You should leave vSS 0 with its existing uplink and the existing management vmkernel port. Create a virtual machine port group on that same switch. Move the other uplink to vSS 0 afterwards.
Should I first remove vSS 1 before doing this? I'm afraid that this will affect my Sophos UTM management (changing the NIC designated to LAN network). Do you mean by "move the other uplink to vSS 0 afterwards" you are talking about NIC teaming?
I don't know what it is you're trying to accomplish here and how this Sophos VM fits into the picture, but if you want isolation between those VLANs and yet still allow systems on each to talk out to the internet, then that becomes a matter of routing. You'll have to handle the routing outside of ESXi and configure your rules appropriately.
Yeah, me to . As a already said I don't know how to configure VLAN in that virtual switch. I mean I know why to use VLAN and how it works but I'm having trouble to configure this correctly.
Let me explain further. As you can see from the attached picture I have a spare NIC which is assigned to vSS 3. I hope this is OK. In this vSS 3 a have three port groups with 1-3 virtual machines in each port group. What I'm trying to accomplish here is that each port group (client, guest and server) is isolated from another (client VMs can't access guest VM and server VMs, guest VMs can't access client VMs and server VMs and so on) but all VMs in port groups have access to the internet. Now, should I connect that NIC assigned to vSS 3 to physical L2 switch with trunk/tag port and let Sophos UTM (router/firewall....) deal with that. I think this is the case because Sophos UTM is acting as Layer 3 switch (router) which should do all the routing. Am I thinking right or I'm still on the wrong path.