VMware Cloud Community
chrisb101
Contributor

VMware WebServer Deployment

I'm new to virtualization but I currently use VMware ESXi for building virtual servers. The ESXi server currently resides on the internal network behind a firewall and currently only hosts internal servers. However, I would now like to build a new webserver for an external-facing website. What is the best way to do this using ESXi? Obviously I don't want the web server to be able to see the internal network, to ensure it stays secure. Is there any way of doing this on an ESXi box that hosts internal boxes?

Many Thanks

vmroyale
Immortal

Hello and welcome to the forums.

It can be done, with careful switch planning. Check out the DMZ Virtualization with VMware Infrastructure Best Practices Guide for much more information.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
chrisb101
Contributor

Thanks very much for the pointer. As we only have 1 ESXi server on the production LAN, I'm wondering if it would be better to place another ESXi server within the DMZ on another physical box, this way keeping them physically separate. Has anybody come across any security concerns when hosting an ESXi server in a DMZ for a webserver before, or is this not recommended?

Thanks

vmroyale
Immortal

The decision to add an additional ESXi server would simplify your setups, but it also adds operational complexities. There are now two ESXi servers to deal with. The question may ultimately be whether or not it is easier for you to maintain two installs or to use the one internal with the appropriate security measures in place. Physical separation is always nice, but is it worth it for one host running one guest? Like so many things with virtualization, the best approach depends on a variety of factors. A great read for either approach you take is the Security Hardening Best Practices.

Good Luck!

Brian Atkinson | vExpert | VMTN Moderator | Author of "VCP5-DCV VMware Certified Professional-Data Center Virtualization on vSphere 5.5 Study Guide: VCP-550" | @vmroyale | http://vmroyale.com
khughes
Virtuoso

We run a couple of servers in our DMZ on ESX hosts alongside internal servers. For the best security and complete separation, you could put a dedicated DMZ host out there, but then again, if you're only going to have 1 server, why not just make it a physical box?

The way we lock down our DMZ and internal network to keep them separate is to have dedicated pNICs for internal and DMZ. So pNIC 1/2 deal with only the internal network and are connected to the production network vswitch, and then pNIC 3/4 are direct access to the DMZ and connected to the DMZ vswitch. So internal / DMZ traffic isn't flowing on the same pNICs, which adds some security. That's just how we run it, but that article gives a lot of good best practices.

-Kyle

-- Kyle "RParker wrote: I guess I was wrong, everything CAN be virtualized"
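An added example, not part of the thread and not VMware's or any poster's code: a Python check for the layout khughes describes, where DMZ and internal port groups sit on separate vSwitches with their own pNICs. It reads text in the layout of `esxcli network vswitch standard list`; the sample output is constructed, and the rule that DMZ port groups are named with a `DMZ` prefix is an assumption.

```python
import re

# Constructed sample in the layout printed by `esxcli network vswitch standard list`,
# trimmed to the fields used here. All switch, NIC and port group names are made up.
SAMPLE = """\
vSwitch0
   Name: vSwitch0
   Uplinks: vmnic1, vmnic0
   Portgroups: VM Network, Management Network
vSwitch1
   Name: vSwitch1
   Uplinks: vmnic3, vmnic2
   Portgroups: DMZ-Web
vSwitch2
   Name: vSwitch2
   Uplinks: vmnic4
   Portgroups: DMZ-Test, Backup
"""

def parse_vswitches(text):
    """Map each vSwitch name to its uplink pNICs and port groups."""
    switches, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s+(Name|Uplinks|Portgroups):\s*(.*)$", line)
        if not m:
            continue
        key, value = m.groups()
        if key == "Name":
            current = switches.setdefault(value.strip(), {"uplinks": [], "portgroups": []})
        elif current is not None:
            current[key.lower()] = [v.strip() for v in value.split(",") if v.strip()]
    return switches

def is_dmz(portgroup):
    """Assumed naming convention: DMZ port groups start with 'DMZ'."""
    return portgroup.upper().startswith("DMZ")

def audit(text):
    """Return (mixed vSwitch names, pNICs that carry both DMZ and internal traffic)."""
    mixed, dmz_nics, internal_nics = [], set(), set()
    for name, sw in parse_vswitches(text).items():
        zones = {is_dmz(pg) for pg in sw["portgroups"]}
        if True in zones:
            dmz_nics.update(sw["uplinks"])
        if False in zones:
            internal_nics.update(sw["uplinks"])
        if len(zones) == 2:
            mixed.append(name)
    return sorted(mixed), sorted(dmz_nics & internal_nics)

if __name__ == "__main__":
    mixed, shared = audit(SAMPLE)
    print("vSwitches mixing zones:", mixed)
    print("pNICs carrying both zones:", shared)
```

In the constructed sample, `vSwitch2` is the misconfiguration: a DMZ port group and an internal one share the same vSwitch, so both zones ride on `vmnic4`.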