[isalist] Re: Virtualising ISA

  • From: "John Wilson" <John@xxxxxxxxxxxxxxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Tue, 26 Aug 2008 13:45:06 -0400

http://www.ISAserver.org
-------------------------------------------------------
  
10+ points for the big word.... "Panacea". :)

It goes without saying that all boxes in the enterprise should be hardened
as much as the OS allows. Virtual tech does make a big difference. Most of
my experience comes from VS2005 and a little bit from ESX 3.5. I don't have
any experience with 2008 Hyper-V. So if I sound a bit short-sighted, that's
where I'm coming from.

The list rocks. Keep the good stuff coming.

J

-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On
Behalf Of Jim Harrison
Sent: Tuesday, August 26, 2008 1:25 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

That's the "conventional wisdom".  In fact, the virtual technology makes
a HUGE difference.  For instance, Microsoft Hypervisor is more
secur(abl)e than Virtual Server simply because of the greater isolation
between host and guests.  The same is true for VMWare server vs. ESX.

In fact, you *can* deploy a secure virtual environment, but as with any
deployment, you have to balance capability against functionality and
security.

If you only consider server hardening on virtualized environments, you're
more (not less) likely to get whacked in virtualization, since your
practices are likely not current.

Say it with me; "Virtualization is not a panacea".  You can't simply
migrate all your servers to virtualized hardware and expect an
immediate, much less positive, ROI.

 

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of John Wilson
Sent: Tuesday, August 26, 2008 9:51 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

 

A little off topic here, but to me the question isn't necessarily
whether or not the ISA Server is supported in a virtual environment, but
whether you would really *want* to do that. If a virtual host platform
(be it Microsoft Hyper-V, ESX, or Virtual Server 2005) has an ISA
virtual machine, then you have a NIC connected either directly or
indirectly to what ISA considers the outside world (either directly to
the ISP, or to the Cisco router connected to the ISP, or what have you).
Even with VLANs that concept would make me extremely nervous.

 

The only way I would validate an ISA virtual machine would be if the ISA
server was only acting in Web proxy mode behind other firewalls for
general security, or if the ISA virtual box was the second box in a
chained or back-to-back config. It's just that in a virtual environment,
you'd have to worry about hardening the host and Guest OS. 

 

However, you guys may be more experienced than I and have a different
perspective. Correct me if I'm wrong.  

 

Sincerely,

 

John C. Wilson

 

________________________________

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 12:20 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

 

Doncha just love arguing semantics? :)

 

My problem with linking the SVVP page (or even 944987) to this KB
Article: The KB Article topic is supported virtualization environments.
I see it as guilt by association.

 

I just don't think it is 1) realistic or 2) practical to assume that the
majority of readers who are looking for a statement of support are going
to dig to the level required to understand that a non-Microsoft
virtualization environment is not supported for any of the applications
listed.

 

A simple statement as an additional note at the end of the introduction
section that states something like, "At this time, the applications
listed in this KB Article are only supported on Hyper-V; non-Microsoft
virtualization environments are not supported.  As this changes, updates
will be reflected." would really make this discussion go away. ;)
 

It's like being told to read the fine print: we all know we have to but
are irritated that it can't just simply be put forth up front because of
the frustration it causes.

 

You're right, though.  The reader should take enough of an interest to
fully understand what's written.  That's simple due diligence.  I'm just
saying make it easier to do so. :)
 

On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote: 


While it's true that the burden of communication rests primarily with
the speaker, some of the responsibility rests with the listener (reader)
to actually absorb the content.  If you're only looking for keywords and
-phrases, you'll find what you seek.

In fact, this is stated on the SVVP page, which, coincidentally, is the
reference point for the SVVP program.  This is why only Hyper-V is
listed in this KB.  The last thing we need is multiple places to clean
up when (not if) the support statement changes for the various 3rd-party
virtualization offerings.
SVVP is the primary place to go and this is why it's "linked to" from
that KB.


-----Original Message-----
From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx]
On Behalf Of Jerry Young
Sent: Tuesday, August 26, 2008 7:35 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Virtualising ISA

Jim,

"Right now, there are *_NO_* validated non-MS platforms."

This is what needs to be clearly stated.  Again, depending on how you
read it, a user may not get this.  My point is really simply that; when
specifically put forth in the same way you just put it, there's no room
for argument.  My guess is a lot of users out there will read into this
the same way I did (optimistically), or worse yet, move forward thinking
that support will come, only to run into an issue with said support when
a problem occurs that requires it.  At the end of the day, fair or not,
Microsoft gets the black eye.  By making it clear (without having to dig
through links and guess at implied statements) upfront, I think greater
value and service to the customers is provided.


On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


       It's only misleading if you read into it.  Let's take each bullet
in turn:

       *       Windows Server 2008 with Hyper-V
       *       Microsoft Hyper-V Server 2008
       [Jim] - ok; we'll take two at a time.  Hyper-V Server and Windows
2008 with Hyper-V are the same thing from the guest OS perspective and
ISA is supported there.

       *       Supported partners' virtualization software
              For more information, click the following article number
to view the article in the Microsoft Knowledge Base:
              944987 (http://support.microsoft.com/kb/944987/) Support
partners for non-Microsoft hardware virtualization software
       [Jim] This article doesn't list supported virtualization
products.  It lists virtualization support partners.  Novell has signed
on to help provide support for non-MS virtualization; nothing more.  The
bullet title in this article is misleading, but the article linked to is
not.

       *       Server Virtualization Validation Program (SVVP)
              For more information, visit the following Microsoft Web
site:
              http://www.windowsservercatalog.com/svvp/
(http://www.windowsservercatalog.com/svvp/)
       [Jim] - go read this link.  Right now, there are *_NO_* validated
non-MS platforms.  Therefore, there are no supported 3rd-party hardware
virtualization products (yet).  Therefore, no Microsoft products are
supported on 3rd-party virtualization.  The vendors listed on that site
are "participating"; their products *_have not_* completed testing.

       Jim

       -----Original Message-----
       From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
       Sent: Tuesday, August 26, 2008 7:02 AM
       To: isalist@xxxxxxxxxxxxx
       Subject: [isalist] Re: Virtualising ISA

       Jim,

       Then the KB Article 957006 is extremely misleading. :(

       Here's an excerpt (in full) taken from the Introduction section.

       This article discusses the support policy for running Microsoft
server software in the following supported virtualization environments:


       *       Windows Server 2008 with Hyper-V
       *       Microsoft Hyper-V Server 2008
       *       Supported partners' virtualization software
              For more information, click the following article number
to view the article in the Microsoft Knowledge Base:
              944987 (http://support.microsoft.com/kb/944987/) Support
partners for non-Microsoft hardware virtualization software
       *       Server Virtualization Validation Program (SVVP)
              For more information, visit the following Microsoft Web
site:
              http://www.windowsservercatalog.com/svvp/
(http://www.windowsservercatalog.com/svvp/)

       In my interpreted version of this statement into layman terms, I
read it as saying all of the bulleted environments are supported;
specifically, any environment that is part of the Server Virtualization
Validation Program.

       If you visit that page, VMWare, Inc. is listed as a participating
vendor.  If you then visit the Support link from that page, the first
sentence states, "Technical support will be available for customers
running a Windows Server operating system on a validated third-party
hypervisor."  Since ESX Server is a hypervisor and participation implies
(at this time, based on language) validation, the support statement does
appear to be transitive.

       I could not find anything specifically stating that the
applications identified in the KB Article are only currently being
supported in Hyper-V virtualized environments.

       If Microsoft is going to withhold support of the applications
identified in the KB Article on other vendors' virtualization
environments, then some kind of language should be used indicating that
such support is pending [insert qualifier].

       Just my $0.02 worth.

       On 8/26/08, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:


              That KB lists the products that are supported on
Hypervisor.
              Greg's question was specific to VMWare ESX.

              This will be a very sticky question and
http://support.microsoft.com/kb/897615/ provides the support limits.

              -----Original Message-----
              From: isalist-bounce@xxxxxxxxxxxxx
[mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Jerry Young
              Sent: Tuesday, August 26, 2008 3:46 AM
              To: isalist@xxxxxxxxxxxxx
              Subject: [isalist] Re: Virtualising ISA

              Greg,

              ISA Server is supported.

              See the following KB Article for the full details on all
supported virtualized applications from Microsoft.

              http://support.microsoft.com/kb/957006

              On 8/26/08, Greg Mulholland <greg@xxxxxxxxxxxxxx> wrote:


                     Jim and/or others

                     Is there an official standpoint from MS as to
supported requirements for ISA virtualised in production environments?
(specifically ESX)

                     Cheers

                     Greg
 
------------------------------------------------------
                     List Archives:
//www.freelists.org/archives/isalist/
                     ISA Server Newsletter:
http://www.isaserver.org/pages/newsletter.asp
                     ISA Server Articles and Tutorials:
http://www.isaserver.org/articles_tutorials/
                     ISA Server Blogs: http://blogs.isaserver.org/
 
------------------------------------------------------
                     Visit TechGenix.com for more information about our
other sites:
                     http://www.techgenix.com
 
------------------------------------------------------
                     To unsubscribe visit
http://www.isaserver.org/pages/isalist.asp
                     Report abuse to listadmin@xxxxxxxxxxxxx






              --
              Cordially yours,
              Jerry G. Young II
              Microsoft Certified Systems Engineer




       --
       Cordially yours,
       Jerry G. Young II
       Microsoft Certified Systems Engineer






--
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer




-- 
Cordially yours,
Jerry G. Young II
Microsoft Certified Systems Engineer 

No virus found in this incoming message.
Checked by AVG - http://www.avg.com
Version: 8.0.138 / Virus Database: 270.6.7/1631 - Release Date:
8/24/2008 12:15 PM


