Hi,

I was wondering whether there are any best practice guidelines for the
initial setup of the current Hyper-V RC? My main question is regarding
network connectivity - can the Hyper-V parent partition be connected to the
internal network and be a domain member (for management and VM backup
purposes), even if the child partitions it hosts were connected to a
less-secure network such as a DMZ? I'm assuming this is not a recommended
configuration unless the VMs can be configured to have no access whatsoever
to the parent partition?



Thanks!

Best practice is to have nothing at all running in the parent partition
of a server running Hyper-V. That is the recommended configuration.

"NJC1" <NJC1@xxxxxx> wrote in message
news:524230FC-A448-49CF-832E-2F3DDC476E6A@xxxxxx

> Hi,
>
> I was wondering whether there are any best practice guidelines for the
> initial setup of the current Hyper-V RC? My main question is regarding
> network connectivity - can the Hyper-V parent partition be connected to
> the
> internal network and be a domain member (for management and VM backup
> purposes), even if the child partitions it hosts were connected to a
> less-secure network such as a DMZ? I'm assuming this is not a recommended
> configuration unless the VMs can be configured to have no access
> whatsoever
> to the parent partition?
>
> Thanks!

Hi Bill,

Many thanks for the speedy response - I wasn't planning on running anything
apart from the Management Consoles for Hyper-V plus some agents for VM backup
and parent partition OS monitoring purposes (nothing too resource intensive).

"NJC1" wrote:

> Hi,
>
> I was wondering whether there are any best practice guidelines for the
> initial setup of the current Hyper-V RC? My main question is regarding
> network connectivity - can the Hyper-V parent partition be connected to the
> internal network and be a domain member (for management and VM backup
> purposes), even if the child partitions it hosts were connected to a
> less-secure network such as a DMZ? I'm assuming this is not a recommended
> configuration unless the VMs can be configured to have no access whatsoever
> to the parent partition?
>
> Thanks!

Questions about DMZ operations can get tricky. The real point is that a
vm can only access a physical network through a physical NIC on the host. If
you have a vm connected to a DMZ you must have a NIC in the host connected
to that DMZ somehow. If you also have another NIC in the host connected to
some other network there is always a possibility of a leak from one network
to the other, no matter how slight the risk may be.

"NJC1" <NJC1@xxxxxx> wrote in message
news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx

> Hi Bill,
>
> Many thanks for the speedy response - I wasn't planning on running
> anything
> apart from the Management Consoles for Hyper-V plus some agents for VM
> backup
> and parent partition OS monitoring purposes (nothing too resource
> intensive).
>
> "NJC1" wrote:
>

>> Hi,
>>
>> I was wondering whether there are any best practice guidelines for the
>> initial setup of the current Hyper-V RC? My main question is regarding
>> network connectivity - can the Hyper-V parent partition be connected to
>> the
>> internal network and be a domain member (for management and VM backup
>> purposes), even if the child partitions it hosts were connected to a
>> less-secure network such as a DMZ? I'm assuming this is not a recommended
>> configuration unless the VMs can be configured to have no access
>> whatsoever
>> to the parent partition?
>>
>> Thanks!

NJC1,

If you have _any_ device with two NICs with one connected to each zone (such
as a firewall), then there is also a possibility of a leak from one network
to the other, no matter how slight the risk may be.

So in your case, if TCP/IP is not actually bound to the host adaptor, then
your risk is fairly small.

--
Dave Harry

"Bill Grant" <not.available@xxxxxx> wrote in message
news:%23qLLInG0IHA.4848@xxxxxx

> Questions about DMZ operations can get tricky. The real point is that a
> vm can only access a physical network through a physical NIC on the host.
> If you have a vm connected to a DMZ you must have a NIC in the host
> connected to that DMZ somehow. If you also have another NIC in the host
> connected to some other network there is always a possibility of a leak
> from one network to the other, no matter how slight the risk may be.
>
> "NJC1" <NJC1@xxxxxx> wrote in message
> news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx

>> Hi Bill,
>>
>> Many thanks for the speedy response - I wasn't planning on running
>> anything
>> apart from the Management Consoles for Hyper-V plus some agents for VM
>> backup
>> and parent partition OS monitoring purposes (nothing too resource
>> intensive).
>>
>> "NJC1" wrote:
>>

>>> Hi,
>>>
>>> I was wondering whether there are any best practice guidelines for the
>>> initial setup of the current Hyper-V RC? My main question is regarding
>>> network connectivity - can the Hyper-V parent partition be connected to
>>> the
>>> internal network and be a domain member (for management and VM backup
>>> purposes), even if the child partitions it hosts were connected to a
>>> less-secure network such as a DMZ? I'm assuming this is not a
>>> recommended
>>> configuration unless the VMs can be configured to have no access
>>> whatsoever
>>> to the parent partition?
>>>
>>> Thanks!

>

Yes, I agree. There is no real reason to know or care whether the
machines and networks are virtual or physical. If a network design is
basically sound, it really doesn't matter. A network is a network!

"Dave Harry" <DaveHarry@xxxxxx> wrote in
message news:OevGuCQ0IHA.3464@xxxxxx

> NJC1,
>
> If you have _any_ device with two NICs with one connected to each zone
> (such as a firewall), then there is also a possibility of a leak from one
> network to the other, no matter how slight the risk may be.
>
> So in your case, if TCP/IP is not actually bound to the host adaptor, then
> your risk is fairly small.
>
> --
> Dave Harry
>
> "Bill Grant" <not.available@xxxxxx> wrote in message
> news:%23qLLInG0IHA.4848@xxxxxx

>> Questions about DMZ operations can get tricky. The real point is that
>> a vm can only access a physical network through a physical NIC on the
>> host. If you have a vm connected to a DMZ you must have a NIC in the host
>> connected to that DMZ somehow. If you also have another NIC in the host
>> connected to some other network there is always a possibility of a leak
>> from one network to the other, no matter how slight the risk may be.
>>
>> "NJC1" <NJC1@xxxxxx> wrote in message
>> news:01910F92-5A1B-4CBA-AF39-70B8EF70D062@xxxxxx

>>> Hi Bill,
>>>
>>> Many thanks for the speedy response - I wasn't planning on running
>>> anything
>>> apart from the Management Consoles for Hyper-V plus some agents for VM
>>> backup
>>> and parent partition OS monitoring purposes (nothing too resource
>>> intensive).
>>>
>>> "NJC1" wrote:
>>>
>>>> Hi,
>>>>
>>>> I was wondering whether there are any best practice guidelines for the
>>>> initial setup of the current Hyper-V RC? My main question is regarding
>>>> network connectivity - can the Hyper-V parent partition be connected to
>>>> the
>>>> internal network and be a domain member (for management and VM backup
>>>> purposes), even if the child partitions it hosts were connected to a
>>>> less-secure network such as a DMZ? I'm assuming this is not a
>>>> recommended
>>>> configuration unless the VMs can be configured to have no access
>>>> whatsoever
>>>> to the parent partition?
>>>>
>>>> Thanks!

>>

>