VMware Cloud Community
kristianaasen
Contributor

Manage both internal and DMZ ESXi with the same vCenter?

Hi everyone.

I'm working on a new design for ESXi 5.0, but I'm wondering what everyone is doing for management of ESXi in the DMZ?

I've decided not to put the ESXi in the DMZ itself, but on the internal net; I'm just not sure about the management.

Is it secure to manage both internal ESXi and DMZ ESXi with the same vCenter?

In the "DMZ Virtualization with VMware Infrastructure" guide, all zones are managed by the same vCenter.

Personally I'm leaning towards this solution, but my network team is not sure...

Regards

Kristian

4 Replies
arturka
Expert

Hi

I have a single vCenter instance for DMZ and PROD servers. What you can do is connect the mgmt interface of the DMZ server to an isolated VLAN and open specific ports from vCenter to the DMZ mgmt VLAN. In that situation you have your DMZ servers separated from the rest of your env, and you can manage them using a single vCenter instance.

You will have something like below:

[Diagram image (2011-09-06 10h45_57.jpg): vCenter managing DMZ hosts over an isolated management VLAN, as described above]

Message was edited by arturka: Diagram added

VCDX77 My blog - http://vmwaremine.com
Villag3Idiot
Enthusiast

We currently have a very similar setup, our production vCenter server manages both our production, internal LAN hosts and also our DMZ host. You just need to make sure that you have all of the correct ports open between the vCenter server and the DMZ host, and everything should work fine. Here is a handy diagram showing common connectivity requirements in a vSphere setup...

http://www.vi-tips.com/2011/05/vsphere-network-ports-diagram.html

We make sure that remote SSH connectivity is turned off on the DMZ host, and it's very important to configure tight rules around the types of traffic and destinations for traffic originating from the DMZ coming into the internal LAN.

kristianaasen
Contributor

Thanks a lot guys!

Are you by any chance running Lockdown Mode on the servers?

Kristian

arturka
Expert

kristianaasen wrote:

Thanks a lot guys!

Are you by any chance running Lockdown Mode on the servers?

Kristian

Yes, on DMZ always, but you have to keep in mind that if you have lockdown mode enabled and are using vMA as a syslog collector, it will stop working; you have to store your logs in a different way, either on a datastore or on a remote syslog server.

VCDX77 My blog - http://vmwaremine.com
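The three hardening points raised in this thread (arturka's isolated management VLAN with only the needed ports opened, Villag3Idiot's SSH turned off on the DMZ host, and arturka's note that lockdown mode requires a remote syslog target instead of vMA) can be checked from the shared vCenter with PowerCLI. The script below is an added example and is not code from any poster or from VMware; it assumes PowerCLI is installed, that the DMZ hosts live in a cluster called "DMZ", and that the vCenter and syslog server names are placeholders to be replaced.

```powershell
# Added example, not from the original thread. Audits the DMZ hosts managed by the
# shared vCenter for: SSH stopped, lockdown mode on, remote syslog set, and which
# firewall rule sets are open. Pass -Remediate to apply the expected settings.
param(
    [string]$VCenter     = 'vcenter.example.internal',          # placeholder FQDN
    [string]$DmzCluster  = 'DMZ',                                # placeholder cluster name
    [string]$SyslogHost  = 'udp://syslog.example.internal:514',  # placeholder remote syslog
    [switch]$Remediate
)

Connect-VIServer -Server $VCenter | Out-Null

$dmzHosts = Get-Cluster -Name $DmzCluster | Get-VMHost

foreach ($vmhost in $dmzHosts) {
    $report = [ordered]@{ Host = $vmhost.Name }

    # 1. SSH (service key TSM-SSH) should be stopped and set to start policy "off",
    #    so it does not come back after a reboot.
    $ssh = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq 'TSM-SSH' }
    $report.SshRunning = $ssh.Running
    $report.SshPolicy  = $ssh.Policy
    if ($Remediate -and $ssh.Running) {
        Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null
        Set-VMHostService  -HostService $ssh -Policy 'off'   | Out-Null
    }

    # 2. Lockdown mode: direct root access to the host is disabled, so all
    #    administration must go through vCenter. AdminDisabled reflects lockdown on 5.x.
    $report.Lockdown = [bool]$vmhost.ExtensionData.Config.AdminDisabled
    if ($Remediate -and -not $report.Lockdown) {
        $vmhost.ExtensionData.EnterLockdownMode()
    }

    # 3. Remote syslog target: with lockdown on, a vMA-based collector stops working,
    #    so Syslog.global.logHost must point at a real syslog server (or logs stay local).
    $logHost = Get-AdvancedSetting -Entity $vmhost -Name 'Syslog.global.logHost'
    $report.SyslogTarget = $logHost.Value
    if ($Remediate -and [string]::IsNullOrEmpty($logHost.Value)) {
        Set-AdvancedSetting -AdvancedSetting $logHost -Value $SyslogHost -Confirm:$false | Out-Null
    }

    # 4. Host firewall: list the enabled rule sets so you can compare them against the
    #    ports the vCenter-to-DMZ-management-VLAN firewall actually permits.
    $enabled = Get-VMHostFirewallException -VMHost $vmhost | Where-Object { $_.Enabled }
    $report.EnabledRulesets = ($enabled | Select-Object -ExpandProperty Name) -join ', '

    [pscustomobject]$report
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once without -Remediate to get a per-host table of the current state; a host with SshRunning True, Lockdown False, or an empty SyslogTarget is one that does not yet match the setup the replies describe. Remote syslog is set before lockdown would matter because, as arturka notes, once lockdown is enabled the vMA route for logs is gone.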