
I am successfully able to VPN in to our remote network and access the vSphere management console over a private IP, thus locking down console management from the outside world, nice.

The problem is that the VMkernel is not able to reach NTP time servers since the gateway is private.

Now, with a Linux test VM I am able to take a single physical NIC and create 2 virtual NICs, one for private, the other public (gateway on public). Then, adding a static route to the VM for the VPN client subnet allows traffic to flow back out of the firewall; works great.

Is it possible to do the same with the VMkernel, dedicating a single physical NIC to both private & public traffic and adding static route(s) accordingly? If not, can this be pulled off with 2 physical NICs? (Shame to use 2 physical NICs just for the console, though.)

The goal is to lock down console access from the outside world while still allowing the VMkernel to get NTP updates and whatever else ESXi needs to remain up-to-date (the firewall is an ASA 5505, btw).

Ideas appreciated; I am loving the transition from bare metal to virtual ;--)

virtualeyes
  • Have you considered just setting up a box that acts as an NTP server and has access to both your public and private networks? – Zoredache Aug 07 '10 at 22:00
  • Hmmm, I do have another server on the network that could provide NTP data. I assume this means that ESXi itself does not need access to the outside world other than for keeping accurate time via NTP? Are most people putting the console on a public IP? I'd prefer to keep it private; VPN is great for locking down servers to minimal exposure. – virtualeyes Aug 07 '10 at 22:13

1 Answer


Two ways to go:

  1. Configure your firewall so that it allows the ESXi server to pull NTP data from the internet, but nothing else.
  2. Install an NTP virtual appliance on your ESXi box. Have that appliance get its NTP data from the internet, and have your ESXi box get its NTP data from the appliance.

--jeroen

  • Right, the problem is ESXi is on the private network, so no outside access -- I think using another server on the inside as an NTP server that has outside access will do the trick... – virtualeyes Aug 10 '10 at 19:36
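An added check, not code from either poster, for the relay design the comments and answer settle on: a minimal SNTP probe (Python, written here for this page) that you can run from a VM on the private segment to confirm the internal NTP server answers with a usable, synchronised reply before pointing the VMkernel at it. The relay address 10.0.0.5 is an assumption; the sample reply is constructed, not captured.

```python
import socket, struct, time

NTP_EPOCH_OFFSET = 2208988800  # seconds from 1900-01-01 (NTP era 0) to 1970-01-01 (Unix)

def build_request() -> bytes:
    # 48-byte SNTP client request: LI=0, VN=4, mode=3, all other fields zero
    return bytes([0x23]) + bytes(47)

def parse_response(data: bytes) -> dict:
    """Pull the fields a client needs out of a 48-byte NTP server reply."""
    if len(data) < 48:
        raise ValueError("short NTP packet (%d bytes)" % len(data))
    li_vn_mode, stratum = struct.unpack("!BB", data[:2])
    tx_secs, tx_frac = struct.unpack("!II", data[40:48])  # transmit timestamp
    return {
        "leap": li_vn_mode >> 6,    # 3 = clock not synchronised
        "mode": li_vn_mode & 0x07,  # 4 = server reply
        "stratum": stratum,         # 0 = kiss-o'-death, 16 = unsynchronised
        "ref_id": data[12:16],      # reference source, or KoD code such as b"RATE"
        "tx_time": tx_secs - NTP_EPOCH_OFFSET + tx_frac / 2**32,  # Unix seconds
    }

def check_reply(reply: dict, now: float, max_skew: float = 5.0) -> list:
    """Return the reasons a reply is not usable; an empty list means it is fine."""
    problems = []
    if reply["mode"] != 4:
        problems.append("not a server reply (mode %d)" % reply["mode"])
    if reply["stratum"] == 0:
        problems.append("kiss-o'-death %r" % reply["ref_id"].decode("ascii", "replace"))
    elif reply["stratum"] >= 16 or reply["leap"] == 3:
        problems.append("server clock not synchronised (stratum %d)" % reply["stratum"])
    if abs(reply["tx_time"] - now) > max_skew:
        problems.append("server time off by %.1f s" % (reply["tx_time"] - now))
    return problems

def probe(host: str, timeout: float = 2.0) -> list:
    """Send one request to host on UDP/123 and report problems with the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_request(), (host, 123))
        data, _ = sock.recvfrom(512)
    return check_reply(parse_response(data), time.time())

# Constructed sample reply (not captured traffic): stratum-2 server, mode 4,
# reference id "GPS", transmit timestamp 2010-08-07 22:00:00 UTC.
SAMPLE_REPLY = (bytes([0x24, 2, 6, 0xEC]) + bytes(8) + b"GPS\x00" + bytes(24)
                + struct.pack("!II", 1281218400 + NTP_EPOCH_OFFSET, 0))

if __name__ == "__main__":
    print(probe("10.0.0.5"))  # 10.0.0.5 is an assumed address for the internal NTP relay
```

A non-empty list from `probe` (kiss-o'-death, stratum 16, or large skew) means the relay itself is not yet synchronised upstream, which is the first thing to fix before ESXi is pointed at it.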