IT Service for Small and Mid-Size Businesses
If you are looking for perfect IT services for your small business, then you will find them here at BizzOn!
Check more at http://www.bizzon.us
Cheers
In this post we will add the MNV Gateway Service as the virtualization gateway, registering it as a network service within VMM. While performing this action, VMM configures the RRAS role inside the service to serve as a multi-tenant gateway that supports S2S VPN, NAT and BGP.
Cheers !!
Very few people knew about Microsoft's version of Network Virtualization when it all started with Microsoft Windows Server 2012 and System Center Virtual Machine Manager 2012. The technology was new and very few people were able to get it right with the limited set of documentation available. Since Windows Server 2012 R2 and SCVMM 2012 R2 were released, Network Virtualization has matured and is now widely talked about. I still remember my first time working with Network Virtualization in the lab here at Iron Networks; I wasn't sure what I was doing 🙂
Network Virtualization is a secure multi-tenant solution that provides a virtual network abstraction on top of a physical network. This abstraction gives different tenants virtual networks whose virtual machines operate as if on a physical network, even though the tenants share the same address space. For example, one tenant may want to use the address space 192.168.10.0/24. If another tenant wants to use the same address space, they cannot without Network Virtualization. With Network Virtualization, two or more tenants can use the same addresses on their respective virtual machines without disrupting each other's networks, so both tenants can address their virtual machines from the same 192.168.10.0/24 network. How this all works in the background is another topic, and I will summarize it in another blog entry soon. For now, let's focus on the components required for Network Virtualization to work.
For Network Virtualization to work properly, several components are required, such as:
Cheers !!
Hello Friends,
Iron Networks, previously known as nAppliance Networks, has recently launched the new Windows Server 2012 DirectAccess Appliance. Other engineers at Iron Networks and I developed this appliance to work in secure networks by reducing the number of restarts the appliance needs and by pre-hardening the operating system. The appliance runs on Windows Server 2012 Server Core and provides a command line interface for running the PowerShell cmdlets.
Visit our website at www.ironnetworks.com for contact information.
Cheers
Hello Friends,
Since Forefront is fading away, I am shifting my focus to the Windows Server 2012 DirectAccess technology and related feature sets. I will not be posting any further Forefront UAG or TMG posts in future. My focus now will be Windows Server 2012.
I hope my posts on Windows Server 2012 will help you as much as UAG or TMG ones did in the past.
Thank You.
Cheers !!
While recently working on a deployment, I came across an unusual request: attachments should be viewable, but users must not be able to download them to their machines when accessing from untrusted (non-domain-joined) machines.
There are a number of articles that describe how to block downloads and create UAG endpoint policies that block specific attachments, but I couldn't find anything on what I was asked to do. To complete the task, we did the following:
What this does is remove the WebReadyView.aspx URL from "Download URLs", so UAG no longer applies any download restriction policy to this URL. This allows users to open the attachments in the web browser. Next, we create the policy that classifies machines as trusted or untrusted. This could be a blog post in itself, but to keep it short and simple, we use the "Network_Domains_DNS" expression to determine whether the machine is domain joined or not.
Cheers !!!
This is a unique kind of configuration that I worked on with one of our customers, who wanted to authorize users to access applications in the portal only if they were coming in from a valid IP range. I thought it would be good to publish it so people out there can use the script and extend its capabilities. Note that the script I am publishing is in its raw state, so tweaking may be required when using it in production.
To implement this scenario, we need the following:
1. A repository of kind “Other” in the UAG and name it IPAUTH
2. Copy the repository.inc from C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate and change the name to IPAUTH.inc
3. Copy the following script into Notepad and save it as PostPostValidate.inc under the C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder
<%
' Custom UAG post-validation hook: add the session to the IPAUTH repository
' when the user's source IP falls inside one of the trusted ranges below.
Dim ip, IPFinal
Dim RangeA, RangeAA, RangeB, RangeBB, RangeC, RangeCC

' Source IP address of the user's machine, as recorded in the UAG session
ip = GetSessionParam(g_cookie, SOURCE_IP_PARAM)

' Convert a dotted-decimal IPv4 address to a 32-bit number so ranges can be compared
Public Function ip2num(ip)
    Dim i, a, N
    a = Split(ip, ".")
    N = CDbl(0)
    For i = 0 To UBound(a)
        N = N * 256 + CDbl(a(i))
    Next
    ip2num = N
End Function

IPFinal = ip2num(ip)

' Trusted ranges; zero-padded octets are accepted because CDbl ignores leading zeros
RangeA = "010.000.000.000"
RangeAA = "010.255.255.255"
RangeB = "172.016.000.000"
RangeBB = "172.031.255.255"
RangeC = "192.168.097.000"
RangeCC = "192.168.255.255"

' If the source IP is inside any trusted range, mark the session as authenticated in IPAUTH
If IPFinal >= ip2num(RangeA) And IPFinal <= ip2num(RangeAA) Then
    status = AddSessionUser(g_cookie, user_name, password, "IPAUTH")
    HEAVY_TRACE "The source IP address is from trusted network"
End If
If IPFinal >= ip2num(RangeB) And IPFinal <= ip2num(RangeBB) Then
    status = AddSessionUser(g_cookie, user_name, password, "IPAUTH")
    HEAVY_TRACE "The source IP address is from trusted network"
End If
If IPFinal >= ip2num(RangeC) And IPFinal <= ip2num(RangeCC) Then
    status = AddSessionUser(g_cookie, user_name, password, "IPAUTH")
    HEAVY_TRACE "The source IP address is from trusted network"
End If
%>
4. Add the IPAUTH repository under Authorization in every application for which you want UAG to check the IP authentication
How it works
When a user logs into the UAG portal, the PostPostValidate.inc file retrieves the value of SOURCE_IP_PARAM, which is the source IP address of the user's computer, and matches it against the IP ranges defined in the script. You will want to change these to the IP ranges specific to your scenario. When the IP address matches, the script adds the user's session to the IPAUTH repository as authenticated. When the user then clicks on an application, access is granted if the session has been added to the IPAUTH repository; otherwise it is denied.
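To make the range check testable outside UAG, here is an added Python example (not from the original post and not UAG code) that reproduces the script's ip2num arithmetic and its three ranges, adds the input validation the VBScript lacks (a malformed source IP is never trusted), and expresses each range as CIDR blocks so you can see exactly what is being trusted. The function names, the mock authorize() decision and the sample addresses are assumptions for illustration only.

```python
"""Source-IP range authorization check mirroring the UAG PostPostValidate.inc logic."""
import ipaddress

# Constructed trusted ranges: the first two are the 10/8 and 172.16/12 RFC 1918 blocks,
# the third is the narrower 192.168.97.0 - 192.168.255.255 span the UAG script uses.
TRUSTED_RANGES = [
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.31.255.255"),
    ("192.168.97.0", "192.168.255.255"),
]


def ip2num(ip):
    """Convert dotted-decimal IPv4 (zero-padded octets allowed, as in the UAG script)
    to a 32-bit integer. Returns None for anything malformed, a check the original
    VBScript does not perform."""
    parts = ip.strip().split(".")
    if len(parts) != 4:
        return None
    n = 0
    for p in parts:
        if not (p.isascii() and p.isdigit()):
            return None
        octet = int(p, 10)  # int() ignores leading zeros: "010" -> 10, like CDbl
        if octet > 255:
            return None
        n = n * 256 + octet
    return n


def is_trusted(ip, ranges=TRUSTED_RANGES):
    """True when ip falls inside any inclusive [low, high] range; malformed input is never trusted."""
    n = ip2num(ip)
    if n is None:
        return False
    for low, high in ranges:
        if ip2num(low) <= n <= ip2num(high):
            return True
    return False


def ranges_as_networks(ranges=TRUSTED_RANGES):
    """Express each [low, high] span as CIDR blocks, which documents what the script
    really trusts (192.168.97.0 - 192.168.255.255 is six blocks, not a single /16)."""
    out = {}
    for low, high in ranges:
        nets = ipaddress.summarize_address_range(
            ipaddress.IPv4Address(low), ipaddress.IPv4Address(high)
        )
        out[(low, high)] = [str(net) for net in nets]
    return out


def authorize(session_ip, user):
    """Mock of the decision the UAG hook makes: which repository, if any, the session joins."""
    if is_trusted(session_ip):
        return {"user": user, "repository": "IPAUTH", "granted": True}
    return {"user": user, "repository": None, "granted": False}


if __name__ == "__main__":
    # Constructed sample source addresses, including two malformed ones
    samples = ["010.000.000.001", "172.31.255.254", "172.32.0.1",
               "192.168.96.255", "8.8.8.8", "10.0.0", "10.0.0.999"]
    for sample in samples:
        print(f"{sample:>16} -> trusted={is_trusted(sample)}")
    for span, nets in ranges_as_networks().items():
        print(span, nets)
```

One check worth making before relying on this: if a load balancer or reverse proxy sits in front of UAG, confirm what address the session actually records as the source IP, since an intermediate device's address would place every user inside or outside the trusted ranges regardless of where they really came from.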
Hope this helps
Cheers !!
You may encounter the following error while joining an array member to a UAG array.
Cause: After the username, password and domain are entered, the UAG Array Manager machine verifies these credentials with the domain controller using Kerberos. After successful verification, it allows the member to join the array. If Kerberos communication between the domain controller and the UAG server fails, the credentials cannot be verified and UAG throws the above error.
Solution: Restart either the DC or the UAG Array Manager, or both. This may re-establish Kerberos communication between the DC and UAG so that the credentials sent by the member machine can be verified.
Problem:
When trying to activate the configuration on a UAG server, you might find that the activation failed and you can see the following error messages in the status window:
Error: Applying Network Access Protection configuration failed.
Error: The UAG DirectAccess configuration cannot be activated
Error: DirectAccess could not be activated.
This ironically happens even when Network Access Protection (NAP) is not in use at all. We tested it even with DirectAccess disabled.
Cause:
The reason is that the Health Registration Authority (HRA) sub role under Network Policy Server role is not installed. Under the hood, UAG tries to run the following command routinely as part of the activation process:
netsh nap hra reset caserver
This command resets the HRA settings, but since the HRA sub-role does not exist, NETSH returns an error and UAG activation fails. In the BIT tracing you can see the following line, which shows that the command could not be executed at all:
[2]0B88.0BE8::03/11/2011-18:59:06.579 [DA.ConfigAgent]Command [nap hra reset caserver] failed to execute.
The root cause can be easily seen by opening the Server Manager console on the UAG Server:
Solution:
Install the Health Registration Authority role from Server Manager and re-activate the configuration.
Cheers !!