VMware Cloud Community
divine_kane
Enthusiast

ISA 2006 VM and DMZ Web VM Networking question

Hi

I have a question regarding ISA 2006.

Here is a quick bit of background on the idea:

We're looking to use MS ISA for our perimeter firewall configuration and to implement a DMZ. Now, in a physical server world you would have an ISA box connected to your router, with another NIC for access to the internal network and another NIC for a DMZ (hope this is right so far), and the DMZ NIC will manage all traffic to the DMZ via a connection to a switch which connects to the DMZ boxes.

Now in an ESX environment I know it is possible to do the same by having NICs for the ESX nodes which connect to the router; these NICs are assigned to the ISA VM when it is on that ESX node. But my question is regarding the DMZ web servers, which will also be VMs hosted on the ESX boxes: how do you network these so they are part of a DMZ? Can this be done by using a virtual NIC that connects the DMZ VMs to the ISA VM, and if so, do the DMZ web server VMs need to be on the same ESX node, or do we need to have physical connections for the servers to route the traffic?

Hope this explanation isn't too vague; please ask for clarification and I will post an image to help explain.

Thanks in advance

Kane

If you found my post helpful, please mark it as 'helpful' or 'correct'

Accepted Solutions
Roman_Romano
Enthusiast

As with all nodes in a cluster, they must have access to the same shared storage and identical network configuration. So each of your nodes must have identically named vSwitches, so a VM on one node works identically on the other node, should it need to ;-)

regards

6 Replies
Roman_Romano
Enthusiast

Will you not just have a virtual switch mapped to a physical NIC connected to your DMZ network for all your VM DMZ servers, and a virtual switch mapped to another physical NIC that connects to your internal network for all internal connections?

O_o
Enthusiast

Hey,

I created an environment for a SB client of mine ... I'll try to explain how I did it ...

The configuration of the ISA server is 3-leg perimeter, but could work for other configurations as well.

You just create 3 vSwitches and connect the 3 vNICs of the ISA server to each of these switches (so the vNICs can't communicate directly with each other, since there is no connection between the vSwitches). Each of these vSwitches has (in this case) 1 physical NIC: 1 physical NIC is connected to the External network (your router to the Internet, for example), 1 physical NIC is connected to your Internal network switch, and 1 physical NIC is connected to the DMZ switch, which is totally separated from the internal LAN.

You don't actually need a physical NIC for the DMZ if you are not running any physical servers in the DMZ; all traffic passes the firewall, doesn't it? In the client's case, he wanted me to connect a wireless AP on the physical NIC of the DMZ, so his visitors were connected to the DMZ instead of the internal LAN ... customer is king ;-)

What you get is 3 separated vSwitches in your ESX host (VI client) ...

Hope this is somewhat clear, if not, I'll try to get a screenshot of the setup ...

Grtz,

O_o

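The following PowerCLI script is an added example and not code from anyone in this thread. It builds the three-leg layout O_o describes (one isolated vSwitch per ISA leg, each with a single uplink) on every ESX host in a cluster, then checks the point made in Roman_Romano's accepted answer above: every node must expose identically named switches and port groups, or a VM that lands on another node has nowhere to plug in. The vCenter name, cluster name, vmnic numbers, switch, port group and VM names are all assumptions for illustration.

```powershell
# Added example, not code from the thread. Builds the three-leg ISA layout on every
# ESX host in a cluster, then checks that each node exposes identically named
# switches and port groups. Every name below (vCenter host, cluster, switch,
# port group, vmnic, VM names) is an assumption for illustration.

$VCenter     = 'vcenter.example.local'   # assumed
$ClusterName = 'ProdCluster'             # assumed

# One isolated vSwitch per ISA leg. Each gets exactly one uplink and no other
# switch shares that uplink, so the legs cannot bridge inside the host.
$Legs = @(
    @{ Switch = 'vSwitch-External'; PortGroup = 'External'; Uplink = 'vmnic1' },
    @{ Switch = 'vSwitch-Internal'; PortGroup = 'Internal'; Uplink = 'vmnic2' },
    @{ Switch = 'vSwitch-DMZ';      PortGroup = 'DMZ';      Uplink = 'vmnic3' }
)

Connect-VIServer -Server $VCenter | Out-Null
$vmHosts = Get-Cluster -Name $ClusterName | Get-VMHost

# 1. Create the switches and port groups on every node (safe to re-run).
foreach ($h in $vmHosts) {
    foreach ($leg in $Legs) {
        $vs = Get-VirtualSwitch -VMHost $h -Name $leg.Switch -ErrorAction SilentlyContinue
        if (-not $vs) {
            $pnic = Get-VMHostNetworkAdapter -VMHost $h -Physical -Name $leg.Uplink
            $vs   = New-VirtualSwitch -VMHost $h -Name $leg.Switch -Nic $pnic
        }
        $pg = Get-VirtualPortGroup -VirtualSwitch $vs -Name $leg.PortGroup -ErrorAction SilentlyContinue
        if (-not $pg) {
            New-VirtualPortGroup -VirtualSwitch $vs -Name $leg.PortGroup | Out-Null
        }
    }
}

# 2. Verify the layout is identical on every node and each leg really is isolated:
#    the switch must exist, carry exactly its one expected uplink, and its port
#    group must exist. A node failing this check would strand a migrated ISA or
#    DMZ VM, or worse, let a mis-cabled uplink bridge two legs.
$problems = @()
foreach ($h in $vmHosts) {
    foreach ($leg in $Legs) {
        $vs = Get-VirtualSwitch -VMHost $h -Name $leg.Switch -ErrorAction SilentlyContinue
        if (-not $vs) {
            $problems += "$($h.Name): missing $($leg.Switch)"
            continue
        }
        $uplinks = @($vs.Nic)
        if ($uplinks.Count -ne 1 -or $uplinks[0] -ne $leg.Uplink) {
            $problems += "$($h.Name): $($leg.Switch) uplinks are [$($uplinks -join ',')], expected $($leg.Uplink)"
        }
        if (-not (Get-VirtualPortGroup -VirtualSwitch $vs -Name $leg.PortGroup -ErrorAction SilentlyContinue)) {
            $problems += "$($h.Name): $($leg.Switch) has no port group $($leg.PortGroup)"
        }
    }
}
if ($problems) {
    $problems | Write-Warning
    throw 'Cluster network layout is not consistent; fix the nodes above before placing VMs'
}

# 3. Wire the VMs (names assumed). The ISA VM gets one vNIC per leg; each DMZ web
#    server gets a single vNIC on the DMZ port group only, so its only path to the
#    internal LAN or the Internet is through the ISA VM.
$isaNics = @(Get-VM -Name 'ISA01' | Get-NetworkAdapter | Sort-Object Name)
if ($isaNics.Count -ne $Legs.Count) {
    throw "ISA01 has $($isaNics.Count) vNICs, expected $($Legs.Count) (one per leg)"
}
for ($i = 0; $i -lt $Legs.Count; $i++) {
    Set-NetworkAdapter -NetworkAdapter $isaNics[$i] -NetworkName $Legs[$i].PortGroup -Confirm:$false | Out-Null
}
foreach ($web in Get-VM -Name 'DMZWEB*') {
    $web | Get-NetworkAdapter | Set-NetworkAdapter -NetworkName 'DMZ' -Confirm:$false | Out-Null
}
```

Two design points. First, every leg is given a physical uplink here on purpose: a vSwitch with no uplink is local to the one host it lives on, so a DMZ web VM running on a different node than the ISA VM would have no path to the firewall at all unless the DMZ vSwitch on both nodes reaches the same physical DMZ switch. Second, the consistency check in step 2 is the part to keep running after adding a node or re-cabling, because vMotion and HA only work as Roman_Romano describes if every node presents the same port group names and each leg's switch carries only its own uplink.
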
divine_kane
Enthusiast

O_o, that's great, many thanks for answering my question, that is somewhat clear. But do you need to have a vSwitch set up on each of the ESX nodes, or is this configured via the VC machine, for example if you want several DMZ VMs running on different ESX nodes but connecting to the same vSwitch?

Sorry if these questions are kinda basic, but I haven't had much experience when it comes to the networking within ESX.

Kane

If you found my post helpful, please mark it as 'helpful' or 'correct'
divine_kane
Enthusiast

Hi

Can anybody help with this?

Kane

If you found my post helpful, please mark it as 'helpful' or 'correct'
O_o
Enthusiast

I see I missed a question ... Sorry about that ... Been very busy ... I trust your questions probably are answered now ... If not, I'll try to answer them more quickly this time :-)
