Hi everyone.
I'm working on a new design for ESXi 5.0 but i'm wondering what everyone is doing for management of ESXi in DMZ?
I've decided not to but the ESXi in the DMZ itself, but on the internal net, but i'm not sure about the management.
Is it secure to manage both internal esxi and dmz esxi with the same vCenter?
In the "DMZ Virtualization with VMware Infrastructure" guide, all zones are managed by the same vCenter.
Personally i'm leaning towards this solution but my networkteam is not sure...
Regards
Kristian
Hi
I have single vCenter instance for DMZ and PROD servers. What you can do it connect mgmt interface from DMZ server to isolated vLAN, open specific ports from vCenter to DMZ mgmt vLAN. In that situation you have your DMZ servers separated from the rest of your env and you can manage them using single vCenter instance
You will have something like below:
Message was edited by: arturka Diagram added
We currently have a very similar setup, our production vCenter server manages both our production, internal LAN hosts and also our DMZ host. You just need to make sure that you have all of the correct ports open between the vCenter server and the DMZ host, and everything should work fine. Here is a handy diagram showing common connectivity requirements in a vSphere setup...
http://www.vi-tips.com/2011/05/vsphere-network-ports-diagram.html
We make sure that remote SSH connectivity is turned off on the DMZ host, and its very important to configure tight rules around the types of traffic and destinations for traffic originating from the DMZ coming into the internal LAN.
Thanks a lot guys!
Are you by any chance running Lockdown Mode on the servers?
Kristian
kristianaasen wrote:
Thanks a lot guys!
Are you by any chance running Lockdown Mode on the servers?
Kristian
yes, on DMZ always but you have to keep in mind that if you have lockdown mode enabled and using vMA as a syslog it will stops working, you have store your logs in a different way, either on datastore or to remote syslog server.