VMware vSphere

 View Only

  • 1.  Possible to disable or restrict the use of "Web Console"?

    Posted Feb 01, 2023 09:50 AM

    Hello,

    i'm trying to find a way to disable or restrict the use of the "Web Console" for all VMs or just for a single VM.

    Maybe hide the "Launch Web Console" Button?

    Maybe use a security group?

    The reason for this is that using "Web Console" is destroying screen resolution settings and the use of the mouse.

    I want only the "Remote Console" to be used.



  • 2.  RE: Possible to disable or restrict the use of "Web Console"?

    Broadcom Employee
    Posted Feb 01, 2023 05:04 PM

    See https://williamlam.com/2015/12/how-to-restrict-access-to-both-the-standalone-vmrc-html5-vm-console.html and the note towards bottom



  • 3.  RE: Possible to disable or restrict the use of "Web Console"?

    Posted Feb 03, 2023 11:28 AM

    Hi, hanks for the answer, but this is not working.

    I want to force the admins to use VMRC only.

    If i put them in a security group, they can use both (web console and vmrc) or they are NOT allowed to use any of the consoles.

     

    regards

    Bond



  • 4.  RE: Possible to disable or restrict the use of "Web Console"?
    Best Answer

    Broadcom Employee
    Posted Feb 03, 2023 07:51 PM

    If you want to only allow VMRC (Standalone VMRC Client) connections but block HTML VM Console, then one way to do this is based on technique used in https://williamlam.com/2021/06/how-to-restrict-vsphere-ui-access-while-maintaining-vsphere-api-functionality.html but instead of blocking /ui endpoint, you would add security constraint to /ui/webconsole URI and this would apply globally for ALL users. You could setup additional configurations to restrict it by client IP and/or credentials (see https://www.virtuozzo.com/company/blog/restrict-access-tomcat-web-application-hosting/

    For global block, you can add the following snippet at the bottom (right before the closing "web-app" tag) of /usr/lib/vmware-vsphere-ui/server/conf/web.xml 

     

        <security-constraint>
      <web-resource-collection>
        <url-pattern>/ui/webconsole.html</url-pattern>
        <http-method>GET</http-method>
      </web-resource-collection>
      <auth-constraint />
    </security-constraint>

     

    Save your changes and then restart the vSphere UI for change to go into effect by running following command:

    service-control --restart vsphere-ui

    You should now be able to access VMRC but when you click on HTML VM Console, you'll get a 403 (Forbidden)

     



  • 5.  RE: Possible to disable or restrict the use of "Web Console"?

    Posted Feb 07, 2023 08:17 AM

    Beautiful!

    Works great and is the perfect solution for my "problem".

    Thank you so much!



  • 6.  RE: Possible to disable or restrict the use of "Web Console"?

    Posted Mar 28, 2024 05:58 AM

    Hello lamw,

    If I add the snip to web.xml the vsphere-ui doesn't start anymore

    We use VMware-VCSA-all-8.0.1-22368047

    Please help to fix it 

    Thanks

    Josef