Carbonwind.net
Forefront TMG
ISA Server
Vyatta OFR
VPN
Virtualization
Firewalls
Cisco
Miscellaneous
Wireless

 01.06.2008
Running TMG (Threat Management Gateway) in Hyper-V


I was thinking for quite a while now to run a second OS on my laptop, and to keep it "clean" for virtualization purposes.
The shiny Windows Server 2008 x64 looks like a nice choice to me.
So I've installed for testing and evaluation Windows Server 2008 x64 Standard as my second OS on my laptop.
And decided to use Hyper-V instead of  VMware Server or VMware Workstation.
Hyper-V appears a pretty slick and easy to use product, however, currently I'm not totally convinced to use Hyper-V on my laptop instead of VMware products.
For me the main drawbacks, at this moment, are:
 - lack of USB support
 - unsure of what/how many OS' are supported.
The VMware products look more mature and flexible.
But I kinda like Hyper-V and I plan to use it for some time from now.

You may want to read the Hyper-V FAQ.
You may also like to read these interesting presentations:
 - BH07_Baker_WSV_Hypervisor_Achitecture.pdf
 - BH07_Baker_WSV_Hypervisor_Security.pdf

I was playing with TMG Beta 1 in VMware Workstation 6.
Now that I had the chance, I decided to spin the wheel a little bit in Hyper-V.
It was not quite a walk in the park, although it can be, if you know what you are doing.
I've managed somehow to nail it a couple of times (including to blue-screen two different TMG VMs).
Don't get my wrong, you can get TMG Beta 1 up and running in Hyper-V from the first try.
Actually I would dare to say that after the RC1 update for the Hyper-V role, I've enjoyed a better experience with TMG Beta 1 in Hyper-V compared with TMG Beta 1 in VMware Workstation 6 on my laptop.

About the update:
 - http://support.microsoft.com/kb/950049
 - Windows Virtualization Team Blog : Hyper-V RC1 Release Available on Microsoft Download Center!

I did not use at the beginning the updated Hyper-V role.

If you want to learn how to add the Hyper-V role, please read Tarek Majdalani's article:
 - Installing Hyper-V and Deploying Windows Server 2008 as Your First Virtual Machine - Part I

I was thinking to start with a simple lab, two VMs:
- a VM on which to install Windows Server 2008 x64 Enterprise Edition for the DC of this lab.
- a VM on which to install Windows Server 2008 x64 Standard Edition for TMG Beta 1.

First thing I've run into was the fact that I can't use "directly" my wireless adapter in Hyper-V.
For allowing Internet connectivity for the TMG VM, I need to bind this VM to my wireless adapter.
Fortunetely there is a simple solution to this problem, you may like to read John Paul Cook's article:
 - Using Wireless with Hyper-V

I've added an "Internal only" Virtual Network (called ForBridgeVN), and bridged the virtual network adapter and my wireless adapter, see Figure1 and Figure2 .


Figure1: Hyper-V: Virtual Networks



Figure2: Network Adapters on the Host

Note that the Windows Firewall is enabled on the Network Bridge, see Figure3. This does not prevent me to establish, for example a VPN connection to the TMG from my host OS or to access a web server published through TMG.


Figure3: Windows Firewall Settings

I've created a VM on which to install Windows Server 2008 x64 Enterprise Edition for the DC of this lab.
I've used a Network Adapter for it and the "Net2VN" virtual network, see Figure4.


Figure4: Hyper-V: DC VM Settings

And installed Windows Server 2008 x64 Enterprise Edition on it and configured it as a DC. No major problems here, see Figure5.


Figure5: Hyper-V: My DC VM up and running

Then I've created a VM on which to install Windows Server 2008 x64 Standard Edition for the TMG Beta 1.
I've used two Network Adapters for it: "ForBridgeVN" and "Net2VN" virtual networks. Syntethic NICs, see Figure6.

If you want to find out more about Hyper-V terminology, please read Ben Armstrong's article: Hyper-V Terminology.


Figure6: Hyper-V: TMG VM Network Adapters - Syntethic

And ran into troubles because of the synthetic NICs on TMG.
The installation of Windows Server 2008 x64 Standard Edition completed without problems.

When I've started the DC VM and attempted to start the TMG VM in order to make it a domain member, I've received an error, see Figure7.


Figure7: Hyper-V: "DVD Error"

Looking at the error I've noticed something about the dvd word.
Both VMs were configured to use my physical DVD drive, see Figure8.


Figure8:  Hyper-V: DC VM - CD/DVD Drive

I've simply checked None in the Specify the media to use with your virtual CD/DVD drive on the TMG VM.
And after that the VM started with no problems.
Made it a domain member, no issues with that either.

Then went and installed TMG on it.
If you want to learn how to install TMG Beta 1 and create a web accesss policy, check doctor Tom Shinder's guides:
- Installing the Forefront Threat Management Gateway (Forefront TMG) Beta 1
- Creating a Web Access Policy using the Forefront Threat Management Gateway (TMG) Beta 1 (Part 1)

Don't forget about configuring the update settings on the TMG, see the bellow Technet document:
http://technet.microsoft.com/en-us/library/cc441562.aspx

Actually the istallation succeeded.
But I had connectivity problems. "Ping" was fine (ping tests are pretty much meaningless, there is no proof that things are actually working), however I've lost the "domain connectivity" and I could not pass traffic through the TMG.
Looking at the Alerts tab, I've noticed a couple of alerts (one of them was telling me something about connectivity to the DC).
Unfortunetely I did not take any printscreens at that time, so no pictures.
Messed a little bit with a couple of settings and then I've decided to start with a fresh VM.
Same issues.

And I've rebuilt one more time the TMG VM (I like to keep things clean), this time using Legacy Network Adapters, see Figure9.


Figure9: Hyper-V: TMG VM Legacy Network Adapters - Emulated

And success: the beast was up and running, looking happy, see Figure10.


Figure10: Hyper-V: TMG up and running

Then I've decided to install the Hyper-V update, see Figure11.


Figure11: Hyper-V: RC1 Update

And I could not start my VMs anymore, see Figure12. Note that in Figure12 I've already "fixed" the DC VM.


Figure12: Hyper-V: Failed to Start VM After Update

I did not waste too much time troubleshooting this.
I've created two new VMs (for DC and TMG), and used for them the virtual HDDs from my previous VMs, see Figure13.


Figure13: Hyper-V: Using the Old Virtual HDD

 - On the DC VM, I needed to update the drivers, the NIC was no longer detected, see Figure14 and Figure15. No problems, configured the new NIC with the required IP settings and things looked good.


Figure14: Hyper-V: DC VM - Insert Integration Services Setup Disk


Figure15: Hyper-V: DC VM - Install Hyper-V Integration Services

 - On the new TMG machine I've used again "Legacy Network Adapters". And one more time the beast was up and running, looking happy.

Actually Hyper-V seems faster now, I have no scientific data to back my comments (I did not do any tests), I just "feel" that some performance was gained, at least on my laptop.

Anyway, I've decided to start with a fresh lab after the update (the new DC VM is called now DC_WINx64, I've kept the old name for the TMG VM).
Now I've used the "working settings" and everything went smoothly.

I did a quick test to see that the malware inspection was running using the EICAR test file. I have the following firewall policies on the TMG, see Figure16.


Figure16: Hyper-V: TMG Beta 1 - Firewall Policies

And the download of the EICAR test file was blocked by TMG, see Figure17 and Figure18.


Figure17: Hyper-V: Host Behind TMG Beta 1 - The Download of Infected File Was Blocked by TMG


Figure18: Hyper-V: TMG Beta 1 Log - The Download of Infected File Was Blocked

I wanted to test inbound connectivity too. As can be noted from Figure16 , I have used a web server publishing rule to publish a web server behind TMG (it's actually an IIS7 web server running on the DC VM,  I'm not worried about security issues, I'm in my private lab and this is just a test).
I can access a web server located behind TMG with no problems from my host OS, see Figure19. Note that I did not modified the firewall settings on the host machine, see Figure20.


Figure19: Hyper-V: Access From the Host OS a Web Server Located Behind TMG Beta 1


Figure20: Host Windows Firewall Settings

As can be seen in Figure19, I've added another VM, running Windows XP x32 SP3. Its settings are shown in Figure21. Note that I can use a Network Adapter because I had applied SP3, on SP2 I cannot install the Hyper-V Integration Services.


Figure21: Hyper-V: Windows XP SP3 VM Settings

I can access from it the web server located behind TMG with no problems too, see Figure22 and Figure23.


Figure22: Hyper-V: Windows XP SP3 VM - Accessing The Web Server Located Behind TMG Beta 1


Figure23: Hyper-V: TMG Beta 1 Log

I also wanted to test if I can establish a VPN connection(L2TP/IPsec) from the WinXP VM. No problems, see Figure24, Figure25 and Figure26.


Figure24: Hyper-V: TMG Beta 1 - VPN Connection Log


Figure25: Hyper-V: WinXP VM: VPN Connected


Figure26: Hyper-V: TMG Beta 1 - VPN Sessions

As it should be, split-tunneling is disabled on the WinXP VM, and I'm accessing Internet through the TMG over the VPN connection, see Figure27 and Figure28.


Figure27: Hyper-V: WinXP SP3 VM: Internet Access Over the VPN Connection


Figure28: Hyper-V: TMG Beta 1 - VPN Connection Log

And since I've specified on my access rule which allows Internet Access to VPN Clients that Malware Inspection to be applied, I've tested it:


Figure29: Hyper-V: WinXP VM - The Download of the Infected File Over the VPN Connection Was Blocked


Figure30: Hyper-V: TMG Beta 1 - The Download of Infected File Was Blocked Over the VPN Connection Was Blocked

Searching a little bit, I found this interesting post from Jim Harrison:
http://www.freelists.org/archives/isapros/05-2008/msg00059.html

Thus I've decided to try one more time with Network Adapters on the TMG VM, now that I've updated to Hyper-V RC1.
So I've started from zero, a fresh lab.
New Virtual Networks on Hyper-V, see Figure31.


Figure31: Hyper-V: New Virtual Networks

The new NICs on the host can be seen in Figure32.


Figure32: New NICs on the Host

The settings for the new DC VM are shown in Figure33.


Figure33: New DC VM Settings

The settings for the new TMG VM are shown in Figure34.


Figure34: New TMG VM Settings

And installed TMG.
Like before installation succeeded, but now something has changed.
"Ping" connectivity is fine and apparently I do have "domain connectivity" and also some Internet connectivity on the TMG, see Figure35 and Figure36. A weird thing is the fact that the order of the NICs on the TMG VM does not appear to be correct ("LAN Area Connection" should be the Internet facing NIC, see Figure34), but this was like so before I've installed TMG (every time I'm using Network Adapters).


Figure35: Hyper-V: TMG VM - Synthetic NICs


Figure36: Hyper-V: TMG Beta 1 VM - Add Users


However I'm not able to pass traffic through the TMG, or actually only sometimes/sporadically traffic passes through TMG.
And I cannot update the TMG machine, see Figure37.


Figure37: Hyper-V: TMG Beta 1 VM - Alerts

So it still does not work for me with Network Adapters after the Hyper-V update to RC1.

If I go and remove the Network Adapters on this VM and instead add Legacy Network Adapters (see Figure38), things immediately start to work, see Figure39 (now the order of the NICs on the TMG VM is correct).


Figure38: Hyper-V: TMG VM - Changed to Emulated NICs


Figure39: Hyper-V: TMG Beta 1 VM - up and running

So currently I'm using TMG with Legacy Network Adapters in Hyper-V RC1.

I've kept my lab this Sunday up for more than 7 hours (it's running on my laptop as my second OS, and I cannot keep it up too much right now), see Figure40, and I did not encounter any major issues.


Figure40:  Hyper-V: Lab Uptime