Custom VM Endpoints


Overview

Traditionally, users established remote desktop or SSH connections manually through intermediate Virtual Machines (VMs). The VM Endpoint Connections feature streamlines access by letting users configure multiple endpoints per VM, all accessible directly from the lab client interface.

This feature eliminates the need for complex workarounds, like connecting through intermediary VMs, by enabling direct access to VM endpoints within a lab environment. It significantly improves the user experience, especially for terminal connections, services, and other nested VM environments.

Key Features

  • Multi-Endpoint Support: Define multiple terminal endpoints on a single VM.

  • Tab-Based UI: View each endpoint as a separate tab within the lab interface.

  • Flexible Protocol Support: Connect using SSH, RDP, HTTP/HTTPS, VNC and Telnet endpoints.

  • Secure Access: Route web traffic using an internal secure network and a proxy for HTTP endpoints.

  • Persistent Connections: Switch between endpoints without losing active sessions.

  • Nested VM Support: Interact with child VMs hosted inside a parent VM.

  • Endpoint Access Gateway: Simplify configuration for accessing resources on complex networks or nested environments.

Requirements

Custom VM endpoints are configured on Lab Profiles. After they're configured, they become available in your lab:

  • Linux VMs are configured to support programmatic access.

  • Lab authors define the endpoints each VM needs to support the lab.

  • VMs in the lab are configured to receive the connection types specified in the lab profile(s).

Once custom VM endpoints are configured in the lab, lab users can interact with terminals or web interfaces directly within the lab client. The endpoints appear as selectable tabs in the lab interface.

Custom Client URLs on Custom VM Endpoints

Using custom client URLs can affect the functionality of Custom VM Endpoints in certain scenarios. Specifically, HTTP/HTTPS-based custom endpoints may not work as expected if the web application relies on cookies (e.g., for managing login or status information).

This issue occurs because cookies are issued based on the domain name of the reverse proxy that connects to the custom VM endpoint. The domain name is based on the default Skillable domain for the lab client application (either skillable.com or labondemand.com).

In some cases, it may be possible to adjust the application's handling of third-party cookies to mitigate this issue, but these adjustments depend on the specific application.

Configuring Custom VM Endpoints

To configure custom VM endpoints:

  1. Optionally define an Endpoint Access Gateway in the lab profile’s Networks tab.

  2. Define the VM endpoints in the lab profile (from the Virtual Machines tab).

  3. Configure VMs to accept the endpoint connections.

  4. Configure the VM connections.

  5. Test and validate your connections.

Define an Endpoint Access Gateway

The Endpoint Access Gateway (EAG) allows lab authors to use Custom VM Endpoints with less configuration, particularly in nested scenarios. While the EAG is never required, we recommend it for most labs. Because the EAG connects to the user’s lab network in the same way as a default gateway, there may be scenarios where lab developers prefer to minimize the number of hosts on the lab network, especially for network cybersecurity labs.

To configure an EAG:

  1. In Skillable Studio, navigate to the Lab Profile and click Edit Profile in the upper-right corner of the page.

  2. Select the Networks tab.

  3. Find the network(s) you wish to add EAG to, and then check Enable Endpoints.

  4. Select whether you want the EAG to obtain its IP address Automatically from DHCP or if you wish to specify a static address.

IP Address Allocation for the EAG

If the EAG is configured to obtain its IP address Automatically from DHCP, it can use either the DHCP service from the NAT service, if enabled, or a DHCP service within the lab network(s). Using a DHCP service within the lab network is especially useful for complex lab environments with advanced routing and VLANs.

If the EAG is configured to use a Static Address, it won’t be provided with additional network configuration, including default gateway or DNS server addresses.

Understand endpoint connectivity with and without the EAG

Without an EAG, Studio provisions proxy devices on the ShellNet network to access the VM. With an EAG, the device is provisioned directly onto the lab network.

The ShellNet network originally allowed Life Cycle Actions (LCAs) and Automated Activities to send scripts into a VM, execute them, and collect the results. In the original implementation, endpoints required all tasks for LCAs and automated activities to be completed on the target VM, and any endpoint target had to be accessed through the ShellNet (172.20.X.Y) interface.

When an EAG is enabled, services are accessed through the lab network and are targeted based on the IP address of the VM hosting the service. This is particularly effective with nested resources, as any resource available on the lab network can be targeted directly.

As shown in the diagrams below, using an EAG reduces the need for complex network translation configurations within the VM.

Define the VM Endpoints

To define VM endpoints, edit the lab profile for the lab you want to configure:

  1. In Skillable Studio, navigate to the Lab Profile and click Edit Profile in the upper-right corner of the page.

  2. Select the Virtual Machines tab.

  3. Toward the bottom of the page, select + Add Endpoint.

  4. Configure the endpoint:

    • In the first text field, enter your custom endpoint name to replace the default name.

    • In the second text field, enter the token name to be used in the instructions (this cannot contain spaces).

    • (Optional) In the Description text field, enter a description for your custom endpoint.

    • Use the Protocol dropdown to choose the connection type.

    • Specify the relevant port number and any required authentication details (Username and Password).

    • (Optional) If you are using the EAG, select the network that the EAG server is on, and specify the IP address that the service is running on.

  5. Repeat the above steps for any additional endpoints that you want to configure for this virtual machine.

Configure the VM to Accept Endpoint Connections

After configuring lab profiles to expose an endpoint in the Lab Client, you must configure your VMs to accept the endpoint connections.

Follow these steps for each endpoint configured in the VM profile:

  1. Ensure VM readiness:

    • Configure the VM to expose the defined endpoints.

    • Open necessary ports in the VM’s firewall settings.

    • Verify that any required services (e.g., SSH, web server, RDP) are running.

  2. Configure network and security settings:

    • Ensure the VM is connected to the correct network (e.g., ShellNet or the Lab Network).

    • Use static IP mapping for consistent connectivity in nested VM environments. This is the default choice; however, some services and applications (for example, Cisco Modeling Labs) perform dynamic port address translation over the primary network interface.

    • Apply security best practices, such as limiting endpoint exposure and using strong authentication methods.

  3. After configuring the VMs for all required endpoints, save a differencing disk to make the VM settings available for future lab launches.
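
A readiness check for the "Ensure VM readiness" step on a Linux VM, added here as an example (it is not Skillable tooling): it reads `ss -H -tln` output and flags endpoint ports that are closed or bound only to loopback, which a proxy or EAG connecting from outside the VM cannot reach. The function names and the sample output are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not Skillable tooling: readiness check for endpoint ports
# on a Linux lab VM, run before saving the differencing disk.

# classify_port PORT: reads `ss -H -tln` output on stdin and prints
# reachable, loopback-only, or closed for that TCP port.
classify_port() {
  awk -v port="$1" '
    $1 == "LISTEN" {
      addr = $4                          # Local Address:Port column
      n = split(addr, parts, ":")
      if (parts[n] != port) next         # port is the text after the last colon
      host = substr(addr, 1, length(addr) - length(parts[n]) - 1)
      if (host ~ /^127\./ || host == "[::1]") lo = 1
      else pub = 1
    }
    END {
      if (pub)     print "reachable"
      else if (lo) print "loopback-only"
      else         print "closed"
    }'
}

# check_endpoints "PORT ...": stdin is ss output; prints "PORT STATE" per
# port and returns non-zero if any port is not reachable from the network.
check_endpoints() {
  _snapshot=$(cat)
  _rc=0
  for _port in $1; do
    _state=$(printf '%s\n' "$_snapshot" | classify_port "$_port")
    printf '%s %s\n' "$_port" "$_state"
    [ "$_state" = "reachable" ] || _rc=1
  done
  return "$_rc"
}

# Constructed sample of `ss -H -tln` output: sshd on all interfaces,
# a web server bound to loopback only, nothing on 3389.
SAMPLE_SS='LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 127.0.0.1:80 0.0.0.0:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*'

# On a real VM: ss -H -tln | check_endpoints "22 80 3389"
printf '%s\n' "$SAMPLE_SS" | check_endpoints "22 80 3389" || true
```

A port reported as reachable here can still be blocked by the VM's firewall, so the firewall rules from the sections below still need to be in place.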

Configure the VM Connections

Configure an SSH Connection

Configuring a VM for an SSH connection varies depending on the operating system. Windows and Linux desktops typically don't have an SSH server installed by default.

Windows VMs

  1. Install OpenSSH Server:

    Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

  2. Open port 22 in Windows Firewall:

    New-NetFirewallRule -Protocol TCP -LocalPort 22 -Direction Inbound -Action Allow -DisplayName "OpenSSH"

  3. Ensure the SSH service starts on boot:

    Set-Service -Name sshd -StartupType Automatic

Linux VMs

  1. Install and start an OpenSSH Server:

    • CentOS/RHEL:

      yum install openssh-server -y && systemctl start sshd && systemctl enable sshd

    • Ubuntu:

      apt install openssh-server -y && systemctl start ssh && systemctl enable ssh

  2. Open port 22 in firewall:

    • CentOS/RHEL:

      firewall-cmd --add-service=ssh --permanent && firewall-cmd --reload

    • Ubuntu:

      ufw allow ssh && ufw reload

Configure an HTTP Connection

Configuring a VM for an HTTP connection varies depending on the operating system.

Windows VMs

  1. Install IIS Web Server:

    Install-WindowsFeature -name Web-Server -IncludeManagementTools

  2. Start the IIS service:

    Start-Service W3SVC

  3. Open port 80 in Windows Firewall:

    New-NetFirewallRule -Protocol TCP -LocalPort 80 -Direction Inbound -Action Allow -DisplayName "HTTP"

  4. Place web content in C:\inetpub\wwwroot\

Linux VMs

  1. Install and start an Apache web server:

    • CentOS/RHEL:

      yum install httpd -y && systemctl start httpd && systemctl enable httpd

    • Ubuntu:

      apt install apache2 -y && systemctl start apache2 && systemctl enable apache2

  2. Open port 80 in firewall:

    • CentOS/RHEL:

      firewall-cmd --add-service=http --permanent && firewall-cmd --reload

    • Ubuntu:

      ufw allow 80/tcp && ufw reload

  3. Place web content in /var/www/html/

Configure a Remote Desktop (RDP) Connection

RDP configuration is supported on both Windows and Linux VMs. Windows requires only basic configuration, while Linux requires additional software installation.

These instructions assume the Linux VM is running a distribution with a desktop environment already installed.

Windows VMs

Step 1: Enable remote desktop

  1. Start the VM and log in.

  2. Open the Settings app and search for Remote Desktop settings.

  3. Turn on the Enable Remote Desktop option.

  4. Uncheck the Only allow connections from computers running Remote Desktop with Network Level Authentication (recommended) checkbox. Deselecting this option doesn’t pose a security risk, as the connection is limited to the internal Skillable network.

Step 2: Verify RDP access on the user account

To give a user RDP permissions, add them to the Remote Desktop Users group on the target machine using either the GUI or the CLI.

Using the GUI

  1. Navigate to Local Users and Groups:

    • Press Win + R, type lusrmgr.msc, and then press Enter.

    • In the left pane, select Groups.

  2. Add the user to the Remote Desktop Users group:

    • In the middle pane, double-click on Remote Desktop Users.

    • Click Add.

    • In the text field, enter the username of the user you want to add, then click OK.

Using the Command Line

Open the command prompt as an administrator:

  1. Press Win + X and select Command Prompt (Admin).

  2. Add the user to the Remote Desktop Users group, replacing [username] with the actual username:

    net localgroup "Remote Desktop Users" /add [username]

Using PowerShell

Open PowerShell as an administrator:

  1. Press Win + X and select Windows PowerShell (Admin).

  2. Add the user to the Remote Desktop Users group, replacing [username] with the actual username:

    Add-LocalGroupMember -Group "Remote Desktop Users" -Member [username]

Step 3: Verify RDP configuration

  1. In the terminal, verify the user has RDP rights by checking the user’s group membership:

    Get-LocalGroupMember -Group "Remote Desktop Users"

  2. Navigate to Settings > System > Remote Desktop and ensure the Enable Remote Desktop option is enabled.

Linux VMs

  1. Install and start xrdp:

    • CentOS/RHEL:

      yum install xrdp -y && systemctl start xrdp && systemctl enable xrdp

    • Ubuntu:

      apt install xrdp -y && systemctl start xrdp && systemctl enable xrdp

  2. Open port 3389 in firewall:

    • CentOS/RHEL:

      firewall-cmd --add-port=3389/tcp --permanent && firewall-cmd --reload

    • Ubuntu:

      ufw allow 3389/tcp && ufw reload

Configure a Telnet Connection

Telnet connections are generally recommended for use with appliance-style devices that do not support SSH, such as routers and switches. Telnet can be configured on both Windows and Linux; however, only Linux includes native support for Telnet. For Windows, a third-party application must be installed, and each application would have its own configuration steps.

Windows VMs

While using Telnet with a Windows Server is uncommon, it is possible. Several Telnet server applications are available for Windows. If you're unsure where to start, here are a few examples to consider:

Linux VMs

  1. Install and start inet network utilities:

    • CentOS/RHEL:

      sudo dnf install telnet-server telnet xinetd -y

    • Ubuntu:

      sudo apt install inetutils-inetd telnetd

  2. Edit the configuration file:

    • CentOS/RHEL:

      sudo nano /etc/xinetd.d/telnet

    • Ubuntu:

      sudo nano /etc/inetd.conf

    For CentOS/RHEL, change disable = yes to disable = no. For Ubuntu, remove the comment marker #<off># in front of the line that contains telnet stream tcp nowait telnetd /usr/sbin/telnetd telnetd.

Test and Validate

After configuring lab profiles and VMs with custom VM endpoints, it is best practice to test and validate that everything works as expected:

  1. Launch the lab and verify that all defined endpoints appear in the interface.

  2. Test each endpoint connection to ensure functionality.

  3. Adjust configurations as needed based on testing results.