How to connect to iSCSI SAN without compromising security

Hello:

How do we enable server OSes (VMs or physical host computers) to connect to and mount iSCSI LUNs without compromising the security of our ESX hosts?  We have a few Microsoft servers that need to use iSCSI initiators to mount LUNs for MSCS.   We cannot use the ESX initiators because VMware doesn't support iSCSI-backed virtual storage with MSCS.  We have already read all the documentation and spoken with VMware support, so we know that our only option is to use the iSCSI initiators in the Microsoft servers to connect to the LUN.

Our concern is security.  If we let the servers use their iSCSI initiators to connect to the SAN, then won't they also have access to our service consoles and vmkernels via the iSCSI network?  ESX requires that you have a service console port and a vmkernel port on the iSCSI network for each ESX box on which you want to use the ESX initiator.  We struggle to understand how to connect any machine (virtual or physical) to the iSCSI network to mount LUNs without exposing our service consoles and vmkernels.  I know that the best practice is to keep VMs off this network for this exact reason, but of course many organizations also have physical servers (UNIX, Windows) that need to access their iSCSI SAN.  How do people handle this?  How much of a security problem is it?  Is there a way to secure the service console and vmkernel ports while still allowing non-ESX hosts access to the SAN?  I know that many of you are facing this exact situation in your organizations, so please help.  Obviously, it can't be that nobody uses their iSCSI SAN for anything except their ESX hosts.  Thank you very much.

James

Hello

Check out this blog

Use of a firewall is certainly a step in the right direction for that. If you can't have separate iSCSI networks, then you will need to isolate the non-ESX/VCB iSCSI nodes using other mechanisms. I would certainly opt for firewalls, or reduce the redundancy to just 2 network cards per network rather than 4 to a single network.

Does anyone have any other suggestions? Surely many ESX users share their iSCSI SAN with a lot of different systems and operating systems. Thanks again.

They do, but they do not secure their iSCSI networks between their ESX hosts/VMs and their other physical systems. You have asked a very important question, namely how to connect to an iSCSI SAN without compromising security. The options currently are:

  1. Physically isolate

  2. Isolate using firewall

Given that ESX speaks iSCSI in clear text and does not support IPsec for iSCSI, you have very limited options available to you. The firewall you use and the iSCSI load you send through it will determine whether there is added latency. Yes, it is an extra cost, but so is an independent network of switches/ports/etc.

Best regards
Edward L. Haletky
VMware communities user moderator, VMware vExpert 2009
====
Author of the book 'VMware ESX Server in the Enterprise: Planning and Securing Virtualization Servers', Copyright 2008 Pearson Education.
Blue gears and SearchVMware Pro items - top of page links of security virtualization - Security Virtualization Round Table Podcast
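The "isolate using firewall" option from the reply above, as an added example that is not part of the thread: a default-deny policy for one iSCSI subnet shared by ESX hosts, non-ESX initiators (the Windows MSCS nodes) and the SAN target, with a checker for individual flows and a rendering of the same whitelist as iptables rules. All addresses, zone names and the assumption of a Linux filtering device between the segments are constructed for this example.

```python
"""Segmentation policy for a shared iSCSI network (added example; all
addresses and zone names are constructed, not taken from the thread)."""
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ISCSI_PORT = 3260  # assumption: the target listens on the default iSCSI port

# Constructed sample addressing on one shared iSCSI subnet (172.16.50.0/24).
ZONES = {
    "san_target":   [ip_network("172.16.50.10/32")],
    "esx_vmkernel": [ip_network("172.16.50.21/32"), ip_network("172.16.50.22/32")],
    "esx_console":  [ip_network("172.16.50.31/32"), ip_network("172.16.50.32/32")],
    "other_init":   [ip_network("172.16.50.100/30")],   # Windows MSCS nodes
}

# Whitelist of permitted TCP flows: (source zone, destination zone, dst port).
# Anything not listed is denied, so the non-ESX initiators can reach the SAN
# target but never the ESX service console or vmkernel addresses, even though
# all of them sit on the same wire.
ALLOWED_FLOWS = {
    ("esx_vmkernel", "san_target", ISCSI_PORT),
    ("other_init",   "san_target", ISCSI_PORT),
}

Flow = Tuple[str, str, int]


def zone_of(addr: str) -> Optional[str]:
    """Return the zone containing addr, or None if the address is unknown."""
    ip = ip_address(addr)
    for zone, nets in ZONES.items():
        if any(ip in net for net in nets):
            return zone
    return None


def is_allowed(src: str, dst: str, port: int) -> bool:
    """Default-deny check: True only for whitelisted zone-to-zone flows."""
    return (zone_of(src), zone_of(dst), port) in ALLOWED_FLOWS


def audit(flows: List[Flow]) -> List[Flow]:
    """Return the flows (src, dst, port) that the policy would deny."""
    return [f for f in flows if not is_allowed(*f)]


def iptables_rules(chain: str = "FORWARD") -> List[str]:
    """Render the whitelist as iptables rules for a filtering device between
    the segments (assumption: Linux firewall, default DROP on the chain)."""
    rules = [f"iptables -P {chain} DROP",
             f"iptables -A {chain} -m state --state ESTABLISHED,RELATED -j ACCEPT"]
    for src_zone, dst_zone, port in sorted(ALLOWED_FLOWS):
        for src in ZONES[src_zone]:
            for dst in ZONES[dst_zone]:
                rules.append(f"iptables -A {chain} -p tcp -s {src} -d {dst} "
                             f"--dport {port} -m state --state NEW -j ACCEPT")
    return rules


if __name__ == "__main__":
    sample = [("172.16.50.100", "172.16.50.10", ISCSI_PORT),  # MSCS node -> SAN
              ("172.16.50.100", "172.16.50.21", ISCSI_PORT),  # MSCS node -> vmkernel
              ("172.16.50.100", "172.16.50.31", 22),          # MSCS node -> console
              ("172.16.50.21",  "172.16.50.10", ISCSI_PORT)]  # vmkernel -> SAN
    for flow in sample:
        print(flow, "ALLOW" if is_allowed(*flow) else "DENY")
    print("\n".join(iptables_rules()))
```

The rules only enforce who may open connections; as the reply notes, the iSCSI payload itself still crosses the firewall in clear text.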

Tags: VMware

Similar Questions

  • How to safely reconnect an iSCSI SAN connection after a fresh ESXi 4u1 reinstall on USB?

    Hi all

    Can anyone here guide me on how to add the existing iSCSI SAN connection to the current ESXi 4 host?

    I think exporting the existing ESXi profile using vMA won't do much, because the version number is different, so the ESXi profile export is useless.

    Note: during the installation of ESXi 4u1 I unplugged the host's LAN cable.

    Thank you.

    Kind regards

    AWT

    Is the host access on the MD3000i configured?

    Because the host will have a different IQN, you must reconfigure the access.

    André

  • How to connect VMware to SAN

    Hello

    I have configured a SAN with RAID 10 and 3 volumes of 1 TB each. I have 3 Dell servers that I want to connect to the SAN. I have a Dell SAN and a Dell PowerConnect switch. To connect my ESXi machines to the SAN, do I have to master both iSCSI and VMware traffic?

    Any help would be appreciated

    SAN F/C controller - need to set up a FABRIC group

    ===================================================================

    DELL SERVER A (ESX) with F/C HBA card port 1 connects to DELL SAN F/C SWITCH port 1

    DELL SERVER B (ESX) with F/C HBA card port 1 connects to DELL SAN F/C SWITCH port 2

    DELL SERVER C (ESX) with F/C HBA card port 1 connects to DELL SAN F/C SWITCH port 3

    DELL SAN F/C STORAGE port 1 connected to DELL SAN F/C SWITCH port 7

    Read/write of data via SAN F/C

    Ethernet LAN controller - (optional) to set up the VLAN group

    ===================================================================

    DELL SERVER A (ESX) with Ethernet NIC card port 1 connects to DELL LAN SWITCH Ethernet port 1

    DELL SERVER B (ESX) with Ethernet NIC card port 1 connects to DELL LAN SWITCH Ethernet port 2

    DELL SERVER C (ESX) with Ethernet NIC card port 1 connects to DELL LAN SWITCH Ethernet port 3

    DELL SAN STORAGE NETWORK port 1 connected to DELL LAN SWITCH Ethernet port 7

    Management of the system through the Ethernet LAN

    Additional vCenter Server to configure all ESX hosts

    Trunking is not necessary.

  • How to connect to another user without password account, with the administrator account in Vista?

    My son logs on to FB, then goes to bed and does not sign off. I log in and the machine is really slow. I am the administrator in Windows Vista. Can I log him off without his password?

    * original title - how can I, as an administrator, log off my son, another user of my computer? I can get his password, but is there a switch so I can just cut him off, so my machine is not so slow? *

    Hello

    Unfortunately, we are unable to log off another user's account without the password.

    However, you can restart the computer, which would log off the other accounts.

  • How to connect to windows 8 without a windows account?

    I have been able to help a few people with their Win8 configuration and have had TO create a Windows LIVE account for the respective users.  How can Win8 users take total possession of their computer without having to create a LIVE account?

    Although the above post is great, especially if you want to create a new 'local' account, in my view it is not the best answer to your question.

    Let's start at the first installation. On several computers, the default option says to create an account, called a Microsoft account. When you are on this screen, near the bottom, there is an option that allows you to create an account without a Microsoft account. After pressing this option, the next screen will give you two choices: create a Microsoft account and use it, or create a local account. The option you are looking for is to create a local account. A local account is not linked to anything and it's like an account on any previous version of Windows.
    Now, if you already have a Microsoft account created, you can simply switch to a local account.
    Here's how.
    1) Pull up the charms menu by moving your cursor over one of the right-hand corners. The cursor must be completely in the corner and won't be visible. Or, the easiest way is to press the Windows key and the C key at the same time.
    2) Select the Settings option.
    3) Now click on the text at the bottom that says "Change PC settings."
    4) On the screen that appears, select Users in the left part. By default, the user you are connected as is displayed.  A bit above, you will see the option that says "Switch to a local account."
    5) Follow the instructions that pop up. Once you have done the above, your account is now a normal Windows account.
    There are advantages to having a Microsoft account, but I know how frustrating it can be to go through the long process of creating a Windows account when you simply want to log on and play with the new computer.
    PM me or post back if there is something that is not clear.
    I hope this helps.
  • How to connect an Oracle database without using input TNS

    Hello

    I need to connect from my PC to the Oracle database server without using a TNS entry. How do I do this?

    Kind regards

    007

    Easy Connect: CONNECT username/password@[//]host[:port][/service_name]

  • W530: How to connect 4 external screens without USB DOC

    I want to connect multi monitors without USB - DOC.

    Is this OK as follows?

    1. Change the connector type from Mini DisplayPort to DisplayPort.

    2. Connect a "DisplayPort to dual DisplayPort adapter".

    3. At each port, connect another "DisplayPort to dual DisplayPort adapter"...

    Please tell me the solution.

    Thank you.

    This configuration will not work.

    You need a Series 3 workstation dock with 2 sets of DP ports.

    You need a DP splitter for each of the DP ports on the dock.

  • How to connect Jabber to MeetingPlace without HTTPS

    Hello

    I have Jabber for Windows v11.7.0 build 42920 in phone mode connected to CUCM v10.5.2.13901-2. The UC services on CUCM are created for ICT, directory and MeetingPlace. For the MeetingPlace service, the selected protocol is HTTP and port 80.

    However, in the Jabber client, the connection state for meetings is: 'the last connection was unsuccessful'. The address is correct (as configured in the UC services), but it shows HTTPS rather than the HTTP protocol configured. In a traffic capture from my PC to the MeetingPlace server, I see HTTPS only, but HTTPS is not enabled on MeetingPlace, so this does not work. Why is Jabber ignoring the protocol and port settings in the UC services on CUCM?

    Is this a bug in Jabber or CUCM... or it could be another problem somewhere?

    Thank you

    S.

    This is because Jabber only supports Cisco WebEx meeting servers. It will not support another meeting server in its place even if it is listed in the Service profile. Check the release notes link below, which refers to the list of on-premises servers supported by Jabber.

    http://www.Cisco.com/c/en/us/TD/docs/voice_ip_comm/Jabber/Windows/11_7/j...

    Earlier versions of Jabber have the same behavior.

    I hope this helps.

  • How to connect to the computer without the administrator password?

    Original title: I'm locked out of my laptop computer, Windows 7. It requests a password or a reset disk.

    I have a recovery disk and it does not work, and I am locked out, and I tried the StickyKeys function and that no longer works.

    There are a lot of options built into Windows to help you out of this situation:
    • Restart the computer with your Windows repair CD, then use System Restore to set Windows back a few days (only works if you have recently changed the password).
    • Log on to your spare admin account, and then reset the password for your existing account (works only if you set up an alternative admin account).
    • Log in as Administrator in safe mode, then reset the password for your existing account (the password is usually empty).
    • Insert your USB flash drive with the password key file (only works if you have taken the time to create a key file and if it is current).
    • Use the password hint (works only if you have created a hint and if it's good enough to allow you to guess the password).
    • Check your paper files (works only if you jotted down the password somewhere).
    The Sticky Keys feature is an accessibility aid for persons with disabilities. You cannot use it to reset a password. If you could, what purpose would there be in having a password?
  • How to connect to the computer without administrator privileges?

    Original title: question administrator

    I don't have admin rights even though I'm the only one using the machine. I accidentally deleted the Administrator profiles I created, and the default admin was left disabled, and I don't remember giving it a password.

    I can't elevate any application or change the permissions of my profile.
    When I try, I get the UAC window with the "Yes" button grayed out.
    When I go to Computer Management > Local Users and Groups to change the properties of the profiles, I get 'access denied'.

    I tried running the system in safe mode but still can't find a way to get elevation or change my authorization to administrator.
    When I get to safe mode, the Admin profile appears on the list, but when I click it, the system restarts.
    Does it matter that all the services in services.msc have their property buttons grayed out? Is something wrong with the services?

    I accidentally deleted the Administrator profile

    Deleting the one and only administrator account is equivalent to throwing away the one and only key to your safe. Here's how you can recover from this error:

    1. Set your BIOS so that it uses the DVD drive as its primary boot device.
    2. Start the computer with your Windows 7 repair CD.
    3. Press a key when prompted to boot from the DVD.
    4. Select 'Repair your computer' from the menu.
    5. Select 'Repair' when prompted.
    6. When you are prompted, select System Restore.
    7. Restore Windows to a point before you removed your admin account.
    8. Plan ahead a little and create, test and document an alternative admin account, just as you keep a spare emergency house key. This will save you a lot of trouble.
  • How to connect to the database without sqlclient soa

    Hi all

    I have a very simple question.

    I need to write a shell script to get some stats for BPEL instances from the database as part of the daily health check.

    The problem is that in our Unix server environment, no database client is installed.

    Is an SQL client present as part of the SOA installation that we can use to create the connection to the database? Or is there any other way to access the database from the shell?

    Thanks in advance,

    Bob

    Hi Bob,

    Most of the components in the FMW stack, including the SOA infrastructure, rely on pure JDBC to talk to the RDBMS, and as far as I know there is no Oracle client installed in the FMW home (after installing SOA Suite).

    One possibility would be to use the Oracle Instant Client and use its tools from your shell scripts. It's a matter of unzip and run; no setup.

    HTH,

    A.

  • How to recover my hotmail password without answering security question?

    I am trying to retrieve my password using the email sent to me by Microsoft; it said in the mail that I have 4 options to recover the password. I followed the steps and it brings me to only two options. 1. To get it from an alternate email, which is inconvenient, because I need to create one and it does not allow me to change the alternate email "set" before the question. 2. To choose customer support, which never worked and brings me to "try again later" because the site is not ready. I'm looking forward to option 3, which is to retrieve it via the mobile phone number, but this option is not displayed during the process. Any help please?

    Basically - if you did not configure the options (alternative email, mobile phone number, etc.) before you lost access to your account in any way - you just can't use them.  You had to put those in place while you were able to use your account fully - well before you ever had any problems.

    You pretty much have the customer service at this point - and - as you begin to realize... you got what you paid for.  ;-)

    Just putting it as it is.  Coming to you from the peer-to-peer point of view - a lot of this could have been avoided on your part, and it is now, because certain things were not done - a PITA concern.

    * aside *

    As far as it being inconvenient to create an alternative email - many people *say* that, but I have a few comments on that.

    - Usually the ISP you use first (dial-up, cable modem, ADSL, satellite, wireless, etc.) not only *gives* you an email address - but probably gives you the ability to create multiple accounts.  Free (well, in the context of the fact that you pay for your Internet service.)  What is great about these?  You set them up and use them as alternative email addresses for other services so that you can recover your password.  Because you PAY for the Internet service (and therefore the email addresses) - getting the password reset for that account is usually a phone call away - so if you forgot your alternative email address password because you rarely use it - not a big deal.

    Second - simply put - is everything so annoying as what you are going through now?

    Last thought on this... You have a free e-mail account - it is not difficult to create a pair of them and use each as the alternative for the other and vice versa.  I recommend that they be on different services (Hotmail, Gmail, Yahoo, etc.) - but this way - you have what you need.  Treat one as the REAL alternative and the other as a main line.  The true alternative could also be the email that you use to register for craptastic deals and the like - then all such mail goes to it instead of your main account.

    When you get back into your email - do the wise thing - get this second e-mail configured (heck - I have 6 email addresses I always use) and configure all the backup plans you can - alternative emails (yes - you can use several), mobile numbers, security questions, and everything that is offered.  This is a free service - so it's self-service or lose.  :-)

  • SSXA: How it connects to Content Server as a sysadmin without password?

    Hello world

    We use SSXA 11.1.1.5. The documentation says that the SSXA engine accesses the content server internally as an admin user:
    the adminUser userId is used to extract the data from the content server and store it in the Site Studio for External Applications cache.
    With a little investigation, we found that the admin user is configured in the configuration file wcm-config.xml:
    <contentServer connectionName="MyPortal" adminUser="sysadmin"/>
    However, we are confused because no password is necessary. (In fact, the XML <contentServer> element has an attribute called "adminPassword", but it does not matter what we put in it - the SSXA engine continues to run. The user interface does not include a password field either, which makes us think that this attribute is deprecated.)

    Could someone explain to me how SSXA connects to the content server without a password? If it uses some special API that does not require a password, isn't that a security breach?

    Thank you
    Dimitar

    It uses the Remote Intradoc Client (RIDC). http://download.Oracle.com/docs/CD/E14571_01/doc.1111/e16819/toc.htm

    It is not a security hole because there is a UCM configuration parameter called SocketHostAddressSecurityFilter that determines which network addresses are allowed to use RIDC.

    Jonathan
    http://redstonecontentsolutions.com
    http://corecontentonly.com

  • Cannot migrate VM on iSCSI SAN. Fails at 10%. Can vmkping all addresses

    Hello everyone

    Unable to migrate virtual machines on the iSCSI SAN. It fails at 10%. I can vmkping all addresses.

    I recently installed a new VM configuration and I am experiencing the above. My configuration is:

    2 HP DL380 with 1 CPU, 16 GB of RAM and 500 GB shared space on an iSCSI SAN.

    The network is set up as follows:

    Each host has 6 network ports that are load balanced and fault tolerant across 3 vSwitches. vSwitch0 goes to 2 ports on a shared Cisco 4510. On this switch, I use VLAN tagging for different servers that perform different functions. It works fine, i.e. VLAN 5 is for management, VLAN 31 is for secure servers, VLAN 37 is for internal web servers.

    vSwitch1 is a vmkernel port for the iSCSI SAN connection. It is set to VLAN 200 on the switch, with VLAN tagging applied accordingly. We have separated our SAN network from our usual networks.

    vSwitch2 is used for backup purposes and is used in a similar manner to vSwitch0: the ports are trunked and the backup services are VLAN tagged to go to the correct servers.

    I am able to ping between the allowed VLANs. I can also vmkping all the IP addresses of the two hosts and the SAN.

    What I can't do is live migrate guests between the hosts. It always fails at 10% with the following error:

    Migrate virtual machine iws3xx-pop1.mns.tlg.private: A general error has occurred: the VMotion failed because the ESX hosts were not able to connect over the VMotion network.  Please check your physical network configuration and VMotion network settings.

    I looked in the vmkernel log and I get the following text:

    9 Oct 15:05:38 esxn1-pop1 vmkernel: <7>fn_scroll_back not implemented <7>fn_scroll_back not implemented <7>fn_scroll_back not implemented <7>fn_scroll_back not implemented 7:05:04:55.236 cpu2:6534) Migrate: vm 6535:2094: info setting VMOTION: ts = 1255097135856641 Source, src ip = <172.31.207.21>

    9 Oct 15:05:38 esxn1-pop1 vmkernel: dest ip = <172.31.207.22> Dest wid = 6447 using SHARED swap

    9 Oct 15:05:38 esxn1-pop1 vmkernel: 7:05:04:55.236 cpu2:6534) Tcpip_Vmk: 1107: affining world 6899 172.31.207.21, success

    9 Oct 15:05:38 esxn1-pop1 vmkernel: 7:05:04:55.236 cpu2:6534) VMotion: 1807: 1255097135856641 S: Set ip address '172.31.207.21' worldlet affinity to send world ID 6899

    9 Oct 15:06:53 esxn1-pop1 vmkernel: 7:05:06:10.234 cpu3:6899) WARNING: MigrateNet: 668: 1255097135856641 S: Connect to <172.31.207.22>:8000 failed: timeout

    9 Oct 15:06:53 esxn1-pop1 vmkernel: 7:05:06:10.234 cpu3:6899) WARNING: Migrate: 295: 1255097135856641 S: Failed: The ESX hosts failed to connect over the VMotion network (0xbad010d) @0x0

    9 Oct 15:06:53 esxn1-pop1 vmkernel: 7:05:06:10.245 cpu1:6538) WARNING: Migrate: 3267: 1255097135856641 S: Migration considered a failure by the VMX.  It is probably a timeout, but check the VMX log for the actual error.

    The vmx log says:

    16:07:38.856 Oct 09: vmx | msg.checkpoint.migration.nodata: The VMotion failed because the destination ESX host did not receive all of the data from the source ESX host over the VMotion network.  Please check your VMotion network settings and physical network configuration and ensure that they are correct.

    Can anyone help with this please

    No, iSCSI traffic will only work if the vmkernel and the service console are on the same vSwitch, and maybe on the same VLAN, depending on how your VLANs are set up.

  • How to connect to the database

    Hi all

    I use LabSQL (and am quite new to it) and MySQL Server 5.1. I wanted to know how to connect to the database without manually changing the DSN name in Administrative Tools/ODBC with the 5.1 driver. I want to install the exe on several PCs and it would be a great help if I could make the connection directly from my VI.

    I went through several forums and came to know that 'Provider=ProviderName;Data Source=DatabaseSource;Initial Catalog=DatabaseName;User ID=username;Password=password' should solve the problem. But in my case I'm still confused. The connection string above does not sit well with me.

    Can someone help me please.

    Have a look here, where I have a picture showing how to form a string constant to connect to the database. Some subsequent posts in that thread should also be useful.

    Good luck!

    Ian
