How To Configure vCloud Edge Gateway Protocols

First, I want to say that I have had a lot of fun digging back into the Software Defined Datacenter (SDDC). If you have not been able to tell, I dove back in feet first with my recent vCloud Director Hybrid Cloud Case Study, which I will also be presenting on the vBrown Bag this week. Something I discussed in the process but glossed over quickly was that I discovered you can actually configure the vShield Edge Gateway for non-standard IP protocols using the vCloud UI. I even talked to a customer about this and they did not know it was possible. I stumbled on it through a blind test, so let me explain.

Firewall Rule Protocols Example:

In the View PCoIP on vCloud Director post the other day I had this screenshot of the firewall rules.

[Screenshot: View_firewall]

I pointed out that there is a protocol listed called ESP that is NOT in the standard list of protocols; it appears at the very end of the list. You can see the default protocols listed below:

[Screenshot: vCloud_protocols]

VMware View Requirement:

The reason I was messing with this is that the new VMware View 5.1 Security Server to Connection Server link is secured with IPsec. I had all the other things open per the documentation except something known as “IP Protocol 50 – ESP”. When the rule was ANY-ANY it worked, but I could not for the life of me figure out how to add a new protocol rule. Then it occurred to me that in the “Source” and “Destination” port fields we can type anything we want, so why not give it a try here.

I did a little digging and found this VERY useful listing of the IP Protocol Numbers and names, which gave me both the IP protocol number and the name for ESP. So I took a shot in the dark and entered “ESP” in the field, and lo and behold... it worked! I have not tested using the IP protocol numbers yet, but I suspect that may work too.

As best I can tell I’m not sure if this is “well” documented in the vCloud Director guides, but now I keep that IP Protocol link handy, and I know I can add BOTH custom ports and protocols to my vCloud Director Edge Gateway firewall rules. I always knew the port numbers could be typed in. I’m not sure if I was the only one who did not know the Protocol field worked the same way, but I certainly did not find any information to that effect after searching for a few hours. I hope this helps others leverage the new 5.1 vCloud Director Edge Gateway Services.
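The point of the post is that an Edge Gateway firewall rule matches on the IP protocol number, so a protocol with no transport-layer ports (ESP is IP protocol 50) needs a rule with a protocol and no port fields, while TCP and UDP rules carry a port or port range. The following script is an added illustration of that validation logic and is not vCloud Director or vShield code; it accepts either the IANA protocol name (as typed in the UI here) or the number, rejects port entries on port-less protocols, and emits a constructed rule record (the `FirewallRule` dataclass and the small `IANA_PROTOCOLS` table are assumptions of this example, not the vCloud API schema).

```python
"""Normalise firewall-rule protocol/port entries the way an Edge Gateway
rule needs them: an IP protocol (IANA name or number) plus an optional
port or port range that only makes sense for TCP and UDP.

Added, stand-alone example. Not vCloud Director or vShield code; the rule
record it produces is a constructed dictionary-like object, not the vCloud
API schema.
"""

from dataclasses import dataclass
from typing import Optional, Tuple

# Subset of the IANA "Assigned Internet Protocol Numbers" registry,
# constructed here from well-known entries (full list at
# https://www.iana.org/assignments/protocol-numbers/).
IANA_PROTOCOLS = {
    "icmp": 1,
    "tcp": 6,
    "udp": 17,
    "gre": 47,
    "esp": 50,        # IPsec Encapsulating Security Payload (the View 5.1 link)
    "ah": 51,         # IPsec Authentication Header
    "ipv6-icmp": 58,
}
PROTOCOLS_WITH_PORTS = {6, 17}   # only TCP and UDP carry layer-4 port numbers


@dataclass(frozen=True)
class FirewallRule:
    name: str
    protocol_number: int
    protocol_name: Optional[str]           # None if the number has no entry in our table
    port_range: Optional[Tuple[int, int]]  # None for port-less protocols such as ESP


def resolve_protocol(token: str) -> int:
    """Accept an IANA protocol name ('ESP') or number ('50'); return the number."""
    token = token.strip().lower()
    if token.isdigit():
        number = int(token)
        if not 0 <= number <= 255:
            raise ValueError(f"IP protocol number out of range: {number}")
        return number
    try:
        return IANA_PROTOCOLS[token]
    except KeyError:
        raise ValueError(f"unknown IP protocol name: {token!r}") from None


def parse_ports(spec: str) -> Tuple[int, int]:
    """Parse '4172' or '1024-65535' into an inclusive (low, high) tuple."""
    low, _, high = spec.strip().partition("-")
    low_n = int(low)                      # int() raises ValueError on junk input
    high_n = int(high) if high else low_n
    for port in (low_n, high_n):
        if not 1 <= port <= 65535:
            raise ValueError(f"port out of range: {port}")
    if low_n > high_n:
        raise ValueError(f"inverted port range: {spec}")
    return low_n, high_n


def build_rule(name: str, protocol: str, ports: Optional[str] = None) -> FirewallRule:
    """Build a normalised rule; reject port entries on protocols that have none."""
    number = resolve_protocol(protocol)
    proto_name = next((n for n, v in IANA_PROTOCOLS.items() if v == number), None)
    if ports is not None and number not in PROTOCOLS_WITH_PORTS:
        raise ValueError(
            f"protocol {protocol!r} (IP protocol {number}) has no ports; "
            "a rule for it must not specify any"
        )
    port_range = parse_ports(ports) if ports is not None else None
    return FirewallRule(name, number, proto_name, port_range)


def validate_entry(protocol: str, ports: Optional[str] = None) -> Optional[str]:
    """Return None if the entry would make a valid rule, otherwise the error text."""
    try:
        build_rule("check", protocol, ports)
    except ValueError as err:
        return str(err)
    return None


if __name__ == "__main__":
    # Constructed sample entries: the ESP rule from the post (by name and by
    # number) and a UDP rule with a port, as the UI would accept them.
    for rule in (
        build_rule("View Security Server IPsec", "ESP"),
        build_rule("View Security Server IPsec (numeric)", "50"),
        build_rule("PCoIP", "udp", "4172"),
    ):
        print(rule)
    print("ESP with a port ->", validate_entry("ESP", "500"))
```

The numeric path is what the post says it had not yet tested; this example simply treats a name and its number as equivalent, which is how the IANA registry defines them, and the `validate_entry` helper gives a one-line check you can run on an entry before typing it into the UI.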

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Prior to this he spent close to a decade working for VMware as a Principal Architect. Before his nine-plus years at VMware, Chris was a System Administrator who evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products business as the accountant, bookkeeper, and IT support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody programs. Although technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.

2 comments

  1. Thanks for the info. Was looking for this very thing. But how do we do PAT (port address translation) for the non-predefined ports? I would like to do a DNAT for 3389 (RDP) or 25 (SMTP). I would also like to enable SSL VPN-Plus. I see we can do all this through VSM but not through vCloud Director. Thanks.

    • I would think you can type in the non-standard ports anyway, but I have not done a PAT. From what I have learned, you are able to type the ports in pretty much anywhere, but only if the options are even in the UI or API. I’ve no idea on the SSL VPN; I did not configure that.
