Re: isa 2k4 and second subnet inside network host ( vmware )
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Tue, 1 Apr 2008 23:57:05 -0700
"Pedro M. Leite" <pleite@xxxxxxxxx> wrote in message
news:uW832x8kIHA.3780@xxxxxxxxxxxxxxxxxxxxxxx
> hi.
> scenario : sbs 2k3 with isa 2k4
> our network is facing the outside world via dsl.
> a, mx and ptr records available and all is working
> inside subnet is 192.168.0.x
> i want to add a second subnet, 192.168.101.x ( vmware ) and make it
> available to the outside world, and inside as well.
> the thing is that the virtual machines are inside a real host under
> 192.168.1.x.
> how can i route from the outside address > into vmware machine
> 192.168.101.x
> from 192.168.0.x ??
> using host headers.
> this is almost like there are two connected networks. the vmware host is a
> router between 192.168.0.x and 192.168.101.x.
You don't say what the business requirements are, so it's kind of hard to
suggest a network topology or firewall and/or router configuration.
The method Phil describes works fine, and it creates a route to the server
from the firewall. It doesn't isolate the server running on VMWare from
other hosts on the Internal network. Moreover, compromise of the server
gives the intruder full access to your internal network, tunneling back out
from the VMWare server on the virtual machine through the "router" running
on the host.
If you had requirements for additional security, then another design would
be:
1) Add a network port on the VMWare host corresponding to 192.168.101.x.
Disable IP on the host on that adapter, but do not disable the adapter. On
VMWare, bridge the virtual machine to that adapter.
2) On ISA, add an adapter port and assign the 192.168.101.x subnet to it.
Create an ISA Network for that adapter. Create needed network rules
describing interactions between new network, internal network, and external
network. Create firewall rules between the same. The first time you go
beyond the simple Internal / External model in ISA you will likely make
mistakes on network rules (forget them, or design them incorrectly), so pay
attention to complaints in Event Viewer about addresses not assigned to
adapters, and pay attention to the monitor log in ISA showing any traffic for
which no rule is assigned. Such traffic is usually missing a network rule
to describe the traffic, and ISA doesn't process such traffic (the monitor gives
very misleading information about such traffic).
3) Connect the bridged port on the VMWare host to the new adapter on ISA.
Now you have full isolation of the virtual machine through the bridged port
onto its own dedicated subnet, protected by ISA from and to the other
internal network.
4) If you have an Internet server running on the VMWare virtual machine, you
can "publish" it through ISA to the external network, and you'll get extra
protection for some protocols like HTTP.
The downside to the design above is that it makes ISA a single point of failure on
the network. The upside is that it gives you far greater levels of control over the
traffic flows between computers on different networks.
--
Will
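Added example, not part of this thread or of Will's or Pedro's configuration: a small model of how ISA 2004 decides what happens to a flow once the three-network design in the reply is in place (Internal, a new network for the bridged VMware subnet, and External). It shows the properties the reply argues for (a compromised VM cannot reach Internal; the Internet reaches the VM only through a publishing rule) and the caveat it warns about (a flow with no matching network rule is dropped before any access rule is consulted). The network name "VMDMZ", the address ranges, the rule sets and every sample address are assumptions constructed for the illustration.

```python
"""Model of ISA 2004 rule evaluation for the Internal / VMDMZ / External design.
Everything here (network name VMDMZ, ranges, rules, sample addresses) is assumed
for illustration; it is not the poster's configuration."""
import ipaddress
from dataclasses import dataclass

# ISA Networks as address sets. External is whatever no other network claims.
NETWORKS = {
    "Internal": ipaddress.ip_network("192.168.0.0/24"),
    "VMDMZ": ipaddress.ip_network("192.168.101.0/24"),  # bridged VMware subnet
}

# Network rules: (from, to, relationship). Route applies in both directions;
# NAT applies from -> to, and the reverse direction is reachable only by publishing.
NETWORK_RULES = [
    ("Internal", "External", "NAT"),
    ("VMDMZ", "External", "NAT"),
    ("Internal", "VMDMZ", "Route"),
]

# Access rules, first match wins, implicit deny at the end (ISA's default rule).
ACCESS_RULES = [
    ("allow", {"http", "rdp"}, "Internal", "VMDMZ"),            # admins reach the VM
    ("allow", {"http", "https", "dns"}, "VMDMZ", "External"),   # VM outbound only
    ("allow", {"http", "https", "dns", "smtp"}, "Internal", "External"),
    # deliberately no VMDMZ -> Internal rule: a compromised VM gets nothing inward
]

# Web publishing rule: External clients reach the VM's web server through ISA.
# Simplified: the flow's destination is written as the published server's address.
PUBLISHING_RULES = [("http", "External", "192.168.101.10")]


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str


def network_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"


def network_relationship(src_net, dst_net, rules):
    """Relationship from the first matching network rule, plus whether the flow
    runs against a NAT rule's direction. None: ISA has no rule and drops the flow."""
    for a, b, rel in rules:
        if (a, b) == (src_net, dst_net):
            return rel, False
        if (b, a) == (src_net, dst_net):
            return rel, rel == "NAT"
    return None


def evaluate(flow, network_rules=NETWORK_RULES):
    src_net, dst_net = network_of(flow.src), network_of(flow.dst)
    if src_net == dst_net:
        return "same-network"  # never crosses ISA
    rel = network_relationship(src_net, dst_net, network_rules)
    if rel is None:
        # The caveat from the reply: access rules are never consulted here
        return "dropped: no network rule"
    _, against_nat = rel
    for proto, listener_net, server in PUBLISHING_RULES:
        if src_net == listener_net and flow.proto == proto and flow.dst == server:
            return "allowed: publishing rule"
    if against_nat:
        return "denied: inbound across NAT needs a publishing rule"
    for action, protos, a, b in ACCESS_RULES:
        if flow.proto in protos and (src_net, dst_net) == (a, b):
            return f"{'allowed' if action == 'allow' else 'denied'}: access rule"
    return "denied: default rule"


def simulate():
    """Constructed flows; 198.51.100.7 and 203.0.113.9 stand in for Internet hosts."""
    flows = [
        Flow("192.168.0.20", "192.168.101.10", "http"),   # admin to VM web app
        Flow("192.168.101.10", "192.168.0.5", "smb"),     # compromised VM inward
        Flow("198.51.100.7", "192.168.101.10", "http"),   # Internet to published site
        Flow("198.51.100.7", "192.168.101.10", "rdp"),    # Internet to unpublished port
        Flow("192.168.101.10", "203.0.113.9", "https"),   # VM updates outbound
        Flow("192.168.0.20", "192.168.0.30", "smb"),      # stays inside Internal
    ]
    return {(f.src, f.dst, f.proto): evaluate(f) for f in flows}


def simulate_missing_network_rule():
    """Same admin-to-VM flow with the Internal<->VMDMZ network rule forgotten."""
    rules = [r for r in NETWORK_RULES if r != ("Internal", "VMDMZ", "Route")]
    return evaluate(Flow("192.168.0.20", "192.168.101.10", "http"), rules)


if __name__ == "__main__":
    for key, verdict in simulate().items():
        print(key, "->", verdict)
    print("without Internal/VMDMZ network rule ->", simulate_missing_network_rule())
```

The last function is the case the reply describes: the access rule allowing admins to the VM exists, yet the flow is dropped because no network rule joins the two networks, which is why the ISA monitor shows such traffic without a useful rule name.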