Monday, 20 July 2015

Secure Federation Server Farm (ADFS) With Multi Factor Authentication (MFA)


In our previous blog post, we covered setting up a federation farm. AD FS is a standards-based service that allows the secure sharing of identity information between trusted business partners (known as a federation) across an extranet.

Most people deploy Web Application Proxy to avoid publishing ADFS directly to the Internet. Yes, that is one way. But we want to be more secure!

To achieve a more secure environment, we can deploy MFA on-premises. Here is our deployment scenario:

[ Scenario ]


  • Domain Controller
  • ADFS Farm
  • Application Proxy
  • Azure Subscription
  • Office365 (for testing app)

[ Before setup scenario ]

The user logs in to portal.office.com with a valid username. The page redirects to the ADFS sign-in page and asks for the password. At this point the request has passed through the Web Application Proxy to ADFS, which verifies the username and password against the user account in the domain controller.


After authentication, the user is redirected to the Office 365 portal without any second-factor authentication.

[ Configuration for MFA ]

Go to the Azure Management Portal and create a new Multi-Factor Auth provider under the Active Directory section. You can choose either the per-enabled-user or the per-authentication usage model.


Click Manage, download the MFA Server and install it on the protected server.


Install the MFA Server and activate it with the Activation Credentials (valid for 10 minutes). Skip the configuration wizard.

Click ADFS, configure the settings you require and click Install ADFS Adapter. After the ADFS Adapter is installed, you are required to restart the server.


The next step is to add users. Click Users and then Import from Active Directory. For our test we select alphauser@ms4ucloud.info. By default, a user is disabled if no phone number is entered.


Edit the user, enter a phone number and tick Enabled.


Perform a test by entering a valid password. You will receive a call; press # to confirm.


We are not done yet. Open PowerShell on the ADFS server and execute:

.\Register-MultiFactorAuthenticationAdfsAdapter.ps1


Restart the server and modify the global policy from the ADFS snap-in. Go to Authentication Policies | Edit Global Multi-factor Authentication.


Set a policy. We enable MFA only for alphauser signing in from the extranet, whether from a registered or an unregistered device.

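The same global policy set from PowerShell on the ADFS server instead of the snap-in, as an added example that is not part of the original post. It assumes the adapter has already been registered with the script above and looks the provider name up by wildcard rather than hard-coding it; the user alphauser@ms4ucloud.info and the extranet condition are the ones from the scenario.

```powershell
# Added example (not from the original post): global MFA policy via PowerShell.
# Assumption: the Azure MFA adapter name contains "MultiFactor"; it is looked
# up rather than hard-coded so the script does not depend on the exact name.
Import-Module ADFS

# Find the registered Azure MFA adapter among the additional auth providers.
$mfaProvider = Get-AdfsAuthenticationProvider |
    Where-Object { $_.Name -like "*MultiFactor*" } |
    Select-Object -First 1 -ExpandProperty Name
if (-not $mfaProvider) {
    throw "MFA adapter not registered; run Register-MultiFactorAuthenticationAdfsAdapter.ps1 and restart."
}

# Allow the adapter as a second-factor provider in the global policy.
Set-AdfsGlobalAuthenticationPolicy -AdditionalAuthenticationProvider $mfaProvider

# Claim rule equivalent of "MFA for alphauser from the extranet, any device".
# insidecorporatenetwork is "false" when the request arrived through the
# Web Application Proxy, so only external sign-ins trigger the second factor.
$mfaRule = @'
c1:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn", Value == "alphauser@ms4ucloud.info"] &&
c2:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"]
 => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfaRule

# Verify what ADFS will enforce before testing the sign-in from portal.office.com.
(Get-AdfsGlobalAuthenticationPolicy).AdditionalAuthenticationProvider
Get-AdfsAdditionalAuthenticationRule
```

If you later want the rule to cover a group instead of one user, replace the upn condition with a groupsid condition; the extranet condition stays the same.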

[ Verification ]

Time to verify and make sure it is working as expected.

This time, rather than redirecting to Office 365 after the credentials are entered, the system prompts the user for second-factor authentication. You will receive a call; press # to confirm and answer the additional security question.


Once completed, you are able to access the Office 365 portal.


In this article, we have secured our environment by enabling MFA for customers using Active Directory Federation Services with Office 365.

Monday, 25 May 2015

Slide : Get Started With Microsoft Azure Virtual Machine


During MVP Community Day (2015), we delivered an online session titled “Get started with Microsoft Azure Virtual Machine”.


The target audience is beginners who would like to learn about Azure Infrastructure as a Service.

Here is a sneak peek at the system we used during the one-hour session. It was quite easy to use.


Thanks to the support team for assisting during the session.


Recording

You can view it from the MVP Community Portal: click here and proceed to our title.


Thursday, 14 May 2015

Configure Site to Site VPN to Microsoft Azure Using RRAS

In our previous post, we talked about building RRAS to connect two subnets and perform network address translation. If you’re interested, feel free to check it out here.

Next, we embark on a journey to the hybrid cloud by connecting to Microsoft Azure using RRAS.

[ Scenario ]


We continue from the previous post’s setup and change it to include demand-dial routing.

[ Before – on Azure ]

Create a Virtual Network and a dynamic-routing VPN Gateway. Take note of the Gateway IP address and the pre-shared key.


[ Configuration on RRAS ]

1. Modify the server properties to include demand-dial: set the IPv4 router to LAN and demand-dial routing.


2. Add a demand-dial interface and configure it as follows.


3. Set the connection type to VPN.


4. Set the VPN type to IKEv2.


5. Enter the Azure VPN Gateway IP address noted in the previous step.


6. Tick “Route IP packets on this interface” and enter the destination route (the Azure virtual network address space).


7. Leave the credentials empty; we set the pre-shared key later.


8. Modify the demand-dial interface: on the Security tab, set it to use the pre-shared key.

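Steps 1 to 8 above done with the RemoteAccess PowerShell module instead of the RRAS console, as an added example that is not part of the original post. The gateway IP, address space and interface name are placeholders you replace with the values from your Azure virtual network; the pre-shared key is prompted for so it is never stored in the script.

```powershell
# Added example (not from the original post): demand-dial interface via PowerShell.
# Placeholders: $azureGatewayIp and $azureAddressSpace come from the Azure portal.
Import-Module RemoteAccess

$azureGatewayIp    = "203.0.113.10"   # Azure VPN Gateway IP (placeholder)
$azureAddressSpace = "10.10.0.0/16"   # Azure virtual network address space (placeholder)
$ifName            = "AzureVNet"      # demand-dial interface name (placeholder)

# Step 1: enable LAN and demand-dial routing (site-to-site VPN) on the server.
Install-RemoteAccess -VpnType VpnS2S

# Prompt for the PSK so it is not written into the script or the shell history.
$secret = Read-Host -Prompt "Pre-shared key from the Azure portal" -AsSecureString
$psk    = (New-Object System.Net.NetworkCredential("", $secret)).Password

# Steps 2-8: VPN-type demand-dial interface, IKEv2, pointing at the gateway,
# routing the Azure address space over the interface (metric 100) and
# authenticating with the pre-shared key only (no username/password).
Add-VpnS2SInterface -Name $ifName `
    -Protocol IKEv2 `
    -Destination $azureGatewayIp `
    -AuthenticationMethod PSKOnly `
    -SharedSecret $psk `
    -IPv4Subnet "$($azureAddressSpace):100"

# Verification: dial the interface and check that it reports Connected.
Connect-VpnS2SInterface -Name $ifName
Get-VpnS2SInterface -Name $ifName |
    Select-Object Name, ConnectionState, Destination, IPv4Subnet
```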

[ Verification ]

  • Try to establish the connection from RRAS
  • Connect from the Azure Portal


Yeah! Both sides report connected.

To make sure both sides can reach each other, perform ping and tracert tests.

[ Test result ]

From Azure VM to on-prem DC VM

(ping and tracert result from Azure)

From on-prem DC VM to Azure VM

(ping and tracert result from on-prem)

Easy, right? That concludes our configuration of a site-to-site VPN to Microsoft Azure using RRAS.

Tuesday, 5 May 2015

Veeam FastSCP For Microsoft Azure Beta Available


It is time for us to share news about the new beta version of Veeam FastSCP, which now supports Microsoft Azure Virtual Machines. Previously it was built for VMware ESX/ESXi file management, allowing users to copy files from ESX to Windows, Windows to ESX, or directly ESX to ESX. Veeam claims Veeam FastSCP can copy files 6x faster than WinSCP and other SCP-based tools. Hmmm…

Now where does this beta tool fit?

Well, those who often copy data to/from Microsoft Azure may find this tool useful. Before this tool, we often used:

  • 1st method: use the “Copy & Paste” feature. But this feature has a 2 GB limit and is only suitable for smaller files.

What about big data, up to 900+ GB?

  • 2nd method: copy the data into an empty virtual disk, upload it to Azure Storage and attach the virtual disk. But this method is not flexible and may take a long time.

So the solution that comes to the rescue is…

“Veeam FastSCP” (it’s FREE!), which allows us to securely copy files to and from Azure VMs. Here are some key features of the product:

  • Reliable copy of local files to Azure VMs and of files in Azure VMs to on-premises
  • Secure file copy with no separate encryption or VPN needed
  • Copying files without keeping the UI open until the file copy completes
  • Automatic scheduling of file copy jobs for nightly or weekly copies to/from Azure VMs
  • No scripting needed (just a few clicks inside a wizard-driven UI)

Let’s have a quick walkthrough:

1. The connection to the Azure VM uses port 5986 (the WinRM over HTTPS port used by PowerShell remoting). Therefore it only works on Windows VMs.


2. Once connected, you can view the Azure VM volumes and start your operation.


3. Here are a couple of actions that you can perform:


4. View progress from Jobs & History. You can pause and resume the job.


5. To configure scheduling, just modify the existing job. It can, for example, copy a backup of a database every day from on-premises/Azure to the Azure VM/on-premises. It is like having an orchestrator that continuously executes a job.


Meanwhile, according to our Veeam briefing session, there is no limit on the size that you can transfer.

Well, you probably would like to give it a test and see whether it works as expected.

Do you find this tool handy? If yes, feel free to download it from here. Enjoy!

Saturday, 25 April 2015

Slide : Disaster Recovery to the Cloud with Microsoft Azure


During Global Azure Bootcamp (2015), I presented on data protection and site recovery: protecting your workloads with one solution across different infrastructure, whether Hyper-V, VMware, storage or physical servers.

Agenda during Global Azure Bootcamp (Malaysia):


Event pictures:


My session:


Join the Racing Game Lab (available now until the end of this weekend). To participate, follow the link posted in the event picture.


Demo videos:

Demo 1: Recover data on a laptop from Microsoft Azure using Microsoft Azure Backup

Description: In this demo, we show how easy it is to recover data when you’re mobile. As long as you have a laptop and an Internet connection, you can use Microsoft Azure Backup to restore data.

Demo 2: Recover an Azure Virtual Machine using Microsoft Azure Backup

Description: We can now protect Azure VMs using Azure Backup from the management portal.

Demo 3: ASR scenario: Hyper-V to Azure

Description: In this scenario we have two workloads running on Microsoft Hyper-V (DB and Web). We configure replication to Microsoft Azure using ASR. From there, we can perform planned, unplanned and test failovers. In this demo, we execute a test failover and clean up after completing our testing.

Demo 4: ASR scenario: VMware/physical server to Azure

Description: In this demo, we look at how easy it is to move your existing VMware VMs or physical servers to Microsoft Azure using ASR with InMage Scout technology.

Demo 5: ASR scenario: VMware to VMware using InMage Scout

Description: In this demo, we use InMage Scout to configure protection from a VMware host at the primary site to a secondary site that also uses a VMware host.