View Security Server Firewalls


If you’ve ever set up a View Security Server for external access, you’ve probably invested a fair amount of your time looking at firewall port requirements.  I sure did.  And then, after all that time, I still ended up falling back on trial and error, for at least a little bit.  Rather than repeating that process (and to hopefully help others), I’m putting together a quick post with my notes.  This engagement is using vShield and is securing the Security Servers with these rules, preventing both incoming and outgoing traffic (except for what is explicitly allowed).

First, there is an excellent list of general network ports required for VMware products, which is a good place to begin.  There’s a more detailed list of View Network Port Requirements as well, which is an even better place to begin (though, if you’re working with other VMware products, the general list is a good resource to have available).

Unfortunately, as I’ve mentioned, that’s only a good place to begin.  Buried in the View Install Guide (in a place I never managed to find until I was explicitly looking for this particular port), there are a few more network port requirements that are not in that main list.  Namely, you must allow IPsec traffic to flow from the Security Servers to their Connection Servers.  We had to allow UDP 500 from the Security Servers to the Connection Servers (thank goodness for blocked traffic reporting!), as well as ESP protocol traffic.  With that additional traffic allowed, things began working as intended.

I wanted to make one final note about firewalls around View Security Servers.  All of that VMware documentation lists the flows that you need in order for the VMware software to do its work.  You still need everything for Windows to do its work, too, including DNS (TCP/UDP:53), NTP (UDP:123), ICMP and probably a few more.  So make sure that you’ve got time to do some trial and error when you’re configuring your firewall rules, and remember that an application server does more than just run that application!
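As an added illustration (not code from the original post, and not VMware's or vShield's tooling), here is a small Python checker that takes a default-deny allow-list in the spirit of the setup described above and reports which of the flows this post calls out are missing.  The group names (`security-servers`, `connection-servers`, and an assumed `infrastructure` group holding the DNS/NTP servers) and the rule shape are assumptions for the example.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Rule:
    """One explicit allow rule in a default-deny ruleset (constructed shape)."""
    src: str                    # source group, e.g. "security-servers"
    dst: str                    # destination group
    proto: str                  # "tcp", "udp", "icmp" or "esp"
    port: Optional[int] = None  # None for protocols without ports (ICMP, ESP)

    def covers(self, src: str, dst: str, proto: str, port: Optional[int]) -> bool:
        return (self.src == src and self.dst == dst and self.proto == proto
                and (self.port is None or self.port == port))


SEC, CONN, INFRA = "security-servers", "connection-servers", "infrastructure"

# Flows the post had to allow beyond the main VMware port list: IKE (UDP 500)
# and ESP from the Security Servers to their Connection Servers, plus what the
# Windows host itself needs (DNS, NTP, ICMP). INFRA is an assumed group name.
REQUIRED = [
    ("IKE",     SEC, CONN,  "udp",  500),
    ("ESP",     SEC, CONN,  "esp",  None),
    ("DNS/tcp", SEC, INFRA, "tcp",  53),
    ("DNS/udp", SEC, INFRA, "udp",  53),
    ("NTP",     SEC, INFRA, "udp",  123),
    ("ICMP",    SEC, INFRA, "icmp", None),
]


def missing_flows(rules: Iterable[Rule]) -> List[str]:
    """Names of required flows that no allow rule covers (default-deny drops them)."""
    rules = list(rules)
    return [name for name, s, d, p, port in REQUIRED
            if not any(r.covers(s, d, p, port) for r in rules)]


def baseline_rules() -> List[Rule]:
    """Constructed ruleset built only from the main port lists: IPsec is absent."""
    return [Rule(SEC, INFRA, "tcp", 53), Rule(SEC, INFRA, "udp", 53),
            Rule(SEC, INFRA, "udp", 123), Rule(SEC, INFRA, "icmp")]


def corrected_rules() -> List[Rule]:
    """The same set plus the flows found via blocked-traffic reporting."""
    return baseline_rules() + [Rule(SEC, CONN, "udp", 500), Rule(SEC, CONN, "esp")]


if __name__ == "__main__":
    print("baseline missing:", missing_flows(baseline_rules()))   # ['IKE', 'ESP']
    print("corrected missing:", missing_flows(corrected_rules()))  # []
```

Extending REQUIRED with the rest of the View port list turns this into a quick pre-flight check before the trial-and-error phase.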
