I will be SO STOKED to see this VMWare doc! Thanks for taking the time to do this. Since new PCs for testing become expensive as the tests multiply, VMWare is the only way I test anymore. This will be a treat, I'm sure...
The doc is delayed, but not forgotten. Work will start on it today and it should take a couple of days to get things ready for publication. I'd like it to be the base doc for all the stuff I do for ISA 2004 for the next three years. With everyone working from the same base config, we'll all be on the same page, and will be able to easily share config files!
I would recommend VPC 2004 by Microsoft; it works great for ISA 2004 and allows you to have one network card on the physical box and, in the VPC console, add up to 4 virtual network cards based on any installed on the machine.
I hear VPC isn't bad, but for some of the more detailed network scenarios we'll be working with in the future in my books and on this site, we'll need, in some cases, to use all 9 virtual switches that VMware provides. But for simple scenarios, VPC is supposed to work fine.
quote:Originally posted by <Jared>: If I've got the terminology correct...
VS beta appears to support numerous "virtual networks" which I believe are equivalent to virtual switches. I configured about 15 with no limit in sight so it should support your 9 switch requirement.
To be independent of each other, each virtual network has to connect to some NIC: physical, vlan, or loopback. I didn't take the time to add that many loopbacks but it looks like it should work.
The VMs are still limited to the 4 virtual NICs I mentioned before so that limits how complex a single virtual ISA server could get.
It may be similar. What I wonder is if these virtual networks are isolated Ethernet broadcast domains, in the same way that VMware networks are. You'll run into issues if they are on the same Ethernet broadcast domain when doing troubleshooting and testing. I know, I used to put all hosts on the same VMnet and just assigned different network IDs to the hosts, and made some big boo boos because the results were spurious and made it appear as if the ISA firewall performed proxy ARP (which it does not).
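The same-VMnet mistake described in the post above is easy to catch before powering anything on, because each VM's .vmx file records which VMnet every NIC sits on. The script below is an added example, not code from the forum or from VMware: it reads the real .vmx keys ethernetN.present, ethernetN.connectionType and ethernetN.vnet, maps each NIC to its broadcast domain (VMware's defaults are bridged = VMnet0, host-only = VMnet1, NAT = VMnet8; "custom" names the vnet explicitly), flags any VM whose NICs share one VMnet, and lists which VMs share each domain. The .vmx fragments and VM names are constructed for the demonstration.

```python
"""Audit VMware .vmx files for lab network segmentation.

Added example, not from the forum post or from VMware. It reads the
.vmx keys ethernetN.present / ethernetN.connectionType / ethernetN.vnet
and maps each NIC to the VMnet it sits on (bridged = VMnet0,
host-only = VMnet1, NAT = VMnet8 are VMware's defaults; "custom" carries
an explicit vnet). It then reports any VM with two NICs in the same
broadcast domain and lists which VMs share each VMnet so the layout can
be checked against the intended segmentation.
"""
import re
from collections import defaultdict

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')
NIC_PRESENT = re.compile(r'^(ethernet\d+)\.present$')

# VMware's default switch assignments for the non-"custom" connection types.
DEFAULT_VNET = {"bridged": "vmnet0", "hostonly": "vmnet1", "nat": "vmnet8"}


def parse_vmx(text):
    """Parse key = "value" lines of a .vmx file into a dict (keys lowercased)."""
    cfg = {}
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        if m:
            cfg[m.group(1).lower()] = m.group(2)
    return cfg


def nic_segments(cfg):
    """Map each present ethernetN to the VMnet (broadcast domain) it connects to."""
    segments = {}
    for key, val in cfg.items():
        m = NIC_PRESENT.match(key)
        if not m or val.lower() != "true":
            continue
        nic = m.group(1)
        ctype = cfg.get(f"{nic}.connectiontype", "bridged").lower()
        if ctype == "custom":
            segments[nic] = cfg.get(f"{nic}.vnet", "").lower() or "custom-unset"
        else:
            segments[nic] = DEFAULT_VNET.get(ctype, ctype)
    return segments


def audit(vmx_files):
    """vmx_files: {vm_name: vmx_text}. Returns (problems, members).

    problems: list of strings, one per VM whose NICs share a VMnet.
    members:  {vmnet: sorted ["vm:ethernetN", ...]} for every VMnet in use.
    """
    problems = []
    members = defaultdict(list)
    for vm, text in vmx_files.items():
        segs = nic_segments(parse_vmx(text))
        seen = defaultdict(list)
        for nic, seg in segs.items():
            seen[seg].append(nic)
            members[seg].append(f"{vm}:{nic}")
        for seg, nics in seen.items():
            if len(nics) > 1:
                problems.append(
                    f"{vm}: {' and '.join(sorted(nics))} are both on {seg}; "
                    "a firewall with both legs in one broadcast domain gives "
                    "misleading results (looks like proxy ARP)")
    return problems, {seg: sorted(v) for seg, v in members.items()}


# Constructed sample .vmx fragments (not real files): one ISA firewall done
# right, a web server behind it, a second "firewall" done wrong, and an
# Exchange box with a disabled second NIC.
SAMPLE_VMX = {
    "isa": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "bridged"\n'
           'ethernet1.present = "TRUE"\nethernet1.connectionType = "custom"\n'
           'ethernet1.vnet = "VMnet2"\n',
    "web": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "custom"\n'
           'ethernet0.vnet = "VMnet2"\n',
    "dmz-isa": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "custom"\n'
               'ethernet0.vnet = "VMnet2"\n'
               'ethernet1.present = "TRUE"\nethernet1.connectionType = "custom"\n'
               'ethernet1.vnet = "VMnet2"\n',
    "exch": 'ethernet0.present = "TRUE"\nethernet0.connectionType = "custom"\n'
            'ethernet0.vnet = "VMnet3"\n'
            'ethernet1.present = "FALSE"\nethernet1.connectionType = "nat"\n',
}

if __name__ == "__main__":
    problems, members = audit(SAMPLE_VMX)
    for seg in sorted(members):
        print(f"{seg}: {', '.join(members[seg])}")
    for p in problems:
        print("PROBLEM", p)
```

Run it against the .vmx files of a whole lab directory and compare the per-VMnet membership list with the network diagram you meant to build; the "dmz-isa" sample shows the case the post warns about, both firewall legs in one broadcast domain.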
quote:Originally posted by canada: ISA 2000 & 2004 beta work great on VMware; I also do my testing using it.
Two NICs: one on the bridged network, which represents the internal ("domain") network, and the second on the NAT network, which I treat as my ISP.
If you need a DNS record, considering you're using a DHCP DSL connection, you can use the dynamic DNS providers. I published an Exchange 2000 server behind ISA.
VMware just needs a small tune-up of the configuration file vmnetnat.conf to allow the incoming TCP & UDP ports into your virtual machine.
The one I use is VMware GSX 2.5.1 & now ver. 3, with 2 NICs, 3 server OSes and a client OS on a W2K Server host. It just needs enough RAM.
Tested with W2K & ISA 2000, W2K3 & ISA 2004.
I bet other configurations are also possible (back-to-back and tri-homed) but not tested yet.
Hope this will help.
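The vmnetnat.conf tune-up mentioned in the post above is the [incomingtcp] and [incomingudp] sections of VMware's NAT service configuration, which forward a port on the host's NAT interface to a port on a VM. The fragment below is an added example, not the poster's file: it assumes the ISA VM's NAT-side (external) address is 192.168.202.100 and forwards the ports a published Exchange server would need.

```ini
; vmnetnat.conf fragment (VMware NAT service). Added example, not from
; the post. Assumed: ISA's NAT-side address is 192.168.202.100.
; Format of each entry: <host port> = <VM IP address>:<VM port>

[incomingtcp]
; Anyone who can reach the host's NAT interface can reach these.
80 = 192.168.202.100:80
443 = 192.168.202.100:443
25 = 192.168.202.100:25

[incomingudp]
53 = 192.168.202.100:53
```

The host port on the left must not already be bound by a service on the host (IIS or an SMTP service listening on 80/443/25 would collide), and the VMware NAT service has to be restarted for edits to take effect. Because the NAT service rewrites the source address, the ISA logs will show connections arriving from the NAT gateway rather than from the original remote client.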
Interesting config! I've never used the NAT network and usually disable it because I never need it. I just assign the bridged adapter a default gateway address that points to the actual Internet router on the live network. Then all hosts are assigned to different VMnets so that the networks are logically and physically separated (like actual segmented Ethernet networks).
quote:Originally posted by tshinder: It may be similar. What I wonder is if these virtual networks are isolated Ethernet broadcast domains, in the same way that VMware networks are.
I have never used VMware and VS sounds quite a bit simpler. Basically, you can configure your virtual networks however you want. If you made two separate vnets that did not share the same physical NIC, loopback, or external network, then the two networks are completely separate and no broadcasts would reach the other network.
Hey Tom, what's the status on the VMWare document?
The way I have my system set up:
ISA VM (2 NICs):
  External NIC: NAT (treat host machine as ISP)
    IP: 192.168.202.100, 192.168.202.101
    DG: 192.168.202.2 (host)
    DNS: 192.168.202.2
  Internal NIC:
    IP: 192.168.142.100
    DG: none
Web Server VM (1 NIC):
  Internal NIC:
    IP: 192.168.142.120
    DG: 192.168.142.100 (ISA)
    DNS: 192.168.202.2
I've got Web Publishing enabled and have set "Proxy requests to published server" to "Requests appear to come from the original client".
This new capability is sweet! Now my web logs have the remote client's IP!
The next thing I want to configure is Server Publishing to an internal SMTP server. This server will accept connections on the 2nd external IP (192.168.202.101).
One of the problems with ISA 2000 is that outbound connections always come from the default IP of the ISA server. This was not what I wanted, because my MX record had the 2nd IP and I only want my SMTP server to send mail from this IP.