vSphere 6.0 – ESXi Strict Lockdown Mode

This post will explore the new ESXi Lockdown feature “Strict Lockdown Mode” where the DCUI is disabled and you can only manage each ESXi 6.0 host from vCenter Server.  If you use “Strict Lockdown Mode”, you need to make sure that you recognise and mitigate the operational risk of vCenter Server failure through availability and recoverability design.

If “Strict Lockdown Mode” is enabled on an ESXi 6.0 host, you will get the following error messages when you try to connect:

  • From the DCUI – pressing F2 to login will report “Authentication Denied – Direct console access has been disabled by the administrator of <FQDN>”.
  • From the vSphere Client – pressing the login button will report “Error Connecting – The vSphere Client could not connect to <IP address/FQDN>.  You do not have permission to login to the server: <IP address/FQDN>”.


You can configure “Strict Lockdown” when adding an ESXi 6.0 host to vCenter Server:

  1. Login to the vSphere Web Client and enter the administrator credentials.
  2. The vSphere Web Client will open to the “Home” screen.  Select “Hosts and Clusters” and right mouse click on the “Datacenter” or “Cluster” object and then select “Add Host”.
  3. In the “Name and location” window, enter the “Host name or IP address” and press “Next”.
  4. In the “Connection settings” window, enter the “User name”/”Password” and press “Next”.
  5. In the “Host Summary” window, press “Next”.
  6. In the “Assign license” window, press “Next”.
  7. In the “Lockdown mode” window, select “Strict”, press “OK” to the popup message and press “Next”.
  8. In the “VM location” window, press “Next”.
  9. In the “Ready to complete” window, verify the settings and then press “Finish”.
  10. The ESXi 6.0 host will now be added to the Datacenter or Cluster object and be ready for continued configuration and customisation.
  11. Note – you can only enable “Normal Lockdown” from the DCUI, which makes sense: if you do not have a vCenter Server, “Strict Lockdown” would lock you out of the host.
  12. Note – when you enable Lockdown, it will only be enforced once the current DCUI, SSH and vSphere Client sessions are logged out.
  13. Note – when you place the host in “Maintenance Mode” and “Remove From Inventory”, “Lockdown” is automatically disabled.


You can also configure “Strict Lockdown” for an existing ESXi 6.0 host within vCenter Server:

  1. Login to the vSphere Web Client and enter the administrator credentials. The vSphere Web Client will open to the “Home” screen.
  2. Select “Hosts and Clusters” and select the ESXi 6.0 host in the “Datacenter” or “Cluster” object.
  3. Press the “Manage” menu item, then the “Settings” object and select “Security Profile”.
  4. Scroll down to the “Lockdown Mode” section and press the “Edit” button.
  5. In the “Lockdown Mode” window, select “Strict”, press “OK” to the popup message and then press “OK” in the main window.
  6. If you have third-party integrations or administrators that need access during Lockdown, you need to add those accounts to the “Exception Users” list.
  7. In the “Exception Users” window, select the green “+” button to add users and then press “OK”.
  8. The updated “Lockdown Mode” and “Exception Users” will be displayed within the “Security Profile” window.
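The same audit can be scripted so every host in the inventory is checked for “Strict” and its “Exception Users” list is reviewed. This is an added PowerCLI example, not code from the post; it assumes PowerCLI is installed, that the vCenter name is a placeholder you replace, and it uses the vSphere 6.0 HostAccessManager API that sits behind the “Lockdown Mode” panel.

```powershell
# Added example: audit (and optionally enforce) Strict Lockdown Mode across all ESXi 6.0 hosts.
param(
    [string]$VCenter = 'vcenter.example.local',   # placeholder, replace with your vCenter Server
    [switch]$EnforceStrict                        # when set, move non-Strict hosts to Strict
)

Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($vmhost in Get-VMHost) {
    # HostAccessManager (vSphere 6.0 API) exposes the lockdown mode and the exception list
    # that the Web Client shows under Manage > Settings > Security Profile > Lockdown Mode.
    $ham  = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
    $mode = $ham.LockdownMode          # lockdownDisabled | lockdownNormal | lockdownStrict

    if ($EnforceStrict -and $mode -ne 'lockdownStrict') {
        # Equivalent to selecting "Strict" in the Lockdown Mode editor. Remember the post's
        # caveat: after this, the host is manageable only through vCenter Server.
        $ham.ChangeLockdownMode('lockdownStrict')
        $ham.UpdateViewData('LockdownMode')
        $mode = $ham.LockdownMode
    }

    # Exception users bypass lockdown entirely, so this list deserves the same review
    # as any privileged-account list; an unexpected entry here is a finding.
    $exceptions = $ham.QueryLockdownExceptions()

    [pscustomobject]@{
        Host           = $vmhost.Name
        LockdownMode   = $mode
        Compliant      = ($mode -eq 'lockdownStrict')
        ExceptionUsers = ($exceptions -join ', ')
    }
}

# Non-compliant hosts sort first so they stand out in the table.
$report | Sort-Object Compliant, Host | Format-Table -AutoSize

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it without `-EnforceStrict` first to see the current state; as the post notes, a change to lockdown is only enforced once existing DCUI, SSH and vSphere Client sessions have logged out.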


Published by vcdx133, Chief Enterprise Architect and Strategist, 4xVCDX#133, NPX#8, DECM-EA.