Disabling the Web Access log in page, MOB, and Datastore Browser on an ESX or ESXi host

Article ID: 341080


Products

VMware vSphere ESXi

Issue/Introduction

Symptoms:
  • Preparing an ESXi host for vCloud Director fails with a broken pipe error.
  • In the vcloud-container-debug.log file on the vCD cell, you see entries similar to:
YYYY-MM-DD TIME ,886 | ERROR | pool-preparehost-9035-thread-2 | EsxCliAgentBundle | Failed to copy agent binary /opt/vmware/vcloud-director/agent/vcloudagent-esx51-5.1.0-799577.vib on xxx.domain.com | vcd=a6162db1-a9a3-44ec-9a47-0bbf6c046a39,task=3e459c94-94fc-3a78-8c7b-c853b7c9f5a5
java.io.IOException: java.net.SocketException: Broken pipe
...
Caused by: java.net.SocketException: Broken pipe


 
Note:
  • ESX/ESXi 4.x hosts are also affected when they are managed by vCenter Server 5.0.
  • The preceding log excerpts are only examples. Date, time, and environmental variables may vary depending on your environment.
     
 


Environment

VMware vSphere ESXi 5.0
VMware ESXi 3.5.x Embedded
VMware ESX 4.1.x
VMware vSphere ESXi 6.0
VMware ESXi 4.0.x Embedded
VMware ESXi 4.1.x Installable
VMware ESXi 3.5.x Installable
VMware ESXi 4.1.x Embedded
VMware ESX 4.0.x
VMware vSphere ESXi 5.1
VMware vSphere ESXi 5.5
VMware ESX Server 3.5.x
VMware ESXi 4.0.x Installable

Resolution

To resolve this issue, disable the Web Access login page for an ESXi 5.x, ESXi/ESX 4.x, or 3.5 host in a security-hardened environment.
 
Note: These changes do not persist after a reboot on ESXi 5.5 prior to Update 2. For more information, see:

Note: VMware recommends that you take a text backup of the ESXi/ESX host web access configuration before modifying it. The backup may be useful if you want to re-enable these features in the future.

To back up the web access configuration, run these commands:

To disable the Web Access login page:
 
Caution: VMware recommends that you do not disable the Web Access login page on ESXi 5.0 prior to Update 2, because doing so breaks vSphere HA, log collection, and the error messages collected by the MOB over port 443.
  1. Connect to the ESXi/ESX host directly.
  2. Run these commands:
     
    • ESX 3.5, 4.0:

      vmware-vim-cmd proxysvc/remove_service "/ui" "httpsWithRedirect"
       
    • ESXi 3.x, 4.x, 5.x:

      vim-cmd proxysvc/remove_service "/ui" "httpsWithRedirect"

To re-enable the Web Access login page:
  1. Connect to the ESXi/ESX host directly.
  2. Run these commands:
     
    • ESX 3.5:

      vmware-vim-cmd proxysvc/add_tcp_service "/ui" httpsWithRedirect localhost 8080
       
    • ESX 4.x:

      vmware-vim-cmd proxysvc/add_tcp_service "/ui" httpsWithRedirect localhost 8308
       
    • ESXi 4.x and ESXi 5.x:

      vim-cmd proxysvc/add_tcp_service "/ui" httpsWithRedirect localhost 8308

To disable an ESXi/ESX host's Managed Object Browser (MOB):
  1. Connect to the ESXi/ESX host directly.
  2. Run these commands:
     
    • ESX 4.x:

      vmware-vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"
       
    • ESXi 4.x, 5.x, and 6.0:

      vim-cmd proxysvc/remove_service "/mob" "httpsWithRedirect"
       
    Notes:
  • You may have cached information in your web browser.
  • In vSphere 6.0, the MOB is disabled by default. For more information, see The Managed Object Browser is disabled by default in vSphere 6.0 (2108405).
    In vSphere 6.0, the Advanced System Setting Config.HostAgent.plugins.solo.enableMob is used to enable or disable the MOB. This variable also exists in vSphere 5.5, but it is read only and cannot be used to enable or disable the MOB. If you disable the MOB on an ESXi 5.5 host using the steps above, the value of the Config.HostAgent.plugins.solo.enableMob variable remains true.

To re-enable an ESXi/ESX host's Managed Object Browser (MOB):
  1. Connect to the ESXi/ESX host directly.
  2. Run these commands:
     
    • ESX 4.x:

      vmware-vim-cmd proxysvc/add_np_service "/mob" httpsWithRedirect /var/run/vmware/proxy-mob
       
    • ESXi 4.x, 5.x, and 6.0:

      vim-cmd proxysvc/add_np_service "/mob" httpsWithRedirect /var/run/vmware/proxy-mob

To disable the Host Welcome login web page:
  1. Connect to the ESXi/ESX host directly.
  2. Run these commands:
     
    • ESX 4.x:

      vmware-vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"
       
    • ESXi 4.x, ESXi 5.x, ESXi 6.0:

      vim-cmd proxysvc/remove_service "/" "httpsWithRedirect"

Note:

  • Running this command in turn disables the Datastore Browser as well.
  • This does not disable the vSphere Web Services SDK. See vmware-vim-cmd proxysvc/service_list.
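
To confirm the result of the removals above, the following added example (not part of the VMware article) parses proxysvc/service_list output and reports which of the namespaces removed in this article are still registered. The output layout, the sample listing (including the /sdk entry on port 8307) and the function names are assumptions constructed for illustration.

```shell
# Added example (not from the KB). Assumption: service_list prints one "{ ... }" block
# per endpoint with serverNamespace, accessMode and either port or pipeName.
# Namespaces this article removes: Web Access, MOB, Host Welcome/Datastore Browser.
HARDENED_NAMESPACES='/ui /mob /'

# Constructed sample: a host where only "/ui" has been removed so far.
sample_service_list() {
    cat <<'EOF'
(vim.ProxyService.EndpointSpec) [
   (vim.ProxyService.LocalServiceSpec) {
      serverNamespace = "/",
      accessMode = "httpsWithRedirect",
      port = 8309,
   },
   (vim.ProxyService.NamedPipeServiceSpec) {
      serverNamespace = "/mob",
      accessMode = "httpsWithRedirect",
      pipeName = "/var/run/vmware/proxy-mob",
   },
   (vim.ProxyService.LocalServiceSpec) {
      serverNamespace = "/sdk",
      accessMode = "httpsWithRedirect",
      port = 8307,
   }
]
EOF
}

# Print "<namespace> <accessMode> <backend>" for each endpoint block on stdin.
list_endpoints() {
    awk '
        function val(s) { sub(/^[^=]*= */, "", s); sub(/,[ \t]*$/, "", s); gsub(/"/, "", s); return s }
        /^[ \t]*serverNamespace[ \t]*=/ { ns = val($0) }
        /^[ \t]*accessMode[ \t]*=/      { mode = val($0) }
        /^[ \t]*port[ \t]*=/            { backend = "tcp:" val($0) }
        /^[ \t]*pipeName[ \t]*=/        { backend = "pipe:" val($0) }
        /^[ \t]*[}]/ { if (ns != "") print ns, mode, backend; ns = mode = backend = "" }
    '
}

# Print each hardened namespace that is still registered. The match is exact:
# a substring search for "/" would also hit "/sdk", which the article leaves enabled.
still_exposed() {
    list_endpoints | while read -r ns mode backend; do
        case " $HARDENED_NAMESPACES " in *" $ns "*) echo "$ns" ;; esac
    done
}
# Demo on the constructed sample; prints "/" and "/mob".
sample_service_list | still_exposed
```

On a host, feed it live output instead of the sample: vim-cmd proxysvc/service_list | still_exposed. An empty result means none of the three namespaces is registered any longer.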

To re-enable the Host Welcome login web page:
  1. Connect to the ESXi/ESX host directly.
  2. Run these commands:
     
    • ESX 3.5:

      vmware-vim-cmd proxysvc/add_np_service "/" httpsWithRedirect /var/run/vmware/proxy-webserver
       
    • ESX 4.x:

      vmware-vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309
       
    • ESXi 4.x, ESXi 5.x and ESXi 6.0:

      vim-cmd proxysvc/add_tcp_service "/" httpsWithRedirect localhost 8309

Note: Running this command in turn enables the Datastore Browser as well.

Additional Information

For more information on security hardening, see the VMware Security Hardening Guides page.
Tech Support Mode for Emergency Support
Using Tech Support Mode in ESXi 4.1, ESXi 5.x, and ESXi 6.x
Connecting to an ESX host using an SSH client
Cannot configure HA after disabling the Host Welcome login page on an ESXi host
vSphere Client fails to export log bundles when ESX/ESXi host’s Web Access login page is disabled
The Managed Object Browser is disabled by default in vSphere 6.x