I cloned a production VM for some testing, thus I do not want to connect it to our production network to avoid IP conflict etc. In this situation, how do I transfer files between my PC and this cloned VM?
The VMtools has a shared folder but it appears not to work in ESX or ESXi. The only method I can think of, at least for transferring files into this VM, is to convert the folder into an ISO on my PC so that I can connect it as a virtual disc drive in the VM. Are there any better methods to do this?
Hello,
There are several methods to go forward and keep a VM 100% isolated....
1) Make a new VMDK attached to the source VM using hotadd. Place the data to transfer on this new VMDK. Unmount the VMDK and remove it from the source VM (hotremove or power down, modify the config, and boot up). Once unmounted/not part of source VMDK, attach the VMDK to the target VM and transfer files
2) Use the ISO/FLP method suggested.
Either method could possibly transfer viruses, etc. Not sure why you want isolation but do consider this possibility, if the source files are infected then the target will be infected as well.
3) Transfer the data over serial port connections. You can make one VM the endpoint for another VM when configuring serial port devices.
4) Mount a USB device into the source VM. Transfer the files. Unmount and mount the USB device to the target VM.
5) Place the target VM on a private vSwitch (no pNIC connections). Create a router/firewall VM and place it on the private vSwitch AND your normal network. Transfer the files through this firewall appliance to the target VM. Ensure that the firewall is set up to NOT allow anything but the selected protocol to go through. Suggested protocol is ONLY SCP, not CIFS, not FTP, etc.... scp is the safest to use.
The last one will require that you trust your virtual firewall and that it is configured such that anything on the private vSwitch cannot communicate with the outside world and that only the one file transfer protocol is allowed. (or you can also allow RDP/VNC as required).
Lots of ways to achieve this solution, but they all depend on HOW isolated you want things to be.
Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010
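An added example (not part of the original post) for checking option 5 above: it audits the FORWARD chain of the router/firewall VM and reports anything other than SCP/SSH crossing from the production side to the private vSwitch. It assumes the firewall VM is a Linux guest filtering with iptables, that `eth0` faces production and `eth1` faces the private vSwitch, and the rulesets shown are constructed samples.

```python
import shlex

# Constructed sample: iptables-save output from the router/firewall VM.
# Assumed interface names: eth0 = production network, eth1 = private vSwitch.
GOOD_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
"""

# Constructed sample with two mistakes: CIFS allowed in, and the isolated
# side allowed to open connections toward production.
BAD_RULES = GOOD_RULES.replace(
    "COMMIT",
    "-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --dport 445 -j ACCEPT\n"
    "-A FORWARD -i eth1 -o eth0 -j ACCEPT\nCOMMIT",
)

def audit_forward(ruleset, prod_if="eth0", iso_if="eth1", port="22"):
    """Return a list of findings; an empty list means only SCP/SSH may cross."""
    findings, policy_seen = [], False
    for line in ruleset.splitlines():
        if line.startswith(":FORWARD"):
            policy_seen = True
            if line.split()[1] != "DROP":
                findings.append("FORWARD default policy is not DROP")
        if not line.startswith("-A FORWARD"):
            continue
        tok = shlex.split(line)
        if "-j" not in tok or tok[tok.index("-j") + 1] != "ACCEPT":
            continue
        opt = lambda flag: tok[tok.index(flag) + 1] if flag in tok else None
        states = set(filter(None, (opt("--ctstate") or "").split(",")))
        if "!" not in tok and states and states <= {"RELATED", "ESTABLISHED"}:
            continue  # replies to sessions that an earlier rule admitted
        # Negated matches ("!") are never accepted automatically.
        scp_only = ("!" not in tok and opt("-i") == prod_if and opt("-o") == iso_if
                    and opt("-p") == "tcp" and opt("--dport") == port)
        if not scp_only:
            findings.append("unexpected ACCEPT: " + line)
    if not policy_seen:
        findings.append("no FORWARD policy line found")
    return findings

if __name__ == "__main__":
    for name, rules in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, audit_forward(rules) or "OK")
```

The audit covers forwarded traffic only; the INPUT chain, which governs access to the firewall VM itself, needs its own review.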
What about creating a secondary subnet with no gateway?
Do I have to amend my PC to the new subnet in order to access this VM too? If so, won't I lose connection to the ESXi server from my PC as a result?
Not sure if this would work, depending on the network config, VLANs etc.
What I would do is create a new VM with two NICs
then you create a new vSwitch called Internal and do not assign any physical NICs
On this new VM, connect 1 NIC on your production network (PC Network) and the other NIC to the Internal Network. Connect your Isolated VM to the Internal network as well.
Make sure the IPs are correct. It might sound like a lot of work but should take no longer than 30min
This way you will be able to RDP to this new VM from your PC, and copy anything to the isolated VM through the Internal vSwitch
Regards
If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct. Thank you.
What I've done is just create an ISO with something like ImgBurn with the files we want to get to our isolated VM, then mount that ISO to the VM.
Hi eeg3, this is what I am currently doing as mentioned above as well. But I find this troublesome. Why must vmware insist to use ISO just to share it into a VM? Why not just share a folder directly?
Hi PduPreez, adding a new NIC into the cloned VM is a good idea to avoid IP conflict, but it doesn't really solve the concern to isolate the VM in the first place as I do not want it to transmit or receive anything in the production network.
I do not want it to transmit or receive anything in the production network.
If you isolate the VM with an internal switch, it won't transmit any data on the production Network
See Picture of proposed config
This way you do not need to create an ISO every time you want to dump data.
Also if you clone another machine, you just add it to the Internal network. (You can run a whole isolated domain)
Regards
I see your point now. I have also marked your reply as helpful in appreciation of your effort.
But this does mean that I will have to provide additional resource such as using an extra switch or at least setting up a VLAN on existing switches to separate this isolated network from production network. Also, my PC will have to be physically removed from my production network and reconnected to this isolated network as well in order to be able to communicate with it, right?
Quite troublesome as well with the creation of ISO file. But at least I can transfer files out whereby ISO file is only capable of transferring files into the isolated VM.
But this does mean that I will have to provide additional resource such as using an extra switch or at least setting up a VLAN on existing switches to separate this isolated network from production network.
Creating an extra "Internal only" vSwitch is quick and takes very little resources. You do not need to specify any VLANs
You will only need an additional production IP for the new VM, on the isolated side you can use 192.168.x.x range
Also, my PC will have to be physically removed from my production network and reconnected to this isolated network as well in order to be able to communicate with it, right?
Not True.
You keep your PC exactly as it is and remote desktop (RDP) to the New VM through the production network.
Then from the New VM you can copy stuff to the cloned VM or you could make a remote desktop session to the cloned VM from the New VM (RDP is much faster than the VMClient console)
So basically the New VM is your gateway to the Isolated network. Just do not enable routing on the New VM (Default Disabled)
No other machine on the Production Network will be able to communicate with the clone except the New VM, and vice versa
I hope this clears it up
Regards
Hi PduPreez, how do you RDP to the isolated VM thru the production network when it's supposed to be isolated from the production network? Unless the router or some bridging is set up for this purpose?
Thanks Texiwill for the various alternatives. Mapping a VMDK is a good idea. USB is much more convenient but does not always work. I just wish the most convenient method of shared folder was supported in ESX just like it was with VM server and workstation.
Hi PduPreez, how do you RDP to the isolated VM thru the production network when it's supposed to be isolated from the production network? Unless the router or some bridging is set up for this purpose?
The "New VM" has 2 NICs, so it can see both the production network and the Isolated network, but won't route between them (unless specifically configured). From your PC you RDP to the "New VM", then from within this Remote Desktop session, you RDP to the Isolated VM.
Like I said, you could have a whole domain running on the Isolated network, and access all servers through the "New VM" this way
Hope that clears it up
Regards