Chapter 17. Working with System Virtual Machines
The VNC traffic never goes through the guest virtual IP, and there is no need to enable VNC within the
guest.
The console proxy VM will periodically report its active session count to the Management Server. The
default reporting interval is five seconds. This can be changed through standard Management Server
configuration with the parameter consoleproxy.loadscan.interval.
To assign a guest VM to a console proxy, the Management Server first checks whether the guest VM
has a previous session associated with a console proxy. If it does, the Management Server will assign
the guest VM to that Console Proxy VM regardless of the load on the proxy VM. Failing that, the first
available running Console Proxy VM that has the capacity to handle new sessions is used.
Console proxies can be restarted by administrators, but this will interrupt existing console sessions
for users.
The console viewing functionality uses a dynamic DNS service under the domain name realhostip.com
to assist in providing SSL security to console sessions. The console proxy is assigned a public IP
address. In order to avoid browser warnings for mismatched SSL certificates, the URL for the new
console window is set to the form of https://aaa-bbb-ccc-ddd.realhostip.com. Customers will see this
URL during console session creation. CloudPlatform includes the realhostip.com SSL certificate in
the console proxy VM. Of course, CloudPlatform cannot know about DNS records for our customers'
public IPs prior to shipping the software. CloudPlatform therefore runs a dynamic DNS server that is
authoritative for the realhostip.com domain. It maps the aaa-bbb-ccc-ddd part of the DNS name to the
IP address aaa.bbb.ccc.ddd on lookups. This allows the browser to correctly connect to the console
proxy's public IP, where it then expects and receives an SSL certificate for realhostip.com, and SSL is
set up without browser warnings.
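The name-to-address mapping described above can be sketched as follows. This is an added example, not CloudPlatform code: the domain console.example.com, the range 203.0.113.0/24 and all function names are assumptions, and it goes beyond the text by restricting answers to an operator-chosen range and by listing static A records for a range.

```python
import ipaddress
import re

# Four decimal octets joined by hyphens, no leading zeros: "203-0-113-7".
_OCTET = r"(0|[1-9][0-9]{0,2})"
_LABEL = re.compile("-".join([_OCTET] * 4))


def console_hostname(ip, domain):
    """Build the console URL host: 203.0.113.7 -> 203-0-113-7.<domain>."""
    addr = ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    return str(addr).replace(".", "-") + "." + domain.strip(".").lower()


def resolve(qname, domain, allowed_net):
    """Return the IPv4 address encoded in qname, or None (no answer).

    allowed_net (an assumption of this sketch) limits answers to the
    operator's own public range, so names for loopback, private or
    third-party addresses are never served under the domain.
    """
    name = qname.rstrip(".").lower()
    suffix = "." + domain.strip(".").lower()
    if not name.endswith(suffix):
        return None
    m = _LABEL.fullmatch(name[: -len(suffix)])
    if m is None:
        return None
    try:
        addr = ipaddress.IPv4Address(".".join(m.groups()))  # octets <= 255
    except ValueError:
        return None
    return str(addr) if addr in ipaddress.ip_network(allowed_net) else None


def zone_records(cidr, domain, ttl=300):
    """Static alternative: one A record line per address in the range."""
    return [
        f"{console_hostname(str(ip), domain)}. {ttl} IN A {ip}"
        for ip in ipaddress.ip_network(cidr)
    ]


if __name__ == "__main__":
    # Constructed sample values (documentation range and example domain).
    dom, net = "console.example.com", "203.0.113.0/24"
    for q in ("203-0-113-7." + dom, "127-0-0-1." + dom, "203-0-113-999." + dom):
        print(q, "->", resolve(q, dom, net))
    print("\n".join(zone_records("203.0.113.4/30", dom)))
```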
17.3.1. Changing the Console Proxy SSL Certificate and Domain
If the administrator prefers, it is possible for the URL of the customer's console session to show a
domain other than realhostip.com. The administrator can customize the displayed domain by selecting
a different domain and uploading a new SSL certificate and private key. The domain must run a DNS
service that is capable of resolving queries for addresses of the form aaa-bbb-ccc-ddd.your.domain
to an IPv4 address in the form aaa.bbb.ccc.ddd, for example, 202.8.44.1. To change the console
proxy domain, SSL certificate, and private key:
1. Set up dynamic name resolution or populate all possible DNS names in your public IP range into
your existing DNS server with the format aaa-bbb-ccc-ddd.company.com -> aaa.bbb.ccc.ddd.
2. Generate the private key and certificate signing request (CSR). When you use openssl to
generate private/public key pairs and CSRs, be sure to convert the private key that you are going
to paste into the CloudPlatform UI into PKCS#8 format.
a. Generate a new 2048-bit private key
openssl genrsa -des3 -out yourprivate.key 2048
b. Generate a new certificate CSR
openssl req -new -key yourprivate.key -out yourcertificate.csr
c. Head to the website of your favorite trusted Certificate Authority, purchase an SSL certificate,
and submit the CSR. You should receive a valid certificate in return