Windows Azure Virtual Network Site-to-Site IPsec VPN with Forefront TMG 2010

Microsoft announced Windows Azure Virtual Network and Windows Azure Virtual Machines in June 2012 to provide IaaS ‘Hybrid Cloud’ functionality.

What this allows is persistent Virtual Machines (which retain the same private addresses) running in Azure that can be joined to your on-premise Active Directory using a site-to-site IPsec VPN. The Azure VMs then act like a branch network with full connectivity and you can add Domain Controllers in the Azure Virtual Network.


There are some great blog posts available that guide you through enabling cross-premises connectivity between your on-premise environment and Windows Azure.

Enable Cross-Premises Connectivity to Windows Azure with Forefront Threat Management Gateway (TMG) 2010 source: ISAServer.org / Richard Hicks

Windows Azure Virtual Network VPN with TMG 2010 source: kloud.com.au


DirectAccess Client Cannot Establish Tunnels to the DirectAccess Server

This week I noticed some issues with DirectAccess on my Windows 7 client. For some strange reason neither the Infrastructure tunnel nor the Intranet tunnel was established. When walking through the Advanced Firewall configuration I noticed that no Internet Protocol security (IPsec) tunnel mode security associations (SAs) were initiated. After some searching I found a post on the Forefront forum which describes more or less the same behavior.

Thanks to Jason Jones I found my issue. By verifying the Name Resolution Policy Table (NRPT) configuration using netsh dnsclient show state I noticed that the DirectAccess settings were misconfigured. The NRPT is configured by the DirectAccess Setup wizard. You can also configure the rules directly yourself, but take into account that these settings are overridden when running the DirectAccess wizard!


Microsoft Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 released

Microsoft® Forefront Threat Management Gateway (TMG) 2010 Service Pack 2 (SP2) introduces new functionality to Forefront TMG 2010 Standard and Enterprise Editions.

The service pack includes the following new functionality and feature improvements:

New Reports
• The new Site Activity report shows the data transferred between a given user and specific websites.

Error Pages
• A new look and feel has been created for error pages.
• Error pages can be more easily customized and can include embedded objects.

Kerberos Authentication
• You can now use Kerberos authentication when you deploy an array using network load balancing (NLB).

To read the release notes, see the Forefront TMG Release Notes (SP2). Before installing this service pack, it is highly recommended that you read the TechNet article Installing Forefront TMG Service Packs. Installing the service pack on Forefront TMG computers in an order other than as described in this article is unsupported.

Microsoft Forefront UAG SP2 can be downloaded here

Forefront UAG ISATAP hotfix KB977342 – ISATAP addresses not created for the VIP address

Recently Microsoft released a hotfix for Forefront UAG that applies to scenarios with multiple Forefront UAG servers configured in an array.

Link Local ISATAP addresses are not created for the virtual IP address used by the Network Load Balancing (NLB) feature on a computer that is running Windows Server 2008 R2. This hinders the usage of NLB nodes as an ISATAP router.

This problem occurs because the IP Helper service does not let virtual IP address interfaces generate ISATAP tunneled addresses or 6to4 tunneled addresses, as designed. For the DIP (Dedicated IP) address an ISATAP address is available, but for the VIP (Virtual IP) address there is no global address support for the NLB VIP, and no ISATAP addresses can be configured for a VIP.

More information can be found here

Comprehensive Resource for Licensing and Pricing

Windows Server, System Center, and Forefront Licensing Guide

The Windows Server, System Center, and Forefront Pricing and Licensing Guide is a comprehensive and detailed source of licensing information for the above-mentioned brands. Download and print the guide for product-level pricing and licensing information.

This guide provides licensing information for the Windows Server 2008 R2 operating system and Microsoft System Center datacenter solutions. It includes updated licensing information and scenarios for:

  • The Windows HPC Server 2008 R2 operating system.
  • System Center solutions, which IT administrators can use to manage physical and virtual IT environments across datacenters, client computers, and devices.
  • The Virtual Desktop Infrastructure Suites, solutions that organizations can use to allow users to access desktops running in the datacenter.
  • The Enrollment for Core Infrastructure, a Microsoft Enterprise Agreement (EA) program that enables enterprise customers to purchase core infrastructure suite products under one enrollment for a three-year term at a reduced price.

The guide can be downloaded here

http://www.microsoft.com/en-us/server-cloud/buy/pricing-licensing.aspx

http://www.microsoft.com/licensing/licensing-options/enrollments.aspx#tab=1

http://www.microsoft.com/licensing/default.aspx

Thanks to Richard Hicks, who pointed me to this useful guide.

Secure Application Access by using AD FS and UAG – UAG acting as ADFS Proxy Topology (via Security and Identity in the Cloud)

In the previous post I showed you how UAG can be used with ADFS to publish claims-aware applications and provide single sign-on into such applications along with traditional applications which require a user ID/password. In that demonstration UAG was configured with Form Based Authentication (FBA) and users were authenticating to UAG before they could get access to the actual applications. Today’s demonstration shows a different UAG/ADFS topology, … Read More

via Security and Identity in the Cloud

How #Microsoft secures its data in a worldwide environment

This Microsoft IT Showcase slide deck gives you an overview of how Microsoft secures its data. It may be a little bit outdated, but it is still informative for getting a picture of the high-level basics of how to secure your corporate data.