We noticed that KES for Windows v 11.0, installed on W2k12 R2 servers with Hyper-V roles installed, detects and blocks attacks on virtual web-servers running on those Hyper-V machines.
No traffic is allowed from outside to the host machines; only web traffic is allowed to the virtual web-servers. Network Threat Protection on the host machines shows attacks detected and blocked at host level destined to ports TCP 80 and 443. At the web-server level nothing is detected, as if the attacks do not reach them; they are stopped on the host.
Again, on the border firewall TCP 80 and 443 are allowed only for the virtual web-servers, not the underlying hardware machines, but attacks to those ports are detected and blocked on the Hyper-V servers. (No externally initiated traffic is allowed for the hardware servers at all.)
Is this an expected and officially supported behavior? Is it documented anywhere?
P.S. This is very useful, but we are not sure it's not something undocumented, which will disappear one day.