Microsoft Hyper-V Server 2019 NAT networking & storage administration.

It was quite disturbing to see that NAT networking on Hyper-V Server is non-existent; I believe there is a distinct difference between Hyper-V on the Windows desktop platform and Hyper-V on Windows Server.

This is pretty much what happens when you end up with a bare-metal Hyper-V host. This reading is not for amateurs, and has been written in shorthand accordingly.

It took some reading up on how to manage this mess - basically, if the Hyper-V host is not on a domain, you're in for a journey... But now I have NAT working: on a single IP address I am hosting my numerous personal domains in IIS, my mail server, a Splunk dev indexer and a dev DB server, with some rock-solid security configuration, which we will go into in some depth.

Connecting to Hyper-V Server 2019 When Not Joined to a Domain

  • Map the host in your hosts file: use the NetBIOS name of the host and map it to the public IP address. In this example we use "NETBIOSNAME". (on your PC)
  • Allow remote management via RDP, using the console that appears when you log in. (on host)
  • netsh advfirewall set currentprofile state off (on host)
  • Enable-PSRemoting (on host)
  • Enable-WSManCredSSP -Role Server (on host)
  • winrm quickconfig (on your PC)
  • Set-Item WSMan:\localhost\Client\TrustedHosts -Value "NETBIOSNAME" (on your PC)
  • Enable-WSManCredSSP -Role Client -DelegateComputer "NETBIOSNAME" (on your PC)
  • Edit your local GPO: Computer Configuration -> Administrative Templates -> System -> Credentials Delegation -> ... (on your PC)
  • ... "Allow delegating fresh credentials": Enable, tick the concatenate-defaults option, and add the entry wsman/NETBIOSNAME. (on your PC)
  • ... "Allow delegating fresh credentials with NTLM-only server authentication": Enable, same as above. (on your PC!)
  • Check your outbound firewall rules: make sure the WinRM outbound rules let you leave your local subnet and that the correct profiles are active - Public, Private & Domain. (on your PC)
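The "on your PC" steps above as one re-runnable script, followed by a check that the remote session actually works. This is an added example, not the post's own script: "NETBIOSNAME" is the post's placeholder for the host's NetBIOS name, the hosts-file entry and the host-side steps are assumed to be done already, and the registry values in step 3 are my assumption of what the NTLM-only credentials-delegation policy writes (confirm in gpedit after running). Run it from an elevated PowerShell on your PC.

```powershell
# Added example (not from the original post): client-side prep for managing a
# workgroup Hyper-V Server 2019 host over WinRM/CredSSP, plus verification.
$HostName = "NETBIOSNAME"   # placeholder, replace with your host's NetBIOS name

# 1. TrustedHosts: in a workgroup there is no Kerberos to vouch for the host,
#    so WinRM needs an explicit entry. Append, so other trusted hosts survive.
$current = (Get-Item WSMan:\localhost\Client\TrustedHosts).Value
$list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($list -notcontains $HostName) {
    $list += $HostName
    Set-Item WSMan:\localhost\Client\TrustedHosts -Value ($list -join ',') -Force
}

# 2. CredSSP client role, delegating to this one host rather than to "*".
Enable-WSManCredSSP -Role Client -DelegateComputer $HostName -Force | Out-Null

# 3. "Allow delegating fresh credentials with NTLM-only server authentication"
#    (the local-GPO step) written as its underlying registry values. Value
#    names are assumed from the policy template; verify them in gpedit.
$polKey  = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation"
$ntlmKey = Join-Path $polKey "AllowFreshCredentialsWhenNTLMOnly"
New-Item -Path $ntlmKey -Force | Out-Null
Set-ItemProperty -Path $polKey  -Name "AllowFreshCredentialsWhenNTLMOnly"    -Value 1 -Type DWord
Set-ItemProperty -Path $polKey  -Name "ConcatenateDefaults_AllowFreshNTLMOnly" -Value 1 -Type DWord
Set-ItemProperty -Path $ntlmKey -Name "1" -Value "WSMAN/$HostName" -Type String

# 4. Verify. Test-WSMan fails fast if the WinRM port is unreachable, which is
#    the usual symptom of the outbound-rule / profile problem in the last bullet.
Test-WSMan -ComputerName $HostName -ErrorAction Stop | Out-Null
Get-WSManCredSSP     # prints the client delegation list and the server state

# Use HOST\Administrator, not .\Administrator, as the post says.
$cred = Get-Credential -UserName "$HostName\Administrator" -Message "Hyper-V host admin"
Invoke-Command -ComputerName $HostName -Credential $cred -Authentication Credssp -ScriptBlock {
    # Report who we are and whether the host firewall is currently on: the post
    # turns it off for setup and back on at the end of the day.
    [pscustomobject]@{
        Host     = $env:COMPUTERNAME
        User     = "$env:USERDOMAIN\$env:USERNAME"
        Firewall = (Get-NetFirewallProfile | ForEach-Object { "$($_.Name)=$($_.Enabled)" }) -join ' '
    }
}
```

If the final Invoke-Command returns a firewall line reading `Domain=False Private=False Public=False`, the host is still in the "state off" setup mode from the list above and wants turning back on before you log off.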

Other things to consider:

  • netsh advfirewall set currentprofile state on, whenever you log off for the day! This ensures that the server is at least reasonably covered.
  • When authenticating with the server, use the fully qualified NETBIOSNAME\Administrator for the username; do not use .\ or the username on its own!
  • Hyper-V Manager will remember your credentials for a week or so before you need to re-add them (when saving the credentials in Windows).
  • The connection via your Hyper-V Manager is considered INSECURE; keep this in mind, we will talk about this later.

This should see you able to connect to the host and manage it well enough to get everything up and running.


Managing the Disks on Hyper-V Server 2019

There is no decent unofficial way to manage the disks other than diskpart! No thanks. I ended up using "Server Manager" from within a management VM on the host - works well!

This is the only time ever in history that Server Manager has proven useful?

  • You need to prep the management VM (the computer you are managing from) like you did with your desktop PC.
  • Go to "All Servers" (left menu), right-click on it, "Add servers" -> DNS -> move the host over to the right-hand list.
  • It will show as failed/errored; fine...
  • Right-click the server, "Manage As".
  • Go to File and Storage Services; there you will be able to see the server and all the disks, and you can manage volumes there.

There is still the problem of managing RAID sets. Using Computer Management from Server Manager does work a bit, but it doesn't work for the MMC Disk Management snap-in, which is just terrible. MS need to sort this out; it's the second edition of the OS and this is the result?


Configuring the Network on Hyper-V Server 2019

You will find that creating a vSwitch in Hyper-V Manager alone just ain't gonna do it...

Your VM will simply fail to talk to the outside world; in fact, I believe your VM won't even be able to contact the host!

Let's assume you want a 192.168.0.0/24 range on there. (All of the below is done on the host.)

  • New-VMSwitch -SwitchName "CoreC" -SwitchType Internal
  • Get-NetAdapter: make sure it all went well, find your new network (CoreC) and note down the "ifIndex" in these results. Assume it's "13" for the next line.
  • New-NetIPAddress -IPAddress 192.168.0.1 -PrefixLength 24 -InterfaceIndex 13, replacing "13" here with the number obtained from the last command.
  • New-NetNat -Name CoreCNAT -InternalIPInterfaceAddressPrefix 192.168.0.0/24
  • Get-NetNatExternalAddress: mull over your effort thus far!
  • Exit Hyper-V Manager and reload it.
  • Go to the settings for one of your VMs -> Network Adapter -> Virtual Switch -> CoreC.
  • Go into your VM and edit your IP configuration manually: use 192.168.0.whatever for your IP, 255.255.255.0 as your mask, 192.168.0.1 as your gateway and whatever you like as your DNS (Google? ... 8.8.8.8 & 8.8.4.4).
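The host-side steps above as one script that can be re-run safely. This is an added example, not the post's own script; the names and addresses are the post's (CoreC, CoreCNAT, 192.168.0.0/24), the interface index is looked up from the switch name instead of being assumed to be 13, and the VM-side block at the end assumes a Windows VM whose adapter alias is "Ethernet".

```powershell
# Added example (not from the original post): internal vSwitch + host gateway
# address + NAT object, idempotent, with a final check of the result. Run on
# the Hyper-V host.
$SwitchName = "CoreC"
$NatName    = "CoreCNAT"
$GatewayIP  = "192.168.0.1"
$Prefix     = "192.168.0.0/24"
$PrefixLen  = 24

# 1. Internal switch: VMs attach to it and the host gets a vNIC on it.
if (-not (Get-VMSwitch -Name $SwitchName -ErrorAction SilentlyContinue)) {
    New-VMSwitch -SwitchName $SwitchName -SwitchType Internal | Out-Null
}

# 2. Find the host vNIC the switch created. Hyper-V names it "vEthernet (<switch>)",
#    so match on that instead of eyeballing Get-NetAdapter for the ifIndex.
$adapter = Get-NetAdapter | Where-Object { $_.Name -eq "vEthernet ($SwitchName)" }
if (-not $adapter) { throw "No host adapter found for switch '$SwitchName'" }
$ifIndex = $adapter.ifIndex

# 3. Gateway address on that vNIC; this is the default gateway the VMs point at.
$haveGw = Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
          Where-Object { $_.IPAddress -eq $GatewayIP }
if (-not $haveGw) {
    New-NetIPAddress -IPAddress $GatewayIP -PrefixLength $PrefixLen -InterfaceIndex $ifIndex | Out-Null
}

# 4. The NAT object. Only one NAT may cover a given internal prefix, so check first.
if (-not (Get-NetNat -Name $NatName -ErrorAction SilentlyContinue)) {
    New-NetNat -Name $NatName -InternalIPInterfaceAddressPrefix $Prefix | Out-Null
}

# 5. Show what we ended up with: the internal prefix and the external (public)
#    address the NAT will source traffic from, so a typo is caught before any
#    VM is pointed at it.
Get-NetNat -Name $NatName | Format-List Name, InternalIPInterfaceAddressPrefix, Active
Get-NetNatExternalAddress | Format-Table NatName, IPAddress, PortStart, PortEnd

# --- Inside a Windows VM (adapter alias "Ethernet" assumed), the last bullet
# --- done with cmdlets instead of the GUI; pick a unique host part per VM.
# New-NetIPAddress -InterfaceAlias "Ethernet" -IPAddress 192.168.0.2 -PrefixLength 24 -DefaultGateway 192.168.0.1
# Set-DnsClientServerAddress -InterfaceAlias "Ethernet" -ServerAddresses 8.8.8.8, 8.8.4.4
# Test-NetConnection 192.168.0.1 -InformationLevel Quiet   # True once the gateway answers
```

The adapter lookup by name is the main difference from the bullet list: on a host with several switches the ifIndex changes between reboots and re-creations, and pointing New-NetIPAddress at the wrong index silently puts the gateway on the wrong NIC.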

Now you've managed to create a vSwitch that will allow your VMs to talk out to the web, and to each other.


Configuring the NAT for your Mail & Web Servers on Hyper-V Server 2019

This will cover adding NAT entries for a management server, a web server and a mail server, using three VMs on board the Hyper-V host.

  • 192.168.0.2 - WWW Server with IIS on.
  • 192.168.0.3 - Mail Server with TLS capability.
  • 192.168.0.4 - Windows management server.
  • 192.168.0.254 - Placeholder IP for builds.

Note: The "Placeholder" is where we will add NAT entries for SSH and RDP to be used while building servers; we do not want to use Hyper-V Manager often and need to keep use of the remote management tools to a minimum.

On your Hyper-V host ...

  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 443 -Protocol TCP -InternalIPAddress "192.168.0.2" -InternalPort 443 -NatName CoreCNAT (Web HTTPS)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 80 -Protocol TCP -InternalIPAddress "192.168.0.2" -InternalPort 80 -NatName CoreCNAT (Web HTTP)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 25 -Protocol TCP -InternalIPAddress "192.168.0.3" -InternalPort 25 -NatName CoreCNAT (Mail SMTP)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 110 -Protocol TCP -InternalIPAddress "192.168.0.3" -InternalPort 110 -NatName CoreCNAT (Mail POP3)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 143 -Protocol TCP -InternalIPAddress "192.168.0.3" -InternalPort 143 -NatName CoreCNAT (Mail IMAP)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 465 -Protocol TCP -InternalIPAddress "192.168.0.3" -InternalPort 465 -NatName CoreCNAT (Mail SMTP TLS)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 587 -Protocol TCP -InternalIPAddress "192.168.0.3" -InternalPort 587 -NatName CoreCNAT (Mail SMTP STARTTLS)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 993 -Protocol TCP -InternalIPAddress "192.168.0.3" -InternalPort 993 -NatName CoreCNAT (Mail IMAP TLS)
  • Add-NetNatStaticMapping -ExternalIPAddress "0.0.0.0/24" -ExternalPort 13389 -Protocol TCP -InternalIPAddress "192.168.0.4" -InternalPort 3389 -NatName CoreCNAT (Management RDP:13389 - optional)

With our mapping to our web server using a single IP, we can use Application Request Routing / URL Rewrite in IIS to host multiple sites securely, also shielding this behind Cloudflare and keeping unsecured traffic safe within the host. Multiple web sites can reside on the same instance, or they can be on another host.

Our management system needs configuring to be able to interface with the Hyper-V host on its 192.168.0.1 address, and it is accessible via RDP on port 13389 from the internet. This provides a much better level of security than Hyper-V Manager from your PC! Also, this is where you use "Server Manager" to manage the storage from.

The Placeholder IP of .254 is where you build and patch your future hosts - whether they be Linux or Windows, control ports can be opened there and the platform being built will not be sat there for long - strictly speaking, unused NAT entries should not be sat there dormant. The firewall on the host completely ignores the mappings we have created above; the host just passes the traffic straight through to the VMs!

Use Get-NetNatStaticMapping to view all your maps, and use the StaticMappingID column in the results to manage the entries (Remove-NetNatStaticMapping).
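One way to keep the mapping list honest: declare the intended port maps in one table, add whatever is missing, flag anything that points at the wrong VM, and list any mapping on the host that is not in the table (the dormant build-time entries the paragraph above warns about). This is an added example, not the post's own script; the addresses, ports and NAT name are the post's, the protocol is TCP throughout, and the .254 build address is the post's placeholder.

```powershell
# Added example (not from the original post): reconcile Add-NetNatStaticMapping
# entries against an intended list and report leftovers. Run on the Hyper-V host.
$NatName = "CoreCNAT"
$BuildIP = "192.168.0.254"   # the post's placeholder for hosts being built

# The intended mappings, exactly as in the post's bullet list.
$Desired = @(
    @{ Ext = 443;   Int = 443;  Ip = "192.168.0.2"; Note = "Web HTTPS" }
    @{ Ext = 80;    Int = 80;   Ip = "192.168.0.2"; Note = "Web HTTP" }
    @{ Ext = 25;    Int = 25;   Ip = "192.168.0.3"; Note = "Mail SMTP" }
    @{ Ext = 110;   Int = 110;  Ip = "192.168.0.3"; Note = "Mail POP3" }
    @{ Ext = 143;   Int = 143;  Ip = "192.168.0.3"; Note = "Mail IMAP" }
    @{ Ext = 465;   Int = 465;  Ip = "192.168.0.3"; Note = "Mail SMTP TLS" }
    @{ Ext = 587;   Int = 587;  Ip = "192.168.0.3"; Note = "Mail SMTP STARTTLS" }
    @{ Ext = 993;   Int = 993;  Ip = "192.168.0.3"; Note = "Mail IMAP TLS" }
    @{ Ext = 13389; Int = 3389; Ip = "192.168.0.4"; Note = "Management RDP" }
)

$existing = @(Get-NetNatStaticMapping -NatName $NatName -ErrorAction SilentlyContinue)

foreach ($m in $Desired) {
    $hit = $existing | Where-Object { $_.Protocol -eq "TCP" -and $_.ExternalPort -eq $m.Ext } |
           Select-Object -First 1
    if ($hit) {
        # Same external port but a different target is the dangerous case: a
        # port you think goes to the web VM may be delivering to something else.
        if ($hit.InternalIPAddress -ne $m.Ip -or $hit.InternalPort -ne $m.Int) {
            Write-Warning ("Port {0} maps to {1}:{2}, expected {3}:{4} ({5}); ID {6}" -f
                $m.Ext, $hit.InternalIPAddress, $hit.InternalPort, $m.Ip, $m.Int, $m.Note, $hit.StaticMappingID)
        }
        continue
    }
    Add-NetNatStaticMapping -NatName $NatName -Protocol TCP -ExternalIPAddress "0.0.0.0/24" `
        -ExternalPort $m.Ext -InternalIPAddress $m.Ip -InternalPort $m.Int | Out-Null
    Write-Host "Added $($m.Note): $($m.Ext) -> $($m.Ip):$($m.Int)"
}

# Anything on the host that is not in $Desired is a leftover. Print it with the
# StaticMappingID that Remove-NetNatStaticMapping wants; removal stays manual so
# a build in progress on .254 is not yanked out from under you.
$known = $Desired | ForEach-Object { $_.Ext }
Get-NetNatStaticMapping -NatName $NatName |
    Where-Object { $known -notcontains $_.ExternalPort } |
    Select-Object StaticMappingID, Protocol, ExternalPort, InternalIPAddress, InternalPort,
        @{ n = "Kind"; e = { if ($_.InternalIPAddress -eq $BuildIP) { "build-time hole" } else { "unexpected" } } } |
    Format-Table -AutoSize
```

Running this at the end of a build session gives a one-screen answer to "what is still exposed through this host", which is exactly the question the dormant-entry remark raises.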


Using Windows Firewall to Ring-Fence your Virtual Machines

We don't want the mail server talking to the WWW server, but we want the WWW server to be able to send SMTP comms out via the neighbouring mail server.

The solution: Windows Firewall.

Windows Firewall is still active and applies on your VMs on the host... After creating the NAT mappings above, you will still need to set up the rules to allow the traffic, and the source address is passed through rather than rewritten, so the rules see the actual source!

I've used the firewall more on my Splunk dev box - allowing only traffic from my own house to communicate with it, and configuring rules so the VM can't communicate out to the internet.

The options we have:

  • IPsec / Connection Security Rules - We can use a PSK (pre-shared key) to set up connection security rules to encrypt traffic between VMs within the host. You don't need Kerberos/RADIUS/certificates to do this and it applies to all traffic; mutual configuration is all that is required!
  • Block all/some inbound traffic.
  • Block all/some outbound traffic.
  • Allow/block specific traffic between hosts.
  • Changing network profiles to "Public" helps with surface-area reduction.
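All five options above in one script, run inside each VM with the matching -Role, building the ring-fence the section describes for the post's layout (web .2, mail .3, management .4, plus a "Dev" role for the Splunk-style box). This is an added example, not the post's own configuration; the PSK, the "home" address, and the adapter alias "Ethernet" are placeholders and assumptions.

```powershell
# Added example (not from the original post): Windows Firewall + IPsec
# ring-fence for VMs behind a Hyper-V NAT. Run inside each VM, once per role.
param([ValidateSet("Web", "Mail", "Mgmt", "Dev")] [string]$Role = "Web")

$WebVM  = "192.168.0.2"
$MailVM = "192.168.0.3"
$Peers  = "192.168.0.2-192.168.0.254"       # every VM, but not the host/gateway .1
$HomeIP = "203.0.113.10"                    # constructed example (TEST-NET-3), replace
$Psk    = "REPLACE-WITH-A-LONG-RANDOM-PSK"  # placeholder; must be identical on every VM
$Nic    = "Ethernet"                        # adapter alias assumed

# Option 5: Public profile gives the most restrictive default rule set.
Set-NetConnectionProfile -InterfaceAlias $Nic -NetworkCategory Public
Set-NetFirewallProfile -Profile Public -DefaultInboundAction Block

# Option 1: IPsec between VMs with a machine PSK (no Kerberos, RADIUS or certs).
# Required in both directions, with AES-256 ESP so the traffic is encrypted and
# not merely integrity-protected. The gateway .1 is left out because the Hyper-V
# host is not an IPsec peer, and NATed internet traffic is unaffected because the
# rule matches on the remote address, not on the next hop.
$auth    = New-NetIPsecAuthProposal -Machine -PreSharedKey $Psk
$authSet = New-NetIPsecPhase1AuthSet -DisplayName "VM PSK" -Proposal $auth
$qmProp  = New-NetIPsecQuickModeCryptoProposal -Encapsulation ESP -ESPHash SHA256 -Encryption AES256
$qmSet   = New-NetIPsecQuickModeCryptoSet -DisplayName "VM ESP AES256" -Proposal $qmProp
New-NetIPsecRule -DisplayName "Require IPsec between VMs" `
    -LocalAddress Any -RemoteAddress $Peers `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $authSet.Name -QuickModeCryptoSet $qmSet.Name | Out-Null

# Options 2-4: role rules. A block rule always beats an allow rule in Windows
# Firewall, so "everything except port 25" is written as a block on the port
# ranges either side of 25, never as "block all" plus "allow 25".
$notSmtp = "1-24,26-65535"
switch ($Role) {
    "Web" {
        # Web may open connections to the mail VM on SMTP only.
        New-NetFirewallRule -DisplayName "Block non-SMTP TCP to mail VM" -Direction Outbound -Action Block -Protocol TCP -RemoteAddress $MailVM -RemotePort $notSmtp | Out-Null
        New-NetFirewallRule -DisplayName "Block UDP to mail VM"          -Direction Outbound -Action Block -Protocol UDP -RemoteAddress $MailVM | Out-Null
        New-NetFirewallRule -DisplayName "Allow SMTP to mail VM"         -Direction Outbound -Action Allow -Protocol TCP -RemoteAddress $MailVM -RemotePort 25 | Out-Null
    }
    "Mail" {
        # Mail never initiates anything to the web VM and accepts only SMTP from it.
        # Inbound 25 stays open to Any because the NAT delivers the real source address
        # of internet senders, not the host's.
        New-NetFirewallRule -DisplayName "Block all egress to web VM"       -Direction Outbound -Action Block -RemoteAddress $WebVM | Out-Null
        New-NetFirewallRule -DisplayName "Block non-SMTP TCP from web VM"   -Direction Inbound  -Action Block -Protocol TCP -RemoteAddress $WebVM -LocalPort $notSmtp | Out-Null
        New-NetFirewallRule -DisplayName "Block UDP from web VM"            -Direction Inbound  -Action Block -Protocol UDP -RemoteAddress $WebVM | Out-Null
        New-NetFirewallRule -DisplayName "Allow SMTP in"                    -Direction Inbound  -Action Allow -Protocol TCP -LocalPort 25 | Out-Null
    }
    "Mgmt" {
        # RDP arrives via the 13389->3389 NAT map with the caller's real address,
        # so scope it to one address and disable the built-in wide-open RDP group;
        # the profile's default inbound Block then covers everyone else.
        Disable-NetFirewallRule -DisplayGroup "Remote Desktop"
        New-NetFirewallRule -DisplayName "Allow RDP from home only" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3389 -RemoteAddress $HomeIP | Out-Null
    }
    "Dev" {
        # The Splunk-style dev box: reachable only from home, and no internet egress.
        Set-NetFirewallProfile -Profile Public -DefaultOutboundAction Block
        New-NetFirewallRule -DisplayName "Allow LAN egress"   -Direction Outbound -Action Allow -RemoteAddress LocalSubnet | Out-Null
        New-NetFirewallRule -DisplayName "Allow all from home" -Direction Inbound  -Action Allow -RemoteAddress $HomeIP | Out-Null
    }
}

# Quick readback so the result can be eyeballed on each VM.
Get-NetIPsecRule | Format-Table DisplayName, InboundSecurity, OutboundSecurity -AutoSize
Get-NetFirewallRule | Where-Object { $_.Enabled -eq "True" -and $_.Action -eq "Block" } |
    Format-Table DisplayName, Direction -AutoSize
```

Two things worth checking after running it: that the IPsec rule is installed with the same PSK on every VM before you rely on it (a one-sided "Require" simply stops the traffic), and that scoping RDP to a single source address on the management VM means the post's "RDP on 13389 from the internet" only works from that address.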


Further Measures

This guide is missing everything else!!!

  • Backup & Recovery.
  • More fine-grained management of the firewall on the host itself!
  • Managing RAID.
  • Configuring the web & mail server securely.

Consideration has to be made regarding things like cyber attacks against the host and its VM services.

Not forgetting that something like Veeam might be able to perform backups for you, albeit inefficiently, from a VM on the host itself - but beware, installing Veeam on the Hyper-V host itself carries severe risks.

The beauty of having such a host with a little network and complete control of every little detail: it's one-shot configs being made that are well thought out!
