I have a situation with the following setup:
ESX host: ESX1. VMware guest OSes: box1, box2, box3, box4.
There is a special VPN connected to box1 and box3.
All of the guest OSes have full access to the rest of the network.
My aim is to have two groups:
box1 and box3 in one group, box2 and box4 in another group.
These should only have access to their own group and the VPN that comes into box1/2. They should not be able to see the rest of the network.
Due to some port and VM issues, is there a way I can do this from the guest OSes, using an internal firewall or IPsec etc.?
The aim is to have a duplicate AD environment from our real network, set up on box3 and box4. It needs to be a duplicate and co-exist, as this is dev for some interfaces from other systems that I cannot pipe off to a dev environment.
A bit of a strange request, but I am hoping someone can poke me in the right direction.
Thanks
Think about how you would do this physically - you have a separate physical network with your test servers on, with its own DC on that network. If you needed any kind of communication with your live system, you'd use a firewall/router connected to both networks to control exactly what packets are allowed to pass between the networks.
You can do this in VMware ESX by creating a new vSwitch for your dev environment. You could create a dedicated firewall VM running something like m0n0wall, and connect that to both the dev vSwitch and your production vSwitch.
You want to be very careful about letting the DC on the dev system in particular talk to the production network! Set up your firewall rules before connecting the firewall/router to the production network.
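The answer's three steps (isolated vSwitch, a firewall VM bridging it to production, rules in place before the production side is attached) as a script. This is an added example and not code from the original post; it assumes the ESXi host shell (esxcli) for the vSwitch part and a Linux firewall VM running iptables in place of m0n0wall for the rule part. The vSwitch and port group names and the dev, production and VPN subnets are constructed placeholders. Nothing is applied unless the script is invoked with "apply"; by default it prints the commands it would run so the plan can be reviewed first.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: esxcli on the ESXi host for the
# vSwitch step; a Linux firewall VM with iptables (standing in for m0n0wall) that has one vNIC
# on the production vSwitch and one on the dev vSwitch. All names and subnets below are
# constructed placeholders.

DEV_VSWITCH="vSwitchDev"        # placeholder vSwitch name
DEV_PG="DevNet"                 # placeholder port group on that vSwitch
PROD_NET="10.0.0.0/8"           # placeholder production address space
DEV_NET="192.168.50.0/24"       # placeholder dev (box3/box4 side) subnet
VPN_NET="172.16.0.0/24"         # placeholder range the VPN peer uses

# Safe by default: only "apply" executes; anything else just prints the plan.
DRY_RUN="${DRY_RUN:-1}"

# Execute a command, or echo it when the tool is absent or DRY_RUN is set.
run() {
    if [ -z "$DRY_RUN" ] && command -v "$1" >/dev/null 2>&1; then
        "$@"
    else
        echo "$*"
    fi
}

# Step 1: the dev vSwitch. No physical uplink is added (no "uplink add" call), so VMs
# attached to its port group can reach only each other and the firewall VM's second vNIC.
create_group_vswitch() {
    vswitch="$1"
    portgroup="$2"
    run esxcli network vswitch standard add --vswitch-name="$vswitch"
    run esxcli network vswitch standard portgroup add \
        --vswitch-name="$vswitch" --portgroup-name="$portgroup"
}

# Step 2: firewall rules on the bridging VM. Default-deny forwarding, then allow only the
# dev<->VPN traffic the question needs; everything dev<->production is logged and dropped,
# which also gives a detection point if the dev DC starts reaching for production.
firewall_rules() {
    run iptables -P FORWARD DROP
    run iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    run iptables -A FORWARD -s "$DEV_NET" -d "$VPN_NET" -j ACCEPT
    run iptables -A FORWARD -s "$VPN_NET" -d "$DEV_NET" -j ACCEPT
    run iptables -A FORWARD -s "$DEV_NET" -d "$PROD_NET" -j LOG --log-prefix "dev->prod blocked: "
    run iptables -A FORWARD -s "$PROD_NET" -d "$DEV_NET" -j LOG --log-prefix "prod->dev blocked: "
    run iptables -A FORWARD -s "$DEV_NET" -d "$PROD_NET" -j DROP
    run iptables -A FORWARD -s "$PROD_NET" -d "$DEV_NET" -j DROP
}

# Count ACCEPT rules in a generated plan; a review check that the allow list stayed small.
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Step 3 (ordering matters): create the vSwitch and load the rules first; only then move
# box3/box4's vNICs to $DEV_PG and attach the firewall VM's second vNIC to the production
# port group. That last attachment is done in the vSphere client and is not scripted here.
case "${1:-plan}" in
    apply) DRY_RUN="" ;;
    plan)  DRY_RUN=1 ;;
esac
if [ "${1:-}" = "apply" ] || [ "${1:-}" = "plan" ]; then
    create_group_vswitch "$DEV_VSWITCH" "$DEV_PG"
    firewall_rules
fi
```

Run it as `sh isolate-dev.sh plan` on a workstation to read the commands, then `sh isolate-dev.sh apply` on the ESXi host for the vSwitch step and on the firewall VM for the iptables step (each side simply echoes the commands whose tool it lacks). The second group (box2/box4) gets the same treatment with a second vSwitch and port group via `create_group_vswitch`.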