Is it possible to isolate client Hyper-V without requiring multiple NICs on the host?

We are considering deploying Windows 8.1 (or Windows 10) client Hyper-V to about 50 users and manage them via Hyper-V Manager from a 2012 R2 server or IT workstation running Windows 10 with Hyper-V Manager from the RSAT tools.

The plan is for the users to have a semi-locked down physical workstation they will use for Office, Internet access, email, IM and other apps that work fine with a limited user account.

The users that are developers will have a Hyper-V VM running a Windows client that they will have full admin access to, to run developer and debugging tools, do snapshots etc., and it will need to have access to a development network and restricted access only for a whitelist of IP ranges and domains so that Internet restrictions cannot be bypassed by using VPNs or proxies.

Is it possible for the Hyper-V client machine to have network access to a separate and isolated network without the host having to have two NICs connected to two different wall ports?

We need to keep the VM isolated on its own network and away from the regular office and production network. If the VM became infected with malware, we don't want it to be physically possible for malware to spread between the host and the VM or between the host network and the VM's network.

If there are two NICs, it would be pretty easy for the user to bypass security by simply swapping the cables.



  • Edited by MyGposts Saturday, July 11, 2015 4:46 AM
July 11th, 2015 4:43am

  How could it be possible? If both networks had to use the same physical NIC, there has to be some sort of software network bridge with a filter to control which packets go where. You could never be 100% confident that no traffic could ever cross over. As Milos said, your best bet would be VLANs, where your VLAN router looked after the separation.

July 11th, 2015 8:13pm

The problem with hardware vs software is that anyone could simply swap the cables at their desk to try to bypass restrictions.

They can just plug the network cable intended for the VM into the network jack connected to the local network.

With the network connections managed in software and the user having no admin rights on the local workstation, we could be more confident that they would stay separated.


July 11th, 2015 8:22pm

  Yes, we got that bit. With VLANs you only use one NIC. The VLAN controller in the VLAN router separates the traffic.

July 12th, 2015 1:28am

I am not getting how an external VLAN router would recognize the VMs running on the hosts vs hosts themselves connecting through the same NIC and keep them isolated.
July 12th, 2015 1:33am
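The reply above saying "with VLANs you only use one NIC" and the follow-up question about how a VLAN router could tell the VM apart from the host both come down to 802.1Q tagging, which the Hyper-V virtual switch does on behalf of each virtual port. The following PowerShell, an added example and not code posted by anyone in this thread, configures a single-NIC host so that the host OS vNIC and the developer VM's vNIC sit in different VLANs on the same cable. The wall port then has to be an 802.1Q trunk carrying both VLANs, and the physical switch forwards each frame only within its tagged VLAN; whatever routing or whitelisting is allowed between the two VLANs happens at the VLAN router or firewall. Adapter name "Ethernet", VM name "Dev01", VLAN IDs 10 and 20, the 10.20.0.0/16 development range and the switch name are all assumptions for the example.

```powershell
# Added example (not from the thread): client Hyper-V host with ONE physical NIC,
# host OS and developer VM separated by 802.1Q VLANs on the same cable.
# Assumed values: physical adapter 'Ethernet', VM 'Dev01', office VLAN 10,
# development VLAN 20, development network 10.20.0.0/16. Run elevated on the
# host with the Hyper-V PowerShell module installed.

$Nic      = 'Ethernet'
$Switch   = 'TrunkSwitch'
$VmName   = 'Dev01'
$HostVlan = 10
$DevVlan  = 20
$DevNet   = '10.20.0.0/16'

# 1. One external vSwitch bound to the single physical NIC. AllowManagementOS
#    gives the host its own virtual port ("vEthernet (TrunkSwitch)") so it keeps
#    network access through the same cable as the VM.
New-VMSwitch -Name $Switch -NetAdapterName $Nic -AllowManagementOS $true

# 2. The host's virtual port goes into the office VLAN. In access mode the
#    vSwitch itself adds tag 10 on the way out and strips it on the way in.
Set-VMNetworkAdapterVlan -ManagementOS -VMNetworkAdapterName $Switch -Access -VlanId $HostVlan

# 3. The VM's virtual port goes into the development VLAN. The VM (assumed to
#    exist already) cannot choose its own tag: the vSwitch applies tag 20 and
#    tagged frames the guest tries to send itself are not forwarded.
Connect-VMNetworkAdapter -VMName $VmName -SwitchName $Switch
Set-VMNetworkAdapterVlan -VMName $VmName -Access -VlanId $DevVlan

# 4. Harden the VM's port: no MAC spoofing, and no rogue DHCP server or
#    router advertisements coming out of the guest.
Set-VMNetworkAdapter -VMName $VmName -MacAddressSpoofing Off -DhcpGuard On -RouterGuard On

# 5. Belt and braces on the host side: port ACLs that allow only the dev
#    network and drop everything else (the longest matching prefix wins).
#    The real IP/domain whitelist still belongs on the VLAN router/firewall.
Add-VMNetworkAdapterAcl -VMName $VmName -RemoteIPAddress $DevNet     -Direction Both -Action Allow
Add-VMNetworkAdapterAcl -VMName $VmName -RemoteIPAddress '0.0.0.0/0' -Direction Both -Action Deny
Add-VMNetworkAdapterAcl -VMName $VmName -RemoteIPAddress '::/0'      -Direction Both -Action Deny

# 6. The network is not the only host<->VM path. Enhanced Session Mode and the
#    guest services integration component move files and clipboard data over
#    VMBus, bypassing the vSwitch entirely, so turn them off for this VM.
Set-VMHost -EnableEnhancedSessionMode $false
Disable-VMIntegrationService -VMName $VmName -Name 'Guest Service Interface'

# 7. Verify: each virtual port should report its own VLAN and the VM its ACLs.
Get-VMNetworkAdapterVlan -ManagementOS
Get-VMNetworkAdapterVlan -VMName $VmName
Get-VMNetworkAdapterAcl  -VMName $VmName
```

Two caveats a practitioner would want. First, the physical switch port has to be configured as a trunk for VLANs 10 and 20 (or VLAN 10 native and 20 tagged); with the port left as a plain access port the tagged VM frames are simply dropped, which fails closed but looks like "the VM has no network". Second, the deny-all port ACLs in step 5 also block the VM's DHCP broadcasts, so give the VM a static address in the development VLAN or add an explicit allow for the DHCP exchange before relying on them; the ACLs are an extra layer, not a replacement for the filtering the VLAN router does between the two networks.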

This topic is archived. No further replies will be accepted.