Using the DogTag CA with ISE 1.2

What is DogTag and Why Use It?

Dog Tag is an Enterprise-class open source Certificate Authority that Red Hat purchased from AOL back in 2004.  Red Hat opened it up to the open source community in 2008.  Dog Tag supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management, and much more.

Most importantly, it is an available CA that has been tested for use with Cisco’s BYOD solution using Cisco’s Identity Services Engine 1.2 & newer.

Note:  There is also an Enterprise level version of DogTag known as the Red Hat Certificate System.

Before we go any further, I need to send a huge call-out to Vivek Santuka who prototyped & pioneered this initiative at work.  Also a call-out to Brian Sak for updating the work that Vivek did.

Prerequisites

Dog Tag will run on most Red Hat variants. For the purposes of this document, we will focus on Fedora Core 15 (32-bit).  This is the version that is known to work and has been tested with ISE 1.2.  This version of Fedora can be installed with the minimum option and will leverage the Apache web server, PHP, and the open source directory server.

Install 32-bit Fedora 15

Step 1 Boot the machine with the 32-bit Fedora 15 ISO file or DVD available here:  http://dl.fedoraproject.org/pub/fedora/linux/releases/15/Fedora/i386/iso/

Step 2 Select “Install system with basic video driver”

The “Minimal” installation type is all that you need for this use-case.

Accept the default choices for the remainder of the installation

Configure Networking

The Certificate Authority should have a static IP Address to ensure that communication is always optimal.  There is a component of the setup wizard that will allow you to configure the network prior to the installation finishing.  However, the majority of the time those settings do not seem to be maintained and when the Fedora operating system is fully installed there is no assigned IP Address, as seen in figure 3.

Note:  It is assumed that you are logged in as “root” to perform the activities in this document.  If not, use the “su –“ command to change your login context to the superuser (root).

After the installation, verify if there is an IP Address.  Use the ifconfig eth0 command.  Figure 3 shows the result when no IP Address has been configured.

Using your favorite editor, edit the ifcfg-eth0 file to setup the network stack for the interface.

Example-1:  Edit the ifcfg-eth0 file

[root@atw-dogtag01 ~]# vi /etc/sysconfig/network-scripts/ifcfg-eth0

  • With the ifcfg-eth0 file open, ensure that the ONBOOT option is set to “yes”.  This is ensuring the interface will be on when the system reboots.
  • Ensure the BOOTPROTO option is set to “none”.  This configures the interface to use a static IP address.
  • Set the IPADDR option to be the desired IP address of the server, and the NETMASK to be the subnet mask for that IP address.
  • The DNS1 and DNS2 options may be used to point the server to the correct DNS server(s).
  • Use the GATEWAY option to specify the IP Address of the default-gateway.

Example-2 below shows the details of a configured ifcfg-eth0 file:

Example-2:  Configured ifcfg-eth0 file

[root@atw-dogtag01 ~]# cat /etc/sysconfig/network-scripts/ifcfg-eth0

DEVICE=”eth0″

HWADDR=”00:50:56:B8:BC:08″

ONBOOT=”yes”

NM_CONTROLLED=”yes”

BOOTPROTO=none

IPADDR=10.1.100.229

NETMASK=255.255.255.0

USERCTL=yes

TYPE=Ethernet

DNS1=10.1.100.103

GATEWAY=10.1.100.1


 Ensure the network starts at boot with the “chkconfig network on” command.

Example-3:  Ensuring network starts at boot, and restarting the service

[root@atw-dogtag01 ~]# chkconfig network on

[root@atw-dogtag01 ~]# service network restart

Install Packages with yum

Fedora uses a software package manager called “yum” to manage the installed packages within the operating system.  yum provides the advantage of identifying dependencies and helping to manage the installation of the application and all of that applications dependencies.  See http://fedoraproject.org/wiki/Yum for more on yum.

We will use yum to update this Fedora 15 server to the latest packages, as well as install needed applications such as NTP.

Configure Proxy (if needed)

The setup used to write this document required a proxy server to access the Internet.  Therefore this procedure was included.  If your environment does not require a proxy to access the Internet, please go to Procedure 2.

Step 1 Use your favorite text editor to edit the yum configuration file located at /etc/yum.conf

Example 4 – Editing the yum configuration file

[root@atw-dogtag01 ~]# vi /etc/yum.conf

Step 2 Add a line for with a field of “proxy=” followed by the URL and Port for your proxy server

Example 5 – Complete yum.conf file

[root@atw-dogtag01 ~]# cat /etc/yum.conf

[main]

cachedir=/var/cache/yum/$basearch/$releasever

keepcache=0

debuglevel=2

logfile=/var/log/yum.log

exactarch=1

obsoletes=1

gpgcheck=1

plugins=1

installonly_limit=3

proxy=http://proxy.esl.cisco.com:8080

Update system with yum

Step 1 Add a yum plugin to choose the fastest location to download from.  This plugin saved hours during the writing of this paper.

Example 6 – Installing the fastest mirror plugin

[root@atw-dogtag01 ~]# yum install yum-plugin-fastestmirror

 

Step 2 Update all installed packages with the “yum update” command

Example 7 – Updating all installed packages with yum

[root@atw-dogtag01 ~]# yum update

Loaded plugins: fastestmirror

Determining fastest mirrors

<<SNIP>>

Transaction Summary

================================================================================

Install       4 Package(s)

Upgrade     104 Package(s)

Total download size: 89 M

Is this ok [y/N]:

Install and Configure the NTP Service

Certificates require strict time synchronization.  It’s recommended to use the network time protocol (NTP) to ensure the time is accurate on the Certificate Authority.  The NTP service (aka: NTP daemon) is not installed by default with the minimal installation of Fedora 15, so we will use yum to install it.

  1. Install the NTP Service with the “yum install ntp” command
  2. Use the “chkconfig ntpd on” command to ensure ntp daemon starts at boot
  3. Use the ntpdate ntp_server_ip_address command to sync to an NTP source
  4. Ensure the service is started with the “ntpd start” command

Example 8 – Installing, syncing and starting NTP

[root@atw-dogtag01 ~]# yum install ntp

[root@atw-dogtag01 ~]# chkconfig ntpd on

[root@atw-dogtag01 ~]# ntpdate 172.25.73.1

31 Jul 13:47:44 ntpdate[11361]: step time server 172.25.73.1 offset 64.503042 sec

[root@atw-dogtag01 ~]# /etc/init.d/ntpd start

Starting ntpd (via systemctl):                             [  OK  ]

[root@atw-dogtag01 ~]#

 

Install the LDAP server

Dog Tag uses an open source LDAP server called “Directory Server” to store its data.  Before you can install Dog Tag, Directory Server must be installed and prepared. 

Step 1 Install the LDAP server package with the “yum install 389-ds” command

Step 2 Create a new user named “ds389” to be used by the Directory Server

Example 9 – Installing Directory Server and creating the service account

[root@atw-dogtag01 ~]# yum install 389-ds

[root@atw-dogtag01 ~]# useradd ds389


 

Step 3 Launch the Directory Server configuration wizard using the setup-ds.pl script located in /usr/sbing/setup-ds.pl

Example 10 – Launching the setup script

[root@atw-dogtag01 ~]#  /usr/sbin/setup-ds.pl

Step 4 Accept the defaults.  Once you reach the portion where the wizard is asking for a System User, you will need to change the default (nobody) to the ds389 user.  Use the ds389 for the group as well, as seen in Example – 11

Example 11 – Setting the System User and Group to ds389

==============================================================================

The server must run as a specific user in a specific group.

It is strongly recommended that this user should have no privileges

on the computer (i.e. a non-root user).  The setup procedure

will give this user/group some permissions in specific paths/files

to perform server-specific operations.

If you have not yet created a user and group for the server,

create this user and group using your native operating

system utilities.

System User [nobody]: ds389

System Group [nobody]: ds389

Step 5 Set the password for the Directory Manager

Example 12 – Setting the Directory Manager password and successs message

Directory Manager DN [cn=Directory Manager]:

Password:

Password (confirm):

Your new DS instance ‘atw-dogtag01’ was successfully created.

Exiting . . .

Log file is ‘/tmp/setupo0Vx6g.log’

Install the PHP services

Step 1 Use yum to install php as seen in example 13

Example 13 – installing php with yum

[root@atw-dogtag01 ~]# yum install php

Setting up Install Process

Resolving Dependencies

–> Running transaction check

—> Package php.i686 0:5.3.13-1.fc15 will be installed

–> Processing Dependency: php-common(x86-32) = 5.3.13-1.fc15 for package: php-5.3.13-1.fc15.i686

–> Processing Dependency: php-cli(x86-32) = 5.3.13-1.fc15 for package: php-5.3.13-1.fc15.i686

–> Running transaction check

—> Package php-cli.i686 0:5.3.13-1.fc15 will be installed

—> Package php-common.i686 0:5.3.13-1.fc15 will be installed

–> Finished Dependency Resolution

Dependencies Resolved

================================================================================

 Package            Arch         Version                  Repository       Size

================================================================================

Installing:

 php                i686         5.3.13-1.fc15            updates         1.1 M

Installing for dependencies:

 php-cli            i686         5.3.13-1.fc15            updates         2.2 M

 php-common         i686         5.3.13-1.fc15            updates         547 k

Transaction Summary

================================================================================

Install       3 Package(s)

Total download size: 3.9 M

Installed size: 13 M

Is this ok [y/N]: y

Downloading Packages:

Running Transaction

  Installing : php-common-5.3.13-1.fc15.i686                                1/3

  Installing : php-cli-5.3.13-1.fc15.i686                                   2/3

  Installing : php-5.3.13-1.fc15.i686                                       3/3

Installed:

  php.i686 0:5.3.13-1.fc15                                                     

Dependency Installed:

  php-cli.i686 0:5.3.13-1.fc15          php-common.i686 0:5.3.13-1.fc15        

Complete!

[root@atw-dogtag01 ~]#

Step 2 Start the apache (httpd) and Directory Server (dirsrv) services and configure them to start on bootup as seen in example 4

Example 14 – Starting the apache and directory server services

[root@atw-dogtag01 ~]# service httpd start

Starting httpd (via systemctl):                            [  OK  ]

[root@atw-dogtag01 ~]# service dirsrv start

Starting dirsrv:

    atw-dogtag01… already running                        [  OK  ]

[root@atw-dogtag01 ~]# chkconfig dirsrv on

[root@atw-dogtag01 ~]# chkconfig httpd on

[root@atw-dogtag01 ~]#

Install DogTag

Step 1 Install DogTag with the yum install pki-ca command as seen in Example 15

Example 15 – installing DogTag

[root@atw-dogtag01 ~]# yum install pki-ca

Setting up Install Process

Resolving Dependencies

–> Running transaction check

—> Package pki-ca.noarch 0:9.0.20-1.fc15 will be installed

–> Processing Dependency: pki-selinux = 9.0.20-1.fc15 for package: pki-ca-9.0.20-1.fc15.noarch

–> Processing Dependency: pki-common = 9.0.20-1.fc15 for package: pki-ca-9.0.20-1.fc15.noarch

–> Processing Dependency: pki-ca-theme >= 9.0.0 for package: pki-ca-9.0.20-1.fc15.noarch

–> Running transaction check

—> Package dogtag-pki-ca-theme.noarch 0:9.0.11-1.fc15 will be installed

–> Processing Dependency: dogtag-pki-common-theme = 9.0.11-1.fc15 for package: dogtag-pki-ca-theme-9.0.11-1.fc15.noarch

—> Package pki-common.noarch 0:9.0.20-1.fc15 will be installed 

Modify the Firewall Rules (IPTables)

In order to connect to the DogTag service on the ports used in procedure 3, you must modify the Linux server’s host-firewall (iptables) to allow the connections.  Since this is not an iptables document, and in order to keep this simple, let’s just turn off iptables.

Step 1 Stop the firewall service with the “service iptables stop” command

Step 2 Keep the firewall from starting when the server is booted with the “chkconfig iptables off” command.

Example 16 – Shutting off the Firewall

[root@atw-dogtag01 ~]# service iptables stop

Stopping iptables (via systemctl):                         [  OK  ]

[root@atw-dogtag01 ~]# chkconfig iptables off

[root@atw-dogtag01 ~]#

Create a new CA Instance

Now that DogDag is installed, you need to create a new Certificate Authority instance. The following is using ports that we have preferred to use.  You may change any of the parameters in the following section to suite the needs of your organization.

Step 1 Create a pki instance using the pkicreate command with the following options:

·       pki_instance_root=/var/lib

#This is setting the root location to store the pki instance.  Based on the settings used in example 17, it will be placed in the following directory: /var/lib/ise-ca.

·       pki_instance_name=ise-ca 

#This is naming the new CA instance “ise-ca”.  you may replace this with another name, to suit the needs of your organization.

·       subsystem_type=ca 

#Sets the subsystem to be a certificate authority.  Other possible sub-systems are not applicable to this guide.

·       agent_secure_port=9443 

# Agent Services are where an administrator can see what certificate has been provisioned, revoke them, etc.

·       ee_secure_port=9444 

# Sets the SSL port for End-Entities web services. 

·       ee_secure_client_auth_port=9446  

# Sets the SSL port for End-Entities authentication.

·       admin_secure_port=9447 

# This is the default port to use to access the CA Services Page as the administrator.

·       unsecure_port=9180 

# Sets the regular port number. When not specified, it will be randomly generated.

·       tomcat_server_port=9701  #

·       user=pkiuser  #

·       group=pkiuser  #

·       redirect conf=/etc/ise-ca  

# configures the configuration data to be stored in /etc/ise-ca

·       redirect logs=/var/log/ise-ca 

# configures the logs to be in the /var/log/ise-ca directory.

·       verbose 

# sets the install to be in verbose mode, to provide you with as much detail as possible.

Example 17 – Creating the pki instance

pkicreate    -pki_instance_root=/var/lib -pki_instance_name=ise-ca -subsystem_type=ca -agent_secure_port=9443 -ee_secure_port=9444 -ee_secure_client_auth_port=9446 -admin_secure_port=9447 -unsecure_port=9180 -tomcat_server_port=9701 -user=pkiuser -group=pkiuser -redirect conf=/etc/ise-ca -redirect logs=/var/log/ise-ca -verbose

Step 2  Proceed with the Graphical Configuration of the DogTag CA

Once the setup script complete running, a message will be displayed with a unique URL to access the DogTag GUI and complete the CA installation, as seen in example 18.

Example 18 – Example of Unique URL to DogTag GUI

Installation information recorded in /var/log/ise-ca-install.log.

[debug] run_command(/sbin/service pki-cad restart ise-ca)

Before proceeding with the configuration, make sure

the firewall settings of this machine permit proper

access to this subsystem.

Please start the configuration by accessing:

https://atw-dogtag01.ise.local:9447/ca/admin/console/config/login?pin=UUVMDHRvTojQrdeod91e

After configuration, the server can be operated by the command:

    /sbin/service pki-cad restart ise-ca

Step 3 Click Next from the Welcome Screen

Step 4 Create a “New Security Domain”.  Name it “ISE BYOD Domain” & click Next

ISE BYOD Domain

Step 5 Name the Subsystem “Certificate Authority” & click Next

Certificate Authority

Step 6 Make this a Self-Signed Root CA within this new PKI Hierarchy.  Of course this could become a subordinate CA of an existing CA.  However, that is not the focus of this post.

Self-Signed Root

Step 7 The Internal Database is the Directory Server (ds389) that we installed earlier.  All settings should be filled in correctly.  Please add the Directory Manager password created earlier in Example 12.

Directory Manager password from Example 12

Step 8 Generate the Keypairs.  The default of RSA w/ SHA256 and a key size of 2048 bits will work fine, then click next.

Default Values + 2048 bit

Step 9 The certificate subject lines can be left at their default values, and click next

Subject Names

Step 10 If there are actions needed, they will be in red.  If not, click Next

Actions will be in Red, if any

Step 11 Provide a password, and export the CA’s key pair.  Store the key pair in a secure location.

Export the Keys and Store in safe location

Step 12 The new root CA certificate will be imported into your browser or your local certificate store, to ensure your system trusts certificates signed by this new CA.

Trusting your new CA

Step 13  You should now be asked to install an Administrative Certification.  This is a personal certificate to identify you (the admin) to the CA for administrative tasks.  Please ensure you backup and store this key in a secure location, as you will not be able to administer the CA without this identity certificate.

Import the admin cert
You are finished with the GUI-Based configuration.
Done!
Note:  while the GUI Configuration is complete, we are not ready to begin using the CA just yet.  We still need to add a custom script and modify some more configuration files.

Enable and Configure SCEP

Here you will be enabling and configuring Simple Certificate Enrollment Protocol (SCEP) by directly modifying the CS.cfg file.

Step 1 Backup the CS.cfg file before making any changes.

 Example 20 – Backup of the CS.cfg file

[root@atw-dogtag01 ~]# cp /etc/ise-ca/CS.cfg /etc/ise-ca/CS.cfg.bak

Step 2 Open up the CS.cfg file in a text editor.

Example 21 – Edit the CS.cfg file

[root@atw-dogtag01 ~]# vi /etc/ise-ca/CS.cfg

Step 3 Add the following lines to the bottom of the CS.cfg file and save the changes.

ca.scep.allowedEncryptionAlgorithms=DES3

ca.scep.allowedHashAlgorithms=SHA1,SHA256,SHA512

ca.scep.enable=true

ca.scep.encryptionAlgorithm=DES3

ca.scep.hashAlgorithm=SHA256

ca.scep.nonceSizeLimit=16

Step 4 Backup the caRouterCert.cfg file before making any changes.

Example 22 – Backing up the caRouterCert.cfg file

[root@atw-dogtag01 ~]# cp /var/lib/ise-ca/profiles/ca/caRouterCert.cfg /var/lib/ise-ca/profiles/ca/caRouterCert.cfg.bak

Step 5 Edit the caRouterCert.cfg file using a text editor.  Delete the value for the variable auth.instance_id and save your changes.  The end result should look like Example 24.

Example 23 – Edit the caRouterCert.cfg file

[root@atw-dogtag01 ~]# vi /var/lib/ise-ca/profiles/ca/caRouterCert.cfg

Example 24 – The final setting for auth.instance_id= field in the caRouterCert.cfg file

[root@atw-dogtag01 ise-ca]# cat /var/lib/ise-ca/profiles/ca/caRouterCert.cfg

desc=This certificate profile is for enrolling router certificates.

visible=false

enable=true

enableBy=admin

auth.instance_id=

name=One Time Pin Router Certificate Enrollment

input.list=i1,i2

input.i1.class_id=certReqInputImpl

input.i2.class_id=submitterInfoInputImpl

output.list=o1

<<SNIP>>

Step 6 Restart the CA services with the “service pki-cad restart“command

Example 25 – Restart the CA Services

[root@atw-dogtag01 ise-ca]# service pki-cad restart

Stopping ise-ca:                                           [  OK  ]

Starting ise-ca:                                           [  OK  ] 

Prepare Apache

Step 1 Move the Apache Welcome.conf file to disable the default installation

Example 26 – Move the welcome.conf file

[root@atw-dogtag01 ise-ca]# mv /etc/httpd/conf.d/welcome.conf /etc/httpd/conf.d/welcome.conf.bak

Step 2 Create a new file called scepproxy.php at /var/www/html.

Example 27 – Creating the scepproxy.php file

[root@atw-dogtag01 ise-ca]# vi /var/www/html/scepproxy.php

Step 3 Populate the file with the following PHP script and save the file when completed.

<?php

$ops = $_GET[‘operation’];

$msg= $_GET[‘message’];

$order   = array(“\r\n”, “\n”, “\r”, ” “);

$msg = str_replace($order, “”, $msg);

$msg = rawurldecode($msg);

$msg=urlencode($msg);

if ($ops == “GetCACaps”)

{

echo “”;

}

else

{

$url = http://127.0.0.1/ca/cgi-bin/pkiclient.exe?operation=.$ops.“&message=”.$msg;

$ch = curl_init();

curl_setopt($ch, CURLOPT_PORT, 9180);

curl_setopt($ch, CURLOPT_URL, $url);

curl_setopt($ch, CURLOPT_HEADER, 0);

curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);

//curl_setopt($ch, CURLOPT_POST, 1);

$body = curl_exec($ch);

curl_close($ch);

if ($ops==“PKIOperation”)

{

header(“Content-Type: application/x-pki-message”);

}

else

{

header(“Content-Type: application/x-x509-ca-cert”);

}

echo $body;

}

?>

 

Step 4 Restart the Apache service to reflect your changes with the “service httpd restart” command

[root@atw-dogtag01 ise-ca]# service httpd restart

Restarting httpd (via systemctl):                          [  OK  ]

[root@atw-dogtag01 ise-ca]#

The DogTag installation is complete.  You are ready to add this CA to ISE for BYOD certificate provisioning.

Configure ISE to use the new DogTag CA

This document is assuming your already have your BYOD policies ready, or you will create them afterwards.  In this section, we will focus on the simple task of adding the new DogTag CA to ISE for purposes of SCEP provisioning the BYOD certificates.

For more on configuring ISE for BYOD, please see the BYOD How-To Guides here:  http://www.cisco.com/en/US/solutions/ns340/ns414/ns742/ns744/landing_DesignZone_TrustSec.html

Add DogTag to the SCEP RA Profiles

From the ISE administrative GUI, we will add the DogTag server to the SCEP RA Profiles

Step 1 Navigate to Administration >> System >> Certificates >> SCEP RA Profiles & Click Add

Step 2 Name the RA “DogTag” & Enter a Description

Step 3 Enter the DogTag Server URL of http://<server_name>/scepproxy.php

Step 4 Click “Test Connectivity”

SCEP RA Profile

Click Submit.  You are finished & ready to onboard.

Thanks so much for taking the time to read my boring blog posts.  I hope they are useful.  Please feel free to send your comments.

 

 

 

 

 

Using VNC for Console Access to ISE (and other) VM’s

A little less than 1/2 of all Identity Service Engine installations are on VMWare.  Yes it’s true.  About 45% of all ISE nodes deployed in this world are Virtual.  What I don’t know is:  how many are in production and how many are in a lab.

Let me give you another statistic (my own).  When I work with a company that is using VMWare in production, 90% of the time the VMWare infrastructure is managed by a completely different team than the one who owns ISE & the management of the appliances (virtual and physical).

One more statistic.  Of that 90% who do not manage VMWare, 80% of those are not permitted to access the console of their ISE nodes.  That’s right, a security team that has a security appliance installed on a VMWare ESX server & is not permitted to access the console; only SSH / Web into the device.

Whether you suffer from the same affliction of not having rights/permissions to access the console, or you are just looking for a way to simplify console access without having to first launch VMWare VSphere:  I have a solution for you!  VNC!

That’s right, VMWare had the forethought to build VNC into the ESX server, they just don’t make it obvious on how to enable it.  That’s (hopefully) where I come in.  Now you just have to get your VMWare administrator to follow this blog post.  Let’s get started.

Configure your Virtual Machine for VNC to the Console.

I typically add these changes to my standard procedure when building a new ISE VM.  I make the changes before I complete the Virtual Machine creation (use the “Edit the virtual machine settings before completion” check box to make it even easier).  However, you can also edit the settings of an existing VM & add the VNC configuration to that VM, too.

Note:  the VM must be powered off to make this change.

Edit before complete check box

If your VM is already created, simply edit the settings:

Edit Settings on existing VM

Either way, you end up with this screen.  From here Click on OPTIONS.

Click the Options Tab

Now under Advanced, click on General >> and then click on “Configuration Parameters”

Click Configuration Parameters

This screen may be empty (if a new VM) or it may have a bunch of stuff in it if the VM was already existing (modifying an existing VM).  Either way, click Add Row:

Click Add Row

Fix the Keyboard Delay.  We are doing this because often when working remotely with VMWare consoles, the keyboard repeat rate is too sensitive and you will sssssooooooommmmmmeeeeettttttiiiiiiiiiimmmmmmeeeeeeesssss gggggeeeeeettttt kkkkkkeeeeeeyyyyyy  reeeepppeaaaaattttttttttssssss.  This fixes that.

In your new row, give the row the name keyboard.typematicMinDelay and then set the Value to 2000000.  Then Click Add Row to move on to the next entry.

Name the second entry RemoteDisplay.vnc.enabled  and the value should be TRUE.  Click Add Row to move onto the next entry.

Name this third entry RemoteDisplay.vnc.port  and the value needs to be 59xx (replace xx with a port between 00-64).  5900 – 5964 are the VNC port numbers and need to be unique per Virtual Machine.  See the screen shot below

Lastly, add a final row named RemoteDisplay.vnc.password and set the value to whatever password you would like to use.

All 4 rows

Before you can connect to the Console via VNC, you may have to modify the ESX Server’s Firewall settings.  By default ESX’s firewall does not have a rule for the VNC ports.  So, in order to keep this blog post simply & open the ports, we will just go into the Firewall Properties and enable an existing rule named “VM serial port connected over network”.  This will allow the connections.

Navigate to the ESX Server itself (not the VM).  Click on Configuration >> Security Profile.  Then click on the Properties link for the Firewall.

ESX Security Profiles

Within the Firewall Properties, enable the check box for the existing “VM serial port connected over network” default rule.  This will allow the connections necessary.

Note:  Your VMWare administrator could always modify the iptables rules from the ESX Server’s command line interface to only allow the VNC ports that are needed.  But we are keeping this simple for the purposes of this blog post.

Now the VM is setup!  You are ready to rock this.  Let’s setup a VNC Client.  You can use whatever client you would like, obviously.  I personally use JollyFastVNC on my Mac.

Note:  VNC will not connect unless the VM is powered on.

Add a new VNC Connection to your client.  The network address should be the IP Address of the ESX server (not the VCenter).  The port should match the 59xx port number you chose when adding that entry to the VM.

JollyFastVNC Client Settings

When you connect, you will be prompted for the VNC Password.

VNC Password Prompt

POOF!  You are on the console of the VM.

It Works!!!
It is ALIVE!

Well, I hope this was helpful!  Now you can access the console of all your ISE Virtual Machines without having to go through the VSphere client.  As always, feedback is very welcome.

Stay on the lookout for more Tips & Tricks!

Aaron