cloudstack-users mailing list archives

From Shanker Balan <shanker.ba...@shapeblue.com>
Subject Re: Advanced Networking with CloudStack
Date Mon, 11 Nov 2013 04:44:45 GMT
(moving to the users list as it’s more appropriate for user support queries)

On 09-Nov-2013, at 3:40 pm, Joshua <joshuakoh@gmail.com> wrote:

> Hello guys,
>
> I have a special client request that I'm not quite certain of the most secure
> way to fulfil.
>
> Client wants to host a virtual office environment of Windows VMs on the
> cloud but needs the VMs to be connected to an onsite print/scan/fax. Access
> to all VMs must be available at this same onsite office via thinclients but
> some VMs must also be able to be RDPed in from a remote location.

Doable via default IPSEC VPN support in CloudStack.

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.2.0/html/Installation_Guide/vpn.html

>
> My first instinct would be to install a virtual router with a single static
> IP (maybe 2) but I'm not sure if there will be any negative implications of
> such a setup. Onsite, there would be a VPN compatible router that would
> talk to the virtual router to establish the VPN so that the onsite
> thinclients can connect to the VMs via RDP to their internal IPs. Since the
> printer is plugged into the same VPN router, this would allow all VMs to connect
> to the printer directly.
>

The default virtual router (VR) already supports IPSEC VPN.


> Regarding the issue about external RDP, the virtual router would forward
> specific ports to specific computers. Targets will be identified via the
> port being connected to - i.e. x.x.x.x:11111 redirects to VM1:3389, 22222
> to VM2:3389 etc. I understand that I can modify the listen port on RDP but
> these VMs will be created from template so a common port would be the least
> troublesome.

Once you are on the VPN, each host is directly reachable over the private
guest segment. ACLs can then be used on a per host basis to control
network access to RDP ports.


>
> Alternatively, the virtual router could authenticate the redirections via
> MAC address but I think this would be an administrative nightmare.
>
> So after reading my wall of text, my questions would be:
>
> 1. Any VPN routers that work well with CloudStack?
>
> 2. Can someone point me to some links on how to set up the virtual router
> based on the above requirements?
>
> 3. Do advise if not having a particular static IP for the VPN router (means
> the virtual router would have to listen to traffic from all global traffic)
> would be opening a can of worms.


Certainly possible to implement your requirements in ACS.

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055
