How to build an ISA firewall lab with Virtual PC 2004


By Stefaan Pouseele
January 2005
Last Update: 03/01/2005


1. Summary


You bought yourself, or convinced your boss to buy for you, a new desktop or laptop with a fast processor, plenty of disk space and 2 Gbyte of memory. You have already installed Windows XP SP2 and Virtual PC 2004 SP1 on the box and now you wonder how to use that nice piece of hardware and software to implement an ISA firewall lab. Virtual PC lets you create one or more virtual machines, each running its own operating system, on a single physical computer. So, setting up multiple virtual machines to implement an ISA firewall lab sounds like a perfect scenario for using Virtual PC. However, what is special about implementing an ISA firewall lab is that you have to create multiple isolated network segments. Therefore, in this article we will talk about the advanced networking features of Virtual PC and how to use them in an ISA firewall lab.


If you are new to Virtual PC 2004, I suggest you check out first the Microsoft Virtual PC 2004 website. Also, I assume here you already have a good understanding of how to create virtual machines.


2. Virtual PC Networking


Each virtual machine can be set up to use from zero to four network adapters as shown in the figure below. This means that you can create a maximum of four network segments, directly connected to a virtual machine. Each network adapter will be seen by the virtual machine as a DEC / Intel 21140 Based PCI Fast Ethernet adapter.




For each network adapter you have basically four configuration options:



  • Not connected: The virtual machine appears to not be connected to any network. This option is recommended when the physical computer is not on a network, or if you do not plan to access the Internet through a virtual machine. This can prevent possible delays if the virtual machine software checks the network controller.
     
  • Shared networking (NAT): The first virtual machine network card can be assigned to Shared Network (NAT). When this option is selected, the virtual machine is connected to a private network created by Virtual PC. The network includes a virtual DHCP server and a virtual network address translation server. The virtual machine is then able to access most TCP/IP-based resources that the host operating system can access. Therefore, Virtual PC allows guest operating systems to get an IP address dynamically, as shown in the figure below, without making use of a host external resource. Several virtual machines share a single external IP address for accessing the outside network.




  • Virtual networking: When this option is selected, the virtual machine is connected directly to the currently selected network connection of the host operating system. The virtual machine will appear and behave like a separate physical computer on the same network as shown in the figure below. The networking configuration of the virtual machine is determined by the configuration of the network, which therefore determines how an IP address is assigned to the virtual machine. If the network uses a DHCP server, an IP address is assigned dynamically to the virtual machine. Similarly, if the network uses static IP addresses, you must manually configure the virtual machine to use a static IP address. So, the virtual machine is able to transmit packets to other computers connected to the same network, including the host operating system, other virtual machines and any destination reachable through the currently selected network connection of the host operating system.




  • Local only: This option provides networking support between virtual machines only. This means that the virtual machine will not have access to any network resources on the host operating system. The virtual machine communicates with other running virtual machines on the ‘Local only’ network. No traffic transmits over the wire to other computers and no traffic is exchanged with the host operating system. However, keep in mind that only a single ‘Local only’ network exists for all virtual machines on the same host computer. Another way of looking at this configuration option is to consider the ‘Local only’ network as a special case of virtual networking without the binding to a real network adapter on the host operating system as shown in the figure below.



3. ISA firewall lab


Now that we have a better understanding of the different configuration options for the Virtual PC network adapters, let’s talk about how to use that knowledge to implement a classic trihomed ISA firewall lab as shown in the figure below.




First of all, we need an Internal Network that must be isolated from all other networks and from the host operating system. This Internal Network will interconnect multiple hosts such as an XP workstation, an ISA server and an Active Directory Domain controller that will also be hosting the internal DNS/DHCP/WINS server, the Exchange server, the Active Directory integrated Certificate Authority server and a Web/FTP server. Next, we need a Perimeter Network or DMZ Network that must also be isolated from all other networks and from the host operating system. This Perimeter Network will interconnect the ISA server and a Web/FTP server. Finally, we need an External Network that must be able to communicate with the external world. For the Internet connection we use an ADSL line and a Linksys WRT54G broadband router to offload the PPPoE stuff. The Linksys router uses 192.168.1.1/24 as its LAN IP address and has a built-in DHCP server with the DHCP scope 192.168.1.100 – 192.168.1.149.


If we look at the above requirements, it should be obvious that the ‘Virtual networking’ configuration option is a perfect fit for the External Network and that the ‘Local only’ configuration option is what we need for the Internal and Perimeter Networks. However, we do have a problem here because there is only a single ‘Local only’ network for all virtual machines on the same host computer. So, the main question is: how do we create an equivalent of multiple ‘Local only’ networks?


The solution to that problem is in fact quite simple and consists of installing multiple Microsoft Loopback Adapters on the host operating system, one for each isolated network, and unbinding all items from those loopback adapters except the Virtual Machine Network Services. In that way we can create, with the help of the ‘Virtual networking’ configuration option, as many ‘Local only’ networks as we want. The best way to understand this simple and elegant solution is to consider each loopback adapter as a separate hub or switch. Because nothing else is bound to that adapter but the Virtual Machine Network Services, the host operating system can’t interfere in any way with those ‘Local only’ networks.


As an exercise we’ll go through the procedure to install and configure the Microsoft Loopback Adapters on the host operating system and assign the three network adapters (internal, perimeter and external) to the ISA virtual machine. For your reference I include here the Microsoft Knowledge Base articles on how to install the Microsoft Loopback Adapter in Windows XP, Windows 2000 and Windows 2003:



Installing the Microsoft Loopback Adapter on the host operating system


To manually install the Microsoft Loopback adapter in Windows XP, follow these steps:



1. Go to Start > Settings > Control Panel > Add Hardware.


2. Click Next, select Yes, I have already connected the Hardware and then click Next.




3. At the bottom of the list, click Add a new hardware device and then click Next.




4. Select Install the hardware that I manually select from a list and then click Next.




5. From the list, select Network adapters and then click Next.




6. In the Manufacturer box, click Microsoft and in the Network Adapter box, click Microsoft Loopback Adapter, and then click Next.




7. Confirm the installation of the new hardware by clicking Next.




8. In the final screen of the Add Hardware Wizard click Finish.




Because we need two Microsoft Loopback Adapters, one for the internal network and one for the perimeter network, you should go through the install procedure at least a second time to install a second Microsoft Loopback Adapter. After all Microsoft Loopback Adapters are installed you should see something similar to the figure below for the available Network Connections. In this case, we have the onboard LAN connection, four Microsoft Loopback Adapters, a PCMCIA Xircom card used for Network Monitoring, a Wireless Network Connection and a VPN connection.




Configuring the Microsoft Loopback Adapter on the host operating system


After the loopback adapters are installed successfully, you should manually configure their options, as with any other adapter. In our case we will only use the Microsoft Loopback Adapters #2 and #3. Therefore we will first disable the Microsoft Loopback Adapters #1 and #4. Next, and this is a very important step, you should unbind all items from the Microsoft Loopback Adapters #2 and #3 except the Virtual Machine Network Services as shown in the figures below. To do that, right click the appropriate adapter in the Network Connections screen and select Properties.





Assigning the network adapters to the ISA virtual machine


Now that we have created the necessary ‘hubs or switches’ on the host operating system, it’s time to assign them to the ISA virtual machine. So, start up the Virtual PC console, select the ISA virtual machine and click Settings. For Adapter 1 select the Microsoft Loopback Adapter you want to use for the internal network; in our case we use the Microsoft Loopback Adapter #2. Next, for Adapter 2 select the host operating system’s real LAN adapter for the external network; in our case it is the Broadcom NetXtreme Gigabit Ethernet adapter. Finally, for Adapter 3 select the Microsoft Loopback Adapter you want to use for the perimeter network; in our case we use the Microsoft Loopback Adapter #3. Review your settings and you should see something similar to the figure below.




Next, click OK and we are ready to launch the ISA virtual machine. When starting up the ISA virtual machine you might see the following warning message.




If that’s the case, the Virtual PC configurator did not correctly assign a MAC address to the network adapters of the virtual machine. To correct that problem, shut down the virtual machine and open the virtual machine configuration file (*.vmc) with Notepad. In the virtual machine configuration file locate the section ‘<ethernet_adapter>…</ethernet_adapter>’. Review this section and you will probably not find the per-adapter entries ‘<ethernet_card_address type="bytes">…</ethernet_card_address>’ shown below.

<ethernet_adapter>
    <controller_count type="integer">3</controller_count>
    <ethernet_controller id="0">
        <virtual_network>
            <id type="bytes">B33FA5924A9F11D98074E24E3991CFE9</id>
            <name type="string">Microsoft Loopback Adapter #2</name>
        </virtual_network>
        <ethernet_card_address type="bytes">0003FF495341</ethernet_card_address>
    </ethernet_controller>
    <ethernet_controller id="1">
        <virtual_network>
            <id type="bytes">E2A5EAD24A3A11D980B9A39FBC46C673</id>
            <name type="string">Broadcom NetXtreme Gigabit Ethernet</name>
        </virtual_network>
        <ethernet_card_address type="bytes">0003FF495342</ethernet_card_address>
    </ethernet_controller>
    <ethernet_controller id="2">
        <virtual_network>
            <id type="bytes">B33FA5934A9F11D98074E24E3991CFE9</id>
            <name type="string">Microsoft Loopback Adapter #3</name>
        </virtual_network>
        <ethernet_card_address type="bytes">0003FF495343</ethernet_card_address>
    </ethernet_controller>
</ethernet_adapter>


The solution is to manually assign a MAC address to the network adapters. Normally the Virtual PC configurator should assign a MAC address value of the form ‘0003FFXXXXXX’ where XXXXXX is a random 3-byte hex number which must be unique across all the virtual machine network adapters, just like in the real world. Therefore, make sure you choose a unique value for the MAC address. In our case, we used the hex value of the first three letters of the hostname for the first adapter and incremented it by one for each additional adapter. Once you have assigned a correct MAC address to the network adapters, save the changes, close Notepad and start the virtual machine again. All should go well now.
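As an added example (not part of the original article or of Virtual PC itself), the following Python script applies the rule above to a .vmc file: it derives the first MAC address from the hex value of the first three letters of the hostname, increments it for each additional adapter, inserts the missing ethernet_card_address entries and checks that all addresses are unique. The .vmc fragment and the hostname ‘ISA’ are constructed here for the demonstration.

```python
import xml.etree.ElementTree as ET

# Constructed .vmc fragment: three adapters, none of them with a MAC address yet.
SAMPLE_VMC = """<preferences>
<ethernet_adapter>
<controller_count type="integer">3</controller_count>
<ethernet_controller id="0"><virtual_network>
<name type="string">Microsoft Loopback Adapter #2</name></virtual_network>
</ethernet_controller>
<ethernet_controller id="1"><virtual_network>
<name type="string">Broadcom NetXtreme Gigabit Ethernet</name></virtual_network>
</ethernet_controller>
<ethernet_controller id="2"><virtual_network>
<name type="string">Microsoft Loopback Adapter #3</name></virtual_network>
</ethernet_controller>
</ethernet_adapter>
</preferences>"""

VPC_OUI = "0003FF"  # prefix the Virtual PC configurator normally uses


def hostname_seed(hostname):
    """Hex value of the first three letters of the hostname, e.g. 'ISA' -> 0x495341.
    Hostnames shorter than three characters are padded with '0' (an assumption)."""
    letters = hostname[:3].upper().ljust(3, "0").encode("ascii")
    return int.from_bytes(letters, "big")


def assign_mac_addresses(vmc_xml, hostname):
    """Fill in missing <ethernet_card_address> entries and return (macs, new_xml).
    Adapters that already carry an address keep it; duplicates raise ValueError."""
    root = ET.fromstring(vmc_xml)
    seed = hostname_seed(hostname)
    macs = []
    for index, ctrl in enumerate(root.iter("ethernet_controller")):
        addr = ctrl.find("ethernet_card_address")
        if addr is None:
            addr = ET.SubElement(ctrl, "ethernet_card_address", type="bytes")
        if not (addr.text or "").strip():
            # seed + index, kept within the 3-byte device part of the address
            addr.text = f"{VPC_OUI}{(seed + index) & 0xFFFFFF:06X}"
        macs.append(addr.text.strip())
    if len(set(macs)) != len(macs):
        raise ValueError(f"duplicate MAC addresses in .vmc: {macs}")
    return macs, ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    assigned, fixed_xml = assign_mac_addresses(SAMPLE_VMC, "ISA")
    print(assigned)  # ['0003FF495341', '0003FF495342', '0003FF495343']
```

Run it against a copy of the real .vmc file and write the returned XML back only after reviewing it; Virtual PC must be shut down while the file is edited.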


4. Conclusion


In this article we went over how you can use Microsoft Virtual PC 2004 to build an ISA firewall lab. By using multiple Microsoft Loopback Adapters on the host operating system, you can test and model complex ISA firewall scenarios before implementing them in a real network environment. The only practical limitation you will run into is the number of virtual machines you can run simultaneously, and this is largely determined by the amount of memory you have on the host operating system. A total memory capacity of 1 – 2 Gbyte should be more than adequate for most ISA firewall scenario testing and still provide enough performance for the virtual machines.


I hope you enjoyed this article and found something in it that you can apply to your own environment. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000190 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks!  – Stefaan.

