Virtualize your ISA or Forefront TMG servers

Posted By: David Tesar | Aug 29th, 2008 @ 3:04 PM | 52,518 Views | 10 Comments

In the past, ISA has had very limited or no support on Microsoft's virtualization platform.  Now, ISA and Forefront Threat Management Gateway (TMG) is supported .  I met up with Jim Harrison to get some guidance on what you need to think about when you virtualize your ISA/TMG servers.  We quickly dive into a whiteboard session on the various ways you can configure Hyper-V / virtual server to work with ISA/TMG and dig into the advantages and disadvantages of each network configuration such as:

  • Performance
  • Management
  • Administration
  • Security

Some other things we talk about:

  • [15:12] Why placing TMG on the parent is a bad idea and how you should configure the parent partition
  • Configuration options of the actual ISA/TMG server
  • [22:11] Failover, Clustering, and Quick Migration with ISA / TMG in a virtual environment
  • [24:32] Configuration changes you should make for any host which faces the Internet

View the security considerations for virtualized ISA / TMG deployments guide / whitepaper Jim wrote.

See KB article 957006 which states ISA (and other) products are officially supported on Hyper-V.

Best practices for ISA server co-location with a DC
Tags: forefront, Forefront Edge, ISA, TMG, Virtualization
Rating:
1
0
#Sep 1st, 2008 @ 3:16 AM
Jason Jones
Jason Jones
Hey!

What a great video and very useful when read alongside the whitepaper...would be good to see similar media content for other "Tales from the Edge" articles too!

Cheers

JJ
#Feb 6th, 2009 @ 8:51 PM
Goran Topalovic
Goran Topalovic

ISA/TMG in virtual environment is always a bad idea, and that is my personal opinion. Currently, the hardware costs less than software for the high-end ISA/TMG server, and I really don't see a reason why bother with deployment in Hyper-V environment.


 


#Apr 5th, 2009 @ 10:04 PM
JimmyJoeBob
JimmyJoeBob
Virtualizing ISA, TMG ir IAG is no more "always"right or wrong any more than joining an edge-deployed ISA, TMG or IAG to your domain is "always" right or wrong.
There are perfectly valid reasons to virtualize your edge devices and there are perfectly valid reasons not to.  You have to perform Your own risk/.cost/benefit analysis and weigh the resulting factors.
Network security is not an absolute any more than it is an end-game.
#Oct 18th, 2009 @ 2:59 AM
Mark01
Mark01

Very helpful video !!

________________________________________________________________________

Apartments for rent in Dubai SEO Dubai Dubai Hotel Apartments Forex Broker Door Handles

 

#Nov 8th, 2009 @ 11:22 AM
PC4LIFE
PC4LIFE

Cool video on ISA servers, loooking to learn more about clustering and migrating techniques to improve our swimming pool resurfacing company. 

#Nov 25th, 2009 @ 12:17 PM
penguinafrica
penguinafrica

It's great to know about the possibility to virtualize ISA/TMG. However, alike Goran and many others out there, I simply don't see myself virtualizing my ISA/TMG. Not an option for me. My ISA/TMG box will remain physical. Period.

#Dec 21st, 2009 @ 4:28 PM
JimmyJoeBob
JimmyJoeBob

To penguiafrica - that's entirely your choice.

There is no "always" or "never" to the question.

As with any security question; it's all about risk management.

Thanx for watching anyway!

#Dec 30th, 2009 @ 12:03 PM
JimmyJoeBob
JimmyJoeBob

Are you looking for ocurses or just information in general?

http://technet.microsoft.com/en-us/library/cc441438.aspx is your best starting point.

Microsoft Communities