ESXi

  • 1.  is vpn sufficient to secure esxi management access

    Posted Jul 28, 2023 05:12 PM

    Our small not-for-profit has an ESXi box hosting 3 VMs. This has been running in a lab environment for a while, but we now want to move the machine to a server farm for general access to the VMs. The server farm support team has warned us not to put a VMware box online without taking steps to secure access to the management layer (not the VMs). The only management capability we need is to be able to remotely reboot the VMs should they become non-responsive. In general, we would like to be able to remotely access the interface to the management layer that one sees when using the web browser interface. The VMs are not Windows VMs, so there is no possibility of RDPing to a Windows VM and starting a VMware management session from there, as suggested in another post on this forum.

    Would it be sufficient to put the VMware box's IP address behind a VPN device? If so, what is the simplest and most cost-effective approach to this? The server farm support team suggested putting the VMware IP behind a Fortinet 60D, but Fortinet setup is daunting, requiring expertise we don't have and haven't been able to find.

    Thanks!



  • 2.  RE: is vpn sufficient to secure esxi management access

    Posted Jul 29, 2023 12:31 PM

    Like many things, it all depends (on the VPN). The most secure, IMHO, is a hardware device, Fortinet or such. I have no experience with Fortinet; we use Meraki and SonicWall routers, with static public IP addresses to accommodate same.

    I suppose you could use something like TeamViewer (there are several choices) into a computer on the same LAN and access that way. I have not used same. There are also cheaper routers/firewalls that support OpenVPN.

    IMO: Like many things, strong security isn't cheap, cheap security isn't strong. 



  • 3.  RE: is vpn sufficient to secure esxi management access

    Posted Jul 30, 2023 04:26 AM

    You can apply an ACL to restrict your management segment on the management gateway interface. ESXi itself also has firewall rules to restrict access. You can apply an ACL on the gateway interface, firewall rules on ESXi, or both.

    Regards,

    Sachchidanand



  • 4.  RE: is vpn sufficient to secure esxi management access
    Best Answer

    Posted Jul 30, 2023 04:41 PM

    Am I mistaken that ACL rules would require that the device we use to get into the VMware management layer has a known/fixed IP address? If so, that would be too restrictive for our situation. The only devices we have with fixed IPs are the machines at the server farm.



  • 5.  RE: is vpn sufficient to secure esxi management access

    Posted Jul 31, 2023 01:49 AM

    I am also running ESXi nodes at remote locations and only using ACLs to restrict them. Can you please elaborate on your answer: what else do you find to be a better solution? Then I can also think of an alternate solution for my servers.

    Regards,

    Sachchidanand