Question : Port Forwarding in VMware Virtual Network Editor

I've got an SBS2003 server that is connected directly to the Internet with a routable IP address, in a one-ethernet-port configuration. The existing firewall does port forwarding from the outside WAN to the routable IP subnet which contains the SBS2003 server.

I virtualized the server, and it now runs under a VMware Server 2 host. Network still the same.

I want to upgrade the server to SBS2008, but in order to do so, I must comply with IP address requirements which are that the server must be a Non-Routable (Private) IP... 192.168...etc

So I assume I can change the virtual network adapter settings to "plug" my SBS2003 server into a NAT'ed network and run its wizard to change IP. That would be fine, except this is a production server and it runs email, remote desktop and a monitoring program that would like to remain functional.

Seems like a can-do, but HOW DO I modify the port forwards to accommodate the new NAT'ed IP subnet? Do I need to whip out Visio to understand this? LOL


Answer : Port Forwarding in VMware Virtual Network Editor

Starting with the easy one: I know of no way to NAT inbound GRE through VMware Server. If that is a requirement, you may need to look at a virtual router such as Vyatta. In that case your new server would reside in a host-only network and all of the NATing would occur in Vyatta.

Are you a single subnet inside your firewall? If so I see no reason to change the world simply to satisfy an IP address requirement for a single server.

That being said - a "best practice" would be to actually have three networks, call them outside, inside, and DMZ. Any traffic allowed from the Internet (outside) should not go directly to the inside network. It should instead go to the DMZ network (that would be your 192.168.x.x network). Any traffic between the DMZ network and the inside network should be limited by firewall rules.

This could be implemented with your NetVanta - from what I have been able to determine it supports three interfaces, WAN, ETH1, and ETH2 of which, from what you have told me, you are only using two.

You should definitely move your setup to a server-class machine with at least two NICs. I would suggest you install the free version of ESXi (rather than VMware Server) on your new server, then configure one of the NICs on your current inside network and the other NIC on the new DMZ network. Then establish all of your NATing and firewall rules for your new DMZ machine. Be sure to get a compliant server for ESXi; VMware has a hardware compatibility list (HCL) on their website that will tell you what is supported.

I know I have presented a plethora of options here - but if you have the funds for a new server, the last option would be what I would recommend.

Hope this helps
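
The outside / DMZ / inside layout recommended in the answer above can be checked against a rule set mechanically. The following Python is an added example, not part of the original answer; the subnets, addresses, rule names and ports are constructed for illustration, and the GRE check reflects only the fact that GRE carries no port numbers for a TCP/UDP port forward to match.

```python
import ipaddress

# Constructed addressing: the page only says the DMZ would be a 192.168.x.x network.
ZONES = {"dmz": ipaddress.ip_network("192.168.50.0/24"),
         "inside": ipaddress.ip_network("10.0.0.0/24")}

def zone_of(addr):
    """Map an address to a zone; anything unlisted counts as outside (Internet)."""
    ip = ipaddress.ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "outside")

def audit(rules):
    """Return (rule_name, problem) pairs for rules that break the three-zone layout."""
    findings = []
    for name, src, dst, proto, port in rules:
        s, d = zone_of(src), zone_of(dst)
        if s == "outside" and d == "inside":
            findings.append((name, "Internet traffic reaches inside directly; land it in the DMZ"))
        if s == "outside" and proto not in ("tcp", "udp"):
            findings.append((name, f"{proto} has no ports; a TCP/UDP port forward cannot carry it"))
        if s == "dmz" and d == "inside" and port is None:
            findings.append((name, "DMZ to inside must be limited to specific ports"))
    return findings

# Constructed rule set: (name, source, destination, protocol, port).
# 203.0.113.7 stands in for any Internet client; ports are common defaults, not from the page.
SAMPLE_RULES = [
    ("smtp-in",  "203.0.113.7",   "192.168.50.10", "tcp", 25),
    ("rdp-in",   "203.0.113.7",   "10.0.0.5",      "tcp", 3389),
    ("gre-in",   "203.0.113.7",   "192.168.50.10", "gre", None),
    ("dmz-any",  "192.168.50.10", "10.0.0.5",      "tcp", None),
    ("dmz-ldap", "192.168.50.10", "10.0.0.5",      "tcp", 389),
]

if __name__ == "__main__":
    for name, problem in audit(SAMPLE_RULES):
        print(f"{name}: {problem}")
```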