Cannot establish a remote console connection in Aria Automation on-prem and Cloud

Article ID: 314900

Updated On:

Products

VMware Aria Suite

Issue/Introduction

This article describes the remote console traffic and procedures when establishing connections to Aria Automation managed machines.

Symptoms:

  • Establishing a remote console connection in Aria Automation fails with:
Cannot establish a remote console connection. Verify that the machine is powered on. If the server has a self-signed certificate, you might need to accept the certificate, then close and retry the connection.

or 

Http failure response : 500 OK



Environment

VMware Aria Automation 8.x

Cause

VMRC connectivity in Aria Automation may stop working after a vCenter upgrade to 8.x, or when using Aria Automation versions 8.10.2 or 8.11.0, which support only WebMKS.

There are two methods to connect to VMRC: the older MKS and the newer WebMKS.

  • vCenter 6.x and 7.x support both MKS and WebMKS
  • vCenter 8.x supports only WebMKS

 

In addition, to establish secure VMRC connectivity you can use either of the following:

  • Aria Automation console proxy supporting only MKS.
  • vCenter console proxy supporting WebMKS.

 

Aria Automation on-prem versions 8.10.2 and 8.11.0 support only WebMKS; all other versions support both methods of VMRC connectivity.

Table of supported methods


Resolution

The table below outlines the Aria Automation and vCenter console proxy configurations required, based on the product versions, for successful VMRC connectivity.


 

Necessary steps to configure console proxies to allow secure VMRC connectivity:

You may encounter a similar issue with VMware Aria Automation version 8.18 when using VMware vCenter Server 7.0u3 versions. As shown in the attached screenshot, after clicking "Accept the certificate," a new browser tab opens and navigates to the VMware Aria Automation URL. Refreshing the remote console page will prompt the "Accept the certificate" option again. This issue occurs because the cloud account state does not contain the certificate details.

To resolve this, follow the steps outlined in the KB to update the cloud account with vCenter's certificate.
https://knowledge.broadcom.com/external/article?legacyId=88531

 

On-premise Aria Automation installs:

1.1 Review existing on-prem Aria Automation console proxy configuration following the steps in workaround section 2.1.
1.2 Using the table above, choose the required console proxy status based on your Aria Automation and vCenter versions.
1.3 Steps to disable or enable Aria Automation console proxy are covered in workaround sections 2.2 or 2.3.
1.4 vCenter console proxy is not configured and disabled by default. To enable it you can follow workaround section 2.4.
1.5 Retry the VMRC connection

Aria Automation Cloud:

Only follow sections 1.4 and 1.5

Note: Using WebMKS requires end users to accept a self-signed or intermediate vCenter certificate the first time in order to establish VMRC connections.

Alternative Flow chart to augment the information in the table above

 


Workaround:

2.1 Steps to validate existing on-prem Aria Automation console proxy configuration:

  • SSH / PuTTY into one vRA virtual appliance in the cluster.
  • View the provisioning service deployment to validate the console proxy configuration.

kubectl -n prelude describe deployment provisioning-service-app | grep -i "Denable.remote-console-proxy"

  • Go to section 1.2

2.2  Steps to disable on-prem Aria Automation console proxy:

 

Prerequisites

  • Take simultaneous non-memory snapshots of each virtual appliance(s) in the cluster.
  • You have access to root user and password.
  • You have SSH or console access to each virtual appliance

 

Procedure

  • SSH / PuTTY into one vRA virtual appliance in the cluster.
  • Edit the provisioning service deployment by running the following command.

kubectl -n prelude edit deployment provisioning-service-app

  • Set the following property in the JAVA_OPTS list to false

-Denable.remote-console-proxy=false

Note: To edit, move the cursor to the line where you want to make the change, and press the i key on the keyboard to enter insert mode. Change the value.
Note: Be careful with spacing, do not use TABs.

  • To save the changes, press the Escape key on the keyboard and then enter :wq. If you make a mistake you can exit without saving by entering :q! instead.
  • Monitor the provisioning-service-app pod restart by running:

watch "kubectl get pods -n prelude|grep -i 'provisioning-service-app'"

  • Once the pods are restarted and in a Ready state, go to section 1.4

 

2.3 Steps to enable on-prem Aria Automation console proxy:

 

Prerequisites
 

  • Take simultaneous non-memory snapshots of each virtual appliance(s) in the cluster.
  • You have access to root user and password.
  • You have SSH or console access to each virtual appliance.

 

Procedure

  • SSH / PuTTY into one vRA virtual appliance in the cluster.
  • Edit the provisioning service deployment by running the following command.

kubectl -n prelude edit deployment provisioning-service-app

  • Set the following property in the JAVA_OPTS list to true

-Denable.remote-console-proxy=true

Note: To edit, move the cursor to the line where you want to make the change, and press the i key on the keyboard to enter insert mode. Change the value.
Note: Be careful with spacing, do not use TABs.

  • To save the changes, press the Escape key on the keyboard and then enter :wq. If you make a mistake you can exit without saving by entering :q! instead.
  • Monitor the provisioning-service-app pod restart by running:

watch "kubectl get pods -n prelude|grep -i 'provisioning-service-app'"

  • Once the pods are restarted and in a Ready state go to section 1.5
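The flag check from sections 2.1 to 2.3 can be scripted so the state is confirmed before and after the edit. The following is an added example, not VMware's tooling: the function names are hypothetical, the sample input is constructed, and the compatibility rule is derived only from the statements in the Cause section, so the version table takes precedence where it differs.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not part of the product.

# Read deployment text on stdin and print the flag state:
#   true | false | unset (flag absent) | conflict (differing or invalid values)
proxy_flag_state() {
    values=$(grep -o -e '-Denable\.remote-console-proxy=[A-Za-z]*' \
        | cut -d= -f2 | tr '[:upper:]' '[:lower:]' | sort -u) || true
    case "$values" in
        '')         echo unset ;;
        true|false) echo "$values" ;;
        *)          echo conflict ;;
    esac
}

# Check a flag state against the vCenter major version using only the Cause
# section: the Aria Automation console proxy supports MKS only, vCenter 6.x/7.x
# support MKS and WebMKS, vCenter 8.x supports WebMKS only.
# Returns 0 = can work, 1 = cannot work, 2 = undecidable from those statements.
proxy_matches_vcenter() {
    case "$1" in true|false) ;; *) return 2 ;; esac
    case "$2" in
        6|7) return 0 ;;
        8)   [ "$1" = false ] ;;
        *)   return 2 ;;
    esac
}

# Constructed sample input; the real deployment layout is not shown on the page.
sample_deployment() {
    cat <<'EOF'
        - name: JAVA_OPTS
          value: -Xmx1g -Denable.remote-console-proxy=true -Dfile.encoding=UTF-8
EOF
}

# Offline demo on the constructed sample. On an appliance, pipe in the output
# of: kubectl -n prelude describe deployment provisioning-service-app
state=$(sample_deployment | proxy_flag_state)
if proxy_matches_vcenter "$state" 8; then
    echo "flag=$state: compatible with vCenter 8.x"
else
    echo "flag=$state: not usable with vCenter 8.x, see sections 2.2 and 2.4"
fi
```

A result of `conflict` means the flag appears more than once with different values or carries a value other than true or false, which is worth resolving before retrying the VMRC connection.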

 

2.4 Steps to enable vCenter console proxy.

 

An alternative option for remote console access is to use the vCenter console proxy, provided the following prerequisites are met:

Prerequisites

  • User machines have network access to the vCenter server.
  • The vCenter console proxy settings are enabled.

Procedure

config.mksdevproxy.connLimit
config.mksdevproxy.enable
config.mksdevproxy.readthrottler
config.mksdevproxy.writethrottler
Example:

 
  • Go to Step 1.5

 

 

Additional Information

Architectural Flow Diagram of Aria Automation Cloud



 

Flow of traffic with vSphere Remote Console Proxy service enabled


3.1 The end user is connected to Aria Automation Cloud using their credentials and is entitled to use the remote console day action. They request remote console access.
3.2 Aria Automation Cloud requests a ticket from the vCenter service. The request goes through the Aria Automation Cloud Proxy and uses the existing vCenter account. On vCenter, the ticket request is checked for the “Virtual machine.Interaction.Console” privilege.
3.3 vCenter answers with the WebMKS ticket URL, which looks like:
mks://vCENTER/remote-console/vm-kkkkkk?ticket=nnnnnnnnnnnnnn/mmmmmmmmmmmmmmmm
This is a one-time ticket with a 2-minute expiration.
3.4 Aria Automation Cloud sends this ticket to the end user's browser, which launches a new browser window for the remote console UI.
3.5 The end user's browser establishes a proxied connection to the ESXi host using the WebMKS ticket through the VMware Remote Console Proxy for vSphere service. This service is disabled by default and must be enabled and configured as per the steps above.

 

Additional Information

https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-vm-administration/GUID-CCE94BE6-106C-4EDF-90C7-D3877889F0CB.html

Impact/Risks:
Users are unable to use the VMware Aria Automation SaaS remote console feature if network access is not available between end-user client browsers and ESXi hosts.