Say you have a remote site to support, with a VMware setup and no direct VPN. How can you check or fix anything on their main VM hosts?
If they have a local Linux or Unix box, there is a way. You can forward all the required VMware ports over SSH:
sudo ssh -L*:80:192.168.5.8:80 -L*:443:192.168.5.8:443 -L*:902:192.168.5.8:902 \
    -L*:5989:192.168.5.8:5989 -L*:8000:192.168.5.8:8000 \
    -L*:8100:192.168.5.8:8100 firstname.lastname@example.org
This relies on the client's firewall forwarding SSH to a local Linux/Unix box, say 192.168.5.67. And this example has ssh.myclient.com pointing to their external IP, of course.
So, what are we doing here? Run this on a local Linux box (say, 192.168.23.80), and it will SSH to email@example.com. Local port forwarding is set up for ports: 80, 443, 902, 5989, 8000, 8100.
The forwarding is such that any connections to these particular ports on 192.168.23.80 from any PC on your local network are sent over the SSH connection to the remote SSH server you have connected to. From there, the connections are pushed out to 192.168.5.8. The VMware host doesn't know the difference and just accepts the connections as if they were local.
The * at the front of each "forwarding option" is what works this magic: it instructs SSH to listen for traffic to forward on all of the local box's network interfaces, not just loopback. That also means every machine that can reach 192.168.23.80 can reach the client's VM host through the tunnel. Putting a specific local address in place of the * narrows where SSH listens, and leaving the bind address off keeps the forward on loopback only.
So now, all you need to do is point your VMware/vSphere Client at 192.168.23.80 and pop in the username and password, and you have full control of your client's VM host.
VMClient ---> Local Linux box (SSH) ---> ((INTERNET)) ---> (SSH) Remote Linux box ---> VMHost
Important: If you set yourself up to be able to do this, allowing anything on the net to SSH to your server, be aware of how much control it would give an attacker over your network if they could guess your password.
Lock out unneeded, guessable accounts from login, such as 'root'. Use fail2ban to stop brute force attacks. Use long passwords. Or, if possible, don't even use passwords at all - use ssh key based authentication.
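
One way to apply the advice above on the remote box, as an added example that is not part of the original post: an sshd_config fragment that turns off root and password logins and limits a dedicated support account to forwarding only the six VMware ports on 192.168.5.8. The account name vmsupport is an assumption made for this example; the directives are standard OpenSSH sshd options.

```conf
# /etc/ssh/sshd_config on the remote Linux/Unix box (192.168.5.67 in the text above).
# "vmsupport" is a hypothetical account name used only for this example.
# Check the file with "sshd -t" before reloading sshd, and keep an existing
# session open until a fresh key-based login has been confirmed.

# No direct root login, no password-based logins of any kind.
PermitRootLogin no
PasswordAuthentication no
# Named ChallengeResponseAuthentication on older OpenSSH releases.
KbdInteractiveAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3

# Only listed accounts may log in at all. Add every other account that
# still needs SSH access here, or it will be locked out.
AllowUsers vmsupport

Match User vmsupport
    # Allow -L style forwards only, and only to the VM host's ports
    # used in the command above.
    AllowTcpForwarding local
    PermitOpen 192.168.5.8:80 192.168.5.8:443 192.168.5.8:902 192.168.5.8:5989 192.168.5.8:8000 192.168.5.8:8100
    # Nothing else this account could use to reach further into the network.
    GatewayPorts no
    PermitTunnel no
    X11Forwarding no
    AllowAgentForwarding no
```

With this in place a stolen or guessed credential for the support account can reach the VM host's management ports but cannot open forwards to any other address on the client's network.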