  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1604

What is the Correct Network Design?

Hi

I have created a virtual network using VMware ESXi which has an Untangle VM at the network perimeter. The Untangle box acts as a VPN/firewall for my network, which consists of External, Internal and DMZ segments.

When installed, the VMware host was allocated localhost.localdomain, and the web server in the DMZ has been working fine.

On the Internal segment of the virtual network I'm looking to install MS SBS 2008, and during installation the SBS virtual box was set up as SBS1.MyDomain. I have since added three clients to the .MyDomain.

Looking back at what I have done, I'm now not sure of the interaction between the VMware host and the SBS. Should they both have the same domain name, as they are on the same virtual network? Could someone please explain what would be the norm in this situation?

Cheers, Will
Asked by: Whisky-Will
1 Solution
 
kumarnirmalCommented:
Virtual Networks are connected through various Port Groups which are in turn connected to vSwitches which are finally connected to Physical NICs.

For example, I can create 3 VMs which have 3 different IP subnets.

The NICs connected to the ESXi Server should be connected to different Physical Switches in order to segment them using Networking Concepts.

You can also use VLANs to segment different VMs.

Please bear in mind that the SBS and VMware ESXi Server need not be in the same Domain.

 
Whisky-WillAuthor Commented:
Hi kumarnirmal

I think I have the network structured correctly; diagram attached.

You indicate in your reply that the SBS and VMware ESXi Server need not be in the same domain, but surely this can't just be a random choice.

In my particular case, should the domain be the same or different, and what is the consequence of going either way?

Regards
William


[Attachment: Network.JPG]
 
kumarnirmalCommented:
The Internal SBS Server should have an uplink connected to the vSwitch, since you cannot connect to the SBS Server if you do not map it to a vSwitch as indicated in the attachment.
 
kumarnirmalCommented:
Just like your vSwitch1 is connected to vmnic1, vSwitch3 should be connected to a vmnic or physical NIC if you intend to have SBS connectivity to the physical network.


 
Whisky-WillAuthor Commented:
Hi kumarnirmal

The SBS Server uses the Gateway Server on its segment of the LAN to reach the External network. In reverse, all traffic arriving on the virtual network has to go through the Gateway Server to reach either the Internal or DMZ segments. Is this not best practice?

That aside, my question remains: in my particular case, should the domain on the VMware host be the same as or different from the domain on the SBS Server, and what is the consequence of going either way?

Regards
William
 
kumarnirmalCommented:
Sorry, I completely missed Gateway Server 1 in the picture. This is a good security practice.

The SBS Domain would be an Active Directory Domain.
Keeping the ESX Server in the same domain would cause no harm.

By the way are you using VIrtualCenter Server in your environment to manage ESX Hosts ?

You would have to put a DNS Host entry in the Windows / Linux DNS Server in your environment.
 
Whisky-WillAuthor Commented:
Hi kumarnirmal

As we are only a small business we are using VMWare Infrastructure Client to Manage the ESXi Hosts.

Our Gateway (Linux) is set up to get its DNS from the OpenDNS servers, and all of our other VMs are Windows machines that get their DNS from the Gateway.

On the domain front, is it not the other way around?

My whole network was built in the .localdomain, so have I not then come along and created a .myDomain for the SBS within it? I'm really confused.

Regards
William  
 
kumarnirmalCommented:
Which version (2003 or 2008) and what edition (Standard or Premium) of Small Business Server are you using ?

For what purpose have you installed SBS ?

 
aldanchCommented:
You have two domains, .localdomain (physical infrastructure, where ESXi is), and .mydomain (virtual infrastructure, where SBS is).

"That aside my question remains, In my particular case should the Domain on the VMWare be the same or different as the Domain on the SBS Server, and what is the consequence of going either way?"

In this question, what does "VMWare" refer to? The host or the VMs? SBS is isolated and can only be accessed through routing conducted by your Gateway VM. The host should be on the same subnet as the VI client used to manage it.

Did you want to have two separate domains/forests wherein you'll enable uni- or bidirectional forest trusts or are you looking to unify them into one domain?
 
Whisky-WillAuthor Commented:
 
Hi aldanch
 
 Apologies for confusing things with a poor explanation.
 
I have only 1 physical box that contains 2 physical network cards. This machine is co-located in an ISP's data center. I receive a feed into each network card from the ISP's switch. I have been provided with two public IP addresses (92.60.105.12 and 92.60.105.9), both of which have a mask of 255.255.255.128. I was given an address of 92.60.105.1 to use as a gateway and 92.60.105.8 to use for DNS.

All other NICs, switches and machines are virtual, and all other addressing uses private IP numbers.

I'm using ESXi embedded, so when the physical server was first turned on the VMware was booted from an internal USB key. During setup I was asked to provide an IP address for the VMware Management Network; I used one of my public IP addresses (92.60.105.9) and this was virtually bridged to the ISP's network via one of my physical NICs.

Also during setup the VMware asked for a host name and defaulted to "localhost.localdomain".

I then proceeded to establish the virtual machine containing the Untangle firewall, VPN and NAT device. This was given three virtual NICs as follows:

External: Assigned my second public address (92.60.105.12) and virtually bridged to my ISP's network via the second physical NIC.
 
 Internal: Given a private IP address of 192.168.2.1/24
 
 DMZ: Given a private IP address of 10.0.10.1/8
 
The Untangle box is set to get its DNS from OpenDNS on 208.67.222.222.
 
 I set up a virtual machine running an IIS server in the DMZ segment. This was given a private address of 10.0.10.2, a gateway of 10.0.10.1 and a DNS of 10.0.10.1. This all appeared to work fine and web pages could be served to the internet.
 
I set up a virtual machine running the back end of my website on the Internal segment. This was given a private address of 192.168.2.2, a gateway of 192.168.2.1 and a DNS of 192.168.2.1. This all appeared to work fine; I could VPN in to the Untangle box and reach the Internal network, and my back end could upload to the website in the DMZ.

I now want to install SBS 2008 on the Internal segment of the network. During setup I provided the following information:
 
 Server Name: SBS1
 
 Internal Domain Name (NetBIOS): Indigolime
 
 Full Internal DNS Name: indigolime.local
 
 External Domain Name: indigolime.net
 
 IP address: 192.168.2.2
 
 Gateway: 192.168.2.1
 
 DNS: 192.168.2.1
 
This appears to work fine, but I'm concerned that the settings on the SBS virtual box ("indigolime.local") and the settings on the VMware host ("localhost.localdomain") need to be related in some way. They do, after all, exist on the same virtual network.

I'm very confused; what is best practice in this case?
 
 Will  
 
kumarnirmalCommented:
A single network can contain multiple Domains as long as your requirement is fulfilled.

localhost.localdomain is just a generic name which is assigned to an ESX host when it is installed, if you do not assign a normal domain name such as myesxhost.domain.com.

Besides that, what is the role of the SBS in your Network ?
 
aldanchCommented:
Will,

Thanks for the detailed explanation of your network layout. I've attached a diagram that matches it (hopefully).

Let me start with the bottomline first: treat your ESX server as a member of a workgroup environment that is separate from your internal network (indigolime.local).

In this scenario, your ESX server's FQDN is "localhost.localdomain" which is a generic name assigned to the ESXi server when it's first created. This is usually changed to match the domain that your ESX server is on. However, since the server is on your ISP's datacenter in one of their subnets (92.60.105.x), it's not necessary for you to match it to your network (192.168.2.x for indigolime.local).

The "localhost.localdomain" FQDN is for DNS resolution (accessing the ESX server and managing your virtual infrastructure: VMs, vSwitches, datastores, etc.), allowing you to conveniently access your ESX server by its FQDN or NetBIOS name (for example, typing ESX1.domain.local or ESX1 in your VI client or in a web browser address bar) rather than its IP address (92.60.105.9). This applies when your ESX server is on the same subnet as your Domain Controllers, DNS servers, and the like. In your case, the ESX server is transparent to your Internal network. It's just a resource pool for CPU, memory, and storage for your VMs, as well as network connectivity in and out of your Internal network.

[Attachment: 090421---Whisky-Will.png]
 
aldanchCommented:
Will,

How are you accessing your ESX server? Is it through its public IP, or did your ISP give you a portal to use to access it?
 
Whisky-WillAuthor Commented:
Hi kumarnirmal

The SBS will be used to provide a small number of small SharePoint sites used by a small number of users, web access to email, and centralised control for the file storage and backup of the 4 clients and 1 server in the SBS domain.

Regards
William
 
Whisky-WillAuthor Commented:
aldanch

Diagram was spot on, a great answer triggering one of those Eureka! moments where everything falls into place.

I access ESXi directly through the public IP address, is this a problem?

A true expert on a great site.

Regards
Will


 
aldanchCommented:
Will,

It's more of a security issue. ESXi's Management Network (VMkernel) is typically placed in a private network and is not directly accessible through the Internet. Your current predicament is that anyone can simply type in your ESX server's IP address on their favorite web browser, download the VI client, and attempt to gain access by brute forcing their way into your virtual environment.

There was a similar posting in the VMware Communities forum: http://communities.vmware.com/thread/194030

This post also mentions protecting your ESX server behind a firewall and setting up a VPN server that enables you to access your ESX via VI Client.

Did your ISP set up your ESX and then grant you access through a Public IP? Do they have an SLA regarding security of it?
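The exposure aldanch describes above (a management interface on a public address, defended only by a username and password) is worth watching for as well as fixing. The script below is an added example, not code from the thread or from VMware: it runs a small brute-force detector over constructed hostd-style authentication lines, flags a success that follows a burst of failures, and flags any successful management login that did not come from the Internal segment (192.168.2.0/24, the segment reached over the Untangle VPN in this thread). The log line format is an assumption modelled on the "Accepted/Rejected password for user ... from ..." messages that later ESXi releases write to hostd.log/auth.log; check the real format on your own version and adjust the regular expression.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample log (not from the thread). Format assumed: ESXi hostd
# authentication messages with an ISO-8601 timestamp prefix.
SAMPLE_LOG = """\
2009-04-21T10:15:01Z hostd: Rejected password for user root from 203.0.113.7
2009-04-21T10:15:02Z hostd: Rejected password for user root from 203.0.113.7
2009-04-21T10:15:03Z hostd: Rejected password for user admin from 203.0.113.7
2009-04-21T10:15:04Z hostd: Rejected password for user root from 203.0.113.7
2009-04-21T10:15:05Z hostd: Rejected password for user root from 203.0.113.7
2009-04-21T10:15:06Z hostd: Accepted password for user root from 203.0.113.7
2009-04-21T10:20:00Z hostd: Rejected password for user root from 192.168.2.10
2009-04-21T10:20:30Z hostd: Accepted password for user root from 192.168.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) hostd: (?P<result>Accepted|Rejected) password for user "
    r"(?P<user>\S+) from (?P<src>[\d.]+)$"
)

# Where management logins are expected to come from: the Internal segment,
# reachable only over the Untangle VPN. Anything else is unexpected.
ALLOWED_MGMT_SOURCES = [ip_network("192.168.2.0/24")]

WINDOW = timedelta(seconds=60)   # sliding window for counting failures
THRESHOLD = 5                    # failures within WINDOW that count as brute force


def parse_line(line):
    """Parse one log line into a dict, or return None if it is not an auth event."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "result": m["result"],
        "user": m["user"],
        "src": ip_address(m["src"]),
    }


def is_allowed_source(addr):
    """True if addr lies inside one of the expected management networks."""
    return any(addr in net for net in ALLOWED_MGMT_SOURCES)


def analyse(log_text):
    """Return a list of (kind, source, detail) findings, in log order."""
    findings = []
    recent_failures = defaultdict(deque)  # src -> timestamps of failures in WINDOW
    alerted = set()                       # sources already flagged as brute force
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Rejected":
            q = recent_failures[src]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > WINDOW:
                q.popleft()
            if len(q) >= THRESHOLD and src not in alerted:
                alerted.add(src)
                findings.append(("brute_force", str(src),
                                 f"{len(q)} failures within {WINDOW.seconds}s"))
        else:  # Accepted
            if src in alerted:
                findings.append(("success_after_brute_force", str(src),
                                 f"user {ev['user']}"))
            if not is_allowed_source(src):
                findings.append(("login_from_unexpected_source", str(src),
                                 f"user {ev['user']}"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_LOG):
        print(f"{kind:30} {src:16} {detail}")
```

On the sample, the public source 203.0.113.7 produces three findings (brute force, success after brute force, login from an unexpected source), while the single failure from 192.168.2.10 followed by a success from the Internal segment produces none. Feeding the script a live log is only a stopgap; the real fix is the one in the thread, moving the VMkernel management interface off the public address so that only VPN users can reach it.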
 
Whisky-WillAuthor Commented:
aldanch

Thanks for the additional advice.

The problem I have is that the firewall is virtual, so if I move the VMkernel behind the firewall I could end up in a situation where I can't get to the firewall because of a problem in ESXi, and I can't get to ESXi because of a problem in the firewall, or the other way around.

The ISP provides only power,cooling,ip addresses, a rack to hold the box and a network connection and the rest is down to me.

Without buying some physical hardware and paying to co-locate it with the server, I can't see any other options.

Regards
William
 
aldanchCommented:
William,

Wouldn't it be in the best interest of your company to safeguard your ESXi server, as it is openly exposed to anyone with an Internet connection? IMHO, I think that it's worth the investment (if budget allows).

Bringing in hardware (a hardware firewall/VPN router) and co-locating it with the server would add a layer of security for your ESX server (which currently has only a username and password as its only defense), albeit it will come with a price. I would stake that cost against a security breach that may ruin your company's reputation (and yours) or use your resources for malicious agendas.
 
Whisky-WillAuthor Commented:
aldanch:
Will take on board your comments
Regards
William
 
Whisky-WillAuthor Commented:
Aldanch; Thank you very much for all your help. Kind Regards William
 
aldanchCommented:
You're welcome! Glad to be of help!