VMware Communities: Message List - ESX 3.5 Behind a Firewall

Re: ESX 3.5 Behind a Firewall

Texiwill — Sat, 27 Jun 2009 14:12:10 GMT

Hello

Moved to Security Forum.

Ideally you want something like this:

Home <-> Internet <-> FW <-> DMZ <-> FW <-> Production <-> FW <-> Management Network (VC + SC + VIC workstation)

Yes you want that many firewalls. The idea is that you use a VPN to cross the boundaries as necessary. You NEVER want to place your SC/VC/VIC within your DMZ or out on the internet. You could do something like the following to gain the access you need.

Home <-> VPN <-> Management Network

Check out http://www.vmware.com/files/pdf/dmz_virtualization_vmware_infra_wp.pdf

Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available 'VMWare ESX Server in the Enterprise'
SearchVMware Pro|Blue Gears|Top Virtualization Security Links|Virtualization Security Round Table Podcast

Re: ESX 3.5 Behind a Firewall

AndreTheGiant — Wed, 17 Jun 2009 15:57:13 GMT

You're welcome.

Andre

Re: ESX 3.5 Behind a Firewall

ejking — Wed, 17 Jun 2009 07:39:17 GMT

Thanks your opinion that i will now be considering. Much appreciated

Re: ESX 3.5 Behind a Firewall

wila — Sun, 14 Jun 2009 15:20:17 GMT

Hi,

You should really not open any of those ports to the internet.
Use VPN as Andre suggest or SSH to forward your ports to the host instead using an external firewall.

If you cannot add an external firewall for whatever reason, then you could set up a firewall VM, have it autostart with the host and route your traffic through there.

--
Wil
_____________________________________________________
Visit the VMware developers wiki at http://www.vi-toolkit.com

Re: ESX 3.5 Behind a Firewall

AndreTheGiant — Sun, 14 Jun 2009 15:08:19 GMT

I suggest you to use a VPN system.
I more secure and you have (usually) open a single port.

Andre
**if you found this or any other answer useful please consider allocating points for helpful or correct answers

ESX 3.5 Behind a Firewall

ejking — Thu, 11 Jun 2009 17:15:14 GMT

Requirement

ESX server is on DMZ to be on HP hardware and VC(2.5) on the internal LAN. Server based licensing to be used and the Flex lic server is on the same server as VC

Ability to deploy software on ESX by use of ILO by Admins (both Console & Virtual media access)

Ability for the app support to remote to VM's in DMZ to manage VM's only and deploy sofware. Preferably if app support can load the app themselves and if not possible admin does if for them. mstsc/landesk/sms/dameware,etc is not allowed.

Ability to deploy software from Altiris RDP server which is inside the internal LAN

DNS name resolution to be allowed.

Company operates a strict policy and ports need to be kept to a bare minimum

******************************************************************************************************************************************************************************************************

Current Ports to be opened and solution that i can think off

ESX to Flex lic server (27000 &27010), ESX to Vcenter/Web (443 and 903/UDP), VI to ESX(902&903), ILO to ESX(23 &17988), DNS(53 TCP/UDP)

Other than adding IP helper ipaddresses on Switches is there any ports required for altiris RDP server VM deployment? Is the risk of using RDP more than the benefit?

App support team to be given access via "Generating Remote Console URL" for VM's on VC. And admin teams put the software for them on VM's. Is there a better solution to this?

If we used host based licensing, would 27000 and 27010 still needs to be open on the firewall

Suggest any ports that can be added or removed, or anything else usefull. Thanking you