Hi Guys
We are going to virtualise our Websense server. I have done some research, but so far I am not 100% sure how I would go about this.
I have done a drawing (not so good) for you guys to have a look at. This is the PHYSICAL setup.
I would like you to guide me to the virtual setup.
As you know, in the virtual world we will have two NICs on the Websense server (as shown in the pic), allocated to a vSwitch, which in turn will have an allocated physical NIC (what NIC would this be from the drawing?).
Also in the virtual world (we have two HP ProCurve switches) on which we have our LAN, iSCSI and VMotion networks defined.
Will I have to bring my network interfaces directly from the Cisco routers (directly plugging into the ESX),
or will I have to unplug these interfaces from the Websense servers and plug them into the HP ProCurve switch (the one used for the virtual world)?
My concern is that all the monitor (source and destination port) configuration is on the Cisco switch (to which our Websense is directly connected),
so if I virtualise, I will have two layers added in between: (1) the vSwitch and (2) the HP ProCurve switches.
I hope this has made sense; if not, please ask me and I will try to explain.
BUT please help me, as I am stuck. I am sure there are people who have done this before.
Please, your expert advice is needed.
Regards
Rucky
Hello,
Consider your vSwitch + VM to in effect replace your Websense server, so you have connections to the Cisco switches. You would trunk from the Cisco through the HP ProCurves to your vSwitch portgroup on which this VM resides.
Remember your VM should not be able to see your Service Console, Management tools, IP Storage, or VMotion networks.
Best regards,
Edward L. Haletky, VMware Communities User Moderator, VMware vExpert 2009, Virtualization Practice Analyst
Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment'
Also available: 'VMware ESX Server in the Enterprise'
Hi Tex
This has now been resolved. I did not trunk the HP switch port - I just ran the cable straight from my Cisco 3750 (trunk port) to ESX.
Then I allocated the first NIC to the Websense portgroup (which is hanging off the virtual switch to which the trunk port connects).
Then I put the portgroup and vSwitch in promiscuous mode and whooooooooo....Voila.....(starts filtering)...
The other thing I had to do was assign my second vNIC to my other (production) network so that I can send block page info etc. (communication, management).
But yes, that is resolved.
Thanks, it took some time but it is finally done.
Our Websense is standalone (FYI)
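An added example (not code from any poster in this thread): a small audit over a constructed inventory that models the setup described above. It flags promiscuous mode in effect anywhere other than the monitoring port group, and any exposure of the Websense VM to the Service Console, management, IP storage or VMotion networks. The inventory format and all port group, vSwitch and VM names are assumptions; the point it relies on is that a vSwitch-level promiscuous setting is inherited by every port group that does not override it.

```python
# Added example: models the layout from this thread as plain data.
# The inventory format and all names are hypothetical, not a VMware API.
RESTRICTED = {"service_console", "management", "ip_storage", "vmotion"}

# Constructed sample. promiscuous=None on a port group means "inherit from vSwitch".
INVENTORY = {
    "vswitches": {
        "vSwitch0": {"promiscuous": False},
        "vSwitch2": {"promiscuous": True},  # uplink cabled to the Cisco monitor port
    },
    "portgroups": {
        "Service Console": {"vswitch": "vSwitch0", "role": "service_console", "promiscuous": None},
        "Production": {"vswitch": "vSwitch0", "role": "vm", "promiscuous": None},
        "websense": {"vswitch": "vSwitch2", "role": "monitor", "promiscuous": True},
        "Test": {"vswitch": "vSwitch2", "role": "vm", "promiscuous": None},
    },
    "vms": {"websense-vm": ["websense", "Production"]},
}


def effective_promiscuous(inv, pg_name):
    """A port group's own setting wins; otherwise the vSwitch setting applies."""
    pg = inv["portgroups"][pg_name]
    if pg["promiscuous"] is not None:
        return pg["promiscuous"]
    return inv["vswitches"][pg["vswitch"]]["promiscuous"]


def audit(inv, monitor_pg, monitor_vm):
    """Return sorted (finding, port_group) pairs for the monitoring setup."""
    findings = set()
    monitor_vswitch = inv["portgroups"][monitor_pg]["vswitch"]
    for name, pg in inv["portgroups"].items():
        # Promiscuous mode should be in effect only on the monitor port group.
        if name != monitor_pg and effective_promiscuous(inv, name):
            findings.add(("promiscuous-outside-monitor", name))
        # Restricted networks should not share the sniffing vSwitch.
        if pg["vswitch"] == monitor_vswitch and pg["role"] in RESTRICTED:
            findings.add(("restricted-net-on-monitor-vswitch", name))
    for name in inv["vms"][monitor_vm]:
        # The monitoring VM must not have a vNIC on a restricted network.
        if inv["portgroups"][name]["role"] in RESTRICTED:
            findings.add(("monitor-vm-on-restricted-net", name))
    return sorted(findings)


if __name__ == "__main__":
    for finding, pg in audit(INVENTORY, "websense", "websense-vm"):
        print(f"{finding}: {pg}")
```

In the sample, the "Test" port group inherits promiscuous mode from the vSwitch; setting promiscuous mode only on the monitoring port group clears the finding.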
Are you running in a clustered environment? If so, how do you keep the server on the ESX that has the NIC attached to the mirror port?
Thank you in advance
Mike
We are running in a clustered ESX environment, but we haven't got any redundancy for Websense at the moment, so I have only created the portgroup (websense) on one of our ESX servers (the network card which is attached to the mirror port is assigned to the websense portgroup), if that makes sense, so the Websense VM always stays on this ESX server. Obviously, if I have to turn this ESX off for maintenance we will lose Websense, but then Websense is not one of the critical applications; we can do with this being down for a few minutes to a few hours.
The plan is to add more network cards to the other ESX servers (3 of them) and then build redundancy, but I haven't researched how I will go about port mirroring in that. I don't know whether it is possible to have 4 mirror ports on one switch/router - maybe not - but I will have to look into it when I add more network cards to the other ESX servers.
Hope that explains and answers your question; if it's not clear, please ask again.
How do I keep the VM that is running Websense from migrating to another on its own? (HA, I believe.)
Mike
Have you talked to Websense?
For some reason Websense cannot run in a single VM. Been there, done that, not happening.