Solved

ISA 2006 on Hyper-V

Posted on 2011-02-17
11
878 Views
Last Modified: 2012-05-11
Hello,

I have a perfectly good guest installation of ISA 2006 Server on my Hyper-V server and would like opinions on the security of this setup please.

Server setup - Windows 2008 Hyper-V Server host system with 4 NIC's:

NIC 1 and NIC 2 are connected to the LAN with internal IP addresses.  These are used for a number of guest servers running on the Hyper-V server.
NIC 3 is connected to the DMZ port on the Juniper Firewall (the main hardware firewall) with a DMZ IP address.  This NIC is used by the ISA Server guest only.
NIC 4 is connected to the internal LAN with an internal IP address.  This NIC is used by the ISA Server only.

Network setup:

Internet -->  Juniper Firewall Untrust port (main hardware firewall) --> Juniper Policy directs traffic to the DMZ port on the Juniper Firewall --> DMZ NIC of Hyper-V guest ISA Server --> ISA Server policy --> internal LAN NIC of Hyper-V guest ISA Server --> internal LAN

Basically, I know that this setup is secure if the ISA Server were to be a stand alone server / member server (ie: not hosted on Hyper-V).  But I need to know if the other guest servers on the Hyper-V server are secure, because the ISA Server is also a guest on the same Hyper-V host server.

The ISA Server is used mainly for OWA Publishing and VPN Access.

Thanks,
Paul
0
Comment
Question by:Pifco1
11 Comments
 
LVL 2

Expert Comment

by:Mattrw
ID: 34915218
Chapter 3 seems relevant to your needs, check it out.
Hyper-V-Security-Guide.docx
0
 
LVL 23

Expert Comment

by:Suliman Abu Kharroub
ID: 34915222
Obviusely, the physical host machine could not be secured with ISA, as a result VHD files ( VMs Virtual hard disks) will not be secured too, which may effect these VMs if someone grant access (hack) your physical server.

For gust VMs as long as the VMs accessed the internet throw ISA server they are secured by ISA server.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34915296
Totallydown to your connections but as you have described it, it is secure and supported.

Keith
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 29

Accepted Solution

by:
pwindell earned 250 total points
ID: 34916545

Virtualize your ISA or Forefront TMG servers (Jim Harrison)
http://technet.microsoft.com/en-us/edge/Video/ff710552
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34916788
Win some lose some :)
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34917986
Win what? lose what?
I thought Jim says they same thing as those documents.  Some people just like to see it as a video :-)
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918058
Aw,..I see,..he gave me the point,...I didn't know he did that.
0
 

Author Comment

by:Pifco1
ID: 34918189
I can select whichever answer I find most useful to my question, thanks.

But if you have to know the reason:
pwindell sent the link with the video, this was a good video, I enjoyed watching it, however on the link he sent was also this:

See KB article 957006 which states ISA (and other) products are officially supported on Hyper-V.

Which in turn directs you to a MS Technet article on:

Microsoft Internet Security and Acceleration (ISA) Server
Microsoft ISA Server is supported. For more information about support for ISA Server, visit the following Microsoft website: http://technet.microsoft.com/en-us/library/cc891502.aspx

So that answered my initial question:

But I need to know if the other guest servers on the Hyper-V server are secure, because the ISA Server is also a guest on the same Hyper-V host server.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918297
Jim deals with that later toward the end of the video when dscussing the unbinding and the diabling of Nics.  In the end the only nic that needs to be enabled and have TCP/IP bound to it would be the Hyper-V Management interface on the Management Network that does not even physically touch any other LAN.  That is too much over-kill for me personally, but it definately gets the job done.  You just have to make sure that all your Virtual Switches and Virtual Networks with Hyper-V are correctly configure before you start unbinding TCP/IP and disabling the Physical Nics.
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34918362
If it were me I would probably only do that with the External Nic and leave the others alone,...then again I might just give the External Nic a bogus IP# that would not "work" and forget it.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 34918993
Your question, your points to do with as you wish.
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Copy Hyper-v machine. 8 70
File contents corrupt or mising 3 91
Exchange 2010 - SPAM using organization internal addresses 6 104
Cloning Windows Server 2012 licensing issue 3 79
When working with Microsoft SCVMM (System Center Virtual Machine Manager) in a Hyper-V virtualization environment, we have run across scenarios in which the failed migration of a VM from one host to another may leave the VM in a failed state. Specif…
Introduction RemoteFX is already in use today, but you're probably not aware of it.  With the advent of Windows 2012 and Windows 8, RDP has gotten a whole lot better due to the fact that RDP now uses even more RemoteFX technologies to make desktop …
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

770 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question