
Hi everybody.

One of my customers would like to publish his HR portal on the internet. It is an IIS website, running on a virtual machine in a Hyper-V environment.

This company has a single host, with 2 NICs paired (teamed), connected to the firewall (Fortigate 60D).

My idea is to create a new WS2012r2 VM, enable and configure the Web Application Proxy role, and put this machine in a DMZ.

My concern is simple: if I set up the vNIC of this machine to tag its traffic with a specific VLAN ID, and I create a dedicated interface on the firewall with the same ID, are they going to talk to each other? Does the host have to be connected directly to the firewall? (There are no VLANs configured right now.) Should I set up a vSwitch, or is the single vNIC enough?

Sorry for my English.

Thanks for your time.

Regards, Martino.

1 Answer


A second vSwitch will be no more isolated than using VLANs. Both will cause the Hyper-V host to isolate traffic between your IIS VM and the rest of everything else. And a second vSwitch would force you to break apart the existing NIC team, which isn't desirable.

As long as your intervening (physical) network switches are configured to allow the VLAN, your host doesn't even have to be connected directly to the firewall.

Jake Oshins
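The configuration the question asks about and the answer recommends (keep the existing teamed vSwitch, put only the proxy VM's vNIC on the DMZ VLAN), as an added PowerShell example for the Hyper-V host. This is not code from either poster; the VM name `WAP01` and VLAN ID `100` are assumed placeholders, and the cmdlets are the standard Hyper-V and LBFO modules shipped with Windows Server 2012 R2.

```powershell
# Added example, not part of the original question or answer.
# Assumed values: the Web Application Proxy VM is named 'WAP01' and the DMZ VLAN ID is 100.
$VmName  = 'WAP01'
$DmzVlan = 100

# 1. Leave the existing NIC team and the vSwitch bound to it untouched.
#    These two calls only display the current state so you can confirm
#    which team/switch the DMZ vNIC will share with the other VMs.
Get-NetLbfoTeam | Format-Table Name, Members, Status
Get-VMSwitch    | Format-Table Name, SwitchType, NetAdapterInterfaceDescription

# 2. Put the proxy VM's vNIC into access mode on the DMZ VLAN.
#    From now on the Hyper-V switch tags every frame leaving this vNIC with 100
#    and delivers to it only frames tagged 100; the guest OS itself sees untagged
#    traffic and needs no VLAN configuration inside the VM.
Set-VMNetworkAdapterVlan -VMName $VmName -Access -VlanId $DmzVlan

# 3. Verify: OperationMode should read 'Access' and AccessVlanId 100.
Get-VMNetworkAdapterVlan -VMName $VmName |
    Format-Table VMName, OperationMode, AccessVlanId

# 4. Sanity check from the host side: every other VM should still be 'Untagged',
#    i.e. outside the DMZ VLAN. Anything else listed here is a mistake to fix.
Get-VMNetworkAdapterVlan |
    Where-Object { $_.OperationMode -ne 'Untagged' } |
    Format-Table VMName, OperationMode, AccessVlanId
```

For the proxy VM to actually reach the firewall, the tag has to survive the whole path: the physical switch ports between the host's team members and the FortiGate must carry VLAN 100 tagged (a trunk, not an access port), and the FortiGate needs a VLAN sub-interface with the same ID on the port the team uplinks to. If the host plugs straight into the FortiGate, only the sub-interface is needed. A quick way to confirm end to end is a ping from the guest to the FortiGate's VLAN interface address; if it fails while step 3 shows the correct tag, the problem is on the physical switch or firewall side, not in Hyper-V.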