Gezmonder
Enthusiast
Enthusiast

EUC Access Point IP Addressing

Jump to solution

Hello,

We have an Access Point 2.8 going into a small DMZ with a single flat 192 network publishing out Horizon 6.2. Using the two IP option seemed like a sensible approach and I have one IP with the rules open to reach the back end servers and another hosting a NAT from the internet facing firewall. However, the documentation states:

"With two network interfaces, external traffic is on one subnet, and internal and management traffic are on another subnet."

Now we obviously we only have one subnet and as a result I have not configured any additional routes during on the access point deployment.

Is a two IP configuration supported on a single subnet? I agree it has somewhat limited advantages but is slightly more secure than using a single IP.

Thanks.

Labels (1)
1 Solution

Accepted Solutions
markbenson
VMware Employee
VMware Employee

There are some security advantages in using multiple NICs but we fully support onenic, twonic and threenic options so no issue there for support in a production environment.

The only issue with multiple NICs is when a deployment uses that to bypass the inner firewall. e.g. have the Internet facing NIC in the DMZ and the backend NIC in the corporate network so that traffic going through Access Point bypasses the firewall. In that scenario, I too would argue that it is less secure. The security improvement of multiple NICs is acheived when deployed as shown in DMZ Design for VMware Access Point and the use of Multiple NICs where in all three cases, the inner firewall is still required.

Anyway, glad you're up and running and this is answered.

View solution in original post

0 Kudos
3 Replies
markbenson
VMware Employee
VMware Employee

You're right. There is no advantage with two NICs on one subnet. You probably need just one. People generally have two NICs when they have two separate networks in their DMZ.

There is some more information here - DMZ Design for VMware Access Point and the use of Multiple NICs

Hope this helps.

Mark

Gezmonder
Enthusiast
Enthusiast

It does work okay using the layout I described but I've dropped it down to a single NIC. My concern was that the documentation and templates keep harping on about single NICs being for PoCs which suggests that VMware won't support it in a production environment - If they do then that's fine.

Some members of the community are also arguing that using multiple NICs is less secure than using a Single NIC, I can see their point.

0 Kudos
markbenson
VMware Employee
VMware Employee

There are some security advantages in using multiple NICs but we fully support onenic, twonic and threenic options so no issue there for support in a production environment.

The only issue with multiple NICs is when a deployment uses that to bypass the inner firewall. e.g. have the Internet facing NIC in the DMZ and the backend NIC in the corporate network so that traffic going through Access Point bypasses the firewall. In that scenario, I too would argue that it is less secure. The security improvement of multiple NICs is acheived when deployed as shown in DMZ Design for VMware Access Point and the use of Multiple NICs where in all three cases, the inner firewall is still required.

Anyway, glad you're up and running and this is answered.

View solution in original post

0 Kudos