VMware Cloud Director VM Web Console fails to connect with "Disconnected" status

Article ID: 432072

Products

VMware Cloud Director

Issue/Introduction

In the VMware Cloud Director (VCD) Tenant Portal, when launching a Virtual Machine (VM) web console, the connection fails to establish and immediately displays a "Disconnected" status.

Symptoms
The following errors are recorded in the browser's Developer Tools Console tab:

  • WebSocket connection to 'wss://<VCD_FQDN>/443;cst-...' failed
  • wmks-console.js:81 Error occurred jQuery.Event {type: 'wmkserror', ...}

Additionally:

  • No entries related to the affected session are found in the VCD Cell logs (console-proxy.log or request.log).
  • When inspecting the SSL certificate in the browser, the certificate presented is different from the original certificate configured on the VCD Cell/Load Balancer.

Environment

VMware Cloud Director 10.x

Cause

This issue occurs because a proxy server or security appliance between the client and the VCD Cell is performing SSL/TLS Inspection (SSL Decryption).

VCD utilizes Certificate Pinning for Web Console (WSS) connections. The console connection URL generated by VCD contains the expected SHA-1 thumbprint of the VCD certificate.
When a proxy intercepts the traffic and replaces the certificate with its own for decryption purposes, the thumbprint received by the browser no longer matches the one specified in the URL.
Consequently, the browser's security mechanism identifies the connection as untrusted and terminates the WebSocket session immediately.

Resolution

To resolve this issue, exclude the communication from the client terminal to the VCD Cell from proxy mediation and SSL decryption as follows:

  1. Proxy Bypass Configuration:
    Configure the VCD FQDN to be excluded from proxy settings.
  2. SSL Inspection Exclusion:
    Disable SSL decryption for the VCD destination (FQDN and Port 443) on network security devices such as Proxies, Firewalls, or IPS.
  3. WebSocket Authorization:
    Ensure that the WSS protocol and its associated headers are allowed to pass through the network path without modification.
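To confirm from a client network whether the path to VCD is still subject to SSL inspection, the following added example (not part of the original article or of VMware's tooling) compares the SHA-1 thumbprint of the certificate the client actually receives with the thumbprint of the certificate configured on the VCD Cell/Load Balancer. The function names, the script and PEM file names, and the command-line arguments are assumptions made for illustration.

```python
import hashlib
import socket
import ssl
import sys


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER-encoded certificate, as colon-separated upper-case hex."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def normalize(thumbprint: str) -> str:
    """Keep only the hex digits so 'AA:BB', 'aa bb' and 'aabb' compare equal."""
    return "".join(c for c in thumbprint.lower() if c in "0123456789abcdef")


def fetch_presented_der(host: str, port: int = 443, timeout: float = 10.0) -> bytes:
    """Return the leaf certificate this client receives, without validating it."""
    # Validation is off on purpose: the goal is to read whichever certificate
    # is presented (the original or an inspection device's), not to trust it.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


def compare(presented_der: bytes, expected_thumbprint: str) -> dict:
    """Compare the presented certificate with the thumbprint configured on VCD."""
    presented = sha1_thumbprint(presented_der)
    return {
        "presented": presented,
        "expected": expected_thumbprint,
        "intercepted": normalize(presented) != normalize(expected_thumbprint),
    }


if __name__ == "__main__":
    # Assumed usage: python check_vcd_cert.py <VCD_FQDN> vcd-cert.pem
    # The PEM file is assumed to hold only the VCD leaf certificate.
    host, pem_path = sys.argv[1], sys.argv[2]
    with open(pem_path) as f:
        expected = sha1_thumbprint(ssl.PEM_cert_to_DER_cert(f.read().strip()))
    result = compare(fetch_presented_der(host), expected)
    print(result)
    sys.exit(1 if result["intercepted"] else 0)
```

The script opens a direct TCP connection, so it reveals transparent inspection on the network path; it does not pass through an explicit proxy configured only in the browser, which still has to be checked in the browser's certificate viewer.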

Additional Information

VMware Cloud Director virtual machine Web console shows "Disconnected" and fails to connect