This post explores the new ESXi 6.0 Lockdown option “Strict Lockdown Mode”, in which the DCUI is disabled and each ESXi 6.0 host can only be managed through vCenter Server. If you use “Strict Lockdown Mode”, you must recognise and mitigate the operational risk of a vCenter Server failure through your availability and recoverability design: with vCenter Server unavailable, the DCUI is no longer a fallback for reaching the host.
If “Strict Lockdown Mode” is enabled on an ESXi 6.0 host, you will get the following error messages when you try to connect:
- From the DCUI – pressing F2 to log in will report “Authentication Denied – Direct console access has been disabled by the administrator of <FQDN>”.
- From the vSphere Client – pressing the login button will report “Error Connecting – The vSphere Client could not connect to <IP address/FQDN>. You do not have permission to login to the server: <IP address/FQDN>”.
You can configure “Strict Lockdown” when adding an ESXi 6.0 host to vCenter Server:
- Login to the vSphere Web Client and enter the administrator credentials.
- The vSphere Web Client will open to the “Home” screen. Select “Hosts and Clusters” and right mouse click on the “Datacenter” or “Cluster” object and then select “Add Host”.
- In the “Name and location” window, enter the “Host name or IP address” and press “Next”.
- In the “Connection settings” window, enter the “User name”/”Password” and press “Next”.
- In the “Host Summary” window, press “Next”.
- In the “Assign license” window, press “Next”.
- In the “Lockdown mode” window, select “Strict”, press “OK” to the popup message and press “Next”.
- In the “VM location” window, press “Next”.
- In the “Ready to complete” window, verify the settings and then press “Finish”.
- The ESXi 6.0 host will now be added to the Datacenter or Cluster object and be ready for continued configuration and customisation.
- Note – from the DCUI you can only enable “Normal Lockdown”. This makes sense, because without a vCenter Server, “Strict Lockdown” would lock you out of the host.
- Note – enabling Lockdown does not terminate existing DCUI, SSH and vSphere Client sessions; it is enforced for those users only once they log out.
- Note – when you place the host in “Maintenance Mode” and “Remove From Inventory”, “Lockdown” is automatically disabled.
You can also configure “Strict Lockdown” for an existing ESXi 6.0 host within vCenter Server:
- Login to the vSphere Web Client and enter the administrator credentials. The vSphere Web Client will open to the “Home” screen.
- Select “Hosts and Clusters” and select the ESXi 6.0 host in the “Datacenter” or “Cluster” object.
- Press the “Manage” menu item, then the “Settings” object and select “Security Profile”.
- Scroll down to the “Lockdown Mode” section and press the “Edit” button.
- In the “Lockdown Mode” window, select “Strict”, press “OK” to the popup message and then press “OK” in the main window.
- If you have third-party integrations or administrators that need direct access to the host during Lockdown, you need to add those accounts to the “Exception Users” list. The list does not grant any privileges by itself: an account on it keeps the permissions it already has on the host, so an exception user who is not already an Administrator on the host will still be unable to log in.
- In the “Exception Users” window, select the green “+” button to add users and then press “OK”.
- The updated “Lockdown Mode” and “Exception Users” will be displayed within the “Security Profile” window.
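The same change applied from PowerCLI, as an added example that is not part of the original post. It performs both procedures above in one script (set the “Exception Users” list, then switch an existing host to “Strict”) and verifies the result from vCenter Server, which after the change is the only place the host can be managed. The vCenter name `vcenter.example.com`, the host name `esxi01.example.com` and the service account `svc_backup` are assumptions; replace them with your own.

```powershell
# Added example (not from the original post): set Strict Lockdown Mode and the
# Exception Users list on an ESXi 6.0 host with PowerCLI, then verify it.
# Assumed (hypothetical) names: vCenter "vcenter.example.com", host
# "esxi01.example.com", exception account "svc_backup" which must already hold
# the Administrator role on the host.
Connect-VIServer -Server 'vcenter.example.com'

$vmhost = Get-VMHost -Name 'esxi01.example.com'
# HostAccessManager is the vSphere 6.0 API object behind the "Lockdown Mode" and
# "Exception Users" panes of the Security Profile.
$ham = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager

# 1. Exception Users first, while the host is still reachable. The list grants
#    nothing: an account without the Administrator role on the host is still
#    locked out, so refuse to proceed if that is the case.
$exceptions = @('svc_backup')
foreach ($user in $exceptions) {
    $perm = Get-VIPermission -Entity $vmhost -Principal $user -ErrorAction SilentlyContinue
    if (-not $perm -or ($perm.Role -notcontains 'Admin')) {
        throw "$user has no Administrator permission on $($vmhost.Name); it would be locked out."
    }
}
$ham.UpdateLockdownExceptions($exceptions)

# 2. Switch to Strict. Valid modes: lockdownDisabled, lockdownNormal, lockdownStrict.
if ($ham.LockdownMode -ne 'lockdownStrict') {
    $ham.ChangeLockdownMode('lockdownStrict')
}

# 3. Verify from vCenter: refresh the cached property and read back the list.
$ham.UpdateViewData('LockdownMode')
[pscustomobject]@{
    Host       = $vmhost.Name
    Lockdown   = $ham.LockdownMode
    Exceptions = ($ham.QueryLockdownExceptions() -join ', ')
}

Disconnect-VIServer -Server 'vcenter.example.com' -Confirm:$false
```

Keep the order shown: exception users before the mode change. In “Strict” mode the DCUI service is stopped, so if the host later loses its connection to vCenter Server and no exception user has a way in (the ESXi Shell and SSH are also disabled by default), the host can no longer be administered and has to be reinstalled. The check in step 1 is the script version of the caveat above: the “Exception Users” list only preserves access an account already has.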