Eric, i would of said that, but needed to type quicker to post before you..!!

This doc has a whole chapter on security that has port diagrams and tables...

http://www.vmware.com/pdf/vi3_301_201_server_config.pdf

Lots of good information here. My first thought was to put the service console on the corporate network. I ran that by one of the network people, and the initial answer was no, we keep all the connections on the DMZ network and provide access via firewall rules.

I'm expecting we will have some interesting conversations about this. Our Infosec doesn't always see eye-to-eye with other groups. We shall see.

They probably do not want you bridging the network with the ESX server which is something you do not want to do with traditional servers. You never want a server with multiple NIC's straddling the firewall. One exception to this is ESX. It is a very secure environment and if you read through some of the links I provided you will see this is a common practice when deploying ESX to DMZ's. If you stick your Service Console in the DMZ and it is hacked it's like handing over the keys to your car. All your VM's are vulnerable if the SC is compromised.

There are alot of unusual concepts in a VMware environment that many network guys are not used to. It's always a challenge trying to get them to change there ways. It helps to sit down with them and make them understand the unique networking features of Vmware (the concept of Vswitches, Vnics, Vmotion, Vlan tagging, Port groups, etc.). Once they understand more about it they tend to put up less resistance when you come to them with requests.