If you have a lot of configurations in a lab the way we do in VMware, then most of them are using private networks that are not even routable inside your company, let alone the internet. So you can very quickly get into a nested rathole of RDP/SSH sessions from your terminal to a jump-box and from there to machines you are actually performing operations on. Worse you probably have nested windows of multi-connection tools, so your actual target keeps getting squashed to the right of your monitor. Sometimes your terminal itself might be an RDP session or Horizon Desktop, so it quickly becomes some kind of geeky Inception thing
Incidentally that image fits on multiple levels for me. Apart from the squinty look, thats the back of Cillian Murphy’s head. I went to school with him way back when. Closest I’ll get to a claim to fame (or to Batman for that matter) 🙂
A nice trick to overcome the spiralling console windows (there’s no fix for my desire to be Batman) is to put an NSX edge and SNAT rule in place to allow those private networks to reach the outside world and then use DNAT rules to port-forward to your individual machines. Lo and behold, one RDP/SSH window, more real estate for the connection on your screen and little less likely to go mad.
Once you have the NSX Edge setup with the relevant interfaces and addresses configured on it, here’s a couple of powershell commands that will get you up and running.
You need PowerCLI and PowerNSX installed to achieve.
CONNECT TO NSX MANAGER
Before you issue the commands get connected to the NSX Manager. So open an PowerCLI window and issue the following
Connect-NsxServer -NsxServer 10.10.10.5 -Username nsx-administrator -Password nsx-password -VIUserName vcenter-administrator -VIPassword vcenter-password
Replace the IP and the credential bits appropriately.
Only one of these, so PowerShell or UI….your choice. For me, never do it via the UI when you can script it. Who knows when you will want to automate or repeat it right?
Get-NSXEdge -name My-NSX-Edge-Name | Get-NSXEdgeNat | New-NSXEdgeNatRule -Vnic 0 -OriginalAddress any -TranslatedAddress 10.10.10.15 -action snat -Enabled
Where 10.10.10.15 is the routable IP address on the Uplink interface of the Edge and the My-NSX-Edge-Name is whatever you called the Edge itself
You should now be able to reach the internet from those private networks….assuming they are using the correct interface on the NSX Edge as their default gateways.
Definitely one you want to script…especially if you have lots of VMs or hosts that you want to connect to.
Assuming you are still connected to NSX manager, issue commands like the following for RDP:
Get-NSXEdge -name My-NSX-Edge-Name | Get-NSXEdgeNat | New-NSXEdgeNatRule -Vnic 0 -OriginalAddress 10.10.10.15 -TranslatedAddress 192.168.1.4 -action dnat -Protocol tcp -Enabled -OriginalPort 30004 -TranslatedPort 3389
Where 10.10.10.15 is the public interface of the NSX Edge, 30004 is the port you want to forward to port 3389 on 192.168.1.4 behind the edge
Or the following for SSH:
Get-NSXEdge -name My-NSX-Edge-Name | Get-NSXEdgeNat | New-NSXEdgeNatRule -Vnic 0 -OriginalAddress 10.10.10.15 -TranslatedAddress 192.168.1.5 -action dnat -Protocol tcp -Enabled -OriginalPort 20005 -TranslatedPort 22
Where 10.10.10.15 is the public interface of the NSX Edge, 20005 is the port you want to forward to port 22 on 192.168.1.5 behind the edge
Copy/paste/change the TranslatedAddress and OriginalPort as many times as you have connections
Personally I like to use some form of logical mapping between the port I am forwarding and the connection type / IP address of the target. For instance, I would always start an SSH port with 2 (as the target port is 22 typically) and an RDP port with 3 (as the target port is 3389 typically) and then map the last octet of the target IP to the end of the port I am forwarding. So RDP to 192.168.1.4 would use port 30004 and SSH to 192.168.1.5 would use 20005
SETTING UP THE CONNECTIONS
Now in your tool of choice, every connection will be configured to point at the public interface of the NSX Edge (10.10.10.15 in the above examples) and all you need to do is change the port to reach a different target. Most multi-connection tools such as mRemote, Royal TS/TSX will have fields for the port. If you are using Remote Desktop Connection, just use 192.168.1.4:30004 as the connection target.
So tell me….did I steal thoughts from your head or plant an idea 🙂
Leave a Reply