Remote connect to XenCenter console

Started by Bill Artemik , 30 September 2008 - 03:05 AM
13 replies to this topic

Bill Artemik (Members, 169 posts)

Posted 30 September 2008 - 03:05 AM

We manage several XenServer locations now and need to access these host servers remotely. Since Citrix is KING of virtual application I was wondering how I can access the XenServer host machine at location B from my Windows XP machine at location A (this would be a WAN connection.) I do not want to have to dedicate an XP machine at each location and RDP in just to manage the XenServer host machines.

So...what is the best way to access the XenServer behind a firewall at (example) from my XP machine behind our firewall at

Ultimately I would like to just build a DNS list of these inside our LAN to facilitate rapid access/management of these systems.

What port(s) does XenCenter communicate with? is it natively secure or do I need to provide other means of a secure connection? I need a solution that does not include installing XenCenter on a machine inside the client's location for me to use to connect to the XenServer host.

Jonathan Thorpe (Members, 979 posts)

Posted 30 September 2008 - 04:25 AM

Hi Bill,

XenServer uses port 443 for most communication between XenCenter and the XenServer host itself. For Linux guests, it also uses port 5900 to connect to the graphical console.

We normally recommend that you set up a VPN connection so that the host XenCenter is running from can route packets directly to the XenServer host (in other words, the XenCenter host should be on the same subnet as the XenServer host itself).

If you configure your XenServer host behind a gateway performing NAT, you'll find that the XenCenter works for most operations, but cannot connect to the consoles of the VMs. The reason for this is that the XenCenter reports the local IP of the XenServer host and the remote host attempts to connect to the local IP, not being aware that there is NAT in the way.

Hope this helps!

Kind Regards,

Dmitry Kushak (Citrix Employees, 677 posts)

Posted 30 September 2008 - 04:29 AM

XenCenter uses port 443 to communicate with XenServer(s). In your example, you could redirect port 443 to the XenServer host behind it. There is a problem though: even though you'd be able to connect to the XenServer behind the firewall, VM consoles would be inaccessible due to NAT-related issues. See Retrieving VNC consoles for details.

To circumvent this, one could set up a VPN connection to the site and manage XenServers by their internal IP addresses. I understand that this becomes somewhat inconvenient once multiple sites are in the picture.

Yet another workaround would be to set up a VM inside each XenServer and remote into it to access XenCenter.

SSH tunnels can also provide VPN functionality. XenServer by default runs an SSH daemon which can be used to set up bridges. E.g. one could use PuTTY to establish forwarding on ports 443 (XenCenter communication), 5900-59xx (for virtual consoles), etc.

These are pretty much all the options available for the time being.


yalgaar yalgaar (Members, 75 posts)

Posted 12 December 2008 - 05:20 PM

I can connect to one of my XenServers using PuTTY, but can't connect using XenCenter.

Could you please send me details on how to set up a bridge using PuTTY so I can connect to the XenServer using XenCenter for management?

Jim Wyatt (Members, 1 post)

Posted 23 February 2009 - 09:57 PM

This is a horrible limitation. It also exposes the lack of security around connecting to graphical consoles from within XenServer. This has halted my evaluation of your product for our virtualization needs.

Jonathan Thorpe (Members, 979 posts)

Posted 23 February 2009 - 10:16 PM

Hi Jim,

I'm not sure I understand your concern.

Console traffic is encrypted and authenticated - the only limitation is that your XenCenter needs to be on a network accessible from your XenServer host - XenServer is not "NAT aware".

If you can detail your precise concerns, they can be addressed.

Kind Regards,

nobody nobody (Members, 23 posts)

Posted 05 June 2010 - 05:57 PM

Anyone figure out a solution to this problem? With VMware you can just forward the console ports and then connect remotely to your datacenter with ease.

I can't afford to dedicate a VM solely for remote management (via running VPN or RDP); that's just absurd.

I need the ability to configure my XenServer host to allow port 5900 from a different subnet (i.e. on a different network).

I've spent thousands of dollars duplicating my server that runs VMware, so I can install XenServer and replace it... but this little problem makes XenServer not production-deployable.

The reason I decided to switch to XenServer was the iptables on the hypervisor, allowing me to ditch the VM that runs a NAT/firewall on my current ESXi box. (As mentioned earlier, I can't afford to create VMs dedicated to running one simple task; in VMware's case I had to secure the system/management interface with a VM because it didn't have configurable iptables.)

So that puts me in a spot: still looking to replace the VMware ESXi that's currently in production (because it's too insecure on its own), and unable to deploy XenServer (because I can't manage it remotely), so now I'd be left looking for an alternative solution...

Someone needs to come up with a viable solution for those of us without physical access to the same network our servers are on that doesn't include wasting valuable resources creating a virtual machine dedicated entirely to viewing remote management consoles....

What do I configure on my XenServer host to allow port 5900 remotely?

Tobias Kreidl (CTP Member, 17,832 posts)

Posted 05 June 2010 - 06:08 PM

It seems that VNC could certainly be a viable alternative, and it tunnels through the standard SSH port 22.
With iptables and/or TCP wrappers, you can certainly control and limit access. The steps are given below:

X and VNC on XenServer

When you install Red Hat on XenServer it does not by default enable a virtual video device. You are only given the text console by default. But Citrix's Virtual Machine Installation Guide does document how to enable the typical X console using VNC.

* Check to make sure that vnc-server and gdm are installed.

    rpm -q vnc-server gdm

* If they are not, install them.

    yum install vnc-server gdm

* Modify /etc/gdm/custom.conf so the default server is a VNC server; see the modifications below:

    # -SecurityTypes None switches off Xvnc's own password prompt, so the only
    # thing standing between the network and this display is the iptables rule set below
    name=VNC Server
    command=/usr/bin/Xvnc -SecurityTypes None -geometry 1024x768 -depth 16 -BlacklistTimeout 0

* When GDM is running it should be listening on port 5900. Make sure that the iptables firewall allows access to this port from any machine running XenCenter or wanting to connect.

    # <XenCenter-client-IP> is a placeholder: the source address/subnet was lost from
    # the original post; put the address(es) allowed to reach the VNC display here
    iptables -N vnc
    iptables -I INPUT -p tcp -m state --state NEW -m tcp --dport 5900 -j vnc
    iptables -A vnc -s <XenCenter-client-IP> -p tcp -m state --state NEW -m tcp --dport 5900 -j ACCEPT
    iptables -A vnc -p tcp -m tcp -m state --state NEW --dport 5900 -j REJECT

* Now everything is set up, but by default Red Hat on XenServer starts up in runlevel 3, which does not start GDM. So you can modify the default runlevel in /etc/inittab or, as I would recommend, simply use telinit 5 to start it and telinit 3 to turn it off. This saves memory and CPU cycles.

Edited by: Tobias K on Jun 5, 2010 2:14 PM

nobody nobody (Members, 23 posts)

Posted 05 June 2010 - 07:11 PM

While I appreciate your time and effort to help answer my problems (ps. are you stalking me? ;) ) I don't see this solution as viable either.

I cannot rely on a virtual machine of any sort to handle the ability to connect to a console.

I would consider an SSH tunnel if the XenCenter client supported the ability to configure a proxy.

Tobias Kreidl (CTP Member, 17,832 posts)

Posted 05 June 2010 - 09:11 PM

> I need the ability to configure my XenServer host to allow port 5900 from a different subnet (i.e. on a different network).

I don't see why iptables couldn't handle that (allowing specific IP addresses to access that particular port).

As an aside, there are several third-party products that allow for remote management, but I have to confess I have not researched them in any detail to know if they might fit your needs. Products like openQRM, Enomalism, and Project ConVirt show up on the Web. You may not want to spend anything, which would of course limit options.

Esa Tähkävuori (Members, 1 post)

Posted 27 April 2011 - 10:49 AM

I just can't figure out how to complete a new VM installation without a console.

Ivo Billien (Members, 1 post)

Posted 22 July 2011 - 05:52 PM

OK, the 'real' problem is not access to the server or firewall/routing, but inside the communication protocol (i.e. the use of the real IP for the VNC connect instead of for tunneled connections).
XenCenter uses HTTPS and VNC for its 'consoles'.
The simplest workaround is to install (yeah sure, they don't like it) let's say OpenVPN on the XenServer itself (or on any VM as long as it is on the same subnet as the management interface).
It would/should also be possible to use for instance an F5 BIG-IP to replace every LAN IP inside the HTTPS communication with (or any other reverse proxy capable of encrypting, decrypting and changing payloads on the fly).
I found using OpenVPN the simpler solution.


Tim Lund (Members, 1 post)

Posted 15 June 2012 - 02:48 PM


I got access to the consoles via SSH tunnels by adding a Microsoft loopback adapter with the same IP as the XenServer host, and then binding the local tunnel ports to all interfaces.
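A worked version of the tunnel that Dmitry Kushak (PuTTY forwarding of 443 and 5900-59xx over SSH) and Tim Lund (a loopback adapter carrying the host's own IP, with the tunnel listeners bound to it) describe, added here as an example and not code from the thread. It substitutes OpenSSH for PuTTY, and assumes constructed values: 192.0.2.10 for the host's internal IP and gw.example.net for the SSH endpoint reachable across the WAN.

```shell
#!/bin/sh
# Added example, not from the thread: builds the ssh(1) command that carries
# XenCenter's port 443 channel and a VNC console range inside one SSH session,
# binding every local listener to an address equal to the XenServer host's
# internal IP. That is the loopback-adapter trick: when XenCenter is told the
# host's LAN address for a console, that address now resolves to the tunnel.
# Constructed values: 192.0.2.10 (host internal IP), gw.example.net (SSH endpoint).

# check_range FIRST LAST: 0 if both are port numbers and FIRST <= LAST.
check_range() {
    case "$1$2" in *[!0-9]*|'') return 1 ;; esac
    [ "$1" -ge 1 ] && [ "$2" -le 65535 ] && [ "$1" -le "$2" ]
}

# forward_args BIND_IP TARGET_IP FIRST LAST: one "-L bind:port:target:port"
# per port, so each console port in the range gets its own local listener.
forward_args() {
    p=$3
    while [ "$p" -le "$4" ]; do
        printf ' -L %s:%s:%s:%s' "$1" "$p" "$2" "$p"
        p=$((p + 1))
    done
}

# tunnel_cmd INTERNAL_IP SSH_ENDPOINT CONSOLE_TARGET FIRST LAST
# INTERNAL_IP: the host's LAN IP, also used as the local bind address.
# CONSOLE_TARGET: the address the VNC console is served from, as seen from the
# SSH endpoint (host or guest; the thread does not pin this down, so it is a
# parameter). -N/-T: no remote command and no pty, the session only forwards.
tunnel_cmd() {
    check_range "$4" "$5" || return 1
    printf 'ssh -N -T%s%s root@%s\n' \
        "$(forward_args "$1" "$1" 443 443)" \
        "$(forward_args "$1" "$3" "$4" "$5")" \
        "$2"
}

# bind_ip_present IP: 0 if IP is configured on a local interface (the loopback
# alias the post relies on); ssh cannot bind a listener to an address the OS lacks.
# Returns 2 when the ip(8) tool is unavailable (e.g. on Windows).
bind_ip_present() {
    command -v ip >/dev/null 2>&1 || return 2
    ip -o addr show | grep -q "inet $1/"
}

# Usage: bind_ip_present 192.0.2.10 && eval "$(tunnel_cmd 192.0.2.10 gw.example.net 192.0.2.10 5900 5902)"
```

Because the listeners are bound to the host's address rather than 127.0.0.1, the explicit bind address in -L overrides the client's GatewayPorts default, so no ssh_config change is needed.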

Ivan Buil (Members, 1 post)

Posted 26 June 2012 - 12:36 PM


As some of you have mentioned, I've solved access to the console using a VNC client plus SSH port forwarding. With this workaround I am able to connect to the VM consoles, but I'm still unable to access some other features of XenCenter like performance graphs, export logs, etc.

Some of them can be obtained through CLI commands, but sometimes it is useful to have a performance graph directly in the client, without having to check any other monitoring system. Does anybody know how to get this information through a NATted environment?

Thanks in advance for your feedback,