Posted to dev@cloudstack.apache.org by Joshua <jo...@gmail.com> on 2013/11/09 11:10:31 UTC

Advanced Networking with CloudStack

Hello guys,

I have a special client request that I'm not quite certain the most secure
way to fulfil.

Client wants to host a virtual office environment of Windows VMs on the
cloud but needs the VMs to be connected to an onsite print/scan/fax. Access
to all VMs must be available at this same onsite office via thin clients but
some VMs must also be able to be RDPed in from a remote location.

My first instinct would be to install a virtual router with a single static
IP (maybe 2) but I'm not sure if there will be any negative implications of
such a setup. Onsite, there would be a VPN compatible router that would
talk to the virtual router to establish the VPN so that the onsite
thin clients can connect to the VMs via RDP to their internal IPs. Since the
printer is plugged into the same VPN router, this would allow all VMs to connect
to the printer directly.

Regarding the issue about external RDP, the virtual router would forward
specific ports to specific computers. Targets will be identified via the
port being connected to - i.e. x.x.x.x:11111 redirects to VM1:3389, 22222
to VM2:3389 etc. I understand that I can modify the listen port on RDP but
these VMs will be created from template so a common port would be the least
troublesome.

Alternatively, the virtual router could authenticate the redirections via
MAC address but I think this would be an administrative nightmare.

So after reading my wall of text, my questions would be:

1. Any VPN routers that work well with CloudStack?

2. Can someone point me to some links on how to setup the virtual router
based on the above requirements?

3. Do advise if not having a particular static IP for the VPN router (meaning
the virtual router would have to listen to traffic from all global sources)
would be opening a can of worms.

Thank you in advance.

Regards,
Joshua

Re: Advanced Networking with CloudStack

Posted by Shanker Balan <sh...@shapeblue.com>.
(moving to the users list as it’s more appropriate for user support queries)

On 09-Nov-2013, at 3:40 pm, Joshua <jo...@gmail.com> wrote:

> Hello guys,
>
> I have a special client request that I'm not quite certain the most secure
> way to fulfil.
>
> Client wants to host a virtual office environment of Windows VMs on the
> cloud but needs the VMs to be connected to an onsite print/scan/fax. Access
> to all VMs must be available at this same onsite office via thin clients but
> some VMs must also be able to be RDPed in from a remote location.

Doable via default IPSEC VPN support in CloudStack.

http://cloudstack.apache.org/docs/en-US/Apache_CloudStack/4.2.0/html/Installation_Guide/vpn.html

>
> My first instinct would be to install a virtual router with a single static
> IP (maybe 2) but I'm not sure if there will be any negative implications of
> such a setup. Onsite, there would be a VPN compatible router that would
> talk to the virtual router to establish the VPN so that the onsite
> thin clients can connect to the VMs via RDP to their internal IPs. Since the
> printer is plugged into the same VPN router, this would allow all VMs to connect
> to the printer directly.
>

The default virtual router (VR) already supports IPSEC VPN.


> Regarding the issue about external RDP, the virtual router would forward
> specific ports to specific computers. Targets will be identified via the
> port being connected to - i.e. x.x.x.x:11111 redirects to VM1:3389, 22222
> to VM2:3389 etc. I understand that I can modify the listen port on RDP but
> these VMs will be created from template so a common port would be the least
> troublesome.

Once you are on the VPN, each host is directly reachable over the private
guest segment. ACLs can then be used on a per host basis to control
network access to RDP ports.


>
> Alternatively, the virtual router could authenticate the redirections via
> MAC address but I think this would be an administrative nightmare.
>
> So after reading my wall of text, my questions would be:
>
> 1. Any VPN routers that work well with CloudStack?
>
> 2. Can someone point me to some links on how to setup the virtual router
> based on the above requirements?
>
> 3. Do advise if not having a particular static IP for the VPN router (meaning
> the virtual router would have to listen to traffic from all global sources)
> would be opening a can of worms.


Certainly possible to implement your requirements in ACS.

--
@shankerbalan

M: +91 98860 60539 | O: +91 (80) 67935867
shanker.balan@shapeblue.com | www.shapeblue.com | Twitter:@shapeblue
ShapeBlue Services India LLP, 22nd floor, Unit 2201A, World Trade Centre, Bangalore - 560 055

CloudStack Bootcamp Training on 27/28 November, Bangalore
http://www.shapeblue.com/cloudstack-training/




This email and any attachments to it may be confidential and are intended solely for the use of the individual to whom it is addressed. Any views or opinions expressed are solely those of the author and do not necessarily represent those of Shape Blue Ltd or related companies. If you are not the intended recipient of this email, you must neither take any action based upon its contents, nor copy or show it to anyone. Please contact the sender if you believe you have received this email in error. Shape Blue Ltd is a company incorporated in England & Wales. ShapeBlue Services India LLP is a company incorporated in India and is operated under license from Shape Blue Ltd. Shape Blue Brasil Consultoria Ltda is a company incorporated in Brasil and is operated under license from Shape Blue Ltd. ShapeBlue is a registered trademark.
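The two access designs discussed in this exchange, Joshua's one-external-port-per-VM forwards on the public IP and Shanker's VPN plus per-host ACLs on the guest segment, can be compared side by side with a small first-match rule evaluator. The block below is an added example, not code from the thread or from CloudStack; the evaluator is a stand-in for whatever the VR actually enforces, and every address, port and rule comment in it is a constructed value. It also includes the audit a practitioner would want: which allow rules let any Internet source reach RDP, which is exactly what question 3 (no fixed source address for the remote peer) turns on.

```python
"""Added example: model the thread's two RDP-access designs as stateless
first-match ACLs and audit them for world-reachable RDP.
Not CloudStack code; all addresses, ports and comments are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

IPv4Net = ipaddress.IPv4Network
RDP = 3389
ANY = ipaddress.ip_network("0.0.0.0/0")


def net(cidr: str) -> IPv4Net:
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "deny"
    src: IPv4Net                         # permitted source range
    dst: IPv4Net                         # destination range (public IP or guest host)
    port_lo: int                         # TCP destination port range, inclusive
    port_hi: int
    target: Optional[Tuple[str, int]] = None   # (internal_ip, internal_port) for a DNAT forward
    comment: str = ""

    def matches(self, src_ip, dst_ip, port: int) -> bool:
        return (src_ip in self.src and dst_ip in self.dst
                and self.port_lo <= port <= self.port_hi)


def evaluate(rules: List[Rule], src: str, dst: str, port: int,
             default: str = "deny") -> Tuple[str, str]:
    """First matching rule wins. Returns (verdict, endpoint actually reached);
    for a DNAT forward the endpoint is the internal VM:port, not the public one."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if r.matches(s, d, port):
            reached = f"{r.target[0]}:{r.target[1]}" if r.target else f"{dst}:{port}"
            return r.action, reached
    return default, f"{dst}:{port}"


def world_reachable_rdp(rules: List[Rule]) -> List[str]:
    """Comments of allow rules whose source is 0.0.0.0/0 and which land on RDP,
    either directly or through a DNAT forward whose internal port is 3389."""
    flagged = []
    for r in rules:
        if r.action != "allow" or r.src.prefixlen != 0:
            continue
        lands_on_rdp = (r.target[1] == RDP) if r.target else (r.port_lo <= RDP <= r.port_hi)
        if lands_on_rdp:
            flagged.append(r.comment)
    return flagged


# Constructed topology
OFFICE_LAN = net("192.168.10.0/24")     # on-site thin clients and printer, behind the IPsec peer
GUEST_NET = net("10.1.1.0/24")          # CloudStack guest segment
PUBLIC_IP = "203.0.113.10"              # VR public IP (TEST-NET-3 documentation range)
REMOTE_WORKER = net("198.51.100.0/28")  # a remote site with a known address range
VM1, VM2, PRINTER = "10.1.1.11", "10.1.1.12", "192.168.10.50"

# Design A (the reply): arrive over the VPN, then per-host ACLs; default deny.
ACL_VPN = [
    Rule("allow", OFFICE_LAN, net(VM1 + "/32"), RDP, RDP, comment="office -> VM1 RDP"),
    Rule("allow", OFFICE_LAN, net(VM2 + "/32"), RDP, RDP, comment="office -> VM2 RDP"),
    Rule("allow", GUEST_NET, net(PRINTER + "/32"), 9100, 9100, comment="VMs -> printer raw port"),
]

# Design B (the original plan): distinct external ports forwarded to each VM's 3389,
# open to any source because the remote peer has no fixed address.
PORT_FORWARDS = [
    Rule("allow", ANY, net(PUBLIC_IP + "/32"), 11111, 11111, (VM1, RDP), "11111 -> VM1:3389"),
    Rule("allow", ANY, net(PUBLIC_IP + "/32"), 22222, 22222, (VM2, RDP), "22222 -> VM2:3389"),
]

# Design B with the forwards limited to a known remote source range.
PORT_FORWARDS_RESTRICTED = [
    Rule("allow", REMOTE_WORKER, net(PUBLIC_IP + "/32"), 11111, 11111, (VM1, RDP), "11111 -> VM1:3389"),
    Rule("allow", REMOTE_WORKER, net(PUBLIC_IP + "/32"), 22222, 22222, (VM2, RDP), "22222 -> VM2:3389"),
]

if __name__ == "__main__":
    print(evaluate(ACL_VPN, "192.168.10.25", VM1, RDP))           # office thin client: allowed
    print(evaluate(ACL_VPN, "198.51.100.7", VM1, RDP))            # not over the VPN: denied
    print(evaluate(PORT_FORWARDS, "198.51.100.7", PUBLIC_IP, 11111))   # lands on VM1:3389
    for name, rules in (("ACL_VPN", ACL_VPN), ("PORT_FORWARDS", PORT_FORWARDS),
                        ("PORT_FORWARDS_RESTRICTED", PORT_FORWARDS_RESTRICTED)):
        print(name, "world-reachable RDP:", world_reachable_rdp(rules))
```

The audit makes the trade-off explicit: moving RDP to a non-standard external port changes nothing about what the forward reaches, so the 0.0.0.0/0 forwards are flagged while the VPN-only ACL set and the source-restricted forwards are not. Whichever model is deployed, the per-host rules on the guest segment are what keep the printer path (VMs to 9100) separate from the RDP path.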
