ESX servers in a DMZ

Tags: dmz, rules, vmware-esx, vmware-vcenter, vpn

I have two ESX 3.5 servers in a DMZ. I can access these servers on any port from my LAN via a VPN. Servers in the DMZ are unable to initiate connections back to the LAN, for obvious reasons. I have a vCenter server on my LAN and can initially connect to the ESX servers fine. However, the ESX servers then try to send a heartbeat back to the vCenter server on UDP/902 – obviously this will not get back to the vCenter server, which then marks the ESX servers as not responding and disconnects.

There are two broad solutions I can think of:

1) Try to tell vCenter to ignore not getting heartbeats. The best I can do here is delay the disconnect by 3 mins.

2) Try some clever network solution. However, again I am at loss.

Note: The vCenter server is on a LAN, and cannot be given a public IP, so firewall rules back will not work. Also, I cannot set up a VPN from the DMZ to the LAN.

**I am adding the following explanation that I added to the comments:**

OK, maybe this is the bit that I am not explaining well. The DMZ is on a remote site, an entirely independent network (network 1). The vCenter server is on our office LAN (network 2). Network 2 can connect to any machine on any port on network 1. But network 1 is not allowed to initiate a connection to network 2. Any traffic destined to network 2 from network 1 gets dropped by the firewall as it is traffic to a non-routable address. The only solution I can think of is setting up a VPN from network 1 to network 2, but this is not acceptable.

So any clever folk out there any ideas?

J

Best Answer

James, why not configure the ESX hosts at the remote location so that their guests are in a DMZ, but the ESX service console etc. are in a back-zone subnet that you can establish a VPN with? That way, your hosts are isolated from web connectivity (a good thing) but your guests can continue to operate front-facing.

As for the remote site problem... you really need a site-to-site VPN link going on here, between your internal LAN and the remote (non-DMZ if possible) subnet.
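As an added example, not part of the question or the answer above, here is a small Python model of the firewall policy that checks the vCenter management flows against the current rule set (LAN to DMZ only) and against the answer's back-zone design; the addresses, the management subnet 10.3.0.0/24 and the TCP 443/902 vCenter-to-host ports are assumptions, while the UDP/902 heartbeat is the flow from the question.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str       # source network, CIDR
    dst: str       # destination network, CIDR
    proto: str     # "tcp", "udp" or "any"
    port: int      # destination port, 0 = any
    action: str    # "allow" or "deny"

@dataclass(frozen=True)
class Flow:
    name: str
    src_ip: str
    dst_ip: str
    proto: str
    port: int

def evaluate(rules, flow):
    """First-match semantics; traffic no rule matches is dropped, as in the question."""
    src, dst = ipaddress.ip_address(flow.src_ip), ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src) and dst in ipaddress.ip_network(r.dst)
                and r.proto in ("any", flow.proto) and r.port in (0, flow.port)):
            return r.action
    return "deny"

def check(rules, required, forbidden):
    """Return (required flows that are blocked, forbidden flows that are allowed)."""
    return ([f.name for f in required if evaluate(rules, f) != "allow"],
            [f.name for f in forbidden if evaluate(rules, f) == "allow"])

# Constructed addressing (assumption): LAN (network 2) 10.2.0.0/16, DMZ (network 1)
# 203.0.113.0/24, proposed back-zone management subnet 10.3.0.0/24 reached over the VPN.
VCENTER, ESX_DMZ, ESX_MGMT, GUEST = "10.2.0.10", "203.0.113.20", "10.3.0.20", "203.0.113.50"

def mgmt_flows(esx_ip):
    # TCP 443/902 from vCenter to the host are assumed; UDP 902 is the heartbeat from the question.
    return [Flow("vcenter->esx tcp/443", VCENTER, esx_ip, "tcp", 443),
            Flow("vcenter->esx tcp/902", VCENTER, esx_ip, "tcp", 902),
            Flow("esx->vcenter udp/902 heartbeat", esx_ip, VCENTER, "udp", 902)]
GUEST_TO_LAN = [Flow("dmz guest->lan", GUEST, VCENTER, "tcp", 445)]  # must stay blocked
CURRENT_RULES = [Rule("10.2.0.0/16", "203.0.113.0/24", "any", 0, "allow")]  # LAN->DMZ only
PROPOSED_RULES = CURRENT_RULES + [
    Rule("10.2.0.0/16", "10.3.0.0/24", "any", 0, "allow"),    # LAN -> management subnet via VPN
    Rule("10.3.0.0/24", "10.2.0.0/16", "udp", 902, "allow"),  # heartbeat back, nothing else
]
```

Running `check(CURRENT_RULES, mgmt_flows(ESX_DMZ), GUEST_TO_LAN)` reports only the heartbeat as blocked, while the proposed rules with the service console at ESX_MGMT pass every management flow and still drop the DMZ guest.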
