When it comes to managing ESXi hosts, there are a few interfaces available to perform management tasks:
Remote TSM has been covered in the Accessing hosts via SSH recipe in this chapter. Local TSM and DCUI are console options available if you have physical access to the host or remote console access such as iDRAC.
All interfaces except vSphere API can be managed from vCenter under host Configuration | Security Profile | Services:
Both TSM options can also be configured from the DCUI console.
The following table summarizes different management interfaces and where each one can be configured:
Management interface | Description | Configuration from vCenter | Configuration from DCUI
---|---|---|---
CIM | vCenter access | Host's Services |
DCUI | ESXi console | Host's Services |
Local TSM | Console CLI | Host's Services | Troubleshooting menu
Remote TSM | | Host's Services | Troubleshooting menu
APIs | vSphere Client, PowerCLI, vCLI | |
VMware offers a way to secure management access to hosts called Lockdown mode.
Lockdown mode is a security feature that restricts management of the ESXi host so that it can only be performed through vCenter. When a host is in this mode, the administrator cannot use the command line or run scripts, and third-party software cannot read or change any settings on the host.
The following table summarizes each management interface's behavior in Normal and Lockdown modes:
Management interface | Normal mode | Lockdown mode
---|---|---
CIM | User and group permissions | Only vCenter server
DCUI | User root and users with administrator rights | Only root user
Local TSM | Only root user | None
Remote TSM | Only root user | None
APIs | User and group permissions | Only vCenter vpxuser
Additional security always brings some inconvenience. If the vCenter VM crashes or does not come up after a reboot, and access to vCenter is lost, ESXi has to be reinstalled on hosts that are in Lockdown mode to restore access.
To enable lockdown mode from vCenter, execute the following steps:
Note
All the existing vCenter Client connections to the host will be dropped immediately.
Users that are currently logged in to DCUI or TSM will still have access after Lockdown mode has been enabled, until they log off. Logged-in users will not be able to switch Lockdown mode off in this case.
All the existing user and group permissions will be restored once Lockdown mode is disabled if it was enabled from vCenter.
To enable Lockdown Mode from Web Client, execute the following steps:
1. Select a host.
2. Go to Manage | Settings | Security Profile.
3. Scroll down to the Lockdown Mode section.
4. Click on the Edit next to the section.
5. Check Enable Lockdown Mode.
6. Click on OK.
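As an added example (not part of the original recipe), the following PowerCLI script audits the interfaces from the tables above across a cluster and enables Lockdown mode on the hosts that are still in Normal mode. It assumes PowerCLI is installed, an existing Connect-VIServer session to vCenter, and the cluster name 'Prod-Cluster' is a placeholder.

```powershell
# Added example, not the recipe's own code. Assumes an active
# Connect-VIServer session; 'Prod-Cluster' is a placeholder cluster name.
$cluster = 'Prod-Cluster'
$hosts   = Get-Cluster -Name $cluster | Get-VMHost

# Audit: Lockdown state plus the running state and startup policy of
# Local TSM (ESXi Shell, service key TSM) and Remote TSM (SSH, key TSM-SSH).
$report = foreach ($vmhost in $hosts) {
    $services = Get-VMHostService -VMHost $vmhost
    $shell = $services | Where-Object { $_.Key -eq 'TSM' }
    $ssh   = $services | Where-Object { $_.Key -eq 'TSM-SSH' }

    [pscustomobject]@{
        Host         = $vmhost.Name
        Lockdown     = $vmhost.ExtensionData.Config.AdminDisabled  # $true when enabled
        ShellRunning = $shell.Running
        ShellPolicy  = $shell.Policy        # on / off / automatic
        SSHRunning   = $ssh.Running
        SSHPolicy    = $ssh.Policy
    }
}

$report | Format-Table -AutoSize

# Remediation: stop both TSM services, set them not to start on boot, and
# enable Lockdown mode on every host still in Normal mode. Existing DCUI/TSM
# sessions keep their access until the user logs off, as the recipe notes.
foreach ($vmhost in $hosts) {
    if (-not $vmhost.ExtensionData.Config.AdminDisabled) {
        Get-VMHostService -VMHost $vmhost |
            Where-Object { $_.Key -in 'TSM', 'TSM-SSH' } |
            ForEach-Object {
                if ($_.Running) {
                    Stop-VMHostService -HostService $_ -Confirm:$false | Out-Null
                }
                Set-VMHostService -HostService $_ -Policy Off | Out-Null
            }
        # EnterLockdownMode() is the vSphere API call behind the Web Client checkbox
        $vmhost.ExtensionData.EnterLockdownMode()
        Write-Host "Lockdown mode enabled on $($vmhost.Name)"
    }
}
```

Run the audit part first on its own to confirm which hosts and services are exposed before letting the remediation loop change anything.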