
I am using Hyper-V with Server 2008 R2. Does anyone know how to set up Windows Firewall so that I can restrict my Hyper-V guest instances to only allow outgoing connections on normal HTTP/HTTPS ports? This means it can browse web sites, but can't connect to FTP/SMTP/AIM.

I tried adding an outbound rule, but I am not sure what programs I have to add; also, the port section was disabled.


It appears that what I am looking to do cannot be done. Thank you all for the help.

Anthony Greco
  • Please define Hyper-V Terminal. I cannot make sense of your question like that - the "Connection" windows show another computer and never open http/https themselves, so a firewall would be useless. And Hyper-V is no terminal server. – TomTom May 31 '12 at 18:18
  • Hyper-V Manager is a program, like Parallels Workstation or VMware, that allows you to run virtual machines (instances of another OS). So I may have 5 Windows XP virtual machines running on my server. I want to make sure this virtual machine cannot access anything but HTTP/HTTPS, and I need to do it at the server level. I can't trust that the Windows Firewall setup on the virtual machine won't be modified. – Anthony Greco May 31 '12 at 18:25
  • I am asking this because a virtual machine picked up malware that then allowed it to start port scanning. This malware was able to disable windows firewall and I cannot trust my antivirus will always pick it up. Thus I want to restrict it in the Server 2008 firewall so my Virtual Machine can never access anything besides the ports I care to allow it to use. – Anthony Greco May 31 '12 at 18:27
  • Hyper-V does not run within Windows. I know it looks like that from the Host OS, but it's not the case. Hyper-V is a bare metal hypervisor. The Firewall on the Host OS has nothing to do with Hyper-V and nothing to do with the Guest OSes. The Host OS itself runs in a special kind of Virtual Machine, not on the hardware. Knowing that should immediately clear up any questions about using the Host OS's Firewall to do anything to the Guest OSes' connections. – Chris S May 31 '12 at 19:15
  • Spin up a third VM, install Linux and build yourself a firewall. Adjust the networking so that all access off the box must pass through the firewall VM. – Zoredache May 31 '12 at 19:15



Take Hyper-V out of the question and the answer becomes obvious. Configure Windows Firewall on the guest (or a hardware firewall between the clients and the server) to allow only those ports. Configuring this has nothing to do with Hyper-V.

MDMarra
  • Yes it does, because if I want to allow my host to connect to, say, AIM, it no longer will. I care only to restrict my Hyper-V instance to these ports. – Anthony Greco May 31 '12 at 18:23
  • @AnthonyGreco I believe MDMarra was clear: he said "configure Windows Firewall on the *guest*," not the host. – Skyhawk May 31 '12 at 18:45
  • I am not sure what "on the guest" means. If he means on the server itself, the box hosting the virtual machines, then this is what I am trying to do and asking how to do. If he means on the virtual machine itself, this cannot be done as it can be changed. As for a hardware firewall, the issue here is I only want to restrict my virtual machine, not everything on the server itself. I may want to, say, FTP from my Server 2008 R2, but the 5 virtual boxes running in Hyper-V on it should not be able to. – Anthony Greco May 31 '12 at 18:49
  • The guest is the OS that is running inside of Hyper-V. If you want to restrict that to a certain subset of outbound ports, you configure that on the guest, not the host. – MDMarra May 31 '12 at 18:50
  • As explained above, that is not possible. I already had adware adjust that. I need this to be on the server, restricting the Hyper-V app itself. I can easily set up "IIS to only allow inbound connections on port 75 to IP x.x.x.x"; I need to do the same as "Only allow Hyper-V to allow outbound connections with a destination port of 80, IP doesn't matter". His answer is outside of the allowed criteria in my question. – Anthony Greco May 31 '12 at 18:52
  • You clearly don't have even a fundamental understanding of how Hyper-V or bridged networking works. You might be better off hiring someone with experience to configure this for you. You don't configure firewall rules for the guests on the host. You configure them on each individual guest. If this isn't working correctly, then it's probably because you're doing it wrong. You can't make a rule on the Hyper-V host that says "no guests can do anything except HTTP". – MDMarra May 31 '12 at 18:53
  • @AnthonyGreco Hyper-V (the hypervisor engine itself) should not be making ***ANY*** outbound connections (possible exception for software updates). Your question is `how to setup Windows Firewall so that I can restrict my Hyper-V guest instances to only allow outgoing connections on normal HTTP/HTTPS ports`. The answer, as MDMarra said, is to configure either the ***GUEST SYSTEM'S*** firewall or an upstream firewall on your network, just as you would if the guests were running on physical hosts. Hyper-V is completely uninvolved in this picture. Pretend it doesn't exist. – voretaq7 May 31 '12 at 18:56
  • I assumed Hyper-V still worked under our main OS's operating system, just like all other virtualization applications (VMware, Parallels). A hardware firewall is impossible because it would also block my actual server, and inside the guest itself is also impossible because I can't trust that it won't be changed on the guest. – Anthony Greco May 31 '12 at 19:00
  • @AnthonyGreco That's just wrong. VMWare is a company, not a product. Parallels is desktop virtualization, where VMWare ESXi and Hyper-V are server virtualization and work very differently. Honestly, you should get a book or two on the topic; you seem to need more understanding than a 500 character comment on this site can give. – MDMarra May 31 '12 at 19:02
  • I don't need a better understanding... And I made the assumption that since I am referencing Hyper-V by stating VMWare, people would realize I mean a software of theirs such as VMware Fusion or VMware Player. It apparently cannot be done, which is the answer. The other suggestions, though good suggestions, all go outside the bounds of my question's scope. – Anthony Greco May 31 '12 at 19:06
  • VMware Fusion and Player are both Type 2 hypervisors. Hyper-V is a Type 1 hypervisor. They function very **very** differently. Hyper-V is analogous to VMWare ESXi, not Player or Fusion. I'm sorry if you took offense to anything that I said, but this is a site for **professional** systems administrators. If you're a professional and you're in charge of these systems and don't know these things, then getting a book on the topic is the least you should be doing. – MDMarra May 31 '12 at 19:09
  • "And I made the assumption that since I am referencing Hyper-V by stating VMWare, people would realize I mean a software of theirs such as VMware Fusion or VMware Player" - why on earth would you make such an incorrect assumption? Hyper-V is a server-class hypervisor, not a desktop one - it works far more closely to VMWare's ESXi than Fusion/Player/Workstation/Server. And I would very strongly suggest that you need better understanding, as your ignorance of these most basic of facts has cost a lot of experts a lot of their time today simply because you don't know what you're doing. – Chopper3 May 31 '12 at 19:14
  • Chopper: My understanding, and what I was instructed, is that it was a tool such as the ones I mentioned, which it clearly was not. I apologize if you feel I wasted your time, but the simple answer is "it cannot be done", which took seconds to figure out based on my unaltered question. A majority of the other time was spent on answers that were outside my question's scope. Again, thank you to all who helped. – Anthony Greco May 31 '12 at 19:36

You have to be careful with configuring outbound port rules. For instance, if this machine is domained, assuming it is, then you can't simply disable all traffic as it would kill the communication to the various AD Controllers.

You can set up outbound port restriction rules and then specify the ports you wish for it to block. The problem you may end up having is the dynamic port ranges. For instance, AIM will utilize multiple ports on the outbound connection, which are harder to block.

Microsoft has a good article here about how to change the default behavior of the firewall to block all and then specifically allow certain connections only. Maybe this would help the most?

Brent Pabst
  • One concern I had was that I don't really care about the outbound port, as, like you said, that changes; I care to block based on destination port. However, it's an outbound (not inbound) connection. Also, I need to block by application, in this case Hyper-V, so it shouldn't affect any other application besides this one. – Anthony Greco May 31 '12 at 18:45
  • On that note, I also tried completely blocking outbound on the application as a test, and it still had internet access... I assumed I may have been blocking the wrong EXE that handles the transfer of the data? – Anthony Greco May 31 '12 at 18:46
  • @AnthonyGreco Hyper-V isn't an application. You can block the manager application but that does nothing to block the child partition. I think your best bet here is to change the default behaviors and then open up the required outbound ports and services. Not really sure how else to do it, the important thing here is that you must do this from the Child Partition (a.k.a. Guest OS). The firewall settings on the Root Partition (a.k.a. Host OS) do not affect the children, depending on your setup. Hyper-V Architecture: http://msdn.microsoft.com/en-us/library/cc768520(v=BTS.10).aspx – Brent Pabst May 31 '12 at 18:49
  • Well, let's assume then that I was running VMware. I can't imagine it being impossible to block an instance of VMware from connecting to a specific port, because it's an application like any other. Are you saying it's not possible to tell AIM it can connect on port 15, but not port 20? – Anthony Greco May 31 '12 at 18:54
  • I have absolutely no problem switching to any other program to run these virtual machines if it's possible. I need to know before I do if it is indeed possible, or whether they will work the same. – Anthony Greco May 31 '12 at 18:57
  • @AnthonyGreco I don't think you understand how Hypervisors work. They run BELOW the operating system! Hyper-V and ESX are both Hypervisors and simply provide a platform to host virtual machines. If you want to change the network stack, you have to do that on the guest machine! The Hypervisor simply passes network traffic from the physical wire to the virtual network adapter, nothing more. You could switch to VMWare, but you'd have the same problem and twice the cost. – Brent Pabst May 31 '12 at 19:00
  • Brent, thank you. I assumed they still passed through the main OS like any other program. – Anthony Greco May 31 '12 at 19:01
  • No problem, just remember that Hyper-V is not an operating system program; it doesn't show up in Task Manager. The only program you can run is the management client, which then can communicate through the layer to the hypervisor. – Brent Pabst May 31 '12 at 19:05
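The guest-side configuration that MDMarra's and Brent Pabst's answers both describe (default-deny outbound, then allow only web plus the domain-controller traffic a domain-joined guest needs), written out as an added example rather than anything from the thread. It assumes a Server 2008 R2 / Windows 7-class guest where `netsh advfirewall` exists, and the domain controller addresses are constructed placeholders.

```powershell
# Added example (not from the original answers). Run in an elevated prompt
# INSIDE the guest (child partition); the root partition's firewall does
# not see guest traffic, as the thread explains.
# Assumed/constructed: the guest is domain-joined and its DCs are 10.0.0.10
# and 10.0.0.11. Replace with your own.
$DomainControllers = "10.0.0.10,10.0.0.11"

# 1. Block everything in both directions on every profile; the rules below
#    are the only holes.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. Remove rules from an earlier run so the script is idempotent
#    ("No rules match" on first run is expected and harmless).
foreach ($name in "Guest-Allow-Web","Guest-Allow-DNS","Guest-Allow-AD-TCP","Guest-Allow-AD-UDP") {
    netsh advfirewall firewall delete rule "name=$name" | Out-Null
}

# 3. Web browsing: outbound TCP with DESTINATION port 80 or 443 to any host.
#    Source port is irrelevant, which is what the asker wanted.
netsh advfirewall firewall add rule name="Guest-Allow-Web" dir=out action=allow protocol=TCP remoteport=80,443

# 4. Name resolution; without this the browser still cannot reach anything.
netsh advfirewall firewall add rule name="Guest-Allow-DNS" dir=out action=allow protocol=UDP remoteport=53

# 5. Domain membership (the AD-controller traffic Brent warns about),
#    limited to the DCs: Kerberos 88, RPC endpoint mapper 135, LDAP 389,
#    SMB 445, and the 49152-65535 dynamic RPC range Server 2008 R2 DCs use.
netsh advfirewall firewall add rule name="Guest-Allow-AD-TCP" dir=out action=allow protocol=TCP "remoteip=$DomainControllers" remoteport=53,88,135,389,445,49152-65535
netsh advfirewall firewall add rule name="Guest-Allow-AD-UDP" dir=out action=allow protocol=UDP "remoteip=$DomainControllers" remoteport=53,88,123,389

# 6. Verify: policy must read BlockInbound,BlockOutbound and only the four
#    rules above should appear as outbound allows.
netsh advfirewall show allprofiles | Select-String "Firewall Policy"
netsh advfirewall firewall show rule name=all dir=out | Select-String "Rule Name|RemotePort|Action"
```

Because this lives inside the guest, a local administrator (or malware running as one, which is the asker's original complaint) can undo it; the host-independent options the thread offers are an upstream firewall or Zoredache's dedicated firewall VM that all guest traffic must traverse.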

This has nothing to do with Hyper-V. All the ports are managed at the Windows Firewall level (in case you have enabled the Windows Firewall).

If you run netstat and see which ports are listening, it will not show 443, since there is no service running on that port.