2

I have a hosted dedicated server that I would like to run Hyper-V on, including TMG as an edge to secure the environment. But because this is a hosted server, I have a few questions that I hope you can help me answer.

The server needs to run a TMG, a domain controller, a web server and a SQL server (4 guests). It has one NIC connected to the internet. I had something like this in mind (modified from TechNet): Network architecture

If I choose to go with this solution, how can I manage my server remotely? The problem is that the parent is not connected directly to the internet. This is also a good thing from a security perspective, which is important, but if I can't manage my server...

How do you normally solve this problem?

Tommy Jakobsen
  • It's an interesting conundrum - do you have more info on the hosting? Is it a commodity server you're renting or your own box you've collocated? – ITHedgeHog Aug 01 '11 at 15:16
  • You can see a similar server right here: [Hetzner](http://www.hetzner.de/en/hosting/produkte_rootserver/eq8) – Tommy Jakobsen Aug 01 '11 at 15:31

2 Answers

3

Given your hardware, there are only two ways I can see to achieve what you're trying to achieve with the single machine (unless your host offers some kind of COM port remote access to the physical server?).

The first is to enable the host machine (on a separate IP) to have an IP address even though you are binding the NIC in Hyper-V Manager. This connection would then need to be connected directly onto the internet, so it would need to be secured with a separate firewall.

Whilst it would be possible to route it back through TMG, I would not advise doing this at all with a virtual TMG instance nor with a remote TMG server (what do you do when you set a rule wrong and it locks you out?).

You could then use this IP to access your host machine directly. Depending on your own connectivity, you could lock it down to only responding to requests from certain IP ranges (i.e. your office's static address).

The second option would be to request another physical NIC from your host, and have it assigned an IP address as above.

Both options require obtaining an extra IP address from your host, which will incur extra cost.

ITHedgeHog
  • When you say host, you mean the parent on the hypervisor, right? If I order a second NIC for management, it would have to be exposed on the internet. Doesn't that leave me vulnerable to attacks? – Tommy Jakobsen Aug 01 '11 at 16:31
  • Yes, by host I mean the parent partition. Yes you would be open to the internet, unless you lock down the firewall further. For example if you have a static IP at work you could make the management NIC only respond to requests from your static IP. – ITHedgeHog Aug 01 '11 at 18:49
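The lock-down that this answer and its comments describe (management address on the parent partition, reachable only from one trusted static IP) is the part people get wrong, because the parent has no other path in. The following is an added example, not code from the original thread or from either poster; it assumes a management IP of 203.0.113.10 (a hypothetical office address), a parent running Windows Server 2008 R2 or Hyper-V Server 2008 R2 (so it uses `netsh advfirewall`, which exists on both, rather than the NetSecurity cmdlets that only arrived in Server 2012), and that the rule group names match the built-in Windows Firewall groups of that release. It scopes RDP, WinRM and the WMI/DCOM rules that Hyper-V Manager depends on to that one source address, and arms a timed rollback first so that a wrong rule cannot permanently lock you out of a box you have no console for.

```powershell
# Added example: restrict the parent partition's management ports to one trusted source.
# Assumptions (not from the original thread): management IP 203.0.113.10, Windows
# Server 2008 R2 / Hyper-V Server 2008 R2, built-in rule group names as shown below.
# Run from an elevated prompt on the parent partition.

$MgmtIP  = "203.0.113.10"                  # hypothetical office static IP
$Backup  = "C:\fw-before-lockdown.wfw"     # rollback point for the whole policy

# 1. Back up the current firewall policy so every change below can be reversed.
netsh advfirewall export "$Backup"

# 2. Dead man's switch: in 15 minutes, re-import the backup automatically.
#    If the new rules work, delete this task (step 7); if they lock you out,
#    access comes back on its own without a trip to the data centre.
$Rollback = (Get-Date).AddMinutes(15).ToString("HH:mm")
schtasks /create /tn "FwRollback" /tr "netsh advfirewall import $Backup" /sc once /st $Rollback /ru SYSTEM /f

# 3. Default-deny inbound on every profile; outbound stays open.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 4. Disable the stock "any source" Remote Desktop rules and replace them with one
#    rule that only answers the management IP.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no
netsh advfirewall firewall add rule name="RDP from mgmt IP only" dir=in action=allow protocol=TCP localport=3389 remoteip=$MgmtIP

# 5. Remote Hyper-V Manager talks WMI/DCOM (TCP 135 plus dynamic RPC ports), so the
#    built-in groups must stay enabled; restrict their remote address scope instead.
#    (Group names assumed to match the 2008 R2 built-ins.)
foreach ($group in @("Hyper-V", "Windows Management Instrumentation (WMI)")) {
    netsh advfirewall firewall set rule group="$group" dir=in new enable=yes remoteip=$MgmtIP
}

# 6. WinRM for remote PowerShell / Server Manager, again scoped to the management IP.
netsh advfirewall firewall add rule name="WinRM from mgmt IP only" dir=in action=allow protocol=TCP localport=5985 remoteip=$MgmtIP

# 7. Verify from the management IP that RDP/WinRM still connect, confirm every
#    enabled inbound allow rule shows RemoteIP 203.0.113.10/32 and not "Any",
#    then disarm the rollback task.
netsh advfirewall firewall show rule name=all dir=in | Select-String -Pattern "Rule Name|Enabled|Action|RemoteIP|LocalPort"
schtasks /delete /tn "FwRollback" /f
```

Two practical notes. The `netsh` and `schtasks` lines are plain console commands, so on a Hyper-V Server install that only offers cmd.exe they run unchanged once `$MgmtIP`, `$Backup` and `$Rollback` are replaced with literals. And the scoping is only as strong as the source address: a static office IP or a VPN concentrator's egress address works; a dynamic home connection does not, which is the case where the second answer's VPN-onto-the-parent approach is the better fit.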
1

A "slight" modification to what is already in place is to:

  • Obtain an additional routable IP address (total 2)
  • Set the "Virtual Network" NIC to "bridge" mode with a routable IP
  • Assign the other routable IP to the physical host NIC
  • Enable VPN access to the physical host and lock down all other unneeded ports

The VPN arrangement (you choose the level of security to suit your needs - PPTP, IPSec, etc.) will allow you to access the physical server to administer it and the hypervisor, while the existing virtualized environment functions as configured (diagrammed).

user48838
  • What is the prefered way to enable VPN access? I do not have much experience with this. Can I do it directly on the parent using software? A hardware solution is not possible. – Tommy Jakobsen Aug 02 '11 at 07:13
  • If you are deploying Hyper-V, then there is a good chance you have the rest of Windows as well. The simplest way is to create an "incoming" VPN configuration alongside where the NIC definition is - it's something like "Network and Dial-up Connections" (they change the naming from version to version). – user48838 Aug 02 '11 at 07:37
  • Sounds easy. Do you know if Hyper-V Server has this functionality? – Tommy Jakobsen Aug 02 '11 at 08:32
  • Are you running Hyper-V core or is it actually Windows 2008R2? If it is actually Windows 2008R2, then you should be able to right-click and "create new connection" by the existing NIC connection. – user48838 Aug 02 '11 at 12:32
  • No, [Hyper-V Server](http://www.microsoft.com/hyper-v-server/en/us/default.aspx) :) – Tommy Jakobsen Aug 02 '11 at 15:04
  • You may be "out of gas" with your configuration - at least with the VPN route for secured remote management. You might still check to see if you can add an "Incoming VPN Connection" within the networking connections folder. – user48838 Aug 02 '11 at 15:15