A Home Lab Use For vShield App Firewall

My vShield App Firewall Use Case

The scenario for why I wanted to try and use the vShield App Firewall was pretty basic and is probably similar for most folks.  Everything in the “Lab” space is virtual except for some of the storage devices and all of the personal devices.  However I have the networking split between two subnets

  • 192.168.100.x – All Physical and Personal Devices
  • 192.168.110.x – Most Virtual Machines

When I decided to build the home lab I wanted to have some level of remote access using VMware View.  Now I have pretty limited View expertise, just enough to get it setup and working, but because of my home router I have a challenge.  The home router will only do Port Forwarding to local IP addresses, and that router is part of the 192.168.100.x network.  Therefore my View Security Server needed to have an IP address on that network, making it part of my “trusted” network while all the other virtual machines are in the lab network.  Even though I am only passing Port 443 that Virtual Machine was still going to be part of my trusted LAN.  So I decided to have some fun with the vShield App Firewall.  The diagram below show some of the network layout.  You can see since the View Security Server is on a trusted network.

vShield App Firewall

How vShield App Firewall Helped

My goal ultimately was to allow internet traffic on port 443 and PCoIP into the virtual machine for View Security Server, but then limit that virtual machine’s ability to communicate to other things on the trusted network.  Effectively I wanted to put a DMZ around the virtual machine.  This is why vShield App Firewall is so high on the cool scale, it does exactly that!  The goal is to basically change the diagram to look like below where the View Security Server is boxed into a DMZ even though it is on the same subnet

vShield App Firewall

I would like to point out that the View Security Server is NOT part of the Active Directory Domain, and is a workgroup machine only with local credentials.  Therefore my only concern was making sure I could block access to the other IP addresses on the trusted LAN.

Installing and Configuring vShield App Firewall

First thing you need to do is obviously license and install the vShield Cloud Network Security suite, (vCNS), and then install the vShield App Service on all the hosts in the cluster.  The latest versions are very good about not locking you out of vShield Manager and vCenter Server once they are enabled.   You can see the screen shot below that the option is enabled.  The install is pretty self-explanatory and you will end up with a vShield Firewall Appliance per ESXi Host.

vShield App Firewall

vShield App Firewall Rules

Now for those that never wrote firewall rules this is where worlds can collide a bit.  Personally back in my system admin life I was also a Checkpoint Firewall administrator so I have always had a good understanding of source, destination, services, etc.  The new vShield App Firewall rules look very similar to other enterprise firewalls.  The exception is you can write rules by specific virtual machine as well as services, and defining networks.  You also get access to flow information so see blocked and accepted flows to easily help you troubleshoot.

Because I wanted to allow access to this View Security Server, but deny access from that virtual machine to much of the other network below is the current rule set I have been playing with.  It still needs some tuning as there is still technically a few holes.

vShield App Firewall

However it is functional and has provided me what I wanted.  The virtual machine, although on the same network, cannot talk to anything on that network and is only allowed to reach AD, DNS, View Connection server, and the View Desktops.  I can certainly refine the rules further, but for the initial use case it is working and I cannot get to anything from the View Security Server except the internet and the view connections are working to the desktops.  Many of the custom service rules I had to pull from the View Firewall Documentation.

Final Thoughts on the vShield App Firewall

I think this product is VERY high on the cool scale.  I know at VMworld we asked people if they thought it was cool and lots of people raised their hands.  When we followed up with “who is using it?”, most of the hands went down.  So even though this is a single and isolated use case it proves the use case and I would encourage you to try it.  Just don’t get too frustrated if things get too locked down.  Use the Flow Monitoring to see what is going on and keep adjusting the rules.  Make sure you have the ports you need for that service, but you can now isolate a single, or group of virtual machines in a DMZ without ever using a real hardware firewall!  It goes without saying that this can be done for things outside a lab as well.

About Chris Colotti

Chris is active on the VMUG and event speaking circuit and is available for many events if you want to reach out and ask. Previously to this he spent close to a decade working for VMware as a Principal Architect. Previous to his nine plus years at VMware, Chris was a System Administrator that evolved his career into a data center architect. Chris spends a lot of time mentoring co-workers and friends on the benefits of personal growth and professional development. Chris is also amongst the first VMware Certified Design Experts (VCDX#37), and author of multiple white papers. In his spare time he helps his wife Julie run her promotional products as the accountant, book keeper, and IT Support. Chris also believes in both a healthy body and healthy mind, and has become heavily involved with fitness as a Diamond Team Beachbody Coach using P90X and other Beachbody Programs. Although Technology is his day job, Chris is passionate about fitness after losing 60 pounds himself in the last few years.


  1. Chris is if I installed the vcns in. How do I enable or as you put it install the vshield app appliance for the host. Is that done from vShield Manager or from vCenter?

Leave a Reply

Your email address will not be published. Required fields are marked *