Skip navigation

Virtualization Support for ISA and RRAS - 25 Sep 2007

A frustrated reader gets a response from Microsoft

Over the past few months, I've been doing a lot of traveling and I've neglected this blog. (If for some reason, anybody is interested in how I spent my summer, see the end of this post for my quick summary. It feels odd to be writing about myself, but I guess that's what people do in blogs.) Anyway, I'm back now and have a million things to write about. Microsoft has been incredibly busy!
I'll start by sharing a letter from a reader, Jeff Vandervoort, who asked me to get a response from Microsoft. At the end of Jeff's letter, you'll see the response Microsoft gave me. I'll be eager to hear what you think.

Jeff's Letter

It's frustrating to my clients (and me) that Microsoft is pushing virtualization for all kinds of uses -- as long as it doesn't involve Microsoft's own products. Virtualization, particularly with Windows Server 2003 Enterprise Edition's \[Server 2003 EE\] licensing, potentially adds a lot of value to Microsoft products for SMBs, but Microsoft's archaic, VM-hostile support policies make it risky to make use of it.
I've been told by Microsoft \[Customer Support Services\] CSS that even in the absence of a published support policy for running a product in a VM \[virtual machine\], Microsoft may not support it unless we reproduce the problem on physical hardware. When asked for specifics of what can go wrong in a VM, I get only vague answers and guesses.
Does Microsoft support Virtual Server for production use, or not? Is the real reason Virtual Server is free that, had we paid for it, we'd expect its use to be supported?
In this specific case, I'm charged with setting up 4 small branch offices: 2 with ~5 users, 1 with ~10 and another with ~25. The 2 smallest are project-specific and will exist for less than 2 years. Connectivity to the main office is critical, but so is economy. They have determined that Terminal Services does not meet their needs.
They'll be using an RRAS VPN endpoint in a VM at a small site with Web proxy clients to Microsoft's ISA, and an ISA VPN and edge firewall in a VM at the 3 other sites. The host machine in each case will be a DC/file and print server. Using Virtual Server with Server 2003 EE on the host means we buy only one server and one Server 2003 license, which puts the project in budget.
I've advised my client of Microsoft's support position in writing, and they're prepared to move forward at their risk. Their alternative is either no connectivity to the main office at all, or reducing security of the system as a whole by using SOHO firewall/VPN endpoints in lieu of ISA. Neither is acceptable to the client.
Microsoft CSS has confirmed there will be no Internet connectivity to the host machine in our config. But our configurations are still either "not recommended" or "not supported." In the case of ISA, the config is "not recommended" in the release notes and the ISA BPA \[Best Practices Analyzer\], and "not supported" on TechNet! So, while neither answer is acceptable: Which is it? Neither CSS nor I could find any documentation about RRAS in a VM. Microsoft does not appear to have given virtualization very much thought.
Unfirewalled honeypots are often run in VMs. The honeypots are attacked, but the host is unaffected, and survives to allow use of the undo disk to put the honeypot back online quickly. If VS can host honeypots safely, without compromising the host, why not ISA or RRAS?
Empirically, we have tested the ISA and RRAS VM configs and they work well, but it sure would be nice to have Microsoft's blessing while going into production.
Beyond ISA and RRAS, if Microsoft is going to encourage virtualization, they need to step up and support virtualizing their products, except where specific reasons can be furnished and documented that shows why they should not be.

Microsoft's Response to Jeff's Letter

We're sorry to hear your reader had a frustrating experience when deploying and maintaining solutions built on Microsoft software. For over 30 years, our design goal has always been to offer quality products, an excellent customer experience at a reasonable price. But when we don't meet these design goals, we listen to our customers and we make changes as needed.
Microsoft takes virtualization seriously. We're making investments across our business, to include computing infrastructure, applications, systems management, licensing, support and interoperability so that customers can deploy critical workloads and applications in a virtual environment. One way we've helped meet customers' needs is the Common Engineering Criteria, which allows customers and partners to see the design goals for Microsoft server products as it relates to other Microsoft server software, including server virtualization. Virtual Server 2005 was added to the 2005 Common Engineering Criteria and Windows Server virtualization, which is a feature of Windows Server 2008, has been added to the 2008 Common Engineering Criteria. Exemptions are only granted due to OS or hardware dependencies.
Specific to your reader, Microsoft does support Virtual Server 2005 in production environments and intends to keep on doing so with Windows Server virtualization. For instance, ISA Server 2006 is fully supported within a Virtual Server 2005 R2 guest; whereas previous versions of ISA Server were not. ISA Server 2006 can run as a virtual guest, but because of performance considerations and potential security risks due to misconfiguration, this configuration isn't recommended by Microsoft, especially in network firewall deployment scenarios. The ISA Server product team is committed to supporting virtualization in the future versions of ISA Server, and is committed to security and providing sound deployment and configuration guidance to customers.
Microsoft has published two KB articles that state our support policy for software running in a virtualized environment:
- Microsoft Virtual Server support policy:
- Support policy for Microsoft software running in non-Microsoft hardware virtualization software:

Consistent with software industry practice, Microsoft doesn't provide general product support for any third-party software. However, as virtualization software matures and the industry adoption goes beyond today's 4% penetration, we recognize that new support models are needed. Customers have told us that they want a consistent support experience across their physical and virtual computing systems. Microsoft offers a progressive technical support policy covering the Microsoft virtualization software, the Windows OS and most Microsoft applications. And Microsoft is working with the industry to define such a model so that customers receive a consistent technical support experience for their computing systems, be it physical or virtual.

How I Spent My Summer

And now for something completely different: As I said, while I was spending the summer traveling for pleasure and for work, Microsoft was very busy with all sorts of new announcements that I need to write about. But since this is a blog, I feel compelled to talk about myself first.
My husband (whose name is Ossi, short for Oswald) and I drove down the coast from our home near Seattle. Our first night was spent in a creepy little town called Ocean Shores, WA. The coast is gorgeous there, but the town consists of nothing but big "resort" chain hotels and looks like it was built to become a big tourist center, but nobody came. But the drive down the coast was stunningly beautiful. We only got lost once when our navigation system sent us down a dirt road to nowhere as a "shortcut." But it was a pretty drive.
We spent a night in Ft. Bragg, CA (yep, it's a West Coast Ft. Bragg), and found an outstanding restaurant, Mendo Bistro, in that little town. Then we cut across California to Lake Tahoe and spent July 4, at a wonderful oasis of a B&B called the Black Bear Inn. (The only evidence of Tahoe's big forest fire that we could see were signs all over town thanking the heroic firefighters.) From Tahoe, we drove over to Utah to see the stunning Canyonlands and Arches National Parks. We decided against hiking in the 105-degree weather, though. Along the way, I bought a great handmade turquoise necklace at a scenic overlook where all sorts of trinkets were spread on the sidewalk under signs forbidding any selling. (Fortunately, the signs didn't say anything about buying.) Then we drove through the beautiful (though suffering from pine-bark beetle damage) Colorado Rockies, over I-70, past Vail, to Denver for Microsoft's Worldwide Partner Conference. (See, I told you there was also work involved.)
After spending a week at the lovely Windows IT Pro headquarters in Loveland, CO, and getting some quality time with my team, Ossi and I drove home via Yellowstone National Park -- gorgeous, too many people, lots of geysers. I hadn't been to Yellowstone since a family vacation when I was a kid. All I remember from that childhood trip was the smell of sulfur, but I didn't notice that smell much at all this time. Strange how memory plays tricks on you.
We were home for a week and then flew to Germany to visit Ossi's parents in Neumarkt/Opf., near Nuremburg. Between watching goofy German TV with the in-laws, we made it our mission to check out as many Biergarten as we could. I lived in Germany from 1975 to 1984 and we visit every year, but I had somehow failed to consciously think about how wonderful German cafes and beer gardens are. You can find beautiful scenery and sit as long as you like after a hike or bike ride and enjoy the beer and the people. (sigh)
Ossi and I spent the entire day of our 30th wedding anniversary in Regensburg, where we had lived and attended the university back in the 70s. Regensburg is a remarkable town. It's on the northernmost part of the Danube (which is anything but blue, BTW) and is one of only two medieval cities in Germany that weren't destroyed in WWII bombings. So you can walk down the narrowest little streets you've ever seen and feel what it must have been like living in those 13th-century buildings. The town was actually founded by Markus Aurelius in 179 AD, and you can still see Roman ruins downtown. My favorite juxtaposition is that you can stand inside McDonalds on the main street (Maximillianstrasse) and look out a big picture window to see remains of the Roman wall.
Anyway... there was lots more, but I this is long enough to bore anybody. Suffice it to say that I'm back now and will be posting regularly -- about Microsoft, not me. It's hard to think where to even begin with all the Microsoft stuff that's going on....

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.