Virtualization Support for ISA and RRAS - 11 Oct 2007

Over the past few months, I've been doing a lot of traveling and I've neglected this blog. (If for some reason, anybody is interested in how I spent my summer, see the end of this post for my quick summary. It feels odd to be writing about myself, but I guess that's what people do in blogs.) Anyway, I'm back now and have a million things to write about. Microsoft has been incredibly busy!
I'll start by sharing a letter from a reader, Jeff Vandervoort, who asked me to get a response from Microsoft. At the end of Jeff's letter, you'll see the response Microsoft gave me. I'll be eager to hear what you think.

Jeff's Letter

It's frustrating to my clients (and me) that Microsoft is pushing virtualization for all kinds of uses -- as long as it doesn't involve Microsoft's own products. Virtualization, particularly with Windows Server 2003 Enterprise Edition's \[Server 2003 EE\] licensing, potentially adds a lot of value to Microsoft products for SMBs, but Microsoft's archaic, VM-hostile support policies make it risky to make use of it.
I've been told by Microsoft \[Customer Support Services\] CSS that even in the absence of a published support policy for running a product in a VM \[virtual machine\], Microsoft may not support it unless we reproduce the problem on physical hardware. When asked for specifics of what can go wrong in a VM, I get only vague answers and guesses.
Does Microsoft support Virtual Server for production use, or not? Is the real reason Virtual Server is free that, had we paid for it, we'd expect its use to be supported?
In this specific case, I'm charged with setting up 4 small branch offices: 2 with ~5 users, 1 with ~10 and another with ~25. The 2 smallest are project-specific and will exist for less than 2 years. Connectivity to the main office is critical, but so is economy. They have determined that Terminal Services does not meet their needs.
They'll be using an RRAS VPN endpoint in a VM at a small site with Web proxy clients to Microsoft's ISA, and an ISA VPN and edge firewall in a VM at the 3 other sites. The host machine in each case will be a DC/file and print server. Using Virtual Server with Server 2003 EE on the host means we buy only one server and one Server 2003 license, which puts the project in budget.
I've advised my client of Microsoft's support position in writing, and they're prepared to move forward at their risk. Their alternative is either no connectivity to the main office at all, or reducing security of the system as a whole by using SOHO firewall/VPN endpoints in lieu of ISA. Neither is acceptable to the client.
Microsoft CSS has confirmed there will be no Internet connectivity to the host machine in our config. But our configurations are still either "not recommended" or "not supported." In the case of ISA, the config is "not recommended" in the release notes and the ISA BPA \[Best Practices Analyzer\], and "not supported" on TechNet! So, while neither answer is acceptable: Which is it? Neither CSS nor I could find any documentation about RRAS in a VM. Microsoft does not appear to have given virtualization very much thought.
Unfirewalled honeypots are often run in VMs. The honeypots are attacked, but the host is unaffected, and survives to allow use of the undo disk to put the honeypot back online quickly. If VS can host honeypots safely, without compromising the host, why not ISA or RRAS?
Empirically, we have tested the ISA and RRAS VM configs and they work well, but it sure would be nice to have Microsoft's blessing while going into production.
Beyond ISA and RRAS, if Microsoft is going to encourage virtualization, they need to step up and support virtualizing their products, except where specific reasons can be furnished and documented that shows why they should not be.

Microsoft's Response to Jeff's Letter

We're sorry to hear your reader had a frustrating experience when deploying and maintaining solutions built on Microsoft software. For over 30 years, our design goal has always been to offer quality products, an excellent customer experience at a reasonable price. But when we don't meet these design goals, we listen to our customers and we make changes as needed.
Microsoft takes virtualization seriously. We're making investments across our business, to include computing infrastructure, applications, systems management, licensing, support and interoperability so that customers can deploy critical workloads and applications in a virtual environment. One way we've helped meet customers' needs is the Common Engineering Criteria, which allows customers and partners to see the design goals for Microsoft server products as it relates to other Microsoft server software, including server virtualization. Virtual Server 2005 was added to the 2005 Common Engineering Criteria and Windows Server virtualization, which is a feature of Windows Server 2008, has been added to the 2008 Common Engineering Criteria. Exemptions are only granted due to OS or hardware dependencies.
Specific to your reader, Microsoft does support Virtual Server 2005 in production environments and intends to keep on doing so with Windows Server virtualization. For instance, ISA Server 2006 is fully supported within a Virtual Server 2005 R2 guest; whereas previous versions of ISA Server were not. ISA Server 2006 can run as a virtual guest, but because of performance considerations and potential security risks due to misconfiguration, this configuration isn't recommended by Microsoft, especially in network firewall deployment scenarios. The ISA Server product team is committed to supporting virtualization in the future versions of ISA Server, and is committed to security and providing sound deployment and configuration guidance to customers.
Microsoft has published two KB articles that state our support policy for software running in a virtualized environment:
- Microsoft Virtual Server support policy:
- Support policy for Microsoft software running in non-Microsoft hardware virtualization software:

Consistent with software industry practice, Microsoft doesn't provide general product support for any third-party software. However, as virtualization software matures and the industry adoption goes beyond today's 4% penetration, we recognize that new support models are needed. Customers have told us that they want a consistent support experience across their physical and virtual computing systems. Microsoft offers a progressive technical support policy covering the Microsoft virtualization software, the Windows OS and most Microsoft applications. And Microsoft is working with the industry to define such a model so that customers receive a consistent technical support experience for their computing systems, be it physical or virtual.

TAGS: Windows 8
Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.