ISA on ESX

ISA on ESX - 2.Oct.2009 11:40:50 AM   
Carpish

 

Posts: 3
Joined: 2.Oct.2009
Status: offline
Looking for technical reference material that documents issues with ISA running on a DMZ ESX server. This particular instance is designed to publish internal websites to the internet and will not be the only thing running on the ESX farm.

I've done a fair amount of research on the topic and my opinion thus far is people appear to be hesitant to say it's a bad idea.

Thanks in advance,
Brian
Post #: 1
RE: ISA on ESX - 2.Oct.2009 1:02:17 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
This may help:

http://technet.microsoft.com/en-us/library/cc891502.aspx

http://support.microsoft.com/kb/957006/

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Carpish)
Post #: 2
RE: ISA on ESX - 2.Oct.2009 2:19:35 PM   
Carpish

 

Posts: 3
Joined: 2.Oct.2009
Status: offline
Thank you JJ.

I understand it is supported, but is it smart?

Seems strange to me that I would want to trust ESX's networking code to route traffic to and from the ISA box as it should. Security vs. $$?

Curious,
Brian

(in reply to Jason Jones)
Post #: 3
RE: ISA on ESX - 2.Oct.2009 6:43:23 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Brian,

It's an interesting debate and you've hit the nail on the head using the word "trust" as that is what it comes down to ultimately.

Call me old fashioned, but for edge/firewall solutions, I still tend to favour a physical solution with "air gaps". Don't get me wrong, I think Hyper-V/VMware are great technologies, but just because you can, doesn't necessarily mean you should.

If you do want to run virtual machines for edge or DMZ services, I would definitely use a dedicated ESX host which is physically separate from ESX which may be hosting internal or LOB applications.

I know Tom has his own views on this subject, so hopefully he will chime in...

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to Carpish)
Post #: 4
RE: ISA on ESX - 3.Oct.2009 6:32:59 AM   
Dumber

 

Posts: 278
Joined: 21.Mar.2008
Status: offline
This video might also be interesting to view.
http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/

The discussion to virtualize or not... Well, I think it's fine to do. However, at least one physical NIC is only bound to the ISA server and nothing else. So no IP addresses on that NIC, not even in ESX.
The video explains it quite nicely about the possible architectures.

_____________________________

Marcel
Netherlands

MCTS, MCITP (SA,EA) MCP, MCSA:Security, MCSE:Security, CCNA, CCSA, CCSE, CCSE+
No matter how secure, there is always the human factor.
http://www.phetios.com/

(in reply to Jason Jones)
Post #: 5
RE: ISA on ESX - 6.Oct.2009 12:17:19 PM   
Carpish

 

Posts: 3
Joined: 2.Oct.2009
Status: offline
Very good resource, thanks.

I was hoping Tom would post on the topic, most of what I can find of his out on the internet is around a year old and I was wondering if his stance had softened at all.

Thanks,
Brian

(in reply to Dumber)
Post #: 6
RE: ISA on ESX - 7.Oct.2009 12:16:22 PM   
adimcev

 

Posts: 380
Joined: 19.Oct.2008
Status: offline
It's not as simple as just jumping in and answering your question.
Security is always a tradeoff.
Like it or not, security and virtualization (will) mix together (yeah, I know the expression was lame), unless you are living under a rock.

It's not that you take ISA and run it as a virtual firewall protecting some VMs with it, and for that you do X and Y, and you did it right. Then if something bad happens, just blame VMware 'cause it's insecure to run ISA in VMware.
I would like to go deeper into this, but that would require some (long) writing (as ISA is just a piece of the puzzle) and I feel kinda lazy right now (if I write a brief description one may feel I've left something out of the picture).

For example, this document from DISA for DoD has 100 pages and actually does not discuss a specific virtual network infrastructure, rather it goes and details VMware ESX and guidelines for implementing it (I highly recommend reading it if you go VMware's way, although it might be a little outdated when it comes to vSphere, but may touch the "trust" you are interested in):
http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf

These are also worth reading:
http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf
http://www.cisecurity.org/bench_vm.html

Additionally you can take a look at:
http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1344826,00.html
Or:
http://www.vmware.com/files/pdf/network_segmentation.pdf
Or through:
http://blogs.vmware.com/security/

If this comforts you in any way:
http://www.vmware.com/files/pdf/customers/09Q1_ss_vmw_Army_III_english.pdf

A non-ISA example of intersection of virtualization (VMware) and security:
http://www.rsa.com/go/DLP/video/vmware-dlp-video-320x240-24MB.wmv

As you can note, hypervisors evolved, and they can now address other things, things in the past they could not address (including in the security area).

What I'm saying is that it is not secure or insecure to run ISA in VMware or Hyper-V; this is what you (or the person in the position of deciding in your company) decide based on your company's needs and infrastructure (I doubt you are supposed to detail these on a forum so that a reasonable opinion can be given).


Thanks,
Adrian

_____________________________

Blog: http://www.carbonwind.net/blog

Get Our ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Carpish)
Post #: 7
RE: ISA on ESX - 17.May.2013 2:56:18 PM   
gavind

 

Posts: 13
Joined: 30.Mar.2013
Status: offline
quote:

ORIGINAL: Dumber

This video might also be interesting to view.
http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/

The discussion to virtualize or not... Well, I think it's fine to do. However, at least one physical NIC is only bound to the ISA server and nothing else. So no IP addresses on that NIC, not even in ESX.
The video explains it quite nicely about the possible architectures.


Thank you for posting this up. This included detailed steps as I'm trying to set up Hyper-V.

(in reply to Dumber)
Post #: 8
RE: ISA on ESX - 5.Feb.2014 10:57:50 PM   
bluebird5

 

Posts: 1
Joined: 5.Feb.2014
Status: offline
I'm still very confused over the difference between IAG and ISA. Specifically, I have two points. We have remote users using RPC over HTTP; can I use the ISA server within IAG to publish that? And we have a third-party antispam company. Our current firewall is set up to only receive SMTP from their range of addresses. Can I set up the ISA server within IAG to handle that firewall rule?

_____________________________

Smile PleazZZZzzzZZZzzzz

(in reply to gavind)
Post #: 9
