How to disable access to the Managed Object Browser in vCenter Server.
Article ID: 320012
Updated On:
Products
VMware vCenter Server
Issue/Introduction
This article provides steps to disable access to the Managed Object Browser in vCenter Server.
Environment
VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x
Cause
There are certain security protocols that requires the deactivation of the /mob and/or /lookupservice/mob endpoints on vCenter Server.
Resolution
Edit the configuration files so that the reverse proxy does not create the Managed Object Browser endpoints at startup.
Disable /mob endpoint on vCenter Server 6.x
The location of the configuration file is:
Find the line that defines the endpoint:
Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
Save the file and restart the service:
Disable the /lookupservice/mob endpoint
The location of the configuration file is:
Find the line that defines the endpoint:
/lookupservice/sdk local 7080 reject allow
Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
#/lookupservice/sdk local 7080 reject allow
Save the file and restart the service:
Disable the mob on vCenter Server 7.x and vCenter Server 8.x
Disable /mob endpoint on vCenter Server 6.x
The location of the configuration file is:
- Appliance: /etc/vmware-rhttpproxy/endpoints.conf.d/vpxd-rhttpproxy-endpoint.conf
- Windows: "%VMWARE_CFG_DIR%"\vmware-rhttpproxy\endpoints.conf.d\vpxd-rhttpproxy-endpoint.conf
Find the line that defines the endpoint:
- Appliance: /mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
- Windows: /mob namedpipe \\.\pipe\vmware-vpxd-mob-pipe redirect allow
Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
- Appliance: #/mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
- Windows: #/mob namedpipe \\.\pipe\vmware-vpxd-mob-pipe redirect allow
Save the file and restart the service:
- Appliance: service-control --stop vmware-rhttpproxy && service-control --start vmware-rhttpproxy
- Windows: "%VMWARE_CIS_HOME%"\bin\service-control --stop rhttpproxy && "%VMWARE_CIS_HOME%"\bin\service-control --start rhttpproxy
Disable the /lookupservice/mob endpoint
The location of the configuration file is:
- Appliance: /etc/vmware-rhttpproxy/endpoints.conf.d/vmidentity.conf
- Windows: "%VMWARE_CFG_DIR%"\vmware-rhttpproxy\endpoints.conf.d\vmidentity.conf
Find the line that defines the endpoint:
/lookupservice/sdk local 7080 reject allow
Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
#/lookupservice/sdk local 7080 reject allow
Save the file and restart the service:
- Appliance: service-control --stop vmware-rhttpproxy && service-control --start vmware-rhttpproxy
- Windows: "%VMWARE_CIS_HOME%"\bin\service-control --stop rhttpproxy && "%VMWARE_CIS_HOME%"\bin\service-control --start rhttpproxy
Disable the mob on vCenter Server 7.x and vCenter Server 8.x
- Take a backup of the vpxd.cfg file: cp /etc/vmware-vpx/vpxd.cfg /var/core/vpxd.cfg
- Open the vpxd.cfg config file using a text editor: vi /etc/vmware-vpx/vpxd.cfg
- Add the "<enableDebugBrowse>false</enableDebugBrowse>" entry as shown.
For example:
<vpxd>
...
...
<enableDebugBrowse>false</enableDebugBrowse>
...
...
</vpxd>
- Restart the vpxd service for the changes to take effect: service-control --restart vmware-vpxd
Additional Information
Feedback
Yes
No
Powered by
