VM /ETC

VMware’s VI Client is the remote management tool for VirtualCenter Server, ESX hosts, and Virtual Machines. In a default installation of VI 3.5 it can be downloaded without user authentication from the web interface of any ESX host or instance of VirtualCenter. Assuming restricted desktop permissions are in place, users may already be prohibited from installing the VI Client, and even if the client can be installed VirtualCenter and ESX permissions prevent unauthorized user access. But what if you want to prevent users from downloading the client in the first place?

Maybe you don’t want to manage multiple copies of the VI Client on your network. Maybe you don’t want support calls from users who are trying to get rogue administrative access. Perhaps you are just trying to ensure that your users who do have access to VI components always use the web interface. Whatever your reason, there are multiple methods for disabling the VI Client download from the ESX and VC 2.5 web interfaces. Some alternatives are:

• Close the web ports on the local firewall of each VMware Server
• Restrict access from non admin computers on your network
• Stop the web services on the VMware servers

The problem with doing any of the above is that you either end up breaking or limiting other features of your virtual infrastructure solution or it could require significant planning and configuration to implement.

This post explains how to leave the default VMware web ports and services open and active, and instead modify the web interface page content so that the unwanted links are no longer available. When finished with the steps below the “Log in to Web Access” link is the only content available from the web interface. It’s a simple alternative that doesn’t have any of the “gotchas” of the previously mentioned possibilities.

This tip is not officially supported by VMware, and you should use it at your own risk – although it is basic html editing so I doubt you could do any serious damage to your implementation!

Modify ESX 3.5 Web Interface
The default ESX 3.5 web page interface
Use WinSCP (or the tool of your choice) to remotely browse your ESX host(s)	** SAVE A COPY OF THE ORIGINAL FILE BEFORE CONTINUING ** Edit /usr/lib/vmware/hostd/docroot/index.html
Comment out the sections you do not want users to have access to	Use “<!–” to start commenting and “//–>” to end commenting
Example of a modified and restricted ESX 3.5 web interface
Modify VC 2.5 Web Interface
The default VC 2.5 Web page interface
Log on locally to the VC 2.5 Server	** SAVE A COPY OF THE ORIGINAL FILE BEFORE CONTINUING ** Edit C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\docRoot\index.html
Use Notepad to comment out the sections you do not want users to have access to	Use “<!–” to start commenting and “//–>” to end commenting
Example of a modified and restricted VC 2.5 web interface

For those who are satisfied with the appearance of the web interface in the images above I am providing a .zip file containing both the modified VC and ESX index.html files. Just rename the file currently in your VMware server’s directory for backup, and then extract the .zip contents to the appropriate servers and rename them to “index.html”.

I’ve never tried it, but I can’t think of a reason why you couldn’t rename the original file something similar to “admin.hmtl”. Then you also have the option to tell your authorized users to browse to “http://hostname/admin.html” to download the VI Client.

Related Posts

• Script for VMware HA Feature without VirtualCenter (4)
• MAC Address Identifies a Remote Server is a VMware VM (13)
• Virtualcenter Directions #TA3807 (6)
• Why do I need to install VMware Tools? (11)
• Use VMware Converter to Solve ESX Snapshot Issues (5)
• Use the VI Client to bulk upgrade VM tools (2)
• Use the VI Client to grow a virtual disk (0)
• Use the VI Client to configure ESX NTP time sync (8)
• FREE Disk space monitoring solutions for VMware virtual infrastructure (1)
• Changing the IP address of ESX 3.x (8)