This is my first time setting up either Hyper-V or Windows 2008, so please bear with me.
I am setting up a pretty decent server running Windows Server 2008 R2 to be a remote (colocated) Hyper-V host. It will be hosting Linux and Windows VMs, initially for developers to use but eventually also to do some web hosting and other tasks. Currently I have two VMs, one Windows and one Ubuntu Linux, running pretty well, and I plan to clone them for future use.
Right now I'm considering the best ways to configure developer and administrator access to the server once it is moved into the colocation facility, and I'm seeking advice on that. My thought is to set up a VPN for access to certain features of the VMs on the server, but I have a few different options for going about this:
1. Connect the server to an existing hardware firewall (an old-ish Netscreen 5-GT) that can create a VPN and map external IPs to the VMs, which will have their own IPs exposed through the virtual interface. One problem with this choice is that I'm the only one trained on the Netscreen, and its interface is a bit baroque, so others may have difficulty maintaining it. The advantage is that I already know how to do it, and I know it will do what I need.
2. Connect the server directly to the network and configure the Windows 2008 firewall to restrict access to the VMs and set up a VPN. I haven't done this before, so it will have a learning curve, but I'm willing to learn if this option is better long-term than the Netscreen. Another advantage is that I won't have to train anyone on the Netscreen interface. Still, I'm not certain about the capabilities of the Windows software firewall as far as creating VPNs, setting up rules for external access to certain ports on the IPs of Hyper-V servers, etc. Will it be sufficient for my needs and easy enough to set up / maintain?
Anything else? What are the limitations of my approaches? What are the best practices / what has worked well for you? Remember that I need to set up developer access as well as consumer access to some services. Is a VPN even the right choice?
Edit: I am probably going to use option 2, with RRAS set up to create a VPN, but I am still interested in your input.
I would personally have a separate physical firewall (Netscreen or whatever you're comfortable with) that handles the VPN separately and invest in an out-of-band management system (like Dell's DRAC) to give you low-level access to your server (and the firewall's console port if/when you want to update your firmware) in case of hung or crashed (trust me: this will happen) VMs or host, or when you want to do worry-free Windows Updates, etc.
The Netscreen should support IPSec mobile VPN access with an added benefit of two-factor (certificates and passphrases) for authentication. Been a while since I've used one, but I believe they have several VPN options available.
Going with a hardware firewall (or really, a "Unified Threat Management" appliance as firewalls with all the bells and whistles that most of them have nowadays) will also give you some flexibility down the road with regards to proxying SMTP/DNS requests, DMZs, etc. when you move to a production web hosting environment.
Firewall is unnecessary. Especially for a Hyper-V host. Most hosts have 2-3 network cards anyway. Use ONE for Hyper-V, do NOT allow Hyper-V itself to be used there (i.e. only for VMs) and you don't need Hyper-V there to protect the server ;)
On the other one, use Windows Firewall and ONLY allow Remote Desktop. Done.
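To make the second answer's "one NIC for Hyper-V, Windows Firewall with only Remote Desktop on the other" concrete, and to cover the asker's option 2 (RRAS VPN on the host), here is an added netsh script for Windows Server 2008 R2. It is not code from either poster. The management IP (192.0.2.10), the admin subnet (203.0.113.0/24) and the choice of SSTP for the RRAS tunnel are placeholders and assumptions; the host-facing rules only make sense if the Hyper-V NIC was bound to an external virtual switch with "Allow management operating system to share this network adapter" unchecked, so the host has no IP stack on that card at all.

```batch
@echo off
rem Added example, not from the original thread: lock down the management NIC
rem of a Windows Server 2008 R2 Hyper-V host with the built-in Windows Firewall.
rem Assumptions (placeholders, change to match your environment):
rem   MGMT_IP   = address of the NIC reserved for host management
rem   ADMIN_NET = subnet your admins (or your RRAS VPN client pool) arrive from
rem The other NIC belongs to a Hyper-V external virtual switch that the
rem management OS does not share, so none of these rules touch VM traffic.

set MGMT_IP=192.0.2.10
set ADMIN_NET=203.0.113.0/24

rem 1. Firewall on for every profile; drop all inbound, allow all outbound.
rem    Anything not explicitly allowed below is blocked by default.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 2. Disable the stock any-source Remote Desktop rule that 2008 R2 ships with,
rem    then add one that answers only on the management IP and only to admins.
netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=no
netsh advfirewall firewall add rule name="RDP from admin subnet (mgmt NIC only)" ^
    dir=in action=allow protocol=TCP localport=3389 ^
    localip=%MGMT_IP% remoteip=%ADMIN_NET% enable=yes

rem 3. Optional, for the asker's RRAS plan: accept SSTP (HTTPS) on the
rem    management IP so remote developers build the VPN tunnel first and then
rem    reach RDP through it. Delete this rule if you only want RDP from a known
rem    subnet, as the answer above suggests.
netsh advfirewall firewall add rule name="RRAS SSTP VPN (mgmt NIC only)" ^
    dir=in action=allow protocol=TCP localport=443 localip=%MGMT_IP% enable=yes

rem 4. Log dropped packets so unexpected connection attempts are visible.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%SystemRoot%\system32\LogFiles\Firewall\pfirewall.log"

rem 5. Show what is now in force.
netsh advfirewall show allprofiles
netsh advfirewall firewall show rule name=all
```

Run it from an elevated command prompt on the host. Two things the script cannot do for you: Remote Desktop itself still has to be enabled in System Properties (the rule only opens the port), and if admins will arrive over the RRAS tunnel, ADMIN_NET must include the VPN client address pool or the RDP rule will reject them after they connect. Windows Firewall evaluates block rules before allow rules, which is why the script relies on the default inbound block rather than adding explicit block rules that could silently override a later allow.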