- Normal Lockdown Mode
- Strict Lockdown Mode
- Exception Users
- In normal lockdown mode, direct connections to the ESXi host (vSphere Client, vSphere CLI, and API logins straight to the host) are blocked for everyone except the accounts described below.
- Day-to-day management goes through vCenter Server. The other option is the direct console user interface (DCUI): the DCUI service is not stopped in normal lockdown mode.
- If the connection to the vCenter Server system is lost, privileged users can log in to the host's Direct Console User Interface (DCUI) and exit lockdown mode. Two kinds of accounts count as privileged here:
- Accounts on the Exception Users list for lockdown mode that also hold administrative privileges on the host. vSphere 6.0 introduced the Exception Users list. Exception users do not lose their privileges when the host enters lockdown mode, so the list is the place for accounts of third-party solutions and external applications, such as backup agents, that need direct access to the ESXi host while it is in lockdown mode. Accounts without the administrator role on the host gain nothing from being on the list.
- Users listed in the DCUI.Access advanced option for the host. This option exists for emergency access to the DCUI when the connection to vCenter Server is lost. These users do not need administrative privileges on the host; the option itself grants them the DCUI login.
- In strict lockdown mode, introduced in vSphere 6.0, the DCUI service is also stopped, so the emergency path through the DCUI (and therefore DCUI.Access) no longer exists.
- If the connection to vCenter Server is lost, the host becomes unreachable unless the ESXi Shell or SSH service was already enabled and the Exception Users list is populated.
- If the connection to vCenter Server cannot be restored and neither of those fallbacks is in place, the only way to regain control of the host is to reinstall ESXi.
- The ESXi Shell and SSH services are independent of lockdown mode: entering or leaving lockdown mode neither starts nor stops them. Both are disabled by default, and enabling them widens the host's attack surface, so treat them as a deliberate, documented exception rather than a default.
- When a host is in lockdown mode, users on the Exception Users list can access the ESXi host from the ESXi Shell and through SSH.
- From the Add Host wizard, while adding the ESXi host to the vCenter Server system.
- From the vSphere Web Client. Both normal and strict lockdown mode can be enabled from the host's Manage tab -> Security Profile -> Lockdown Mode -> Edit, as highlighted below.
- From the Direct Console User Interface (DCUI).
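Because the vSphere Web Client path preserves host permissions and the DCUI path does not, scripting the change through vCenter is the safer routine. The following PowerCLI script is an added example, not code from the original article or from VMware; it audits the current lockdown state, the Exception Users list, DCUI.Access and the ESXi Shell/SSH services, then sets the emergency and exception accounts before switching the host to strict mode. It assumes an existing Connect-VIServer session to vCenter and an ESXi 6.0 or later host; the host name esxi01.lab.local and the accounts backupsvc and emergency are placeholders.

```powershell
# Added example (not from the original article): audit and configure lockdown mode on an
# ESXi 6.0+ host through vCenter with PowerCLI. Assumes Connect-VIServer has already been run.
# Host name and account names below are assumed placeholders.
param(
    [string]$HostName = 'esxi01.lab.local',          # assumed host
    [string[]]$ExceptionUsers = @('backupsvc'),      # assumed backup-agent account; must hold the
                                                     # Administrator role on the host to be useful
    [string[]]$DcuiAccess = @('root', 'emergency')   # assumed emergency DCUI accounts (no admin role needed)
)

$vmhost    = Get-VMHost -Name $HostName
$hostView  = Get-View -Id $vmhost.Id -Property ConfigManager, Config.LockdownMode
$accessMgr = Get-View -Id $hostView.ConfigManager.HostAccessManager   # vSphere 6.0+ HostAccessManager

# 1. Current state: lockdownDisabled, lockdownNormal or lockdownStrict
"Current lockdown mode : $($hostView.Config.LockdownMode)"

# 2. Exception Users list (accounts that keep their host permissions in lockdown mode)
"Current exception users: $($accessMgr.QueryLockdownExceptions() -join ', ')"

# 3. DCUI.Access (comma-separated; only matters in normal mode, since strict mode stops the DCUI)
$dcuiSetting = Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access'
"Current DCUI.Access    : $($dcuiSetting.Value)"

# 4. ESXi Shell (TSM) and SSH (TSM-SSH) are independent of lockdown mode; they should normally be
#    stopped with a policy of 'off'. In strict mode they are the only non-vCenter way back in.
Get-VMHostService -VMHost $vmhost |
    Where-Object { $_.Key -in 'TSM', 'TSM-SSH' } |
    Select-Object Key, Running, Policy

# 5. Set DCUI.Access and the Exception Users list BEFORE entering lockdown mode, then switch the
#    mode from vCenter. Doing this from the DCUI instead would discard host permissions.
Set-AdvancedSetting -AdvancedSetting $dcuiSetting -Value ($DcuiAccess -join ',') -Confirm:$false | Out-Null
$accessMgr.UpdateLockdownExceptions($ExceptionUsers)
$accessMgr.ChangeLockdownMode('lockdownStrict')   # 'lockdownNormal' keeps the DCUI running;
                                                  # 'lockdownDisabled' exits lockdown mode

$hostView.UpdateViewData('Config.LockdownMode')
"New lockdown mode     : $($hostView.Config.LockdownMode)"
```

Run the audit part first and keep its output: if the host later loses its vCenter connection while in strict mode, the Exception Users list and the state of TSM/TSM-SSH printed here are what determine whether you can recover it without a reinstall.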
Note: Privileged users can disable lockdown mode from the vSphere Web Client.
Note: Privileged users can disable normal lockdown mode from the Direct Console Interface (DCUI). These users cannot disable strict lockdown mode from the Direct Console Interface.
Note: The DCUI does not offer a choice between normal and strict mode; enabling lockdown mode from the DCUI always gives normal mode. Also, if you enable or disable lockdown mode using the Direct Console User Interface, permissions for users and groups on the host are discarded. To preserve these permissions, enable and disable lockdown mode from the vSphere Web Client instead.
Note: If you upgrade a host that is in lockdown mode to ESXi version 6.0 without exiting lockdown mode, and if you exit lockdown mode after the upgrade, all the permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible. To retain permissions, disable lockdown mode for the host from the vSphere Web Client before the upgrade.