Hi,
I would like to back up some VMs in a DMZ cluster, so I have deployed a proxy in the DMZ cluster.
The security guy was not pleased that the proxy server needs an open port to the vCenter (port 443), which is in the non-DMZ network.
He asked if there is a solution which does not require opening an outbound port from within the DMZ.
What are the best practices in this case?
- Enthusiast
- Joined: May 06, 2014 2:28 pm
- Full Name: Tom
Proxy in DMZ design
VMCE certified
- Veeam Software
- Joined: Jul 11, 2011 10:22 am
- Full Name: Alexander Fogelson
Re: Proxy in DMZ design
Tom, you could add the host to the Veeam B&R console directly, instead of adding it via vCenter. In this case a connection to vCenter Server would not be required.
- VP, Product Management
- Joined: Jun 05, 2009 12:57 pm
- Full Name: Tom Sightler
Re: Proxy in DMZ design
From a design perspective, the proxy itself does not need to be in the DMZ at all. Can you tell me a little more about your specific DMZ configuration? Is the ESXi host also "in" the DMZ from a management perspective? In other words, does the management interface for that ESXi host live in the DMZ, or just the VMs?
Typically what I see is that the VMs are given IPs in the DMZ, but the ESXi host itself has its management interface still accessible from the vCenter. In that scenario you can just use a proxy on your production network to back up VMs in the DMZ using network mode. Of course, if you have a firewall between your vCenter and the ESXi host, that might not be ideal from a performance perspective.
Also, there is a very good reason why the proxy requires a connection to vCenter. The VMware VADP API, which is being used by the proxy, requires the session to be authenticated during the backup, so it must contact the vCenter server. If you post some more about your setup we can probably find a solution. In general I do not recommend placing a proxy within the DMZ itself, as that means the traffic is likely to flow across a firewall, which is normally not ideal.