Some time ago, JC ran into a problem. Some of our security folks were concerned that multiple users could interact with a virtual machine’s console session (MKS). Their concern was that any user that had privileges to access the console of a VM could leverage the privileges of any user currently using the virtual machine. Understandably, this could be a serious concern. JC quickly found a VM configuration setting that could be added to the VM to restrict the maximum console sessions (see below).
Modifying the Maximum Console Connection (Per Virtual Machine)
1. Right-click on the virtual machine and select “Edit Settings”
2. Select the “Options” tab and select “Advanced->General”
3. Click the “Configuration” button.
4. Select “Add Row” and enter the following:
NOTE: The value should reflect the maximum number of connections.
Later, JC and I were talking about it, and we decided there had to be a better way. After some research, we found the virtual machine behavior could be modified on a per host basis. While this may not seem efficient to implementations consisting of a large number of hosts, it is better then modifying each individual VM. In our case, modifying the host’s configuration was the quickest resolution. Not only did this accomplish the goal, it also ensured that any new virtual machine would inherit this setting.
NOTE: The problem with modifying this setting on a per VM basis is the potential to forget to add it to new virtual machines deployed to your environment. Adding it on a per host basis ensures that all virtual machines operating on that host will inherit those settings.
NOTE of the NOTE: Adding this setting to the virtual machine configuration file (.vmx) or the advanced parameters, overrides the per host settings.
Modifying the Maximum Console Connection (Per Host)
1. SSH to the ESXi host.
2. cd /etc/vmware/config
3. vi config
4. Arrow down to the last line in the file.
5. Press O (Capital O). This creates a new line.
6. Enter the following line:
RemoteMKSConnections = “X” RemoteDisplay.maxConnections = “X”
NOTE: Where X is the maximum connections allowed to the server. In our case it was 1.
That completes the task; however, in order for the setting to take effect, the virtual machine needs to be either restarted or migrated. Both of these actions will cause a reload of the virtual machine configuration file.
NOTE: This setting is applied at the host level, indicating that ONLY while the VM is running on said host will the setting be applied. If the virtual machine is migrated to a different host (one without this configuration) the setting will not persist.