Web-server – Setup vCenter 6.0 site accessible from networks with strict firewall


How can I set up a vCenter (VCSA) site that allows external access from networks that have strict egress firewalls (i.e. HTTP/HTTPS only, no high numbered ports open)? Though the base web client works, webconsole breaks when port 9443 is blocked/filtered.

I have an answer for this question that I'd like to preserve in the public in case anyone else runs into this problem (below). I'm also open to criticism of my solution and proposed improvements.

Best Answer

The easiest way that I've found to do this is to make a slight change to the webclient configuration and then reverse proxy using nginx.

First, one setting on the VCSA needs to be changed. Currently, the links to open a webconsole point to port 9443. We need this to be over 443, as we only have access over HTTPS. This setting does not actually change the port that the webconsole service is active on - it just changes the links generated by the vsphere webclient:

  1. In /etc/vmware/vsphere-client/webclient.properties, change the setting for html.console.port to 443.

  2. Reboot the vsphere-client service (this usually takes a while to reload). If you need to change the ssl certificates using /usr/lib/vmware-vmca/bin/certificate-manager (the one presented to the user is the machine certificate), do this now as that requires a reboot of the service anyway.

Then, the rest is done on an HTTP server box. I used debian stable with nginx. If you use debian stable, be aware that you should use the version of nginx that's in backports. The version in the stable repository doesn't have the websocket plugin.

It turns out that the main method of communication between the client and the server within webconsole is a websocket set to connect over port 443. Using a reverse proxy, we can proxy the webconsole endpoint back to the machine over port 443. The nginx configuration that I'm using looks like this:

# Redirect HTTP to HTTPS
server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
}

# Main Server Configuration
server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        # SSL Configuration
        ssl_certificate /etc/ssl/fullchain.pem;
        ssl_certificate_key /etc/ssl/privkey.pem;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        # TLSv1 and TLSv1.1 are deprecated; keep only TLSv1.2 unless an old client needs them
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_dhparam /etc/ssl/dhparam.pem;

        # Doesn't really matter - everything is proxied
        root /var/www/html;
        index index.html;
        server_name _;

        # By default, proxy over 443 to vsphere webclient
        location / {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_ssl_verify off; # No need on isolated LAN
                proxy_pass https://VCSA_IP_ADDRESS; # placeholder: replace with the vCSA IP address
        }

        # Proxy webconsole websocket endpoint to port 9443
        location /vsphere-client/webconsole/ {
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_ssl_verify off;
                # For websocket upgrade support (nginx must talk HTTP/1.1 to the backend)
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
                proxy_pass https://VCSA_IP_ADDRESS:9443; # placeholder: vCSA IP address, webconsole port
        }
}

If you then browse to the proxy, you should be able to open up webconsole sessions without needing access to high numbered ports. If there are any other vsphere web features that need access, they can be handled in a similar way (and if you find them, please comment!).

HTH someone (or perhaps my future self).
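The answer above hinges on two settings being right at the same time: html.console.port in webclient.properties must be 443, and the nginx webconsole location must carry the WebSocket upgrade directives and point at the VCSA on 9443. The following script is an added example, not code from the original post; it checks both files and additionally flags deprecated TLS versions in ssl_protocols. The embedded properties excerpt and nginx config are constructed samples, and 203.0.113.10 is a placeholder VCSA address from the documentation range.

```python
"""Check the settings the vCenter-behind-nginx setup relies on. Constructed
example, not code from the original post: html.console.port must be 443, and
the nginx proxy must send /vsphere-client/webconsole/ to the VCSA on 9443 with
the WebSocket upgrade directives; deprecated TLS versions are flagged."""
import re

SAMPLE_PROPERTIES = "html.console.port = 443\n"  # constructed excerpt

SAMPLE_CONF = """\
# constructed nginx config in the shape of the answer above
server {
    listen 80 default_server;
    return 301 https://$host$request_uri;
}
server {
    listen 443 ssl default_server;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location / {
        proxy_pass https://203.0.113.10;       # placeholder VCSA address
    }
    location /vsphere-client/webconsole/ {
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_pass https://203.0.113.10:9443;  # placeholder VCSA address
    }
}
"""
WEAK_PROTOCOLS = {"SSLv3", "TLSv1", "TLSv1.1"}


def console_port(properties_text):
    """Return html.console.port from a Java-style properties file, or None."""
    for line in properties_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.strip() == "html.console.port":
            return int(value.strip())
    return None


def parse_nginx(text):
    """Tiny nginx parser: a tree of blocks holding (name, args) directives."""
    root = {"header": [], "directives": [], "blocks": []}
    stack, buf = [root], ""
    for ch in re.sub(r"#[^\n]*", "", text):  # comments stripped first
        if ch not in ";{}":
            buf += ch
            continue
        parts, buf = buf.split(), ""
        if ch == ";" and parts:
            stack[-1]["directives"].append((parts[0], parts[1:]))
        elif ch == "{":
            block = {"header": parts, "directives": [], "blocks": []}
            stack[-1]["blocks"].append(block)
            stack.append(block)
        elif ch == "}":
            if len(stack) == 1:
                raise ValueError("unbalanced '}' in nginx config")
            stack.pop()
    if len(stack) != 1:
        raise ValueError("unclosed block in nginx config")
    return root


def find_blocks(node, kind):
    """Yield every block at any depth whose header starts with `kind`."""
    for block in node["blocks"]:
        if block["header"][:1] == [kind]:
            yield block
        yield from find_blocks(block, kind)


def directive(block, name):
    """Argument lists of every `name` directive directly inside `block`."""
    return [args for n, args in block["directives"] if n == name]


def check_config(properties_text, nginx_text):
    """Return a list of findings; an empty list means both files look right."""
    findings = []
    port = console_port(properties_text)
    if port != 443:
        findings.append(f"html.console.port is {port}; must be 443 so console links stay on HTTPS")
    conf = parse_nginx(nginx_text)
    consoles = [b for b in find_blocks(conf, "location") if b["header"][1:] == ["/vsphere-client/webconsole/"]]
    if not consoles:
        findings.append("no location block for /vsphere-client/webconsole/")
    else:
        loc = consoles[0]
        if ["1.1"] not in directive(loc, "proxy_http_version"):
            findings.append("webconsole location lacks proxy_http_version 1.1 (needed for WebSocket upgrade)")
        headers = {a[0]: a[1:] for a in directive(loc, "proxy_set_header") if len(a) >= 2}
        if headers.get("Upgrade") != ["$http_upgrade"]:
            findings.append("webconsole location does not forward the Upgrade header")
        if headers.get("Connection") not in (['"upgrade"'], ["upgrade"]):
            findings.append("webconsole location does not set Connection: upgrade")
        targets = directive(loc, "proxy_pass")
        if not targets or not targets[0][0].endswith(":9443"):
            findings.append("webconsole location must proxy_pass to the VCSA on port 9443")
    for srv in find_blocks(conf, "server"):
        for args in directive(srv, "ssl_protocols"):
            weak = sorted(WEAK_PROTOCOLS & set(args))
            if weak:
                findings.append("ssl_protocols enables deprecated " + ", ".join(weak))
    return findings
```

On the sample above, check_config reports only the deprecated TLSv1/TLSv1.1 entries; remove proxy_http_version or point html.console.port back at 9443 and the corresponding finding appears. To run it against a real deployment, pass the contents of /etc/vmware/vsphere-client/webclient.properties and the nginx site file to check_config. The parser is deliberately minimal (no include handling, no # inside quoted strings), so it is a sanity check on this one site file rather than a general nginx linter.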