csharp_guru

asked on

Remote Desktop into Virtual PC, Virtual Server or VMware

Virtualization is the IT buzzword du jour, and I'm building an 8 GB RAM PC to run multiple OSes.

1. Can I use Remote Desktop from the Internet to get into Guest (WinXP and Win2K3) OSes?  

2. Can I do this while keeping the Host OS inaccessible from the Internet (for security)?  

I've more Virtual Networking questions but will ask separately to maximize points.

Very grateful for any insights or experiences you can share on these issues.
SOLUTION
Lee W, MVP
This solution is only available to members.
Like leew said. There are various options available to you.

In a sense the Guest OSes use the peripherals of the host system.  The network card(s) of the host system will be used by the guest systems for their network connectivity.

You would need to configure your Guest OSes to get their OWN IPs on the LAN versus getting NATted IPs from the HOST.

You can then configure your firewall to allow access to the GUEST systems while denying access to the host system.  Note that once access to a Guest system has been achieved, access to the Host OS, provided the RDP service is running, can be achieved.

prashsax

The best option is to either not give any IP address to your host OS.

Or give an IP address with no routing.

This will maximize your host OS security.

With this, you can manage your host OS locally, or only from a PC which is in the same subnet.
ASKER CERTIFIED SOLUTION
This solution is only available to members.
nexissteve - if you want to get technical, there is NO SUCH THING as a secure machine that has internet access.  EVERYTHING has vulnerabilities - it's just a matter of if they've been found yet.

But I agree - VPN setup is the most advisable.

leew - the whole idea of this forum is to get technical. The problem is that there ARE known attack vectors.

What are the known attack vectors of Windows Virtual Server - because the question is NOT limited to VMware, which is all your answer covered.  

There's a certain limit to which you should go with technicalities... And I've been told by other experts here NOT to get too technical - you can't have it both ways.  You have to look at the question and decide on your own.
csharp_guru

ASKER

Great answers.  I didn't expect such fast responses, thank you all very much.  If you don't mind, I'd like to try 'em out before accepting.

In my current setup, my home network has a Cisco Pix 501 that forwards RDP to one of the desktops.

In my new setup, I want to prevent RDP access to any real machine.  Instead, I want the Pix to forward RDP to one of the virtual machines on the new desktop I'm building.  Then from there, I should be able to run multiple Remote Desktops on the other virtual machines as well as on the real machines on the home LAN.  Yes, this will be a huge resource hog!  But I'm building the new desktop with a Pentium 955EE that is dual core with hyperthreading, giving 4 logical CPUs, 8GB RAM and 2 SATA Raid 10,000 rpm drives.  If I configure everything right it should be doable.

What I'm worried about is that I've never run Virtual PC or Virtual Server.  I've run VMware with a minimal network.  So I don't know what problems I might encounter running multiple networked virtual machines.  I don't know if the 4 logical CPUs can be properly utilized, or I'll end up with unacceptable latencies on the nested Remote Desktops.  Maybe I can bind specific VMs to specific CPUs.

Is this really practical?  The main goal is to prevent any Internet access to the real machines on the LAN, and hopefully use one or more virtual machines as gatekeepers.  Of course, the other goal is to run multiple OSes.  Does this really secure the real machines, or not?  I can't try the full setup until my new PC boots up, hopefully Thursday, June 1.
Sorry I wrote my above comment in parts and did not see some of the other comments.  Yes, I should really use a VPN.  

In case you are wondering why I need such an elaborate setup for a home LAN, there will actually be at least 5 remote users (not counting any interested hackers).  At least my wife, two sons, a friend and myself may use Remote Desktop access to the home LAN.

Of course, anything on the Internet is vulnerable, but this will add one or more layers of defense.  The big question is how vulnerable the real machines would be through the virtual gateways.  Thanks for the link provided by NexisSteve.  I will check it out.
Although most of the differences between VMware Workstation and Virtual PC are minimal, it is my opinion that VMware offers an improved networking abstraction layer.  If you plan on running many virtual network adapters, you would prefer VMware.  What brings you to choose Virtual PC?
Hi Csharp,

What virtual machines solution were you intending on using? Also what were you intending the host OS to be?

cheers

S

leew -

Fair call on that my answer was directed at vmware.

I am all for healthy debate, but I am also for giving the correct information. And if in giving the correct information, my answer conflicts with another person on this forum then I don't give a rat's to be honest.

I didn't think my above answer wasn't really that technical. It just provided the information on a solution.

As a technical forum we should be advising users on best practice in the industry. In fact I wouldn't really be comfortable not giving the full information and risking someone putting in a solution that was badly implemented. That would mean we had failed in providing a proper answer. In summary I don't care what other experts have told you, I will continue to post complete solutions.

Us debating the above answers is probably against the rules at Experts Exchange, so I won't post off topic further.

Csharp_guru -

Currently there are no known vulnerabilities for VMware Server or Virtual Server in the wild "if you have the latest patches installed". So in short, patch everything to the hilt, use a VPN and you should be fine. If you are serious about keeping the host OS as safe as possible then make sure you keep it maintained and up to date.

I hope this helps

Cheers

S


Thanks again for the new comments.  

NexisSteve, in answer to your question, I am planning to use Windows XP Pro as the host, because that's the only OS that Microsoft authorizes to host both Virtual PC and Virtual Server.  Since this is a new machine, it will initially be "patched to the hilt".  The challenge will be keeping it that way, but that's one reason I want to focus on this one machine.  While Remote Desktop is great, VPN can be a pain, in my experience.  So I can usually rely on corporate Sys Admins to solve my VPN problems.  In this case, using VPN for home LAN, I'll be the one debugging VPN problems, so can you point me to any good link for setting up and managing RDP via VPN?  Otherwise, I may just fall back to encrypted RDP and not a true VPN.

Carl_Legere, you asked, why Virtual PC?  I agree that VMware is probably much better, and I've actually used it in the past.  However, for the last 5 years, I've been a Consultant on Service-Oriented Architecture, and my multiple VMs are for modeling multiple servers and workstations talking to each other using XML and Web Services.  Since I'll be using primarily Microsoft products such as SQL Server, Office Server, Biztalk, SBS etc., I might be better off using Microsoft VM products also.  A better reason is that I have an MSDN Premium subscription and get all these products free, while I would have to pay for the VMware products.  If Microsoft VMs don't do the job, I'll go ahead and switch to VMware.

Leew, Arnold and PrashSax, I appreciate your recommendations, and please bear with me while I test them out, before accepting the most useful solution(s).
FYI csharp.

VMware Server is now free. Check it out at www.vmware.com

Fair call on the VPN setup. Sometimes they can be a pain in the neck.

Cheers

Steve
" and I'm building an 8 GB RAM PC to run multiple OSes "

Yeah, great idea, but BIG BIG mistake as Arnold would say.  A multiple OS system CANNOT - repeat, CANNOT multi-task different OSs concurrently, so you are killing your idea before it can begin.  If you have 3 OSs and you want them to be accessible to run concurrently, then you run 3 COMPUTERS EACH WITH ONE OS -- that is the ONLY way to get this to work.  Buy 3 simple setups each to run an OS, not one MEGA system to multitask 3 OSs, which is impossible to do.  SORRY.  It does not work.
BTW, VMWARE still cannot multi-task 3 separate OSs, they work one by one.  You simply CANNOT do this, as you think you can, it does not work.  WindowsXP, linux, and 2003 CANNOT run at once from one computer, it is 10000000% impossible.
In that case, I'm doing the impossible on my server, running 2 virtual machines on it at the same time quite effectively.
Scrathcyboy, thanks for your sobering comments.  I agree that VMs are limited compared to hardware.

However, this is not a production setup, it's a home desktop that I'm building.   When I need performance, I can hibernate the VMs and focus the full power of the machine, e.g. for benchmarks or gaming.

Also, it's easier to build (and maintain) one Mega machine than four small ones!  Of course, it's a single point of failure, but PCs are pretty reliable these days.

CPU I'm using is Pentium 955EE (dual core HT) which acts like four logical CPUs.  Now Virtual Server claims to  utilize multiple processors.  I'm sure VMware server can too, since it's more capable.  Hope reality matches the hype.

I hope to complete this PC next weekend, as I'm waiting on some parts.  Then maybe I can run some benchmarks, and understand the pros and cons of this setup.

BTW, scrathcyboy, yours were the accepted answers for my first two (Storage) questions on EE.  This is my third question, and I appreciate your help.
Well, this question has started to meander.  The original question on Remote Desktop into VMs was answered very well by NexisSteve and LeeW, so I accepted their answers 50:50 with a grade A.  I'll have more questions on this. Thank you all.