When you modify Web proxy settings, you have several encryption and user security guidelines to consider.
- Do not set up certificates that use a password or pass phrase. ESXi does not support Web proxies whose private keys are protected by a password or pass phrase (also known as encrypted keys). If you set up a Web proxy that requires a password or pass phrase, ESXi processes cannot start correctly.
- To support encryption for user names, passwords, and packets, SSL is activated by default for vSphere Web Services SDK connections. If you want to configure these connections so that they do not encrypt transmissions, deactivate SSL for your vSphere Web Services SDK connection by switching the connection from HTTPS to HTTP.

  Consider deactivating SSL only if you have created a fully trusted environment for these clients, where firewalls are in place and transmissions to and from the host are fully isolated. Deactivating SSL can improve performance, because you avoid the overhead required to perform encryption.
- To protect against misuse of ESXi services, most internal ESXi services are accessible only through port 443, the port used for HTTPS transmission. Port 443 acts as a reverse proxy for ESXi. You can see a list of services on ESXi through an HTTP welcome page, but you cannot directly access the Storage Adapters services without proper authorization.

  You can change this configuration so that individual services are directly accessible through HTTP connections. Do not make this change unless you are using ESXi in a fully trusted environment.
- When you upgrade your environment, the certificate remains in place.
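The first two guidelines above are easy to get wrong when a key and an SDK endpoint list are prepared on an administrator's workstation, so a pre-flight check is useful. The following Python is an added example, not VMware code: it flags a pass-phrase-protected PEM key (either PKCS#8 `ENCRYPTED PRIVATE KEY` or the traditional OpenSSL `Proc-Type: 4,ENCRYPTED` header) and any SDK connection URL that is not HTTPS. The PEM bodies and the hostname `esxi.example.internal` are constructed placeholders.

```python
import re
from typing import List
from urllib.parse import urlsplit

# Constructed sample: a traditional-format RSA key protected by a pass phrase.
# The base64 body is a placeholder, not real key material.
ENCRYPTED_PKCS1 = """-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: AES-256-CBC,0123456789ABCDEF0123456789ABCDEF

PLACEHOLDERBASE64DATA==
-----END RSA PRIVATE KEY-----
"""

# Constructed sample: a PKCS#8 key stored without a pass phrase, as ESXi expects.
PLAIN_PKCS8 = """-----BEGIN PRIVATE KEY-----
PLACEHOLDERBASE64DATA==
-----END PRIVATE KEY-----
"""


def key_is_encrypted(pem: str) -> bool:
    """Return True if a PEM private key is protected by a pass phrase.

    PKCS#8 marks this in the BEGIN line; the traditional OpenSSL format
    marks it with a 'Proc-Type: 4,ENCRYPTED' header before the base64 body.
    """
    if "-----BEGIN ENCRYPTED PRIVATE KEY-----" in pem:
        return True
    return re.search(r"^Proc-Type:\s*4,\s*ENCRYPTED\s*$", pem, re.M) is not None


def check_web_proxy_inputs(key_pem: str, sdk_urls: List[str]) -> List[str]:
    """Collect findings before the key and endpoints are applied to a host."""
    findings = []
    if key_is_encrypted(key_pem):
        findings.append("private key is pass-phrase protected; ESXi services will not start")
    for url in sdk_urls:
        scheme = urlsplit(url).scheme.lower()
        if scheme != "https":
            findings.append(f"{url}: SDK connection is not SSL-protected ({scheme or 'no scheme'})")
    return findings


if __name__ == "__main__":
    # Hypothetical endpoint used only to exercise the check.
    for finding in check_web_proxy_inputs(ENCRYPTED_PKCS1, ["http://esxi.example.internal/sdk"]):
        print("finding:", finding)
```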