
I am running a Windows 2008 R2 server with various services running natively and two virtualised servers running on Hyper-V.

The hardware server, I'm going to call it REAL1, has one external NIC, to which I can assign any of the following IP addresses: 1.2.3.4, 1.2.3.5, 1.2.3.6, etc...

I need to achieve the following: I would like to be able to connect to REAL1 via remote desktop (RDP / port 3389) on one IP address (say 1.2.3.4), but also to the virtualised servers (I'm going to call them VIRTUAL1 and VIRTUAL2) on the other available IP addresses (say 1.2.3.5 and 1.2.3.6).

The easiest way of doing this is to connect the virtual servers directly to the external interface and assign them each their own IP address. REAL1 will have 1.2.3.4, VIRTUAL1 will have 1.2.3.5 and VIRTUAL2 will have 1.2.3.6. Unfortunately, although I don't directly manage the two virtual servers, I have responsibility for their security. I would like to have some kind of firewall between the virtual servers and the internet.

I have tried running a virtual machine firewall, but have found the performance on Hyper-V pretty terrible.

The alternative I am now trying is Routing and Remote Access (RRAS):

  • I have set up a virtual network called 'Internal' and REAL1 has a virtual network adapter connected to this virtual network
  • I have connected each of the virtual servers to this network too
  • I have assigned each server static IP addresses on this virtual network (REAL1 has 10.1.1.1, VIRTUAL1 has 10.1.1.2 and VIRTUAL2 has 10.1.1.3)
  • I have installed RRAS and set up a NAT. The external interface is the external NIC, the internal interface is the virtual NIC connected to the internal network
  • I have assigned all the available external IP addresses to the external NIC on REAL1.
  • The virtual servers have been set up appropriately such that their default gateway is pointing to 10.1.1.1 and they can both access externally. Success! The RRAS is routing packets.

The problem I have is that when I try to port forward services from the external IP address on REAL1, it only works if there is not already a service bound to the port. Remote desktop 'greedily' binds to every available IP address on port 3389 on REAL1 so I can't selectively forward incoming traffic for 1.2.3.5:3389 to 10.1.1.2:3389. RRAS will allow me to set up this port forwarding, and no errors come up. It just doesn't work.

So the question I have is:

Is there a better way of doing this? Or at least is there a way of resolving the apparent conflict between RRAS and everything else on the physical server?
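Before changing the RRAS configuration it helps to confirm the binding conflict the question describes, i.e. which listener on REAL1 owns port 3389 and whether it is bound to the wildcard address 0.0.0.0 (every external IP) or to a single IP. The following PowerShell diagnostic is an added example and is not part of the original question or any of the answers. It parses plain `netstat -ano -p tcp` output so it runs on Windows Server 2008 R2 / PowerShell 2.0 (`Get-NetTCPConnection` only exists from Server 2012 onward). The port list is an assumed default; pass `-Ports 3389,80` or similar for other services you intend to forward.

```powershell
# Added diagnostic (not from the original post): list TCP listeners on the host and
# flag those bound to 0.0.0.0, which intercept inbound traffic for every external IP
# before the RRAS NAT port mapping can forward it to VIRTUAL1 / VIRTUAL2.
param(
    [int[]]$Ports = @(3389)   # assumed default: the RDP port from the question
)

# Each LISTENING line of 'netstat -ano -p tcp' looks like:
#   TCP    0.0.0.0:3389    0.0.0.0:0    LISTENING    1234
$listeners = netstat -ano -p tcp |
    Where-Object { $_ -match 'LISTENING' } |
    ForEach-Object {
        $f = ($_ -replace '^\s+', '') -split '\s+'
        $local = $f[1]
        $lastColon = $local.LastIndexOf(':')
        New-Object PSObject -Property @{
            Address = $local.Substring(0, $lastColon)
            Port    = [int]$local.Substring($lastColon + 1)
            Pid     = [int]$f[4]
        }
    }

foreach ($p in $Ports) {
    $hits = $listeners | Where-Object { $_.Port -eq $p }
    if (-not $hits) {
        "Port $p : nothing on the host is listening - an RRAS NAT mapping for this port can take effect."
        continue
    }
    foreach ($h in $hits) {
        $proc = (Get-Process -Id $h.Pid -ErrorAction SilentlyContinue).ProcessName
        if ($h.Address -eq '0.0.0.0') {
            "Port $p : bound to ALL addresses (0.0.0.0) by PID $($h.Pid) ($proc) - inbound traffic for every external IP on this port is consumed locally, so forwarding e.g. 1.2.3.5:$p to 10.1.1.2:$p cannot work."
        } else {
            "Port $p : bound only to $($h.Address) by PID $($h.Pid) ($proc) - the other external IPs on this port remain available for NAT forwarding."
        }
    }
}
```

Run it in an elevated prompt on the host; a `0.0.0.0:3389` line owned by `svchost` is the Remote Desktop listener claiming every address, which is the symptom the question reports. A service bound to a single address leaves the remaining external IPs free for the RRAS port mapping.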

3 Answers


I have tried running a virtual machine firewall, but have found the performance on Hyper-V pretty terrible.

Häh? I run multiple RRAS / Firewall systems with Hyper-V (2 RRAS, one TMG) and performance is really ok for 99% of the things - actually all I care about.

If you are OK with RRAS as firewall, use RRAS externally.

Put in a second NIC on REAL1 - a non-hardware one (Microsoft driver - look it up - I think it is called loopback adapter), then put up the virtual network around that one. RRAS can then forward incoming TCP etc. connections there.

I personally would not run anything but Hyper-V on the physical server ;) Definitely not higher level functions, if it is exposed to the internet ;)

TomTom
  • I have been running IPCop & Endian Firewall as virtual machines, but their use of 'Legacy Network Adapters' means that throughput is really bad for high bandwidth or high numbers of connections. Your suggestion sounds remarkably similar to what I am doing. Unfortunately I can't forward ports bound on an external address to anything on the internal / loopback interface. Remote desktop (port 3389) is the biggest problem here. –  Apr 19 '10 at 11:27
  • Try using a windows based firewall then - naturally legacy network adapter is pretty much a "stupid performance sucker" issue. No way around it. TMG (Microsoft Threat Management Gateway) is a decent firewall for windows AND has quite good performance under Hyper-V. – TomTom Apr 19 '10 at 11:36
  • TMG system requirements are a bit too much for my purposes. I just want a lightweight solution which will not take too much of the limited resources on the physical server. Maybe I should run a W2K8 server core VM with just RRAS installed (assuming that works on server core)...? –  Apr 19 '10 at 11:55
  • Bad news: does not work on server core (otherwise I would have 2 more cores around). But it works on a quite lightweight VM - though I am up to 768mb now for RRAS on both ends (I use it to connect my office to my production cluster). – TomTom Apr 19 '10 at 12:13


I don't see how performance can be so bad, I'd definitely go with a third virtual server that has your firewall/remote access/service publishing and keep the physical host clean of such things.

Obviously the best thing would be to slot a second NIC into the machine and dedicate it for the internal network if such a thing exists.

If no such internal network exists, then just use a third virtual server with something like TMG installed, assign it the external IP(s) and create a private network on the inside which is purely virtual and only connects the physical host, the two virtual servers and the TMGs inside interface together. Use NAT and several external IP addresses on the TMG to publish the other servers. This will partially shield not only the virtual servers but the physical host as well.

Oskar Duveborn
  • Performance is bad for non-windows firewalls (like IPCop / Endian Firewall which I have used) because they use the legacy network adapter in Hyper-V. I would use something like TMG in the way you suggest, but the machine only has 8Gb RAM, and a single quad-core. TMG system requirements are very high for running a separate VM which is just going to do NAT + port forwarding and nothing else! I would hope something like that could run in < 256Mb. –  Apr 19 '10 at 11:53
  • Well, I run a virtual instance of ISA Server 2006 in 384MB of RAM without any problems whatsoever but I do agree the TMG eats a bit more but not as much as the printed requirements state. – Oskar Duveborn Apr 19 '10 at 12:29

Are you running a high-end video adapter on your Hyper-V server? There is an issue with this configuration and a recommendation to use the basic svga drivers on Hyper-V servers.

Understanding High-End Video Performance Issues with Hyper-V

A possible option to solving your RDP problem is to add the Terminal Services Gateway to your Hyper-V server and then you can connect to your VMs through your Hyper-V Server. I wrote up an article that outlines this feature in Windows 2008 Server and use it every day to get to my VMs on my lab server.

Once you have TSG enabled you can extend it by adding RRAS with SSTP to add the option of a VPN connection into your home network, all over your Hyper-V server.

Dscoduc
  • Really interesting - hadn't seen this before, thanks. Unfortunately, this isn't the issue I'm experiencing. I do have an older 3D card in one of the servers experiencing bad performance (ATI X700), but it's using the standard SVGA drivers and I've run the performance monitor tests suggested by Virtual PC Guy and they come up clean. The other servers involved are using standard non-3D cards + standard SVGA drivers. –  Apr 21 '10 at 10:18
  • Tom, drop me a line on my blog (see article link in my answer) and I will help you setup your Hyper-V the way you want... It seems that there are plenty of options to get things working. – Dscoduc Apr 21 '10 at 17:46