NVGRE Gateway Security and Firewalls?

Hi,

I am setting up a Hyper-V NVGRE gateway on Windows Server 2012 R2. From what I have read, the gateways have 3 NICs, with one interface dedicated to public IP addresses, but I haven't been able to find any information about how the gateways are secured.
Can they be protected behind hardware firewalls?
Are they already secured out of the box at install time?
Do we have to use and configure the Windows Firewall on the gateway for protection?

Is there any best practice out there, real-life experience / examples, or some documentation on this subject? I am struggling.

Many thanks in ad

October 24th, 2014 2:18am

This is a question IT engineers encounter many times.

The HNV (Hyper-V Network Virtualization) Gateway is in fact an RRAS (Routing and Remote Access) server. An HNV Gateway can be hosted behind a front-end firewall with 1:1 routing. But RRAS does not do firewall inspection other than IP port filtering. This filtering, on the other hand, is only configurable with PowerShell, and I'm not sure if it is supported either. When you apply NAT, the network traffic will be filtered by the front-end firewall. When you configure VPN connectivity, all traffic is allowed to pass through the VPN site-to-site connection.

I am also looking for other solutions (vendors) that can be implemented as a virtual switch extension and offer more robust and granular services (e.g. firewall services). F5 does seem to offer such a solution.

January 27th, 2015 6:41pm

Hi,

I have created some blog posts on hyper-v.nu about the NVGRE gateway.

My recommendations:

  • Put the gateway Hyper-V host and GW VMs in a separate domain.
  • Connect the GW VMs directly to the internet.
  • Enable the Windows Firewall. Look at the Network Connection Profile, as there are different rule sets for the Private, Public and Domain profiles. Make sure the external interface is marked with the Public profile. If you use the toolkit I created for GW deployment, it is configured for you.
  • If your company policy doesn't allow a direct connection to the internet, put a firewall in front, but transparently, or create a public subnet behind that firewall so your GW VMs have public IPs.
  • Only use inspection on traffic (IDS), don't block it. If you really need to, create a common allow list for regular ports. Otherwise tenants need to open service requests at your helpdesk to open ports if they want to publish an application via a NAT rule.
  • Since you put the hosts and GW VMs in a separate domain, you have separated them from your management domain, which in my view is the best practice.
  • Use 3rd party NVGRE vendors, like F5 BIG-IP as Boudewijn mentioned.
March 6th, 2015 5:08pm
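The firewall steps from the post above (enable the Windows Firewall, make sure the internet-facing NIC sits in the Public profile, and keep a common allow list of ports for tenant NAT publishing), written out as an added PowerShell example. This is not from the original thread or from the hyper-v.nu toolkit; it uses the built-in NetSecurity and NetConnection cmdlets on Windows Server 2012 R2, run elevated on the gateway VM. The interface alias `External` and the allow list `80, 443` are assumptions; adjust both to your gateway.

```powershell
# Added example, not from the original thread. Hardens the Windows Firewall on an
# NVGRE gateway VM as recommended above. Run in an elevated PowerShell session.
# Assumptions: the internet-facing NIC is named "External" (check Get-NetAdapter)
# and the agreed "common allow list" for tenant NAT publishing is TCP 80 and 443.

$ExternalAlias   = 'External'      # assumed alias of the public-facing NIC
$AllowedTcpPorts = @(80, 443)      # assumed allow list for published tenant services

# 1. The external NIC must be in the Public profile so the Public rule set applies.
#    Set-NetConnectionProfile cannot override a DomainAuthenticated profile: if this NIC
#    can reach a domain controller it is classified as Domain, which is one reason the
#    post keeps the gateway hosts and VMs out of the management domain.
$cp = Get-NetConnectionProfile -InterfaceAlias $ExternalAlias
if ($cp.NetworkCategory -ne 'Public') {
    Set-NetConnectionProfile -InterfaceAlias $ExternalAlias -NetworkCategory Public
}

# 2. Enable the firewall on every profile; on Public, block unsolicited inbound traffic
#    by default and log dropped packets so you have evidence of what is hitting the GW.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogMaxSizeKilobytes 16384

# 3. Open only the agreed ports, scoped to the Public profile and the external NIC.
#    Scoping by interface keeps these rules away from the provider-network NIC that
#    carries the NVGRE (GRE, IP protocol 47) traffic between hosts.
foreach ($port in $AllowedTcpPorts) {
    $name = "NVGRE-GW Allow TCP $port (Public)"
    if (-not (Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName $name -Direction Inbound -Protocol TCP -LocalPort $port `
            -Action Allow -Profile Public -InterfaceAlias $ExternalAlias | Out-Null
    }
}

# 4. Audit: list every enabled inbound Allow rule that applies to Public (or Any),
#    so you can see what the default rule set still exposes on the internet-facing NIC
#    and disable anything the gateway does not need.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow |
    Where-Object { "$($_.Profile)" -match 'Public|Any' } |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule     = $_.DisplayName
            Protocol = $pf.Protocol
            Port     = $pf.LocalPort
            Profile  = $_.Profile
        }
    } | Sort-Object Protocol, Port | Format-Table -AutoSize
```

Run step 4 first on a freshly deployed gateway to see the out-of-box Public rule set before you tighten anything; the post's point about not blocking tenant traffic unless you must means the allow list in step 3 is the only thing that should change between tenants, and everything else on the external NIC should be a reviewed default, not an ad hoc rule.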
