We certainly did consider whether we should have a virtual solution for the DMZ at all. However, we came to the conclusion to run a VMware vSphere cluster of two ESX servers, one in each server room.
In our cluster for the LAN we are using HP blade servers; in the DMZ we are using standalone servers.
For easy management we have the service console in our LAN and all other networks in the DMZ, separated by physical network cards.
The networks in the DMZ are separated by VLAN ID.
The only problem is when we have to convert a physical server in the DMZ to a virtual one. Because the service console is connected to the LAN, and we don't want any server from the DMZ to talk on the LAN (it is called DMZ for a reason), the solution is to only use offline conversions of servers in the DMZ: physically go down to the server room, shut down the server, reconnect its network card to a LAN port on the switch and boot it up with the VMware Converter offline CD (coldclone.iso).
The con of that is longer downtime compared to online converting (which works perfectly if you have a fairly static server, such as a web server or an application server); the pro is that it is safer from a security point of view.
However, if you are setting up a similar environment, make sure you are using a gigabit connection to the service console. It takes a very long time to convert a server over a 100 Mbit connection.