http://www.ISAserver.org
-------------------------------------------------------

10+ points for the big word.... "Panacea". :)

It goes without saying that all boxes in the enterprise should be hardened as much as the OS allows. Virtual tech does make a big difference. Most of my experience comes from VS2005 and a little bit from ESX 3.5. I don't have any experience with 2008 Hyper-V. So if I sound a bit short-sighted, that's where I'm coming from.

The list rocks. Keep the good stuff coming.

J

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jim Harrison
Sent: Tuesday, August 26, 2008 1:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

That's the "conventional wisdom". In fact, the virtual technology makes a HUGE difference. For instance, Microsoft Hypervisor is more secur(abl)e than Virtual Server simply because of the greater isolation between host and guests. The same is true for VMware Server vs. ESX.

In fact, you *can* deploy a secure virtual environment, but as with any deployment, you have to balance capability against functionality and security. If you only consider server hardening on virtualized environments, you're more (not less) likely to get whacked in virtualization, since your practices are likely not current.

Say it with me: "Virtualization is not a panacea". You can't simply migrate all your servers to virtualized hardware and expect an immediate, much less positive, ROI.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of John Wilson
Sent: Tuesday, August 26, 2008 9:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

A little off topic here, but to me the question isn't necessarily whether or not the ISA Server is supported in a virtual environment, but whether you would really *want* to do that.
If a virtual host platform (be it Microsoft Hyper-V, ESX, or Virtual Server 2005) has an ISA virtual machine, then you have a NIC connected either directly or indirectly to what ISA considers the outside world (either directly to the ISP, or to the Cisco router connected to the ISP, or what have you). Even with VLANs that concept would make me extremely nervous.

The only way I would validate an ISA virtual machine would be if the ISA server was only acting in Web proxy mode behind other firewalls for general security, or if the ISA virtual box was the second box in a chained or back-to-back config. It's just that in a virtual environment, you'd have to worry about hardening the host and Guest OS.

However, you guys may be more experienced than I and have a different perspective. Correct me if I'm wrong.

Sincerely,
John C. Wilson

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 12:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Doncha just love arguing semantics? :)

My problem with linking the SVVP page (or even 944987) to this KB Article: The KB Article topic is supported virtualization environments. I see it as guilt by association.

I just don't think it is 1) realistic or 2) practical to assume that the majority of readers who are looking for a statement of support are going to dig to the level required to understand that a non-Microsoft virtualization environment is not supported for any of the applications listed.

A simple statement as an additional note at the end of the introduction section that states something like, "At this time, the applications listed in this KB Article are only supported on Hyper-V; non-Microsoft virtualization environments are not supported. As this changes, updates will be reflected." would really make this discussion go away.
;) It's like being told to read the fine print: we all know we have to but are irritated that it can't just simply be put forth up front because of the frustration it causes.

You're right, though. The reader should take enough of an interest to fully understand what's written. That's simple due diligence. I'm just saying make it easier to do so. :)

On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

While it's true that the burden of communication rests primarily with the speaker, some of the responsibility rests with the listener (reader) to actually absorb the content. If you're only looking for keywords and -phrases, you'll find what you seek.

In fact, this is stated on the SVVP page, which, coincidentally, is the reference point for the SVVP program. This is why only Hyper-V is listed in this KB. The last thing we need is multiple places to clean up when (not if) the support statement changes for the various 3rd-party virtualization offerings. SVVP is the primary place to go and this is why it's "linked to" from that KB.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 7:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Jim,

"Right now, there are *_NO_* validated non-MS platforms."

This is what needs to be clearly stated. Again, depending on how you read it, a user may not get this.

My point is really simply that: when specifically put forth in the same way you just put it, there's no room for argument. My guess is a lot of users out there will read into this the same way I did (optimistically), or worse yet, move forward thinking that support will come, only to run into an issue with said support when a problem occurs that requires it.

At the end of the day, fair or not, Microsoft gets the black eye.
By making it clear (without having to dig through links and guess at implied statements) upfront, I think greater value and service to the customers is provided.

On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

It's only misleading if you read into it. Let's take each bullet in turn:

* Windows Server 2008 with Hyper-V
* Microsoft Hyper-V Server 2008

[Jim] - ok; we'll take two at a time. Hyper-V Server and Windows 2008 with Hyper-V are the same thing from the guest OS perspective and ISA is supported there.

* Supported partners' virtualization software
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  944987 (http://support.microsoft.com/kb/944987/) Support partners for non-Microsoft hardware virtualization software

[Jim] This article doesn't list supported virtualization products. It lists virtualization support partners. Novell has signed on to help provide support for non-MS virtualization; nothing more. The bullet title in this article is misleading, but the article linked to is not.

* Server Virtualization Validation Program (SVVP)
  For more information, visit the following Microsoft Web site:
  http://www.windowsservercatalog.com/svvp/

[Jim] - go read this link. Right now, there are *_NO_* validated non-MS platforms. Therefore, there are no supported 3rd-party hardware virtualization products (yet). Therefore, no Microsoft products are supported on 3rd-party virtualization. The vendors listed on that site are "participating"; their products *_have not_* completed testing.

Jim

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 7:02 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Jim,

Then the KB Article 957006 is extremely misleading.
:( Here's an excerpt (in full) taken from the Introduction section.

This article discusses the support policy for running Microsoft server software in the following supported virtualization environments:

* Windows Server 2008 with Hyper-V
* Microsoft Hyper-V Server 2008
* Supported partners' virtualization software
  For more information, click the following article number to view the article in the Microsoft Knowledge Base:
  944987 (http://support.microsoft.com/kb/944987/) Support partners for non-Microsoft hardware virtualization software
* Server Virtualization Validation Program (SVVP)
  For more information, visit the following Microsoft Web site:
  http://www.windowsservercatalog.com/svvp/

In my interpreted version of this statement into layman's terms, I read it as saying all of the bulleted environments are supported; specifically, any environment that is part of the Server Virtualization Validation Program.

If you visit that page, VMware, Inc. is listed as a participating vendor. If you then visit the Support link from that page, the first sentence states, "Technical support will be available for customers running a Windows Server operating system on a validated third-party hypervisor."

Since ESX Server is a hypervisor and participation implies (at this time, based on language) validation, the support statement does appear to be transitive. I could not find anything specifically stating that the applications identified in the KB Article are only currently being supported in Hyper-V virtualized environments.

If Microsoft is going to withhold support of the applications identified in the KB Article on other vendors' virtualization environments, then some kind of language should be used indicating that such support is pending [insert qualifier].

Just my $0.02 worth.
On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

That KB lists the products that are supported on Hypervisor. Greg's question was specific to VMware ESX. This will be a very sticky question and http://support.microsoft.com/kb/897615/ provides the support limits.

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 3:46 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Greg,

ISA Server is supported. See the following KB Article for the full details on all supported virtualized applications from Microsoft.

http://support.microsoft.com/kb/957006

On 8/26/08, Greg Mulholland <greg@xxxxxxxxxxxxxx> wrote:

Jim and/or others,

Is there an official standpoint from MS as to supported requirements for ISA virtualised in production environments? (specifically ESX)

Cheers
Greg

------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites: http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx

--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer