VMware Cloud Community
sdaniely
Contributor

What ports to open between ESX host and VC

I had to place an ESX host server in my DMZ. My license Server is still on my Inside LAN. What ports do I need to open between the two machines to allow complete communication between the ESX host and the VC?

I am running ESX 3.5 & VC 2.5.

Thanks - Sean


Accepted Solutions
Jasemccarty
Immortal

Sean,

Your Service Console IP shouldn't have to reside in the DMZ. Only the guests that need to be in the DMZ would be connected in the DMZ.

Jase McCarty

http://www.jasemccarty.com

Co-Author of VMware ESX Essentials in the Virtual Data Center

(ISBN:1420070274) from Auerbach

Jase McCarty - @jasemccarty

10 Replies
sdaniely
Contributor

How do I assign an internal IP for the console and a DMZ IP's to my guests?

Thanks! Sean

TomHowarth
Leadership

The architecture of ESX is such that your Service Console should not be in a DMZ. By the use of extra NICs and virtual switches you can create separation of the networks, thus enabling you to place your guests in the DMZ and keep your high-risk Service Console inside your internal safe network.

Tom Howarth

VMware Communities User Moderator

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
sdaniely
Contributor

I understand. How do I configure this then?

Currently I have one NIC (of 2 physical NICS) configured. I have Virtual Switch vSwitch0 attached to physical Adapter vmnic0. To that I have my VM Port Group and Service Console Port attached, all within the 172.x.x.x (DMZ) IP. What do I need to add/configure under Add Networking????

Thanks all.

TomHowarth
Leadership

You would need to have multiple NIC cards in your host to do it in a secure manner.

Therefore you would do something along the lines of this.

VLAN Tag | vmnic number | vSwitch  | Network ID
---------|--------------|----------|----------------
1        | vmnic0       | vSwitch0 | Service Console
3        | vmnic1       | vSwitch1 | VMnetwork
3        | vmnic3       | vSwitch1 | VMnetwork
2        | vmnic2       | vSwitch2 | vMotion

The above table shows NIC 0 on VLAN 1; this NIC would be connected to a switch in your internal LAN. NIC 2 will be connected to its own physical switch, which would isolate the vMotion traffic. Then the final VLAN 3 will be connected to a switch attached to your DMZ.

See the attached JPEG for a better idea of what I am getting at.

Tom Howarth
Jasemccarty
Immortal

If you are using 2 nics (teamed), the only way to do this, would be to setup your switch with trunked ports, and enable VLAN tagging (VST, or Virtual Switch Tagging).

You would then assign the Service Console a VLAN ID of a VLAN not in your DMZ, and the virtual switches to a VLAN ID in your DMZ.

If you can't use trunked ports on your switches, and don't have any additional nics, then you'll have to leave it as is. Unfortunately that isn't very secure.

I don't recall off the top of my head, but you should only need port 902, and possibly port 905 in between your DMZ and your internal lan.

Jase McCarty
TomHowarth
Leadership

Jase

You are correct as to the ports required; however, in this situation, even with only 2 NICs, I personally would create 2 vSwitches, one for each NIC: one holding the Service Console and vmkernel (these could be VLAN tagged, allowing traffic separation of the SC and vMotion traffic) and the other switch attached to a pNIC in the DMZ. I would rather have less throughput and resilience than risk a compromise by sloppy configuration.

Tom Howarth
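The three layouts discussed in this thread (Sean's single vSwitch carrying both the Service Console and the DMZ guests, Tom's one-vSwitch-per-role table, and Jase's two-NIC trunk with Virtual Switch Tagging) differ in whether the Service Console ever shares a Layer 2 segment with DMZ traffic. The checker below is an added example written for this thread; it is not VMware code and does not talk to an ESX host. It models vSwitches, uplinks and port groups as plain data, flags the configurations the posters call insecure (Service Console in the DMZ, or on the same vSwitch and VLAN as a DMZ port group, or a vmnic claimed by two vSwitches) and separately reports whether the separation depends on 802.1Q tagging and a correctly trunked physical switch, which is the trade-off Tom raises. The VLAN IDs 10 and 30 in the VST layout are constructed for the example; the others follow Tom's table.

```python
"""Check an ESX 3.x-style virtual network layout for Service Console / DMZ separation.

Added illustration for this thread, not VMware's code. Layouts are modelled as
plain data; nothing here queries a real host.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

SC_NAME = "Service Console"


@dataclass
class PortGroup:
    name: str
    vlan: int    # 802.1Q tag on the port group; 0 means untagged
    dmz: bool    # True if this port group carries DMZ traffic


@dataclass
class VSwitch:
    name: str
    uplinks: List[str]                                  # physical NICs, e.g. ["vmnic0"]
    portgroups: List[PortGroup] = field(default_factory=list)


def _find_sc(layout: List[VSwitch]) -> Optional[VSwitch]:
    """Return the vSwitch that hosts the Service Console port group, if any."""
    for sw in layout:
        if any(pg.name == SC_NAME for pg in sw.portgroups):
            return sw
    return None


def separation_issues(layout: List[VSwitch]) -> List[str]:
    """Return human-readable findings; an empty list means the Service Console
    never shares a Layer 2 segment with DMZ traffic in this layout."""
    issues: List[str] = []
    seen_uplinks: Dict[str, str] = {}

    # A physical NIC can belong to only one vSwitch; a duplicate is a config error.
    for sw in layout:
        for nic in sw.uplinks:
            if nic in seen_uplinks:
                issues.append(f"{nic} is claimed by both {seen_uplinks[nic]} and {sw.name}")
            seen_uplinks[nic] = sw.name

    sc_switch = _find_sc(layout)
    if sc_switch is None:
        issues.append("no Service Console port group found")
        return issues
    sc = next(pg for pg in sc_switch.portgroups if pg.name == SC_NAME)

    if sc.dmz:
        issues.append(f"{sc_switch.name}: the Service Console itself sits in the DMZ")

    # Same vSwitch *and* same VLAN id means the SC and the DMZ guests are one
    # broadcast domain; different VLAN ids on one vSwitch is the VST case.
    for pg in sc_switch.portgroups:
        if pg is sc or not pg.dmz:
            continue
        if pg.vlan == sc.vlan:
            issues.append(
                f"{sc_switch.name}: DMZ port group '{pg.name}' shares VLAN {pg.vlan} "
                f"with the Service Console"
            )
    return issues


def relies_on_vlan_tagging(layout: List[VSwitch]) -> bool:
    """True when SC/DMZ separation exists only because of 802.1Q tags on a shared
    vSwitch, i.e. it depends on the physical switch's trunk configuration."""
    sc_switch = _find_sc(layout)
    if sc_switch is None:
        return False
    return any(pg.dmz and pg.name != SC_NAME for pg in sc_switch.portgroups)


# Sean's starting point: one NIC, one vSwitch, SC and guests all on the DMZ network.
SEAN_CURRENT = [
    VSwitch("vSwitch0", ["vmnic0"], [
        PortGroup(SC_NAME, vlan=0, dmz=True),
        PortGroup("VM Network", vlan=0, dmz=True),
    ]),
]

# Tom's table: a vSwitch per role, DMZ guests on their own uplinks.
TOM_TABLE = [
    VSwitch("vSwitch0", ["vmnic0"], [PortGroup(SC_NAME, vlan=1, dmz=False)]),
    VSwitch("vSwitch1", ["vmnic1", "vmnic3"], [PortGroup("VMnetwork", vlan=3, dmz=True)]),
    VSwitch("vSwitch2", ["vmnic2"], [PortGroup("vMotion", vlan=2, dmz=False)]),
]

# Jase's VST option: two teamed NICs on trunk ports; VLAN ids 10/30 are constructed.
JASE_VST = [
    VSwitch("vSwitch0", ["vmnic0", "vmnic1"], [
        PortGroup(SC_NAME, vlan=10, dmz=False),
        PortGroup("DMZ Network", vlan=30, dmz=True),
    ]),
]

if __name__ == "__main__":
    for label, layout in (("Sean", SEAN_CURRENT), ("Tom", TOM_TABLE), ("Jase", JASE_VST)):
        print(label, separation_issues(layout) or "OK",
              "(depends on trunk/VLAN config)" if relies_on_vlan_tagging(layout) else "")
```

Running the block reports two findings for Sean's layout, none for Tom's, and none for Jase's but with the note that its safety depends on the trunk and VLAN configuration of the upstream switch, which is exactly the objection Tom makes to it.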
Jasemccarty
Immortal

Tom, as usual, I would have to agree with you.

I was only speaking from a theory standpoint.

Jase McCarty
mike_laspina
Champion

Hi,

The security points have been made, so we can go to the ports. You only need 443, 22 and 902 for the VC and ESX host connections (22 for SSH from your PC).

Dual port cards are not expensive and go a long way for what you are doing.

http://blog.laspina.ca/ vExpert 2009
sdaniely
Contributor

Thank you all for your responses. I attached my 2nd NIC to my inside LAN and moved the Service Console to that.

Thanks again - Sean
