I have a design question related to deploying vCD and vSM.

I understand that the Console Proxy connection facilitates connections to VM consoles. And that the http connection facilitates client connections in to vCD.

How should I configure the design of vCD and vSM if all my ESXi servers' service consoles are on an isolated management vLAN?

How should vShield Manager network connection be configured in this instance? Another dedicated vLAN?

Should the http connection for vCD be on the internal (public) network? And the console proxy be on the management vLAN shared with ESXi service consoles? Or does the console proxy only need to connect to the vCenter Server directly and can also reside on the internal (public) network?

How should the vShield Manager be connected to vCD considering that the documentation recommends that the vSMgmt network be seperate from the service console and vmkernel networks? How will it connect to the vCD if vSM's only network connection is over a dedicated vSMgmt network?

I'm assuming that the vShield Apps on each ESXi server will connect to the vSM server over this vLAN.

Am I missing something?

-Ed