vCenter and esxi hosts - DMZ or LAN?

Currently, I have vCenter and 2 ESXi hosts on the LAN, and I have to VPN into the firewall to access either (vCenter is actually a VM on one of the ESXi hosts). However, console performance is terrible with this setup, and I'm thinking that it's because of the VPN overhead. So, my question is, should I move vCenter into the DMZ so that I can access it sans VPN, and open the necessary ports so that it can connect with the ESXi hosts on the LAN? Note that, despite the virtualization, the DMZ and LAN networks are separate physical networks using multiple NICs on the hosts. Well, kinda... the NICs are connected to a single switch, but the switch is segmented using VLANs.

msdcdevAuthor Commented:
Well, turns out that I can't put the vCenter server on the DMZ and leave the ESXi hosts on the LAN. See page 183:

So, if I'm not mistaken, my options are:

1. Leave vCenter and ESXi hosts on the LAN and deal with the ridiculously slow response times.
2. Move vCenter AND ESXi hosts to the DMZ... which would also require a public IP for each ESXi host and vCenter.

Can anyone speak to best practices on the configuration?
IMHO, putting your vCenter in the DMZ and making it publicly accessible is a terrible idea.

What speed is your VPN connection? Your connection may be limited by the bandwidth and/or latency.

With slow connections, do you have a machine in the building you can use for RDP access, so that only screen updates and mouse/keyboard input are transferred? RDP/remote access is usually a good option.
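The expert above asks whether the link is bandwidth-bound or latency-bound, which is the right question: an interactive console is far more sensitive to round-trip time and jitter than to throughput. The following script is an added example (not part of this thread or of any VMware tooling) that measures TCP connect latency from the VPN client to a management endpoint and gives a rough verdict. The hostname, port and the 100 ms threshold are assumptions; the local listener exists only so the script can be exercised offline.

```python
import socket
import statistics
import threading
import time

# Assumed placeholders: replace with the vCenter host and management port
# you reach over the VPN. Nothing here is taken from the thread.
VCENTER_HOST = "vcenter.example.internal"
VCENTER_PORT = 443


def measure_tcp_latency(host, port, samples=10, timeout=3.0):
    """Time a series of TCP handshakes to host:port.

    Returns a dict with sample count, min/avg/max RTT and jitter in
    milliseconds, or None if no connection succeeded. A TCP connect is a
    cheap proxy for round-trip time that needs no ICMP and no credentials.
    """
    rtts = []
    for _ in range(samples):
        start = time.perf_counter()
        try:
            with socket.create_connection((host, port), timeout=timeout):
                pass
        except OSError:
            continue  # count only successful handshakes
        rtts.append((time.perf_counter() - start) * 1000.0)
    if not rtts:
        return None
    return {
        "samples": len(rtts),
        "min_ms": min(rtts),
        "avg_ms": statistics.fmean(rtts),
        "max_ms": max(rtts),
        "jitter_ms": statistics.pstdev(rtts),
    }


def classify(stats, interactive_threshold_ms=100.0):
    """Rough verdict for interactive (console/RDP) use.

    The threshold is an assumption, not a VMware figure: above ~100 ms RTT
    or with jitter above half of that, keystroke echo in a remote console
    feels sluggish regardless of how much bandwidth the link has.
    """
    if stats is None:
        return "unreachable"
    if stats["avg_ms"] > interactive_threshold_ms or stats["jitter_ms"] > interactive_threshold_ms / 2:
        return "latency-bound"
    return "latency-ok"


def start_local_listener():
    """Start a throwaway TCP listener on 127.0.0.1 for offline testing.

    Returns (server_socket, port); the accept loop runs in a daemon thread
    and closes each connection immediately.
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def _accept_loop():
        while True:
            try:
                conn, _ = srv.accept()
                conn.close()
            except OSError:
                break  # listener closed

    threading.Thread(target=_accept_loop, daemon=True).start()
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    result = measure_tcp_latency(VCENTER_HOST, VCENTER_PORT)
    print(result, classify(result))
```

Run it once from the VPN client and once from a machine on the LAN; if the VPN numbers are an order of magnitude higher, the slow console is a latency problem that more bandwidth will not fix, and the RDP-to-a-LAN-jump-host approach suggested above is the right workaround.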

msdcdevAuthor Commented:
I agree...I originally thought that I'd just leave 3389 and RDP locked down on all of my VMs for more security, but now that I think about it, it's obviously less secure to move vCenter to the DMZ.

My connection is burstable to 100 Mb/s. On a simple bandwidth tester, it looks like I'm getting 30 down and 10 up. That should be more than enough to run the VM's console through a VPN. I'm still not sure why it's so painfully slow. RDP (through VPN) flies like I'm sitting right in front of the machine; it doesn't make sense that the VMware console is that much slower. In fact, that's why I hadn't tried RDP until a couple of hours ago... I assumed performance would be comparable.

I have vCenter running on a Xeon quad with 4 GB and SQL 2008... and even on the LAN it takes me about a minute to start it up... How does your speed compare on the network to off the network?

msdcdevAuthor Commented:
It's not the vCenter start up speed, or even the console start up speed, that are unbearable.  It's the responsiveness of the console (cursor, keyboard inputs, etc).  On the network (gigabit, no VPN), console input responsiveness was good.  Probably comparable to RDP off network.
Oh, ya, I hate using the console across the VPN, it's pretty bad... I find that remote software on the host works better IMHO. I tend to use Dameware or RDP on virtual hosts instead of the console whenever I can.

I can give you some basic ideas, though they might be a little old school... just turn off all visual styles, turn off all effects, lower the resolution, lower the color depth, turn off all the visual bells and whistles to help speed things along.


msdcdevAuthor Commented:
Thanks for the help. RDP is working great. Not sure why VMware doesn't use the same protocol for its console. Although, I guess RDP is Windows-specific, so the best you can do with VMware is transmit the entire screen as a stream of images. It all makes sense now :)