====== XenServer (XenCenter) Remote Access ======

  * Remote Access is a weak spot in XenServer since the primary management tool is XenCenter on Windows.
  * XenCenter is not NAT-friendly.
  * Most XenCenter-to-XenServer communications happen on ports 22 (SSH) and 443 (HTTPS).
  * Linux guest consoles use VNC starting on port 5901.
  * Since standard SSH is available, the first management tool to grab is ''xsconsole''.

===== xsconsole =====

  * ''xsconsole'' is the built-in text-mode console on XenServer.
  * ''xsconsole'' is useful, but it doesn't provide guest console visibility.
  * If you can SSH into the XenServer, just run ''xsconsole'' at the CLI.

===== Remote XenCenter =====

:!: For best security, you should limit access to your remote XenServer by source IP address in the firewall at the remote site.

You can get **partial functionality** by simply forwarding TCP port 443 into the remote XenServer, but not console access (XenServer or VM).  Even if you forward a non-standard port (i.e. 4443) in to port 443 on the XenServer, you can still add the remote server to XenCenter:

''remote.host.or.ip:4443'' 

===== Remote Console =====

<note tip>A **VPN connection** makes the following workaround unnecessary!</note>

Without a VPN connection, the easiest way I've found to access the console of a VM running on a XenServer behind NAT is:

  - Enable remote SSH access directly to the XenServer
    * You can forward a non-standard port at the firewall (i.e. 22222) to the standard port 22 at the XenServer
  - To access a VM's console, you must tunnel through localhost (the XenServer)
  - Use SSH port forwarding to forward a VM's VNC port (5901, 5902, 5903, etc.) to 'localhost'
    * Each VM runs on a different VNC port
    * Each VM's VNC console is only available to localhost (the XenServer)
  - The IP address of the VM doesn't matter and can even change without affecting remote access

You can determine which VNC port is assigned to which VM like this:

Log into the XenServer via SSH:

<file>
ssh -p 22222 -l root <your-remote-xenserver>
</file>

Determine the domain ID and VNC port of your target VM:

<file>
xe vm-list
list_domains
netstat -lp|grep -w <domid> |awk '{print $4}'|cut -d: -f2
</file>

Now you can forward the port(s) and access the VNC console of the VM from another terminal on your remote workstation:

<file>
ssh -p 22222 -l root -L <local-vnc-port>:localhost:<vm-vnc-port> <your-remote-xenserver>

vncviewer localhost:<last-vnc-port-digit>
</file>