Current thinking is: we put a load balancer (as a VM). Each guest will be assigned to a private virtual switch that is connected to no server NICs. Hence the only things they can talk to is each other.

Load balancer will be in a vSwitch that is connected to NICs that go to the firewall. The guest VMs will only have 1 vNIC. So the load balancer will do the routing internally, between the DMZ and trusted LAN ...

On Tue, Dec 2, 2014 at 10:50 AM, Kurt Buff <[email protected]> wrote:
> My 2 cents...
>
> A DMZ is an untrusted zone. Having anything other than your firewall
> with NICs in both production and DMZ is a sin.
>
> I'd put a switch in your DMZ, put more NICs in your VMware machine and
> lagg all of them to the switch. The VMWare host itself shouldn't be
> trusted, as it's running untrusted VMs - all access to the VMs and the
> host on which they are running should be mediated by the firewall.
>
> Kurt
>
> On Tue, Dec 2, 2014 at 7:40 AM, Michael Leone <[email protected]> wrote:
>> This is the first time I've set up an ESXi 5.5 server on a DMZ, and I
>> want to verify what my networking configuration should be. Here's what
>> I currently have - 5.5 host has 2 NICs in a standard vSwitch for
>> management network, set as active (NIC #1) / standby (NIC #2). All is
>> well, and I am communicating with the server using the vSphere fat
>> client well.
>>
>> All my VMs will be P2Ved from the existing physical boxes. All
>> currently have 2 NICs - one for the DMZ (external facing) side, one
>> for the LAN (internal facing) side. Pretty standard so far. So what I
>> think I need is:
>>
>> 1 standard vSwitch, port group named DMZ, 1 server NIC (#3) assigned
>> to it. VLAN = xxx (I will have my networking guys create this new
>> VLAN)
>>
>> 1 standard vSwitch, port group named InternalLAN, 1 server NIC (#4)
>> assigned to it. VLAN = yyy (I will have my networking guys create this
>> new VLAN)
>>
>> There is a Checkpoint firewall protecting the DMZ. It has 1 interface
>> for the outside world, 1 for the trusted LAN, and 2 other interfaces
>> for use by my ESXi host - 1 interface for the DMZ, 1 for the 2nd NIC
>> of the VMs.
>>
>> So:
>>
>> if I P2V my physical DMZ hosts; assign the proper port group to each
>> virtual NIC in the VM; and plug the cable from each server NIC into
>> the correct port on the firewall, everything should be good.
>>
>> Traffic will come in from the Internet via the public port on the
>> firewall; go through the DMZ interface of the firewall to the DMZ
>> interface of the VM; if the VM needs info from the trusted LAN, it
>> will request it via the internal LAN interface of the VM, which sends
>> it through the firewall to the proper host on the trusted LAN, and
>> vice versa for the returned traffic. (I don't have anything to do
>> with the configuration of the Checkpoint, or any physical switches.)
>>
>> Yes? Am I missing something major here? As long as I keep my server
>> NICs going to different interfaces on the firewall (properly VLAN
>> tagged), and have my VMs' NICs going to the right port group, I should
>> be good.
>>
>> I hope I explained that clearly enough. Feel free to question me for
>> further details, of course.
>>
>> Thanks
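The two designs in this thread differ in one auditable property: whether any VM other than the firewall (or, in the revised plan, the load balancer) has vNICs in more than one trust zone, and whether the guest port group really sits on a vSwitch with no uplinks. The script below is an added example, not code from the thread or from VMware; it runs the check over a hand-constructed inventory that mirrors both plans. Port group names, vSwitch names, vmnic names, the VM names and the `gateways` allow-list are assumptions for illustration; in practice the same dictionaries would be filled from a vSphere inventory export.

```python
"""Audit a planned vSphere network layout for cross-zone VMs.

Added example, not code from the thread. The inventory below is
constructed by hand to mirror the two designs discussed: the original
plan (every DMZ VM dual-homed into DMZ and InternalLAN) and the revised
plan (guests on a private vSwitch with no uplinks, only a load balancer
spanning zones). Zone names, VM names, vmnic names and the gateway
allow-list are assumptions for illustration.
"""

# Port group -> (vSwitch, security zone). Constructed sample data.
PORTGROUPS = {
    "DMZ":         ("vSwitch1", "dmz"),
    "InternalLAN": ("vSwitch2", "trusted"),
    "GuestsOnly":  ("vSwitch3", "guest"),   # private vSwitch, no uplinks
}

# vSwitch -> list of physical NIC uplinks. Constructed sample data.
VSWITCH_UPLINKS = {
    "vSwitch1": ["vmnic2"],
    "vSwitch2": ["vmnic3"],
    "vSwitch3": [],        # connected to no server NICs at all
}


def isolated_portgroups(portgroups=PORTGROUPS, uplinks=VSWITCH_UPLINKS):
    """Return port groups whose vSwitch has no physical uplink.

    VMs placed there can only talk to each other, never to a server NIC,
    which is the property the revised design relies on."""
    return sorted(pg for pg, (vs, _zone) in portgroups.items()
                  if not uplinks.get(vs))


def cross_zone_vms(vms, portgroups=PORTGROUPS, gateways=()):
    """Return {vm: sorted zones} for every VM whose vNICs land in more
    than one security zone, excluding VMs explicitly allowed to bridge
    zones (the firewall, or a designated load balancer)."""
    findings = {}
    for vm, nics in vms.items():
        zones = {portgroups[pg][1] for pg in nics}
        if len(zones) > 1 and vm not in gateways:
            findings[vm] = sorted(zones)
    return findings


# Original plan: each P2V'd host keeps two vNICs, DMZ + InternalLAN.
ORIGINAL_PLAN = {
    "web01": ["DMZ", "InternalLAN"],
    "web02": ["DMZ", "InternalLAN"],
}

# Revised plan: guests get one vNIC on the private vSwitch; only the
# load balancer spans zones, and it is the declared gateway.
REVISED_PLAN = {
    "web01": ["GuestsOnly"],
    "web02": ["GuestsOnly"],
    "lb01":  ["DMZ", "InternalLAN", "GuestsOnly"],
}

if __name__ == "__main__":
    print("isolated port groups:", isolated_portgroups())
    print("original plan, cross-zone VMs:", cross_zone_vms(ORIGINAL_PLAN))
    print("revised plan, lb01 allow-listed:",
          cross_zone_vms(REVISED_PLAN, gateways={"lb01"}))
    print("revised plan, nothing allow-listed:", cross_zone_vms(REVISED_PLAN))
```

Run with an empty `gateways` set, the revised plan still reports `lb01` as spanning dmz, guest and trusted, which is precisely the point Kurt raises: whatever is allow-listed to bridge zones is now doing the firewall's job and should be hardened and reviewed like one. Re-running the audit after every port-group or uplink change keeps an accidental second vNIC from quietly re-creating the original dual-homed layout.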

