This article outlines the steps for replicating virtual machines in the DMZ cluster by deploying an additional vSphere Replication Server (add-on) appliance inside the DMZ.
In this design, the primary vSphere Replication Management Server (VRMS) stays on the secure internal network, while the add-on VR Server in the DMZ receives the replication traffic from the DMZ ESXi hosts. Because the replication data path stays inside the DMZ, no replication ports need to be opened from the DMZ into the internal network; the only new rule that crosses the boundary is the management connection from the VRMS to the add-on server (Internal -> DMZ). This makes the design considerably more secure than placing all replication components on the internal network.
This configuration involves three key components:
Internal Network: Contains your vCenter Server and the primary VRMS appliance.
DMZ Network: Contains your DMZ ESXi hosts and the VMs to be replicated. You will deploy a new vSphere Replication Server (add-on) appliance here.
Firewall: The security boundary separating the Internal network and the DMZ.
vSphere Replication 9.x
Before you configure the firewall, make sure the following prerequisites are in place:
The primary vSphere Replication Management Server (VRMS) is already deployed and configured on your internal network.
Your vCenter Server (internal) is successfully managing the ESXi hosts in the DMZ cluster. (This means the standard vCenter-to-host management ports, TCP 443 and TCP 902, are already open from the internal network to the DMZ.)
Deploy the vSphere Replication (Add-on) Server in the DMZ cluster. (Refer: Deploy an Additional vSphere Replication Server)
Configure the following rules on your firewall. They allow the internal VRMS to manage the new DMZ appliance, allow the DMZ ESXi hosts to send replication data to the DMZ appliance, and allow the DMZ appliance at the secondary site to write that data to the target ESXi hosts in the secondary-site DMZ. Note that none of these rules opens a connection from the DMZ to the internal network.

| Direction | Source (From) | Destination (To) | Protocol | Port(s) |
|---|---|---|---|---|
| Internal -> DMZ | VRMS appliance IP | vSphere Replication add-on server | TCP | 8123 |
| DMZ -> DMZ | DMZ ESXi hosts (primary and secondary sites) | vSphere Replication add-on server (primary and secondary sites) | TCP | 31031 |
| DMZ -> DMZ | vSphere Replication add-on server (secondary site) | DMZ ESXi hosts (secondary site) | TCP | 902 |
Once all the prerequisites are met, follow the steps below.
1. Register the DMZ Add-on Server
Log in to the vSphere Client.
Go to the Site Recovery plug-in.
On the Replication Servers tab, click on "Add".
Enter the IP address of the new vSphere Replication Server you deployed in the DMZ.
2. Configure Replication for a DMZ VM
Right-click any VM in your DMZ cluster and select All vSphere Replication Actions > Configure Replication.
Proceed through the wizard, selecting your target site.
On the Replication server page, the wizard will default to "Auto-assign". You must change this.
Select the Manual option.
A list of available VR Servers will appear. Select the new DMZ vSphere Replication Server you just registered.
Why this is critical: If you leave "Auto-assign" selected, vSphere Replication may assign the replication to the embedded VR server on the internal VRMS appliance. That would fail, because the firewall has no rule allowing the DMZ ESXi hosts to send replication traffic (TCP 31031) to the internal network. By selecting the DMZ appliance manually, you keep the data path (DMZ ESXi host -> VR server on TCP 31031) inside the DMZ, so it needs no traversal of the Internal/DMZ boundary.
Complete the wizard.
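As an added example (not part of this article and not VMware code), the following Python check encodes the required flows from the firewall table above and audits a candidate rule list against them: it reports any required flow the policy does not permit, flags any rule that opens DMZ -> Internal (the design's goal is that replication needs none), and shows why a replication that Auto-assign hands to the embedded VR server on the internal VRMS appliance has no working data path while a manually selected DMZ server does. The zone names ("internal", "dmz"), the one-line rule format, and the sample policy text are constructed assumptions for illustration; the required flows themselves are the ones in the table.

```python
"""Audit a firewall policy against the flows the DMZ vSphere Replication design needs.

Added example, not from the article or from VMware. The zone names ("internal",
"dmz"), the one-line rule format and the sample policy are assumptions made for
illustration; the required flows come from the article's firewall table.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src_zone: str
    dst_zone: str
    proto: str
    port: int
    purpose: str


# Required flows, as listed in the article's firewall table.
REQUIRED_FLOWS = (
    Flow("internal", "dmz", "tcp", 8123, "VRMS manages the add-on VR server"),
    Flow("dmz", "dmz", "tcp", 31031, "DMZ ESXi hosts send replication data to the add-on VR server"),
    Flow("dmz", "dmz", "tcp", 902, "add-on VR server writes to the target ESXi hosts (secondary site)"),
)


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    ports: frozenset
    action: str  # "allow" or "deny"


def parse_rules(text):
    """Parse lines of the form: SRC_ZONE DST_ZONE PROTO PORT[,PORT...] ACTION.

    Blank lines and '#' comments are ignored. This line format is an assumption.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        src, dst, proto, ports, action = line.split()
        rules.append(Rule(src.lower(), dst.lower(), proto.lower(),
                          frozenset(int(p) for p in ports.split(",")), action.lower()))
    return rules


def permits(rules, src_zone, dst_zone, proto, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (src_zone, dst_zone, proto) and port in r.ports:
            return r.action == "allow"
    return False


def missing_flows(rules):
    """Required flows that the policy does not permit."""
    return [f for f in REQUIRED_FLOWS
            if not permits(rules, f.src_zone, f.dst_zone, f.proto, f.port)]


def dmz_to_internal_allows(rules):
    """Allow rules that open the DMZ towards the internal network.

    The add-on design needs none of these for replication, so anything
    returned here deserves a second look.
    """
    return [r for r in rules
            if r.action == "allow" and r.src_zone == "dmz" and r.dst_zone == "internal"]


def replication_path_ok(rules, vr_server_zone):
    """Can a DMZ ESXi host deliver replication data (TCP 31031) to the VR server
    it was assigned? With Auto-assign that server may be the embedded VR server
    on the internal VRMS appliance, i.e. vr_server_zone == "internal"."""
    return permits(rules, "dmz", vr_server_zone, "tcp", 31031)


# Constructed sample policy: the article's rules plus the pre-existing vCenter management rules.
SAMPLE_POLICY = """
internal dmz tcp 443,902 allow   # vCenter manages the DMZ ESXi hosts (pre-existing)
internal dmz tcp 8123    allow   # VRMS -> add-on VR server
dmz      dmz tcp 31031   allow   # DMZ ESXi hosts -> add-on VR server
dmz      dmz tcp 902     allow   # add-on VR server -> target ESXi hosts
"""


def audit(policy_text):
    """Summarise a policy: missing required flows, DMZ->Internal allows, and whether
    a manually selected DMZ VR server or an auto-assigned internal one has a data path."""
    rules = parse_rules(policy_text)
    return {
        "missing": [(f.proto, f.port, f.purpose) for f in missing_flows(rules)],
        "dmz_to_internal": [(r.proto, sorted(r.ports)) for r in dmz_to_internal_allows(rules)],
        "manual_dmz_server_ok": replication_path_ok(rules, "dmz"),
        "auto_assign_internal_server_ok": replication_path_ok(rules, "internal"),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_POLICY).items():
        print(f"{key}: {value}")
```

Run it against your own rule export after translating the rules into the assumed line format; a non-empty "missing" list means a replication flow will fail, and a non-empty "dmz_to_internal" list means the policy is wider than this design requires.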