For paranoiacs? Not only.
If you really want to close down access to your ESXi servers and make your network more secure, you might have missed that there is a Total Lockdown Mode available in the ESXi hypervisor from VMware. But watch out: once it is enabled, if you lose access to your vCenter, the only way to get back into an individual ESXi host is to ... reinstall it.
It's what I just discovered in this VMware KB, which explains the different lockdown modes you're certainly aware of.
When total lockdown mode is enabled, you have no way to log on at all. You are not able to:
- log in to the ESXi server locally.
- log in to the ESXi server via SSH.
- connect to the vCenter Server.
When you log in as root directly on the DCUI, you see this message:
Authentication denied. Direct console access has been disabled by the administrator for <your_server_hostname>.
The behavior, with a nice recapitulation table, can be found in the ESXi Configuration Guide, where you can see the different combinations in action.
See the image below:
To achieve this, you enable or disable the troubleshooting services via the vSphere Client:
1. Log in to a vCenter Server system using the vSphere Client.
2. Select the host in the inventory panel.
3. Click the Configuration tab and click Security Profile.
4. Select a service from the list.
- Local Tech Support
- Remote Tech Support (SSH)
- Direct Console UI
5. Click Options and select Start and stop manually.
6. Select Start to enable the service.
7. Click OK.
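Because the combination described above (lockdown mode on, DCUI and SSH stopped) leaves vCenter as the only door, it is worth auditing your hosts before you get there. The following PowerCLI script is an added example, not code from the original post or from VMware; it assumes PowerCLI is installed and that you are already connected with Connect-VIServer. The service keys TSM (Local Tech Support), TSM-SSH (Remote Tech Support (SSH)) and DCUI (Direct Console UI) are the ones ESXi uses for the three services listed in the steps; AdminDisabled is the lockdown-mode flag the vSphere API of this era exposes on the host configuration.

```powershell
# Added example: report, per ESXi host, which of the access paths from the post
# are still open, and flag hosts that are in the "total lockdown" state.
# Assumes: PowerCLI loaded and Connect-VIServer already run against vCenter.

function Get-LockdownAccessReport {
    param(
        # Defaults to every host in the connected inventory
        $VMHost = (Get-VMHost)
    )

    foreach ($h in $VMHost) {
        $services = Get-VMHostService -VMHost $h
        $dcui = $services | Where-Object { $_.Key -eq 'DCUI' }      # Direct Console UI
        $ssh  = $services | Where-Object { $_.Key -eq 'TSM-SSH' }   # Remote Tech Support (SSH)
        $tsm  = $services | Where-Object { $_.Key -eq 'TSM' }       # Local Tech Support

        # Lockdown mode flag on the host config (vSphere API property AdminDisabled)
        $lockdown = [bool]$h.ExtensionData.Config.AdminDisabled

        [pscustomobject]@{
            Host                    = $h.Name
            LockdownMode            = $lockdown
            DCUIRunning             = [bool]$dcui.Running
            SSHRunning              = [bool]$ssh.Running
            LocalTechSupportRunning = [bool]$tsm.Running
            # Lockdown on and both console paths stopped: only vCenter can reach this host
            TotalLockdown           = $lockdown -and -not $dcui.Running -and -not $ssh.Running
        }
    }
}

# Usage: list the hosts, with the fully locked-down ones easy to spot
Get-LockdownAccessReport | Sort-Object TotalLockdown -Descending | Format-Table -AutoSize
```

Run this before flipping the last service to manual/stopped: any host reported with TotalLockdown set to True is one you can only recover by reinstalling if vCenter becomes unavailable, so make sure that state is deliberate for every host on the list.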
You can find the ESXi Configuration Guide PDF here (page 190).
Source: VMware KB 1000424