VMware Cloud Community
Longjoseph
Contributor

ESX Host AD Integration possible without giving up Management VLAN?

Hello all,

I am trying to reconcile two security related "best practices" that, due to some knowledge gap in my own mind, seem to be mutually exclusive:

  1. The notion of a "management VLAN", and ...

  2. VI3 - AD integration

The use of a dedicated "management VLAN" or isolated network dedicated for service console and VMkernel communication is a consistently recommended best practice. Another recommended, if less emphasized, best practice for securing a VI3 environment is to configure ESX hosts and the VirtualCenter server to use Active Directory or LDAP instead of local user authentication.

It is easy to find resources that discuss the implementation of either of these principles individually; however, I have yet to find any discussion of both in the same context, and so my problem at this point is figuring out how to integrate my ESX hosts and VC with Active Directory while at the same time maintaining an isolated management VLAN.

When I read white papers and "how-to" blogs on integrating VI3 with AD, it is obvious that the intent is to configure the ESX host to authenticate users from the Active Directory services on the corporate network.

So my question is:

Since the service console is connected to the management VLAN, which is explicitly isolated from the corporate/production VLAN(s), how is it possible for the ESX Server to authenticate users from an AD on the corporate network to which the service console port has no access? BTW, I am assuming that routing between the management and production VLANs is NOT the answer, since that effectively "connects" those VLANs and defeats the purpose.

I am puzzled that the concept of a separate management VLAN (or physical network) is notably absent in everything I've found so far on the topic of VI3 - AD integration. And likewise, the management VLAN concept is always presented absent any implication that SC communication outside of the management VLAN is ever necessary or desirable.

Any insight on this will be greatly appreciated, be it merely pointing out the obvious or whatever. Thanks!


Accepted Solutions
Texiwill
Leadership

Hello,

As RParker stated, the easiest way is to use a firewall that allows AD to go in and out to your internal network from the VM Administrative network. The separation best practice generally implies that it is firewalled to allow only the appropriate access to the SC from other systems. This can be achieved with a properly configured physical firewall/gateway/router. The best practice does not mean complete physical separation, just appropriate protections in place to deny access to those who should not access this all-important network.


Best regards,

Edward L. Haletky

VMware Communities User Moderator

====

Author of the book 'VMWare ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education. As well as the Virtualization Wiki at http://www.astroarch.com/wiki/index.php/Virtualization

--
Edward L. Haletky
vExpert XIV: 2009-2023,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

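Added example, not from Texiwill's reply or any VMware document: one way to express "firewalled to allow only the appropriate access" as a concrete allow-list on a Linux-based gateway sitting between the management VLAN and the corporate network. It assumes iptables on that gateway; the subnet and domain controller addresses are constructed placeholders, and the ports are the standard AD authentication ports (DNS, Kerberos, LDAP, NTP), which the thread itself does not enumerate.

```shell
#!/bin/sh
# Added example (not from the thread): minimal FORWARD-chain allow-list on the
# gateway between the isolated management VLAN (service consoles) and the
# corporate network. Only the flows ESX service console AD authentication
# needs are permitted, initiated from the management side; everything else
# between the two networks is dropped.
MGMT_NET=${MGMT_NET:-192.0.2.0/24}                  # constructed: SC subnet
DC_LIST=${DC_LIST:-"198.51.100.10 198.51.100.11"}   # constructed: domain controllers
IPT=${IPT:-"echo iptables"}   # dry-run prints the rules; set IPT=iptables to apply

# Emit one ACCEPT per DC/protocol/port: DNS 53, Kerberos 88, LDAP 389,
# NTP 123 (Kerberos needs the SC clock in sync with the DCs).
ad_rules() {
    for dc in $DC_LIST; do
        for spec in udp/53 tcp/53 udp/88 tcp/88 tcp/389 udp/123; do
            proto=${spec%/*}
            port=${spec#*/}
            $IPT -A FORWARD -s "$MGMT_NET" -d "$dc" -p "$proto" --dport "$port" \
                 -m state --state NEW,ESTABLISHED -j ACCEPT
        done
    done
    # Replies to the flows above only; nothing may be initiated from the
    # corporate side toward the management VLAN.
    $IPT -A FORWARD -d "$MGMT_NET" -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -s "$MGMT_NET" -j DROP
    $IPT -A FORWARD -d "$MGMT_NET" -j DROP
}

# Count of ACCEPT rules generated, to sanity-check the size of the allow-list.
ad_rule_count() {
    ad_rules | grep -c -- '-j ACCEPT'
}

ad_rules
```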
4 Replies
RParker
Immortal

The VC is the AD integration part. If your VC can communicate with the AD then it will work fine. Even if you are isolated, your security team should be able to open a port on the firewall to allow it to talk to your AD. That shouldn't pose a security risk.

Longjoseph
Contributor

Thanks for your answer. After a bit more digging, it led me to the following article that helps clarify the problem, although it doesn't really answer the root question. The following article, "Authentication in a VMware Infrastructure 3 (VI3) implementation", by Scott Lowe, does a good job of explaining how VC does Windows-based user authentication independently from the Linux-based ESX Server service console authentication, and yet "acts as a bridge, or a proxy, between Active Directory and the Linux-centric methods of the ESX Server Service Console". So it is as you say that VC can authenticate users via Active Directory and allow those users to manage ESX hosts from the VC server via a Linux proxy account on the backend. In that scenario, the ESX host only cares about its local VC account and has no need to authenticate that actual user.

Still, however, user authentication on the ESX host's service console is a completely separate thing from the VC server. In order for a user to log on to the ESX host, via the service console, SSH, FTP, or whatever, including a direct connection from a VI client, the user must be authenticated by the Linux OS on the ESX server. That can be done locally (and independently) on each individual ESX server, OR the ESX servers can be configured to authenticate via a directory service, e.g. AD, as described in this VMware whitepaper: http://www.vmware.com/pdf/esx3_esxcfg_auth_tn.pdf

So, I do now have a somewhat clearer picture, however it is the ESX Server to AD integration part that I am concerned about. Not so much the how-to implement -- the document above lays that out pretty well -- but rather how can I do that and still maintain a separation between the SC / management VLAN and the corporate/production network?

virtualdud3
Expert

...but rather how can I do that and still maintain a separation between the SC / management VLAN and the corporate/production network?

I don't know if it is a "supported" configuration, but I have always thought that installing an instance of ADAM (Active Directory Application Mode) on the VirtualCenter server would be a great way to obtain the benefits of Active Directory authentication and still retain full physical isolation for the management LAN.

I'll play around with this over the next few days and see if I can come up with anything useful.
