ISA 2006 Firewalls Supported on Virtual Server R2

Installing ISA 2006 on Microsoft Virtual Server 2005 R2 is supported.

Because the Windows operating system that hosts Virtual Server cannot be protected by the ISA Firewall on a virtual server, the ISA Firewall in a Virtual Server environment should not be used in an edge firewall scenario, and this configuration is not supported. You can use this configuration securely in other scenarios, such as:

  • A production deployment in which the ISA Firewall on Virtual Server provides Web proxy services such as forward proxy, publishing, and caching, and is protected by an edge firewall, such as an additional ISA Firewall or array of ISA Firewalls
  • A laboratory deployment

If you encounter high \Process\wspsrv\Virtual Bytes performance counter values (a value of 1,800,000,000, or 1.8 GB, indicates that there may be a problem), you can consider running the ISA Firewall on Virtual Server 2005 R2 as an alternative to buying another ISA server computer. Consider the following:

  • Define the number of guest operating systems that the virtual server will host. Once Virtual Bytes exceeds 1.8 GB, consider adding another guest operating system to the computer, after first adding 2 GB of RAM for it.
  • Add RAM to the host computer (2 GB for each guest operating system).
  • Install Microsoft Virtual Server 2005 R2 on your server.
  • Install guest operating systems.
  • Install and configure the ISA Firewall on each guest operating system.
  • Use an external load balancer, for example, Domain Name System (DNS) round-robin, hardware-based, or Windows Network Load Balancing (NLB), to spread traffic among the ISA Firewalls.
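
The check that starts this procedure can be run over a saved counter log. The following is an added example, not code from the original article or from Microsoft: it assumes the counter was logged to CSV in the layout typeperf writes, with the column named `\Process(wspsrv)\Virtual Bytes`, and the host name, sample values, three-sample run length and 2 GB host reserve are all constructed or assumed.

```python
import csv
import io

VIRTUAL_BYTES_LIMIT = 1_800_000_000  # 1.8 GB warning level from the article
RAM_PER_GUEST_GB = 2                 # article: 2 GB of RAM per guest OS

# Constructed sample in typeperf CSV layout; host name and values are made up.
SAMPLE_LOG = r'''"(PDH-CSV 4.0)","\\ISA01\Process(wspsrv)\Virtual Bytes"
"03/14/2008 10:00:00.000","1510000000.000000"
"03/14/2008 10:01:00.000","1820000000.000000"
"03/14/2008 10:02:00.000"," "
"03/14/2008 10:03:00.000","1790000000.000000"
"03/14/2008 10:04:00.000","1830000000.000000"
"03/14/2008 10:05:00.000","1860000000.000000"
"03/14/2008 10:06:00.000","1910000000.000000"
'''

def read_virtual_bytes(log_text):
    """Return [(timestamp, bytes)] for the wspsrv Virtual Bytes column."""
    rows = csv.reader(io.StringIO(log_text))
    header = next(rows)
    col = next(i for i, name in enumerate(header)
               if "wspsrv" in name.lower()
               and name.lower().endswith("virtual bytes"))
    samples = []
    for row in rows:
        if len(row) <= col or not row[col].strip():
            continue  # a missed sample is logged as a blank field; skip it
        samples.append((row[0], int(float(row[col]))))
    return samples

def first_sustained_breach(samples, limit=VIRTUAL_BYTES_LIMIT, run=3):
    """Timestamp where `run` consecutive samples reach the limit, else None."""
    streak_start, streak = None, 0
    for stamp, value in samples:
        if value >= limit:
            streak_start = streak_start if streak else stamp
            streak += 1
            if streak == run:
                return streak_start
        else:
            streak = 0  # a single spike does not count as a problem
    return None

def guests_supported(host_ram_gb, host_reserve_gb=2):
    """Guests that fit at 2 GB each; the host reserve is an assumption."""
    return max(0, (host_ram_gb - host_reserve_gb) // RAM_PER_GUEST_GB)

if __name__ == "__main__":
    print(first_sustained_breach(read_virtual_bytes(SAMPLE_LOG)))
    print(guests_supported(8))
```
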

Measurements of a remote procedure call (RPC) over Secure HTTP (HTTPS) publishing scenario on a dual-core, dual-processor 2.2 GHz server with 8 GB of RAM showed the following:

  • A single installation of the ISA Firewall on a host computer handled 40000 concurrent connections with approximately 2 GB of virtual memory.
  • Three ISA Firewalls installed on three virtual operating systems handled 60000 concurrent connections with only 1.3 GB used by each virtual computer. This model could be scaled out to more virtual computers (for example, four, eight, and so on) depending on the amount of RAM and the processing power of the hosting server. The tests were run on three computers.
  • CPU utilization in both cases was almost the same.

Adapted from: http://www.microsoft.com/technet/isa/2006/perf_bp.mspx

As you can see, MS Virtual Server 2005 R2 can allow you to significantly scale out your ISA Firewalls to provide support for an additional tens of thousands of connections. Keep in mind that the ISA Firewall in a virtual environment cannot protect the host operating system, so you’ll need an ISA Firewall or ISA Firewall array in front of your virtual ISA Firewall environment to protect the host operating system hosting the guest ISA Firewalls.

HTH,

Tom

Thomas W Shinder, M.D.
Site: http://www.isaserver.org/

Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7


MVP — Microsoft Firewalls (ISA)
