ISA on ESX (Full Version)






Carpish -> ISA on ESX (2.Oct.2009 11:40:50 AM)

Looking for technical reference material that documents issues with ISA running on a DMZ ESX server. This particular instance is designed to publish internal websites to the internet and will not be the only thing running on the ESX farm.

I've done a fair amount of research on the topic and my opinion thus far is people appear to be hesitant to say it's a bad idea.

Thanks in advance,
Brian




Jason Jones -> RE: ISA on ESX (2.Oct.2009 1:02:17 PM)

This may help:

http://technet.microsoft.com/en-us/library/cc891502.aspx

http://support.microsoft.com/kb/957006/

Cheers

JJ




Carpish -> RE: ISA on ESX (2.Oct.2009 2:19:35 PM)

Thank you JJ.

I understand it is supported, but is it smart?

Seems strange to me that I would want to trust ESX's networking code to route traffic to and from the ISA box as it should. Security vs. $$?

Curious,
Brian




Jason Jones -> RE: ISA on ESX (2.Oct.2009 6:43:23 PM)

Hi Brian,

It's an interesting debate and you've hit the nail on the head using the word "trust" as that is what it comes down to ultimately.

Call me old fashioned, but for edge/firewall solutions, I still tend to favour a physical solution with "air gaps". Don't get me wrong, I think Hyper-V/VMware are great technologies, but just because you can, doesn't necessarily mean you should [;)] 

If you do want to run virtual machines for edge or DMZ services, I would definitely use a dedicated ESX host which is physically separate from ESX which may be hosting internal or LOB applications. 

I know Tom has his own views on this subject, so hopefully he will chime in...

Cheers

JJ




Dumber -> RE: ISA on ESX (3.Oct.2009 6:32:59 AM)

This video might also be interesting to view.
http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/

The discussion to virtualize or not... Well, I think it's fine to do. However, at least one physical NIC is bound only to the ISA server and nothing else. So no IP addresses on that NIC, not even in ESX.
The video explains the possible architectures quite nicely.




Carpish -> RE: ISA on ESX (6.Oct.2009 12:17:19 PM)

Very good resource, thanks.

I was hoping Tom would post on the topic; most of what I can find of his out on the internet is around a year old and I was wondering if his stance had softened at all.

Thanks,
Brian




adimcev -> RE: ISA on ESX (7.Oct.2009 12:16:22 PM)

It's not that simple for one to just jump in and answer your question. [;)]
Security is always a tradeoff.
Like it or not, security and virtualization (will) mix together (yeah, I know the expression was lame), unless you are living under a rock.

It's not that you take ISA and run it as a virtual firewall protecting some VMs with it, and for that you do X and Y, and you did it right. Then if something bad happens you just blame VMware because it's insecure to run ISA in VMware.
I would like to go deeper into this, but that would require some (long) writing (as ISA is just a piece of the puzzle) and I feel kinda lazy right now (if I write a brief description one may feel I've left something out of the picture).

For example, this document from DISA for DoD has 100 pages and actually does not discuss a specific virtual network infrastructure; rather it goes and details VMware ESX and guidelines for implementing it (I highly recommend you read it if you go VMware's way, although it might be a little outdated when it comes to vSphere, but it may touch on the "trust" you are interested in):
http://iase.disa.mil/stigs/stig/esx_server_stig_v1r1_final.pdf

These are also worth reading:
http://www.vmware.com/files/pdf/vi35_security_hardening_wp.pdf
http://www.cisecurity.org/bench_vm.html

Additionally you can take a look at:
http://searchvmware.techtarget.com/tip/0,289483,sid179_gci1344826,00.html
Or:
http://www.vmware.com/files/pdf/network_segmentation.pdf
Or through:
http://blogs.vmware.com/security/

If this comforts you in any way:
http://www.vmware.com/files/pdf/customers/09Q1_ss_vmw_Army_III_english.pdf

A non-ISA example of the intersection of virtualization (VMware) and security:
http://www.rsa.com/go/DLP/video/vmware-dlp-video-320x240-24MB.wmv

As you can note, hypervisors have evolved, and they can now address other things, things they could not address in the past (including in the security area).

What I'm saying is that it is not secure or insecure to run ISA in VMware or Hyper-V; this is what you (or the person in the position of deciding in your company) decide based on your company's needs and infrastructure (I doubt you are supposed to detail these on a forum so that a reasonable opinion can be given).


Thanks,
Adrian




gavind -> RE: ISA on ESX (17.May2013 2:56:18 PM)

quote:

ORIGINAL: Dumber

This video might also be interesting to view.
http://edge.technet.com/Media/Virtualize-your-ISA-or-Forefront-TMG-servers/

The discussion to virtualize or not... Well, I think it's fine to do. However, at least one physical NIC is bound only to the ISA server and nothing else. So no IP addresses on that NIC, not even in ESX.
The video explains the possible architectures quite nicely.


Thank you for posting this up. This included detailed steps as I'm trying to set up Hyper-V.




bluebird5 -> RE: ISA on ESX (5.Feb.2014 10:57:50 PM)

I'm still very confused over the difference between IAG and ISA. Specifically, I have two points. We have remote users using RPC over HTTP; can I use the ISA server within IAG to publish that? And we have a third party antispam company. Our current firewall is set up to only receive SMTP from their range of addresses. Can I set up the ISA server within IAG to handle that firewall rule?



