yawasare1969
Contributor

Windows RDC to virtual machines w/ non-routable IP addresses


Hello,

I need to be able to remote console from my Windows box into my virtual machines, which have non-routable IP addresses. These VMs are set up on a vswitch w/ no physical adapter; their gateway is a VM (Windows 2003 server), acting as a router, which has a connection to a vswitch that is attached to a physical adapter. This router-VM also acts as a DHCP & DNS server for the other VMs, providing their non-routable IPs. So the router-VM allows the other VMs access to the outside. We don't want to use VIC for various reasons. I did this before by putting the port number at the end of the non-routable IP in Remote Desktop Connection; I've just forgotten what I did on the back end in the router-VM. Thanks.

yaw


Accepted Solutions
Craig_Baltzer
Expert

A couple of ideas in addition to doing a static route on the workstations needing RDP access to the isolated VMs...

  1. If you just need to have 1 or 2 people connected to the "isolated" VMs at one time you could enable remote desktop on the "router VM". From your workstation you could RDP to the router VM, then from your session on the router VM RDP to the isolated VM you wanted to administer. Works OK for occasional use, however you may find the "double RDP" introduces some lag in the UI.

  2. On the router VM set up RRAS, set up a NAT/Basic Firewall, then use the NAT functionality (i.e. 'Reserve a public address' in RRAS terminology) to translate a "public" address into a "private" address. You can set up filters to determine which workstations are permitted to connect to the "isolated" VMs via RDP. You then RDP to the "public" address you've defined, which RRAS NATs to the private IP address and makes the connection.

pomiwi
Enthusiast

That's a pretty 'open answered' question :) RDP advertises by default on port 3389, so... you would need to be able to RDP from your workstation through to the VM on port 3389 or change the port and RDP using ip address:xxxx.

How you get there has various solutions... maybe put a static route on your workstation/gateway that routes packets destined for the VMs through to your VM router, then have the router route them locally, ensuring you have routes back to the workstation in the VMs or in their gateway (VM router)... Or if the VM router is running some sort of firewall (ISA?) then you could publish a port and redirect, i.e. you RDP to the ISA server on port 9999 and it forwards this through to internal VMs on port 3389?

In summary the answer will not be VM/ESX specific, normal networking rules will apply.

Cheers
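
The static route and the port redirect suggested in the replies, together with the source filtering mentioned in the accepted solution, written out as an added example that is not from any poster in this thread. It assumes a router VM running Windows Server 2008 or later (for `netsh advfirewall`) with a default-deny inbound firewall policy, and uses `netsh interface portproxy` in place of ISA or RRAS NAT; every address is constructed for illustration.

```powershell
# Constructed addresses (assumptions, not taken from the thread):
#   192.168.100.0/24  isolated vSwitch network handed out by the router VM
#   192.168.100.21    one isolated VM with Remote Desktop enabled
#   10.0.0.5          router VM's address on the routable network
#   10.0.0.20         the one workstation that should be allowed in

# --- Option A: static route (run on the workstation, elevated) ---
# Send traffic for the isolated network to the router VM; -p keeps the
# route across reboots. The isolated VMs already use the router VM as
# their default gateway, so replies come back the same way.
route -p add 192.168.100.0 mask 255.255.255.0 10.0.0.5
route print 192.168.100.*          # confirm the route is installed
mstsc /v:192.168.100.21            # RDP straight to the private address

# --- Option B: port redirect (run on the router VM, elevated) ---
# Listen on 10.0.0.5:9999 and relay each connection to the VM's RDP port.
netsh interface portproxy add v4tov4 `
    listenaddress=10.0.0.5 listenport=9999 `
    connectaddress=192.168.100.21 connectport=3389

# Allow the forwarded port only from the named workstation. With the
# default inbound policy set to block, every other source is refused.
netsh advfirewall firewall add rule name="RDP forward to 192.168.100.21" `
    dir=in action=allow protocol=TCP localport=9999 remoteip=10.0.0.20

# Review what is being forwarded and which rule covers it.
netsh interface portproxy show all
netsh advfirewall firewall show rule name="RDP forward to 192.168.100.21"

# From the workstation: address:port, as described in the question.
mstsc /v:10.0.0.5:9999

# --- Removing the redirect when it is no longer needed ---
netsh interface portproxy delete v4tov4 listenaddress=10.0.0.5 listenport=9999
netsh advfirewall firewall delete rule name="RDP forward to 192.168.100.21"
```

Each additional isolated VM needs its own listen port and its own firewall rule, so the `show all` output doubles as the inventory of what is reachable from the routable network.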

TomHowarth
Leadership

Of the two already posted I would favour option 2 of the second post.

You do not state, however, if the access is internal or external to your site. But as already mentioned this is not really a VMware issue, but a networking one; normal networking rules and security apply.

If you found this or any other answer useful please consider the use of the Helpful or correct buttons to award points

Tom Howarth VCP / VCAP / vExpert
VMware Communities User Moderator
Blog: http://www.planetvm.net
Contributing author on VMware vSphere and Virtual Infrastructure Security: Securing ESX and the Virtual Environment
Contributing author on VCP VMware Certified Professional on VSphere 4 Study Guide: Exam VCP-410
ChrisDearden
Expert

Port Address Translation or be very clever and build a Windows 2k8 machine in TS Gateway mode.

If this post has been useful , please consider awarding points. @chrisdearden http://jfvi.co.uk http://vsoup.net
yawasare1969
Contributor

Thanks to all, you've relit the lightbulb in my head. :) I now remember how I did it before. I'll have to investigate the W2K8 solution; that may prove to be better.

yawasare1969
Contributor

Hi Tom,

To answer your question, it's internal access, so it's not a big security concern for us. A bunch of QA engineers need access to VMs we're setting up and we're trying to mask that they won't be using physical machines in certain instances. If we had them use VIC obviously they'd know.

yaw
