How to set up a VNC Proxy

Deprecated documentation

This documentation will be deprecated in Abiquo 3.8

This guide assumes the reader is familiar with VNC configuration on the Abiquo Platform, as described in the Abiquo Administrator's Guide - Configuring Remote Access to Virtual Machines, and with the configuration of proxy servers and their firewalls.

This guide will show you how to set up a VNC proxy to allow the Abiquo user to open a console window on their virtual machines from within the browser where they are running the Abiquo client, while hiding the public IP addresses of the hypervisors from outside networks.

VNC connections from the Abiquo client GUI to virtual machines through the eye icon will connect to the VNC proxy, which runs on a host in the DMZ. These connections will be redirected by the VNC proxy to the hypervisor on which the virtual machines are running. Thus there is no direct connection to the hypervisor.

On the proxy host you will need to add one NIC (virtual or physical) for each hypervisor. Each connection to a virtual machine goes to a different port on the hypervisor, which is running a VNC server.


1. Prerequisites

Before configuring the VNC proxy, you should read the Abiquo Documentation on Configuring Remote Access to Virtual Machines.

You will need to run the VNC proxy on a host in your DMZ, and this would typically be the same host as the DMZ X Server.

Enterprise customers can download the vncproxy.zip file from the enterprise directory of the Abiquo Enterprise downloads website. This archive contains the vncproxyd binary file and the vncproxyd.conf file. The binary was compiled on the Abiquo 1.8 CentOS build for 32-bit/64-bit compatibility and should work on most machines running Linux.

2. Add an interface to the VNC Proxy host for each hypervisor

Add a physical or virtual interface for each hypervisor.

2.1. Example of how to add a virtual interface

Use the ifconfig command with the following format:

ifconfig eth0:nnn x.x.x.x netmask y.y.y.y

Here, x.x.x.x is the new IP address, y.y.y.y is the netmask and nnn is the virtual interface number. So, for example, if the address of your proxy host is 10.1.1.10, the netmask is 255.255.255.0 and the virtual interface number is 1000, you would type the following:

ifconfig eth0:1000 10.1.1.10 netmask 255.255.255.0

Copy /etc/sysconfig/network-scripts/ifcfg-eth0 and give it the name of the newly created interface. Following the example above, you would type this command:

cp /etc/sysconfig/network-scripts/ifcfg-eth0 /etc/sysconfig/network-scripts/ifcfg-eth0:1000

Edit the file to suit your network. Continuing with the above example, you would replace the contents of the file with the following text. Replace IPADDR with your proxy machine's IP address.

/etc/sysconfig/network-scripts/ifcfg-eth0:1000
# Intel Corporation 82540EM Gigabit Ethernet Controller
DEVICE=eth0:1000
BOOTPROTO=none
ONBOOT=yes
NETWORK=10.1.1.0
NETMASK=255.255.255.0
IPADDR=10.1.1.10
USERCTL=no

Create one file for each of the virtual interfaces you created.

3. Copy the compiled VNC Proxy binary file to /usr/sbin and change file permissions to 544

For example, while logged in as root on the VNC proxy server, use the scp command to copy the file from your machine to the /usr/sbin folder on the VNC proxy server.

scp username@machine_ip:/home/username/Downloads/vncproxyd /usr/sbin

chmod 544 /usr/sbin/vncproxyd

The binary file available from Abiquo is compiled for CentOS/Red Hat 5.x 64-bit.
Note that permissions 544 are "read-execute" for the root user and "read" for all other users.

4. Configure /etc/vncproxyd.conf

4.1. Create /etc/vncproxyd.conf and set permissions to 644

touch /etc/vncproxyd.conf
chmod 644 /etc/vncproxyd.conf

Note that permissions 644 are "read-write" for root user and "read" for all other users.

4.2. Edit /etc/vncproxyd.conf

For each hypervisor, add a row for each port (virtual machine) with the following:

ProxyIP ProxyPort HypervisorIP HypervisorPort

Here is a sample vncproxyd.conf file.

Sample /etc/vncproxyd.conf
logfile /var/log/vncproxy.log
10.1.1.10 5900 192.168.1.35 5900
10.1.1.10 5901 192.168.1.35 5901
10.1.1.10 5902 192.168.1.35 5902
10.1.1.10 5903 192.168.1.35 5903
10.1.1.10 5904 192.168.1.35 5904
10.1.1.10 5905 192.168.1.35 5905
10.1.1.10 5906 192.168.1.35 5906
10.1.1.10 5907 192.168.1.35 5907
10.1.1.10 5908 192.168.1.35 5908
10.1.1.10 5909 192.168.1.35 5909
10.1.1.10 5910 192.168.1.35 5910
10.1.1.10 5911 192.168.1.35 5911
10.1.1.10 5912 192.168.1.35 5912
10.1.1.10 5913 192.168.1.35 5913
10.1.1.10 5914 192.168.1.35 5914
10.1.1.10 5915 192.168.1.35 5915

10.1.1.11 5900 192.168.1.36 5900
10.1.1.11 5901 192.168.1.36 5901
10.1.1.11 5902 192.168.1.36 5902
10.1.1.11 5903 192.168.1.36 5903
10.1.1.11 5904 192.168.1.36 5904
10.1.1.11 5905 192.168.1.36 5905
10.1.1.11 5906 192.168.1.36 5906
10.1.1.11 5907 192.168.1.36 5907
10.1.1.11 5908 192.168.1.36 5908
10.1.1.11 5909 192.168.1.36 5909
10.1.1.11 5910 192.168.1.36 5910
10.1.1.11 5911 192.168.1.36 5911
10.1.1.11 5912 192.168.1.36 5912
10.1.1.11 5913 192.168.1.36 5913
10.1.1.11 5914 192.168.1.36 5914
10.1.1.11 5915 192.168.1.36 5915

  • Configure the log with the line:

    logfile /var/log/vncproxy.log
    
  • The sample /etc/vncproxyd.conf is for 2 hypervisors
  • Each hypervisor has 15 ports open for 15 virtual machines, so there are 15 lines for each hypervisor (one for each port)
  • The format of each row is: ProxyIP ProxyPort HypervisorIP HypervisorPort

The fields in each row are:

  • ProxyIP: The IP addresses of the virtual interfaces on the proxy server for these hypervisors are 10.1.1.10 and 10.1.1.11. These interfaces should be accessible to the Internet for VNC (TCP) connections from the Abiquo client. In Abiquo, this is the "Service IP" for the hypervisor.
  • ProxyPort: The ports open on the virtual interfaces on the proxy server for these hypervisors are 5900 to 5915. These ports should be accessible to the Internet for VNC (TCP) connections from the Abiquo client.
  • HypervisorIP: The IP addresses of the hypervisors on the internal network are 192.168.1.35 and 192.168.1.36. The proxy server in the DMZ should be able to connect to the hypervisors with TCP on these addresses through the firewall.
  • HypervisorPort: The ports for VNC connections on the hypervisors are 5900 to 5915. The proxy server in the DMZ should be able to connect to the hypervisors with TCP on these ports through the firewall.

Note on Port Numbers:

  • The ports used for the proxy and the hypervisor are the same: they start from 5900 and go to 5915. If possible, map the proxy ports to the ports with the same number on the hypervisor to avoid confusion (e.g. proxy 5900 to hypervisor 5900). Note that you need one port on the hypervisor for each virtual machine that will require a VNC connection. See Configuring Remote Access to Virtual Machines.

5. Configure firewall rules to allow VNC connections from the DMZ to the hypervisor host

This step will depend on your firewall configuration. In general, you should allow VNC connections from the DMZ to the hypervisor IPs and ports. Following the above example, you would allow VNC (TCP) connections to the hypervisor hosts with IP addresses 192.168.1.35 and 192.168.1.36 on ports 5900 to 5915.
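
The following Python script is an added example, not Abiquo code. It parses the row format from section 4.2, rejects rows that reuse a proxy listener or point one Service IP at two hypervisors, and collapses the remaining rows into the DMZ-to-hypervisor port ranges that the firewall in this step needs to allow. It assumes the file contains only logfile lines and four-field rows; the function names and the sample text are constructed for illustration.

```python
import ipaddress

# Constructed sample: line 4 reuses a listener, line 6 sends 10.1.1.11 to the wrong hypervisor.
SAMPLE = """logfile /var/log/vncproxy.log
10.1.1.10 5900 192.168.1.35 5900
10.1.1.10 5901 192.168.1.35 5901
10.1.1.10 5901 192.168.1.35 5902
10.1.1.11 5900 192.168.1.36 5900
10.1.1.11 5902 192.168.1.35 5902
"""

def lint_vncproxyd_conf(text):
    """Return (rows, findings); rows are (proxy_ip, proxy_port, hv_ip, hv_port)."""
    rows, findings, listeners, hv_of = [], [], {}, {}
    for n, line in enumerate(text.splitlines(), 1):
        f = line.split()
        if not f or f[0] == "logfile":  # assumed: only the line types the guide shows
            continue
        try:
            pip, pport, hip, hport = f  # ValueError unless exactly four fields
            pip, hip = str(ipaddress.IPv4Address(pip)), str(ipaddress.IPv4Address(hip))
            pport, hport = int(pport), int(hport)
            if not (0 < pport < 65536 and 0 < hport < 65536):
                raise ValueError("port out of range")
            if (pip, pport) in listeners:  # one listening socket cannot serve two rows
                raise ValueError(f"{pip}:{pport} already used on line {listeners[pip, pport]}")
            if hv_of.setdefault(pip, hip) != hip:  # a Service IP fronts one hypervisor
                raise ValueError(f"{pip} already forwards to {hv_of[pip]}, not {hip}")
        except ValueError as e:
            findings.append(f"line {n}: {e}")
            continue
        listeners[pip, pport] = n
        rows.append((pip, pport, hip, hport))
    return rows, findings

def firewall_flows(rows):
    """Collapse rows to (proxy_ip, hv_ip, first_port, last_port) allow rules."""
    flows = []
    for pip, hip, port in sorted({(r[0], r[2], r[3]) for r in rows}):
        last = flows[-1] if flows else None
        if last and last[:2] == (pip, hip) and last[3] == port - 1:
            flows[-1] = (pip, hip, last[2], port)  # extend the open range
        else:
            flows.append((pip, hip, port, port))
    return flows

if __name__ == "__main__":
    rows, findings = lint_vncproxyd_conf(SAMPLE)
    print(*findings, *firewall_flows(rows), sep="\n")
```

Rows that produce a finding are left out of the allowlist, so the firewall rules are derived only from forwarding entries that passed every check.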

6. Set Abiquo Configuration Properties if necessary

To use a port range other than the default (5900-65534), set the abiquo.vncport.min and abiquo.vncport.max properties in Abiquo Configuration Properties. Check the recommendations for your hypervisor. See Configuring Remote Access to Virtual Machines.

7. In the Abiquo GUI change the Service IP to the DMZ host IP address

  1. In Infrastructure View, locate the hypervisor, and click the configuration button to modify its settings.
  2. Change the Service IP setting to the corresponding IP address in the /etc/vncproxyd.conf file and click Accept.

Following on with the example above, the first hypervisor IP management address is 192.168.1.35 and the Service IP would be 10.1.1.10, which is the IP of the proxy server.

8. Start the VNC service with the command /usr/sbin/vncproxyd

If you modify the VNC proxy configuration file (/etc/vncproxyd.conf), you must restart the VNC service with the following command:

pkill vncproxyd;/usr/sbin/vncproxyd

Any VNC console connection opened from the Abiquo client GUI by clicking the eye icon will now go to the DMZ host IP, and the proxy will redirect the request to the hypervisor.
