Securing Management Virtual Machines

You connect to the management domain vCenter Server and use a script to perform multiple configurations on the management virtual machines that belong to the management domain. vSphere Cluster Services (vCLS) nodes are not in scope of this procedure as they are service VMs.
To harden the management VMs, you must power off the VMs one by one and run the script. To harden the vCenter Server VM, follow the instructions below:
  1. Disable lockdown mode on the ESXi host that hosts the vCenter Server VM.
  2. Power off the vCenter Server VM.
  3. Run the script below after connecting to that ESXi host with the cmdlet
     Connect-VIServer -Server <ESXi host FQDN which hosts vCenter Server VM>
  4. Log in to the ESXi Host Client of the host that hosts the vCenter Server VM.
  5. Power on the vCenter Server VM.
  6. Enable lockdown mode on the ESXi host again.
If ESXi is version 7.0 U3i or above, you can run the script without powering off the management VMs. You must shut down the guest OS and power on (cold boot) the VMs for the advanced settings to take effect. Do not reboot the VMs. To prevent service interruption, cold boot must be performed one virtual machine at a time. Cold boot of vCenter Server and SDDC Manager requires a maintenance window.
Perform cold boot in the following order:
  1. NSX Edge nodes
  2. NSX Manager nodes
  3. vCenter Server
  4. SDDC Manager
Configuration ID    Description
VMW-VC-00096        Limit console connection sharing
  1. Log in to the management domain vCenter Server by using a PowerCLI console.
     Setting      Value
     Command      Connect-VIServer -Server management-domain-vcenter-server-fqdn -Protocol https
     User name    administrator@vsphere.local
  2. Configure advanced settings on all management virtual machines by running the script.
     You must enter the name of the VM that you are reconfiguring in the first line of the script, for example $VMs = ("sddc-manager"). If ESXi is version 7.0 U3i, you can enter a comma-separated list of VMs.

     $VMs = ("management-domain-VM-name")
     Foreach ($vm in $VMs) {
         # Limit each VM to a single remote console connection (VMW-VC-00096).
         $advancedSetting = "RemoteDisplay.maxConnections"
         $setting = Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Select-Object -Property Name, Value
         if (!$setting.Name) {
             # Setting is absent: create it with the hardened value.
             Get-VM $vm | New-AdvancedSetting -Name $advancedSetting -Value 1 -Confirm:$false
         }
         elseif ($setting.Value -ne 1) {
             # Setting exists with a different value: correct it.
             Get-VM $vm | Get-AdvancedSetting -Name $advancedSetting | Set-AdvancedSetting -Value 1 -Confirm:$false
         }
     }
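The following PowerCLI script is an added example and is not part of the VMware guide. It shows the two pieces the procedure above leaves to the operator: an audit that reports whether each management VM already carries RemoteDisplay.maxConnections = 1 (treating a missing setting as non-compliant and skipping vCLS service VMs, which are out of scope), and a cold boot that shuts down the guest OS, waits for PoweredOff, and powers the VM back on, one VM at a time in the required order (NSX Edge nodes, NSX Manager nodes, vCenter Server, SDDC Manager). It assumes an existing Connect-VIServer session to the management domain vCenter Server; the VM names and the function names Get-ConsoleSharingCompliance and Invoke-ManagementVMColdBoot are placeholders chosen for this example.

```powershell
# Added example, not from the VMware guide. Assumes Connect-VIServer has
# already been run against the management domain vCenter Server.
# VM names below are placeholders; replace them with your own.

# Cold-boot order required by the procedure.
$ColdBootOrder = @(
    "nsx-edge-01", "nsx-edge-02",               # NSX Edge nodes (placeholders)
    "nsx-mgr-01", "nsx-mgr-02", "nsx-mgr-03",   # NSX Manager nodes (placeholders)
    "vcenter-01",                               # vCenter Server (placeholder)
    "sddc-manager"                              # SDDC Manager (placeholder)
)
$SettingName   = "RemoteDisplay.maxConnections"
$ExpectedValue = 1

# Report, per VM, whether the hardened value is present. vCLS service VMs
# are skipped because the hardening procedure does not cover them.
function Get-ConsoleSharingCompliance {
    param([string[]]$VMNames)

    foreach ($name in $VMNames) {
        if ($name -like "vCLS*") { continue }
        $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
        if (-not $vm) {
            [pscustomobject]@{ VM = $name; Value = $null; Compliant = $false; Note = "VM not found" }
            continue
        }
        $setting = Get-AdvancedSetting -Entity $vm -Name $SettingName
        $value = if ($setting) { $setting.Value } else { $null }
        [pscustomobject]@{
            VM        = $name
            Value     = $value
            # A missing setting is non-compliant: the default allows console sharing.
            Compliant = ($null -ne $value -and [int]$value -eq $ExpectedValue)
            Note      = if ($setting) { "" } else { "setting not present" }
        }
    }
}

# Shut down the guest OS and power the VM back on (a cold boot, not a
# reboot), waiting until the VM reports PoweredOff before starting it.
# One VM at a time, so the management services are never all down together.
function Invoke-ManagementVMColdBoot {
    param(
        [string[]]$VMNames,
        [int]$TimeoutSeconds = 600
    )

    foreach ($name in $VMNames) {
        $vm = Get-VM -Name $name
        if ($vm.PowerState -eq "PoweredOn") {
            Write-Host "Shutting down guest OS of $name"
            Shutdown-VMGuest -VM $vm -Confirm:$false | Out-Null
            $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
            do {
                Start-Sleep -Seconds 10
                $vm = Get-VM -Name $name
            } while ($vm.PowerState -ne "PoweredOff" -and (Get-Date) -lt $deadline)
            if ($vm.PowerState -ne "PoweredOff") {
                throw "Timed out waiting for $name to shut down; not continuing to the next VM."
            }
        }
        Write-Host "Powering on $name"
        Start-VM -VM $vm -Confirm:$false | Out-Null
        # Wait for VMware Tools so the next VM's shutdown does not overlap this boot.
        Wait-Tools -VM (Get-VM -Name $name) -TimeoutSeconds $TimeoutSeconds | Out-Null
    }
}

# Audit first; cold boot only when every VM already carries the hardened value,
# because the cold boot is what makes the advanced setting take effect.
$report = Get-ConsoleSharingCompliance -VMNames $ColdBootOrder
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Compliant }) {
    Write-Warning "Apply the hardening script to the non-compliant VMs before cold booting."
} else {
    Invoke-ManagementVMColdBoot -VMNames $ColdBootOrder
}
```

Run the audit on its own (Get-ConsoleSharingCompliance) during a change review to confirm the setting landed on every VM; schedule the cold boot inside the maintenance window the procedure calls for, since vCenter Server and SDDC Manager are briefly unavailable while each is restarted.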