The following factors are the usual causes of connectivity issues with vCloud VMRC consoles.
NTP
ESXi Hosts, vCenter Server, vCloud Cells and database servers should be able to communicate effectively. If the time setting on one of these entities is inaccurate by even a few seconds, a request can be interpreted as being in the future, that is, the destination entity has a time setting behind that of the source.
Ensure that a single time source serves all the hosts. If that source suffers time slip, the servers still remain synchronized with each other, because in that situation all the servers have the identical incorrect time setting.
DNS
It is essential that all facets of DNS resolve correctly in the environment, because SSL certificates rely on DNS resolving the IP addresses of the device instances to their FQDNs.
Public Address Configuration
If vCloud Director must be publicly accessible, configure Public Address within the vCloud Director UI. To configure this setting, go to System > Administration > Public Addresses: Console Proxy. The end client needs to be able to resolve this address to a corresponding Console Proxy address configured on your vCloud Cell. If this field is not populated, your client is given an Internal/Private IP of the responding Cell, to which it must connect.
SSL certificates
The certificates come in two formats: self-signed or Certificate Authority (CA) signed.
Note: In vCloud Director for Service Providers 5.6.x and 8.0, if you use a self-signed certificate, the VMRC will be disconnected. To connect, open a web browser, go to the consoleproxy IP or DNS name, and accept the certificate as trusted.
If the certificate is self-signed, it contains a single link in the certificate chain: a Root certificate, which needs to be added to the Trusted Root Store within your client's operating system. The browser uses it to validate the chain when connecting. Self-signed certs may need to contact Microsoft to validate; this generally takes place every 60 days.
If the certificate is CA signed, it contains multiple links in the certificate chain: a Root and one or more Intermediate certificates, which need to be added to the Trusted Root and Trusted Intermediate Stores within your client's operating system. If any part of the chain is not present in the Trusted Stores, the chain is not trusted. CA-signed certs may require internet access to validate the CA (the signing authorities, if not already added to the local browsers) and to check revocation lists.
The Common Name (CN) value of the certificate needs to match the FQDN of the Console Proxy exactly. The only time this does not apply is when Subject Alt Name is used in the certificate, in which case the CN is ignored. The Subject Alt Name contains the FQDN as well as other information you wish to match.
Note: When creating or requesting certificates, make the CN unique. Because it is used to validate against an FQDN, it would not make sense for two IPs in your environment to map to the same FQDN/Domain Name.
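The CN and Subject Alt Name rule above, as an added example (not VMware code): given a certificate in the dict form returned by Python's ssl.SSLSocket.getpeercert(), it reports whether the name a client checks matches the Console Proxy FQDN. The function name, the sample certificates and the name vcd.company.com are constructed for illustration.

```python
# Added example. The dict layout matches what ssl.SSLSocket.getpeercert()
# returns; the sample certificates below are constructed for illustration.

def _norm(name):
    """DNS names compare case-insensitively; drop a trailing root dot."""
    return name.rstrip(".").lower()

def check_console_proxy_name(cert, fqdn):
    """Return (ok, reason) for the CN/SAN rule described in this section."""
    want = _norm(fqdn)
    sans = cert.get("subjectAltName", ())
    if sans:
        # A Subject Alt Name is present, so the CN is ignored entirely.
        dns_names = [_norm(value) for kind, value in sans if kind == "DNS"]
        if want in dns_names:
            return True, "SAN lists " + want
        return False, "SAN present without %s; CN is ignored" % want
    # No SAN: the CN has to equal the Console Proxy FQDN exactly.
    cns = [value for rdn in cert.get("subject", ())
           for key, value in rdn if key == "commonName"]
    if len(cns) == 1 and _norm(cns[0]) == want:
        return True, "CN equals " + want
    return False, "no SAN and CN %s does not equal %s" % (cns, want)

FQDN = "console.company.com"  # Console Proxy FQDN used as the page's example
SAMPLES = {  # constructed certificates
    "cn_only_match": {"subject": ((("commonName", "console.company.com"),),)},
    "cn_only_mismatch": {"subject": ((("commonName", "vcd.company.com"),),)},
    "san_match": {
        "subject": ((("commonName", "vcd.company.com"),),),
        "subjectAltName": (("DNS", "vcd.company.com"),
                           ("DNS", "console.company.com")),
    },
    # CN looks right, but the SAN takes precedence and lacks the FQDN.
    "san_overrides_cn": {
        "subject": ((("commonName", "console.company.com"),),),
        "subjectAltName": (("DNS", "vcd.company.com"),),
    },
}

if __name__ == "__main__":
    for label, cert in SAMPLES.items():
        ok, reason = check_console_proxy_name(cert, FQDN)
        print("%-18s %-5s %s" % (label, "OK" if ok else "FAIL", reason))
```

The san_overrides_cn case is the one that surprises people: the CN is correct, but the check still fails because the Subject Alt Name does not list the Console Proxy FQDN.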
Client Browser Proxies
If you are using a proxy for internet access on a client local to VCD within the private infrastructure, you may need to omit or exclude the console proxy target address in the Proxy Configuration of the local browser. If you do not wish for the Console Proxy address to be resolved externally, you need to add the FQDN of the Console Proxy to the exclusion list. If the FQDN is console.company.com, nothing other than this string is sufficient.
Local Java Client
To test whether there are underlying BEAN or JDBC errors in the connection chains, add the target Cloud URL to the exclusion list on the Security tab of the local Java console, found in the Windows Control Panel, and drop the security setting to low for test purposes.
Notes:
- Only the 32-bit version of Java is supported. Ensure that the client is not engaging the x64 version of the app. If both are installed on the client, uninstall the 64-bit version.
- If all the checks pass, gather the VCD logs as well as the VMRC client-side logs. Open a Support Request with VMware Technical Support and attach the logs to the Support Request. For more information on collecting the VCD log bundle, see Collecting diagnostic information for VMware products (1008524).
- For more information on collecting the Cloud Director VMRC client log files, see Location of vCloud Director VMRC client log files (2001071).