Enable WebMKS for vCenter

Owned by MS (Unlicensed)
Jan 17, 2023
4 min read

This page describes how to install and configure WebMKS proxy and enable WebMKS in an existing environment with VMs running VNC.
For an environment without VMs running VNC, see Install WebMKS proxy and configure WebMKS.

  • Do not modify remote access or VNC configurations when WebMKS is activated because this will cause an error

  • VMs with WebMKS active will always have remote access enabled, and you cannot change it in the VM (for example, you cannot disable it)

 

Introduction to WebMKS proxy

Remote access for vCenter 7 is through WebMKS only and Abiquo supports WebMKS with a proxy.

The purpose of the WebMKS proxy is to allow remote access to VMs in VCenter/ESXi architectures. This is done via Secure WebSocket protocol using the VMware VNC implementation over WSS (WebMKS). Basically, we request a ticket to the vCenter API, and with this ticket we can request VM remote access data to the ESXi host via WSS. The connection to the Abiquo Server is passed by the Apache proxy to an NGINX proxy on the Remote Services.

You can run WebMKS without a proxy configuration but it will require host access from the outside (something which is unacceptable in production but may simplify a test environment).

 Install WebMKS proxy

To install WebMKS do these steps.

  1. Log in to the API Server as an administrator

  2. Install and load mod_proxy_wstunnel

    1. Edit /etc/httpd/conf.modules.d/00-proxy.conf

    2. Go to the end and add LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so

  3. Edit /etc/httpd/conf.d/abiquo.conf and add one Location for each Remote services server. For example, for two servers:

    <Location /wsdata> ProxyPass wss://rs1.cloud.example.com:7070 ttl=20 timeout=20 ProxyPassReverse wss://rs1.cloud.example.com:7070 Require all granted </Location> <Location /wsdata2> ProxyPass wss://rs2.cloud.example.com:7070 ttl=20 timeout=20 ProxyPassReverse wss://rs2.cloud.example.com:7070 Require all granted </Location>

  4. Edit the /etc/httpd/conf.d/abiquo.conf file and at the end of the VirtualHost section, add the SSL Proxy Engine

    SSLProxyEngine On 

  5. Check the DNS values in the /etc/resolv.conf

  6. For each Abiquo datacenter, log in to each Remote Services server

  7. Install the WebMKS proxy package

    yum install abiquo-webmks-proxy

    This will install NGINX and its configuration files, and also enable it in systemctl.

  8. Edit the server configuration at /etc/nginx/nginx.conf

    1. For listen, if you are using another port, change the default of 7070

    2. Set the ssl_certificate and ssl_certificate_key with the location of the UI certificate files. NGINX must have access to these files.

    3. If you are using domain names for your ESXi servers, in the location configure the resolver to point to your DNS servers.

    4. If this is a distributed environment and the API server has another IP, set server_name to "_"

       

  9. If this is a distributed environment (the API server has a different IP address), add these two firewall rules on the Remote Services servers:

     

 Enable WebMKS

To enable the WebMKS functionality when VNC is present, do these steps.

  1. Log in to the Remote Services server as an administrator

  2. Edit the abiquo.properties file

  3. Enable WebMKS for all VMs with no VNC configuration. 

     

    1. You cannot disable remote access for VMs using WebMKS 

    2. VMs with existing VNC configuration will still use VNC

    3. Do not change the remote access configuration or VNC configuration or it will cause an error

  4. To transition VMs that are using VNC to WebMKS, set the force property to true.
    To change a VM, do the step below in the Change VMs from VNC WebMKS section. 

     

  5. Define the WebMKS proxy path, for example:

    The value of the proxy path property is the FQDN and Location of the proxy in Apache on the Abiquo Server (without the protocol). 

  6. Optionally, set or check the remote access properties.

    This is a list of the interfaces of the hosts of the DC that Abiquo will use for remote access.
    This is part of the remote access configuration for VMware. For more details, see Detect vCenter management IPs

Change VMs from VNC to WebMKS

When you are using the "force" option, to switch a VM over to WebMKS.

  1. Edit the VM in Abiquo and disable Remote access (you can use hot reconfigure)

    • This tells Abiquo to delete the VNC configuration

  2. Do not make any changes to the VNC configuration, such as the password, because this will cause an error

  3. Save the VM

  4. Restart the VM to activate WebMKS

After you switch a VM to WebMKS, remote access will be always available (you cannot disable it when you edit the VM).

Notes about WebMKS

The VNC user and password are not valid for WebMKS.

Users will now be able to access VM console via WebMKS when:

  1. They are the VM owner

  2. They have the privileges to Access virtual datacenters view and Manage virtual appliances. By default the standard user has these privileges 

For more details of the WebMKS properties, see Abiquo configuration properties#esxi



Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved