VMware UMDS: Internet Proxies and HTTPS Inspection

Since Update Manager is part of the vCenter Server Appliance (VCSA), from a security perspective I don't like the idea of giving the vCenter Server internet access, and this is where the beautiful UMDS (Update Manager Download Service) comes into play: a virtual machine that sits in the DMZ with internet access and is not joined to the domain.

The setup was straightforward with no issues, and internet access to the VMware repository website was allowed through the internet proxy.

When we started downloading patches and updates I noticed that only the VA files were being downloaded and the rest were not. Listing the repository resources (with the -G option), I saw that the VA repository was served over HTTP while all the other repositories were served over HTTPS.

I knew that HTTPS inspection was enabled on the proxy and I had some concerns about it (I had noticed it when I tried to browse to the repository in a web browser). Going back to the logs:

[2018-02-06 09:47:40:197 'httpDownload' 3004 WARN]  [httpDownload, 423] Download https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml failed: Error 12002 from WinHttpSendRequest for url https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml
[2018-02-06 09:47:40:212 'httpDownload' 3004 ERROR]  [httpDownload, 438] Reached retry download limit
[2018-02-06 09:47:40:215 'DownloadMgr' 3004 ERROR]  [downloadMgr, 627] Executing download job {50170224} throws error: Reached retry download limit
[2018-02-06 09:47:40:220 'DownloadMgr' 3004 INFO]  [downloadMgr, 713] Download failed but destination file C:\Users\ADMINI~1\AppData\Local\Temp\1\vcibvnllkxg.tmp exists and is valid. Ignoring error
[2018-02-06 09:47:40:229 'DownloadMgr' 3004 INFO]  [downloadMgr, 575] Download job {50170224} finished, bytes downloaded = 0
[2018-02-06 09:47:40:232 'DownloadMgr' 3580 DEBUG]  [downloadMgr, 466] Download job {50170224} finished
[2018-02-06 09:47:40:232 'DownloadMgr' 3580 DEBUG]  [downloadMgr, 479] Removing download job {50170224} in queue
[2018-02-06 09:47:40:232 'DownloadMgr' 3580 DEBUG]  [downloadMgr, 498] Current download count: 0

The security team was against disabling HTTPS inspection, and to be honest I was not in favor of doing it either, so I tried something stupidly simple. I put myself in the place of the UMDS download service: if it hits the "certificate not trusted" window and has no way to click Continue :-P, it will never reach the end website, which is the repository URL.

Long story short, I added the inspection proxy's CA root certificate to the Trusted Root Certification Authorities store on the UMDS virtual machine, EUREKA =), retried the download and it worked like a charm.
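The check I would run before and after that fix, as an added example rather than code from the original post: open a CONNECT tunnel through the proxy to the HTTPS repository host from the log above, look at the certificate the UMDS machine is actually handed (with an inspecting proxy it will be signed by the inspection CA, not by a public CA), build the chain against the machine's own certificate stores, and only then import the exported inspection CA into the machine-wide Trusted Root store. The proxy address, port and the CA file path are assumptions; the repository host comes from the log. It expects an elevated PowerShell on the UMDS host with the PKI module available (Windows Server 2012 or later).

```powershell
# Added example, not code from the original post or from VMware.
# Run in an elevated PowerShell on the UMDS host.
$RepoHost  = 'hostupdate.vmware.com'        # HTTPS repository host seen in the UMDS log
$ProxyHost = 'proxy.example.local'          # assumption: the proxy configured for UMDS
$ProxyPort = 8080                           # assumption
$CaFile    = 'C:\Temp\inspection-root.cer'  # assumption: CA exported from the HTTPS inspection appliance

function Connect-ThroughProxy {
    param([string]$ProxyHost, [int]$ProxyPort, [string]$TargetHost, [int]$TargetPort = 443)
    # Open a CONNECT tunnel the way a WinHTTP client behind a proxy does.
    $tcp = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
    $net = $tcp.GetStream()
    $req = "CONNECT ${TargetHost}:${TargetPort} HTTP/1.1`r`nHost: ${TargetHost}:${TargetPort}`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($req)
    $net.Write($bytes, 0, $bytes.Length)
    # Read the proxy reply one byte at a time so none of the TLS handshake that follows is swallowed.
    $reply = ''
    while (-not $reply.EndsWith("`r`n`r`n")) {
        $b = $net.ReadByte()
        if ($b -lt 0) { throw 'Proxy closed the connection during CONNECT' }
        $reply += [char]$b
    }
    if ($reply -notmatch '^HTTP/1\.[01] 200') { throw "Proxy refused CONNECT: $($reply.Split([char]10)[0])" }
    return $net
}

function Get-ServedCertificate {
    param([string]$TargetHost)
    $net = Connect-ThroughProxy -ProxyHost $ProxyHost -ProxyPort $ProxyPort -TargetHost $TargetHost
    # Accept whatever is presented here: this function only wants to *see* the certificate,
    # the trust decision is made separately in Test-ServedChain.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $ssl = New-Object System.Net.Security.SslStream($net, $false, $acceptAll)
    $ssl.AuthenticateAsClient($TargetHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose()
    return $leaf
}

function Test-ServedChain {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Leaf)
    # Build the chain against this machine's certificate stores, the same stores WinHTTP consults.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # The UMDS host may not be able to fetch CRLs through the proxy; revocation is not the question here.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $trusted = $chain.Build($Leaf)
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Subject    = $Leaf.Subject
        Issuer     = $Leaf.Issuer
        TopOfChain = $top.Subject
        Trusted    = $trusted
        Status     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }
}

$leaf   = Get-ServedCertificate -TargetHost $RepoHost
$result = Test-ServedChain -Leaf $leaf
$result | Format-List

if (-not $result.Trusted -and (Test-Path $CaFile)) {
    # Import into the *machine* Root store: the UMDS service does not run as the logged-on user.
    Import-Certificate -FilePath $CaFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    $recheck = Test-ServedChain -Leaf (Get-ServedCertificate -TargetHost $RepoHost)
    Write-Host "After importing $CaFile, chain trusted = $($recheck.Trusted)"
}
```

Before the import, the output for an inspected connection shows an Issuer that is the inspection CA rather than a public CA, Trusted = False and a Status of UntrustedRoot, which is the condition WinHTTP refuses to continue from; after the import the same chain builds cleanly. Import only the inspection CA that the proxy uses to re-sign traffic, not the leaf certificate it serves for this host, and check the Issuer field first: if the issuer is a public CA and Trusted is still False, the problem is something other than inspection. If the proxy requires authentication the CONNECT will come back as 407 and the script stops there, which is itself a useful finding since UMDS then needs proxy credentials configured.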

I hope this helps,
(Abdullah)^2
