How to set up VNC Proxy
Work in Progress
We are currently working to improve this documentation
This guide assumes the reader is familiar with VNC configuration on the Abiquo Platform as described in the Abiquo Administrator's Guide - Configuring Remote Access to Virtual Machines, the configuration of proxy servers and the configuration of their firewall.
This guide will show you how to set up a VNC proxy to allow the Abiquo user to open a console window on their virtual machines from within the browser where they are running the Abiquo client, while hiding the public IP addresses of the hypervisors from outside networks.
VNC connections opened from the Abiquo client GUI by clicking a virtual machine's eye icon will connect to the VNC proxy, which runs on a host in the DMZ. The VNC proxy redirects these connections to the hypervisor on which the virtual machine is running. Thus there is no direct connection from the client to the hypervisor.
On the proxy host you will need to add one NIC (virtual or physical) for each hypervisor. Each connection to a virtual machine goes to a different port on the hypervisor, which is running a VNC server.
Before configuring the VNC proxy, you should read the Abiquo Documentation on Configuring Remote Access to Virtual Machines.
You will need to run the VNC proxy on a host in your DMZ, and this would typically be the same host as the DMZ X Server.
Enterprise customers can download the vncproxy.zip file from the enterprise directory of the Abiquo Enterprise downloads website. This archive contains the vncproxyd binary file and the vncproxyd.conf file. The binary was compiled on Abiquo 1.8 CentOS build for 32-bit/64-bit compatibility and should work on most machines running Linux.
Add a physical or virtual interface for each hypervisor.
Use the ifconfig command with the following format:
Here, x.x.x.x is the new IP address and y.y.y.y is the netmask. The virtual interface number is nnn. So, for example, if the address of your proxy host is 10.1.1.10 and the netmask is 255.255.255.0 and the virtual interface number is 1000, you would type the following:
Copy /etc/sysconfig/network-scripts/ifcfg-eth0 and give it the name of the newly created interface. Following the example above, you would type this command:
Edit the file to suit your network. Continuing with the above example, you would replace the contents of the file with the following text. Replace IPADDR with your proxy machine's IP address.
Create one file for each of the virtual interfaces you created.
For example, while logged in as root:
The binary file available from Abiquo is compiled for CentOS/Red Hat 5.x 64-bit.
Note that permissions 544 are "read-execute" for root user and "read" for all other users.
Note that permissions 644 are "read-write" for root user and "read" for all other users.
For each hypervisor, add a row for each port (virtual machine) with the following:
Here is a sample vncproxyd.conf file.
The fields in each row are:
Note on Port Numbers:
This step will depend on your firewall configuration. In general, you should allow VNC connections from the DMZ to the hypervisor IPs and ports. Following the above example, you would allow VNC (TCP) connections to the hypervisor hosts with IP addresses 192.168.1.35 and 192.168.1.36 on ports 5900 to 5915.
To use a different port range from the default (5900-65534), set the abiquo.vncport.min and .max properties in Abiquo Configuration Properties. Check the recommendations for your hypervisor. See Configuring Remote Access to Virtual Machines.
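The firewall step above can be expressed as a small rule generator. This is an added example, not part of the Abiquo guide or its tooling. It assumes the firewall between the DMZ and the hypervisor network is a Linux host filtering with iptables in the FORWARD chain, that the DMZ subnet is 10.1.1.0/24 (derived from the guide's 10.1.1.10 / 255.255.255.0 example), and that nothing else in the DMZ needs to reach the hypervisors. The function name vnc_forward_rules is hypothetical.

```shell
#!/bin/sh
# Added example (not Abiquo code): print iptables rule specifications that
# allow only VNC from the DMZ to the hypervisors, in the order they must load.
# Assumptions: Linux firewall using the FORWARD chain; DMZ subnet 10.1.1.0/24.

DMZ_NET="10.1.1.0/24"                     # assumed from 10.1.1.10 / 255.255.255.0
HYPERVISORS="192.168.1.35 192.168.1.36"   # hypervisor IPs from the guide's example
PORT_MIN=5900                             # VNC port range from the guide's example
PORT_MAX=5915

# vnc_forward_rules SRC_NET PORT_MIN PORT_MAX HYPERVISOR_IP...
vnc_forward_rules() {
    src=$1; pmin=$2; pmax=$3
    [ $# -gt 3 ] || { echo "usage: vnc_forward_rules SRC MIN MAX HV_IP..." >&2; return 1; }
    shift 3
    # Reject non-numeric ports before they reach a rule.
    for p in "$pmin" "$pmax"; do
        case $p in
            ''|*[!0-9]*) echo "port '$p' is not a number" >&2; return 1 ;;
        esac
    done
    if [ "$pmin" -lt 1 ] || [ "$pmax" -gt 65535 ] || [ "$pmin" -gt "$pmax" ]; then
        echo "invalid port range $pmin-$pmax" >&2; return 1
    fi
    # Replies for connections that were already allowed.
    printf '%s\n' "-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
    # New VNC (TCP) connections from the DMZ to each hypervisor, range only.
    for hv in "$@"; do
        printf '%s\n' "-A FORWARD -p tcp -s $src -d $hv --dport $pmin:$pmax -m state --state NEW -j ACCEPT"
    done
    # Everything else from the DMZ to the hypervisors is dropped (assumed policy).
    for hv in "$@"; do
        printf '%s\n' "-A FORWARD -s $src -d $hv -j DROP"
    done
}

# Print the rules for review; each line is the argument list for one iptables call.
vnc_forward_rules "$DMZ_NET" "$PORT_MIN" "$PORT_MAX" $HYPERVISORS
```

If you change abiquo.vncport.min and .max, pass the same range here so the firewall and the platform stay in agreement.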
Following on with the example above, the first hypervisor IP management address is 192.168.1.35 and the Service IP would be 10.1.1.10, which is the IP of the proxy server.
If the VNC configuration file needs to be modified (/etc/vncproxyd.conf) you must restart the VNC service with the following command:
Any VNC console connections from the Abiquo client GUI to virtual machines by clicking the eye icon will now go to the DMZ host IP and the redirection will send the request to the hypervisor.