Setting Up a Production ISA Server Virtual Machine | Microsoft Internet Security and Acceleration (ISA) Server 2004 Administrators Pocket Consultant (Pro-Administrators Pocket Consultant)

You might wonder whether it is possible to use Virtual Server 2005 to create a production ISA Server 2004 virtual machine. Please note that an ISA Server 2004 installation in a Virtual Server 2005 configuration will not be supported by Microsoft's Product Support Services (PSS) team.

For more information, see the Microsoft Knowledge Base article "Windows Server System Software not Supported Within a Microsoft Virtual Server Environment" at http://support.microsoft.com/kb/897614.

Virtual Server 2005 provides security to protect the virtual machines from other virtual machines and to protect the virtual machines from the host machine. You can configure the virtual machines to prevent them from talking with other systems on the production network, or you can configure the virtual server to run in "network isolation" mode—to do this, make certain that all the virtual servers are running on the same subnet, which is separate from the production subnet.

Note

Be aware that the host and guest machines cannot intercept network packets from one another. The virtual machine network services driver routes all packets to the appropriate machine. For this reason, a firewall or antivirus program running on the host machine does not protect the virtual machine. You must install protection on every machine you wish to protect.

Best Practices

Although it is possible to use Virtual Server to run a production ISA Server 2004 computer, we do not recommend doing so, as it is unsupported by Microsoft and provides additional attack surface (both the individual guest machine, and access to the host environment). Using ISA Server to protect internal resources or networks within the corporate network, or using the ISA server as a proxy server, would be the most likely scenarios. In any case, follow these recommendations when using ISA Server 2004 in a Virtual Server environment:

Use a dedicated network adapter When connecting an ISA Server 2004 virtual server to the network, dedicate a physical network adapter to only the ISA Server 2004 virtual machine.
Check your licensing situation Be certain that you verify that you have the appropriate licenses purchased when using Virtual Server 2005.
Know your environment Be sure to understand the security implications on both the virtual machine and the host machine before attaching an interface to an unsecure network such as the Internet. For example, an access rule that allows traffic to pass directly from the Internet to other protected networks would make your environment extremely vulnerable.
Allocate appropriate resources Allocate memory and processor availability appropriately for the ISA Server 2004 virtual machine to ensure it is not starved for resources by other virtual machines. ISA Server performance degradations can affect the performance of all traffic passing through the firewall. We recommend a machine with one or more 1.5 GHz processors, 1.5 GB or more of RAM, and a 20 GB or larger hard disk.

For more information about the system requirements for Virtual Server 2005, see http://www.microsoft.com/windowsserversystem/virtualserver/evaluation/sysreqs.mspx. For more information about the hardware requirements for ISA Server 2004, see Chapter 2, "Installing and Configuring Microsoft ISA Server 2004 Standard Edition," and Chapter 3, "Installing and Configuring Microsoft ISA Server 2004 Enterprise Edition."