Configuring an ISA Server Test Environment Using Virtual Machines

Best Practices

• Back up systems regularly As with any other server, the virtual machines should be backed up consistently. This might include shutting down the servers and copying the hard disk files and configuration files to another location. If this is not possible, back the virtual machines up with the appropriate backup software as you would with any other server.

• Purchase licenses for each Virtual Server Be sure to properly license software running on virtual machines, which have the same licensing requirements as physical servers—this means that when it comes to licensing software, each of the virtual servers is considered a separate physical server.

• Label virtual networks and adapters When setting up an ISA Server 2004 test environment on Virtual Server 2005, you create several different virtual networks and several virtual network adapters. Be sure to label each virtual network and virtual adapter to assist with keeping track of each network.

• Disable hyperthreading technology Hyperthreading (which creates its own sort of virtual environment, making one processor appear as two) used with Virtual Server can adversely affect performance when there is a heavy workload on the host server.

Gotchas

There are certain issues to be aware of when running in a Virtual Server environment:

• Single point of failure Because all the virtual machine hard disks are located in files on the host server's hard disk, a drive or array failure might disable all the virtual servers as well (depending on the redundancy of the disk array itself, and the extent of the failure). In the event of a catastrophic failure of the host server's hardware, you might be in a situation in which several servers go offline and all systems must be recovered rather than just one.

• Performance monitoring challenges Because a virtual server environment places multiple servers on a single piece of hardware, performance tuning can be challenging. Be sure to include sufficient memory for each virtual machine and for the host operating system. Fast disk access is also important.

• Network adapter bottlenecks When multiple virtual machines share the same physical network adapter on the host server, network cards can become overwhelmed with traffic requirements. Be sure to monitor usage on network ports with multiple virtual machines attached. If needed, add additional network cards to the host machine and attach some of the virtual machines to the additional adapters.

Creating a Virtual Server Environment

The following sections outline how to create a Virtual Server environment with ISA Server. We assume that you have already installed Virtual Server. Should you require more information, see the resources available on the Virtual Server Web site at http://www.microsoft.com/windowsserversystem/virtualserver/.

Including a Simple, Isolated Client and an ISA Server Environment

In this scenario, you create a simple network environment that includes a single isolated client connected to an ISA server. The first step in setting up this situation is to create the virtual machines for both the client (in this case, Windows XP Professional) and the server (Microsoft Windows Server 2003 with ISA Server 2004). The ISA server is connected directly to the Internet. Perhaps this is in a test environment where you are setting up the configurations for a production ISA server. A diagram of the test lab is shown in Figure 19-1.

Figure 19-1: This screenshot shows the configuration of the test lab being created in this chapter.

To create a new machine in Virtual Server, you first create a new virtual hard disk, then create a new virtual machine that utilizes that virtual hard disk. Next, you install the operating system onto that virtual machine just as you would a physical server.

Creating a Virtual Hard Disk

The first step in creating a virtual machine is to create a virtual hard disk.To do so, follow these steps:

1. Open the Virtual Server Administration Web site.

2. Under Virtual Disks, select Create, then select Dynamically Expanding Virtual Hard Disk, as shown in Figure 19-2.

   Tip

   You must then choose the location for the virtual disk file and the size. The size is the actual size of the hard disk, not the C partition. The example shown in Figure 19-3 would look like a 16 GB hard disk that could then be partitioned as needed by Windows Server during the installation.

3. Enter the appropriate location and size for the virtual hard disk, then click Create, as shown in Figure 19-3.

Figure 19-2: You can create multiple types of virtual hard disks.

Figure 19-3: You can create a dynamically expanding virtual hard disk and specify the maximum size for the hard disk and the physical location of the virtual hard disk file.

Once the virtual disk has been created, you must create the virtual networks to which the virtual machine will attach. You will configure the network adapters properly once the virtual machine has been installed.

Creating Virtual Networks

The next step in creating a lab environment is to create two additional networks within Virtual Server 2005 that will become the inside (internal) and outside (Internet) networks for the test lab. Figure 19-4 shows an example of creating a virtual network that is not connected to a physical adapter on the host server. This configuration creates a network that can connect multiple virtual machines but does not connect to the outside world. Creating an isolated test environment can be very useful for testing potentially unstable, dangerous, or confidential technologies or configurations.

Figure 19-4: You can create new virtual networks as needed within the Virtual Server console.

To create the lab, you create two virtual networks that are not connected to any physical adapters on the host server. This creates an external and internal network for testing purposes. Figure 19-5 shows the final look of the virtual networks for Virtual Server. The internal and external networks are not connected to a physical adapter on the host machine. NIC 1 and NIC 2 are virtual networks that are connected to physical adapters in the host machine. You do not use NIC 1 or NIC 2 in this example.

1. Navigate to the Master Status page of the Virtual Server 2005 Administration Web site.

2. Under Virtual Networks, click Create.

3. For the first virtual network, enter a virtual network name of Outside and do not attach the virtual network to a physical adapter. This procedure is shown in Figure 19-4. Then, click OK.

4. Repeat this procedure to create an Inside virtual network.

Figure 19-5: This shows a Virtual Server with four separate virtual networks.

Your final virtual network configuration should look similar to what is shown in Figure 19-5.

Finally, you create the virtual machine and attach it to the correct virtual hard disks and virtual networks, by following these steps:

1. On the Master Status page of the Virtual Server 2005 Administration Web site, under Virtual Machines click Create.

2. Enter the virtual machine name, its location, the amount of virtual memory to assign, and the virtual hard disk to use, as shown in Figure 19-6.

3. Click Create.

Figure 19-6: You can control various aspects of a new virtual machine, including its physical location, during creation.

Finally, you can start the new virtual machine and install it as you would any other machine. To install Windows Server 2003, you would put the installation CD in the CD drive, ensure that the virtual machine has captured the physical CD drive, and start the virtual machine. You could also mount an image of a Windows Server 2003 CD and boot from it. Next, on the virtual machine configuration screen, click the virtual machine name, and click Turn On. This is shown in Figure 19-7.

Figure 19-7: You can turn on a virtual machine from the Virtual Server interface.

Once the server is installed, you can administer and run it just as you would any other server. Figure 19-8 shows the Web-based Virtual Server 2005 interface with a remote control session to a virtual machine named ISA2004SE.

Figure 19-8: The virtual machine can be controlled through the Virtual Server Web interface.

The final task you want to accomplish is to add the appropriate virtual network adapters and attach them to the correct virtual networks. To do so, follow these steps:

1. Shut down the virtual machine.

2. On the Master Status page of the Virtual Server 2005 Administration Web site, click the virtual machine name, and then click Edit Configuration, as shown in Figure 19-9.

3. Click Network Adapters as shown in Figure 19-10.

   You next create two virtual network adapters for the virtual machine. One of the adapters will be connected to the external virtual network and the other will be connected to the internal virtual network. Figure 19-11 shows this configuration.

4. Click OK.

5. Boot the virtual machine.

Figure 19-9: You can edit the configuration of the virtual machine to change items such as memory, processor utilization, network adapters, and virtual disks.

Figure 19-10: You can add multiple virtual network adapters to each virtual machine and connect those virtual network adapters to the appropriate virtual networks.

Figure 19-11: Two separate virtual network adapters are connected to two separate virtual networks. These correspond to the internal and external networks in the ISA Server 2004 configuration.

Once the virtual machine is booted, it detects two network adapters. These correspond to the adapters created previously in Virtual Server, as shown in Figure 19-12.

Figure 19-12: This screenshot shows the two network adapters that the ISA Server 2004 virtual machine sees. These correspond to the virtual network adapters added previously.

At this point, you can enter the appropriate network address information into each network adapter and install ISA Server 2004 just as you would on a normal physical server. Once this is complete, you can create various other workstations and servers to be on either the internal or external networks for testing access through the ISA Server 2004 computer.

Creating a Complex Client, ISA Server, and Perimeter Network Environment

It is possible to create more complex environments using Virtual Server 2005 and ISA Server 2004. For example, by creating an additional virtual network and virtual network adapter, you can create a perimeter network (also known as a demilitarized zone, or DMZ) and use that environment to test network access with a perimeter network and create the appropriate configurations within ISA Server.