Boston Linux & UNIX was originally founded in 1994 as part of The Boston Computer Society. We meet on the third Wednesday of each month at the Massachusetts Institute of Technology, in Building E51.

BLU Discuss list archive



[Discuss] Securing a VMware ESXi server at a colo site?



> From: John Abreau [mailto:abreauj at gmail.com]
> 
> I did a bit of googling to see how to set up a vpn server on the ESXi host, and it
> seems that's not possible. And managing the host through a vpn running on a
> guest VM sounds unreliable; if you need to use the management console to
> fix a problem that affects the vpn server guest, you have no access to the
> management console until the problem is fixed.
> So it seems I'll still need a separate physical server to provide the vpn.

Correct(ish).

You should not imagine ESXi as being a "normal" Linux - although it runs a Linux kernel, it has little to no resemblance to any normal Linux distribution that you're used to.  It is intended to be a bare metal black box, and it's generally best to let it be that way.  As I said before, there is some useful stuff you can do via ssh, but good reasons to avoid it.

Presumably you have some other backup solution available, right?  Don't expect the host OS to do anything useful in terms of software RAID or backups, or even hardware RAID management.  HW RAID management is a whole separate subject - some things you can do, others you can't.

The *best* solution is to have the ESXi host running VMs, which are network shared via iSCSI from a storage server, which is *designed* to do storage and iSCSI well (such as a ZFS server).  I like to run ESXi diskless, because they do crap for disk management.

You *can* install a VPN server in a VM running on the ESXi host - and I have before - and it works fine - as long as nothing goes wrong with that guest VM.  Some time ago, I had to put in extra effort to make pfSense work in a VM, but I think the recent versions actually support it, or something - you can check with pfSense if you want.

Of course, if anything goes wrong with your ESXi host, you'll be glad to have a separate hardware VPN, and remote access to the iLom or whatever.



BLU is a member of BostonUserGroups
We also thank MIT for the use of their facilities.




Boston Linux & Unix / webmaster@blu.org