[isalist] Re: Virtualising ISA

  • From: Jim Harrison <Jim@xxxxxxxxxxxx>
  • To: "isalist@xxxxxxxxxxxxx" <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 26 Aug 2008 10:24:47 -0700

That's the "conventional wisdom".  In fact, the virtual technology makes a HUGE 
difference.  For instance, Microsoft Hypervisor is more secur(abl)e than 
Virtual Server simply because of the greater isolation between host and guests. 
 The same is true for VMWare server vs. ESX.
In fact, you *can* deploy a secure virtual environment, but as with any 
deployment, you have to balance capability against functionality and security.
If you only consider server hardening on virtualized environments, you're more 
(not less) likely to get whacked in virtualization, since your practices are 
likely not current.
Say it with me: "Virtualization is not a panacea".  You can't simply migrate 
all your servers to virtualized hardware and expect an immediate, much less 
positive ROI.

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of John Wilson
Sent: Tuesday, August 26, 2008 9:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

A little off topic here, but to me the question isn't necessarily whether or 
not the ISA Server is supported in a virtual environment, but whether you would 
really *want* to do that. If a virtual host platform (be it Microsoft Hyper-V, 
ESX, or Virtual Server 2005) has an ISA virtual machine, then you have a NIC 
connected either directly or indirectly to what ISA considers the outside world 
(either directly to the ISP, or to the Cisco router connected to the ISP, or 
what have you). Even with VLANS that concept would make me extremely nervous.

The only way I would validate an ISA virtual machine would be if the ISA server 
was only acting in Web proxy mode behind other firewalls for general security, 
or if the ISA virtual box was the second box in a chained or back-to-back 
config. It's just that in a virtual environment, you'd have to worry about 
hardening the host and Guest OS.

However, you guys may be more experienced than I and have a different 
perspective. Correct me if I'm wrong.

Sincerely,

John C. Wilson

________________________________
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 12:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Doncha just love arguing semantics? :)

My problem with linking the SVVP page (or even 944987) to this KB Article: The 
KB Article topic is supported virtualization environments.  I see it as guilt 
by association.

I just don't think it is 1) realistic or 2) practical to assume that the 
majority of readers who are looking for a statement of support are going to dig 
to the level required to understand that a non-Microsoft virtualization 
environment is not supported for any of the applications listed.

A simple statement as an additional note at the end of the introduction section 
that states something like, "At this time, the applications listed in this KB 
Article are only supported on Hyper-V; non-Microsoft virtualization 
environments are not supported.  As this changes, updates will be reflected." 
would really make this discussion go away. ;)

It's like being told to read the fine print: we all know we have to but are 
irritated that it can't just simply be put forth up front because of the 
frustration it causes.

You're right, though.  The reader should take enough of an interest to fully 
understand what's written.  That's simple due diligence.  I'm just saying make 
it easier to do so. :)

On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
http://www.ISAserver.org
-------------------------------------------------------

While it's true that the burden of communication rests primarily with the 
speaker, some of the responsibility rests with the listener (reader) to 
actually absorb the content.  If you're only looking for keywords and -phrases, 
you'll find what you seek.

In fact, this is stated on the SVVP page, which, coincidentally, is the 
reference point for the SVVP program.  This is why only Hyper-V is listed in 
this KB.  The last thing we need is multiple places to clean up when (not if) 
the support statement changes for the various 3rd-party virtualization 
offerings.
SVVP is the primary place to go and this is why it's "linked to" from that KB.


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 7:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Jim,

"Right now, there are *_NO_* validated non-MS platforms."

This is what needs to be clearly stated.  Again, depending on how you read it, 
a user may not get this.  My point is really simply that; when specifically put 
forth in the same way you just put it, there's no room for argument.  My guess 
is a lot of users out there will read into this the same way I did 
(optimistically), or worse yet, move forward thinking that support will come, 
only to run into an issue with said support when a problem occurs that requires 
it.  At the end of the day, fair or not, Microsoft gets the black eye.  By 
making it clear (without having to dig through links and guess at implied 
statements) upfront, I think greater value and service to the customers is 
provided.


On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

       It's only misleading if you read into it.  Let's take each bullet in 
turn:

       *       Windows Server 2008 with Hyper-V
       *       Microsoft Hyper-V Server 2008
       [Jim] - ok; we'll take two at a time.  Hyper-V Server and Windows 2008 
with Hyper-V are the same thing from the guest OS perspective and ISA is 
supported there.

       *       Supported partners' virtualization software
              For more information, click the following article number to view 
the article in the Microsoft Knowledge Base:
              944987 (http://support.microsoft.com/kb/944987/) Support partners 
for non-Microsoft hardware virtualization software
       [Jim] This article doesn't list supported virtualization products.  It 
lists virtualization support partners.  Novell has signed on to help provide 
support for non-MS virtualization; nothing more.  The bullet title in this 
article is misleading, but the article linked to is not.

       *       Server Virtualization Validation Program (SVVP)
              For more information, visit the following Microsoft Web site:
              http://www.windowsservercatalog.com/svvp/
       [Jim] - go read this link.  Right now, there are *_NO_* validated non-MS 
platforms.  Therefore, there are no supported 3rd-party hardware virtualization 
products (yet).  Therefore, no Microsoft products are supported on 3rd-party 
virtualization.  The vendors listed on that site are "participating"; their 
products *_have not_* completed testing.

       Jim

       -----Original Message-----
       From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
       Sent: Tuesday, August 26, 2008 7:02 AM
       To: isalist@xxxxxxxxxxxxx
       Subject: [isalist] Re: Virtualising ISA

       Jim,

       Then the KB Article 957006 is extremely misleading. :(

       Here's an excerpt (in full) taken from the Introduction section.

       This article discusses the support policy for running Microsoft server 
software in the following supported virtualization environments:


       *       Windows Server 2008 with Hyper-V
       *       Microsoft Hyper-V Server 2008
       *       Supported partners' virtualization software
              For more information, click the following article number to view 
the article in the Microsoft Knowledge Base:
              944987 (http://support.microsoft.com/kb/944987/) Support partners 
for non-Microsoft hardware virtualization software
       *       Server Virtualization Validation Program (SVVP)
              For more information, visit the following Microsoft Web site:
              http://www.windowsservercatalog.com/svvp/

       In my interpreted version of this statement into layman terms, I read it 
as saying all of the bulleted environments are supported; specifically, any 
environment that is part of the Server Virtualization Validation Program.

       If you visit that page, VMWare, Inc. is listed as a participating 
vendor.  If you then visit the Support link from that page, the first sentence 
states, "Technical support will be available for customers running a Windows 
Server operating system on a validated third-party hypervisor."  Since ESX 
Server is a hypervisor and participation implies (at this time, based on 
language) validation, the support statement does appear to be transitive.

       I could not find anything specifically stating that the applications 
identified in the KB Article are only currently being supported in Hyper-V 
virtualized environments.

       If Microsoft is going to withhold support of the applications identified 
in the KB Article on other vendors' virtualization environments, then some kind 
of language should be used indicating that such support is pending [insert 
qualifier].

       Just my $0.02 worth.

       On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:

              That KB lists the products that are supported on Hypervisor.
              Greg's question was specific to VMWare ESX.

              This will be a very sticky question and 
http://support.microsoft.com/kb/897615/ provides the support limits.

              -----Original Message-----
              From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On 
Behalf Of Jerry Young
              Sent: Tuesday, August 26, 2008 3:46 AM
              To: isalist@xxxxxxxxxxxxx
              Subject: [isalist] Re: Virtualising ISA

              Greg,

              ISA Server is supported.

              See the following KB Article for the full details on all 
supported virtualized applications from Microsoft.

              http://support.microsoft.com/kb/957006

              On 8/26/08, Greg Mulholland <greg@xxxxxxxxxxxxxx> wrote:

                     Jim and/or others

                     Is there an official standpoint from MS as to supported 
requirements for ISA virtualised in production environments? (specifically ESX)

                     Cheers

                     Greg
                     ------------------------------------------------------
                     List Archives: //www.freelists.org/archives/isalist/
                     ISA Server Newsletter: 
http://www.isaserver.org/pages/newsletter.asp
                     ISA Server Articles and Tutorials: 
http://www.isaserver.org/articles_tutorials/
                     ISA Server Blogs: http://blogs.isaserver.org/
                     ------------------------------------------------------
                     Visit TechGenix.com for more information about our other 
sites:
                     http://www.techgenix.com
                     ------------------------------------------------------
                     To unsubscribe visit 
http://www.isaserver.org/pages/isalist.asp
                     Report abuse to 
listadmin@xxxxxxxxxxxxx<mailto:listadmin@xxxxxxxxxxxxx>






              --
              Cordially yours,
              Jerry G. Young II
              Microsoft Certified Systems Engineer




       --
       Cordially yours,
       Jerry G. Young II
       Microsoft Certified Systems Engineer






--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer



--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer
