How to disable access to the Managed Object Browser in vCenter Server.

Article ID: 320012

Updated On: 09-19-2024

Products

VMware vCenter Server

Issue/Introduction

This article provides steps to disable access to the Managed Object Browser in vCenter Server. 

Environment

VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x

 

Cause

Certain security protocols require the deactivation of the /mob and/or /lookupservice/mob endpoints on vCenter Server.

Resolution

Edit the configuration files so that the reverse proxy does not create the Managed Object Browser endpoints at startup.

Disable /mob endpoint on vCenter Server 6.x
The location of the configuration file is:
  • Appliance: /etc/vmware-rhttpproxy/endpoints.conf.d/vpxd-rhttpproxy-endpoint.conf
  • Windows: "%VMWARE_CFG_DIR%"\vmware-rhttpproxy\endpoints.conf.d\vpxd-rhttpproxy-endpoint.conf

Find the line that defines the endpoint:
  • Appliance: /mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
  • Windows: /mob namedpipe \\.\pipe\vmware-vpxd-mob-pipe redirect allow

Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
  • Appliance: #/mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
  • Windows: #/mob namedpipe \\.\pipe\vmware-vpxd-mob-pipe redirect allow

Save the file and restart the service:
  • Appliance: service-control --stop vmware-rhttpproxy && service-control --start vmware-rhttpproxy
  • Windows: "%VMWARE_CIS_HOME%"\bin\service-control --stop rhttpproxy && "%VMWARE_CIS_HOME%"\bin\service-control --start rhttpproxy

Disable the /lookupservice/mob endpoint

The location of the configuration file is:
  • Appliance: /etc/vmware-rhttpproxy/endpoints.conf.d/vmidentity.conf
  • Windows: "%VMWARE_CFG_DIR%"\vmware-rhttpproxy\endpoints.conf.d\vmidentity.conf

Find the line that defines the endpoint:

/lookupservice/sdk local 7080 reject allow


Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:

#/lookupservice/sdk local 7080 reject allow


Save the file and restart the service:
  • Appliance: service-control --stop vmware-rhttpproxy && service-control --start vmware-rhttpproxy
  • Windows: "%VMWARE_CIS_HOME%"\bin\service-control --stop rhttpproxy && "%VMWARE_CIS_HOME%"\bin\service-control --start rhttpproxy

Disable the mob on vCenter Server 7.x and vCenter Server 8.x
  • Take a backup of the vpxd.cfg file: cp /etc/vmware-vpx/vpxd.cfg /var/core/vpxd.cfg
  • Open the vpxd.cfg config file using a text editor: vi /etc/vmware-vpx/vpxd.cfg
  • Add the "<enableDebugBrowse>false</enableDebugBrowse>" entry as shown. 

For example:

<vpxd>
...
...
<enableDebugBrowse>false</enableDebugBrowse>
...
...
</vpxd>

  • Restart the vpxd service for the changes to take effect: service-control --restart vmware-vpxd
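
The edits described above can be applied and audited from a shell. The following is an added example, not VMware's own tooling: it comments out an endpoint line idempotently with a backup and checks vpxd.cfg for the enableDebugBrowse entry. The function names are hypothetical and the sample files are constructed; on a real appliance, pass the file paths given in this article.

```shell
#!/bin/sh
# Added example: helper names are hypothetical; callers pass the file paths.

# Exit 0 if FILE still has an active (uncommented) line whose first field is ENDPOINT.
endpoint_active() {
    awk -v ep="$2" '$1 == ep { found = 1 } END { exit !found }' "$1"
}

# Comment out ENDPOINT in FILE, keeping a copy as FILE.bak. Safe to re-run.
disable_endpoint() {
    endpoint_active "$1" "$2" || return 0      # nothing left to disable
    cp -p "$1" "$1.bak" || return 1
    awk -v ep="$2" '$1 == ep { print "#" $0; next } { print }' "$1.bak" > "$1"
}

# Exit 0 if the vpxd.cfg at FILE sets enableDebugBrowse to false.
# This is a text match, not an XML parse.
debug_browse_disabled() {
    grep -Eq '<enableDebugBrowse>[[:space:]]*false[[:space:]]*</enableDebugBrowse>' "$1"
}

# Constructed sample files so the example runs away from a real appliance.
demo_dir=$(mktemp -d)
cat > "$demo_dir/endpoint.conf" <<'EOF'
/constructed-example local 9999 reject allow
/mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
EOF
printf '<vpxd>\n<enableDebugBrowse>false</enableDebugBrowse>\n</vpxd>\n' \
    > "$demo_dir/vpxd.cfg"

disable_endpoint "$demo_dir/endpoint.conf" /mob
if endpoint_active "$demo_dir/endpoint.conf" /mob; then
    echo "/mob: still active"
else
    echo "/mob: disabled"
fi
if debug_browse_disabled "$demo_dir/vpxd.cfg"; then
    echo "enableDebugBrowse: false"
else
    echo "enableDebugBrowse: not set to false"
fi
rm -rf "$demo_dir"
```

The file changes take effect only after the service restart given in the steps above.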