Forefront TMG and Windows Server 2008 with a Virtual Machine

  • Saturday, May 02, 2009 4:02 PM - mw308
    Hello everyone

    I have recently installed Server 2008 Standard x64 onto an AMD X2, and have installed Hyper-V from the Roles list, and have installed Server 2008 Core as a VM.  When I install TMG, either MBE or Beta 2, as soon as Windows loads and the login screen appears, the server will blue screen with the IRQ error of FWPKCLNT.SYS.  I have also done the same setup with VMware Server 2.0.1 and the same thing happens.  If I disconnect the drive containing the VMs so they do not start, the server does not blue screen and everything runs ok.  The server has been fully updated, and I have even tried disabling the Windows Firewall service, but still the same rebooting.

    Is anyone able to shed some light on this little problem please?

    Many thanks

All Replies

  • Saturday, May 02, 2009 5:26 PM - ElMajdal (MVP)

    Where are you installing TMG? On Windows Server 2008 Core?


    ______________________________

    Tarek Majdalani
    MS Forefront Edge Security MVP
    http://www.elmajdal.net  
  • Saturday, May 02, 2009 6:39 PM - mw308

    Nope TMG is going on Server 2008 Standard (hardware install not VM).  Basically it looks like:


    Server 2008 Standard
                 |
                 |-TMG
                 |-Hyper-V/VMware
                               |
                               |-Server 2008 Core

    The FWPKCLNT.SYS file that is blue screening is on 2008 Standard.

    Hopefully that makes sense!

  • Sunday, May 03, 2009 5:03 PM - Marc.Grote (MVP)
    Hi,

    do you use VMware and Hyper-V on the same machine? VMware uses its own networks and virtual network adapters. IMHO this could be the reason for your problems.

    regards Marc
    www.nt-faq.de
    www.it-training-grote.de
  • Sunday, May 03, 2009 5:20 PM - mw308
    Hi Marc

    No they are not installed at the same time.  After using Hyper-V with Server 2008, the disk was formatted and Server 2008 reinstalled, this time with VMware installed without Hyper-V.
  • Monday, May 04, 2009 4:13 PM - Michael R. Mastro II
    I had this same problem with Beta 1. My configuration at the time was Server 2008 Enterprise and Hyper-V, then TMG installed on the same and the Server 2008 Standard on the VM Machine. TMG was causing the Network on the VM to BSOD the machine. As I was told at the time it was a problem that would be fixed in later builds. Though when Beta 2 came out I set my machine up so that the TMG was on the VM and the other VM does not cause problems.
    Michael R. Mastro II
  • Monday, May 04, 2009 4:20 PM - mw308
    Yes at the moment I've found the problem with both MBE and Beta 2.  I've currently got around the problem with a very unsatisfactory solution of using 2003 and ISA 2006 on the hardware, and running the 2008 R2 machines off VMware 2.0.1.  I still hold out hope for a solution so I can finally get rid of 2003.
  • Monday, May 04, 2009 10:45 PM - Bala Natarajan (MSFT)

    If I understand your config right, I believe you are using TMG in the host and the Server Core as the guest.

    Please refer to the best practices for configuring TMG in Virtual environment

    http://technet.microsoft.com/en-us/library/cc891502.aspx

    The document suggests using TMG as a guest and not as a host.

    If you have specific reasons for using TMG in the host, can you provide the reasons?

    Thanks
    Bala Natarajan MSFT
  • Tuesday, May 05, 2009 9:20 PM - mw308
    Hi Bala

    That's correct - TMG in the host, Core in the guest.

    I'm doing it this way because I only have one server, of which one network port would be internet facing.  Therefore to use TMG's firewall to protect the network it needs to be on the 1st network point, which is the host.  As far as I can see installing it in a guest wouldn't protect the host's network adapter from the internet, and would only provide caching.  I had this setup working in Server 2003 and ISA 2006, but wished to try it with TMG and Server 2008.

    Cheers

    Will
  • Friday, May 08, 2009 9:12 PM - ElMajdal (MVP)

    Therefore to use TMG's firewall to protect the network it needs to be on the 1st network point, which is the host.  As far as I can see installing it in a guest wouldn't protect the host's network adapter from the internet,


    If you have read the TechNet article Bala referred you to, you wouldn't have said so.....

    Also, check Jim Harrison discussing the topic: Virtualize your ISA or Forefront TMG servers

    In this interview, Jim discusses the different setups for ISA/TMG servers in a virtualized environment, and what the advantages and disadvantages of each are.


    ______________________________

    Tarek Majdalani
    MS Forefront Edge Security MVP
    http://www.elmajdal.net  

  • Friday, May 08, 2009 10:22 PM - mw308
    Hi Tarek

    After reading/watching the above links, I would still like to get TMG installed on the host, so for now I have deleted all virtual machines, but have left Hyper-V installed for future VM use.  The issue is still happening.  Is there any way to get both working on the host correctly, or is this an unsupported configuration which therefore hasn't been tested by anyone?

    Will
  • Saturday, May 09, 2009 11:53 PM - Bala Natarajan (MSFT)

    From your initial problem description:


    Quote
    ---------
    When I install TMG, either MBE or Beta 2, as soon as Windows loads and the login screen appears, the server will blue screen with the IRQ error of FWPKCLNT.SYS.  I have also done the same setup with VMware Server 2.0.1 and the same thing happens.  If I disconnect the drive containing the VMs so they do not start, the server does not blue screen and everything runs ok.  The server has been fully updated, and I have even tried disabling the Windows Firewall service, but still the same rebooting.
    ----------
    Unquote


    Previously, if you disconnected the drive containing VMs everything seemed to be working fine, and now even without any VM the issue seems to be continuing. Has this got anything to do with the drive?

    If you still have the blue screen I would like to collect a full memory dump and look at the issue. Please send me your email address, I will send steps to collect a full memory dump.

    Thanks
    Bala Natarajan [MSFT]
    balan@microsoft.com
  • Thursday, May 21, 2009 11:42 PM - mw308
    Hi Bala

    I've sent you an email now.  As a follow up to that email, the 2 virtual machines I spoke of are still on the same HDD that was plugged into Server 2008, so hardware faults can be eliminated (as it is working fine with Server 2003).

    Regards

    Will
  • Wednesday, May 27, 2009 6:52 PM - Douks

    I too am attempting this configuration. My reasoning was to host my DMZ machines in a virtual environment & it seemed to make sense to have the Hyper-V host run TMG & then I could implement any number of LAN or DMZ connected virtual machines on this box. I don't have the available hardware to not combine at least one role with the Hyper-V host itself.

    Although I have got TMG installed OK in this configuration, I've yet to implement either a LAN or DMZ connected VM on the box. When I do I will confirm if the BSOD affects me too.

    Another issue I have with this configuration:
    I have created an access rule to permit DNS traffic from another of my LAN connected Hyper-V hosts (2008 DC) and can see the rule being applied OK to the traffic, however I never get a response. All network adapters are configured as per ISA/TMG best practice & this configuration has worked fine in my other ISA 2006 lab. I can only assume it is a limitation of the "virtual" network interfaces that are created as part of the Hyper-V config. Along with the issue in this post, maybe this is why all the "virtual" documentation points towards making the TMG a guest OS rather than installing on the host.

    Would be interested to know if anyone else has experienced this behaviour.

    Cheers

    Douks
  • Wednesday, May 27, 2009 8:44 PM - Jim Harrison (IsaDewd)
    Proposed Answer
    There is a bug that prevents running TMG on a Hyper-V parent.
    You can run TMG on a guest, but not the parent partition.
    Jim Harrison Forefront Edge CS
  • Thursday, May 28, 2009 9:22 AM - mw308

    I too am attempting this configuration. My reasoning was to host my DMZ machines in a virtual environment & it seemed to make sense to have the Hyper-V host run TMG & then I could implement any number of LAN or DMZ connected virtual machines on this box. I don't have the available hardware to not combine at least one role with the Hyper-V host itself.

    Although I have got TMG installed OK in this configuration, I've yet to implement either a LAN or DMZ connected VM on the box. When I do I will confirm if the BSOD affects me too.

    Another issue I have with this configuration:
    I have created an access rule to permit DNS traffic from another of my LAN connected Hyper-V hosts (2008 DC) and can see the rule being applied OK to the traffic, however I never get a response. All network adapters are configured as per ISA/TMG best practice & this configuration has worked fine in my other ISA 2006 lab. I can only assume it is a limitation of the "virtual" network interfaces that are created as part of the Hyper-V config. Along with the issue in this post, maybe this is why all the "virtual" documentation points towards making the TMG a guest OS rather than installing on the host.

    Would be interested to know if anyone else has experienced this behaviour.

    Cheers

    Douks


    See what happens and let us know if you can please.  If the bug that Jim has spoken about causes a blue screen with Hyper-V, it may also be doing the same with VMware.  I've removed 2008 for the time and replaced with 2003 and ISA 2006, but soon I'll be re-trying 2008 again with VMware, and when that happens I'll be sending Bala the crash reports so hopefully either he can see the fix or MS can make a patch.

    When you say you don't get a response, do you mean the name doesn't resolve (ie the request goes out but nothing is sent back)?  Can you see the response in the TMG log?

    Will
  • Thursday, May 28, 2009 2:01 PM - Jim Harrison (IsaDewd)

    Will,

    "VMware" is a bit vague, since they offer multiple versions of multiple virtualization solutions.
    You can't install TMG or ISA on an ESX parent, so that scenario is out.
    If you're deploying ISA or TMG on a VMware Server or VMware Workstation host, let's hope you're not doing that for production.

    Douks,

    Some more details on your configuration are needed to understand what you're doing.
    1. Are you using synthetic or legacy NICs (synthetic are better)?
    2. Are you using VLAN tagging?
    3. If #2 is 'yes', exactly how have you configured the parent / guest / switches?


    Jim Harrison Forefront Edge CS
  • Thursday, May 28, 2009 2:07 PM - mw308
    Hi Jim

    Sorry, I thought you'd seen the previous posts.  It's either Hyper-V or VMware Server 2.0.1 I am using.  Since as you say there's a bug with TMG and Hyper-V, VMware is the only way to go.  As above, it works fine on 2003, and if it is an intentional bug with 2008, I don't really think that removing a compatibility is a good move.  Either way, my setup requires ISA/TMG with virtual machines.  I'm also avoiding the SBS route.

    Just a query though, run me through the problems of VMware server 2 if you have time please.

    Cheers

    Will
  • Friday, May 29, 2009 2:20 PM - Jim Harrison (IsaDewd)
    Proposed Answer
    Will,

    The bug is only interesting if you install TMG on the parent. You can still install TMG on a guest and use that to protect the parent. I and many others have been using this technique for many years with great success. Bear in mind that the TMG-on-Hyper-V parent is not (yet?) a supported scenario.

    There are no problems using VMware Server with TMG that I'm personally aware of (except perhaps yours).
    The key is that the support for Microsoft products on virtualization solutions that have not passed SVVP testing is very limited (in many cases, non-existent).  The whole point of the SVVP program is to provide a reasonable level of assurance between multiple vendors that your chosen combination will work as designed and will be supportable by *both* vendors.  Without this assurance, your deployments are potentially riding on thin ice.

    HTH,

    Jim Harrison Forefront Edge CS
  • Monday, June 01, 2009 6:46 PM - mw308
    Hi Jim

    Am curious now as to how TMG on the guest can protect the host if the host is directly connected to the internet (sorry, prob should have said that - not behind a router, so ISA/TMG is front facing - not the recommended scenario I know, but that's how it is for the time).  From what I can see the traffic would enter the host 1st, so anything malicious wouldn't get to the TMG as it would have already passed through the host, or is that incorrect?

    Will
  • Monday, June 01, 2009 8:29 PM - Douks
    Jim

    Sorry I've been busy the last few days. Thanks for the info re the bug - can you explain further / is it likely to be fixed in the RTM version (not that I'd dream of this setup for production, it just seems logical for test rig when you want guest machines on both sides of the firewall).

    As promised I've proved the BSOD affects me too. BSOD when the guest boots connected to either the LAN virtual NIC or the DMZ virtual NIC. No BSOD if booted without a virtual network - would be interesting to see if introducing a third network card & connecting it to that caused the same issue (ie one not related to TMG config).

    I was using synthetic NICs, with the latest Integration Services, with no VLAN tagging (VLAN done by real switches).
    1st card - On board Atheros 1Gb LAN (Asus M4A78Pro mainboard which by the way is great for Hyper-V rigs with full driver support on the disk).
    2nd card - Intel Pro/100S Desktop Adapter I had lying around.

    Before installing TMG configured the Hyper-V virtual networks...
    1st card internal LAN (& domain connection)
    2nd card external DMZ

    Like Will, I still have reservations about configuring TMG on a guest, but I guess if that's the only supported config that's what I'll do next because I have to get this up & running this week. Flattening the box as I type...

    Cheers

    Douks
  • Tuesday, June 02, 2009 11:38 PM - Jim Harrison (IsaDewd)
    Proposed Answer
    Hi guys,

    You can use a TMG guest to protect the parent (and all others behind TMG) thisaway:
    1. Create an "External" network (vNet), associated with the parent NIC that faces the Internet.
    2. At the parent, unbind *all* network protocols except for the Microsoft Virtual Network Switch protocol from the vNIC created for the parent on this vNet (hint: Hyper-V R2 allows you to hide external networks from the parent).
    3. Build the TMG server as normal.

    The key here is to unbind any network protocols from the parent virtual NIC built by the Hyper-V virtual networking driver.
    In this way, the parent does not present any network listeners to the Internet other than Ethernet, and this is owned by the hypervisor, not the parent partition itself.

    HTH,
    Jim Harrison Forefront Edge CS
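An added audit check for the exposure Jim's steps 1 and 2 remove, written here as an example and not taken from the thread: it reports what the parent partition still has bound on the Internet-facing external switch. It assumes Windows Server 2012 or later with the Hyper-V and NetAdapter PowerShell modules (the thread's 2008 R2 toolset does the same unbinding in the adapter properties dialog) and that the parent vNIC keeps its default "vEthernet (<switch>)" name.

```powershell
# Audit the Hyper-V parent's network presence on an Internet-facing external switch.
# Read-only unless -Fix is given. Run from an elevated prompt on the parent.
param(
    [Parameter(Mandatory)][string]$SwitchName,   # external vSwitch facing the Internet
    [switch]$Fix
)

# Bindings that give the parent an addressable stack or a listener on that NIC.
$ListenerComponents = 'ms_tcpip', 'ms_tcpip6', 'ms_server', 'ms_msclient'
# The only component that should stay bound on a NIC owned by the virtual switch
# (the "Microsoft Virtual Network Switch protocol" of the thread).
$SwitchComponent = 'vms_pp'

$sw = Get-VMSwitch -Name $SwitchName -SwitchType External -ErrorAction Stop
$findings = @()

# 1. The physical NIC bound to the switch may carry nothing but the switch protocol.
$phys = Get-NetAdapter -InterfaceDescription $sw.NetAdapterInterfaceDescription
$physBad = Get-NetAdapterBinding -Name $phys.Name |
    Where-Object { $_.Enabled -and $_.ComponentID -ne $SwitchComponent }
foreach ($b in $physBad) {
    $findings += [pscustomobject]@{ Adapter = $phys.Name; Binding = $b.DisplayName; ComponentID = $b.ComponentID }
    if ($Fix) { Disable-NetAdapterBinding -Name $phys.Name -ComponentID $b.ComponentID }
}

# 2. A management-OS vNIC on this switch is the "parent vNIC" of the thread: if the
#    switch is shared with the parent, the parent has an IP stack on the Internet side.
if ($sw.AllowManagementOS) {
    # Default name Hyper-V gives the parent vNIC (assumption; adjust if renamed).
    $vnic = Get-NetAdapter -Name "vEthernet ($SwitchName)" -ErrorAction SilentlyContinue
    if ($vnic) {
        $vnicBad = Get-NetAdapterBinding -Name $vnic.Name |
            Where-Object { $_.Enabled -and $ListenerComponents -contains $_.ComponentID }
        foreach ($b in $vnicBad) {
            $findings += [pscustomobject]@{ Adapter = $vnic.Name; Binding = $b.DisplayName; ComponentID = $b.ComponentID }
        }
    }
    if ($Fix) {
        # Removes the parent vNIC from this switch altogether: the TMG guest then owns
        # the Internet side and the parent keeps only the switch binding on the physical NIC.
        Set-VMSwitch -Name $SwitchName -AllowManagementOS $false
    }
}

if ($findings.Count -eq 0) {
    "OK: parent exposes only the virtual switch binding on '$SwitchName'."
} else {
    "Parent still has a network presence on '$SwitchName':"
    $findings | Format-Table -AutoSize
}
```

Run it once before and once after the change; the second run should report only the switch binding, which is the state step 2 describes.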
  • Tuesday, June 02, 2009 11:51 PM - Douks
    There is a bug that prevents running TMG on a Hyper-V parent.
    You can run TMG on a guest, but not the parent partition.
    Jim Harrison Forefront Edge CS

    Jim

    Finished the new guest config tonight & getting a bit frustrated.

    The whole build went to plan (domain connected parent doing nothing, hosting a domain connected TMG guest with Exchange Edge, all using 2 x physical NICs virtualised, with the parent having no IP configuration on the perimeter NIC), but the DNS resolution issue persists. When you revealed the bug above, was this just the Hyper-V parent issue, or the DNS one as well? You have mentioned the DNS issue as being a bug in this post... http://social.technet.microsoft.com/Forums/en-US/FTMGNext/thread/0e6446e0-f58e-423d-8492-edcfd8d599ee as well, but I'm not sure if this is related to an earlier beta or if it's still a problem in a Hyper-V guest environment with Beta 2.

    Please let me know, cheers

    Douks
  • Thursday, June 04, 2009 9:10 PM - Douks

    All

    I have solved my DNS (access rule) problem...

    Looking into the network sets created after my install, all didn't look well - I had taken the "back firewall" configuration option during the network configuration wizard as this fits my test environment. This resulted in the internal network correctly representing my internal LAN stuff, but the perimeter network included all other networks (including the internet & all other private ranges). This is not what I wanted from the config, as I wanted to be able to define rules to the perimeter (DMZ) differently from those to the internet. Anyway, I attempted to re-run the wizard, but no joy as it kept getting right to the end and then erroring out.

    So, I've uninstalled the previous install of TMG & reinstalled, this time selecting "edge" as the topology in the network configuration wizard. Now everything (DNS forwarder rules, Web etc) is working as expected.

    I would be interested to know if anyone else experiencing the DNS (or any other access rule) problems under the Hyper-V guest scenario has installed using the same topology that I did originally, as my findings suggest it may be the source of the problem. This topology caused me issues both when TMG was installed on the parent and on the guest.

    Apologies if this is a known issue with Beta 2, but having just had a quick look through the release notes I can't see anything specific that relates to it.

    Douks

  • Wednesday, July 01, 2009 12:06 AM - Jim Harrison (IsaDewd)

    This sounds more like a simple misconfiguration than anything else.
    Changing the network template also changes a great deal about how TMG behaves in the network structure.
    Without seeing the details of "before" and "after", it's impossible to say exactly what the root problem may have been, but I feel comfortable saying that it wasn't Hyper-V related.
    Jim Harrison Forefront Edge CS