Remotely managing VMWare servers via SSH

VMWare servers (be they Server, ESX or ESXi) are the cornerstone of a company's server infrastructure, so it is extremely rare to find them directly exposed to the Internet. Generally these important services are hidden behind layers of protection, which can make managing them when not onsite quite a challenge. Of course you could set up a VPN or use some remote desktop access software, but why bother when plain old SSH can do the job for you?

Once you have SSH access to a system within the organisation's network, it is a fairly simple task to create virtual tunnels to the VMWare servers. This is a secure way to manage the devices because all traffic goes through an encrypted tunnel and, beyond the SSH service itself, you are not interacting with any other internal services.

Remote VMWare server access requires two SSH tunnels: an HTTPS tunnel (typically port 443) and a console tunnel (typically port 902). Below is a small script that you can use to create these tunnels from Linux, OSX or any other *NIX operating system.

Copy and paste the following text into a file named vmware-manage.sh:

#!/bin/sh

# The local I.P. address for the tunnel endpoint
LOCAL_IP=192.168.1.1

# The SSH connection details
SSH_USER=sshuser
SSH_HOST=ssh.host.com
SSH_PORT=62222

# VMWare server configuration
VMWARE_IP=$2
VMWARE_WEB_PORT=443
VMWARE_CONSOLE_PORT=902

# Pick the port to forward from the first argument
case "$1" in
    console) PORT=$VMWARE_CONSOLE_PORT ;;
    web)     PORT=$VMWARE_WEB_PORT ;;
    *)       PORT= ;;
esac

# Both a tunnel type and a server address are required
if [ -z "$PORT" ] || [ -z "$VMWARE_IP" ]; then
    echo "Usage: $0 {web|console} <vmware-ip>" >&2
    exit 1
fi

echo "Managing VMWare server at $VMWARE_IP"
echo "Accessible via $LOCAL_IP:$PORT"
echo "Press CTRL+C to close"

# sudo is needed because local ports below 1024 are privileged
sudo ssh -N -L "$LOCAL_IP:$PORT:$VMWARE_IP:$PORT" -p "$SSH_PORT" "$SSH_USER@$SSH_HOST"

At the top of the file, edit the LOCAL_IP, SSH_USER, SSH_HOST and SSH_PORT variables to suit your specific setup.

  • LOCAL_IP - Typically your desktop's I.P. address (or 127.0.0.1).
  • SSH_USER - The SSH user account to log in with.
  • SSH_HOST - The hostname with the accessible SSH service.
  • SSH_PORT - The port SSH is running on. For security, run SSH on a non-standard port (i.e. not 22) if it faces the Internet.

Now flag this file as executable:

chmod a+x vmware-manage.sh

To manage a VMWare server with an internal I.P. address of 10.1.1.5, run the following command:

./vmware-manage.sh web 10.1.1.5

You will be prompted for your local password (for sudo access) and the SSH password.

Once the first tunnel has been created, open a second console and create the second tunnel for console access:

./vmware-manage.sh console 10.1.1.5

You should now be able to access your VMWare server at https://192.168.1.1 (i.e. the LOCAL_IP address value). If you are using the VI Client, enter 192.168.1.1 as the server address.

Once you have finished managing your system, you can close the tunnels by pressing CTRL+C.
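
The two tunnels described above can also share a single SSH connection. The following is an added example, not part of the original script: it binds both forwards to 127.0.0.1, checks that the server address is a well-formed IPv4 address before it reaches the sudo ssh command line, and makes ssh exit if either forward cannot be set up. The helper names is_ipv4 and tunnel_args are hypothetical, and the connection values are the page's placeholders.

```sh
#!/bin/sh
# Added example, not the original author's script.
# SSH_USER, SSH_HOST and SSH_PORT are the page's placeholder values.
SSH_USER=sshuser
SSH_HOST=ssh.host.com
SSH_PORT=62222
LOCAL_IP=127.0.0.1   # loopback only: other LAN hosts cannot use the forwards

# Succeed only for a dotted-quad IPv4 address with every octet in 0-255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, stray chars, empty octet
    esac
    rest=$1. count=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        rest=${rest#*.}
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# Print the ssh arguments that forward both VMware ports in one connection.
tunnel_args() {
    is_ipv4 "$1" || return 1
    printf '%s %s %s %s\n' \
        "-N -o ExitOnForwardFailure=yes" \
        "-L $LOCAL_IP:443:$1:443" \
        "-L $LOCAL_IP:902:$1:902" \
        "-p $SSH_PORT $SSH_USER@$SSH_HOST"
}

# Only connect when an address is given, so the functions can also be sourced.
if [ "$#" -gt 0 ]; then
    args=$(tunnel_args "$1") || { echo "Invalid IPv4 address: $1" >&2; exit 1; }
    # sudo: 443 and 902 are privileged local ports. $args is left unquoted
    # on purpose so it splits into separate ssh arguments.
    exec sudo ssh $args
fi
```

With this variant the server is reached at https://127.0.0.1, and a single CTRL+C closes both tunnels.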