vCenter and esxi hosts - DMZ or LAN?

Currently, I have vCenter and 2 ESXi hosts on the LAN, and I have to VPN into the firewall to access either (vCenter is actually a VM on one of the ESXi hosts).  However, console performance is terrible with this setup, and I'm thinking that it's because of the VPN overhead.  So, my question is, should I move vCenter into the DMZ so that I can access it sans VPN, and open the necessary ports so that it can connect with the ESXi hosts on the LAN?  Note that, despite the virtualization, the DMZ and LAN networks are separate physical networks using multiple NICs on the hosts.  Well, kinda...the NICs are connected to a single switch, but the switch is segmented using VLANs.
msdcdev Asked:
MikeKane Commented:
Oh, ya, I hate using the console across the VPN, it's pretty bad.... I find that remote software on the host works better IMHO.   I tend to use Dameware or RDP on virtual hosts instead of the console whenever I can.

I can give you some basic ideas though they might be a little old school...  just turn off visual styles, turn off all effects, lower the res, lower the color depth, turn off all the visual bells and whistles to help speed things along.

msdcdev (Author) Commented:
Well, turns out that I can't put the vCenter server on the DMZ and leave the ESXi hosts on the LAN.  See page 183:

http://www.vmware.com/pdf/vi3_301_201_server_config.pdf

So, if I'm not mistaken, my options are:

1.  Leave vCenter and ESXi hosts on the LAN and deal with the ridiculously slow response times.
2.  Move vCenter AND ESXi hosts to the DMZ...which would also require a public IP for each ESXi host and vCenter.

Can anyone speak to best practices on the configuration?
MikeKane Commented:
IMHO, putting your vCenter in the DMZ and making it publicly accessible is a terrible idea.


What speed is your VPN connection?    Your connection may be limited by the bandwidth and/or latency.    

With slow connections, do you have a machine in the building you can use for RDP access, so that only screen updates and mouse/keyboard input are transferred?    RDP/remote access is usually a good option.

msdcdev (Author) Commented:
I agree...I originally thought that I'd just leave 3389 and RDP locked down on all of my VMs for more security, but now that I think about it, it's obviously less secure to move vCenter to the DMZ.

My connection is burstable to 100 Mb/s.  On a simple bandwidth tester, it looks like I'm getting 30 down and 10 up.  That should be more than enough to run the VMs' console through a VPN tunnel...so I'm still not sure why it's so painfully slow. RDP (through VPN) flies like I'm sitting right in front of the machine....so it doesn't make sense that the VMware console is that much slower.  In fact, that's why I hadn't tried RDP until a couple of hours ago...I assumed performance would be comparable.
MikeKane Commented:
I have vCenter running on a Xeon quad with 4 GB and SQL 2008...   and even on the LAN it takes me about a minute to start it up...      How does your speed compare on the network to off the network?

msdcdev (Author) Commented:
It's not the vCenter start-up speed, or even the console start-up speed, that is unbearable.  It's the responsiveness of the console (cursor, keyboard input, etc.).  On the network (gigabit, no VPN), console input responsiveness was good.  Probably comparable to RDP off network.
msdcdev (Author) Commented:
Thanks for the help.  RDP is working great.  Not sure why VMware doesn't use the same protocol for its console.  Although, I guess RDP is Windows-specific, so the best you can do with VMware is transmit the entire screen as a stream of images.  It all makes sense now :)