Security – Should I Run TMG as a Hyper-V Guest

Tags: dmz, firewall, hyper-v, microsoft-ftmg-2010, security

Okay here's an interesting question. In two parts:

  1. Is it advisable to run TMG as a Hyper-V guest in production? (Something is nagging me that it's not a good idea, but it's possible to give a VM exclusive access to a NIC, and technically the "host" is just another guest with special privileges.)
  2. If I run TMG as a Hyper-V guest, should I place the host in the Internal network, or is the DMZ safe enough? My concern here is obviously that the host machine could be considered a weak link. The DMZ is behind a NAT and I'm not giving the host machine any external access. I only give internal machines access to the host. Is this enough, or should I bring the host Internal?

Or, back to point 1, should I scrap that idea altogether and put TMG on a separate physical machine? (So I lied, I guess it's in 3 parts.)

For clarification
My design is as follows (all running on one physical box):

Machine A – Hyper-V Host: does not have access to any host NICs, only virtual networks created through Hyper-V. Also runs (currently) the DMZ DC with a one-way trust to the internal domain, and DNS/DHCP for internal. Connected to the DMZ virtual network only.

Machine B – TMG Guest Machine: three-leg configuration. External is connected to a physical NIC assigned a publicly accessible IP. Internal and DMZ are both connected to virtual networks. A firewall rule is in place to allow Machine A to handle AD communications with the Internal DC/DNS. Also a physical NIC for the DMZ connected to a wireless AP.

Machines C–?? – Internal Network Services and clients: they are connected to the Internal virtual network and are given access on a case-by-case basis.

Everything is working correctly, I just want to make sure that I'm not creating some gaping hole in my network with this configuration.

Best Answer

  1. It looks like Microsoft has "officially" announced support of TMG on Hyper-V - http://www.microsoft.com/forefront/threat-management-gateway/en/us/default.aspx

  2. As Tatas stated, just because TMG is on the hypervisor, there is no technical requirement for the hypervisor itself to be exposed. The virtual-to-physical NIC assignments under the hypervisor are the only requirements for placing TMG into a functioning configuration. The hypervisor can stay put based on your "normal" deployment for hypervisors per your environment.

As long as there are no rampant hypervisor exploits, running TMG and similar products is/should be just as "safe" as it would be on physical hardware.

With that said, there may be some operational advantages to having perimeter-type applications on physical hardware when it comes to addressing and/or responding to out-of-band situations (e.g. network utilization spikes, hypervisor issues, etc.).
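The answer's point 2 rests on one condition: the virtual-to-physical NIC assignments give the TMG guest the public NIC and keep the management OS (Machine A in the question) off it. The following script is an added example, not code from the question, the answer or Microsoft, that audits exactly that on the Hyper-V host. It assumes the Hyper-V PowerShell module (Windows Server 2012 or later; a TMG-era Hyper-V 2008 R2 host would not have these cmdlets), and the VM and switch names at the top are hypothetical placeholders for the poster's Machine B and its three legs.

```powershell
# Added example (not from the original question or answer): audit a Hyper-V host
# that runs a three-leg TMG guest, checking that only the firewall VM touches
# the external switch. Requires the Hyper-V PowerShell module (2012+).
$TmgVmName      = 'TMG'         # assumed name of Machine B (hypothetical)
$ExternalSwitch = 'External'    # assumed external switch bound to the public NIC
$DmzSwitch      = 'DMZ'         # assumed virtual network for the DMZ leg
$InternalSwitch = 'Internal'    # assumed virtual network for the internal leg

$findings = @()

# 1. The external switch must not share its physical NIC with the management OS.
#    AllowManagementOS = $true would give the host a virtual adapter on the public NIC.
$ext = Get-VMSwitch -Name $ExternalSwitch -ErrorAction Stop
if ($ext.SwitchType -ne 'External') {
    $findings += "Switch '$ExternalSwitch' is of type $($ext.SwitchType); expected External."
}
if ($ext.AllowManagementOS) {
    $findings += "Switch '$ExternalSwitch' is shared with the management OS; recreate it with -AllowManagementOS `$false."
}

# 2. The management OS should have no virtual adapter on the external or internal
#    switch; per the poster's design it sits on the DMZ virtual network only.
foreach ($a in (Get-VMNetworkAdapter -ManagementOS)) {
    if ($a.SwitchName -eq $ExternalSwitch) {
        $findings += "Management OS adapter '$($a.Name)' is attached to '$ExternalSwitch'."
    }
    if ($a.SwitchName -eq $InternalSwitch) {
        $findings += "Management OS adapter '$($a.Name)' is attached to '$InternalSwitch' (design says DMZ only)."
    }
}

# 3. The TMG guest must have exactly one adapter on each of its three legs.
$vmAdapters = Get-VMNetworkAdapter -VMName $TmgVmName
foreach ($sw in @($ExternalSwitch, $DmzSwitch, $InternalSwitch)) {
    $count = @($vmAdapters | Where-Object { $_.SwitchName -eq $sw }).Count
    if ($count -ne 1) {
        $findings += "TMG VM has $count adapter(s) on '$sw'; expected 1."
    }
}

# 4. No other guest may have an adapter on the external switch; only the
#    firewall belongs on the public side of the box.
$others = Get-VMNetworkAdapter -VMName * | Where-Object {
    $_.SwitchName -eq $ExternalSwitch -and $_.VMName -ne $TmgVmName
}
foreach ($o in $others) {
    $findings += "Adapter on '$ExternalSwitch' belongs to guest '$($o.VMName)', not the TMG VM."
}

if ($findings.Count -eq 0) {
    Write-Output "OK: only '$TmgVmName' reaches '$ExternalSwitch'; management OS is isolated from it."
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it from an elevated PowerShell session on the host; each FINDING line is one way the hypervisor (or another guest) has gained a path to the public NIC that the answer assumes it does not have. Re-running it after every switch or VM change turns the "the hypervisor need not be exposed" argument into something you can verify rather than assume.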
