6.0
Table Of Contents
- vSphere Administration with the vSphere Client
- Contents
- vSphere Administration with the vSphere Client
- Updated Information
- Using the vSphere Client
- Start the vSphere Client and Log In
- Stop the vSphere Client and Log Out
- Status Bar, Recent Tasks, and Triggered Alarms in the vSphere Client
- Getting Started Tabs in the vSphere Client
- View Virtual Machine Console in the vSphere Client
- Using Lists in the vSphere Client
- Save vSphere Client Data
- Panel Sections in the vSphere Client
- Searching the Inventory in the vSphere Client
- Custom Attributes in the vSphere Client
- Select Objects in the vSphere Client
- Manage vCenter Server Plug-Ins in the vSphere Client
- Working with Active Sessions in the vSphere Client
- Configuring ESXi Hosts and vCenter Server in the vSphere Client
- Configuring ESXi Hosts in the vSphere Client
- Host Limitations in the vSphere ClientHost Limitations in the vSphere Client
- Redirect the Direct Console to a Serial Port in the vSphere Client
- Set the Scratch Partition in the vSphere Client
- Configure Syslog on ESXi Hosts in the vSphere Client
- Set Host Image Profile Acceptance Level in the vSphere Client
- Configuring vCenter Server in the vSphere Client
- vCenter Server Limitations in the vSphere Client
- Configure License Settings for vCenter Server in the vSphere Client
- Configure Statistics Intervals in the vSphere Client
- Configure Runtime Settings in the vSphere Client
- Configure Active Directory Settings in the vSphere Client
- Configure Mail Sender Settings in the vSphere Client
- Configure SNMP Settings in the vSphere Client
- Configure Timeout Settings in the vSphere Client
- Configure Logging Options in the vSphere Client
- Configure the Maximum Number of Database Connections in the vSphere Client
- Configure Database Retention Policy in the vSphere Client
- Configure Advanced Settings in the vSphere Client
- Configuring Communication Among ESXi , vCenter Server, and the vSphere Client
- Reboot or Shut Down an ESXi Host in the vSphere Client
- Configuring ESXi Hosts in the vSphere Client
- Organizing Your Inventory in the vSphere Client
- Create Datacenters in the vSphere Client
- Add Hosts in the vSphere Client
- Create Clusters in the vSphere Client
- Create Resource Pools in the vSphere Client
- Create Datastores in the vSphere Client
- Create Host-Wide Networks in the vSphere Client
- Create Datacenter-Wide Networks in the vSphere Client
- Edit General vSphere Distributed Switch Settings in the vSphere Client
- Edit Advanced vSphere Distributed Switch Settings in the vSphere Client
- Add Hosts to a vSphere Distributed Switch in the vSphere Client
- Add a Distributed Port Group in the vSphere Client
- Edit General Distributed Port Group Settings in the vSphere Client
- Edit Advanced Distributed Port Group Settings in the vSphere Client
- Managing License Keys in the vSphere Client
- Managing Tasks in the vSphere Client
- Securing the Management Interface in the vSphere Client
- Securing ESXi Hosts in the vSphere Client
- Securing Virtual Machines in the vSphere Client
- Prevent Virtual Disk Shrinking in the vSphere Client
- Disable Copy and Paste Operations Between Guest Operating System and Remote Console in the vSphere Client
- Modify Guest Operating System Variable Memory Limit in the vSphere Client
- Prevent the Guest Operating System Processes from Sending Configuration Messages to the Host in the vSphere Client
- Prevent a Virtual Machine User or Process from Disconnecting Devices in the vSphere Client
- Configure Syslog on ESXi Hosts in the vSphere Client
- Authentication and User Management in the vSphere Client
- Managing ESXi Users in the vSphere Client
- Assigning Permissions in the vSphere Client
- Managing ESXi Roles in the vSphere Client
- Using Active Directory to Manage Users in the vSphere Client
- Use vSphere Authentication Proxy to Add a Host to a Domain in the vSphere Client
- Adjust the Search List in Large Domains in the vSphere Client
- Managing Hosts with vCenter Server in the vSphere Client
- Using vCenter Maps in the vSphere Client
- Creating Virtual Machines in the vSphere Client
- Start the Virtual Machine Creation Process in the vSphere Client
- Select a Configuration Option for the New Virtual Machine in the vSphere Client
- Enter a Name and Location for the Virtual Machine in the vSphere Client
- Select a Host or Cluster in the vSphere Client
- Select a Resource Pool in the vSphere Client
- Select a Datastore in the vSphere Client
- Select a Virtual Machine Version in the vSphere Client
- Select an Operating System in the vSphere Client
- Select the Number of Virtual CPUs in the vSphere Client
- Configure Virtual Memory in the vSphere Client
- Configure Networks in the vSphere Client
- Select a SCSI Controller in the vSphere Client
- Selecting a Virtual Disk Type in the vSphere Client
- Complete Virtual Machine Creation in the vSphere Client
- Working with Templates and Clones in the vSphere Client
- Clone a Virtual Machines in the vSphere Client
- Create a Scheduled Task to Clone a Virtual Machine in the vSphere Client
- Create a Template in the vSphere Client
- Deploy a Virtual Machine from a Template in the vSphere Client
- Change the Template Name in the vSphere Client
- Deleting Templates in the vSphere Client
- Convert a Template to a Virtual Machine in the vSphere Client
- Customizing Guest Operating Systems in the vSphere Client
- Guest Operating System Customization Requirements in the vSphere Client
- Configure a Script to Generate Computer Names and IP Addresses During Guest Operating System Customization in the vSphere Client
- Customize Windows During Cloning or Deployment in the vSphere Client
- Customize Linux During Cloning or Deployment in the vSphere Client
- Managing Customization Specification in the vSphere Client
- Create a Customization Specification for Linux in the vSphere Client
- Create a Customization Specification for Windows in the vSphere Client
- Create a Customization Specification for Windows Using a Custom Sysprep Answer File in the vSphere Client
- Edit a Customization Specification in the vSphere Client
- Remove a Customization Specification in the vSphere Client
- Copy a Customization Specification in the vSphere Client
- Export a Customization Specification in the vSphere Client
- Import a Customization Specification in the vSphere Client
- Migrating Virtual Machines in the vSphere Client
- Migrate a Powered-On Virtual Machine with vMotion in the vSphere Client
- Migrate a Virtual Machine with Storage vMotion in the vSphere Client
- Migrate a Powered-Off or Suspended Virtual Machine in the vSphere Client
- CPU Compatibility and EVC in the vSphere Client
- Create an EVC Cluster in the vSphere Client
- Enable EVC on an Existing Cluster in the vSphere Client
- Change the EVC Mode for a Cluster in the vSphere Client
- Determine EVC Modes for Virtual Machines in the vSphere Client
- Prepare Clusters for AMD Processors Without 3DNow! in the vSphere Client
- View CPUID Details for an EVC Cluster in the vSphere Client
- Deploying OVF Templates in the vSphere Client
- Configuring Virtual Machines in the vSphere Client
- Virtual Machine Limitations in the vSphere Client
- Virtual Machine Hardware Versions in the vSphere Client
- Locate the Hardware Version of a Virtual Machine in the vSphere Client
- Change the Virtual Machine Name in the vSphere Client
- View the Virtual Machine Configuration File Location in the vSphere Client
- Edit Configuration File Parameters in the vSphere Client
- Change the Configured Guest Operating System in the vSphere Client
- Configure Virtual Machines to Automatically Upgrade VMware Tools in the vSphere Client
- Virtual CPU Configuration in the vSphere Client
- Change CPU Hot-Plug Settings in the vSphere Client
- Change the CPU Configuration in the vSphere Client
- Allocate CPU Resources in the vSphere Client
- Configuring Advanced CPU Scheduling Settings in the vSphere Client
- Change CPU Identification Mask Settings in the vSphere Client
- Change CPU/MMU Virtualization Settings in the vSphere Client
- Virtual Memory configurations in the vSphere Client
- Virtual Machine Network Configuration in the vSphere Client
- Parallel and Serial Port Configuration in the vSphere Client
- Using Serial Ports with Virtual Machines in the vSphere Client
- Adding a Firewall Rule Set for Serial Port Network Connections in the vSphere Client
- Add a Serial Port to a Virtual Machine in the vSphere Client
- Change the Serial Port Configuration in the vSphere Client
- Add a Parallel Port to a Virtual Machine in the vSphere Client
- Change the Parallel Port Configuration in the vSphere Client
- Configure Fibre Channel NPIV Settings in the vSphere Client
- Virtual Disk Configuration in the vSphere Client
- SCSI and SATA Storage Controller Conditions, Limitations, and Compatibility in the vSphere Client
- Other Virtual Machine Device Configuration in the vSphere Client
- Add a DVD or CD-ROM Drive to a Virtual Machine in the vSphere Client
- Change the CD/DVD Drive Configuration in the vSphere Client
- Add a Floppy Drive to a Virtual Machine in the vSphere Client
- Change the Floppy Drive Configuration in the vSphere Client
- Add a SCSI Device to a Virtual Machine in the vSphere Client
- Change the SCSI Device Configuration in the vSphere Client
- Add a PCI Device in the vSphere Client
- Configure Video Cards in the vSphere Client
- Configuring vServices in the vSphere Client
- USB Configuration from an ESXi Host to a Virtual Machine in the vSphere Client
- USB Configuration from a Client Computer to a Virtual Machine in the vSphere Client
- Manage Power Management Settings for a Virtual Machine in the vSphere Client
- Configure the Virtual Machine Power States in the vSphere Client
- Delay the Boot Sequence in the vSphere Client
- Enable Logging in the vSphere Client
- Disable Acceleration in the vSphere Client
- Configure Debugging and Statistics in the vSphere Client
- Managing Virtual Machines in the vSphere Client
- Edit Virtual Machine Startup and Shutdown Settings in the vSphere Client
- Open a Console to a Virtual Machine in the vSphere Client
- Adding and Removing Virtual Machines in the vSphere Client
- Using Snapshots To Manage Virtual Machines in the vSphere Client
- Managing Multi-Tiered Applications with vSphere vApp in the vSphere Client
- Create a vApp in the vSphere Client
- Power On a vApp in the vSphere Client
- Clone a vApp in the vSphere Client
- Power Off a vApp in the vSphere Client
- Suspend a vApp in the vSphere Client
- Resume a vApp in the vSphere Client
- Populating the vApp with Objects in the vSphere Client
- Configuring vApp Settings in the vSphere Client
- Edit vApp Startup and Shutdown Options in the vSphere Client
- Edit vApp Resources in the vSphere Client
- Edit vApp Properties in the vSphere Client
- Edit IP Allocation Policy in the vSphere Client
- Add a vService Dependency in the vSphere Client
- Edit a vService Dependency in the vSphere Client
- Remove a vService Dependency in the vSphere Client
- Configure Advanced vApp Properties in the vSphere Client
- Configuring IP Pools in the vSphere Client
- Edit vApp Annotation in the vSphere Client
- Monitoring Solutions with the vCenter Solutions Manager in the vSphere Client
- Using Host Profiles in the vSphere Client in the vSphere Client
- Host Profiles Usage Model in the vSphere Client
- Access Host Profiles View in the vSphere Client
- Creating a Host Profile in the vSphere Client
- Export a Host Profile in the vSphere Client
- Import a Host Profile in the vSphere Client
- Clone a Host Profile in the vSphere Client
- Edit a Host Profile in the vSphere Client
- Manage Profiles in the vSphere Client
- Checking Compliance in the vSphere Client
- Host Profiles and vSphere Auto Deploy in the vSphere Client
- Networking in the vSphere Client
- Networking Limitations in the vSphere Client
- View Networking Information in the vSphere Client
- View Network Adapter Information in the vSphere Client
- Setting Up Networking with vSphere Standard Switches in the vSphere Client
- Add a Virtual Machine Port Group in the vSphere Client
- Set Up VMkernel Networking on a vSphere Standard Switch in the vSphere Client
- View VMkernel Routing Information on a vSphere Standard Switch in the vSphere Client
- Change the Number of Ports for a vSphere Standard Switch in the vSphere Client
- Change the Speed of an Uplink Adapter in the vSphere Client
- Add Uplink Adapters in the vSphere Client
- Setting Up Networking with vSphere Distributed Switches in the vSphere Client
- Add a vSphere Distributed Switch in the vSphere Client
- Add Hosts to a vSphere Distributed Switch in the vSphere Client
- Manage Hosts on a vSphere Distributed Switch in the vSphere Client
- Set the Number of Ports Per Host on a vSphere Distributed Switch in the vSphere Client
- Edit General vSphere Distributed Switch Settings in the vSphere Client
- Edit Advanced vSphere Distributed Switch Settings in the vSphere Client
- View Network Adapter Information for a vSphere Distributed Switch in the vSphere Client
- Upgrade a vSphere Distributed Switch to a Newer Version in the vSphere Client
- Distributed Port Groups in the vSphere Client
- Private VLANs in the vSphere Client
- Managing Physical Adapters in the vSphere Client
- Managing Virtual Network Adapters in the vSphere Client
- Create a VMkernel Network Adapter on a vSphere Distributed Switch in the vSphere Client
- Migrate an Existing Virtual Adapter to a vSphere Distributed Switch in the vSphere Client
- Migrate a Virtual Adapter to a vSphere Standard Switch in the vSphere Client
- Edit VMkernel Configuration on a vSphere Distributed Switch in the vSphere Client
- View VMkernel Routing Information on a vSphere Distributed Switch in the vSphere Client
- Remove a Virtual Adapter in the vSphere Client
- Configuring Virtual Machine Networking on a vSphere Distributed Switch in the vSphere Client
- Managing Network Resources in the vSphere Client
- vSphere Network I/O Control in the vSphere Client
- Enable Network I/O Control on a vSphere Distributed Switch in the vSphere Client
- Create a Network Resource Pool in the vSphere Client
- Add or Remove Distributed Port Groups from a Network Resource Pool in the vSphere Client
- Edit Network Resource Pool Settings in the vSphere Client
- Delete a Network Resource Pool in the vSphere Client
- TCP Segmentation Offload and Jumbo Frames in the vSphere Client
- DirectPath I/O in the vSphere Client
- Single Root I/O Virtualization (SR-IOV) in the vSphere Client
- vSphere Network I/O Control in the vSphere Client
- Networking Policies in the vSphere Client
- Applying Networking Policies on a vSphere Standard or Distributed Switch
- Teaming and Failover Policy in the vSphere Client
- Edit Failover and Load Balancing Policy for a vSphere Standard Switch in the vSphere Client
- Edit the Failover and Load Balancing Policy on a Standard Port Group in the vSphere Client
- Edit the Teaming and Failover Policy on a Distributed Port Group in the vSphere Client
- Edit Distributed Port Teaming and Failover Policies in the vSphere Client
- VLAN Policy in the vSphere Client
- Security Policy in the vSphere Client
- Traffic Shaping Policy in the vSphere Client
- Edit the Traffic Shaping Policy for a vSphere Standard Switch in the vSphere Client
- Edit the Traffic Shaping Policy for a Standard Port Group in the vSphere Client
- Edit the Traffic Shaping Policy for a Distributed Port Group in the vSphere Client
- Edit Distributed Port or Uplink Port Traffic Shaping Policies in the vSphere Client
- Resource Allocation Policy in the vSphere Client
- Monitoring Policy in the vSphere Client
- Port Blocking Policies in the vSphere Client
- Manage Policies for Multiple Port Groups on a vSphere Distributed Switch in the vSphere Client
- Advanced Networking in the vSphere Client
- Internet Protocol Version 6 (IPv6) Support in the vSphere Client
- VLAN Configuration in the vSphere Client
- Working With Port Mirroring in the vSphere Client
- Port Mirroring Version Compatibility in the vSphere Client
- Port Mirroring Interoperability in the vSphere Client
- Create a Port Mirroring Session with the vSphere Client
- View Port Mirroring Session Details in the vSphere Client
- Edit Port Mirroring Name and Session Details in the vSphere Client
- Edit Port Mirroring Sources in the vSphere Client
- Edit Port Mirroring Destinations in the vSphere Client
- Configure NetFlow Settings in the vSphere Client
- Switch Discovery Protocol in the vSphere Client
- Change the DNS and Routing Configuration in the vSphere Client
- MAC Addresses in the vSphere Client
- Managing Storage in the vSphere Client
- Storage Limitations in the vSphere Client
- Display Storage Devices for a Host in the vSphere Client
- Display Storage Devices for an Adapter in the vSphere Client
- View Storage Adapters Information in the vSphere Client
- Review Datastore Information in the vSphere Client
- Assign WWNs to Virtual Machines in the vSphere Client
- Modify WWN Assignments in the vSphere Client
- Set Up Networking for Software FCoE in the vSphere Client
- Add Software FCoE Adapters in the vSphere Client
- Disable Automatic Host Registration in the vSphere Client
- Setting Up Independent Hardware iSCSI Adapters in the vSphere Client
- Configuring Dependent Hardware iSCSI Adapters in the vSphere Client
- Configuring Software iSCSI Adapters in the vSphere Client
- Setting Up iSCSI Network in the vSphere Client
- Using Jumbo Frames with iSCSI in the vSphere Client
- Configuring Discovery Addresses for iSCSI Adapters in the vSphere Client
- Configuring CHAP Parameters for iSCSI Adapters in the vSphere Client
- Configure Advanced Parameters for iSCSI in the vSphere Client
- Managing Storage Devices in the vSphere Client
- Working with Datastores in the vSphere Client
- Create a VMFS Datastore in the vSphere Client
- Create NFS Datastore in the vSphere Client
- Managing Duplicate VMFS Datastores in the vSphere Client
- Upgrading VMFS Datastores in the vSphere Client
- Increase VMFS Datastore Capacity in the vSphere Client
- Rename VMFS or NFS Datastores in the vSphere Client
- Group VMFS or NFS Datastores in the vSphere Client
- Delete VMFS Datastores in the vSphere Client
- Create a Diagnostic Partition in the vSphere Client
- Turn off Storage Filters in the vSphere Client
- Raw Device Mapping in the vSphere Client
- Understanding Multipathing and Failover in the vSphere Client
- Storage Hardware Acceleration in the vSphere Client
- Storage Thin Provisioning in the vSphere Client
- Using Storage Vendor Providers in the vSphere Client
- Resource Management in the vSphere Client
- Configuring Resource Allocation Settings in the vSphere Client
- Administering CPU Resources in the vSphere Client
- View Processor Information in the vSphere Client
- Enable Hyperthreading in the vSphere Client
- Set Hyperthreading Sharing Options for a Virtual Machine in the vSphere Client
- Assign a Virtual Machine to a Specific Processor in the vSphere Client
- Select a CPU Power Management Policy in the vSphere Client
- Configure Custom Policy Parameters for Host Power Management in the vSphere Client
- Administering Memory Resources in the vSphere Client
- Enable Host-Local Swap for a DRS Cluster in the vSphere Client
- Enable Host-Local Swap for a Standalone Host in the vSphere Client
- Configure Virtual Machine Swapfile Properties for the Host in the vSphere Client
- Configure a Virtual Machine Swapfile Location for a Cluster in the vSphere Client
- Delete Swap Files in the vSphere Client
- Configure the Host Cache in the vSphere Client
- Enable or Disable the Memory Compression Cache in the vSphere Client
- Set the Maximum Size of the Memory Compression Cache in the vSphere Client
- Managing Storage I/O Resources in the vSphere Client
- Managing Resource Pools in the vSphere Client
- Using DRS Clusters to Manage Resources in the vSphere Client
- Creating a DRS Cluster in the vSphere Client
- Adding Hosts to a Cluster in the vSphere Client
- Adding Virtual Machines to a Cluster in the vSphere Client
- Removing Virtual Machines from a Cluster in the vSphere Client
- Removing a Host from a Cluster in the vSphere Client
- Managing Power Resources in the vSphere Client
- Using DRS Affinity Rules in the vSphere Client
- Creating a Datastore Cluster in the vSphere Client
- Using Datastore Clusters to Manage Storage Resources in the vSphere Client
- Using Storage DRS Maintenance Mode in the vSphere Client
- Applying Storage DRS Recommendations in the vSphere Client
- Change Storage DRS Automation Level for a Virtual Machine in the vSphere Client
- Set Up Off-Hours Scheduling for Storage DRS in the vSphere Client
- Storage DRS Anti-Affinity Rules in the vSphere Client
- Clear Storage DRS Statistics in the vSphere Client
- Using NUMA Systems with ESXi in the vSphere Client
- Advanced Attributes in the vSphere Client
- Creating and Using vSphere HA Clusters in the vSphere Client
- Providing Fault Tolerance for Virtual Machines in the vSphere Client
- Fault Tolerance Use Cases in the vSphere Client
- Fault Tolerance Checklist in the vSphere Client
- Preparing Your Cluster and Hosts for Fault Tolerance in the vSphere Client
- Providing Fault Tolerance for Virtual Machines in the vSphere Client
- Viewing Information About Fault Tolerant Virtual Machines in the vSphere Client
- Best Practices for Fault Tolerance in the vSphere Client
- Monitoring and Performance in the vSphere Client
- View Charts in the vSphere Client
- Working with Advanced and Custom Charts in the vSphere Client
- Set Advanced Performance Charts as the Default in the vSphere Client
- Change Advanced Chart Settings in the vSphere Client
- Create a Custom Advanced Chart in the vSphere Client
- Delete a Custom Advanced Chart View in the vSphere Client
- Save Chart Data to a File in the vSphere Client
- Export Performance Data to a Spreadsheet in the vSphere Client
- Monitoring Host Health Status in the vSphere Client
- Monitoring Events, Alarms, and Automated Actions in the vSphere Client
- View Events in the vSphere Client
- View System Logs in the vSphere Client
- Export Events Data in the vSphere Client
- View Triggered Alarms and Alarm Definitions in the vSphere Client
- Set An Alarm in the vSphere Client
- View and Edit Alarm Settings in the vSphere Client
- Specify Alarm Name, Description, and Type in the vSphere Client
- Modify the Definition of the Datastore Usage on Disk Alarm in the vSphere Client
- Specify How the Alarm is Triggered (Event-based) in the vSphere Client
- Specify Alarm Tolerance and Frequency in the vSphere Client
- Specify Which Actions to Perform When Triggered in the vSphere Client
- Enable and Disable Alarm Actions in the vSphere Client
- Acknowledge Triggered Alarms in the vSphere Client
- Reset Triggered Event Alarms in the vSphere Client
- Identify Disabled Alarm Actions in the vSphere Client
- Viewing Solutions in the vSphere Client
- Configure SNMP Settings for vCenter Server in the vSphere Client
- System Log Files in the vSphere Client
- Index
Securing the Management Interface 6
Secure the management Interface of an ESXi host and the virtual machine guest operating system by
restricting the services and management agents that are allowed to interface directly with the host or virtual
machine.
This chapter includes the following topics:
n
“Securing ESXi Hosts,” on page 59
n
“Securing Virtual Machines,” on page 63
Securing ESXi Hosts
The ESXi hypervisor architecture has many built-in security features such as CPU isolation, memory
isolation, and device isolation. You can configure additional features such as lockdown mode, certificate
replacement, and smart card authentication for enhanced security.
An ESXi host is also protected with a firewall. You can open ports for incoming and outgoing traffic as
needed, but should restrict access to services and ports. Using the ESXi lockdown mode and limiting access
to the ESXi Shell can further contribute to a more secure environment. Starting with vSphere 6.0, ESXi hosts
participate in the certificate infrastructure. Hosts are provisioned with certificate that are signed by the
VMware Certificate Authority (VMCA) by default.
See the VMware white paper Security of the VMware vSphere Hypervisor for additional information on ESXi
security.
Allow or Deny Access to an ESXi Service or Management Agent
You can configure firewall properties to allow or deny access for a service or management agent.
You add information about allowed services and management agents to the host configuration file. You can
enable or disable these services and agents using the vSphere Client or at the command line.
NOTE If different services have overlapping port rules, enabling one service might implicitly enable
overlapping services. To minimize the effects of this behavior, you can specify which IP addresses are
allowed to access each service on the host.
Procedure
1 Select the host in the inventory panel.
2 Click the Configuration tab, then in the Software section, click Security Profile.
The vSphere Client displays a list of active incoming and outgoing connections with the corresponding
firewall ports.
VMware, Inc.
59