Running ISA Server 2006 under Hyper-V

For the uninitiated, Microsoft's Hyper V provides a compelling reason for consolidating multiple physical machines into fewer ones while still maintaining most if not all the features of a full fledged physical machine. Learn more about the technical details at the Technet Magazine page.

The reader may remember my obsession with staying green and trying to come up with solutions inside my home to reduce electricity consumption. As part of that plan, at least three machines, the domain controller, the web-server and the mail server were virtualized under Hyper-V.  It is a very straightforward process and is documented at various places. What is not documented however is, the final piece of the puzzle; Is it possible to virtualize ISA Server 2006 (edge firewall) inside the Hyper-V? If yes, does it still protect the host server?

The answer is "yes" to both the questions and the whole setup can be done in less than an hour. I'll keep the unimportant details like installing the Hyper V, basic installation of the ISA server etc out of this article. If the readers need more details, please let me know via the comments and I'd update the post.

Here's how the physical diagram of the setup looks like but before we go any further, its time for the usual "Disclaimer¹"

Assuming a simple home based network, the Router above represents the sole connection to the ISP's backbone (can be a DSL or a cable modem router) and is set as a transparent bridge aka - the ISA server will take the WAN IP addresses. Here's the run-down on the whole setup.

Step 1. Install the Windows Server 2008 on the host machine (with all the NICs onboard). For the installation part, connect any one network port to the internet for Windows Update. Once the installation is done, open up network adapters and rename them as follows.

• Physical Gateway - NIC0
• Physical Public -NIC1
• Physical Internal - NIC2

Step 2. Reboot the machine. Step 1 and 2 are required to make it easy to identify which network port is which. Trust me, you need the names to figure out and ensure you're connecting the right physical and virtual ports to the right places. A little mistake here and all your security is out of the way. If you do not reboot prior to step 3, you won't see the new names you assigned to each Local Area Connection.

Step 3.Install Hyper-V. During the installation, hyper-V will ask for the network adapter that you want to configure for virtual machine networking. Choose the "Physical Internal" network adapter you renamed in step 1. Installation of Hyper-V will require a reboot again.

Step 4. Windows Update. Requires Reboot. Before you reboot, remove all network connections and set your router to transparent bridge mode.

Step 5. Open up the Network Adapters again. Here you would find a new network adapter (virtual) that Hyper-V created for you. Rename this to "Virtual Internal". Open up Hyper-V management console. Fire up the Virtual Network Manager. Rename the in-use adapter to "Virtual Internal" as well.

Step 6. Using the Virtual Network Manager, create virtual adapters of type External for the remaining two adapters. See Figure 1 for illustration. Make sure you rename the Network Adapters as and when you create a new Virtual Adapter with the same name. Avoid confusion here and you'd save countless hours figuring out what went wrong.

Step 7. Virtual Network Manager view should look like Figure 1. Network Adapters should look something like Figure 2.

Step 8. Open up properties for all the three Virtual Adapters from the Network Connections control panel and change them as shown below.

Step 9. Disconnect the ISP side of the router. Connect the ethernet port of router to NIC1 (Physical Gateway) via  a straight cable (assuming auto-sensing ports). You can check if you have connected to the right NIC by looking at the disconnected/connected icon in Control Panel-> Network Connections. Hopefully, if you named everything properly earlier, this should be a breeze.

Step 10. Connect the remaining two NICs on the Hyper-V to your network switch via standard CAT5/6 cables. Connections to all internal network begin and terminate from this switch and it forms a part of the secured network once ISA is installed.

Step 11. Create a new virtual machine with the following settings.

Step 12. Install Windows Server 2003 x86 on this machine and rename the two virtual adapters inside the ISA VM accordingly (you can test which one is which by disconnecting the router to NIC1 network cable and checking which network port shows up as disconnected)

Step 13. Assign the external WAN IP to the public interface on ISA server. Assign the internal gateway (for example 192.168.1.1) to the internal interface on ISA server. Configure the firewall as you normally would.

That's it! You're done. You can connect the router back to the ISP backbone and surf away while keeping everything inside your network secure.

Update 12/5/2008

To explain more as Anthony asked in comments below, here is an updated figure

The Red Ethernet Cable (in the figure) from the Internet router goes to  Physical Public, the Host machine will not have access to it, the Hyper-V changes that (with our settings above) to Virtual Public and only the ISA uses this (thus firewalls). Example IP addresses: whatever your ISP has allocated for you for eg: 76.210.162.111/255.255.254.0 (The ISA Server uses these IPs on the WAN side)

The Green and the Blue Ethernet cables both go to the same network switch (which belongs to the internal network).

The Green CAT cable goes to port marked Physical gateway to which the Hyper-V host machine does not have access, is turned into Virtual Gateway (by our settings above)  and the ISA is the only machine that can use this.  (The ISA server acts as gateway and needs/uses two networks) Example IP address that one would normally assign: The gateway IP address for your internal chosen Private IP eg. 192.168.1.1/255.255.255.0 With this setting, the route to gateway/ISA is available at the internal network switch and any number of networks connected to this switch should (if set properly) be able to access the Internet via the ISA server.

The Blue Ethernet Cable  connects the internal network switch  to  Hyper-V machine (via Physical Internal) as well as to all the Virtual Machines (via Virtual Internal) running inside of the Hyper-V on this box. Example of VMs running on my box: The Domain controller, DHCP Server, DNS, etc… Note that the ISA is NOT connected to this network. Typically I would not assign an IP address unless its a server and let DHCP lease take-over from here but servers such as (VMs) Exchange Server, DNS, DHCP etc have their own static IPs such as 192.168.1.5/255.255.255.0 etc … in the same private IP range as our internal network.

Note that in the entire setup above, we did not use Hyper-V partitioning.