While I believe you are correct in your premise, I also believe you're creating
multiple failure points for security. If you have the firewall in the mix, you
should be able to create rules to allow the required traffic to pass back into
the LAN from the DMZ as required without having the 2nd NIC in the VM. I
understand that you're trying to migrate the existing physical to the new
virtual equivalent, and the same situation already exists there as well.
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
-----Original Message-----
From: [email protected] [mailto:[email protected]] On
Behalf Of Michael Leone
Sent: Tuesday, December 2, 2014 10:40 AM
To: [email protected]
Subject: [NTSysADM] OT: networking advice for a VMware host on a DMZ
This is the first time I've set up an ESXi 5.5 server on a DMZ, and I want to
verify what my networking configuration should be. Here's what I currently have:
the 5.5 host has 2 NICs in a standard vSwitch for management network, set as
active (NIC #1) /standby (NIC #2). All is well, and I am communicating with the
server using the vSphere fat client well.
All my VMs will be P2Ved from the existing physical boxes. All currently have
2 NICs - one for the DMZ (external facing) side, one for the LAN (internal
facing) side. Pretty standard so far. So what I think I need is:
1 standard vSwitch, port group named DMZ, 1 server NIC (#3) assigned to it.
VLAN = xxx (I will have my networking guys create this new VLAN)
1 standard vSwitch, port group named InternalLAN, 1 server NIC (#4) assigned to
it. VLAN = yyy (I will have my networking guys create this new VLAN)
There is a Checkpoint firewall protecting the DMZ. It has 1 interface for the
outside world, 1 for the trusted LAN. And 2 other interfaces, for use by my
ESXi host - 1 interface for the DMZ, 1 for the 2nd NIC of the VMs.
So:
If I P2V my physical DMZ hosts; assign the proper portgroup to each virtual NIC
in the VM; and plug the cable from each server NIC into the correct port on the
firewall, everything should be good.
Traffic will come in from the Internet via the public port on the firewall; go
through the DMZ interface of the firewall to the DMZ interface of the VM; if
the VM needs info from the trusted LAN, it will request it via the internal LAN
interface of the VM, which sends it through the firewall to the proper host on
the trusted LAN. And vice versa, for the returned traffic. (I don't have
anything to do with the configuration of the Checkpoint, or any physical
switches.)
Yes? Am I missing something major here? As long as I keep my server NICs going
to different interfaces on the firewall (properly VLAN tagged), and have my VMs'
NICs going to the right port group, I should be good.
I hope I explained that clearly enough. Feel free to question me for further
details, of course.
Thanks
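A small topology checker for the design described in the original post and the objection raised in the reply, written as an added example for this thread; it is not code from either poster or from VMware. It models the two-vSwitch layout (one uplink per zone, one port group per vSwitch) and flags the things a reviewer would look for before powering the P2Ved VMs on: both zones sharing a vSwitch or physical NIC, a shared or trunk-all (4095) VLAN, anything other than the DMZ port group riding the DMZ uplink, and a VM with a NIC in both zones, which is the dual-homed path around the Checkpoint that the reply warns about. The vSwitch names, vmnic numbers and VLAN ids 100/200 are constructed stand-ins for the post's "xxx"/"yyy"; the function and finding codes are this example's own.

```python
"""Sanity-check a DMZ/LAN vSwitch layout before VMs are powered on.

Added example, not code from either post. vSwitch names, vmnic numbers and
the VLAN ids are constructed; the "xxx"/"yyy" VLANs in the post are unknown.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

TRUNK_ALL_VLANS = 4095  # ESXi port-group VLAN id meaning "pass every tag" (VGT)


@dataclass
class VSwitch:
    name: str
    uplinks: Tuple[str, ...]            # physical NICs backing the vSwitch


@dataclass
class PortGroup:
    name: str
    vswitch: str
    vlan: int


@dataclass
class VM:
    name: str
    nics: Dict[str, str] = field(default_factory=dict)  # vNIC label -> port group


def check_topology(vswitches, portgroups, vms, dmz_pg="DMZ", lan_pg="InternalLAN"):
    """Return (code, message) findings; an empty list means every invariant holds."""
    findings: List[Tuple[str, str]] = []
    vs = {v.name: v for v in vswitches}
    pg = {p.name: p for p in portgroups}

    missing = [n for n in (dmz_pg, lan_pg) if n not in pg]
    if missing:
        return [("PG_MISSING", f"port group(s) not defined: {missing}")]
    dmz, lan = pg[dmz_pg], pg[lan_pg]

    for p in portgroups:
        if p.vswitch not in vs:
            findings.append(("VSWITCH_MISSING", f"{p.name} references unknown vSwitch {p.vswitch}"))

    # The two zones must leave the host on different vSwitches and different
    # physical NICs, so the only path between them is the firewall.
    if dmz.vswitch == lan.vswitch:
        findings.append(("SHARED_VSWITCH", f"{dmz_pg} and {lan_pg} are both on {dmz.vswitch}"))
    elif dmz.vswitch in vs and lan.vswitch in vs:
        shared = set(vs[dmz.vswitch].uplinks) & set(vs[lan.vswitch].uplinks)
        if shared:
            findings.append(("SHARED_UPLINK", f"uplink(s) {sorted(shared)} carry both zones"))

    if dmz.vlan == lan.vlan:
        findings.append(("SHARED_VLAN", f"{dmz_pg} and {lan_pg} both use VLAN {dmz.vlan}"))
    for p in (dmz, lan):
        if p.vlan == TRUNK_ALL_VLANS:
            findings.append(("TRUNK_ALL", f"{p.name} passes all VLANs (4095); pin it to one id"))

    # Nothing else (management in particular) should ride the DMZ-facing uplink.
    for p in portgroups:
        if p.vswitch == dmz.vswitch and p.name != dmz_pg:
            findings.append(("DMZ_VSWITCH_SHARED", f"{p.name} shares {dmz.vswitch} with {dmz_pg}"))

    # A VM with a leg in each zone is a path around the firewall: the reply's
    # objection to keeping the second NIC after the P2V.
    for vm in vms:
        zones = set()
        for label, target in vm.nics.items():
            if target not in pg:
                findings.append(("VM_NIC_UNKNOWN_PG", f"{vm.name}/{label} -> unknown port group {target}"))
            elif target == dmz_pg:
                zones.add("dmz")
            elif target == lan_pg:
                zones.add("lan")
        if zones == {"dmz", "lan"}:
            findings.append(("DUAL_HOMED", f"{vm.name} has NICs in both {dmz_pg} and {lan_pg}"))
    return findings


def thread_design():
    """The layout described in the original post, with constructed ids."""
    vswitches = [VSwitch("vSwitch0", ("vmnic0", "vmnic1")),    # management, active/standby
                 VSwitch("vSwitchDMZ", ("vmnic2",)),           # server NIC #3
                 VSwitch("vSwitchLAN", ("vmnic3",))]           # server NIC #4
    portgroups = [PortGroup("Management Network", "vSwitch0", 0),
                  PortGroup("DMZ", "vSwitchDMZ", 100),         # stands in for VLAN "xxx"
                  PortGroup("InternalLAN", "vSwitchLAN", 200)]  # stands in for VLAN "yyy"
    vms = [VM("dmz-web01", {"Network adapter 1": "DMZ", "Network adapter 2": "InternalLAN"})]
    return vswitches, portgroups, vms


def finding_codes(findings):
    return sorted(code for code, _ in findings)


if __name__ == "__main__":
    for code, msg in check_topology(*thread_design()):
        print(f"{code}: {msg}")
```

Run as-is, the only finding against the post's layout is DUAL_HOMED for the P2Ved VM; dropping the second vNIC and letting the Checkpoint rules carry the DMZ-to-LAN traffic, as the reply suggests, leaves the report empty. The checker is deliberately conservative: it describes the intended wiring, not what the physical switches or firewall actually do, so its clean result is a precondition for the design, not proof of it.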