ISA 2006 Array on VMWARE ESX server

ISA 2006 Array on VMWARE ESX server - 2.Jun.2007 6:16:15 AM   
intersimi

 

Posts: 47
Joined: 12.May2007
Status: offline
Hi,

I have an Exchange environment that I am building. The environment includes OWA, RPC over HTTP and ActiveSync. I will be using ISA 2006 EE in an array for this environment.

All of the servers are to be installed as Guests on ESX, spread across 4 Host servers.

My query is based around the load balancing of the Array. I have seen various threads that state that Load Balancing an ISA array using native ISA balancing is problematic on VMWare. Is this the case?

If ISA array load balancing is going to be an issue, I guess the easiest solution would be to employ a network load balancer and round robin the requests to the ISA servers public interfaces.

How would the internal clients connect to the array? Would a network device also have to be employed? I am guessing it would.

Advice needed please.

_____________________________

regards,

Intersimi
Post #: 1
RE: ISA 2006 Array on VMWARE ESX server - 11.Jun.2007 9:09:02 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
For security reasons and to get NLB working, get the ISA Firewall off the VM and put it on a dedicated Firewall machine.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to intersimi)
Post #: 2
RE: ISA 2006 Array on VMWARE ESX server - 13.Jun.2007 2:56:52 AM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
To make NLB work in VMs, make sure that the ESX host virtual switch is configured with Notify Switches = No.

Then it will work.

ISA Server can safely be run in a VM, as long as you have a separate vSwitch etc.

(in reply to tshinder)
Post #: 3
RE: ISA 2006 Array on VMWARE ESX server - 13.Jun.2007 10:03:33 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi theRob,

Remember, virtualization is not a security technology, therefore you should not fully trust the partitioning between VMs. That's why ISA Firewall shouldn't be run in VMs in a production environment. For testing it's great, but never in production.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 4
RE: ISA 2006 Array on VMWARE ESX server - 14.Jun.2007 3:29:22 AM   
justmee

 

Posts: 505
Joined: 14.May2007
Status: offline
I would definitely agree with Tom.
A firewall is a physical machine used to provide physical segmentation.
ISA would run on top of the OS, protecting itself (therefore the host and the OS).
Even in the dumb single adapter scenario (the Web Proxy Filter is an application filter and not an independent service) the host (OS) will be protected by ISA.
Run on a VM, ISA will protect the guest and not the host, therefore the host will be vulnerable and ISA will not be able to do anything.
Consider that you actually are using VMware Server (the free software from VMware) and install ISA with two adapters, one bridged to the physical NIC and a VMnet one. On the local-only network you would put some servers you want to protect with ISA. If an attacker compromises the real host, enabling the VMnet adapter on the host (which should be disabled) will give him direct access to the servers "behind" ISA.
Whatever you would do on the host to protect the VMs, the attacker can do too, in the opposite way, once he has compromised the host.
Regards.

(in reply to tshinder)
Post #: 5
RE: ISA 2006 Array on VMWARE ESX server - 20.Jun.2007 12:28:58 PM   
theRob

 

Posts: 103
Joined: 31.Aug.2003
From: The Netherlands
Status: offline
The poster stated that the virtualization software used is VMware ESX and not VMware Server.

Installing ISA as a virtual machine just depends on the environment you are in.

(in reply to justmee)
Post #: 6
RE: ISA 2006 Array on VMWARE ESX server - 21.Jun.2007 6:31:51 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
ESX is no more secure than GSX (virtual server).

My point is that virtualization goals are not the same as security goals. There's no replacement for dedicating a box to your network security devices.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to theRob)
Post #: 7
RE: ISA 2006 Array on VMWARE ESX server - 26.Oct.2008 8:27:12 AM   
pietergerritse

 

Posts: 12
Joined: 23.Oct.2008
Status: offline
If we trust VLANs on switches, why not trust VMs on servers?

(in reply to tshinder)
Post #: 8
RE: ISA 2006 Array on VMWARE ESX server - 26.Oct.2008 8:47:30 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
As far as I am aware, now that MS has got Hyper-V, then ISA is now supported in a VM.

As to ESX, much more secure than Hyper-V

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to pietergerritse)
Post #: 9
RE: ISA 2006 Array on VMWARE ESX server - 26.Oct.2008 8:47:58 AM   
SteveMoffat

 

Posts: 1130
Joined: 29.Jun.2001
From: Hamilton, Bermuda
Status: offline
In my opinion....

_____________________________

Thanks
Steve

ISA 2006 Book! - http://tinyurl.com/2gpoo8
TMG Bible - http://tinyurl.com/ykv85hr
www.isaserver.bm

The built in ISA help is likely the most comprehensive help built into an application anywhere. USE it!!! Search it!!! RTFM

(in reply to SteveMoffat)
Post #: 10
RE: ISA 2006 Array on VMWARE ESX server - 26.Oct.2008 10:32:13 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: SteveMoffat

In my opinion....


Coward!

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to SteveMoffat)
Post #: 11
RE: ISA 2006 Array on VMWARE ESX server - 2.Nov.2008 5:30:16 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
quote:

As far as I am aware, now that MS has got Hyper-V, then ISA is now supported in a VM.

I would say spot on Steve, just spot on...

As for the virtual switches, they say:
quote:

Layer 2 network security policies.  Enforce security for virtual machines at the Ethernet layer. Disallow promiscuous mode sniffing of network traffic, MAC address changes, and forged source MAC transmits

And the fun is yet to come, next year, we will get a Cisco virtual switch, yay!

Regarding Hyper-V vs ESX, allow me to drop the marketing bombs, 1 and 2.
There is no question that VMware is ahead of Microsoft, but personally, I kinda like Hyper-V (yes, although I'm a VMware fan). I usually and normally use VMware ESX most of the time, but I also have a Hyper-V server with which I mess from time to time, sometimes more often...

As Tom said, in the end, it's all about the level of security you will expect to get and that you will obtain in practice, comparing a VM with a physical machine. A decision has to be made in respect with a proper acknowledgment of the facts, and as Steve noted, not omitting the hypervisor used.

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Jason Jones)
Post #: 12
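
Added example, not part of any post in this thread: a PowerShell check that reports, per virtual switch, the settings the thread names, namely Notify Switches (post #3) and the three Layer 2 policies quoted in post #12. The function name, switch names and sample objects are constructed; the property names follow the objects returned by VMware PowerCLI's Get-NicTeamingPolicy and Get-SecurityPolicy, and the commented lines at the end assume PowerCLI with an existing Connect-VIServer session.

```powershell
# Report-only check: nothing here changes a vSwitch.
function Get-VSwitchFinding {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] $Teaming,   # object with .NotifySwitches
        [Parameter(Mandatory)] $Security   # object with .AllowPromiscuous, .MacChanges, .ForgedTransmits
    )
    $findings = @()
    # Post #3: NLB in VMs wants Notify Switches = No on the vSwitch.
    if ($Teaming.NotifySwitches)    { $findings += 'Notify Switches = Yes' }
    # Post #12 (quoted feature list): Layer 2 policies that can be disallowed.
    if ($Security.AllowPromiscuous) { $findings += 'promiscuous mode allowed' }
    if ($Security.MacChanges)       { $findings += 'MAC address changes allowed' }
    if ($Security.ForgedTransmits)  { $findings += 'forged transmits allowed' }

    $text = if ($findings) { $findings -join '; ' } else { 'none' }
    [pscustomobject]@{ VSwitch = $Name; Findings = $text }
}

# Constructed sample input (hypothetical switch names), so the check runs offline.
$sample = @(
    @{ Name     = 'vSwitch1-ISA-External'
       Teaming  = [pscustomobject]@{ NotifySwitches = $true }
       Security = [pscustomobject]@{ AllowPromiscuous = $false; MacChanges = $true; ForgedTransmits = $true } },
    @{ Name     = 'vSwitch2-ISA-Internal'
       Teaming  = [pscustomobject]@{ NotifySwitches = $false }
       Security = [pscustomobject]@{ AllowPromiscuous = $false; MacChanges = $false; ForgedTransmits = $false } }
)
foreach ($s in $sample) { Get-VSwitchFinding @s }

# Live data (assumption: VMware PowerCLI loaded, Connect-VIServer already done):
# Get-VirtualSwitch -Standard | ForEach-Object {
#     Get-VSwitchFinding -Name $_.Name `
#         -Teaming  ($_ | Get-NicTeamingPolicy) `
#         -Security ($_ | Get-SecurityPolicy)
# }
```

The thread does not say whether NLB still converges once MAC changes and forged transmits are rejected, so treat the output as a review list and test the array before tightening those policies.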
RE: ISA 2006 Array on VMWARE ESX server - 5.Nov.2008 9:28:50 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
That's very interesting regarding the Cisco managed switch. It would be very interesting to see how these are deployed, and if MS has plans for its own virtual managed switch offerings. Exciting stuff!

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 13
RE: ISA 2006 Array on VMWARE ESX server - 5.Nov.2008 11:42:38 AM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Hi Tom,
Yep, that's cool stuff!
This is a quick view over that virtual switch and VMware. In this article they mention about Intel too working with VMware (as they say, no surprise...).

Colin McNamara covers in a few articles this subject:
http://www.colinmcnamara.com/2008/09/16/cisco-releases-nexus-1000v-virtual-switch-for-vmware
http://www.colinmcnamara.com/2008/03/15/challenges-integrating-vmware-into-cisco-networks
http://www.colinmcnamara.com/2008/09/17/altor-virtual-network-security-analyzer-vnsa-integrated-with-ciscos-nexus-1000v-for-vmware
He also points out some YouTube techwise videos about that, this one looks interesting.

Cisco have signed into Microsoft's Server Virtualization Validation Program (maybe for their WAAS).
I can't see what would stop Microsoft to also get a Cisco virtual switch for example for Hyper-V, if they would really want to.
In my opinion, Microsoft got a good start with Hyper-V, a nice product, and the future looks promising.

No PM links on your profile, eh?
Too bombarded?
I had some links that might explain the question about the Hyper-V networks from your new article.
I'll just send you an email, maybe, unusually, you will receive this one.

Cheers!
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 14
RE: ISA 2006 Array on VMWARE ESX server - 5.Nov.2008 2:27:21 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Regarding the supported thing:
- according to the below link, ISA is officially supported by Hyper-V:
http://www.microsoft.com/windowsserver2008/en/us/hyperv-app-support.aspx
quote:

Support for the listed applications is provided for the applications running on Hyper-V and other validated virtualization platforms. More details can be found in Microsoft Support Knowledgebase article 957006: Microsoft server software and supported virtualization environments.


- according to the below link, Microsoft server software and supported virtualization environments, which lists ISA Server:
http://support.microsoft.com/kb/957006
quote:

This article discusses the support policy for running Microsoft server software in the following supported virtualization environments:
•    Windows Server 2008 with Hyper-V
•    Microsoft Hyper-V Server 2008
•    Server Virtualization Validation Program (SVVP)

MORE INFORMATION
The third-party products that this article discusses are manufactured by companies that are independent of Microsoft. Microsoft makes no warranty, implied or otherwise, about the performance or reliability of these products.

Third parties are responsible for testing their software together with Microsoft software. Microsoft software may not work as intended in third-party virtualized hardware environments.

And VMware ESX 3.5 U2 has passed the Microsoft Server Virtualization Validation Program (SVVP):
http://www.vmware.com/company/news/releases/svvp.html
quote:

VMware Lays Foundation for Broader Market Penetration by Giving Customers Access to Support for Software For All Major Microsoft Applications such as Microsoft Exchange Server, SQL Server, SharePoint Server and others across Virtualized Environments

PALO ALTO, Calif. – Sept 3, 2008 -- VMware, Inc. (NYSE: VMW), the global leader in virtualization solutions from the desktop to the datacenter, today announced it has qualified its industry-leading VMware ESX hypervisor under the Microsoft Server Virtualization Validation Program (SVVP). VMware ESX 3.5 update 2 (ESX 3.5u2) is the first hypervisor to be listed under the program, providing VMware customers who run Windows Server and Microsoft applications with access to cooperative support from Microsoft and VMware.

Microsoft’s Server Virtualization Validation Program enables VMware and other software providers to test and validate their virtualization software to run Windows Server 2008 and previous versions of Windows Server. Under this program, Microsoft offers cooperative technical support to customers running Windows Server on validated, non-Microsoft server virtualization software, such as VMware ESX 3.5 update 2. Customers with support policies in place, and running Windows Server-based applications on VMware ESX 3.5u2, can receive cooperative technical support from Microsoft. VMware also offers an extra layer of protection for customers, outside of Microsoft’s Server Virtualization Validation Program, who work directly with VMware for support. The additional protection is a part of the VMware Premier Support contract with Microsoft that enables VMware to escalate application issues rapidly and work directly with Microsoft engineers to expedite resolution.

http://blogs.technet.com/virtualization/archive/2008/09/03/The-Validated-Hypervisor.aspx
quote:

By now you might have seen that VMware ESX 3.5 update 2 has passed the Microsoft Server Virtualization Validation Program. They announced it here.

http://windowsservercatalog.com/svvp.aspx?svvppage=svvp.htm
http://windowsservercatalog.com/svvp.aspx?svvppage=svvpsupport.htm
http://windowsservercatalog.com/svvp.aspx?svvppage=svvpfaq.htm

- according to this link, http://www.microsoft.com/presspass/press/2008/aug08/08-19EasyPathPR.mspx :
quote:

Expanded Technical Support

Microsoft has updated its technical support policy for 31 server applications so that customers can receive technical support when deploying those applications on Windows Server 2008 Hyper-V, Microsoft Hyper-V Server or any other third-party validated virtualization platform. Now customers can get the same level of product support in a virtualized environment that they are accustomed to with nonvirtual environments.


So it appears (maybe someone can confirm with a real situation) that ISA is officially supported in ESX 3.5 U2 too.

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to adimcev)
Post #: 15
RE: ISA 2006 Array on VMWARE ESX server - 9.Nov.2008 10:49:31 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

Thanks! All great info.

I got the email message from you about the Hyper-V networks. Thanks for that!

Tom



_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 16
RE: ISA 2006 Array on VMWARE ESX server - 11.Nov.2008 4:16:02 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
Hi Tom,
What's more secure: ISA deployed as a firewall as a VM or ISA deployed in Hork Mode™ as a physical machine?
I suppose the worst scenario would be Hork Mode™ as a VM...
Just joking....

Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to tshinder)
Post #: 17
RE: ISA 2006 Array on VMWARE ESX server - 12.Nov.2008 8:56:13 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Adrian,

Hork Mode™ will always be unsecure! Of course, so is an ISA firewall in a VM (unless you found a way to make it impossible to jump VM boundaries)

Thanks!
Tom 

< Message edited by tshinder -- 12.Nov.2008 8:57:18 AM >


_____________________________

Thomas W Shinder, M.D.

(in reply to adimcev)
Post #: 18
RE: ISA 2006 Array on VMWARE ESX server - 6.Nov.2011 6:33:16 PM   
xpander1

 

Posts: 4
Joined: 11.Oct.2011
Status: offline
Interesting read... any thoughts have changed on this?
What about installing a backend ISA box on VMware with frontend ISA on hardware?

(in reply to tshinder)
Post #: 19
