Deploying the network edge on a virtual environment – Part 3

Now that you have some background knowledge on the concept of a virtualized network edge, we will go a little bit deeper and in this post I will try to illustrate different scenarios where we put TMG in our network:

1- TMG as an Edge Firewall

An edge firewall is a firewall placed on the edge of the network connecting the LAN to the Internet and is capable of inspecting any traffic that enters or exits the network.

As it is shown in the illustration, we will install the TMG on a Guest VM on Hyper-V and will disconnect the parent OS from the internet.

We need to create two virtual NICs on the Guest VM. One of the virtual NICs is connected to the physical server’s NIC linked to the LAN and the other virtual NIC is connected to the physical server’s NIC linked to the Internet.

Notes: The connection between the virtual NIC and the physical NIC is established through a Virtual Switch on each side. So keep in mind that in this scenario we will need to have two virtual switches.

2- TMG as a Three-Legged Firewall

A three-legged firewall is a type of firewall that is connected to three different network segments namely LAN, DMZ (Perimeter Network) and the Internet.

As precisely depicted in the illustration, everything looks and is configured the same as when we had an edge TMG firewall with the only difference that we need to have a new and third Virtual NIC on the Guest VM running TMG which is connected to the DMZ section of the network.

There goes to scenario here:

  • The DMZ is on the same Hyper-V Server. In this case we are going to have a specific virtual switch for our DMZ section. This switch is connected to the TMG on one side and to the virtual NICs of the Guest VMs from the other side. This way we can have a link between the TMG and the Guest VMs which are placed in DMZ.
  • The DMZ is not on the same Hyper-V server and is on another server or servers. The picture below can describe things a little bit better. In this scenario we still have the DMZ virtual switch but this virtual switch is not straight connected to the other DMZ Guest VMs; instead it is connected to them through the physical NIC of the server.

Notes: I don’t explain more on this scenario to avoid confusion; because I believe the picture is clearly showing what I am trying to say.

3- TMG as a Back-to-Back Firewall

In this scenario we have two TMGs both installed on two different Guest VMs. One of them is playing the role ofa frontier firewall connected to the Internet through a Virtual Switch; and the other TMG is playing the role of aback-end firewall connected to the LAN through another Virtual Switch.

Both of these Guest VMs running TMG, from the other side, are connected to a DMZ Virtual Switch. This virtual switch is also connected to the other VMs in the DMZ.

Notes: Again like the previous scenario, the DMZ section could be either on the same Hyper-V Server or on another server or servers. It totally depends on your design.

Here I just talked about the design and not the configuration on the TMG and VMs. Basically there are a number of things that need to be configured correctly if you want to get these scenarios up and running. In the next and most probably the last post of this series, I will talk about the configuration with all the details.

Some months ago I also had a deep dive session in Microsoft Virtualization and Security Summit 2010 and it was on deploying TMG on a virtualized environment. Below you can see my presentation slides shared for your use.

You want to learn more about this topic? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book:

To get more information about the book click on the book below:


Wish you all the best


Deploying the network edge on a virtual environment – Part 2

I would like to extend this discussion by talking about some of the concerns people might have when it comes to virtualization of the edge. There are a number of issues that might concern people that below is just a few:

-Software firewalls are less secure than firewall appliances (Hardware):

This is a totally wrong idea since on top of all those firewall appliances, there is always a software running using which the administrator is able to configure the firewall. The difference is that the appliance only comes in a box making it more expensive. So if you think you can set up a very good server with really efficient hardwares, then you could even get a better performance than an appliance.

-A more complicated infrastructure and therefore more difficult to manage:

Well, that is somehow true but you should bare in mind that the complication would also exist in a physical environment where you have no documentation about the configuration and of course the design. So keep in mind that for every implementation whether physical or virtual, documentation is the first approach to be taken.

-Windows is not secure enough to be placed on the edge:

While some might believe Windows Server is not secure enough to be on the network edge, I totally disagree since there has not been any serious security vulnerabilities to exploit on Windows Server (Especially 2008 R2) as in 2010 there were only 33 vulnerabilities found on this OS which none of them was called critical while Linux had over 179 vulnerabilities which many of them were found on its kernel making it so vulnerable to attacks. To support my opinion on the security of Windows below is three edge products by Microsoft installed on Windows Server with no vulnerabilities over years:

-Exchange Server 2010 Edge role

-Office Communication Server 2007 Edge Role

-ISA Server (It has had 10 years without any exploits)

Now that you have found relief about some of your concerns, we can talk about virtualizaiton of Forefront TMG 2010 which is to be done on Hyper-V on top of Windows Server 2008 R2.

When it comes to the implementation of an application, the first thing to think of is where to install it. On the Hyper-V, well the question is a bit more clear… Should I install it on the Guest OS or the parent OS?

The answer is the Guest OS will be where TMG must be installed. If you install it on the parent partition, then you have exposed you whole virtualized environment to the internet. Remember that the network edge is the part of your network more than the others exposed to the internet and therefore there is a higher possibility to go under attack. So we could say that if in any ways the the parent OS (With TMG) is compromised then the whole virtualized environment is going to be compromised.

Imagine a hacker having access to the Hyper-V console on the parent partition, you could guess what he would be capable of doing…

But if you install TMG on the Guest OS, just in case the server is hacked, only and only that Guest OS is compromised and not the whole virtual environment. That is why…

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below:


Deploying the network edge on a virtual environment – Part 3

Deploying the network edge on a virtual environment – Part 1

It was a while I had not posted anything here until today I decided to write a two- or three-part article (I am not still sure how many parts it is going to be composed of) on virtualization of the edge using Microsoft technologies.

With a rapid growth in the area of virtualization, one might think of virtualizing parts of the network that seemed and of course still seems pretty critical in every environment. One of those parts is the edge of the network where the internet meets the LAN or at least the perimeter network.

There is always a high number of reasons behind taking the network infrastructure all on a virtual platform but specifically for the network edge, the reasons must be strong enough to assure security because this is the part of the network which is more than the others exposed to the outside (The internet so to speak) and therefor could be affected by a number of potential attacks.

Talking about reasons, helping the environment and of course developing more Green technologies would be the most common reason behind any virtualizaion solution but here for the edge below is the answers to all those WHYs:

-Faster disaster recovery: As a systems engineer I have seen it many times when the devices sitting at the edge of the network responsible for all kinds of NATing and routing happen to fail and shut down as a result of hacking attacks, DDoS attacks or simply for no reason. In such situations, the first thing to do will be recovery and of course if the infrastructure is a ll virtualized, it will only be a matter of restoring the old Virtual Hard Disk files (VHD) and then booting up the OS again. It’s really fast and efficient really well suiting the requirement of an edge solution.

-Increasing Complexity for hackers: Who wouldn’t like to create a very complex environment for a hacker who gets terribly confused even if he gets the chance to penetrate in. As an administrator or a systems engineer you would also get lost if you are not familiar with the whole infrastructure that you are dealing with and just in case you do not have the documentation (Which is a must for every virtualized environment) you will be like Alice in wonderland.

-A Cost-effective solution for small businesses: Not all the businesses have big data centers with hundreds of servers installed in the racks. There are businesses with only one or two servers and of course a number of applications. For such businesses, installing an edge application like ISA Server or Forefront TMG 2010 on a separate server is a huge cost since servers are not that cheap to afford. By taking TMG and of course other applications all virtual on one or two servers, there will be a great save in costs.

For the time being, I just wanted to clarify things over all the questions of WHY??? In the next parts I will more discuss different scenarios in detail. In our exercises we are going to make use of Forefornt TMG 2010 as the edge application running on Hyper-v in a Guest VM.

You want to learn more? Check out my new book below and have access to great and practical tutorials and step-by-step guides all in one book: 

To get more information about the book click on the book below: