Hi,
I am wondering if I should virtualize a unihomed ISA 2006 which will be used only for reverse proxy.
I heard a firewall should never be virtualized because of the continuous swapping between user and system context (the CPU rings). I also heard that the latest CPUs like the Intels with VT support don't have this problem, but I am unsure.
Anyway: even if I make a rule in ISA 2006 to allow everything, even then the firewall service is running and checking all packets. Microsoft changed the ISA 2000 way where you could install only a proxy to a forced combination of both firewall and proxy.
Is it okay to run a unihomed proxy-only ISA 2006 in a VM?
I am afraid this will have an impact on the entire ESX and thus other VMs too.
What are your thoughts about this?
TIA.
Here are the specs for my host:
4 single-core 2.8 GHz processors with 14 virtual machines (including the ISA server). The ISA server has 1 vCPU and 1 GB of RAM.
I believe my box is unihomed - we are not using the firewall functionality.
ISA is more than we need - I am slowly working towards setting up a Linux box to replace it.
I'm actually in the midst of doing that exact configuration. We have a requirement to enable smart card authentication for OWA, and with the constraints of Exchange 2003, that's the only way to do it... So far, our initial testing hasn't shown any issues.
I am running ISA 2006 for proxy and web filtering as a virtual machine. Currently I have 600 active connections and VC is reporting 300-600 MHz used. I have no complaints from me or the users. I am running it on older hardware that doesn't have VT.
Do you have other VMs on your ESX?
Is yours also unihomed?
As ISA 2006 is picky on where it should be installed: not on a DC, not on Exchange, not on... etc... we'd love to have it in a VM.
It's just too bad that Microsoft decided to make their proxy a firewall combination...