Set Up VMware Authentication

Create VMware records to perform authenticated mapping and scanning of VMware vSphere components running VMware ESXi 4.x, 5.x and 6.x, and ESX 3.5 and above.

VMware authentication is supported for maps, vulnerability scans and compliance scans. For authenticated maps, the discovery includes only ESXi hosts and the map results identify detected ESXi servers and their guest systems.

Which technologies are supported?

For the most current list of supported authentication technologies and the versions that have been certified for VM and PC by record type, please refer to the following article: 

Authentication Technologies Matrix

Want to launch scans on ESXi hosts using vCenter?

Under Login Credentials, choose the Use vCenter option. Under IPs, enter your ESXi IP addresses. You'll also need a vCenter authentication record with the vCenter IP addresses that map to your ESXi hosts.

To scan ESXi hosts without sending any scan traffic directly to the ESXi hosts, select the Disconnected ESXi check box. This option is currently available for the compliance scan. 

Note: If you select the Disconnected ESXi check box and add IPs that are already associated with a Unix record, an error message is displayed and the VMware ESXi record is not saved. You must remove the IPs from the non-applicable record to resolve the error.

Click here for complete steps >>

Credentials to use

You'll need to provide a service credential with at least Read-Only access to your ESXi hosts. Certain additional privileges are also required.

Learn more >>

Unix authentication may also be required

Please note that Unix shell access is required for scanning certain ESXi controls. This means you'll also need a Unix authentication record for your ESXi hosts when scanning certain controls. See the following article for a list of ESXi controls that require Unix authentication: VMware ESXi Controls That Require Unix Authentication

Authenticated maps

If you run a map using VMware authentication, we'll use a vSphere API call to retrieve a list of virtual guest hosts residing on a VMware server. Only running virtual guests will be enumerated by the vSphere API and shown in your map results. Note only virtual guests that have VMware Tools installed appear in map results.

Communications with VMware

We establish communication against the vSphere API/VI API (port 443 by default) which is provided by each ESXi host. The vSphere API is a SOAP API used by all vSphere components. Note this is the same API which the VI Client uses to communicate with ESXi hosts. Routing and firewalls between scanner appliances and this API must allow this communication.

Help with the record settings

What do I enter in the Username field?What do I enter in the Username field?

Enter an ESXi user name or a Windows domain user name in the format domain\username.

What do I enter in the Hosts field?What do I enter in the Hosts field?

Provide a list of FQDNs for the hosts that correspond to all ESXi host IP addresses on which a custom SSL certificate signed by a trusted root CA is installed. Multiple hosts are comma separated.

Tell me about certificate validation optionsTell me about certificate validation options

Select the "Use SSL" option for a complete SSL certificate validation. Select "Skip Verify" if the host SSL certificate is self-signed or uses an SSL certificate signed by a custom root CA. A list of host FQDNs is not required in this case.

Tell me about the Port settingTell me about the Port setting

By default the service communicates with ESXi web services on port 443. This can be customized.

Want to access the account password from your password vault?Want to access the account password from your password vault?

We support integration with multiple third party password vaults. Just go to Scans > Authentication > Vaults and tell us about your vault system. Then choose Authentication Vault in your record and select your vault name. At scan time, we'll authenticate to hosts using the account name in your record and the password we find in your vault.

Which IPs should I add to my record?Which IPs should I add to my record?

Select the IP addresses for the ESXi servers that the scanning engine should log into using the specified credentials. Note you can add one particular ESXi server to only one VMware record in your account.

Important Notes for Unit ManagersImportant Notes for Unit Managers

When a Unit Manager edits a record, the Unit Manager only sees the IPs in the record that they have permission to. Any changes made by the Unit Manager to the record settings will apply to all hosts defined in the record, regardless of whether all hosts belong to the user's business unit. The record may contain more IPs that are not visible to the Unit Manager.

Learn more

Why use host authentication | VMware Auth PDF Icon