crescendas
Enthusiast

How to share files to isolated VM?

I cloned a production VM for some testing, thus I do not want to connect it to our production network to avoid IP conflict etc. In this situation, how do I transfer files between my PC and this cloned VM?

The VMtools has a shared folder, but it appears not to work in ESX or ESXi. The only method I can think of, at least for transferring files into this VM, is to convert the folder into an ISO on my PC so that I can connect it as a virtual disc drive in the VM. Are there any other, better methods to do this?

1 Solution

Accepted Solutions
Texiwill
Leadership

Hello,

There are several methods to go forward and keep a VM 100% isolated....

1) Make a new VMDK attached to the source VM using hotadd. Place the data to transfer on this new VMDK. Unmount the VMDK and remove it from the source VM (hotremove or power down, modify the config, and boot up). Once unmounted/not part of source VMDK, attach the VMDK to the target VM and transfer files.

2) Use the ISO/FLP method suggested.

Either method could possibly transfer viruses, etc. Not sure why you want isolation, but do consider this possibility: if the source files are infected, then the target will be infected as well.

3) Transfer the data over serial port connections. You can make one VM the endpoint for another VM when configuring serial port devices.

4) Mount a USB device into the source VM. Transfer the files. Unmount and mount the USB device to the target VM.

5) Place the target VM on a private vSwitch (no pNIC connections). Create a router/firewall VM and place it on the private vSwitch AND your normal network. Transfer the files through this firewall appliance to the target VM. Ensure that the firewall is set up to NOT allow anything but the selected protocol to go through. Suggested protocol is ONLY SCP, not CIFS, not FTP, etc.... scp is the safest to use.

The last one will require that you trust your virtual firewall and that it is configured such that anything on the private vSwitch cannot communicate with the outside world and that only the one file transfer protocol is allowed. (or you can also allow RDP/VNC as required).

Lots of ways to achieve this solution, but they all depend on HOW isolated you want things to be.


Best regards,
Edward L. Haletky VMware Communities User Moderator, VMware vExpert 2009, 2010

Now Available: 'VMware vSphere(TM) and Virtual Infrastructure Security'

Also available 'VMware ESX Server in the Enterprise'

Blogging: The Virtualization Practice | Blue Gears | TechTarget | Network World

Podcast: Virtualization Security Round Table Podcast | Twitter: Texiwll

--
Edward L. Haletky
vExpert XIII: 2009-2021,
VMTN Community Moderator
vSphere Upgrade Saga: https://www.astroarch.com/blogs
GitHub Repo: https://github.com/Texiwill

0 Kudos
12 Replies
Bobdolemite
Contributor

What about creating a secondary subnet with no gateway?

0 Kudos
crescendas
Enthusiast

Do I have to amend my PC to the new subnet in order to access this VM too? If so, won't I lose connection to the ESXi server from my PC as a result?

0 Kudos
PduPreez
VMware Employee

Not sure if this would work, depending on the network config, VLANs, etc.

What I would do is create a new VM with two NICs.

Then you create a new vSwitch called Internal and do not assign any physical NICs.

On this new VM, connect 1 NIC on your production network (PC Network) and the other NIC to the Internal Network. Connect your isolated VM to the Internal network as well.

Make sure the IPs are correct. It might sound like a lot of work but should take no longer than 30 min.

This way you will be able to RDP to this new VM from your PC, and copy anything to the isolated VM through the Internal vSwitch

Regards

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct. Thank you.

0 Kudos
eeg3
Commander

What I've done is just create an ISO with something like ImgBurn with the files we want to get to our isolated VM, then mount that ISO to the VM.

Blog: http://blog.eeg3.net
crescendas
Enthusiast

Hi eeg3, this is what I am currently doing, as mentioned above. But I find this troublesome. Why must VMware insist on using an ISO just to share files into a VM? Why not just share a folder directly?

0 Kudos
crescendas
Enthusiast

Hi PduPreez, adding a new NIC into the cloned VM is a good idea to avoid IP conflict, but it doesn't really solve the concern to isolate the VM in the first place as I do not want it to transmit or receive anything in the production network.

0 Kudos
PduPreez
VMware Employee

> I do not want it to transmit or receive anything in the production network.

If you isolate the VM with an internal switch, it won't transmit any data on the production network.

See Picture of proposed config

This way you do not need to create an ISO every time you want to dump data.

Also if you clone another machine, you just add it to the Internal network. (You can run a whole isolated domain)

Regards

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct. Thank you.

crescendas
Enthusiast

I see your point now. I have also marked your reply as helpful in appreciation of your effort. :)

But this does mean that I will have to provide additional resources, such as using an extra switch or at least setting up a VLAN on existing switches to separate this isolated network from the production network. Also, my PC will have to be physically removed from my production network and reconnected to this isolated network as well in order to be able to communicate with it, right?

Quite troublesome as well, as with the creation of an ISO file. But at least I can transfer files out, whereas an ISO file is only capable of transferring files into the isolated VM.

0 Kudos
PduPreez
VMware Employee

> But this does mean that I will have to provide additional resources, such as using an extra switch or at least setting up a VLAN on existing switches to separate this isolated network from the production network.

Creating an extra "Internal only" vSwitch is quick and takes very few resources. You do not need to specify any VLANs.

You will only need an additional production IP for the new VM; on the isolated side you can use the 192.168.x.x range.

> Also, my PC will have to be physically removed from my production network and reconnected to this isolated network as well in order to be able to communicate with it, right?

Not true.

You keep your PC exactly as it is and remote desktop (RDP) to the New VM through the production network.

Then from the New VM you can copy stuff to the cloned VM, or you could make a remote desktop session to the cloned VM from the New VM (RDP is much faster than the VMClient console :) )

So basically the New VM is your gateway to the isolated network. Just do not enable routing on the New VM (disabled by default).

No other machine on the production network will be able to communicate with the clone except the New VM, and vice versa.

I hope this clears it up

Regards

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct. Thank you.

0 Kudos
crescendas
Enthusiast

Hi PduPreez, how do you RDP to the isolated VM through the production network when it's supposed to be isolated from the production network? Unless a router or some bridging is set up for this purpose?

Thanks, Texiwill, for the various alternatives. Mapping a VMDK is a good idea. USB is much more convenient but does not always work. I just wish the most convenient method, a shared folder, were supported in ESX just like it was with VM Server and Workstation.

0 Kudos
PduPreez
VMware Employee

> Hi PduPreez, how do you RDP to the isolated VM through the production network when it's supposed to be isolated from the production network? Unless a router or some bridging is set up for this purpose?

The "New VM" has 2 NICs, so it can see both the production network and the isolated network, but won't route between them (unless specifically configured). From your PC you RDP to the "New VM", then from within this Remote Desktop session, you RDP to the isolated VM. :)

Like I said, you could have a whole domain running on the Isolated network, and access all servers through the "New VM" this way

Hope that clears it up

Regards

If you find this or any other answer useful please consider awarding points by marking the answer helpful or correct. Thank you.

0 Kudos
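
Texiwill's option 5 and PduPreez's "Internal" vSwitch both depend on the private vSwitch having no physical NIC attached. As an added example (not part of any post in this thread), the shell functions below check that from a listing in the block layout printed by `esxcli network vswitch standard list`, assuming a host that provides that esxcli namespace; the sample listing and the port group name `Isolated Lab` are constructed.

```shell
# Added example: is a port group on a vSwitch with no physical uplinks?
# Assumes the block layout of `esxcli network vswitch standard list`,
# with "Uplinks:" appearing before "Portgroups:" in each vSwitch block.

# Constructed sample listing (not captured from a real host).
sample_listing() {
cat <<'EOF'
vSwitch0
   Name: vSwitch0
   Class: etherswitch
   Uplinks: vmnic0, vmnic1
   Portgroups: VM Network, Management Network
Internal
   Name: Internal
   Class: etherswitch
   Uplinks:
   Portgroups: Isolated Lab
EOF
}

# uplinks_for_portgroup NAME  (listing on stdin)
# Prints the uplinks of the vSwitch carrying NAME.
# Status: 0 = no uplinks, 1 = has uplinks, 2 = port group not found.
uplinks_for_portgroup() {
    awk -v pg="$1" '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing blanks / CR
        /^[^ \t]/ { up = ""; next }              # unindented line: new vSwitch
        /^[ \t]+Uplinks:/ { up = $0; sub(/^[ \t]+Uplinks:[ \t]*/, "", up); next }
        /^[ \t]+Portgroups:/ {
            pgs = $0; sub(/^[ \t]+Portgroups:[ \t]*/, "", pgs)
            n = split(pgs, names, /,[ \t]*/)
            for (i = 1; i <= n; i++) if (names[i] == pg) { print up; found = 1; exit }
        }
        END { if (!found) exit 2; exit (up == "" ? 0 : 1) }
    '
}

# check_isolated NAME  (listing on stdin): readable verdict, same status.
check_isolated() {
    ups=$(uplinks_for_portgroup "$1") && rc=0 || rc=$?
    case $rc in
        0) echo "OK: '$1' is on a vSwitch with no uplinks" ;;
        1) echo "FAIL: '$1' shares a vSwitch with uplinks: $ups" ;;
        *) echo "UNKNOWN: port group '$1' not found" ;;
    esac
    return "$rc"
}
sample_listing | check_isolated "Isolated Lab" || true
sample_listing | check_isolated "VM Network" || true
```

On a host, pipe the real listing in place of the sample: `esxcli network vswitch standard list | check_isolated 'Isolated Lab'`.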