<h1>Forefront TMG (or any Firewall) &amp; Virtualisation</h1>
<p>Published 2011-05-14 at <a href="https://aidanfinn.com/?p=11237">https://aidanfinn.com/?p=11237</a>. Categories: Hyper-V. Tags: Security, Forefront, Hyper-V, Virtualisation.</p>
<p>I was asked today about using (W2008 R2 SP1 Hyper-V) Dynamic Memory and Forefront Threat Management Gateway (TMG). To be honest, I hadn’t looked at TMG on virtualisation before – Microsoft has a huge product catalogue.</p>
<p>I searched, and found a long and detailed <a href="http://technet.microsoft.com/library/cc891502.aspx">article</a> on the subject. The guidance starts with understanding the network role of the TMG installation in question. That means understanding the workloads (network and server) that the VM will be handling. This leads to some general TMG configurations, which will obviously affect resource requirements and performance. We are reminded that the TMG VM will be sharing a host with other VM workloads, and therefore a spiking TMG VM could affect the resource utilisation of other VMs. Consider this when sizing hosts or placing virtual machines. The TMG group recommends doing a 2 week proof-of-concept or assessment to gather empirical data for this sizing process. TMG will eat CPU and memory.</p>
<p>Speaking of memory, a SQL back end is used for logging. This is normally an Express install. This edition (at the moment) doesn’t have the ability to deal with expanding memory such as Hyper-V Dynamic Memory. The minimum RAM for TMG is 2 GB. Well, SQL Express has a <a href="http://msdn.microsoft.com/en-us/library/ms345154(v=sql.90).aspx"><em>“one GB memory limit for the buffer pool”</em></a>. If you decide you must enable DM on your TMG VM(s), then maybe you should set the start-up memory setting for a TMG VM to 2048 MB. That will leave SQL Express in a healthy state in terms of memory (knowing how much to take at start-up) and will ensure that TMG always has the minimum required. You can set your maximum memory setting to what you find is required after your assessment.</p>
<p>Physical networking is discussed. Any VLANing or DMZ/edge network designs for a physical installation should still apply. <em>Don’t</em> redesign or compromise the network design to suit virtualisation; <em>do</em> redesign the virtualisation hosts to suit the network and security requirements.</p>
<p>Ideally, a host used for providing capacity to network security VMs should not run other VM roles, e.g. you ideally won’t mix Exchange VMs and TMG VMs on the same host. But hey, that sounds great in mid-size/enterprise environments but is a bit pricey for SMEs.</p>
<p>There’s lots of advice on lock-down policies, patching, and enabling BitLocker on the parent partition. And of course, only provide access to the parent partition as and when it is (business critically) required.</p>
<p>An interesting one, which might answer many forum questions: the TMG group recommends that internal and external virtual NICs should not share virtual switches. That means you should ideally use different physical NICs for those networks, and <em>maybe</em> use different virtual NICs that are created by your network provider (e.g. Broadcom, HP NCU, etc.).</p>
<p>There is a reminder to disable everything except the virtual switch protocol in the parent partition NICs that are used for external virtual switches.</p>
<p>You should have a way to log into or manage/monitor the parent partition separately from the virtual machine workloads. In other words, have a dedicated parent partition physical network card that is not used by virtual networks. This will allow you to manage the parent partition and its other workloads if something like a DoS attack happens and the internet-facing NIC for the TMG VM is being hammered.</p>
<p>For your virtual machine disks, it is recommended that you place the OS and SQL logs on different drives. If you are using host server internal disks then you’ll need to create different LUNs. Things aren’t that simple in a SAN where virtual disk systems are used, because different LUNs are actually striped across the same disks in the disk group. I’d consider a CSV with all VHDs on there. And then you get into the normal CSV/backup design decision-making process. Remember to keep IOPS requirements (from the assessment) in mind.</p>
<p>The <a href="http://technet.microsoft.com/en-ie/library/cc891502(en-us).aspx">article</a> ends with a discussion of various virtual networking designs and how they will impact the performance of your TMG VM.</p>