security, virtualization

How To: vSphere Client to vCenter Using HTTP

When developing SimDK I had to perform a lot of traffic captures to see what was actually occurring between vSphere clients and the vSphere SDK web service. Wireshark worked wonderfully for listening to messages between PowerShell or Perl and vCenter because these clients can connect to the vCenter server over HTTP without SSL encryption. The vSphere client, however, is (seemingly) hardwired to use SSL, and I was having no luck listening to the traffic between it and the vCenter server. Even when I decrypted the traffic using VMware’s provided key, Wireshark was not able to reassemble all the packets in the correct order, and anything short of all the traffic was useless to me. Hence began my quest to discover how to connect to the vCenter server with the vSphere client using HTTP. The official response from VMware was that you cannot configure the vSphere client to communicate with the vCenter server without SSL.

Here’s how to configure the vSphere client to communicate with the vCenter server without SSL.

It’s actually a deceptively simple process.

  1. On the vCenter server edit the file C:\Documents and Settings\All Users\Application Data\VMware\VMware VirtualCenter\proxy.xml and change all instances of httpsWithRedirect to httpAndHttps.
  2. Open the Service Control Manager (SCM) and restart the VMware VirtualCenter Management Webservices and VMware VirtualCenter Server services (you may only need to restart the first one, I cannot remember, so restart them both to be safe).
  3. On your client open the vSphere client Launcher folder. For example, C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher.
  4. Copy the files VpxClient.exe and VpxClient.exe.config. Name the copies VpxClient-http.exe and VpxClient-http.exe.config.
  5. Edit the file VpxClient-http.exe.config and change the line <add key = "protocolports" value = "https:443"/> to <add key = "protocolports" value = "http:80"/>.
  6. Launch the vSphere client with the copied executable and try connecting to the vCenter server you just reconfigured to accept non-SSL connections. You should receive a warning similar to the following:
    [Image: Connecting to a vCenter server with the vSphere client using HTTP]

Congratulations! You just did what VMware said couldn’t be done :)

And FYI, if you tell the vSphere client to remember your response above, you can tell it to forget that memory by removing the server you connected to from this registry key HKEY_CURRENT_USER\Software\VMware\Virtual Infrastructure Client\Preferences\UI\SavedDialogResponses.
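
To check afterwards whether a server or a client copy is still in the plaintext configuration from the steps above, the following added example (not part of the original post) scans a proxy.xml for httpAndHttps entries and a client .config for an http protocolports value. The sample XML is constructed, and its element layout is an assumption; only the access-mode values and the protocolports key come from the post.

```python
import xml.etree.ElementTree as ET

PLAINTEXT_MODE = "httpAndHttps"  # value the post sets in proxy.xml

# Constructed samples: the element layout is an assumption, only the
# access-mode values and the protocolports key come from the post.
PROXY_XML = """<ConfigRoot><EndpointList>
  <e id="0"><accessMode>httpAndHttps</accessMode><port>8085</port></e>
  <e id="1"><accessMode>httpsWithRedirect</accessMode><port>8086</port></e>
</EndpointList></ConfigRoot>"""

CLIENT_CONFIG = """<configuration><appSettings>
  <add key="protocolports" value="http:80"/>
</appSettings></configuration>"""


def plaintext_endpoints(proxy_xml):
    """Locate every element whose text is httpAndHttps, whatever its tag."""
    hits = []
    for parent in ET.fromstring(proxy_xml).iter():
        for child in parent:
            if (child.text or "").strip() == PLAINTEXT_MODE:
                hits.append(f"{parent.tag}[id={parent.get('id', '?')}]/{child.tag}")
    return hits


def client_plaintext_ports(config_xml):
    """Return protocolports values whose scheme is http rather than https."""
    hits = []
    for add in ET.fromstring(config_xml).iter("add"):
        if (add.get("key") or "").lower() != "protocolports":
            continue
        value = (add.get("value") or "").strip()
        if value.split(":", 1)[0].lower() == "http":
            hits.append(value)
    return hits


if __name__ == "__main__":
    for hit in plaintext_endpoints(PROXY_XML):
        print("proxy.xml accepts plain HTTP at", hit)
    for value in client_plaintext_ports(CLIENT_CONFIG):
        print("client config uses", value)
```

To audit real files, read their contents and pass the text to the same two functions.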


4 thoughts on “How To: vSphere Client to vCenter Using HTTP”

  1. Hi Andrew, thanks for those instructions! We have been using an intermediary SSL-“proxy” (socat, linux-based, I guess there are similar apps for Windows) to dump the traffic up until now, but this here might be a viable alternative. P.S.: The sourceforge URL for SimDK in this post has a typo (fourge instead of forge).

  2. FYI: There is no actual need to edit anything on the client, you can just enter “http://your.address” into the “IP address / Name” field and it will use http instead of https.

    The bit about the server setting was helpful though, thanks.

  3. Hi, Thanks for the instructions. I tried to do this on my vCenter and I want to access it through the browser or webservices using both http and https. But, restarting the two services does not start any service listening on port 80 (verified using netstat -an) and I am unable to access the vCenter using http from the browser. Any pointers to check other things?
