Virtualize your ISA or Forefront TMG servers

Posted By: David Tesar | Aug 29th, 2008 @ 3:04 PM | 40,395 Views | 3 Comments

In the past, ISA has had very limited or no support on Microsoft's virtualization platform.  Now, ISA and Forefront Threat Management Gateway (TMG) is supported .  I met up with Jim Harrison to get some guidance on what you need to think about when you virtualize your ISA/TMG servers.  We quickly dive into a whiteboard session on the various ways you can configure Hyper-V / virtual server to work with ISA/TMG and dig into the advantages and disadvantages of each network configuration such as:

  • Performance
  • Management
  • Administration
  • Security

Some other things we talk about:

  • [15:12] Why placing TMG on the parent is a bad idea and how you should configure the parent partition
  • Configuration options of the actual ISA/TMG server
  • [22:11] Failover, Clustering, and Quick Migration with ISA / TMG in a virtual environment
  • [24:32] Configuration changes you should make for any host which faces the Internet

View the security considerations for virtualized ISA / TMG deployments guide / whitepaper Jim wrote.

See KB article 957006 which states ISA (and other) products are officially supported on Hyper-V.

Best practices for ISA server co-location with a DC
Tags: forefront, Forefront Edge, ISA, Virtualization
Rating:
1
0
#Sep 1st, 2008 @ 3:16 AM
Jason Jones
Jason Jones
Hey!

What a great video and very useful when read alongside the whitepaper...would be good to see similar media content for other "Tales from the Edge" articles too!

Cheers

JJ
#Feb 6th @ 8:51 PM
Goran Topalovic
Goran Topalovic

ISA/TMG in virtual environment is always a bad idea, and that is my personal opinion. Currently, the hardware costs less than software for the high-end ISA/TMG server, and I really don't see a reason why bother with deployment in Hyper-V environment.


 


#Apr 5th @ 10:04 PM
JimmyJoeBob
JimmyJoeBob
Virtualizing ISA, TMG ir IAG is no more "always"right or wrong any more than joining an edge-deployed ISA, TMG or IAG to your domain is "always" right or wrong.
There are perfectly valid reasons to virtualize your edge devices and there are perfectly valid reasons not to.  You have to perform Your own risk/.cost/benefit analysis and weigh the resulting factors.
Network security is not an absolute any more than it is an end-game.
Microsoft Communities