CSS11506 - Moving backend web servers behind firewall
Again, another newbie CSS question. But now that I have the CSS terminating both SSL connections for my backend web servers, is it possible to move the servers off the same subnet as the CSS (public zone) and move them back into my production LAN, which is behind another PIX interface? I am not sure how I could do this, as so far I can only make my setup work when the web servers are connected to the CSS11506 switch module.
Re: CSS11506 - Moving backend web servers behind firewall
However, you have to guarantee that the response from the server to the client goes through the CSS, because the client is normally talking to the VIP and not the server. So, the CSS needs to see the traffic to NAT the server IP into the VIP.
If the CSS is in a DMZ and the server is on the inside, chances are the server will respond directly to the client, breaking the setup.
You can force the CSS to do client NAT using a source group. This will guarantee that all responses go back to the CSS.
But your server log will show only connections from the CSS.
Another solution is to put the CSS on the inside as well with the servers.
Or to place it on the outside between the firewall and the gateway, but it will be subject to attack.
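The return-path problem described in the reply above, as an added illustration that is not part of the original thread: a small Python model of one connection through the layouts discussed (server replying directly, client NAT via a source group, and replies routed back through the CSS). The addresses and the `simulate` function are constructed for this example.

```python
# Constructed addresses (documentation ranges); none come from the thread.
CLIENT = "198.51.100.7"   # Internet client
VIP = "203.0.113.10"      # virtual IP configured on the CSS
CSS_NAT = "192.0.2.1"     # address the CSS uses when it NATs the client source
SERVER = "10.0.0.20"      # backend web server on the production LAN


def simulate(client_nat: bool, reply_routed_via_css: bool):
    """Follow one connection and return (client_accepts_reply, ip_in_server_log).

    client_nat           -- CSS rewrites the client source (source group)
    reply_routed_via_css -- server's route back to the client crosses the CSS
    """
    # 1. Client connects to the VIP; it will only accept replies from the VIP.
    request = {"src": CLIENT, "dst": VIP}
    flow = {"client": request["src"], "vip": request["dst"]}  # CSS flow state

    # 2. CSS load-balances: destination becomes the real server, and with
    #    client NAT the source becomes a CSS-owned address.
    to_server = {"src": CSS_NAT if client_nat else CLIENT, "dst": SERVER}
    logged_ip = to_server["src"]  # what the web server records in its log

    # 3. Server answers whatever source address it saw.
    reply = {"src": SERVER, "dst": to_server["src"]}

    # 4. The CSS can only undo its NAT if the reply actually reaches it:
    #    either it is addressed to the CSS, or routing forces it through.
    if reply["dst"] == CSS_NAT or reply_routed_via_css:
        reply = {"src": flow["vip"], "dst": flow["client"]}

    # 5. Client matches the reply against the connection it opened to the VIP.
    accepted = reply["dst"] == CLIENT and reply["src"] == VIP
    return accepted, logged_ip


if __name__ == "__main__":
    layouts = {
        "server behind firewall, no client NAT": (False, False),
        "server behind firewall, source group": (True, False),
        "replies routed back through the CSS": (False, True),
    }
    for name, args in layouts.items():
        ok, seen = simulate(*args)
        print(f"{name:40s} client accepts={ok!s:5s} server log shows {seen}")
```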