We are looking for how to secure access in the DMZ with VI3 for external companies we integrate into our environment. We plan to use HA as well. The AAMClient uses incoming AND outgoing ports (for TCP AND UDP) from 2050 to 5000. Is there a way to reduce the number of ports?
There are different ways which should work.
1.) Create a second COS within the DMZ and lock everything out except 902 and 903 for the VI Client.
2.) Allow only ESX-nnn and VC access to each other and to well-defined IPs.
For example, in this thread we closed SSH on a secondary COS port.
PS: Award points if you find answers helpful. Thanks.
Are you putting the ESX hosts into the DMZ, or do you simply have VMs which need to reside in a DMZ network (VLAN)?
You can VLAN the DMZ in through your physical production NICs, and the HA traffic does not need to flow anywhere near your DMZ or firewalls.
Consider awarding points if this is of use.
We want to put the Service Console ports into a secured management area (DMZ 1) near the VC server. The host should serve different VMs in various DMZs (DMZ 2 to DMZ xx).