Using VNC for Console Access to ISE (and other) VM's

VMware had the foresight to build VNC into the ESX server, it just didn't make it obvious on how to enable it. That's (hopefully) where I come in.

It Works!

Figure10 - It Works!

Credit: Aaron Woland

A little less than 1/2 of all Identity Service Engine installations are on VMWare.  Yes it’s true.  About 45% of all ISE nodes deployed in this world are Virtual.  What I don’t know is:  how many are in production and how many are in a lab.

Let me give you another statistic (my own).  When I work with a company that is using VMWare in production, 90% of the time the VMWare infrastructure is managed by a completely different team than the one who owns ISE & the management of the appliances (virtual and physical).

One more statistic.  Of that 90% who do not manage VMWare, 80% of those are not permitted to access the console of their ISE nodes.  That’s right, a security team that has a security appliance installed on a VMWare ESX server & is not permitted to access the console; only SSH / Web into the device.

Whether you suffer from the same affliction of not having rights/permissions to access the console, or you are just looking for a way to simplify console access without having to first launch VMWare VSphere:  I have a solution for you!  VNC!

That’s right, VMWare had the forethought to build VNC into the ESX server, they just don’t make it obvious on how to enable it.  That’s (hopefully) where I come in.  Now you just have to get your VMWare administrator to follow this blog post.  Let’s get started.

Configure your Virtual Machine for VNC to the Console.

I typically add these changes to my standard procedure when building a new ISE VM.  I make the changes before I complete the Virtual Machine creation (use the “Edit the virtual machine settings before completion” check box to make it even easier).  However, you can also edit the settings of an existing VM & add the VNC configuration to that VM, too.

Note:  the VM must be powered off to make this change.

Edit Before Complete Aaron Woland

Figure1 - Edit Before Completing VM

If your VM is already created, simply edit the settings:

Edit Settings Aaron Woland

Figure2 - Edit Settings

Either way, you end up with this screen.  From here Click on OPTIONS.

Click Options Aaron Woland

Figure3 - Click Options

Now under Advanced, click on General >> and then click on “Configuration Parameters”

Configure Parameters Aaron Woland

Figure4 - Configure Parameters

This screen may be empty (if a new VM) or it may have a bunch of stuff in it if the VM was already existing (modifying an existing VM).  Either way, click Add Row:

Add Row Aaron Woland

Figure5 - Add Row

Fix the Keyboard Delay.  We are doing this because often when working remotely with VMWare consoles, the keyboard repeat rate is too sensitive and you will sssssooooooommmmmmeeeeettttttiiiiiiiiiimmmmmmeeeeeeesssss gggggeeeeeettttt kkkkkkeeeeeeyyyyyy  reeeepppeaaaaattttttttttssssss. This fixes that.

In your new row, give the row the name keyboard.typematicMinDelayand then set the Value to 2000000.  Then Click Add Row to move on to the next entry.

Name the second entry RemoteDisplay.vnc.enabled  and the value should be TRUE.  Click Add Row to move onto the next entry.

Name this third entry RemoteDisplay.vnc.port  and the value needs to be 59xx (replace xx with a port between 00-64).  5900 – 5964 are the VNC port numbers and need to be unique per Virtual Machine.  See the screen shot below

Lastly, add a final row named RemoteDisplay.vnc.password and set the value to whatever password you would like to use.

All Parameters Aaron Woland

Figure6 - All parameters

Before you can connect to the Console via VNC, you may have to modify the ESX Server’s Firewall settings.  By default ESX’s firewall does not have a rule for the VNC ports.  So, in order to keep this blog post simply & open the ports, we will just go into the Firewall Properties and enable an existing rule named “VM serial port connected over network”.  This will allow the connections.

Navigate to the ESX Server itself (not the VM).  Click on Configuration >> Security Profile.  Then click on the Properties link for the Firewall.

Security Settings Aaron Woland

Figure7 - Security Settings

Within the Firewall Properties, enable the check box for the existing “VM serial port connected over network” default rule.  This will allow the connections necessary.

Note:  Your VMWare administrator could always modify the iptables rules from the ESX Server’s command line interface to only allow the VNC ports that are needed.  But we are keeping this simple for the purposes of this blog post.

Firewall Aaron Woland

Figure8 - Firewall

Now the VM is setup!  You are ready to rock this.  Let’s setup a VNC Client.  You can use whatever client you would like, obviously.  I personally use JollyFastVNC on my Mac.

Note:  VNC will not connect unless the VM is powered on.

Add a new VNC Connection to your client.  The network address should be the IP Address of the ESX server (not the VCenter).  The port should match the 59xx port number you chose when adding that entry to the VM.

VNC Settings Aaron Woland

Figure9 - VNC Settings

When you connect, you will be prompted for the VNC Password.

Password Aaron Woland

Figure10 - Password

POOF!  You are on the console of the VM.

It Works! Aaron Woland

Figure11 - It Works!

Aaron Woland

Well, I hope this was helpful!  Now you can access the console of all your ISE Virtual Machines without having to go through the VSphere client.  As always, feedback is very welcome.

Stay on the lookout for more Tips & Tricks!

Aaron

This article is published as part of the IDG Contributor Network. Want to Join?

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.