppeaaaaattttttttttssssss. This fixes that.
In your new row, give the row the name keyboard.typematicMinDelay and then set the Value to 2000000. Then Click Add Row to move on to the next entry.
Name the second entry RemoteDisplay.vnc.enabled and the value should be TRUE. Click Add Row to move onto the next entry.
Name this third entry RemoteDisplay.vnc.port and the value needs to be 59xx (replace xx with a port between 00-64). 5900 – 5964 are the VNC port numbers and need to be unique per Virtual Machine. See the screen shot below
Lastly, add a final row named RemoteDisplay.vnc.password and set the value to whatever password you would like to use.
Before you can connect to the Console via VNC, you may have to modify the ESX Server’s Firewall settings. By default ESX’s firewall does not have a rule for the VNC ports. So, in order to keep this blog post simply & open the ports, we will just go into the Firewall Properties and enable an existing rule named “VM serial port connected over network”. This will allow the connections.
Navigate to the ESX Server itself (not the VM). Click on Configuration >> Security Profile. Then click on the Properties link for the Firewall.
Within the Firewall Properties, enable the check box for the existing “VM serial port connected over network” default rule. This will allow the connections necessary.
Note: Your VMWare administrator could always modify the iptables rules from the ESX Server’s command line interface to only allow the VNC ports that are needed. But we are keeping this simple for the purposes of this blog post.
Now the VM is setup! You are ready to rock this. Let’s setup a VNC Client. You can use whatever client you would like, obviously. I personally use JollyFastVNC on my Mac.
Note: VNC will not connect unless the VM is powered on.
Add a new VNC Connection to your client. The network address should be the IP Address of the ESX server (not the VCenter). The port should match the 59xx port number you chose when adding that entry to the VM.
When you connect, you will be prompted for the VNC Password.
POOF! You are on the console of the VM.
Well, I hope this was helpful! Now you can access the console of all your ISE Virtual Machines without having to go through the VSphere client. As always, feedback is very welcome.
Stay on the lookout for more Tips & Tricks!