Configuring the MNV Gateway in the SCVMM 2012 R2 (Multi-Tenant Gateway)

In this post we will add the MNV Gateway service as the virtualization gateway, that is, as a network service within VMM. While doing so, VMM configures the RRAS role inside the gateway to act as a multi-tenant gateway that supports S2S VPN, NAT and BGP.

  • In the VMM console, navigate to Fabric, expand Networking, right-click Network Service and add a new network service.
  • Specify a name of your choice for the service and a description, then click Next.
  • On the next page, click Browse and select the VMM Run As account.
  • Enter the connection string for the gateway host.
  • Click Next on the Certificates page.
  • Click Test and check that every test passes.
  • Click Next twice, then Finish.
  • Open the properties of the gateway service you just created, click Connectivity and select the correct front end and back end. The front end is the external interface on the gateway host machine; the back end is the network adapter that connects to the PA network.
  • Click OK.
  • Check the job; all jobs should finish successfully.
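As an added example (not part of the original post), the same registration done from the VMM PowerShell module, followed by the checks to run on the gateway VM to confirm that VMM really switched RRAS into multi-tenant mode. The Run As account name, host group, host and VM names and the switch name are assumptions; replace them with your own.

```powershell
# Added example, not from the original post. Account, host group, host, VM and
# switch names below are assumptions for illustration.

# ---- On the VMM server ----
$runAs     = Get-SCRunAsAccount -Name "VMMRunAs"
$provider  = Get-SCConfigurationProvider -Name "Microsoft Windows Server Gateway Provider"
$hostGroup = Get-SCVMHostGroup -Name "All Hosts"

# Connection string (assumed names): the Hyper-V host that runs the gateway VM,
# the gateway VM itself and the virtual switch its back-end adapter is attached to.
$connStr = "VMHost=gw-host.corp.example;GatewayVM=gw-vm.corp.example;BackendSwitch=BackendSwitch"

$svc = Add-SCNetworkService -Name "Multi-Tenant Gateway" `
        -RunAsAccount $runAs -ConfigurationProvider $provider -VMHostGroup $hostGroup `
        -ConnectionString $connStr -Manufacturer "Microsoft" -Model "Microsoft Windows Server Gateway"

# Do not rely on the wizard's Test step alone: list the most recent failed jobs.
Get-SCJob | Where-Object { $_.Status -eq "Failed" } |
    Sort-Object StartTime -Descending | Select-Object -First 5 Name, StartTime, ErrorInfo

# ---- On the gateway VM, once the VMM job has finished ----
# VMM enables the RRAS multi-tenant mode; the multi-tenancy status must read Enabled.
Get-RemoteAccess

# Per-tenant routing domains (compartments) show up here as tenants are provisioned.
Get-RemoteAccessRoutingDomain

# S2S interfaces and NAT instances are created per routing domain, so both lists are
# empty on a freshly registered gateway; entries appear once tenant traffic is configured.
Get-VpnS2SInterface
Get-NetNat
```

The Run As account VMM uses here is granted administrative access to the gateway host and gateway VM, so give it a dedicated account rather than reusing a general VMM service account.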


Cheers !!


Windows 2012 R2 – Layman Introduction to Network Virtualization

Very few people knew about Microsoft's version of Network Virtualization when it all started with Windows Server 2012 and System Center Virtual Machine Manager 2012. The technology was new, and very few people were able to get it right with the limited documentation available. Since Windows Server 2012 R2 and SCVMM 2012 R2 were released, Network Virtualization has matured and is now widely talked about. I still remember my first time working with Network Virtualization in the lab here at Iron Networks; I wasn't sure what I was doing 🙂

Network Virtualization is a secure multi-tenant solution that provides a virtual network abstraction on top of a physical network. Each tenant's virtual machines get a virtual network that behaves like a physical network, even though other tenants may be using the very same address space. For example, one tenant may want to use the address space 192.168.10.0/24. Without Network Virtualization, a second tenant who wants the same address space cannot have it. With Network Virtualization, two or more tenants can use the same addresses on their respective virtual machines without disrupting each other's networks, so both tenants can address their virtual machines out of 192.168.10.0/24. How this works in the background is another topic, which I will summarize in another blog entry. For now, let's focus on the components required for Network Virtualization to work.

For Network Virtualization to work properly, the following components are required:

  1. Host Machine(s) – Windows Server 2012 or Windows Server 2012 R2 Hyper-V servers that host the tenant virtual machines. These can be standalone servers or clustered Hyper-V servers.
  2. SCVMM 2012 R2 – System Center Virtual Machine Manager 2012 R2, which configures and manages the different bits and pieces together. Network Virtualization can be configured and managed through PowerShell alone, but SCVMM reduces the work by automating everything through its built-in modules. SCVMM defines the virtualization policy and pushes it to the hosts.
  3. NVGRE Gateway – A Windows Server 2012 R2 Hyper-V host running one or more gateway virtual machines. Each gateway VM can host multiple tenant networks and provides bi-directional external connectivity to the tenant virtual machines. The gateway is required to route traffic between the NVGRE and non-NVGRE networks, and it supports site-to-site VPN connections, NAT and direct routing. One NVGRE gateway VM can support up to 200 S2S connections and 50 virtual networks (which can also translate to tenants). The different topologies are explained at http://technet.microsoft.com/en-us/library/jj134174.aspx
  4. Provider Address (PA) Network – The PA network is a unique network whose IP addresses are assigned to each Hyper-V host and are routable across the physical network infrastructure. Each Hyper-V host requires at least one PA.
  5. Tenant Network – Tenant networks are the subnets used to assign IP addresses to the tenant virtual machines hosted inside the NVGRE fabric.
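To make the "same subnet, two tenants" idea concrete, here is an added example (not from the original post) of the policy a single Hyper-V host ends up with for two tenants that both use 192.168.10.0/24. This is what SCVMM programs on your behalf; it is written with the NetWNV cmdlets of Windows Server 2012 R2, and every address, routing-domain GUID, VSID, VM name, MAC address and adapter name in it is an assumption.

```powershell
# Added example, not from the original post. All addresses, GUIDs, VSIDs, VM names,
# MAC addresses and the adapter name are assumptions. Run on a 2012 R2 Hyper-V host.
# On Windows Server 2012 (not R2) the WNV filter must be bound to the PA adapter first:
#   Enable-NetAdapterBinding -Name "PA-NIC" -ComponentID ms_netwnv

$pa        = "10.10.1.21"                                 # this host's Provider Address (assumed)
$paIfIndex = (Get-NetAdapter -Name "PA-NIC").ifIndex      # physical adapter on the PA network (assumed)

# 1. The host's Provider Address: the only address the physical fabric ever routes.
New-NetVirtualizationProviderAddress -InterfaceIndex $paIfIndex -ProviderAddress $pa -PrefixLength 24

# 2. One routing domain (tenant) with one virtual subnet each. The customer subnet is
#    identical for both tenants; the VSID is what keeps them apart on the wire.
$tenants = @(
    @{ Name = "TenantA"; RDID = "{11111111-1111-1111-1111-111111111111}"; VSID = 5001; VM = "TenantA-VM1"; MAC = "00155D100101" },
    @{ Name = "TenantB"; RDID = "{22222222-2222-2222-2222-222222222222}"; VSID = 5002; VM = "TenantB-VM1"; MAC = "00155D100201" }
)

foreach ($t in $tenants) {
    # Customer route: 192.168.10.0/24 exists once per routing domain.
    New-NetVirtualizationCustomerRoute -RoutingDomainID $t.RDID -VirtualSubnetID $t.VSID `
        -DestinationPrefix "192.168.10.0/24" -NextHop "0.0.0.0" -Metric 255

    # Lookup record: customer address 192.168.10.5 in this VSID lives behind this host's PA.
    New-NetVirtualizationLookupRecord -CustomerAddress "192.168.10.5" -ProviderAddress $pa `
        -VirtualSubnetID $t.VSID -MACAddress $t.MAC -Rule "TranslationMethodEncap" `
        -VMName $t.VM -CustomerID $t.RDID -Type "Dynamic"

    # Tag the VM's switch port with the VSID so the policy applies to its traffic.
    Get-VMNetworkAdapter -VMName $t.VM | Set-VMNetworkAdapter -VirtualSubnetId $t.VSID
}

# Check: the same customer address now resolves twice, once per virtual subnet,
# which is exactly the overlap the post describes.
Get-NetVirtualizationLookupRecord -CustomerAddress "192.168.10.5" |
    Select-Object CustomerAddress, VirtualSubnetID, ProviderAddress, VMName
```

The isolation rests entirely on the VSID carried in the NVGRE header and on each host's lookup table; a VM whose switch port is not tagged with a VSID is not part of any tenant network, which is why the last step matters as much as the policy records.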

Cheers !!

Windows Server 2012 Server Core DirectAccess Appliance

Hello Friends,

Iron Networks, previously known as nAppliance Networks, has recently launched the new Windows Server 2012 DirectAccess Appliance. Other engineers at Iron Networks and I developed this appliance to work in secure networks by reducing the number of restarts the appliance needs and by pre-hardening the operating system. The appliance runs on Server 2012 Server Core and provides a command-line interface for running the PowerShell cmdlets.

Visit our website at www.ironnetworks.com for contact information.

Cheers

Bye Bye Forefront

Hello Friends,

Since Forefront is fading away, I am shifting my focus to the Windows Server 2012 DirectAccess technology and related feature sets. I will not be posting any further Forefront UAG or TMG posts. My focus now will be Windows Server 2012.

I hope my posts on Windows Server 2012 will help you as much as the UAG and TMG ones did in the past.

Thank You.

Cheers !!

Microsoft UAG 2010 – Allow attachment viewing in Outlook Web Access, but deny downloads

Recently, while working on a deployment, I came across an unusual request: users should be able to view attachments, but when accessing OWA from untrusted (non-domain-joined) machines they should not be able to download the attachments anywhere on their machines.

There are a number of articles that describe how to block downloads and how to create UAG endpoint policies that block specific attachments, but I could not find anything related to what I was asked to do. To complete the task, we did the following:

[Screenshot: the "Download URLs" list of the OWA application, with WebReadyView.aspx removed]

What this does is remove the WebReadyView.aspx URL from "Download URLs", so UAG does not apply any download-restriction policy to that URL and users can open attachments in the web browser. Next, we create the policy that classifies machines as trusted or untrusted. This could be another blog post in itself, but to keep it short and simple we use the "Network_Domains_DNS" expression to determine whether the machine is domain joined or not.

[Screenshot: the endpoint policy built on the Network_Domains_DNS expression]

  • Now, define this policy to be evaluated when users access the OWA application. Go to the OWA application properties > Endpoint Policy Settings and change the "Download Policy" to the policy you created in the previous step.

[Screenshot: the OWA application's Endpoint Policy Settings with the new Download Policy selected]

  • Activate the configuration.

Cheers !!!

Microsoft UAG 2010: Authorize users to Access Applications based on their IP address

This is a unique kind of configuration that I worked on with one of our customers: they wanted to authorize users to access applications in the portal only if they were coming in from a valid IP range. I thought it would be good to have it published so people out there can use the script and extend its capabilities. Note that the script I am publishing is in its raw state, so tweaking may be required before using it in production.

To implement this scenario, we need the following:

1. A repository of kind "Other" in UAG, named IPAUTH.

2. Copy repository.inc from C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\samples to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate and rename it IPAUTH.inc.

3. Copy the following script into Notepad and save it as PostPostValidate.inc under the C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\inc\CustomUpdate folder.

<%
' PostPostValidate.inc: runs after the primary repository has validated the user.
Dim ip, IPFinal, status

' Source IP address of the client session, as recorded by UAG.
ip = GetSessionParam(g_cookie, SOURCE_IP_PARAM)

' Convert a dotted-quad IPv4 string to a number so that ranges can be compared.
Public Function ip2num(addr)
    Dim i, a, N
    a = Split(addr, ".")
    N = CDbl(0)
    For i = 0 To UBound(a)
        N = N * 256 + CDbl(a(i))
    Next
    ip2num = N
End Function

' True when the numeric address lies inside [rangeStart, rangeEnd], inclusive.
Public Function InRange(addr, rangeStart, rangeEnd)
    InRange = (addr >= ip2num(rangeStart)) And (addr <= ip2num(rangeEnd))
End Function

IPFinal = ip2num(ip)

' Trusted source ranges; change these to the ranges that apply to your environment.
If InRange(IPFinal, "10.0.0.0", "10.255.255.255") _
   Or InRange(IPFinal, "172.16.0.0", "172.31.255.255") _
   Or InRange(IPFinal, "192.168.97.0", "192.168.255.255") Then
    ' Mark the session as authenticated against the IPAUTH repository.
    status = AddSessionUser(g_cookie, user_name, password, "IPAUTH")
    HEAVY_TRACE "The source IP address is from trusted network"
End If
%>
4. Add the IPAUTH repository under Authorization for every application for which you want UAG to enforce the IP check.

How it works

When a user logs into the UAG portal, PostPostValidate.inc reads SOURCE_IP_PARAM, the source IP address of the user's computer, and compares it with the IP ranges defined in the script (change them to the ranges that fit your scenario). When the address falls inside one of the ranges, the script adds the user's authenticated session to the IPAUTH repository. When the user then clicks an application that has IPAUTH in its authorization list, the session is already authenticated against that repository and access is granted; otherwise access is denied. Keep in mind that the check is only as trustworthy as the source address UAG sees: if a load balancer or reverse proxy in front of UAG terminates the client connection, every session arrives from that device's address, and a private-range check like the one above would then pass for everyone.

Hope this helps

Cheers !!

UAG 2010: Error "Unknown error 0xc00000403" when adding a UAG machine to an array

You may encounter the error "Unknown error 0xc00000403" while joining a member to a UAG array.

Cause: After you enter the username, password and domain, the UAG array manager verifies these credentials against the domain controller using Kerberos. After successful verification it allows the member to join the array. If Kerberos communication between the domain controller and the UAG server fails, the credentials cannot be verified and UAG throws the above error.

Solution: Restart either the DC or the UAG array manager, or both. This may re-establish Kerberos communication between the DC and UAG, so that the credentials sent by the member machine can be verified.
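Before restarting a domain controller, it is worth confirming that Kerberos is really the part that is broken. The following is an added example, not from the original post, of the checks to run on the UAG array manager (and on the joining member) from an elevated PowerShell prompt; the domain name is an assumption.

```powershell
# Added example, not from the original post. The domain name is an assumption.
$domain = "corp.example"

# 1. Kerberos is time-sensitive: more than five minutes of skew against the DC
#    fails every ticket request. Show the local time source and the offset to the domain.
w32tm /query /status
w32tm /stripchart /computer:$domain /samples:3 /dataonly

# 2. Is this machine's secure channel to a DC healthy? False means the machine
#    account trust is broken and no credential verification will succeed.
Test-ComputerSecureChannel -Verbose
nltest /sc_query:$domain

# 3. Drop cached tickets so the next array-join attempt has to request fresh ones,
#    then list what is left (a stale or missing krbtgt ticket points at the DC path).
klist purge
klist

# 4. Only if step 2 reported False: reset the secure channel instead of rebooting.
#    Test-ComputerSecureChannel -Repair -Credential (Get-Credential)
```

If the time offset is large, fixing the time source resolves the error without any restart; if the secure channel is broken, the repair in step 4 does the same.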

UAG 2010: “Applying Network Access Protection configuration failed”

Problem:

When trying to activate the configuration on a UAG server, you might find that the activation fails and the following error messages appear in the status window:

Error: Applying Network Access Protection configuration failed.

Error: The UAG DirectAccess configuration cannot be activated

Error: DirectAccess could not be activated.

This ironically happens even when Network Access Protection (NAP) is not in use at all. We tested it even with DirectAccess disabled.

Cause:

The reason is that the Health Registration Authority (HRA) sub-role of the Network Policy Server role is not installed. Under the hood, UAG routinely runs the following command as part of the activation process:

netsh nap hra reset caserver

This command resets the HRA settings, but since the HRA sub-role does not exist, NETSH returns an error and UAG activation fails. In the BIT tracing you can see the following line, which shows that the command could not be executed at all:

[2]0B88.0BE8::03/11/2011-18:59:06.579 [DA.ConfigAgent]Command [nap hra reset caserver] failed to execute.

The root cause can easily be confirmed by opening the Server Manager console on the UAG server and checking the installed role services under Network Policy and Access Services.

Solution:

Install the Health Registration Authority role service from Server Manager and re-activate the configuration.
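As an added example (not part of the original post), the same fix from PowerShell on the UAG server, which runs on Windows Server 2008 R2: check whether the HRA role service is present, reproduce the failing command UAG issues, install the role service, and confirm the command now succeeds. The feature name NPAS-Health is the ServerManager name of the Health Registration Authority role service.

```powershell
# Added example, not from the original post. Run elevated on the UAG server.
Import-Module ServerManager

# NPAS-Health is the Health Registration Authority role service under
# Network Policy and Access Services.
$hra = Get-WindowsFeature -Name NPAS-Health

if (-not $hra.Installed) {
    # Reproduce UAG's failure first: without HRA this command errors out,
    # which is exactly what the "failed to execute" trace line reports.
    netsh nap hra reset caserver

    # Installing the role service also pulls in its parent feature.
    Add-WindowsFeature -Name NPAS-Health
}

# After installation the command UAG runs during activation completes,
# and the configuration can be activated again from the UAG console.
netsh nap hra reset caserver
```

Nothing in this configuration actually uses NAP; the role service is installed only so that UAG's activation step has something to reset.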

Cheers !!