VMware Access Point Firewall Rule Generator
February 20, 2017
When deploying Virtual Desktop/Application remote access solutions you often need to engage with ‘The Firewall Guy’. This can often be a difficult conversation involving lots of questions such as “what?”, “from where?”, “to where?” and “why?”
To this end I have created an Access Point Firewall Rules Generator which you can download. You just need to plug in the parameters on the lookup tab and it will pre-populate the firewall rules for you. Other than the standard back-end details which you (as the Virtual Desktop Consultant) should already know, the only things you need to ask the firewall guy for are:
- Access Point owned IP addresses in the DMZ
- Internet facing IP Address for the NAT rule – You don’t actually need to know this yourself but it helps in order to provide a fully completed rule set
- Certificates – May be from someone else entirely
Hopefully you won’t even need to talk to the firewall guy at all after that! You can fill in the sheet and email it off to him/her.
A few points to note:
- This is based upon the information from this VMware article, which I found to be missing items such as DNS and RADIUS, so I have added these in
- The deployment mode is based upon two IP addresses per Access Point; a single IP will work fine, just enter the same IP in both the Front-End and Back-End Management sections
- When deploying the Access Point either via PoSH or OVF, the first IP entered becomes the external one, not the Management/Backend Communication one, which is the second one entered
- If you want to read a blog on actually deploying Access Point, this by Carl Stalhood is probably the best one out there
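As an added illustration (not the downloadable sheet itself), this Python snippet does the same job as the lookup tab: it takes the few parameters the post lists (NAT address, front-end and back-end DMZ IPs, internal hosts) and emits one row per firewall rule, including the DNS and RADIUS entries. The port numbers are the commonly documented Horizon/Access Point ones and are assumptions to verify against VMware's port list for your version; all IPs are constructed sample values.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    proto: str
    port: int
    purpose: str

# Constructed sample parameters standing in for the sheet's lookup tab.
PARAMS = {
    "nat_ip": "203.0.113.10",            # internet-facing address for the NAT rule
    "front_end_ip": "192.0.2.10",        # Access Point external IP (first IP entered)
    "back_end_ip": "192.0.2.11",         # Access Point management/back-end IP (second)
    "connection_servers": ["10.0.0.21", "10.0.0.22"],
    "desktop_subnet": "10.0.10.0/24",
    "dns_servers": ["10.0.0.5"],
    "radius_servers": ["10.0.0.9"],
    "admin_subnet": "10.0.99.0/24",
}

# Assumed ports (verify against VMware's documentation for your release).
EXTERNAL = (("TCP", 443, "HTTPS / tunnel"), ("TCP", 8443, "Blast Extreme"),
            ("UDP", 8443, "Blast Extreme"), ("TCP", 4172, "PCoIP"), ("UDP", 4172, "PCoIP"))
TO_AGENT = (("TCP", 4172, "PCoIP to agent"), ("UDP", 4172, "PCoIP to agent"),
            ("TCP", 22443, "Blast to agent"), ("UDP", 22443, "Blast to agent"))

def generate_rules(p):
    """Return the rule rows the firewall team needs, in the order they are usually read."""
    be = p["back_end_ip"]
    rules = [Rule("Internet", p["nat_ip"], proto, port, f"{why} (NAT -> {p['front_end_ip']})")
             for proto, port, why in EXTERNAL]
    # Back-end traffic originates from the management/back-end interface
    rules += [Rule(be, cs, "TCP", 443, "Connection Server XML-API") for cs in p["connection_servers"]]
    rules += [Rule(be, p["desktop_subnet"], proto, port, why) for proto, port, why in TO_AGENT]
    rules += [Rule(be, d, "UDP", 53, "DNS resolution") for d in p["dns_servers"]]
    rules += [Rule(be, r, "UDP", 1812, "RADIUS authentication") for r in p["radius_servers"]]
    rules.append(Rule(p["admin_subnet"], be, "TCP", 9443, "Access Point admin UI"))
    return rules

def to_csv(rules):
    """Flatten rules into the CSV text you would email to the firewall team."""
    header = "source,destination,protocol,port,purpose"
    return "\n".join([header] + [f"{r.src},{r.dst},{r.proto},{r.port},{r.purpose}" for r in rules])

if __name__ == "__main__":
    print(to_csv(generate_rules(PARAMS)))
```

For a single-IP deployment, set `front_end_ip` and `back_end_ip` to the same value, exactly as the sheet expects.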
I’ve used the PowerShell deployment method before, but since 2.8 the OVF deployment actually works properly, so it’s just as easy to deploy it that way and then import your predefined settings from a JSON file.