VMware Cloud Community
Fuwmanchew

VM isolation but still keep them manageable

I'm working on a project where I'm going to have about 10-20 VMs all on the same server, but I don't want them to be accessible to each other. I don't want there to be any way of browsing other VMs on the network unless the VM user wants to be accessible to another. I would also like the ability to push out software to all of them and still manage them via Active Directory or something using group policy and the like. Is this at all possible? How would you go about doing this? I'm going to do testing with the free version of VMware Server. Any suggestions? Thanks in advance!


Accepted Solutions
mcowger

I don't know if Server can do this, but you are going to want to have an individual port group for each VM.

--Matt VCDX #52 blog.cowger.us

Rodos

VLANs are going to give you a lot of what you want, but as mentioned I am not sure you can use them in Server. Why not try an evaluation version of ESX? You have 30 days to test.

The VMware Virtual Networking Concepts paper will give you some background on the types of things you can do with networks in VMware.

Rodos
Consider the use of the helpful or correct buttons to award points. Blog: http://rodos.haywood.org/

Fuwmanchew

I was going to try to keep my expenses as low as possible by using the free version but I may need to go with a version of ESX. Thanks!

BenConrad

"I'm working on a project where I'm going to have about 10-20 VMs all on the same server but I don't want them to be accessible to each other"

Set up 20 port groups on your vSwitch.

"I don't want there to be any way of browsing other VMs on the network unless the VM user wants to be accessible to another"

You are probably going to need to either go through a router with strict ACLs or maybe go through a firewall that supports VLAN tagging for your 20 VLANs.

"I would also like the ability to push out software to all of them and still manage them via Active Directory or something using group policy and the like"

This should work if you are using the firewall with VLAN tagging.

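The layout suggested in the reply above (one VLAN-tagged port group per VM, with a router or firewall ACL between them) can be modelled and audited before it is deployed. The sketch below is an added example and not part of any poster's reply; the VLAN IDs 101-120, the management VLAN 10 that holds the AD server, the 10.20.n.0/24 addressing plan and all function names are assumptions made for illustration.

```python
import ipaddress
from itertools import permutations

# Constructed addressing plan (assumption): VLAN n uses 10.20.n.0/24.
def subnet(vlan_id):
    return ipaddress.ip_network(f"10.20.{vlan_id}.0/24")

def build_acl(vm_vlans, mgmt_vlan, opt_in=()):
    """Return ordered (action, src_net, dst_net) rules; first match wins."""
    rules = []
    mgmt = subnet(mgmt_vlan)
    for vlan in vm_vlans:
        # Each VM VLAN may talk to the management VLAN (AD, software push) and back.
        rules.append(("permit", subnet(vlan), mgmt))
        rules.append(("permit", mgmt, subnet(vlan)))
    for a, b in opt_in:
        # Exception for owners who chose to be reachable by each other.
        rules.append(("permit", subnet(a), subnet(b)))
        rules.append(("permit", subnet(b), subnet(a)))
    # Explicit default deny for everything else routed between VLANs.
    any_net = ipaddress.ip_network("0.0.0.0/0")
    rules.append(("deny", any_net, any_net))
    return rules

def allowed(acl, src_ip, dst_ip):
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net in acl:
        if src in src_net and dst in dst_net:
            return action == "permit"
    return False  # no rule matched: fail closed

def reachable_pairs(acl, vm_vlans):
    """List ordered VM-VLAN pairs the ACL lets through (should be opt-ins only)."""
    host = lambda v: str(subnet(v)[10])  # sample host .10 in each VLAN
    return [(a, b) for a, b in permutations(vm_vlans, 2)
            if allowed(acl, host(a), host(b))]

if __name__ == "__main__":
    vms = list(range(101, 121))            # 20 VM VLANs, one per port group
    acl = build_acl(vms, mgmt_vlan=10, opt_in=[(101, 102)])
    print(reachable_pairs(acl, vms))       # only the opted-in pair, both directions
    print(allowed(acl, "10.20.103.10", "10.20.10.5"))  # VM to AD server
```

The model is stateless and covers only routed traffic between VLANs; it assumes each port group carries exactly one VM, so there is no same-VLAN traffic to filter.
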
kalex

If VLANs are going to be used, then network traffic for each VM would be isolated and you would need an AD server on each network segment. If all of your VMs are on the same domain, belonging to the same Active Directory, and all you want to do is prevent access to the VMs, then you can control this through permissions on each VM. You will have to heavily lock down the security of each VM. Then if user A needs access to user B's VM, you will be able to add the domain account of that user to the VM that he needs access to.

Basically, you will need to control the local security of each VM using the domain accounts of your users and other VMs. By using GPO you can secure it even more strongly by removing things such as the Run command, registry access, My Network Neighborhood, etc. At the place I used to work before, I had this done in order to have multiple customers access the same Terminal Server while being completely isolated and not even aware of each other. This was done on the one server.

Hope this helps.

alex
