[isalist] Re: Virtualising ISA
- From: "Jerry Young" <jerrygyoungii@xxxxxxxxx>
- To: isalist@xxxxxxxxxxxxx
- Date: Tue, 26 Aug 2008 13:24:32 -0400
Well...
I suppose it comes down to the scenario and requirements of the company.
A case might be able to be made using Server 2008 Core with Hyper-V (which
should be very well hardened) for a highly available web solution
encapusated in a Server 2008 Core Failver Cluster.
As a hosting provider, I can see the potential for a service offering that
includes a full "pod" of virtual servers. As a hosting customer, having
direct control over firewall policies may have appeal.
I think the same argument could be made for ESX Server, too, since it is a
hypervisor and so has a very small attack surface (if any?).
I'm taking a stab in the dark answering your question (and may be reaching)
but this is what I thought of. ;)
On 8/26/08, John Wilson <John@xxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> A little off topic here, but to me the question isn't necessarily whether
> or not the ISA Server is supported in a virtual environment, but whether you
> would really **want** to do that. If a virtual host platform (be it
> Microsoft Hyper-V, ESX, or Virtual Server 2005) has an ISA virtual machine,
> then you have a NIC connected either directly or indirectly to what ISA
> considers the outside world (either directly to the ISP, or to the Cisco
> router connected to the ISP, or what have you). Even with VLANS that concept
> would make me extremely nervous.
>
>
>
> The only way I would validate an ISA virtual machine would be if the ISA
> server was only acting in Web proxy mode behind other firewalls for general
> security, or if the ISA virtual box was the second box in a chained or
> back-to-back config. It's just that in a virtual environment, you'd have to
> worry about hardening the host and Guest OS.
>
>
>
> However, you guys may be more experienced than I and have a different
> perspective. Correct me if I'm wrong.
>
>
>
> Sincerely,
>
>
>
> John C. Wilson
>
>
> ------------------------------
>
> *From:* isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> *On Behalf Of *Jerry Young
> *Sent:* Tuesday, August 26, 2008 12:20 PM
> *To:* isalist@xxxxxxxxxxxxx
> *Subject:* [isalist] Re: Virtualising ISA
>
>
>
> Doncha just love arguing semantics? :)
>
>
>
> My problem with linking the SVVP page (or even 944987) to this KB Article:
> The KB Article topic is *supported** *virtualization environments. I see
> it as guilt by association.
>
>
>
> I just don't think it is 1) realistic or 2) pratical to assume that the
> majority of readers who are looking for a statement of support are going to
> dig to the level required to understand that a non-Microsoft virtualization
> environment is not supported for any of the applications listed.
>
>
>
> A simple statement as an additional note at the end of the introduction
> section that states something like, "At this time, the applications listed
> in this KB Article are only supported on Hyper-V; non-Microsoft
> virtualization environments are not supported. As this changes, updates
> will be reflected." would really make this discussion go away. ;)
>
>
> It's like being told to read the fine print: we all know we have to but are
> irritated that it can't just simply be put forth up front because of the
> frustration it causes.
>
>
>
> You're right, though. The reader should take enough of an interest to
> fully understand what's written. That's simple due diligence. I'm just
> saying make it easier to do so. :)
>
>
> On 8/26/08, *Jim Harrison* <Jim@xxxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org <http://www.isaserver.org/>
> -------------------------------------------------------
>
> While it's true that the burden of communication rests primarily with the
> speaker, some of the responsibility rests with the listener (reader) to
> actually absorb the content. If you're only looking for keywords and
> -phrases, you'll find what you seek.
>
> In fact, this is stated on the SVVP page; which coincidentally, is the
> reference point for the SVVP program. This is why only Hyper-V is listed in
> this KB. The last thing we need is multiple places to clean up when (not
> if) the support statement changes for the various 3rd-party virtualization
> offerings.
> SVVP is the primary place to go and this is why it's "linked to" from that
> KB.
>
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
> On Behalf Of Jerry Young
> Sent: Tuesday, August 26, 2008 7:35 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Virtualising ISA
>
> Jim,
>
> "Right now, there are *_NO_* validated non-MS platforms."
>
> This is what needs to be clearly stated. Again, depending on how you read
> it, a user may not get this. My point is really simply that; when
> specifically put forth in the same way you just put it, there's no room for
> argument. My guess is a lot of users out there will read into this the same
> way I did (optimistically), or worse yet, move forward thinking that support
> will come, only to run into an issue with said support when a problem occurs
> that requires it. At the end of the day, fair or not, Microsoft gets the
> black eye. By making it clear (without having to dig through links and
> guess at implied statements) upfront, I think greater value and service to
> the customers is provided.
>
>
> On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org <http://www.isaserver.org/>
> -------------------------------------------------------
>
> It's only misleading if you read into it. Let's take each bullet in
> turn:
>
> * Windows Server 2008 with Hyper-V
> * Microsoft Hyper-V Server 2008
> [Jim] - ok; we'll take two at a time. Hyper-V Server and Windows
> 2008 with Hyper-V are the same thing from the guest OS perspective and ISA
> is supported there.
>
> * Supported partners' virtualization software
> For more information, click the following article number to
> view the article in the Microsoft Knowledge Base:
> 944987 (http://support.microsoft.com/kb/944987/) Support
> partners for non-Microsoft hardware virtualization software
> [Jim] This article doesn't list supported virtualization
> products. It lists virtualization support partners. Novel has signed on to
> help provide support for non-MS virtualization; nothing more. The bullet
> title in this article is misleading, but the article linked to is not.
>
> * Server Virtualization Validation Program (SVVP)
> For more information, visit the following Microsoft Web site:
> http://www.windowsservercatalog.com/svvp/ (
> http://www.windowsservercatalog.com/svvp/)
> [Jim] - go read this link. Right now, there are *_NO_* validated
> non-MS platforms. Therefore, there are no supported 3rd-party hardware
> virtualization products (yet). Therefore, no Microsoft products are
> supported on 3rd-party virtualization. The vendors listed on that site are
> "participating"; their products *_have not_* completed testing.
>
> Jim
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:
> isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
> Sent: Tuesday, August 26, 2008 7:02 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Virtualising ISA
>
> Jim,
>
> Then the KB Article 957006 is extremely misleading. :(
>
> Here's an excerpt (in full) taken from the Introduction section.
>
> This article discusses the support policy for running Microsoft
> server software in the following supported virtualization environments:
>
>
> * Windows Server 2008 with Hyper-V
> * Microsoft Hyper-V Server 2008
> * Supported partners' virtualization software
> For more information, click the following article number to
> view the article in the Microsoft Knowledge Base:
> 944987 (http://support.microsoft.com/kb/944987/) Support
> partners for non-Microsoft hardware virtualization software
> * Server Virtualization Validation Program (SVVP)
> For more information, visit the following Microsoft Web site:
> http://www.windowsservercatalog.com/svvp/ (
> http://www.windowsservercatalog.com/svvp/)
>
> In my interpreted version of this statement into layman terms, I
> read it as saying all of the bulleted environments are supported;
> specifically, any environment that is part of the Server Virtualization
> Validation Program.
>
> If you visit that page, VMWare, Inc. is listed as a participating
> vendor. If you then visit the Support link from that page, the first
> sentence states, "Technical support will be available for customers running
> a Windows Server operating system on a validated third-party
> hypervisor." Since ESX Server is a hypervisor and participation implies (at
> this time, based on language) validation, the support statement does appear
> to be transitive.
>
> I could not find anything specifically stating that the applications
> identified in the KB Article are only currently being supported in Hyper-V
> virtualized environments.
>
> If Microsoft is going to withhold support of the applications
> identified in the KB Article on other vendor's virtualization environments,
> then some kind of language should be used indicating that such support is
> pending [insert qualifier].
>
> Just my $0.02 worth.
>
> On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org <http://www.isaserver.org/>
> -------------------------------------------------------
>
> That KB lists the products that are supported on Hypervisor.
> Greg's questions was specific to VMWare ESX.
>
> This will be a very sticky question and
> http://support.microsoft.com/kb/897615/ provides the support limits.
>
> -----Original Message-----
> From: isalist-bounce@xxxxxxxxxxxxx [mailto:
> isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
> Sent: Tuesday, August 26, 2008 3:46 AM
> To: isalist@xxxxxxxxxxxxx
> Subject: [isalist] Re: Virtualising ISA
>
> Greg,
>
> ISA Server is supported.
>
> See the following KB Article for the full details on all
> supported virtualized applications from Microsoft.
>
> http://support.microsoft.com/kb/957006
>
> On 8/26/08, Greg Mulholland <greg@xxxxxxxxxxxxxx> wrote:
>
> http://www.ISAserver.org <http://www.isaserver.org/>
>
> -------------------------------------------------------
>
> Jim and/or others
>
> Is there an official standpoint from MS as to
> supported requirements for ISA virtualised in production environments?
> (specifically ESX)
>
> Cheers
>
> Greg
> ------------------------------------------------------
> List Archives:
> //www.freelists.org/archives/isalist/
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our
> other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other
> sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit
> http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
> ------------------------------------------------------
> List Archives: //www.freelists.org/archives/isalist/
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server Articles and Tutorials:
> http://www.isaserver.org/articles_tutorials/
> ISA Server Blogs: http://blogs.isaserver.org/
> ------------------------------------------------------
> Visit TechGenix.com for more information about our other sites:
> http://www.techgenix.com
> ------------------------------------------------------
> To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
> Report abuse to listadmin@xxxxxxxxxxxxx
>
>
>
>
> --
> Cordially yours,
> Jerry G. Young II
> Microsoft Certified Systems Engineer
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.138 / Virus Database: 270.6.7/1631 - Release Date: 8/24/2008
> 12:15 PM
>
--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
Other related posts:
