ESXi Tech Support Mode

As a security recommendation you should always disable Tech Support Mode (TSM) on your ESXi servers, but sometimes it’s helpful if you’re able to connect to your ESXi server using Secure Shell (SSH). When you want to enable TSM, you have 3 options: 

  1. Use the Direct Console User Interface (DCUI)
  2. Use the vSphere Client
  3. Script it (using PowerCLI for example).

Enabling TSM using the DCUI

  1. Connect to the server console of your ESXi host.
  2. At the DCUI screen (Alt-F2) of the ESXi host, press F2 and provide credentials when prompted.
  3. Select Troubleshooting Options and press Enter.
     
  4. If you want to enable local TSM, select Enable Local Tech Support and press Enter. This allows you to login using the local console (ALT-F1) of the ESXi host.
  5. If you want to enable remote TSM, select Enable Remote Tech Support (SSH) and press Enter. This allows you to login to the ESXi host via SSH.
  6. Optionally you can configure a timeout that specifies the availability of TSM. After the timeout expires, TSM will be disabled again. Active sessions won’t be terminated however. To specify a TSM timeout:
    1. Select Modify Tech Support timeout and press Enter.
    2. Enter the desired timeout value in minutes and press Enter.
  7. Press Esc three times to return to the main DCUI screen.

Enabling TSM using the vSphere Client

  1. Select the host and go to its Configuration tab.
  2. Select Security profile and click on the Properties link.
  3. Select Local Tech Support or Remote Tech Support (SSH) and click the Options button.
  4. Click Start. Optionally you can choose the desired startup policy. Click OK to close the window.
  5. Verify that the daemon selected in step 3 shows as running in the Services Properties window.
  6. Optionally you can configure a timeout that specifies the availability of TSM. After the timeout expires, TSM will be disabled again. Active sessions won’t be terminated however. To specify a TSM timeout using the vSphere Client:
    1. Select the host and go to its Configuration tab.
    2. Select Advanced Settings.
    3. Locate the UserVars.TSMTimeOut key and change its value to the desired timeout in seconds. Notice that the timeout is specified is seconds here.
    4. Click OK.

Enabling TSM using PowerCLI

Enabling and disabling Tech Support Mode using the DCUI or vSphere client is a cumbersome task, especially when troubleshooting. Let me remind you of the golden rule of scripting:

“Whenever you need to do a task more than once, Script It!”

Enabling Tech Support Mode using PowerCLI can be done using the Start-VMHostService and Stop-VMHostService cmdlets. To start Remote Tech Support on host ESX001, use the following: 

Get-VMHost ESX001 | Get-VMHostService | Where {$_.key –eq "TSM-SSH"} | Start-VMHostService

To avoid memorizing and typing in the complete syntax over and over again, I wrote two little functions to make my life easier: 

  • Enable-TSM
  • Disable-TSM

I find these functions very useful in my everday tasks, therefore I’ve included them in my PowerShell profile. This way the functions are always available to me whenever I start a PowerCLI shell.

Enable-TSM

The Enable-TSM function accepts a hostname (wildcards are supported) or a VMHost object returned by the Get-VMHost cmdlet. The function also accepts objects from the pipeline. 

To enable remote TSM on host ESX001: 

Enable-TSM ESX001

To enable remote TSM on all hosts that start with ESX0: 

Enable-TSM ESX0*

To enable local TSM on host ESX001 and ESX002, use the -Local switch: 

Get-VMHost ESX001,ESX002 | Enable-TSM -Local

Function Enable-TSM {
  Param (
    [parameter(valuefrompipeline = $true, mandatory = $true,
    HelpMessage = "Enter an ESX(i) entity")]
      [PSObject]$VMHost,
    [switch]$Local)

  process {
    switch ($VMHost.gettype().name) {
      "String" {
        if ($Local) {$VMHost = Get-VMHost -Name $VMHost | Enable-TSM -Local}
        else {$VMHost = Get-VMHost -Name $VMHost | Enable-TSM}
      }
      "VMHostImpl" {
        if ($Local) {
          $VMHost | Get-VMHostService | Where {$_.Key -eq "TSM"} | %{
            if ($_.running -eq $false) {
              $_ | Start-VMHostService -Confirm:$false | Out-Null
              Write-Host "$($_.Label) on $VMHost started"
            }
            else {Write-Warning "$($_.Label) on $VMHost already started"}
          }
        }
        else {
          $VMHost | Get-VMHostService | Where {$_.Key -eq "TSM-SSH"} | %{
            if ($_.running -eq $false) {
              $_ | Start-VMHostService -Confirm:$false | Out-Null
              Write-Host "$($_.Label) on $VMHost started"
            }
            else {Write-Warning "$($_.Label) on $VMHost already started"}
          }
        }
      }
      default {throw "No valid type for parameter -VMHost specified"}
    }
  }
}

Disable-TSM

The Disable-TSM function works likewise, except that it disables TSM on the host.

Function Disable-TSM {
  Param (
    [parameter(valuefrompipeline = $true, mandatory = $true,
    HelpMessage = "Enter an ESX(i) entity")]
      [PSObject]$VMHost,
    [switch]$Local)

  process {
    switch ($VMHost.gettype().name) {
      "String" {
        if ($Local) {$VMHost = Get-VMHost -Name $VMHost | Disable-TSM -Local}
        else {$VMHost = Get-VMHost -Name $VMHost | Disable-TSM}
      }
      "VMHostImpl" {
        if ($Local) {
          $VMHost | Get-VMHostService | Where {$_.Key -eq "TSM"} | %{
            if ($_.running -eq $true) {
              $_ | Stop-VMHostService -Confirm:$false | Out-Null
              Write-Host "$($_.Label) on $VMHost stopped"
            }
            else {Write-Warning "$($_.Label) on $VMHost already stopped"}
          }
        }
        else {
          $VMHost | Get-VMHostService | Where {$_.Key -eq "TSM-SSH"} | %{
            if ($_.running -eq $true) {
              $_ | Stop-VMHostService -Confirm:$false | Out-Null
              Write-Host "$($_.Label) on $VMHost stopped"
            }
            else {Write-Warning "$($_.Label) on $VMHost already stopped"}
          }
        }
      }
      default {throw "No valid type for parameter -VMHost specified"}
    }
  }
}

Related posts:

  1. PowerCLI: Match VM and Windows harddisks – Part 2 Tweet This is a follow up on a post I did a couple of weeks ago to create a mapping table between Windows- and VMware hard disks. In another previous...
  2. Collect VMware ESX Host PCI Device Information Tweet Whenever you need to install a new box with ESX, there’s the struggle with matching physical ports to VMware devices. Which network adapter becomes vmnic0?, Which hostbus adapter becomes...
  3. PowerCLI: Disable/Enable HA and DRS Tweet Before upgrading my Virtual Center 2.5 server to vCenter Server 4.0, I decided to temporarily disable HA and DRS. This is just a precaution taken to avoid waiting for...
  4. List HBA WWPNs and LUNs using Powershell Tweet Lately I’m moving around my VMs and storage luns between my ESX clusters a lot to accomplish a complete redesign of my Virtual Infrastructure. At some point I got...
  5. PowerCLI: Get WMI info from isolated guests Tweet A few weeks back I posted an article on matching Windows and VMware disks. Unfortunately this would work only if you could remotely query WMI information from that VM....

2 Comments on “ESXi Tech Support Mode”

  1. #1 My Week in Geek – January 21, 2011 - My Geek Finds
    on Jan 21st, 2011 at 12:08 pm

    [...] Enabling Tech Support Mode on ESXi Nice step by step how-to on the different ways to enable Tech Support Mode (TSM) on ESXi.   [...]

  2. #2 Online Tech Support
    on Jul 21st, 2011 at 2:27 am

    Awesome, thank you very much

Leave a Comment