Using ISA Server to protect virtual machines

by Shijaz Abdulla on 17.08.2007 at 15:31

If you use virtualization technologies like Virtual Server or Virtual PC and have virtual machines that are exposed to the internet, you might want to use ISA Server to protect them. While it is possible (and recommended) to run ISA Server on a separate machine that protects your whole infrastructure, you might have a scenario where you'd like to run ISA Server on the host machine itself (i.e. the physical machine that has Virtual Server/Virtual PC installed and hosts the guest virtual machines).

If you have only one network card on that host machine and you install ISA Server on the host machine, you would expect it to protect all guest machines hosted on that host computer, right? Wrong!

Microsoft Virtual Server uses an NDIS driver (the Virtual Machine Network Services binding on the host's network adapter) to switch traffic to its guest machines based on their assigned MAC addresses. Because that driver sits "below" ISA's firewall engine driver (fweng.sys) in the network stack, a frame addressed to a guest's MAC address is handed to the guest before ISA ever sees it! ISA still protects applications and OS services running directly on the host, because that traffic does travel up through fweng.sys; it is only the guests' traffic that slips past.

In the diagrams, the dotted lines represent traffic that has been screened by ISA.

One way to overcome this difficulty is to add a second network card to the host machine (the "Internal" card) and connect all guest machines to a virtual network on that card only. The first network card connects to the cruel world outside (the "External" card). Of course, the internal network now has to be on a different subnet, and you take on all the hassles of running two networks (addressing, routing, DNS and so on).

In this configuration, traffic from the external network reaches the internal NIC only through the network rules (a NAT or Route relationship) and the access or publishing rules you have configured on the ISA Server. It is essential that no virtual machine is ever attached to the external NIC: a guest on the external network would be reached directly through the virtual switch, exactly as in the single-NIC case, and ISA would never see that traffic. Check each guest's network adapter settings to confirm it is attached to the internal virtual network, and you can also unbind Virtual Machine Network Services from the external adapter so that it cannot host a virtual network at all.

If you don't have a spare physical NIC on the host hardware, you can use the Microsoft Loopback Adapter as the internal network instead; it behaves like a second NIC as far as Virtual Server and ISA are concerned. I have described the loopback adapter in a previous post.
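To make the "no guest on the external NIC" rule something you can check rather than something you remember, here is an audit script for the host. It is an added example, not code from the original post, and it assumes the Virtual Server 2005 COM object is registered as "VirtualServer.Application" and that its VirtualMachines and VirtualNetworks collections, and the NetworkAdapters, EthernetAddress, VirtualNetwork, Name and HostAdapter properties, behave as used below; the virtual network name "Internal Network" is a placeholder for whatever you called the network bound to the internal NIC or loopback adapter.

```powershell
# Added example, not code from the original post: audit a Virtual Server 2005 host
# and report any guest network adapter that is attached to a virtual network other
# than the one bound to the internal NIC (or loopback adapter) behind ISA Server.
#
# Assumptions (not stated on the page): the Virtual Server COM object is registered
# as "VirtualServer.Application", its VirtualMachines / VirtualNetworks collections
# and the NetworkAdapters, EthernetAddress, VirtualNetwork, Name and HostAdapter
# properties behave as used below, and the network name below is this host's own.
# Run it on the host, in an elevated PowerShell session, after any VM change.

param(
    # Virtual network that is bound to the internal NIC (or the loopback adapter).
    [string]$InternalNetwork = "Internal Network"
)

$vs = New-Object -ComObject "VirtualServer.Application"

# First show which host adapter each virtual network is bound to, so you can see
# at a glance whether a virtual network exists on the external NIC at all.
Write-Host "Virtual networks on this host:"
foreach ($net in $vs.VirtualNetworks) {
    Write-Host ("  {0,-24} host adapter: {1}" -f $net.Name, $net.HostAdapter)
}

$violations = @()
foreach ($vm in $vs.VirtualMachines) {
    foreach ($nic in $vm.NetworkAdapters) {
        $net = $nic.VirtualNetwork
        # An adapter with no virtual network is disconnected and cannot be reached
        # from outside, so it is not a violation.
        if ($net -eq $null) { continue }
        if ($net.Name -ne $InternalNetwork) {
            $violations += New-Object PSObject -Property @{
                VM      = $vm.Name
                MAC     = $nic.EthernetAddress
                Network = $net.Name
            }
        }
    }
}

Write-Host ""
if ($violations.Count -eq 0) {
    Write-Host ("OK: every connected guest adapter is on '{0}'." -f $InternalNetwork)
    exit 0
}

Write-Host "WARNING: guest adapters that bypass ISA Server (not on the internal network):"
$violations | Format-Table VM, MAC, Network -AutoSize
# Non-zero exit so a scheduled task or monitoring script can alert on it.
exit 1
```

Run it once after building the two-NIC setup and again whenever a VM is created or reconfigured; because it exits with 1 when a guest is attached to the wrong network, it drops straight into a scheduled task that alerts on a non-zero exit code.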


2 Responses to Using ISA Server to protect virtual machines

  1. ryan@lan says:

    Does my MAC address change if I upgrade my computer with some other hardware? For example, change the graphics card?

  2. Shijaz says:

    Hi Ryan,

    The MAC address is built into the network adapter. If you change your network card, the MAC address will change. The MAC address is independent of other hardware components like graphics card.

    Shijaz
