April 2008 - Posts
Not sure if this applies to virtualised instances of ISA 2006 on virtual server, but it sure does on HyperV. There are many variants of the problem which you can find on the internet. Here's mine
I've set up ISA 2006 on a virtual host with three network cards. One for management, one for virtual machines, and one for the Internet. ISA 2006 is connected to two of them, virtual machine and internet. Set up all the rules as I did on my physical host which is about to be decommissioned, but the funny thing is Internet access on the ISA is fine, but not on other clients. Monitoring the log tells me that all traffic is being blocked by the default enterprise deny all rule, even though the source to destination and protocol matches the rules above it.
I also realise that start-up and shut-down of ISA takes a fairly bit of time, and accessing the certificates is a pain. Remembering that other MVPs faces some problem with virtualised ISA, and many of them disabled TCP Offloading and it solved their problem. That works for me too, and it solved all the slow start-up, shut-down and access certificate.
Previously, I've mentioned that I've replaced my motherboard with Asus Rampage Formula. This board comes with a dual gigabit lan port. So I was playing with the network configuration on my hyper-v host. The LAN Left is where the virtual network switch is attached to, and all virtual machines uses this to communicate. The LAN Right is where the host is using to communicate.
I remember seeing a network layer diagram somewhere which I can't find now. It says that when network traffic comes into a network card, it will route the traffic to both the host and the virtual machine network switch, which means installing ISA on virtual machine does not protect the host. Installing IS on host does not protect the virtual machines if they are listening to the external network card.
Since I now have a dedicated lan port for the host, I was playful, and disabled the LAN port for virtual machines on my host. If I do that on virtual server / virtual pc, I'm quite sure that the network connectivity will be gone, even though the network cable is still shown as attached. But in Hyper-V, it is still working! I can access my virtual machines from my laptop, and vice versa. In fact, if i disable both, I still have network connectivity to my virtual machines, though I won't be able to access the host!
Now, if I virtualise ISA, since the virtual network switch does not have an IP, and the external network card does not have an IP for the host, does it mean that all network will go through ISA? Does it means that my ISA really behaves exactly like a physical box, without compromising the host?
Cool huh?
[Updated]
Found something that explain how networking works in hyper-v
Details and download bits can be found here.
Just some additional details. If you have existing Windows 2008 virtual machines, you need to download this and package it into an ISO to mount it into the virtual machine's CD-Rom drive, as you will lose your network connections after upgrade.
For your existing windows 2003 or windows XP machines, you just need to update the Integration Services
Updates: For windows 2008 x64 virtual machine, you need to install the same bit you installed on the host before you get your network back.
Sigh, for the past three days, I was trying to fix my hardware, as one fine morning, the PC is beeping continuously. After reboot, it is checksum error. Naturally, thinking its motherboard problem, I went to buy a high-end gaming rig (Rampage Formula), as that would be better to run 24x7 rather than a normal motherboard, but later realise that it is the CPU that short-circuit the motherboard. A few trips to Sim Lim, and I got myself a quad core, while waiting for my E6600 to be replaced by Intel.
And you know what I saw in Sim Lim? A gigabyte motherboard that says "Support 6 quad processor"!!! I ask the person, what does that mean. He says 6 core is coming out soon!
http://www.engadget.com/2008/03/18/intels-6-core-dunnington-coming-in-2008-nehalem-official/
More reasons to play with HyperV! Now, if only motherboard comes with more ram slots...