
Okay here's an interesting question. In two parts:

  1. Is it advisable to run TMG as a hyper-v guest in production? (something is nagging me that it's not a good idea, but it's possible to give a VM exclusive access to a NIC and technically the "host" is just another guest with special privileges).
  2. If I run TMG as a Hyper-V guest, should I place the host in the Internal network, or is the DMZ safe enough? My concern here is obviously that the host machine could be considered a weak link. The DMZ is behind a NAT and I'm not giving the host machine any external access. I only give internal machines access to the host. Is this enough, or should I bring the host Internal?

Or, back to point 1, should I scrap that idea altogether and put TMG on a separate physical machine? (So I lied, I guess it's in 3 parts.)

For clarification, my design is as follows (all running on one physical box):

Machine A - Hyper-V host: does not have access to any host NICs, only virtual networks created through Hyper-V. Also runs (currently) the DMZ DC with a one-way trust to the internal domain, and DNS / DHCP for internal. Connected to the DMZ virtual network only.

Machine B - TMG guest machine, three-leg configuration: External is connected to a physical NIC assigned a publicly accessible IP. Internal and DMZ are both connected to virtual networks. Firewall rule in place to allow Machine A to handle AD communications with the Internal DC/DNS. Also a physical NIC for the DMZ connected to a wireless AP.

Machines C-?? - Internal network services and clients: they are connected to the Internal virtual network and are given access on a case-by-case basis.

Everything is working correctly; I just want to make sure that I'm not creating some gaping hole in my network with this configuration.

Michael Brown

2 Answers

  1. It looks like Microsoft has "officially" announced support of TMG on Hyper-V - http://www.microsoft.com/forefront/threat-management-gateway/en/us/default.aspx

  2. As Tatas stated, just because TMG is on the hypervisor, there is no technical requirement for the hypervisor itself to be exposed. The virtual-to-physical NIC assignments under the hypervisor are the only requirements for placing TMG into a functioning configuration. The hypervisor can stay put based on your "normal" deployment for hypervisors in your environment.

As long as there are no rampant hypervisor exploits, running TMG and similar products is/should be just as "safe" as it would be on physical hardware.

With that said, there may be some operational advantages to having perimeter-type applications on physical hardware when it comes to addressing and/or responding to out-of-band situations (e.g. network utilization spikes, hypervisor issues, etc.).

user48838
  • We wrestled with keeping our TMGs physical for that very reason. What if we can't get to the virtual console... However, our trust in our virtual environment is high and we decided to go with it. – Tatas Jun 17 '11 at 21:13
  • That's absolutely an aspect, but the other piece is what if the perimeter is taking a beating (from whichever side) and its uptick impacts the hypervisor's planned/perceived provisioning. That's where the physical isolation will at least contain the functionality draw to just that function within your environment. – user48838 Jun 17 '11 at 21:26
  • Thanks for the answer... like I said, I just wanted to make sure there wasn't a KNOWN issue with this... if they get control of the host, they can pretty much control any machine on my network. Or at the very least shut down TMG and eff everything up. – Michael Brown Jun 17 '11 at 23:30
  • That's where configuring the host correctly network-wise will head most of that off - unless hypervisor exploits of that nature come about. – user48838 Jun 17 '11 at 23:34
  1. We run TMG in VMware, so yes, virtualization is definitely a viable option. Hyper-V is no different. You could create a new VM network specifically for the TMG guest(s). That would help isolate the NICs/traffic.

  2. Our TMGs are publicly addressed (we use them to reverse proxy Exchange). I don't see an overwhelming reason to put it in the DMZ, but it would be helpful to know exactly how you're planning to use it.

Tatas
  • No, I know TMG would be publicly addressed. When I say host, I mean the Hyper-V host. Like VMware, Hyper-V can run directly on the machine, or it can install under a running Windows 2008 OS, in which case that OS becomes the "host" (technically it's just another guest OS with special privileges). This is the host I'm referring to in part 2 of the question. – Michael Brown Jun 17 '11 at 19:45
  • I see what you're saying now. Why not put it in the Internal virtual network, just like all of your clients will be? This is precisely what the Internal network is for. – Tatas Jun 17 '11 at 20:33
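Both answers come down to the same two points: only the virtual-to-physical NIC assignments matter, and the management OS (the "host") belongs on the Internal network, never on the external leg. The following PowerShell is an added example, not code from either answer or the original poster, that builds that three-leg switch layout and then audits which switches the management OS is attached to. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later, so newer than this thread); the NIC and VM names are placeholders.

```powershell
# Added example: three-leg TMG switch layout on a Hyper-V host, keeping the
# management OS off the external leg. Names are assumptions, not from the post.
# Requires the Hyper-V PowerShell module (Server 2012 or later).

$ExternalNic = 'Ethernet 2'   # physical NIC holding the public IP (assumed name)
$TmgVm       = 'TMG01'        # TMG guest VM (assumed name)

# External leg: bind the switch to the physical NIC and do NOT create a
# management-OS vNIC on it, so the host has no address on the public side.
New-VMSwitch -Name 'TMG-External' -NetAdapterName $ExternalNic -AllowManagementOS $false

# Internal leg: an Internal-type switch gives guests AND the management OS a
# vNIC, which is the "put the host in the Internal network" advice above.
New-VMSwitch -Name 'TMG-Internal' -SwitchType Internal

# DMZ leg: a Private switch carries guest-to-guest traffic only; the
# management OS cannot attach to it at all.
New-VMSwitch -Name 'TMG-DMZ' -SwitchType Private

# Give the TMG guest one adapter per leg. 'Network Adapter' is the default
# adapter name on a new VM (assumption: the VM still has that one adapter).
Connect-VMNetworkAdapter -VMName $TmgVm -Name 'Network Adapter' -SwitchName 'TMG-External'
Add-VMNetworkAdapter     -VMName $TmgVm -Name 'Internal'        -SwitchName 'TMG-Internal'
Add-VMNetworkAdapter     -VMName $TmgVm -Name 'DMZ'             -SwitchName 'TMG-DMZ'

# Audit: every switch the management OS is attached to. Only 'TMG-Internal'
# should appear; an entry for 'TMG-External' means the host has a foothold on
# the public leg and the vNIC should be removed.
$hostSwitches = Get-VMNetworkAdapter -ManagementOS |
    Select-Object -ExpandProperty SwitchName

if ($hostSwitches -contains 'TMG-External') {
    Write-Warning 'Management OS has a vNIC on TMG-External; remove it with Remove-VMNetworkAdapter -ManagementOS -SwitchName TMG-External'
} else {
    Write-Output "Management OS is attached only to: $($hostSwitches -join ', ')"
}
```

Re-run the audit block after any switch change, since re-creating a switch with the default -AllowManagementOS setting silently puts the host back on that leg.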