Accessing VM Console From Outside Your Network For VMware

Platform9's managed OpenStack private cloud deployment gives users the ability to launch a VNC console for Virtual Machine instances that are under its' management. However, this is only possible if the browser is on the same network as the Platform9 VMware gateway appliance.

To get around this restriction, administrators can setup a simple proxy to route traffic to the noVNC port on the gateway appliance, then route the VNC traffic via this proxy.

NOTE that this proxy should be accessible to your end users, as well as be able to communicate with the Platform9 VMware gateway appliance.

This Tutorial lays out the steps needed to accomplish this, using nginx as a proxy server, on a CentOS machine.

Step 1 - Install nginx

On CentOS, you can install nginx via yum simply by issuing the following command:

yum install nginx

NOTE: If you already have nginx installed, you may want to ensure that it it updated to the latest version. You can do this directly by issuing the following commands:

yum install http://nginx.org/packages/centos/6/noarch/RPMS/nginx-release-centos-6-0.el6.ngx.noarch.rpm
yum install nginx

Step 2 - Configure nginx

Once nginx has been installed, it will need to be configured to route traffic to the VMware gateway appliance. Since we are setting up a separate proxy, we can also put in an added layer of security by ensuring that all connections are over HTTPS, using appropriate certificates. For e.g., assuming that the host or appliance IP is 192.0.2.10, and the proxy machine has an IP of 203.0.113.55 this is a sample nginx configuration that will accept incoming traffic on HTTPS, and redirect it to the host:

server {
  listen 203.0.113.55:443;
  server_name 203.0.113.55;
  ssl on;
  ssl_certificate /etc/nginx/secure-cert.pem;
  ssl_certificate_key /etc/nginx/secure-key.pem;
  location / {
    proxy_pass http://192.0.2.10:6080/;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_read_timeout 1800s;
    proxy_send_timeout 1800s;
    proxy_buffering off;
  }
}

This configuration should be placed under the /etc/nginx/conf.d folder so that the nginx service can ingest it on startup

Step 3 - Start nginx

Once the configuration is created, nginx can be started.

Note that if you have not removed the pass phrase from your SSL certificate security key, you will need to enter it when starting the nginx service

service nginx start

Step 4 - Modify nova configuration to use the proxy as the noVNC base URL

Login to the VMware appliance. The appliance default root password is pf9vmware.  The noVNC base url entry can be found in /opt/pf9/etc/nova/conf.d/nova_vmw_override.conf. Change the noVNC proxy base URL entry, and restart the pf9-ostackhost and pf9-novncproxy services:

novncproxy_base_url = https://203.0.113.55/vnc_auto.html
service pf9-ostackhost restart
service pf9-novncproxy restart

Now, when the VNC console is loaded from the Platform9 UI, the browser will open a connection to the externally visible proxy server - via HTTPS - which in turn will send that data to the appliance to provide a VNC console view to external users.


January 27, 2016