I keep [wrongly] assuming that this is common knowledge. But then again, I never knew that Ctrl+C copies the text from a message box. (Really, I didn’t; it’s one of the handiest things on earth, and I never knew until last year.)

I digress. More importantly: patching, firewalling or anti-virus on the host does not protect any of the virtual machine guests! In fact, if you experiment (not on live servers), you can remove TCP/IP from the host, and the guests will still work and talk over the wire. You can read more about this craziness over here.

Anyway, the reason I got started on this topic is that the ISA Server Product Team have a post on their blog this morning, “ISA on a Virtual Server host does not protect the guest machines”, so I thought I’d repost it over here and share some more of the Virtual Machine Lovin’. An edited snippet is below:

You may think that installing ISA on the host machine would protect the guest machines. But it doesn’t! You can verify it easily - run some traffic between the guest machine and the Internet (say, browse to some public web site), and see that the traffic passes even though there’s no rule that would allow it. Also, the traffic does not appear in the ISA log at all.

The reason for this is that Virtual Server uses an NDIS driver to route traffic to its guest machines, according to their MAC addresses. Since NDIS drivers are located below ISA’s driver (fweng.sys), the traffic is routed before ISA even sees it.

One way you can accomplish this idea is to have another NIC (call it Internal), connect the guest machines only to that NIC, and have ISA route/NAT traffic between that NIC and the “real” (External) NIC: