Milestone 7 ‐ VMWare Review Skills Recap - jacobwilliams100/sys-350 GitHub Wiki
1. Add 2 new networks on your host: DMZ and MGMT
Creating the vSwitches
and the associated port groups
Shut down the pfSense firewall and add two network adapters, one for 350-dmz and one for 350-mgmt.
Start it back up and confirm that the new adapters are available.
Once you have done this, it is easier to configure the new interfaces from the pfSense web GUI.
Don't forget to save and apply!
You should now be able to see the new interfaces from the CLI.
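The same step as a PowerCLI script, added here as an example rather than taken from this wiki. It assumes a vCenter at vcenter.lab.local, an ESXi host esxi01.lab.local, a new standard vSwitch named vSwitch1, and a pfSense VM named "pfsense"; the port group names 350-dmz and 350-mgmt are the lab's own. It also does the check a practitioner wants after creating DMZ port groups: make sure promiscuous mode, MAC changes and forged transmits are rejected, so a compromised web server cannot sniff or spoof on its segment.

```powershell
# Added example (PowerCLI), not code from the original wiki. Assumptions: vCenter at
# vcenter.lab.local, ESXi host esxi01.lab.local, a new standard vSwitch "vSwitch1"
# with no physical uplink, and the pfSense VM named "pfsense". The port group names
# 350-dmz and 350-mgmt are the lab's own.
Connect-VIServer -Server vcenter.lab.local

$esx = Get-VMHost -Name esxi01.lab.local

# 1a. One internal vSwitch, two port groups. With no -Nic (no uplink) the only way
#     off these segments is through the pfSense VM, which is the point of a DMZ.
$vs  = New-VirtualSwitch -VMHost $esx -Name vSwitch1
$pgs = foreach ($name in "350-dmz", "350-mgmt") {
    New-VirtualPortGroup -VirtualSwitch $vs -Name $name
}

# Harden the port-group security policy explicitly instead of trusting version-dependent
# defaults: Accept on any of these lets a VM sniff (promiscuous) or spoof (MAC/forged).
foreach ($pg in $pgs) {
    Get-SecurityPolicy -VirtualPortGroup $pg |
        Set-SecurityPolicy -AllowPromiscuous $false -MacChanges $false -ForgedTransmits $false |
        Select-Object VirtualPortGroup, AllowPromiscuous, MacChanges, ForgedTransmits
}

# 1b. Shut pfSense down cleanly, add one adapter per new network, bring it back up.
$fw = Get-VM -Name pfsense
if ($fw.PowerState -eq "PoweredOn") {
    Stop-VMGuest -VM $fw -Confirm:$false | Out-Null
    while ((Get-VM -Name pfsense).PowerState -ne "PoweredOff") { Start-Sleep -Seconds 5 }
}
foreach ($pg in $pgs) {
    New-NetworkAdapter -VM $fw -NetworkName $pg.Name -Type Vmxnet3 -StartConnected | Out-Null
}
Start-VM -VM $fw | Out-Null

# The new adapters should now be listed, each on its own port group; inside pfSense
# they appear under Interfaces > Assignments, which is where the next step picks them up.
Get-NetworkAdapter -VM $fw | Select-Object Name, NetworkName, Type
```

The Reject settings apply to every VM on the port group, including pfSense's own DMZ and MGMT adapters; that is fine for a single firewall, but if you ever run CARP/VIP failover between two pfSense VMs you will need MAC changes and forged transmits back on Accept for those port groups.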
2. Clone Rocky Template to 2 new servers: web01-yourname and web02-yourname
We will work in vSphere now. Create a new Rocky 8 server (web1-jake) by cloning the template we made in an earlier lab.
You can set the interface settings through the customization specification.
Don't forget to put it on the DMZ network.
Spin it up and do a quick ping to the gateway.
Set up a quick Apache server.
We will create a second server, web2-jake, by cloning the first one since it's already mostly set up.
The per-machine settings (hostname and IP address) need to be different from web1-jake.
Start up the machine and make sure it's functioning like the other one.
We need to make a quick modification to index.html so the two servers can be told apart.
3. Clone Ubuntu Template for 2 new servers: Backup01-yourname and Monitor01-yourname
My template was too big, so I had to build a new, smaller Ubuntu VM (backup1-jake) and clone it to make monitor1-jake. We can still use the customization specification created in the previous lab.
Basic setup...
Some quick tests.
Now we can save this setup as a template
and make monitor1-jake from this template plus the specification.
We will need to set a static IPv4 address for this VM manually because the template was originally intended for DHCP. Not a big deal.
Running some tests.
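Steps 2 and 3 are the same procedure run four times (clone, customize, re-home the NIC, start, test), so here is one PowerCLI script that covers both. It is an added example, not code from this wiki. It assumes vCenter vcenter.lab.local, host esxi01.lab.local, datastore "datastore1", a Rocky template "rocky8-template", the Linux customization spec "350-linux-spec" from the earlier lab, root credentials for the guests, and the DMZ/MGMT addressing in the `$gateway` table; VM names, port group names and the "backup1 then template then monitor1" order follow the page, and "ubuntu-small-template" is just a name for the rebuilt template.

```powershell
# Added example (PowerCLI), not code from the original wiki. Assumptions: vCenter at
# vcenter.lab.local, ESXi host esxi01.lab.local, datastore "datastore1", template
# "rocky8-template", the customization spec "350-linux-spec" from the earlier lab, and the
# DMZ/MGMT addressing below. "ubuntu-small-template" is the name given to the rebuilt template.
Connect-VIServer -Server vcenter.lab.local
$esx  = Get-VMHost -Name esxi01.lab.local
$cred = Get-Credential -Message "root account inside the guests"

# Assumed lab addressing: pfSense is the gateway on each segment.
$gateway = @{ "350-dmz" = "10.0.5.1"; "350-mgmt" = "10.0.7.1" }

function New-LabClone {
    param([string]$Name, $Template, $VM, [string]$Network, [string]$Ip)
    # Per-VM copy of the shared spec: same DNS/domain settings, but a unique hostname and
    # IP, which are exactly the settings that must differ between a clone and its source.
    $spec = New-OSCustomizationSpec -OSCustomizationSpec (Get-OSCustomizationSpec -Name "350-linux-spec") `
                -Name "$Name-spec" -Type NonPersistent
    $spec | Set-OSCustomizationSpec -NamingScheme Fixed -NamingPrefix $Name | Out-Null
    $spec | Get-OSCustomizationNicMapping |
        Set-OSCustomizationNicMapping -IpMode UseStaticIP -IpAddress $Ip `
            -SubnetMask 255.255.255.0 -DefaultGateway $gateway[$Network] | Out-Null

    # New-VM takes either -Template or -VM as the clone source; splat whichever was given.
    $src = if ($Template) { @{ Template = $Template } } else { @{ VM = $VM } }
    $new = New-VM -Name $Name @src -VMHost $esx -Datastore datastore1 -OSCustomizationSpec $spec
    # A clone inherits the source's port group; move it onto the right segment before first boot.
    Get-NetworkAdapter -VM $new |
        Set-NetworkAdapter -NetworkName $Network -StartConnected:$true -Confirm:$false | Out-Null
    Start-VM -VM $new | Out-Null
    return $new
}

# Step 2: web1-jake from the Rocky 8 template on the DMZ, then Apache installed through
# VMware Tools (Invoke-VMScript), so no SSH rule into the DMZ is needed for setup.
$web1 = New-LabClone -Name web1-jake -Template (Get-Template -Name rocky8-template) -Network "350-dmz" -Ip 10.0.5.10
Wait-Tools -VM $web1 -TimeoutSeconds 600 | Out-Null
$setupWeb = @'
dnf -y install httpd
systemctl enable --now httpd
firewall-cmd --permanent --add-service=http && firewall-cmd --reload
echo "<h1>$(hostname)</h1>" > /var/www/html/index.html
'@
Invoke-VMScript -VM $web1 -ScriptText $setupWeb -ScriptType Bash -GuestCredential $cred | Out-Null

# web2-jake is cloned from the configured web1; the spec changes hostname and IP, but the
# cloned index.html still says web1-jake, so rewrite it (the page's "quick modification").
$web2 = New-LabClone -Name web2-jake -VM $web1 -Network "350-dmz" -Ip 10.0.5.11
Wait-Tools -VM $web2 -TimeoutSeconds 600 | Out-Null
Invoke-VMScript -VM $web2 -ScriptType Bash -GuestCredential $cred `
    -ScriptText 'echo "<h1>$(hostname)</h1>" > /var/www/html/index.html' | Out-Null

# Step 3: backup1-jake was built by hand (the old Ubuntu template was too big). After its
# basic setup, save it as a template and build monitor1-jake from that plus the same spec.
$backup1 = Get-VM -Name backup1-jake
Stop-VMGuest -VM $backup1 -Confirm:$false | Out-Null
while ((Get-VM -Name backup1-jake).PowerState -ne "PoweredOff") { Start-Sleep -Seconds 5 }
$small = New-Template -VM $backup1 -Name ubuntu-small-template -Datastore datastore1 -VMHost $esx
Start-VM -VM $backup1 | Out-Null
$monitor1 = New-LabClone -Name monitor1-jake -Template $small -Network "350-mgmt" -Ip 10.0.7.11

# Quick test: each VM reports its address through VMware Tools.
foreach ($vm in $web1, $web2, $monitor1) {
    "{0}: {1}" -f $vm.Name, ((Get-VM -Name $vm.Name | Get-VMGuest).IPAddress -join ", ")
}
```

Two caveats. Linux guest customization needs open-vm-tools inside the template (and it is what applies the static IPv4 the page sets by hand on monitor1), and it runs on first boot and reboots the guest, so Wait-Tools can return before the hostname and IP are actually in place; check Get-VMGuest shows the expected address before relying on Invoke-VMScript. Cloning web2 from a running web1 is allowed in vCenter, but anything web1 holds in memory or in a half-written file at that instant is not in the clone, so shut web1 down first if you need an exact copy.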
4. Configure Firewall settings
Both DMZ and MGMT were given internet access as part of the initial setup.
But now we will tighten those setup-time rules into a fully realized per-interface policy.
LAN Rules
DMZ Rules
MGMT Rules
5. Users/Roles
We do most of this on DC1-jake.
Create the webdev and sysadmin groups.
Create two sample users for each group
and add them to the corresponding groups.
Back in vCenter...
make a webdev folder (contains web1 and web2)
and a sysadmin folder (contains backup1 and monitor1).
Add the webdev AD group as Virtual Machine Power User on the webdev folder
and the sysadmin AD group as Virtual Machine Power User on both folders.
Now try logging in as webdev1 to see what is accessible.
As expected, webdevs can only see the DMZ web servers.
Try again with sysadmin1.
It works as expected.
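The whole of step 5 in PowerShell, added here as an example and not taken from this wiki: the first part runs on DC1-jake with the ActiveDirectory module, the second from a PowerCLI session. It assumes the AD domain is SYS350 (DNS name sys350.local), that vCenter is vcenter.lab.local with that domain already added as an SSO identity source, that the datacenter object is named "Datacenter", and that the second user in each group is webdev2/sysadmin2; group, folder, VM and first-user names come from the page, and "VirtualMachinePowerUser" is the name vCenter's sample "Virtual Machine Power User" role carries when listed with Get-VIRole.

```powershell
# Added example, not code from the original wiki. Part 1 runs on DC1-jake, part 2 from
# PowerCLI. Assumptions: AD domain SYS350 / sys350.local, vCenter vcenter.lab.local with
# SYS350 configured as an SSO identity source, datacenter "Datacenter".

# --- Part 1 (DC1-jake): groups, users, membership ---
Import-Module ActiveDirectory
$pw = Read-Host -AsSecureString "Initial password for the lab users"
foreach ($g in "webdev", "sysadmin") {
    New-ADGroup -Name $g -GroupScope Global -GroupCategory Security
    foreach ($n in 1, 2) {
        $u = "$g$n"                                   # webdev1, webdev2, sysadmin1, sysadmin2
        New-ADUser -Name $u -SamAccountName $u -UserPrincipalName "$u@sys350.local" `
                   -AccountPassword $pw -Enabled $true -ChangePasswordAtLogon $true
        Add-ADGroupMember -Identity $g -Members $u
    }
}

# --- Part 2 (PowerCLI): folders, VM placement, permissions ---
Connect-VIServer -Server vcenter.lab.local
$dc     = Get-Datacenter -Name Datacenter
$vmRoot = Get-Folder -Name vm -Type VM -Location $dc -NoRecursion   # the "VMs and Templates" root

$webdevFolder   = New-Folder -Name webdev   -Location $vmRoot
$sysadminFolder = New-Folder -Name sysadmin -Location $vmRoot
Move-VM -VM (Get-VM -Name web1-jake, web2-jake)       -Destination $webdevFolder   | Out-Null
Move-VM -VM (Get-VM -Name backup1-jake, monitor1-jake) -Destination $sysadminFolder | Out-Null

# Permissions go on the folders and propagate to the VMs inside them, so adding a VM to a
# folder later is enough; no per-VM permission to forget.
$role = Get-VIRole -Name VirtualMachinePowerUser
New-VIPermission -Entity $webdevFolder -Principal "SYS350\webdev" -Role $role -Propagate:$true | Out-Null
New-VIPermission -Entity $webdevFolder, $sysadminFolder -Principal "SYS350\sysadmin" -Role $role -Propagate:$true | Out-Null

function Get-VisibleVMs {
    param([pscredential]$Cred)
    # A separate, non-default session as the test user: Get-VM returns only what that user can read.
    $s = Connect-VIServer -Server vcenter.lab.local -Credential $Cred -NotDefault
    try     { Get-VM -Server $s | Select-Object -ExpandProperty Name | Sort-Object }
    finally { Disconnect-VIServer -Server $s -Confirm:$false }
}
Get-VisibleVMs -Cred (Get-Credential "SYS350\webdev1")
Get-VisibleVMs -Cred (Get-Credential "SYS350\sysadmin1")
```

Per the page's own result, the first call should list only web1-jake and web2-jake and the second all four. One check worth adding: because the permission sits on the folder, the groups get no rights on the port groups themselves, and attaching a VM to a network needs the Network > Assign network privilege on that network object, so a webdev should not be able to re-home a web server onto 350-mgmt or the LAN. Confirm that as webdev1 before calling the role assignment done.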
Reflection
The individual listed steps of this lab were all pretty straightforward and I didn't have much trouble with them because they were mostly things I've done before. However, I encountered two major problems that really slowed me down. While playing with my pyvmomi code over the weekend, I accidentally shut down all of my VMs at the same time, including my vCenter host. After starting back up, it wasn't working right, and couldn't connect to any VMs. I did a number of things including manually restarting the vCenter services with `service-control --start --all`; however, some services remained down. I spent a long time on this and eventually restored full functionality to vCenter, but it became very unreliable and everything would disconnect literally every few seconds, so simple actions like starting a new VM would take upwards of 30 minutes. Also, I ran into really bad issues with storage space. My ESXi host only has 1 disk and by now it was nearly full. Even after deleting some old stuff, I still didn't have enough space to deploy Ubuntu VMs from the template I had created. Because you can't shrink a template, I needed to make a new (smaller) Ubuntu template from scratch, which added a lot of time, especially combined with the ultra-slow vCenter operations.