Question

What is the Correct Network Design?

Asked by: Whisky-Will

Hi

I have created a virtual network using VMware ESXi which has an Untangle VM at the network perimeter. The Untangle box acts as a VPN/firewall for my network, which consists of External, Internal and DMZ segments.

When installed, the VMware host was allocated localhost.localdomain, and the web server in the DMZ has been working fine.

On the Internal segment of the virtual network I'm looking to install MS SBS 2008, and during installation the SBS virtual box was set up as SBS1.MyDomain. I have since added three clients to the .MyDomain.

Looking back at what I have done I'm now not sure of the interaction between the VMware and the SBS: should they both have the same domain name as they are on the same virtual network? Could someone please explain what would be the norm in this situation?

Cheers, Will


Asked On: 2009-04-21 at 01:47:37 (ID 24340483)
Tags: Networking, DNS, VMware, SBS
Topics: Network Design & Methodology, VMware, SBS Small Business Server
Participating Experts: 2
Points: 500
Comments: 21



Answers

 

by: kumarnirmal, posted on 2009-04-21 at 02:57:40 (ID: 24192477)

Virtual Networks are connected through various Port Groups which are in turn connected to vSwitches which are finally connected to Physical NICs.

For example, I can create 3 VMs which have 3 different IP Subnets

The NICs connected to the ESXi Server should be connected to different Physical Switches in order to segment them using Networking Concepts.

You can also use VLANs to segment different VMs.

Please bear in mind that the SBS and VMware ESXi Server need not be in the same Domain.

 

by: Whisky-Will, posted on 2009-04-21 at 03:44:40 (ID: 24192757)

Hi kumarnirmal

I think I have the network structured correctly, diagram attached;

You indicate in your reply that the SBS and VMware ESXi Server need not be in the same Domain, but surely this can't just be a random choice.

In my particular case should the Domain be the same or different, and what is the consequence of going either way?

Regards
William

 

by: kumarnirmal, posted on 2009-04-21 at 04:17:18 (ID: 24193002)

The Internal SBS Server should have an uplink connected to the vSwitch, since you cannot connect to the SBS Server if you do not map it to a vSwitch as indicated in the attachment.

 

by: kumarnirmal, posted on 2009-04-21 at 04:19:26 (ID: 24193012)

Just like how your vSwitch1 is connected to vmnic1, vSwitch3 should be connected to a vmnic or physical NIC if you intend to have SBS connectivity to the physical network.


 

by: Whisky-Will, posted on 2009-04-21 at 05:08:01 (ID: 24193330)

Hi kumarnirmal

The SBS Server uses the Gateway Server on its segment of the LAN to reach the External network. In reverse, all traffic arriving on the virtual network has to go through the Gateway Server to reach either the Internal or DMZ segments. Is this not best practice?

That aside my question remains, In my particular case should the Domain on the VMWare be the same or different as the Domain on the SBS Server, and what is the consequence of going either way?

Regards
William

 

by: kumarnirmal, posted on 2009-04-21 at 05:32:59 (ID: 24193508)

Sorry, as I completely missed the Gateway Server 1 in the picture. This is a good security practice.

The SBS Domain would be an Active Directory Domain.
Keeping the ESX Server in the same domain would cause no harm.

By the way, are you using VirtualCenter Server in your environment to manage ESX Hosts?

You would have to put a DNS host entry in the Windows / Linux DNS Server in your environment.

 

by: Whisky-Will, posted on 2009-04-21 at 06:13:52 (ID: 24193856)

Hi kumarnirmal

As we are only a small business we are using the VMware Infrastructure Client to manage the ESXi hosts.

Our Gateway (Linux) is set up to get its DNS from the OpenDNS servers, and all of our other VMs are Windows machines that get their DNS from the Gateway.

On the Domain front, is it not the other way around?

My whole network was built in the .localdomain, so have I not then come along and created a .myDomain for the SBS within it? I'm really confused.

Regards
William  

 

by: kumarnirmal, posted on 2009-04-21 at 07:10:06 (ID: 24194559)

Which version (2003 or 2008) and what edition (Standard or Premium) of Small Business Server are you using ?

For what purpose have you installed SBS ?

 

by: aldanch, posted on 2009-04-21 at 12:34:14 (ID: 24198222)

You have two domains, .localdomain (physical infrastructure, where ESXi is), and .mydomain (virtual infrastructure, where SBS is).

"That aside my question remains, In my particular case should the Domain on the VMWare be the same or different as the Domain on the SBS Server, and what is the consequence of going either way?"

In this question, what does "VMWare" refer to? The host or the VMs? SBS is isolated and can only be accessed through routing conducted by your Gateway VM. The host should be on the same subnet as the VI client used to manage it.

Did you want to have two separate domains/forests wherein you'll enable uni- or bidirectional forest trusts or are you looking to unify them into one domain?

 

by: Whisky-Will, posted on 2009-04-21 at 15:59:06 (ID: 24200130)

Hi aldanch

Apologies for confusing things with a poor explanation.

I have only 1 physical box that contains 2 physical network cards. This machine is co-located in an ISP's data center. I receive a feed into each network card from the ISP's switch. I have been provided with two public IP addresses (92.60.105.12 and 92.60.105.9), both of which have a mask of 255.255.255.128. I was given an address of 92.60.105.1 to use as a gateway and 92.60.105.8 to use for DNS.

All other NICs, switches and machines are virtual, and all other addressing uses private IP numbers.

I'm using ESXi Embedded, so when the physical server was first turned on the VMware was booted from an internal USB key. During setup I was asked to provide an IP address for the VMware Management Network; I used one of my public IP addresses (92.60.105.9) and this was virtually bridged to the ISP's network via one of my physical NICs.

Also during setup the VMware asked for a host name and defaulted to "localhost.localdomain".

I then proceeded to establish the virtual machine containing the Untangle Firewall, VPN and NAT device. This was given three virtual NICs as follows:

External: Assigned my second public address (92.60.105.12) and was virtually bridged to my ISP's network via the second physical NIC.

Internal: Given a private IP address of 192.168.2.1/24

DMZ: Given a private IP address of 10.0.10.1/8

The Untangle box is set to get its DNS from OpenDNS on 208.67.222.222

I set up a virtual machine running an IIS server in the DMZ segment. This was given a private address of 10.0.10.2, a gateway of 10.0.10.1 and a DNS of 10.0.10.1. This all appeared to work fine and web pages could be served to the internet.

I set up a virtual machine running the back end of my website on the internal segment. This was given a private address of 192.168.2.2, a gateway of 192.168.2.1 and a DNS of 192.168.2.1. This all appeared to work fine: I could VPN in to the Untangle box and reach the internal network, and my back end could upload the website to the DMZ.

I now want to install SBS 2008 on the Internal segment of the network. During setup I provided the following information:

Server Name: SBS1
Internal Domain Name (NetBIOS): Indigolime
Full Internal DNS Name: indigolime.local
External Domain Name: indigolime.net
IP address: 192.168.2.2
Gateway: 192.168.2.1
DNS: 192.168.2.1

This appears to work fine, but I'm concerned that the settings on the SBS virtual box ("indigolime.local") and the settings on the VMware host ("localhost.localdomain") need to be related in some way. They do after all exist on the same virtual network.

I'm very confused, what is best practice in this case?

Will

 

by: kumarnirmal, posted on 2009-04-21 at 18:22:47 (ID: 24200797)

A single network can contain multiple Domains as long as your requirement is fulfilled.

localhost.localdomain is just a generic name which is assigned to an ESX Host when it is installed if you do not assign a normal domain name such as myesxhost.domain.com.

Besides that, what is the role of the SBS in your Network ?

 

by: aldanch, posted on 2009-04-21 at 18:47:57 (ID: 24200888)

Will,

Thanks for the detailed explanation of your network layout. I've attached a diagram that matches it (hopefully).

Let me start with the bottom line first: treat your ESX server as a member of a workgroup environment that is separate from your internal network (indigolime.local).

In this scenario, your ESX server's FQDN is "localhost.localdomain", which is a generic name assigned to the ESXi server when it's first created. This is usually changed to match the domain that your ESX server is on. However, since the server is in your ISP's datacenter in one of their subnets (92.60.105.x), it's not necessary for you to match it to your network (192.168.2.x for indigolime.local).

The "localhost.localdomain" FQDN is for DNS resolution (accessing the ESX server and managing your virtual infrastructure - VMs, vSwitches, Datastores, etc), allowing you to conveniently access your ESX server by its FQDN or NetBIOS name (for example, typing ESX1.domain.local or ESX1 in your VI client or on a web browser address bar) rather than its IP address (92.60.105.9). This applies when your ESX server is on the same subnet as your Domain Controllers, DNS servers, and the like. In your case, the ESX server is transparent to your Internal network. It's just a resource pool for CPU, memory, and storage for your VMs as well as network connectivity in and out of your Internal network.

 

by: aldanch, posted on 2009-04-21 at 19:00:23 (ID: 24200931)

Will,

How are you accessing your ESX server? Is it through its public IP, or did your ISP give you a portal to use to access it?

 

by: Whisky-Will, posted on 2009-04-22 at 00:55:46 (ID: 24202173)

Hi kumarnirmal

The SBS will be used to provide a small number of small SharePoint sites used by a small number of users, web access to email, and centralised control for the file storage and backup of the 4 clients and 1 server in the SBS domain.

Regards
William

 

by: Whisky-Will, posted on 2009-04-22 at 01:40:40 (ID: 24202411)

aldanch

Diagram was spot on, a great answer triggering one of those Eureka! moments where everything falls into place.

I access ESXi directly through the public IP address, is this a problem?

A true expert on a great site.

Regards
Will


 

by: aldanch, posted on 2009-04-22 at 10:41:19 (ID: 24207496)

Will,

It's more of a security issue. ESXi's Management Network (VMkernel) is typically placed in a private network and is not directly accessible through the Internet. Your current predicament is that anyone can simply type in your ESX server's IP address on their favorite web browser, download the VI client, and attempt to gain access by brute forcing their way into your virtual environment.

There was a similar posting in the VMware Communities forum: http://communities.vmware.com/thread/194030

This post also mentions protecting your ESX server behind a firewall and setting up a VPN server that enables you to access your ESX via VI Client.

Did your ISP set up your ESX and then grant you access through a Public IP? Do they have an SLA regarding security of it?
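The brute-force risk aldanch describes above can at least be detected while the management interface is still exposed. The Python below is an added example written for this page, not code from the thread or from VMware: it runs a sliding-window failed-login counter over constructed sample lines and flags both a burst of failures from one source and a success that follows such a burst (the case where a guess landed). The `mgmt-auth` line layout, the hostname `esx1` and the client addresses are assumptions chosen for the example; they are not ESXi's real hostd/auth log format, so the regex has to be adapted to whatever the host actually writes.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines. The "mgmt-auth" layout is an ASSUMED format chosen
# for this example; it is not the real ESXi hostd/auth log format.
SAMPLE_LOG = """\
2009-04-22T10:00:01 esx1 mgmt-auth: FAILED login user=root from=203.0.113.7
2009-04-22T10:00:03 esx1 mgmt-auth: FAILED login user=root from=203.0.113.7
2009-04-22T10:00:04 esx1 mgmt-auth: FAILED login user=admin from=203.0.113.7
2009-04-22T10:00:06 esx1 mgmt-auth: FAILED login user=root from=203.0.113.7
2009-04-22T10:00:09 esx1 mgmt-auth: FAILED login user=root from=203.0.113.7
2009-04-22T10:00:12 esx1 mgmt-auth: SUCCESS login user=root from=203.0.113.7
2009-04-22T10:05:00 esx1 mgmt-auth: FAILED login user=root from=192.168.2.10
2009-04-22T10:30:00 esx1 mgmt-auth: SUCCESS login user=root from=192.168.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) mgmt-auth: (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) from=(?P<src>\S+)$"
)


def parse(text):
    """Turn raw log text into (timestamp, result, user, source-ip) tuples,
    silently skipping lines that do not match the expected layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"],
                           m["user"], m["src"]))
    return events


def detect(events, threshold=5, window=timedelta(seconds=60)):
    """Sliding-window brute-force detector.

    Emits ('brute_force', src, n) once a source accumulates `threshold`
    failures inside `window`, and ('success_after_failures', src, n) when a
    login from that source then succeeds, i.e. a guess probably landed."""
    recent = defaultdict(deque)   # src -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for ts, result, _user, src in sorted(events):
        q = recent[src]
        while q and ts - q[0] > window:
            q.popleft()
        if result == "FAILED":
            q.append(ts)
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(("brute_force", src, len(q)))
        else:
            if src in flagged:
                alerts.append(("success_after_failures", src, len(q)))
                flagged.discard(src)
            q.clear()   # a successful login ends the failure run for this source
    return alerts


def analyse(text=SAMPLE_LOG):
    """Parse and run detection in one call; returns the alert list."""
    return detect(parse(text))


if __name__ == "__main__":
    for alert in analyse():
        print(*alert)
```

On the constructed input the single Internal client that mistyped once (192.168.2.10) produces nothing, while 203.0.113.7 trips the burst threshold and then logs in, which is the event worth waking someone up for. The threshold and window are deliberately parameters: a management interface reachable only over VPN can tolerate a much lower threshold than one on a public address.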

 

by: Whisky-Will, posted on 2009-04-23 at 04:13:00 (ID: 24213717)

aldanch

Thanks for the additional advice.

The problem I have is that the firewall is virtual, so if I move the VMkernel behind the firewall I could end up in a situation where I can't get to the firewall because of a problem in ESXi and I can't get to ESXi because of a problem in the firewall, or the other way around.

The ISP provides only power, cooling, IP addresses, a rack to hold the box and a network connection, and the rest is down to me.

Without buying some physical hardware and paying to co-locate it with the server, I can't see any other options?

Regards
William

 

by: aldanch, posted on 2009-04-23 at 11:37:02 (ID: 24218324)

William,

Wouldn't it be in the best interest of your company to safeguard your ESXi server, as it is openly exposed to anyone with an Internet connection? IMHO, I think that it's worth the investment (if budget allows).

Bringing hardware (hardware firewall/VPN router) and co-locating it with the server would add a layer of security for your ESX server (which currently only has a username and password as its only defense), albeit it will come with a price. I would stake that cost against a security breach that may ruin your company's reputation (and yours) or use your resources for malicious agendas.
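To make the exposure concrete, here is an added example written for this page (not code from the thread, from Untangle or from VMware). It models the layout William posted as segments, hosts and gateway rules, then asks which ESXi management endpoints a host on the ISP-facing segment can open a connection to, before and after the VMkernel is moved off that segment. Everything not stated in the thread is an assumption: the "Management" port group and its address 192.168.3.1, OpenVPN on port 1194, SMB on SBS1, and 443/902 as the management ports.

```python
from dataclasses import dataclass, field


@dataclass
class Topology:
    """Segments hold hosts; hosts expose ports; rules say which segment-to-segment
    crossings the gateway admits. Traffic inside one segment is never filtered,
    which is exactly why a VMkernel on the ISP-facing port group is reachable
    by anyone on the Internet: they are on the same bridged segment."""
    hosts: dict = field(default_factory=dict)   # segment -> {ip: {port, ...}}
    rules: list = field(default_factory=list)   # (src_segment, dst_segment, ports or None)
    mgmt_ips: set = field(default_factory=set)  # addresses carrying ESXi management

    def add_host(self, segment, ip, ports):
        self.hosts.setdefault(segment, {}).setdefault(ip, set()).update(ports)

    def allow(self, src, dst, ports=None):
        # ports=None: the gateway passes any destination port (plain outbound NAT)
        self.rules.append((src, dst, None if ports is None else set(ports)))

    def reachable_from(self, src_segment):
        """(ip, port) pairs a host on src_segment can open a connection to."""
        out = set()
        for ip, ports in self.hosts.get(src_segment, {}).items():
            out.update((ip, p) for p in ports)
        for s, d, allowed in self.rules:
            if s != src_segment:
                continue
            for ip, ports in self.hosts.get(d, {}).items():
                hit = ports if allowed is None else ports & allowed
                out.update((ip, p) for p in hit)
        return out


MGMT_PORTS = {443, 902}   # VI client / web UI and console ports (assumed)


def current_layout():
    """The layout as posted: the VMkernel sits on the same bridged segment as
    the ISP feed, beside Untangle's external interface."""
    t = Topology()
    t.add_host("External", "92.60.105.9", MGMT_PORTS)   # ESXi management network
    t.mgmt_ips.add("92.60.105.9")
    t.add_host("External", "92.60.105.12", {1194})      # Untangle OpenVPN (port assumed)
    t.add_host("DMZ", "10.0.10.2", {80})                # IIS web server
    t.add_host("Internal", "192.168.2.2", {445})        # SBS1, SMB assumed
    t.allow("External", "DMZ", {80})                    # Untangle forwards HTTP to the DMZ
    t.allow("Internal", "DMZ", {80})
    t.allow("Internal", "External")                     # outbound NAT, any port
    return t


def hardened_layout():
    """Same layout, but the VMkernel moves to its own port group with a private
    address (assumed) that only Internal, i.e. VPN clients Untangle has
    already admitted, may reach on the management ports."""
    t = current_layout()
    del t.hosts["External"]["92.60.105.9"]
    t.mgmt_ips = {"192.168.3.1"}
    t.add_host("Management", "192.168.3.1", MGMT_PORTS)
    t.allow("Internal", "Management", MGMT_PORTS)
    return t


def management_exposed(t, from_segment="External"):
    """Management endpoints reachable from from_segment, sorted for display."""
    return sorted(x for x in t.reachable_from(from_segment) if x[0] in t.mgmt_ips)


if __name__ == "__main__":
    print("Internet -> management, as posted :", management_exposed(current_layout()))
    print("Internet -> management, hardened  :", management_exposed(hardened_layout()))
    print("VPN client -> management, hardened:", management_exposed(hardened_layout(), "Internal"))
```

The model makes William's trade-off explicit as well: in the hardened layout the only path to the management ports runs through the Internal segment, so it depends on the Untangle VM being up and its VPN working, which is the lock-out scenario he raises. That is why aldanch's suggestion of a physical firewall in front of the host resolves it cleanly: the filtering then no longer lives inside the hypervisor it is protecting.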

 

by: Whisky-Will, posted on 2009-04-27 at 05:24:11 (ID: 24240940)

aldanch:

Will take on board your comments

Regards

William

 

by: Whisky-Will, posted on 2009-04-27 at 05:27:00 (ID: 31572626)

Aldanch; Thank you very much for all your help. Kind Regards William

 

by: aldanch, posted on 2009-04-27 at 10:01:26 (ID: 24243592)

You're welcome! Glad to be of help!
