I have a host server running Windows Server 2008 and on this I have a virtual server (using Hyper-V) running Windows Server 2003. The virtual server hosts websites specifically. I am trying to use the Windows Firewalls on them (host and virtual servers) to secure them in case my hardware firewall goes down (again). I need to have RDP enabled and specific IPs only allowed. I have this working for the host. However, when I did the same process for the virtual server, RDP wasn't restricted to the specific IPs. Meaning that I could still access the virtual server from an IP that wasn't on the list. So my question is, how is the virtual server's firewalling handled differently/in relation to the host?

R3XL

1 Answer

The answer depends in large part on how you have configured Hyper-V to do the networking. When you set up a guest OS, you normally configure a virtual NIC (virtual network card), and the settings you selected there will have an impact on how your PC will handle network traffic. Typically, there are a few common options you can choose:

  • NAT
  • Bridged Networking
  • Internal Networking

NAT is going to be the default setting, so that's probably what you are running right now. It allows you to connect outside of the network for things like accessing the internet, but without extra tweaking it won't let you establish an inbound connection to it. In this mode the Guest OS sends traffic normally, but your packets get re-written at the gateway to appear to be coming from the Host system. Since you're running a webserver you'll most likely want a bridged network.

Bridged network works by essentially treating the Guest system as a "real" machine. The VM has access to the physical network and can directly access any services on it.

Your best bet here is to configure a third option - which would be to set up NAT with port forwarding. By design, this prevents inbound connections to the Guest OS since it will be on a separate subnet (most likely it will have an IP of 10.X.X.X). If you have RDP running on 3389 - you would set up a rule on your physical router as well as in your NAT settings in Hyper-V to forward traffic on 3389 from your Host adapter to your virtual adapter.

tdk2fe
  • Are you sure you're talking about Hyper-V networking? In Hyper-V you can create a vSwitch of one of three types: External, Internal and Private. None of which are bridged or NAT'ed, as far as I'm aware. – joeqwerty May 01 '13 at 01:56
  • I wasn't speaking directly to any specific hypervisor, but the same concepts still apply. External probably refers to a bridged setup, where the VM connects directly to the host adapter and is a full network citizen. Internal refers to VMs being on a subnetted VLAN below your host machine - i.e. if the host is 192.168.1.1 they will most likely be 10.0.0.1, 10.0.0.2... but can still communicate with the host. Private is a full private network subnet with no communication to the host or external networks. – tdk2fe May 01 '13 at 14:34
  • Thank you for the reply. It gave me a starting point. The vSwitch on the network is External. If this equates to a bridged setup then the VServer is acting as its own machine, which I had suspected. How does this affect the virtual server though? If it is a separate machine (in theory) then the firewall should have worked the same way as on the Host, shouldn't it? – R3XL May 02 '13 at 01:56
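The thread discusses restricting inbound RDP to a list of management addresses on a Server 2008 host and a Server 2003 guest behind an External vSwitch. The script below is an added example, not code from the original question, answer or comments. It applies that restriction with the firewall generation each OS ships (netsh advfirewall on 2008, the netsh firewall context on 2003) and then prints the rules so the scope can be checked. The addresses in ALLOWED are constructed placeholders, and the probe used to tell the two firewall generations apart is an assumption noted in the comments.

```batch
@echo off
rem Added example, not from the original post: restrict inbound RDP (TCP 3389)
rem to a fixed list of management addresses on either Windows Firewall generation.
rem The addresses are constructed placeholders; replace them with your own.
set ALLOWED=192.0.2.10,192.0.2.11

rem Assumption: the "advfirewall" context exists on Server 2008 (the host) and is
rem unknown on Server 2003 (the guest), so this probe fails there with errorlevel 1.
netsh advfirewall show currentprofile >nul 2>&1
if errorlevel 1 goto legacy

rem ---- Server 2008: Windows Firewall with Advanced Security ----
rem Allow rules are additive: a packet is let in if ANY enabled allow rule matches.
rem The stock "Remote Desktop (TCP-In)" rule matches every remote address, so a
rem scoped rule beside it restricts nothing until the stock rule is disabled.
netsh advfirewall set allprofiles state on
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
netsh advfirewall firewall add rule name="RDP from management hosts" dir=in action=allow protocol=TCP localport=3389 remoteip=%ALLOWED% profile=any

rem Check: no enabled rule with LocalPort 3389 should still show "RemoteIP: Any".
netsh advfirewall firewall show rule name=all verbose | findstr /C:"Rule Name" /C:"Enabled" /C:"LocalPort" /C:"RemoteIP"
goto end

:legacy
rem ---- Server 2003: Windows Firewall (netsh firewall context) ----
rem Turn the firewall on for the active profile, then re-scope the built-in
rem Remote Desktop exception from "any address" to the allowed list. Adding a
rem separate scoped port opening would not help while this exception stays at "any".
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%ALLOWED%

rem Check: the Remote Desktop entry's Scope line should list only the allowed addresses,
rem and no other port opening for 3389 should be scoped to all addresses.
netsh firewall show service verbose=ENABLE
netsh firewall show portopening verbose=ENABLE

:end
```

Run the script once on each machine as an administrator; with an External vSwitch the guest's firewall is independent of the host's, so the host's rules do not cover it. The check output is the part worth reading: the symptom described in the question (a scoped rule that does not actually block other sources) is what an additional, broader allow rule for port 3389 produces, because Windows Firewall grants access when any enabled allow rule matches rather than evaluating the most specific one.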