Friday, 27 May 2016

Lockdown Mode vSphere 6.0 and 6.5


In order to improve security of ESXi host which is being managed by vCenter server centrally, we enable lockdown mode on ESXi hosts.

ESXi 5.x and prior:

When Lockdown mode is enabled, only the vpxuser has authentication permissions. Other users cannot perform any operations directly on the ESXi host. Lockdown mode forces all operations to be performed through vCenter Server.

When the ESXi host is in lockdown mode, we cannot use vCLI commands, script, or vSphere Management Assistant against the host directly bypassing vCenter Server. External software's or tools like backup agents also might not be able to retrieve or modify information from the ESXi host directly.


ESXi 6.x

With vSphere 6, VMware introduced couple of new concepts into lockdown mode as listed below in order to make it more flexible in nature as compared to its predecessors:
  • Normal Lockdown Mode
  • Strict Lockdown Mode
  • Exception Users 

Normal Lockdown Mode
  • In normal lockdown mode all the direct connections to ESXi servers are blocked.
  • You can manage ESXi Servers via vCenter Server or the other option is that, we can use the direct console user interface (DCUI). DCUI service is not stopped in Normal lockdown mode.
  • If the connection to the vCenter Server system is lost, privileged user accounts can log in to the ESXi host’s Direct Console User Interface (DCUI) and exit from lockdown mode.
Only the following accounts can access the Direct Console User Interface:
  • User accounts in the Exception User list for lockdown mode who have administrative privileges on the host. VMware vSphere 6.0 introduced the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. We can use the Exception User list to add the accounts of third-party solutions and external applications like backup agents that need to have access to ESXi host directly when the host is in lockdown mode.
  • Users defined in the DCUI.Access advanced option for the host. This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
Strict Lockdown Mode
  • In strict lockdown mode, which is newly introduced in vSphere 6.0, the DCUI service is also stopped.
  • In the event where connection to vCenter serer is lost and we cannot restore the connection to the vCenter Server system, we will have to reinstall the ESXi host.
  • If the connection to vCenter Server is lost, the ESXi host becomes unavailable unless the ESXi Shell and SSH services are enabled and Exception Users list is populated.
  • ESXi Shell and SSH services are independent of lockdown mode. However these services are disabled by default.
  • When a host is in lockdown mode, users on the Exception Users list can access the ESXi host from the ESXi Shell and through SSH.

How to Enable Lockdown Mode:
  • While adding ESXi Host vCenter Server system through add host wizard. 



  • From vSphere Web Client. We can enable both Normal and Strict Lockdown Mode from ESXi server Manage Tab -> Security Profile ->click Edit as highlighted below. 



Select the appropriate mode you want to set on below screen.

  • From Direct Console User Interface (DCUI) 



Note: Privileged users can disable lockdown mode from the vSphere Web Client.

Note: Privileged users can disable normal lockdown mode from the Direct Console Interface (DCUI). These users cannot disable strict lockdown mode from the Direct Console Interface.

Note: DCUI doesn’t have the option of Normal or Strict lockdown mode. When you enable lockdown mode from the DCUI you will get Normal mode by default. Also, If you enable or disable lockdown mode using the Direct Console User Interface, permissions for users and groups on the host are discarded. To preserve these permissions, you can enable and disable lockdown mode using the vSphere Web Client.

Note: If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting lockdown mode, and if you exit lockdown mode after the upgrade, all the permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible. To retain permissions, disable lockdown mode for the host from the vSphere Web Client before the upgrade.

3 comments:

  1. Would you know the set of commands to run on the esxi to change the lockdown mode if it is set to strict and say you did create an exception list?

    ReplyDelete
    Replies
    1. You can refer VMware KB 1008077 article for command line and PowerShell cmdlets.

      Delete
  2. You have post a good article. You have write so many thing that are really important for me. And you have added some pictures that make this post useful. I like your post keep writing. You can use this mathematics statement of purpose. This is really effective.

    ReplyDelete

Popular Posts This Week