Using ISA Server to protect virtual machines

by Shijaz Abdulla on 17.08.2007 at 15:31

If you use virtualization technologies like Virtual Server or Virtual PC and have virtual machines that are exposed to the internet, you might want to use ISA Server to protect them. While it is possible (and recommended) to have ISA Server on a separate machine to protect all your infrastructure, you might have a scenario wherein you’d like to run ISA Server on the host machine (i.e. the physical machine that has Virtual Server/Virtual PC installed and hosts the guest virtual machines).

If you have only one network card on that host machine and you install ISA Server on the host machine, you would expect it to protect all guest machines hosted on that host computer, right? Wrong!

Microsoft Virtual Server uses an NDIS driver to switch incoming frames to its guest machines based on their assigned MAC addresses. Because that NDIS driver sits “below” ISA’s firewall engine driver (fweng.sys) in the network stack, guest traffic is delivered to the virtual machines before ISA ever sees it! ISA will still protect any other applications or OS services running directly on the host machine, but the guests get no protection at all.

In the diagrams, the dotted lines represent traffic that has been screened by ISA.

One way to overcome this difficulty is to have another network card on the host machine (the “Internal” card), and connect all guest machines to this network. The first network card will connect to the cruel world outside (the “external” card). Of course the internal network now has to be on a different subnet and you have to take into account all the hassles of having two networks.

In this configuration, all traffic coming in from the external network reaches the internal NIC only through the NAT/Route relationships you have configured on the ISA Server. It is essential, however, that none of your virtual machines is ever attached to the external NIC: a guest connected to the external card bypasses ISA entirely, exactly as in the single-NIC case.

If you don’t have a spare physical NIC on the host hardware, you can also use a ‘virtual’ Loopback adapter for the internal network. I have described the loopback adapter in a previous post.
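As an added check (not part of the original post), the following PowerShell script audits every guest on a Virtual Server 2005 R2 host and flags any network adapter that is bound to the external host NIC. It assumes the Virtual Server COM automation object (ProgID Microsoft.VirtualServer.Application) is registered on the host and that its VirtualNetwork objects expose Name and HostAdapter; the external adapter name is a placeholder you replace with your own.

```powershell
# Added example, not part of the original post: list each guest NIC and flag any
# that is bridged to the external host adapter, which ISA Server cannot screen.
# Assumes the Virtual Server COM API (Microsoft.VirtualServer.Application) is
# available and that VirtualNetwork objects expose Name and HostAdapter.
param(
    [string]$ExternalAdapter = "External"   # placeholder: display name of the internet-facing NIC
)

function Get-GuestNicPlacement {
    param([string]$ExternalAdapter)
    $vs = New-Object -ComObject "Microsoft.VirtualServer.Application"
    foreach ($vm in $vs.VirtualMachines) {
        foreach ($nic in $vm.NetworkAdapters) {
            $vnet = $nic.VirtualNetwork
            if ($vnet -eq $null) { continue }          # guest NIC is "Not connected": nothing to check
            $hostNic = [string]$vnet.HostAdapter       # host NIC the virtual network is bridged to
            $exposed = ($hostNic -ne "") -and ($hostNic -like "*$ExternalAdapter*")
            $row = New-Object PSObject
            $row | Add-Member NoteProperty VM             $vm.Name
            $row | Add-Member NoteProperty VirtualNetwork $vnet.Name
            $row | Add-Member NoteProperty HostAdapter    $hostNic
            $row | Add-Member NoteProperty Exposed        $exposed
            $row
        }
    }
}

$rows = @(Get-GuestNicPlacement -ExternalAdapter $ExternalAdapter)
$rows | Format-Table VM, VirtualNetwork, HostAdapter, Exposed -AutoSize

# Any guest sitting on the external adapter is outside ISA's reach; fail loudly.
$bad = @($rows | Where-Object { $_.Exposed })
if ($bad.Count -gt 0) {
    Write-Warning ("{0} guest NIC(s) are on the external adapter and bypass ISA Server" -f $bad.Count)
    exit 1
}
```

Guests whose virtual network is bound to the loopback adapter or the internal NIC show Exposed as False; a non-zero exit makes the script usable from a scheduled task that alerts on drift.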

Making Virtual Server guests talk to the host machine

by Shijaz Abdulla on 05.07.2007 at 12:18

Microsoft Virtual Server 2005 R2 is a free tool from Microsoft that lets you run “virtual” machines on your computer (like Microsoft Virtual PC or VMware).

So how do you transfer files from your host machine to a virtual machine running on Virtual Server? Or, how do you make the virtual machine communicate with your standalone host that is not connected to any external network?

The answer is the Microsoft Loopback Adapter.

When you install the Loopback Adapter, a new virtual network adapter appears on your machine; it can be used for communication between the host and the guest machines running on it.

To install the Microsoft Loopback Adapter, go to Control Panel –> Add Hardware –> ** –> Network adapters –> select ‘Microsoft’ as the manufacturer, choose ‘Microsoft Loopback Adapter’ and install it.

Then simply assign the Loopback adapter an IP address from the same range as the virtual machines, configure your VMs to use the Loopback card as their network connection, and you’re connected!

The Loopback adapter is available in all releases of Windows, including Windows Vista.