Today we will talk about lockdown mode. Although lockdown mode has been around for several years, not many people are actually using the feature, either because they do not even know that it exists or because there are not that many articles about it.
I have to say that I had not been using lockdown mode either, but once I started to work on bigger, more distributed environments spread across different colocations, I found the feature quite interesting.
So, what does lockdown mode actually do? Well, it locks down the entire ESXi server: you can’t touch the configuration from the DCUI and you have to perform everything from vCenter Server itself. As said, it’s quite useful when somebody might have physical access to your ESXi server and you want to add another layer of protection to your environment.
It’s really easy to configure lockdown mode. It’s just one radio button in vCenter Server, or you can also do it directly from the DCUI, but there is much more to talk about.
ESXi lockdown mode was introduced in ESXi 5.0 in a simpler version, which was expanded in ESXi 6.0 and ESXi 6.5.
So, what happens when you enable lockdown mode and then try to log in directly to the ESXi server using the ESXi web client? Your connection will be denied and you won’t be able to perform any action. In lockdown mode, operations must be performed through vCenter Server by default. Starting with vSphere 6.0 you can choose between a normal lockdown mode and a strict lockdown mode.
There is also something called Exception Users. Users in this group will still be able to log in to the ESXi server directly.
A list of user accounts that keep their permissions when the host enters lockdown mode. The accounts are used by third-party solutions and external applications that must continue their function in lockdown mode. To keep lockdown mode uncompromised, you should add only user accounts that are associated with applications.
Normal Lockdown Mode – The host can be accessed through vCenter Server. Only users who are on the Exception Users list and have administrator privileges can log in to the Direct Console User Interface. If SSH or the ESXi Shell is enabled, access might be possible.
Strict Lockdown Mode – The host can only be accessed through vCenter Server. If SSH or the ESXi Shell is enabled, running sessions for accounts in the DCUI.Access advanced option and for Exception User accounts that have administrator privileges remain enabled. All other sessions are terminated.
How to add an account to the Exception Users list?
You’d have to first create a local ESXi user and then specify this advanced setting on a per-host basis. In my case I have created the local ESXi user “recovery” through the ESXi Host Client.
To access this setting, select your host > System > Advanced System Settings > find DCUI.Access in the list > click to add another local ESXi user there. The root user is already present there by default.
The exception users can only perform tasks for which they have privileges. So, do not forget to configure appropriate permissions as well.
Connect to the ESXi host via ESXi Host Client > Actions > Permissions.
The UI will change and you can pick the user you have previously created and then assign a privilege to this user.
You can have a look at the following article, which describes the permission model of VMware vSphere.
Enable/Disable ESXi lockdown mode from DCUI
Note: This applies only if a host is in Normal lockdown mode. Otherwise you could lock yourself out from within the DCUI.
Open server console > Press F2 to Customize System/View Logs > Open Configure Lockdown Mode > Press SPACE to enable or disable lockdown mode
You will be able to login when lockdown mode is activated and set to Normal mode. In the Strict mode, you won’t be able to connect to DCUI at all.
You can also check the official documentation of ESXi lockdown mode here.
VMware ESXi Lockdown Mode limits users from logging in directly to the host. The host will only be accessible through a local console or vCenter Server. If there are local ESXi users configured, if they have enough privileges to log in locally AND if they are on the Exception Users list of the lockdown mode, then they CAN log in locally via the Host Client.
Be careful before activating the “strict” VMware ESXi Lockdown Mode. If this mode is ON, you have removed ALL users from Exception Users AND you lose the vCenter Server connection between this particular host and your vCenter, then you have a big problem. You won’t be able to log in locally.
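As an added example (not part of the original post), here is a PowerCLI function that audits every host in the vCenter you are connected to: the lockdown state, the DCUI.Access value, the Exception Users list, and whether a host sits in the risky combination just described (strict mode with an empty exception list). It assumes VMware PowerCLI with an existing Connect-VIServer session; the HostAccessManager properties and methods used are from the vSphere 6.0+ API.

```powershell
function Get-LockdownAudit {
    # Returns one record per host so the result can be filtered, exported or alerted on.
    foreach ($vmhost in Get-VMHost | Sort-Object Name) {
        # HostAccessManager (vSphere API 6.0+) exposes lockdown state and the exception list.
        $accessMgr  = Get-View -Id $vmhost.ExtensionData.ConfigManager.HostAccessManager
        $mode       = [string]$accessMgr.LockdownMode   # lockdownDisabled / lockdownNormal / lockdownStrict
        $exceptions = @($accessMgr.QueryLockdownExceptions())

        # Advanced option DCUI.Access: accounts allowed into the DCUI (root is there by default).
        $dcuiAccess = (Get-AdvancedSetting -Entity $vmhost -Name 'DCUI.Access').Value

        [pscustomobject]@{
            Host           = $vmhost.Name
            LockdownMode   = $mode
            DcuiAccess     = $dcuiAccess
            ExceptionUsers = ($exceptions -join ',')
            # Strict mode with no exception users: losing the vCenter connection
            # leaves no supported way to log in to this host locally.
            NoLocalFallback = ($mode -eq 'lockdownStrict' -and $exceptions.Count -eq 0)
        }
    }
}

# Usage: list only the hosts that need attention before a vCenter outage bites.
Get-LockdownAudit | Where-Object { $_.NoLocalFallback } | Format-Table -AutoSize
```

Run the audit before and after changing lockdown settings so a host that was switched to strict mode without a recovery account on the Exception Users list shows up immediately.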