First I wanted to say that I have had a lot of fun digging back into Software Defined Datacenter (SDDC). If you have not been able to tell, I dove back in feet first with my recent vCloud Director Hybrid Cloud Case Study, which I will also be presenting on the vBrown Bag this week. Something I glazed over quickly in the process was that I discovered you can actually configure the vShield Edge Gateway for non-standard IP protocols using the vCloud UI. I even talked to a customer about this and they did not know it was possible. I stumbled on it through a blind test, so let me explain.
Firewall Rule Protocols Example:
In the View PCoIP on vCloud Director post the other day I had this screenshot of the firewall rules.
I pointed out that there is a protocol listed called ESP that is NOT in the standard list of protocols at the very end of the list. You can see the default protocols listed below:
VMware View Requirement:
The reason I was messing with this is that the new VMware View 5.1 Security Server to Connection Server link is secured with IPsec. I had all the other things open per the documentation except something known as “IP Protocol 50 – ESP”. When the rule was ANY-ANY it worked, but I could not for the life of me figure out how to add a new Protocol rule. Then it occurred to me that in the “Source” and “Destination” Port fields we can type anything we want, so why not give it a try here.
I did a little digging and found this VERY useful listing of the IP Protocol Numbers and names that gave me both the IP protocol number and name for ESP. So I took a shot in the dark and entered “ESP” in the field, and lo and behold... it worked! I have not tested using the IP protocol numbers yet, but I suspect that may work too.
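To make that kind of check repeatable before a rule goes live, here is an added example (mine, not code from the post and not vCloud's own rule format or API) that normalises whatever is typed into the Protocol field, either a name like ESP or a number like 50, and audits a constructed rule list to confirm the ESP flow is allowed by a specific rule rather than only by an ANY-ANY one; the addresses, rule layout and protocol table are assumptions.

```python
from dataclasses import dataclass
# Subset of the IANA assigned IP protocol numbers (well-known values).
IP_PROTOCOLS = {"icmp": 1, "tcp": 6, "udp": 17, "gre": 47, "esp": 50, "ah": 51}

def normalize_protocol(value):
    """Map the Protocol field text (name or number) to a number, "any", or None.
    None means unrecognised, so a typo like "ESPP" is caught rather than ignored."""
    text = str(value).strip().lower()
    if text == "any":
        return "any"
    if text.isdigit():
        number = int(text)
        return number if 0 <= number <= 255 else None
    return IP_PROTOCOLS.get(text)

@dataclass
class Rule:  # constructed, simplified layout; not vCloud's own rule format
    name: str
    source: str       # "any" or a single address
    destination: str
    protocol: str     # name or number exactly as typed into the UI field
    action: str = "allow"

def rule_matches(rule, src, dst, proto_number):
    """True when an allow rule covers src -> dst for the given IP protocol number."""
    proto = normalize_protocol(rule.protocol)
    if proto is None or rule.action != "allow":
        return False
    return (rule.source in ("any", src) and rule.destination in ("any", dst)
            and proto in ("any", proto_number))

def audit(rules, src, dst, proto_number):
    """List rules that allow the flow, ANY-ANY rules, and rules with bad protocols."""
    return {
        "allowed_by": [r.name for r in rules if rule_matches(r, src, dst, proto_number)],
        "any_any": [r.name for r in rules if r.source == r.destination == "any"
                    and normalize_protocol(r.protocol) == "any"],
        "unknown_protocol": [r.name for r in rules
                             if normalize_protocol(r.protocol) is None],
    }

# Constructed sample: Security Server (DMZ) to Connection Server (internal).
SAMPLE_RULES = [
    Rule("View-IPsec-ESP", "192.0.2.10", "198.51.100.20", "ESP"),
    Rule("Typo-rule", "192.0.2.10", "198.51.100.20", "ESPP"),
    Rule("Temporary-ANY-ANY", "any", "any", "any"),
]
if __name__ == "__main__":
    print(audit(SAMPLE_RULES, "192.0.2.10", "198.51.100.20", IP_PROTOCOLS["esp"]))
```

Once the specific ESP rule shows up under "allowed_by", the ANY-ANY rule listed under "any_any" can be removed without breaking the IPsec link.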
As best I can tell, I’m not sure whether this is “well” documented or not in the vCloud Director guides, but now I keep that IP Protocol link handy and I know I can add BOTH custom ports and protocols to my vCloud Director Edge Gateway firewall rules. I always knew the port numbers were capable of being typed in. I’m not sure if I was the only one who did not know the Protocol field worked the same way, but I certainly did not find any information to that effect after searching for a few hours on it. I hope this helps others leverage the new 5.1 vCloud Director Edge Gateway Services.