I have a challenge that so far I can not figure out how to resolve.
I have installed an ESX server in a CO-LO for a Proof of Concept.
I have been assigned a Public IP address for the ESX server that will be connected to the COS.
I have also been assigned an IP address on the Storage LAN to connect to a volume on the SAN.
The ESX server will not need to connect to anything else at the CO-LO.
I have built 2 VMs on the ESX server. One to run Citrix and one to be an Active Directory Domain Controller. These VMs are connected to a virtual switch on the 192.168.x.x network.
Here is the challenge:
How do I get traffic coming in on the Public IP address on the COS NIC routed to the 192.168.x.x Virtual Network?
Ports have been opened on the Public IP address as follows: 902, 22, 443, 80.
Can the ESX server act as a NAT router to redirect traffic from the Public NIC to the Virtual Machine network?
Any help would be appreciated. If I have left out any important details, let me know and I will post them.
Thanks for everyone's help.
Hi Randy, ESX doesn't provide NAT functionality as you will find in VMware Workstation for example, and it would be highly recommended from a security perspective to not have your ESX host accessible on the Internet. Here's what you could consider. I'll just list one NIC for each function, but ideally you would have 2 for redundancy.
1 - NIC connected to the Internet. ESX would have a virtual switch (vswitch) on this NIC that would only have a virtual machine port group on it (i.e. ESX would not have an IP address for itself or management presence on this subnet). On this vswitch you would have a VM that would function as a firewall. There are numerous options for this which you can download from www.vmware.com/appliances.
2 - NIC for your DMZ - ESX would have a vswitch for the DMZ virtual NIC of your virtual firewall appliance, plus your Citrix and AD virtual machines.
3 - NIC to access storage - are you using iSCSI, and would you be using software or hardware iSCSI from ESX? If you're using software iSCSI you would need a service console port and a vmkernel port on this vswitch.
4 - NIC for access to be used to manage ESX. The firewall appliance could be set up as a VPN server; you would then make a VPN connection and get an IP address on this network to manage your host. Your firewall appliance would have a virtual NIC on this subnet as well.
This setup would provide reasonable protection for your ESX host and allow you to do this with one IP address. The downside is that if the firewall appliance goes down you have no access (or at least you mention nothing about this). If you do want to have direct IP access to this ESX host, you would need two public IP addresses, one for ESX and another to access your Citrix server (again you would still want to deploy a firewall for this - physical or virtual). But if you are able to get 2 IP addresses, I would still put access to ESX behind a low-end VPN appliance.
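The vswitch layout described in the reply above, expressed as the ESX service console commands an administrator would run. This is an added example, not from the original thread; the uplink names vmnic1-vmnic3, the port group names and the storage addresses are constructed placeholders, and the script only prints the commands unless DRY_RUN=0 is set on the host. vSwitch0 with the installer's Service Console is assumed to be the management vswitch reached through the firewall VM's VPN.

```shell
#!/bin/sh
# Dry run by default: print each esxcfg command instead of executing it.
DRY_RUN=${DRY_RUN:-1}
# Constructed placeholder addresses for the storage LAN (assumption).
STORAGE_COS_IP=${STORAGE_COS_IP:-10.10.10.11}
STORAGE_VMK_IP=${STORAGE_VMK_IP:-10.10.10.12}
STORAGE_MASK=${STORAGE_MASK:-255.255.255.0}

run() {
  if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi
}

# One vswitch per physical NIC, as in the reply (vSwitch0 = management, untouched).
build_layout() {
  # 1. Internet-facing vswitch: a VM port group for the firewall's outside leg only.
  #    No Service Console (vswif) or VMkernel (vmknic) interface is created here.
  run esxcfg-vswitch -a vSwitch1
  run esxcfg-vswitch -L vmnic1 vSwitch1
  run esxcfg-vswitch -A Internet vSwitch1
  # 2. DMZ vswitch: firewall inside leg plus the Citrix and AD VMs.
  run esxcfg-vswitch -a vSwitch2
  run esxcfg-vswitch -L vmnic2 vSwitch2
  run esxcfg-vswitch -A DMZ vSwitch2
  # 3. Storage vswitch: software iSCSI needs both a console port and a vmkernel port.
  run esxcfg-vswitch -a vSwitch3
  run esxcfg-vswitch -L vmnic3 vSwitch3
  run esxcfg-vswitch -A "Storage Console" vSwitch3
  run esxcfg-vswitch -A "Storage VMkernel" vSwitch3
  run esxcfg-vswif -a vswif1 -p "Storage Console" -i "$STORAGE_COS_IP" -n "$STORAGE_MASK"
  run esxcfg-vmknic -a -i "$STORAGE_VMK_IP" -n "$STORAGE_MASK" "Storage VMkernel"
}

# Sanity check on the plan: the Internet port group must carry no host interface,
# i.e. no vswif or vmknic command may reference it. Returns 0 when isolated.
internet_isolated() {
  build_layout | grep -E '^esxcfg-(vswif|vmknic)' | grep -qw Internet && return 1
  return 0
}

build_layout
internet_isolated && echo "OK: no service console or vmkernel port on the Internet vswitch"
```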
Apart from the issues relating to connecting the COS to a public address, your setup is possible with some amendments. First, there is no built-in functionality that will route traffic through the console to your internal VMs. What you need to do is create a VM that will act as a virtual router to connect up the two isolated segments. This machine must have a vNIC connected to the port group on both the internal and external vSwitch. I think popular candidates would be something like the IPCop appliance or MonoWall.
Obviously this device must have an IP address distinct from the console address. The best bet would be to get the console off the public network. It really shouldn't be there. Even better, front up the ESX with a proper firewall/NAT device.