I'm wondering if anybody has set up their ISA server in MS Virtual Server. I want to rebuild my home network and was looking to virtualize/consolidate ISA, an IIS6 box, and two domain controllers. I would probably use at least 3 NICs: external ISA, internal ISA, internal routable. I'm having trouble envisioning how the networking would work between the virtual and physical worlds on the external interface.
I would create the ISA Virtual Server image with 2 NICs and bind each to their respective physical counterparts. But here is the rub: when I assign the physical IP information from my DSL router, it will be bound to the physical NIC. I can't assign the same IP to the virtual external NIC because I'll get an IP conflict. So do I assign another IP to the virtual external NIC and use a static route?
Would this cause any issues with publishing OWA or cause any NAT issues since I'll be using VPN?
Ahhh, but my company's close relationship with MS allows me to use Virtual Server for my home lab.
The thing about Virt Srv is that there isn't NAT functionality within it. So I'm a bit confused on how I would configure this network. The problem here is that I only have one external IP which would have to be bound to the physical network card on the virtual server host. So what I'm thinking of doing is setting up my network as in the following:
DSL Router -> Linksys Router -> Virt Srv Host Nic1 (bound to External Virtual ISA NIC)
I could then port forward 80/443/25 to the internal non routable IP bound to the ISA's external virtual interface.
Since the Linksys router is just port forwarding, would I lose any functionality in ISA's ability to inspect packets or publish services such as OWA or RPC over HTTP?
I am REALLY interested in the answers to this one because I am in the same boat. I have a single fixed IP from my ISP, and I usually set it on the external interface of a physical server. I would love to run the whole thing virtually, but am not sure how to do it cleanly.
How could a bound virtual interface be set up with the same IP address and subnet mask, etc. as the physical interface?
I don't think Virtual Server is going to allow us to bind the IP to both network cards. So I think we are going to have to do this by having a router in the front that routes all traffic to ISA for stateful packet inspection. I plan on using a Linksys broadband router and disabling the firewall altogether. I'm hoping somebody has tried this and could give some guidance. I'm probably a few weeks away from even having time to do this, but I'll be sure to post my findings.
Another thing I'm thinking of is just using Windows IP routing (enable IP forwarding). You would have at least 3 NICs just like you normally would. The external NIC (NIC 1) would have the internet routable IP address. IP routing would then route all traffic to an internal address bound to NIC 2 (that would then be considered the external interface in ISA). This could also serve as a DMZ. The 3rd NIC would be considered the internal side of ISA and where you would bind other virtual guests to.
What does everybody think? My main concern is obviously not breaking anything, but I don't want to lose any functionality that I have today (VPN in, publishing multiple web sites, and OWA).
Hi Tom, So I started whiteboarding this out and now I think I'm more confused than when I started. I'm trying to figure out the best way to set this up in Virtual Server. I have had no problems setting it up as long as it is completely isolated in virtual server networks. But now I would like to run it in production this way.
Right now I have a Virtual Server host with 3 physical NICs installed. I have created two networks bound to two of the network adapters just for ISA. The other adapter will be regular file server access to the vshost, which is a file server as well. I'm getting confused on where I should bind the internet routable address and how I should set up routing on the virtual server NICs along with the physical server NICs.
I'll effectively have two physical and two virtual NICs to set up, but I'm not sure how the routing is going to work with this setup.
Option 1: Bind my internet routable address to the physical external NIC on the VShost. Enable IP routing to the virtual (external interface) of the ISA virtual Server. This doesn't seem like it would be secure as I would have to lock down my VShost machine. Use Edge Template.
Option 2: Add a router into the mix such that I go from: DSL-->router/fw-->Physical External Interface. Use back to back template.
Any feedback on this would be greatly appreciated.
From: Manchester, UK
I'm currently running a Virtual ISA on top of an XP host machine so that I can share the wireless access point and control traffic via the virtual ISA.
On the host machine with the NIC that is connected to the internet I have deselected the Client for MN, F&P Sharing for MN and Internet Protocol (TCP/IP) options in the NIC's properties so that only the Virtual Machine network services option is ticked. Then on the virtual machine you add your IP settings on the appropriate Network connection. You get connectivity and can assign your static IP to the virtual ISA without getting an IP conflict. (You configure this as your External NIC on your virtual ISA.)
On a second NIC you can then assign a private IP, and on your virtual ISA's internal properties assign another private IP to this NIC in the same subnet to allow the host machine a connection through your virtual ISA. This second NIC acts as a virtual switch and you just need to treat the IP that you assigned to the Virtual ISA as your ISA's internal NIC.
I would watch out though. I've tested my virtual ISA by going to www.grc.com and it seems that loads of ports end up reporting as 'Open' during the Shields up scan. For me my virtual ISA is behind a real ISA so I can control what goes through from there. It is something to watch out for though, but might be worth trying.
I ended up doing as you suggest but with 3 NICs. I unbound everything but ISA from net props for two of the NICs. The third NIC is just for File and Print services. I have done testing and shown this setup to be secure (no ports open from the outside).
quote: Originally posted by Taz69: If you don't mind me asking, what host OS are you using for your virtual server? Currently I'm using XP (SP2) though I might move my virtual ISA to my server once I've upgraded the OS on that to 2003.
I have Server 2003. I can't think of any reason why you would have any problems running it on your XP machine. For those of you new to Virt Server, remember to disable hyperthreading.