How to disable access to the Managed Object Browser in vCenter Server.
Article ID: 320012
Updated On: 09-19-2024
Products
VMware vCenter Server
Issue/Introduction
This article provides steps to disable access to the Managed Object Browser in vCenter Server.
Environment
VMware vCenter Server 6.x
VMware vCenter Server 7.x
VMware vCenter Server 8.x
Cause
Certain security protocols require the deactivation of the /mob and/or /lookupservice/mob endpoints on vCenter Server.
Resolution
Edit the configuration files so that the reverse proxy does not create the Managed Object Browser endpoints at startup.
Disable /mob endpoint on vCenter Server 6.x
The location of the configuration file is:
- Appliance: /etc/vmware-rhttpproxy/endpoints.conf.d/vpxd-rhttpproxy-endpoint.conf
- Windows: "%VMWARE_CFG_DIR%"\vmware-rhttpproxy\endpoints.conf.d\vpxd-rhttpproxy-endpoint.conf
Find the line that defines the endpoint:
- Appliance: /mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
- Windows: /mob namedpipe \\.\pipe\vmware-vpxd-mob-pipe redirect allow
Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
- Appliance: #/mob namedpipe /var/run/vmware/vpxd-mob-pipe redirect allow
- Windows: #/mob namedpipe \\.\pipe\vmware-vpxd-mob-pipe redirect allow
Save the file and restart the service:
- Appliance: service-control --stop vmware-rhttpproxy && service-control --start vmware-rhttpproxy
- Windows: "%VMWARE_CIS_HOME%"\bin\service-control --stop rhttpproxy && "%VMWARE_CIS_HOME%"\bin\service-control --start rhttpproxy
Disable the /lookupservice/mob endpoint
The location of the configuration file is:
- Appliance: /etc/vmware-rhttpproxy/endpoints.conf.d/vmidentity.conf
- Windows: "%VMWARE_CFG_DIR%"\vmware-rhttpproxy\endpoints.conf.d\vmidentity.conf
Find the line that defines the endpoint:
/lookupservice/sdk local 7080 reject allow
Add a pound sign (#) at the beginning of the line to prevent the reverse proxy from creating the endpoint at service startup:
#/lookupservice/sdk local 7080 reject allow
Save the file and restart the service:
- Appliance: service-control --stop vmware-rhttpproxy && service-control --start vmware-rhttpproxy
- Windows: "%VMWARE_CIS_HOME%"\bin\service-control --stop rhttpproxy && "%VMWARE_CIS_HOME%"\bin\service-control --start rhttpproxy
Disable the mob on vCenter Server 7.x and vCenter Server 8.x
- Take a backup of the vpxd.cfg file: cp /etc/vmware-vpx/vpxd.cfg /var/core/vpxd.cfg
- Open the vpxd.cfg config file using a text editor: vi /etc/vmware-vpx/vpxd.cfg
- Add the "<enableDebugBrowse>false</enableDebugBrowse>" entry as shown.
For example:
<vpxd>
...
...
<enableDebugBrowse>false</enableDebugBrowse>
...
...
</vpxd>
- Restart the vpxd service for the changes to take effect: service-control --restart vmware-vpxd
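To confirm the edits above are in place after a change or an upgrade, the following read-only audit script checks the appliance files named in this article. It is an added example, not part of the original article or VMware tooling; the function names, the state labels and the optional ROOT argument are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the KB article: read-only audit of the MOB settings.

# endpoint_state FILE ENDPOINT: "enabled" if an uncommented line defines
# ENDPOINT, "disabled" if the line is commented out or absent.
endpoint_state() {
    [ -r "$1" ] || { echo "missing-file"; return 0; }
    if grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"; then
        echo "enabled"
    else
        echo "disabled"
    fi
}

# vpxd_mob_state FILE: "disabled" only if the last enableDebugBrowse element
# holds exactly "false"; "unset" if absent. XML comments are not parsed.
vpxd_mob_state() {
    [ -r "$1" ] || { echo "missing-file"; return 0; }
    value=$(sed -n 's#.*<enableDebugBrowse>[[:space:]]*\([^<[:space:]]*\)[[:space:]]*</enableDebugBrowse>.*#\1#p' "$1" | tail -n 1)
    case "$value" in
        false) echo "disabled" ;;
        "")    echo "unset" ;;
        *)     echo "not-disabled" ;;
    esac
}

# audit_mob [ROOT]: print one line per setting. ROOT (hypothetical parameter,
# default empty) prefixes the paths so a copied config tree can be checked.
# Returns 1 if any setting is explicitly left on; "unset" and "missing-file"
# are reported for the operator to judge against the installed version.
audit_mob() {
    root=${1:-}
    ep_dir="$root/etc/vmware-rhttpproxy/endpoints.conf.d"
    rc=0
    for check in \
        "6.x /mob|$(endpoint_state "$ep_dir/vpxd-rhttpproxy-endpoint.conf" /mob)" \
        "6.x /lookupservice/sdk|$(endpoint_state "$ep_dir/vmidentity.conf" /lookupservice/sdk)" \
        "7.x/8.x enableDebugBrowse|$(vpxd_mob_state "$root/etc/vmware-vpx/vpxd.cfg")"
    do
        echo "${check%%|*}: ${check##*|}"
        case "${check##*|}" in enabled|not-disabled) rc=1 ;; esac
    done
    return "$rc"
}

# Run against the live paths only when they exist (i.e. on an appliance).
if [ -d /etc/vmware-vpx ]; then audit_mob; fi
```

A non-zero exit status makes the script usable in a scheduled compliance check, since configuration files can be rewritten during patching.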