Server Management - Systems Insight Manager

Configuration of hpSIM & VMware hosts in a DMZ

 
SOLVED
Chris_N
Occasional Advisor

Configuration of hpSIM & VMware hosts in a DMZ

I am asking for help configuring HP SIM to work with VMware ESX hosts in a DMZ.
We currently have a production environment with over 60 VMware ESX 3.0.2 hosts running HP Management Agent for VMware ESX Server 3.x version 7.8.0. These agents are fully functional and communicate with our HP SIM server without problem.
My current challenge is to configure 12 additional ESX 3.0.2 hosts running version 7.8.0 of the management agent in our DMZs. Per our firewall policies, we are not allowed to open SNMP (udp/161) or SNMPTRAP (udp/162) if other, more secure, options exist for management. According to several pieces of documentation on HP's website, the recommended management protocol is WBEM (tcp/5989). I am unable to find any documentation that states how to configure this for VMware ESX 3.0.2, or if this configuration is even possible. What management protocol options exist for ESX: WBEM, DMI, SNMP, SSH, etc.? Does ESX only support the SNMP management agent? Any help would be appreciated.
3 REPLIES
David Claypool
Honored Contributor
Solution

Re: Configuration of hpSIM & VMware hosts in a DMZ

Managing ProLiant servers with HP SIM currently requires SNMP and there is no other option. Specifically regarding VMware ESX, no CIMOM exists for this target.
Martin Smoral
Trusted Contributor

Re: Configuration of hpSIM & VMware hosts in a DMZ

David, what about connecting the iLO of the DMZ servers to the internal network and using the SNMP passthrough feature of the iLO? I have successfully used this on Windows boxes; then the SIM server on the internal net will get the traps from the servers in the DMZ.
Rob Buxton
Honored Contributor

Re: Configuration of hpSIM & VMware hosts in a DMZ

I thought best practise for VMware ESX Servers was to have the Service Console port on the internal network. This way the service console is better protected.
There are a number of threads on the VMware forums about ESX servers in the DMZ.
Using the approach above, the ESX server doesn't look as though it's in the DMZ.

Your Network guys may raise issues of the server "bridging" the DMZ and Internal networks - but again, if you read some of the threads in the VMware forums, they indicate that this is pretty secure.