Enable WebMKS for vCenter
This page describes how to install and configure WebMKS proxy and enable WebMKS in an existing environment with VMs running VNC on vSphere 6.x versions.
For an environment with no VMs running VNC, see Install WebMKS proxy and configure WebMKS.
Do not modify remote access or VNC configurations when WebMKS is activated because this will cause an error
VMs with WebMKS active will always have remote access enabled, and you cannot change it in the VM (for example, you cannot disable it)
Introduction to WebMKS proxy
Remote access for vCenter 7 is through WebMKS only and Abiquo supports WebMKS with a proxy.
The purpose of the WebMKS proxy is to allow remote access to VMs in VCenter/ESXi architectures. This is done via Secure WebSocket protocol using the VMware VNC implementation over WSS (WebMKS). Basically, we request a ticket to the vCenter API, and with this ticket we can request VM remote access data to the ESXi host via WSS. The connection to the Abiquo Server is passed by the Apache proxy to an NGINX proxy on the Remote Services.
You can run WebMKS without a proxy configuration but it will require host access from the outside (something which is unacceptable in production but may simplify a test environment).
Install WebMKS proxy
To install WebMKS do these steps.
Log in to the API Server as an administrator
Install and load mod_proxy_wstunnel
Edit
/etc/httpd/conf.modules.d/00-proxy.conf
Go to the end and add
LoadModule proxy_wstunnel_module modules/mod_proxy_wstunnel.so
Edit
/etc/httpd/conf.d/abiquo.conf
and add one Location for each Remote services server. For example, for two servers:<Location /wsdata> ProxyPass wss://rs1.cloud.example.com:7070 ttl=20 timeout=20 ProxyPassReverse wss://rs1.cloud.example.com:7070 Require all granted </Location> <Location /wsdata2> ProxyPass wss://rs2.cloud.example.com:7070 ttl=20 timeout=20 ProxyPassReverse wss://rs2.cloud.example.com:7070 Require all granted </Location>
Edit the /etc/httpd/conf.d/abiquo.conf file and at the end of the VirtualHost section, add the SSL Proxy Engine
SSLProxyEngine On
Check the DNS values in the /etc/resolv.conf
For each Abiquo datacenter, log in to each Remote Services server
Install the WebMKS proxy package
yum install abiquo-webmks-proxy
This will install NGINX and its configuration files, and also enable it in systemctl.
Edit the server configuration at
/etc/nginx/nginx.conf
For
listen
, if you are using another port, change the default of 7070Set the
ssl_certificate
andssl_certificate_key
with the location of the UI certificate files. NGINX must have access to these files.If you are using domain names for your ESXi servers, in the
location
configure theresolver
to point to your DNS servers.If this is a distributed environment and the API server has another IP, set
server_name
to "_"
If this is a distributed environment (the API server has a different IP address), add these two firewall rules on the Remote Services servers:
Enable WebMKS
To enable the WebMKS functionality when VNC is present, do these steps.
Log in to the Remote Services server as an administrator
Edit the abiquo.properties file
Enable WebMKS for all VMs with no VNC configuration.
You cannot disable remote access for VMs using WebMKS
VMs with existing VNC configuration will still use VNC
Do not change the remote access configuration or VNC configuration or it will cause an error
To transition VMs that are using VNC to WebMKS, set the force property to true.
To change a VM, do the step below in the Change VMs from VNC WebMKS section.Define the WebMKS proxy path, for example:
The value of the proxy path property is the FQDN and Location of the proxy in Apache on the Abiquo Server (without the protocol).
Optionally, set or check the remote access properties.
This is a list of the interfaces of the hosts of the DC that Abiquo will use for remote access.
This is part of the remote access configuration for VMware. For more details, see Detect vCenter management IPs
Change VMs from VNC to WebMKS
When you are using the "force" option, to switch a VM over to WebMKS.
Edit the VM in Abiquo and disable Remote access (you can use hot reconfigure)
This tells Abiquo to delete the VNC configuration
Do not make any changes to the VNC configuration, such as the password, because this will cause an error
Save the VM
Restart the VM to activate WebMKS
After you switch a VM to WebMKS, remote access will be always available (you cannot disable it when you edit the VM).
Recovering remote access
If you have VMs with old configuration where remote access with VNC is still enabled but it is not supported anymore, and you get an error when trying to change the Remote access configuration in Abiquo, you can try the following steps.
Log in to vCenter UI, and find your VMs
In vCenter UI, power off the VM
Go to Actions → Edit settings
Go to the VM Options tab, expand Advanced, and scroll down to Configuration parameters
Click Edit Configuration
Find the
RemoteDisplay.vnc.enabled
parameterChange its value to
FALSE
Save the settings
Power on the VM
Now you can go back to Abiquo and try to use Remote access again.
Notes about WebMKS
The VNC user and password are not valid for WebMKS.
Users will now be able to access VM console via WebMKS when:
They are the VM owner
They have the privileges to Access virtual datacenters view and Manage virtual appliances. By default the standard user has these privileges
For more details of the WebMKS properties, see Abiquo configuration properties#esxi.
Copyright © 2006-2024, Abiquo Holdings SL. All rights reserved