VMware Cloud Community
chadc1979
Enthusiast

Provider Portal on the WAN

I was wondering if it should be accessible over the internet; the tenant portal and console proxy both work fine over the internet.

I'm using an NGINX reverse proxy in the DMZ with the WAF rules disabled for vCD. I'm assuming it must need to be able to access something that's configured, like vCenter or NSX, and can't, so it doesn't work, or is it a reverse proxy issue?

Just looking for clarification on if the provider console should work or not over the WAN, thanks.

Raducanu
Enthusiast

First:

ALL end-user communication goes to the vCloud Cells.

You should check the "vCloud Director Security" whitepaper, Chapter 5. The latest document I could find was for 9.5, but most of this also applies to 9.7 / 10.

https://docs.vmware.com/en/vCloud-Director/9.5/vcd_sec.pdf

Things to check:

- If you have multiple Cells, use a load balancer

- Open only port 443 to the internet (if you have ConsoleProxy on the same IP, also the IP of ConsoleProxy (e.g. 8443)) and use a firewall (see: Blocking Malicious Traffic)

- Always use valid certificates

- Enforce strong passwords on all users

- If possible use a WAF and prevent access to administrative URLs (Admin Portal, Admin API Endpoints)

- If required enable MFA

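One way to apply the "prevent access to administrative URLs" item on the NGINX reverse proxy from the question, as an added example that is not part of the original thread or VMware's own configuration. The hostname, certificate paths, cell addresses and management range are placeholders, and the `/provider` and `/api/admin` prefixes are assumptions about where the provider portal and admin API live; confirm them against your vCD version.

```nginx
# Added example, not from the thread. All names and addresses are placeholders.
upstream vcd_cells {
    server 192.0.2.11:443;    # placeholder cell 1 (documentation range)
    server 192.0.2.12:443;    # placeholder cell 2
}

server {
    listen 443 ssl;                      # only 443 is exposed to the internet
    server_name vcd.example.com;         # placeholder public name

    # Valid, CA-issued certificate for the public name (placeholder paths).
    ssl_certificate     /etc/nginx/tls/vcd.example.com.crt;
    ssl_certificate_key /etc/nginx/tls/vcd.example.com.key;

    # Set once here; locations below define no proxy_set_header, so they inherit.
    proxy_set_header Host              $host;
    proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;

    # Provider (admin) portal: management network only.
    # Assumed path prefix; verify for your release.
    location ^~ /provider {
        allow 198.51.100.0/24;           # placeholder management/VPN range
        deny  all;                       # everyone else gets 403
        proxy_pass https://vcd_cells;
    }

    # Admin API endpoints: same restriction (assumed path prefix).
    location ^~ /api/admin {
        allow 198.51.100.0/24;
        deny  all;
        proxy_pass https://vcd_cells;
    }

    # Tenant portal and tenant API stay reachable from the internet.
    location / {
        proxy_pass https://vcd_cells;
    }
}
```

Requests to the restricted prefixes from outside the allowed range return 403 at the proxy and never reach the cells. The two prefixes are not a complete inventory of administrative endpoints, so check the security whitepaper for your version before relying on this list.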