Networking advice wanted - ESXi 5.5 hosting dual NIC VMs on DMZ


This is the first time I've set up an ESXi 5.5 server on a DMZ, and I want to verify what my networking configuration should be. Here's what I currently have: the 5.5 host has 2 NICs in a standard vSwitch for the management network, set as active (NIC #1) / standby (NIC #2). All is well, and I am communicating with the server using the vSphere fat client.

All my VMs will be P2Ved from the existing physical boxes. All currently have 2 NICs: one for the DMZ (external facing) side, one for the LAN (internal facing) side. Pretty standard so far. So what I think I need is:

1 standard vSwitch, port group named DMZ, 1 server NIC (#3) assigned to it. VLAN = xxx (I will have my networking guys create this new VLAN)

1 standard vSwitch, port group named InternalLAN, 1 server NIC (#4) assigned to it. VLAN = yyy (I will have my networking guys create this new VLAN)

There is a Checkpoint firewall protecting the DMZ. It has 1 interface for the outside world, 1 for the trusted LAN, and 2 other interfaces for use by my ESXi host: 1 interface for the DMZ, 1 for the 2nd NIC of the VMs.

So: if I P2V my physical DMZ hosts, assign the proper port group to each virtual NIC in the VM, and plug the cable from each server NIC into the correct port on the firewall, everything should be good.

Traffic will come in from the Internet via the public port on the firewall and go through the DMZ interface of the firewall to the DMZ interface of the VM. If the VM needs info from the trusted LAN, it will request it via the internal LAN interface of the VM, which sends it through the firewall to the proper host on the trusted LAN, and vice versa for the returned traffic.

Yes? Am I missing something major here? As long as I keep my server NICs going to different interfaces on the firewall (properly VLAN tagged), and have my VMs' NICs going to the right port groups, I should be good.

I hope I explained that clearly enough. Feel free to question me for further details, of course.

Thanks
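As an added example (not part of the original post), the PowerCLI below builds the two zone vSwitches the poster describes and then audits that the DMZ and InternalLAN port groups sit on separate vSwitches with disjoint physical uplinks, so the two firewall zones are never bridged inside the host. The host name, vmnic numbers and the VLAN IDs standing in for xxx/yyy are placeholders.

```powershell
# Added example, not the poster's configuration. Placeholders: host name, vmnic names, VLAN IDs.
Import-Module VMware.VimAutomation.Core
Connect-VIServer -Server 'esxi55.example.local' | Out-Null      # placeholder host
$vmhost = Get-VMHost -Name 'esxi55.example.local'

# NIC #3 -> DMZ zone, NIC #4 -> InternalLAN zone. vmnic names are assumptions;
# confirm the mapping with Get-VMHostNetworkAdapter -Physical before running.
$plan = @(
    @{ Switch = 'vSwitchDMZ';      PortGroup = 'DMZ';         Nic = 'vmnic2'; Vlan = 100 }, # VLAN xxx placeholder
    @{ Switch = 'vSwitchInternal'; PortGroup = 'InternalLAN'; Nic = 'vmnic3'; Vlan = 200 }  # VLAN yyy placeholder
)

foreach ($p in $plan) {
    # One standard vSwitch per security zone, each with exactly one dedicated physical uplink.
    $vs = New-VirtualSwitch -VMHost $vmhost -Name $p.Switch -Nic $p.Nic
    # Port group tagged with the zone VLAN (VST): the firewall-facing switch port must carry that tag.
    New-VirtualPortGroup -VirtualSwitch $vs -Name $p.PortGroup -VLanId $p.Vlan | Out-Null
    # Reject promiscuous mode, forged transmits and MAC changes so a compromised DMZ guest
    # cannot sniff or spoof other VMs on the same vSwitch. Port groups inherit this policy.
    Get-SecurityPolicy -VirtualSwitch $vs |
        Set-SecurityPolicy -AllowPromiscuous $false -ForgedTransmits $false -MacChanges $false | Out-Null
}

# Audit: the two zone port groups must not share a vSwitch or any physical uplink.
$dmz = Get-VirtualPortGroup -VMHost $vmhost -Name 'DMZ'
$lan = Get-VirtualPortGroup -VMHost $vmhost -Name 'InternalLAN'
$dmzNics = @((Get-VirtualSwitch -VMHost $vmhost -Name $dmz.VirtualSwitchName).Nic)
$lanNics = @((Get-VirtualSwitch -VMHost $vmhost -Name $lan.VirtualSwitchName).Nic)
$sharedNics = $dmzNics | Where-Object { $lanNics -contains $_ }

if ($dmz.VirtualSwitchName -eq $lan.VirtualSwitchName -or $sharedNics) {
    Write-Warning "DMZ and InternalLAN share a vSwitch or uplink ($($sharedNics -join ',')): zones are bridged inside the host"
} else {
    Write-Host "OK: DMZ on $($dmz.VirtualSwitchName) [$($dmzNics -join ',')], InternalLAN on $($lan.VirtualSwitchName) [$($lanNics -join ',')]"
}

Disconnect-VIServer -Confirm:$false
```

The VLAN tag on each port group only does anything if the corresponding firewall port is configured as a trunk carrying that VLAN; with one dedicated uplink per zone the physical separation is what actually keeps the zones apart.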

