Having a fully virtualized server environment is great, but with the constant push towards public services, there has been an increase in DMZ servers for many companies.
In my opinion, the simplest way to do this is to create the LPAR with the normal virtual Ethernet adapter and then simply switch adapters once setup is complete. This lets you do everything through NIM, and you don’t have to worry about firewall interference until after most of the tedious parts are done. No CDs to mount, no files to copy over by hand. Everybody wins!
When creating an LPAR, follow the steps here for help, and add these simple tweaks to make your life easier when building an LPAR in the DMZ:
- Before creating the LPAR, ensure that you have all of the details and networking set up. This includes the public IP address, the physical port and switch, and the correct VLAN. You will also need a spare, unused internal IP address to serve as the temporary address for initial setup.
- When creating the profile for the LPAR, ensure that you create an LHEA on an open port. This can be done later, but it will be the adapter you switch over to once setup is complete (if you don’t know which ports are already in use, open the system’s profile and view the LHEA ports individually to see which LPARs are connected to each port).
- Before completing any steps on the NIM server, ensure that you add the new hostname and temporary IP address to the /etc/hosts file.
- Proceed with installation as normal
- Once installation is complete, edit the LPAR profile and remove the virtual Ethernet adapter (do not reboot the LPAR until the LPAR-side work below is also complete). Removing it is not optional: a DMZ host that keeps a virtual adapter on the internal VLAN has a path around the firewall.
- From the LPAR, run “ifconfig -a” to view the adapters. The LHEA appears as a separate en interface alongside the virtual adapter’s.
- “smit tcpip” -> “Minimum Configuration and Startup” -> select the new LHEA interface (e.g. en1, if en0 is the virtual adapter)
- Enter the hostname, public IP address, subnet mask and gateway for this adapter.
- Once the new adapter is initialized, remove the old one with “rmdev -dl”: the interface first (e.g. en0), then the adapter device (e.g. ent0).
- Ping a known DNS IP to test the configuration.
- Shut down the LPAR and activate the new profile to move the LPAR into the DMZ.
- Remove the entry from the NIM /etc/hosts file (I have forgotten to do this and it comes back to bite you…hard).
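The LPAR-side switch and the NIM-side cleanup from the list above, as a script. This is an added example, not from the original post. It assumes the temporary virtual adapter is en0/ent0, the LHEA shows up as en1, and it uses mktcpip (the command behind smit’s “Minimum Configuration and Startup”) rather than the smit menu. Addresses are validated before they reach any command, and DRY_RUN=1 (the default) prints the AIX commands instead of running them.

```shell
#!/bin/sh
# Added example, not from the original post: the LPAR-side adapter switch
# as a script, plus the NIM-side /etc/hosts cleanup that is easy to forget.
# Assumptions (not stated on the page): the temporary virtual adapter is
# en0/ent0, the LHEA appears as en1, and mktcpip (the command behind
# smit "Minimum Configuration and Startup") replaces the smit menu.
# DRY_RUN=1 (the default) prints the AIX commands instead of executing them.

DRY_RUN=${DRY_RUN:-1}

run() {
    if [ "$DRY_RUN" = 1 ]; then
        printf '%s\n' "$*"
    else
        "$@"
    fi
}

# Accept only a dotted quad with octets 0-255, so a typo or a pasted string
# can never reach mktcpip or the shell as anything but an address.
valid_ipv4() {
    case "$1" in
        *[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# switch_to_dmz HOSTNAME PUBLIC_IP NETMASK GATEWAY [NEW_IF] [OLD_IF] [OLD_ADAPTER]
# Run on the LPAR after the virtual adapter has been removed from the profile.
switch_to_dmz() {
    host=$1; ip=$2; mask=$3; gw=$4
    new_if=${5:-en1}; old_if=${6:-en0}; old_ent=${7:-ent0}
    if ! valid_ipv4 "$ip" || ! valid_ipv4 "$mask" || ! valid_ipv4 "$gw"; then
        echo "switch_to_dmz: invalid IPv4 address, mask or gateway" >&2
        return 1
    fi
    # Configure the LHEA interface with the public address and default route.
    run mktcpip -h "$host" -a "$ip" -m "$mask" -i "$new_if" -g "$gw"
    # Drop the temporary virtual adapter: the interface first, then the device.
    run rmdev -dl "$old_if"
    run rmdev -dl "$old_ent"
    # Confirm the new path works before shutting down for the profile change.
    run ping -c 3 "$gw"
}

# remove_temp_host HOSTS_FILE TEMP_IP
# Run on the NIM server: drop the temporary entry from an /etc/hosts-style
# file. awk compares the first field exactly (no regex, so dots stay literal)
# and the file is rewritten in place so its owner and mode are preserved.
remove_temp_host() {
    hosts=$1; tmp_ip=$2
    valid_ipv4 "$tmp_ip" || return 1
    awk -v ip="$tmp_ip" '$1 != ip' "$hosts" > "$hosts.tmp" || return 1
    cat "$hosts.tmp" > "$hosts" && rm -f "$hosts.tmp"
}
```

On the LPAR, source the file and call `DRY_RUN=0 switch_to_dmz dmzweb01 203.0.113.10 255.255.255.0 203.0.113.1` (adjust interface names to what ifconfig -a shows); on the NIM server, `remove_temp_host /etc/hosts 192.168.10.250` with your temporary address. Keep the dry run first: it lets you read the exact commands before the LPAR loses its only working network path.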
Note: from now on you will not be able to NFS-mount your NIM server from this LPAR. All file transfers must be done through SCP (or an alternative). This means any mksysb, monitoring or general maintenance scripts will need to differ from those of a normal LPAR.
Also, any communication between your new LPAR and servers such as TSM will need specific ports opened in the firewall. Ask your network team for details.