I have created 3 virtual machines an ISA, WEB and a Client. ISA machine has 2 network adapters an Internal and external using the specified IP addresses Internal ű 192.168.33.1 External ű 192.168.22.1. The WEB and the CLIENT machine only have one Net work adapter using the specified IP addresses WEB ű 192.168.33.2 and CLIENT ű 192.168.22.2. I am trying to test a request to the web server from the client. When I try to access the web-192.168.33.2 on ISA machine I am getting a 403 Forbidden error. Has any one created this same scenario and might know how to fix it so that I can make the request from the Client to the Web.
Did you create two Loopback Adapters on the host machine, one for the Internal and one for the External network?
According to your info, the Internal network is 192.168.33.0/24 and the External network is 192.168.22.0/24. Right?
Also, the Web server seems to be on the Internal network and the Client on the External network. Is this correct?
So, your scenario is you want to test the publishing of a Web server. What is the relation between the Internal and the External network, route or NAT? Can you ping from the ISA server both the Web server and the Client? Do you have a DNS infrastructure in place? What access rule or publishing rule did you configure? ...
RE: How to build an ISA firewall lab with Virtual PC 2004 - 17.Mar.2005 8:39:00 PM
Thank you for the article. However, I am trying to do this setup using Virtual Server 2005 and it appears that these instructions do not work. I have followed the article to a 'T' but cannot get the virtual client PC's to communicate with the virtual server, nor vice-versa.
Virtual Server: Windows 2003 Server Standard Broadcom Net adapter (real) - External Network: 192.168.5.2 (gateway is 192.168.5.1, internet works fine) Loopback Adapter #1: 192.168.2.1 Loopback Adapter #2: not configured
Virtual Client #1: Windows XP Pro SP2 Loopback Adapter #1: 192.168.2.10 NO INTERNET, NO NETWORK COMMUNICATIONS WHATSOEVER
Virtual Client #2: Windows 2000 Pro SP4 Loopback Adapter #1: 192.168.2.11 NO INTERNET, NO NETWORK COMMUNICATIONS WHATSOEVER
The client PC's cannot even speak to each other using the same network adapter.
My article explains in detail the theory behind and how to build an ISA firewall lab on the basis of the advanced networking features of Virtual PC. If you need to know how to use Virtual PC in general, check out the Virtual PC help file and http://www.microsoft.com/virtualpc . For more how to's about ISA server 2004, check out the many articles on this site, the ISA help file and http://www.microsoft.com/isaserver .
RE: How to build an ISA firewall lab with Virtual PC 2004 - 25.Jun.2005 4:13:00 PM
I keep getting "Setup failed while registering ISA server filters" during installation of ISA 2004 on a virtual PC 2004. Also if use VMWare I get the same. No mater the number and type of network addapters.
I followed the instructions on how to build an virtual test lab for ISA.I have configured the internal on 192.168.20.1, the perimeter on 192.168.30.1 and the external on 192.168.1.10 (which connects to my home router(192.168.1.5) and out to the internet).
I was wondering what gateways I should use for each adapter.
Any help would be really appreciated.
P.S Does anyone know of a website with a tutorial on configuring Virtual PC for a test exchange lab.
once you have created the adapters on the host operating system and assigned them to the ISA virtual machine, you follow the standard ISA networking setup as explained in many articles on this site, the ISA help file and of course Tom's book http://www.amazon.com/exec/obidos/ASIN/1931836191/isaserver/.
To summarize, ISA supports only one default gateway and that must be set on the ISA external interface only. Therefore, all other interfaces don't have a default gateway.
1) Thanks! 2) Think you need to correct the link in first post it seems to give me a 404 (does not open new window, maybe???)
I have spent 2 days trying to set up a Virtual lab and Failed big tiime. Well Failed in the sence I could not set it up the way I wanted nor the way its depicted when I try to use an XP client.
Please, Please Stefaan correct me if I am worng and Pease Please add this information to you How to so that it will stop other users falling into the same trap if and only if I am right that is.
Law # 1 On a VM XP client the only network you CAN EVER use on your LOOPBACK addapter is 192.168.0.xxx Thus setting up an external XP DMZ client on a 172.16.0.0/24 and or an internal Client on a 10.10.10.0/24 will fail as you will NEVER get connectivaty (even if you set up a isa server and define your default getway).
Law # 2 If you have a Wireless adapter on your VM Host don't try to use it within a VM PC. it can work but it might not and if it does not then you will spend to much time working it out.
Case: I have a laptop hosts that connects to the internet via its wierless addapter to my home router (works fine) I set up a VM, use that adapter as its LAN addapter and try to obtain an ip address (wont work)
So I am still faced with the problem of setting up a lab (internal 10.10.10.0/dmz 172.16.1.0/ external) using a XP client in each segment and being able to connect to the internet via a isa server. And it seems the answer is in.
Chapter 4 / section 2 / We do not want to give the impression that we believe that VMware is a superior to Virtual PC as an operating system virtualization option. Microsoft uses Virtual PC extensively in their own testing and training environments. We have tested ISA firewalls on the Virtual PC platform and found virtual machine performance actually appeared slightly better. However, VMware has better support for the networking scenarios we typically try to reproduce in our labs, and so for testing firewall scenarios, it provides a slightly better option.
I wanted an internal and a dmz as well as connectvaty to the internet from a 3 headed ISA server.
I think I have got the infra sorted out.
Here is my layout and it seems to work. (I have not configured the ISA server!!!)
Host MYPC -> XP /sp2 -> Micrsoft VirtualPC Build 5.3.582.27 (thats with the SP) -> Sony Vaio laptop VGN-SZ1XP 2gig ram, 100 gig disk -> Internal adapter (Wired) disabled -> wifi adapter connect to adsl router HOME with dhcp in 10.10.10.0/24 -> Internet connectivaty works -> Added 2 new Microsoft loopback adapters to this host
Loaded VPC created the following 4 hosts adding each adapter one by one as I need to correct the missing mac addresses in most cases.
Internal Network AD1 -> 2003/SP1 Domain controller -> DNS for mynamespace.com -> VPC Addapter -> Local only -> Fix Ip 10.100.100.100/24 GW: None DNS 10.100.100.100 -> Renamed adapter LAN
XPLAN -> XP Workstation / SP2 -> Joined to mynamespace.com domain -> VPC Addapter -> local only -> Fix IP 10.100.100.10/24 GW: None DNS 10.100.100.100 Rennamed adapter LAN
-> Changed default Firewall settings to allow ICMP (Ping) Control Panel -> Network and Internet Connections -> firewall -> Advanced ICMP -> Settings -> Allow incoming echo requests -> tick -> ok -> ok
External Network (DNZ) XPOUT -> XP Workstation / SP2 -> VPC Addapter -> Microsoft Loopback addapter #2 -> Fix IP 192.168.0.10/24 GW: None Rennamed adapter DMZ -> Changed default Firewall settings to allow ICMP (Ping)
IAS6 -> 2003/sp1 (will become my IAS) -> VPC Adapter 1: Shared Networking NAT -> IP dynamic DNS 192.168.0.254 Renamed addapter HOME (my HOME network connected to ADSL)
-> VPC Adapter 2: Local only -> Fix Ip 10.100.100.1/24 GW: None DNS 10.100.100.100 Renamed adapter LAN
-> VPC Adapter 2: Microsoft loopback adapter #2 -> Fix IP 192.168.0.1/24 GW: None Rennamed adapter DMZ
It seems to work but only as I have NOT added ISA (Smle)
Tests on: Internal network Ping AD1 <-> XPIN <-> AS6 <-> AD1 = OK Both IP and DNS name XPOUT / Internet Fails (which is correct)
External Network (DNZ) XPOUT PING IP Only XPOUT <-> ISA6 = OK PING Internal network / Internet Fails (which is correct)
ISA6 PING ISA6 <-> AD1 <-> XPLAN <-> ISA6 = OK Both IP and DNS name (XPLAN will only work with xplan.mynamespace.com will need to work out how to fix that) PING IP only ISA6 <-> XPOUT = OK Internet works; Microsoft update works.
So the short version is You can make a Virtual lab with an internal 10.100.100.0/24 DMZ 192.168.0.0/24 Use XP as your clients and have internet over a shared NAT connection which uses a wifi adapter