[Okta Webinar] Learn how to a build a cloud-first strategyRegister Now

x
?
Solved

Adding a new VMware ESX host into VCentre within DMZ

Posted on 2014-02-02
13
Medium Priority
?
1,882 Views
Last Modified: 2014-03-08
Hi

I need to add a new VMware ESX host in an existing VCentre but needs to be configured within a DMZ architecture:-

So:-

1) What configurations do I need to do within VCentre, i.e network switches, etc..
2) The host be configured in its own DMZ but still needs to be available on the main internal network
3) What ports need to be enabled in firewall, to able to see DMZ servers and able to connect to these clients

Thanks
0
Comment
Question by:rakkad
  • 7
  • 6
13 Comments
 
LVL 124
ID: 39827545
1. Can be done in different ways depending upon policys in your organisation, either with:-

a). a dedicated vSwitch and at least two uplinks which connect to your DMZ, and then create a Virtual Machine Portgroup with a network label of DMZ.

b) it can be done with VLANs, and you would pass that VLAN to a vSwitch, and use VLAN tags on the Virtual Machine Portgroup

2. Do you really want to put the Host in the DMZ, we do not generally put hosts in the DMZ, we put Guests in the DMZ using the above, because you've got more network configuration, more ports to open, and the "surface area" is larger, e.g. because you've put the host in the DMZ.

3. There are many, many ports you would need to open, if you vCenter Server is in the Internal LAN

see here:-

Required ports for configuring an external firewall to allow ESX/ESXi and vCenter Server traffic

TCP and UDP Ports required to access vCenter Server, ESXi/ESX hosts, and other network components

So you need to think carefully about actually putty and install the HOST in the DMZ.
0
 

Author Comment

by:rakkad
ID: 39827610
Thanks for the comment !!

Is there a preferred recommendation and can you forward any possible design configurations ?

Thanks once again
0
 
LVL 124
ID: 39827627
Yes, it's in my first post.

Do not put the Host in the DMZ, and use 1a and 1b.
0
2017 Webroot Threat Report

MSPs: Get the facts you need to protect your clients.
The 2017 Webroot Threat Report provides a uniquely insightful global view into the analysis and discoveries made by the Webroot® Threat Intelligence Platform to provide insights on key trends and risks as seen by our users.

 

Author Comment

by:rakkad
ID: 39827678
Thanks I'll keep you posted how I get on
0
 

Author Comment

by:rakkad
ID: 39828362
Will it possible to illustrate this in a form a pictorial representation of how It may hang together ?

Thanks
0
 
LVL 124
ID: 39828389
Yes, no problems, questions please ask....

ESXi Network
this assumes, placement of Host in Internal LAN, DMZ is connected to a vSwitch, and DMZ VMs will connect to this vSwitch only.

No traffic can pass between vSwitches, so is isolated in the switches in ESXi
0
 

Author Comment

by:rakkad
ID: 39843993
Hi

I have been going over this and still confused as it whether to put the host in the DMZ network (192.x.x.x) or in the internal VLAN 226 (VMware LAN) then connect to the DMZ.

If I we're to put the host in the DMZ straight, how difficult would this be for this host to connect to VCentre  ? What problems could run into ?  In your experience would organisations follow the rule to put the host in the internal LAN then connect to DMZ

Is this way, the DMZ host needs to see the VCentre, as apposed in the reverse way

Also, would you recommend DHCP or keep static IP addresses for VM guests

Thanks

I hope I am clear with the above
0
 
LVL 124
ID: 39844055
You will need to open many ports, between vCenter Server on production LAN and ESXi server in the DMZ.

Also your attack profile is higher, putting the entire HOST in the DMZ.

ALL our clients DO NOT put the Hosts in the DMZ, they connect network interfaces on the host to DMZ.

All servers, physical or virtual have Static IP Addresses.
0
 

Author Comment

by:rakkad
ID: 39844431
So to summarise, from your suggestions I put the new host in the existing Vcentre which is in the VLAN 226 - internal network, followed by Vswitches to connect to the DMZ 192.x.x.x

Thanks again for your speedy response
0
 
LVL 124
ID: 39844447
Correct, that's how it's done. Reduces attack footprint of not having management Interfaces in the DMZ for the Host Server.
0
 

Author Comment

by:rakkad
ID: 39878581
I have setup the DMZ VMware setup.  Can you verify the diagram and see if I have done it correctly.

Also, I have noticed that the vmnic0 is showing 10 instead of 1000

Also, vmnic1 to 3 is showing as standby and there is no actually connection, is there any reason for this ?

Can you assist, what can I do to check the above ?

Thanks
image.jpg
0
 
LVL 124

Accepted Solution

by:
Andrew Hancock (VMware vExpert / EE MVE^2) earned 1500 total points
ID: 39879025
There is a network fault with vmnic0, e.g. cable is not correct, port is not correct, it should show 1000, not 10.

I would check the port, cable, physical network port.

It looks like you have configured 3 nics, as standby, you will need to edit the vSwitch and decide what to do with these nics?

and move them up into Active or Unused.

Make sure if using 2 or 4 nics, that you have the correct teaming policy and physical switch configuration in place.
0
 

Author Closing Comment

by:rakkad
ID: 39915083
Thanks forum help in this call your solutions helped alot
0

Featured Post

When ransomware hits your clients, what do you do?

MSPs: Endpoint security isn’t enough to prevent ransomware.
As the impact and severity of crypto ransomware attacks has grown, Webroot fought back, not just by building a next-gen endpoint solution capable of preventing ransomware attacks but also by being a thought leader.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The following article is comprised of the pearls we have garnered deploying virtualization solutions since Virtual Server 2005 and subsequent 2008 RTM+ Hyper-V in standalone and clustered environments.
In this article, I show you step by step with screenshots to assist you - HOW TO: Deploy and Install the VMware vCenter Server Appliance 6.5 (VCSA 6.5), with some helpful tips along the way.
Teach the user how to join ESXi hosts to Active Directory domains Open vSphere Client: Join ESXi host to AD domain: Verify ESXi computer account in AD: Configure permissions for domain user in ESXi: Test domain user login to ESXi host:
This Micro Tutorial steps you through the configuration steps to configure your ESXi host Management Network settings and test the management network, ensure the host is recognized by the DNS Server, configure a new password, and the troubleshooting…
Suggested Courses

873 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question