ESXi 6.5 DMZ Setup


I am trying to set up an ESX 6.5 server as a DMZ and am having issues with the infrastructure. I have attached a plan of what I have done so far, but I can't get the ESXi hypervisor to access the internet.

I have the ESX box's gateway set to but I think it should be but if I do this I can't get to the ESX box anymore.

I am quite new to this, so any help would be great. Thank you.

Julian Haines, Senior IT Administrator, asked:

Seth Simmons, Sr. Systems Administrator, commented:

What are you trying to accomplish? Why put the entire host in the DMZ?
If you have guests that are going to be in the DMZ, why not just add a VLAN for the DMZ network and lock it down at that level?
This is how I have it configured for a couple of guests that are externally facing.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:
You would not normally put an ESXi server in the DMZ.

As my fellow colleague has suggested, an ESXi server can support many VLANs for different VMs on different networks, so you would have an ESXi host with many VLANs, supporting different hosted VMs on different networks, including your DMZ.

This reduces the security footprint by not putting the ESXi Host into the DMZ.

Is there any vCenter Server in this environment?

Where are you trying to access the ESXi host from? Externally, across the Internet? Is that why it's in the DMZ?

Julian Haines, Senior IT Administrator, author, commented:

Thank you for the advice. I did not think about doing it this way and was just going to put the ESX server in the DMZ; I wanted to manage it locally.

So, if I understand correctly, I would, for example, create a VLAN10 for the DMZ and put the server in this VLAN, then have the ESX in VLAN0, which is on my local network?


Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:

Please DO NOT use VLAN0; VLAN0 is a special VLAN and should not be used or tagged in ESXi (or anything).

So you can choose whatever VLANs you want to use: VLAN10 for the DMZ, VLAN5 for other things...

Remember that traffic from VLAN10 to any other VLAN needs to be secured via a Firewall.

It's entirely up to you where you put stuff, but if the ESXi host is not in the DMZ you reduce your security footprint, and depending on how you've built your DMZ, devices in the DMZ should not be able to communicate within the DMZ...

e.g. Server A should not be able to communicate with Server B in the DMZ.

But if Server A is a front-facing web server which needs to access SQL Server, then make sure firewall rules only permit SQL traffic between them, etc.

Julian Haines, Senior IT Administrator, author, commented:

Thank you for all the advice; it was very helpful.

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:

No problem, please post/shout if you need more help.

Julian Haines, Senior IT Administrator, author, commented:

I have reconfigured with the ESX box outside the DMZ and a test VM in a new vSwitch, VLAN, port group and vmnic which connects to my firewall, but the VM can't ping the gateway or get out to the internet (ping etc.).

I have checked all the IPs and gateways. Is there something extra I may need to do when using VLANs?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:

No, nothing, but if you are using a VLAN which is on a different network to your Internet router or gateway, you will need inter-VLAN routing between the networks.

This is not a VMware-related issue; it is standard network design. Your VM needs to have correct IP address settings, gateway, etc.,

and this depends on how your DMZ is constructed. Normally, but dependent upon design, your firewall can use NAT, forwarding, or your VM could have an external public IP address.

e.g. your VM could have an external-facing IP address, or your VM could have an internal private IP address, but the firewall translates a public-facing IP address to this internal DMZ IP address.

Julian Haines, Senior IT Administrator, author, commented:
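An added example, not from the thread or any of its participants: a small Python model of the design the answers above describe (DMZ on its own VLAN, the firewall as the only path between VLANs, no host-to-host traffic inside the DMZ, only SQL permitted from the web server to the SQL host) plus a check for the gateway-outside-the-subnet mistake that produces the "VM can't ping the gateway" symptom. All VLAN numbers, addresses and host names are constructed assumptions.

```python
import ipaddress

# Constructed example design (not the asker's diagram): DMZ on VLAN 10,
# internal LAN on VLAN 20; VLAN 0 is never used as a port-group tag.
VLANS = {10: ipaddress.ip_network("192.0.2.0/24"),
         20: ipaddress.ip_network("10.0.0.0/24")}
DMZ_VLAN = 10
HOSTS = {
    "web": {"vlan": 10, "ip": "192.0.2.10", "gw": "192.0.2.1"},
    "vpn": {"vlan": 10, "ip": "192.0.2.11", "gw": "192.0.2.1"},
    "sql": {"vlan": 20, "ip": "10.0.0.20", "gw": "10.0.0.1"},
}
# Firewall policy as (src_host, dst_host, dst_port); anything not listed is denied.
ALLOW = {("web", "sql", 1433)}


def check_vlan_ids(vlans):
    """Return VLAN ids that must not be used as port-group tags (0 and the reserved 4095)."""
    return [v for v in vlans if v in (0, 4095)]


def check_gateways(hosts, vlans):
    """Return hosts whose IP or gateway lies outside their VLAN's subnet.

    Such a VM cannot ARP for its gateway, so it cannot ping it or reach the internet,
    whatever the firewall or inter-VLAN routing does.
    """
    bad = []
    for name, h in hosts.items():
        net = vlans[h["vlan"]]
        if (ipaddress.ip_address(h["ip"]) not in net
                or ipaddress.ip_address(h["gw"]) not in net):
            bad.append(name)
    return bad


def is_permitted(src, dst, port, hosts, allow):
    """Apply the thread's rules: DMZ hosts never talk to each other, traffic that
    crosses VLANs needs an explicit firewall allow, same-VLAN internal traffic is
    switched locally and never reaches the firewall."""
    s, d = hosts[src], hosts[dst]
    if s["vlan"] == d["vlan"] == DMZ_VLAN:
        return False
    if s["vlan"] == d["vlan"]:
        return True
    return (src, dst, port) in allow
```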

Thanks for the help. I have drawn up a new version of the network with the ESX not in the DMZ and a VLAN11; the VM in the DMZ is a VPN server, so it needs to feed down to the local network.

Does this look good, or are there going to be issues?

Andrew Hancock (VMware vExpert / EE MVE^2), VMware and Virtualization Consultant, commented:

At a quick glance, all looks good on paper.