Understanding Lockdown Mode vSphere 6.0 and 6.5
Lockdown mode is a security feature for vSphere Host connected to vCenter Server.
- ESXi 5.x and earlier versions:
When Lockdown mode is enabled, only the vpxuser (vCenter Server User) has all the authentication permissions. Other users cannot perform any operations directly on the ESXi host. Lockdown mode forces all operations to be performed through vCenter Server.
When the ESXi host is in lockdown mode, we cannot use vCLI commands, script, or vSphere Management Assistant on the host directly bypassing vCenter Server. External software’s or tools like backup agents also might not be able to retrieve or modify information from the ESXi host directly.
- ESXi 6.x
With vSphere 6, Vmware has introduced couple of new concepts in lockdown mode to make it more flexible in nature as compared to previous versions
- Normal Lockdown Mode
- Strict Lockdown Mode
- Exception Users
1.Normal Lockdown Mode
In normal lockdown mode all the direct connections to ESXi servers are blocked.
You can manage ESXi Servers via vCenter Server or through direct console user interface (DCUI). DCUI service keeps running normal lockdown mode.
If the connection to the vCenter Server is lost, privileged user accounts can log in to the ESXi host’s Direct Console User Interface (DCUI) and exit from lockdown mode.
Only the following accounts can access the Direct Console User Interface:
- User accounts in the Exception User list for lockdown mode who have administrative privileges on the host – VMware vSphere 6.0 introduced the Exception User list. Exception users do not lose their privileges when the host enters lockdown mode. We can use the Exception User list to add the accounts of third-party solutions and external applications like backup agents that need to have access to ESXi host directly when the host is in lockdown mode.
- Users defined in the DCUI.Access advanced option for the host – This option is for emergency access to the Direct Console Interface in case the connection to vCenter Server is lost. These users do not require administrative privileges on the host.
2. Strict Lockdown Mode
Strict lockdown mode has been newly introduced in vSphere 6.0. The DCUI service is also stopped in strict lockdown mode.
If connection to vCenter server is lost and the connection to the vCenter Server cannot be restored, we will have to reinstall ESXi on the host.
If the connection to vCenter Server is lost, the ESXi host becomes unavailable unless the ESXi Shell and SSH services were previously enabled and Exception Users list is populated.
ESXi Shell and SSH services are independent of lockdown mode. However these services are disabled by default.
When a host is in lockdown mode, users on the Exception Users list can access the ESXi host from the ESXi Shell or through SSH.
How to Enable Lockdown Mode:
While adding ESXi Host vCenter Server system through add host wizard.
From vSphere Web Client – We can enable Normal and Strict Lockdown Mode from ESXi server Manage Tab -> Security Profile ->click Edit as highlighted below.
Select the mode you want to set on below screen.
From Direct Console User Interface (DCUI)
- Privileged users can disable lockdown mode from the vSphere Web Client.
- Privileged users can disable normal lockdown mode from the Direct Console Interface (DCUI). However these users cannot disable strict lockdown mode from the Direct Console Interface (DCUI).
- DCUI doesn’t have the option of Normal or Strict lockdown mode. When you enable lockdown mode from the DCUI you will get Normal mode by default. If you enable or disable lockdown mode using the DCUI, permissions for users and groups on the host are discarded. To preserve these permissions, you can enable and disable lockdown mode using the vSphere Web Client.
- If you upgrade a host that is in lockdown mode to ESXi 6.0 without exiting lockdown mode on you previous install, and if you exit lockdown mode after performing the upgrade, all the permissions defined before the host entered lockdown mode are lost. The system assigns the administrator role to all users who are found in the DCUI.Access advanced option to guarantee that the host remains accessible. To avoid this issue, disable lockdown mode for the host from the vSphere Web Client before the upgrade.
***For more information you can refer to Vmware Knowledgebase article 1008077 (kb.vmware.com/kb/1008077)***