Azure Site-to-Site IPSec VPN connection with Citrix NetScaler (CloudBridge)

An Azure Site-to-Site VPN gateway connection is used to connect on-premises network to an Azure virtual network over an IPsec/IKE (IKEv1 or IKEv2) VPN tunnel. This type of connection requires a VPN device located on-premises that has an externally facing public IP address assigned to it.

In this example, I am going to use Citrix CloudBridge feature of a NetScaler. The Citrix CloudBridge works in a pair, one at each end of a link, to accelerate traffic over the link. The transformations done by the sender are reversed by the receiver. One CB virtual appliance  can handle many links, so you do not have to dedicate a pair to each connection. You need just one CB virtual appliance per site to handle traffic to and from Azure datacenter to on-premises datacenter. In a Citrix CloudBridge Connector tunnel, IPSec ensures:

  • Data integrity
  • Data origin authentication
  • Data confidentiality (encryption)
  • Protection against replay attacks

The below exercise creates a IPSec tunnel between 66.128.x.x (On-prem) to 168.63.x.x (Azure).

Basic Requirements:

  • Make sure that the public IPv4 address for your VPN device is not located behind a NAT firewall
  • Make sure you have correct NSG rules are configured for you to access on-premises VM from Azure VM or vise-versa.

IP Address Requirements:

IP address of the CloudBridge Connector tunnel end point (CB Appliance) in the on-premises side 66.128.x.x
IP address of the CloudBridge Connector tunnel end point in the Azure VPN Gateway 168.63.x.x
Datacenter Subnet, the traffic of which is to traverse the CloudBridge Connector tunnel 10.120.0.0/23
Azure Subnet, the traffic of which is to traverse the CloudBridge Connector tunnel 10.10.0.0/22

Citrix NetScaler Settings

IPSec profile CB_Azure_IPSec_Profile IKE version = v1

Encryption algorithm = AES

Hash algorithm = HMAC SHA1

CloudBridge Connector tunnel CB_Azure_Tunnel Remote IP = 168.63.x.x

Local IP= 66.128.x.x (SNIP)

Tunnel protocol = IPSec

IPSec profile= CB_Azure_IPSec_Profile

Policy based route CB_Azure_Pbr Source IP range = Subnet in the datacenter =10.120.0.0-10.120.1.254

Destination IP range =Subnet in Azure =10.10.0.1 – 10.10.3.254

IP Tunnel = CB_Azure_Tunnel

Azure VPN Gateway Settings

Public IP Address of the Azure VPN Gateway 168.63.x.x
Local Network On-prem Network VPN Device IP address = 66.128.x.x (SNIP)

On-prem Subnet =10.120.0.0/24

Virtual Network CloudBridge Tunnel in Azure Side Address Space of the Azure vNET= 10.10.0.0/22

Trusted Subnet within the vNET = 10.10.0.1/24

Untrusted Subnet within the vNET = 10.10.1.1/24

Gateway Subnet=10.10.2.0/24

Region Australia East
VPN Type Route-based
Connection Type Site-to-site (IPsec)
Gateway Type VPN
Shared key Sample Shared Key DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM

Configuration of Citrix NetScaler CloudBridge Feature

Step1: Create IPSec Profile

add ipsec profile CB_Azure_IPSec_Profile –psk  DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM  -ikeVersion v1 –lifetime 31536000

Note: DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM is also used in the Azure VPN connection.

Step2: Create IPSec Tunnel

add iptunnel CB_Azure_Tunnel 168.63.x.x 255.255.255.255 66.128.x.x –protocol IPSEC –ipsecProfileName CB_Azure_IPSec_Profile

Step3: Create PBR Rule

add pbr CB_Azure_Pbr -srcIP 10.120.0.0-10.120.1.255 –destIP 10.10.0.0-10.10.3.255 –ipTunnelCB_Azure_Tunnel

Step4: Apply Settings

apply pbrs

You can configure NetScaler using GUI as well. here is an example.

  1. Access the configuration utility by using a web browser to connect to the IP address of the NetScaler appliance in the datacenter.
  2. Navigate to System > CloudBridge Connector.
  3. In the right pane, under Getting Started, click Create/Monitor CloudBridge.
  4. Click Get Started> In the CloudBridge Setup pane, click Microsoft Windows Azure.
  5. In the Azure Settings pane, in the Gateway IP Address* field, type the IP address of the Azure gateway. The CloudBridge Connector tunnel is then set up between the NetScaler appliance and the gateway. In the Subnet (IP Range)* text boxes, specify a subnet range (in Azure cloud), the traffic of which is to traverse the CloudBridge Connector tunnel. Click Continue.
  6. In the NetScaler Settings pane, from the Local Subnet IP* drop-down list, select a publicly accessible SNIP address configured on the NetScaler appliance. In Subnet (IP Range)* text boxes, specify a local subnet range, the traffic of which is to traverse the CloudBridge Connector tunnel. Click Continue.
  7. In the CloudBridge Setting pane, in the CloudBridge Name text box, type a name for the CloudBridge that you want to create.
  8. From the Encryption Algorithm and Hash Algorithm drop-down lists, select the AES and HMAC_SHA1 algorithms, respectively. In the Pre Shared Security Key text box, type the security key.
  9. Click Done.

Configuration of an IPSec Site-to-Site VPN in the Azure Subscription 

Step1: Connect to Azure Subscription

Login-AzureRmAccount

Get-AzureRmSubscription

Select-AzureRmSubscription -SubscriptionName “99ebd-649c-466a-a670-f1a611841”

Step2: Create Azure Resource Group in your region

New-AzureRmResourceGroup -Name TestRG1 -Location “Australia East”

Step3: Create vNET and Subnets

$subnet1 = New-AzureRmVirtualNetworkSubnetConfig -Name “Tursted” -AddressPrefix 10.10.0.0/24

$subnet2 = New-AzureRmVirtualNetworkSubnetConfig -Name “UnTursted” -AddressPrefix 10.10.1.0/24

$subnet3 = New-AzureRmVirtualNetworkSubnetConfig -Name “GatewaySubnet” -AddressPrefix 10.10.2.0/24

$vnet=New-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1 -Location “Australia East” -AddressPrefix 10.10.0.0/22 -Subnet $subnet1, $subnet2, $subnet3

Set-AzureRmVirtualNetwork -VirtualNetwork $vnet

Step4: Create On-premises Network

New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 -Location “Australia East” -GatewayIpAddress “66.128.x.x” -AddressPrefix “10.120.0.0/24”

New-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1 -Location “East US” -GatewayIpAddress “23.99.221.164” -AddressPrefix @(“10.120.0.0/24”,”10.120.1.0/24”)

Step5: Request a Public IP Address

$gwpip= New-AzureRmPublicIpAddress -Name gwpip -ResourceGroupName TestRG1 -Location “Australia East” -AllocationMethod Dynamic

Step6: Create Gateway IP Address

$vnet = Get-AzureRmVirtualNetwork -Name TestVNet1 -ResourceGroupName TestRG1

$subnet = Get-AzureRmVirtualNetworkSubnetConfig -Name “GatewaySubnet” -VirtualNetwork $vnet

$gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $subnet.Id -PublicIpAddressId $gwpip.Id

Step7: Create VPN Gateway

New-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1 -Location “Australia East” -IpConfigurations $gwipconfig -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1

Step8: Extract public IP address of the VPN Gateway

Get-AzureRmPublicIpAddress -Name GW1PublicIP -ResourceGroupName TestRG1

Step9: Create VPN Connection

$gateway1 = Get-AzureRmVirtualNetworkGateway -Name VNet1GW -ResourceGroupName TestRG1

$local = Get-AzureRmLocalNetworkGateway -Name Site2 -ResourceGroupName TestRG1

New-AzureRmVirtualNetworkGatewayConnection -Name VNet1toSite2 -ResourceGroupName TestRG1 -Location “East US” -VirtualNetworkGateway1 $gateway1 -LocalNetworkGateway2 $local -ConnectionType IPsec -RoutingWeight 10 -SharedKey “ DkiMgMdcbqvYREEuIvxsbKkW0FOyDiLM”

Step10: verify Connection

Get-AzureRmVirtualNetworkGatewayConnection -Name MyGWConnection -ResourceGroupName MyRG

Deploy Work Folder in Azure Cloud

The concept of Work Folder is to store user’s data in a convenient location. User can access the work folder from BYOD and Corporate SOE from anywhere. The work folder facilitate flexible use of corporate information securely from supported devices. The work folder can be deployed on-premises and in Azure Cloud. In this article, I will demonstrate how to deploy Work Folder in Azure. Before that, let’s start with application of Work Folder.

Applications of Work Folder in Corporate Environment

  • Provide a single point of access to work files from a user’s work and personal devices
  • Access the work files online and offline. While accessing offline, the data can be synced back to the Sync Server when the device connected to internet or intranet again
  • Deploy with existing deployments of Folder Redirection, Offline Files, and home folders
  • Use Windows File Server, SMB Share and other CIFS share for example NetApp CIFS share
  • Use file classification and folder quotas, to manage user data
  • Apply security policy and encryption to encrypt Work Folders and use a lock screen password
  • Use Microsoft Failover Clustering with Work Folders to provide a high-availability solution

Enhanced Functionality:

  • Azure AD Application Proxy support
  • Faster change replication
  • Integrated with Windows Information Protection (WIP)
  • Microsoft Office integration

Supported Environment:

  • NetApp CIFS, Windows File Server or Windows SMB Storage as the UNC path of Sync Share
  • Windows Server 2012 R2 or Windows Server 2016 for hosting sync shares with user files
  • A public certificate or internal certificate domain joined computer
  • Windows Server 2012 R2 level AD DS Schema
  • Windows 10 version 1703,
  • Android 4.4 KitKat and later
  • iOS 10.2 and later

Internal DNS records (CNAME records)

  • workfolders.domain.com pointed to syncserver1.domain.com and sycserver2.domain.com
  • sts.domain.com point to ADFS Servers
  • enterpriseregistration.domain.com pointed to ADFS servers

Internal DNS records (Host A Record)

  • syncserver1.domain.com
  • syncserver2.domain.com

Publishing Work Folder for mobile workforce

  • Access from Internet or use Azure Credentials
  • Web Application Proxy
  • Active Directory Federation Services (AD FS) with public DNS record sts.domain.com and enterpriseregistration.domain.com
  • A public DNS record i.e. CNAME = workfolders.domain.com
  • A public certificate from a public CA i.e. CN= workfolders.domain.com SAN=syncserver1.domain.com, syncserver2work.domain.com. There must be private key associated with the certificate which means the certificate must in pfx format before importing into the sync servers.

Deploy Work Folder Server

  1. Log on to Azure Portal, Deploy a Windows Server 2016 from Azure Marketplace. Since we will be using this VM for Sync Share. I would recommend selecting an L series VM which storage optimised VM.
  2. Once the VM is provisioned, attached premium data disk for high I/O and low latency file store.
  3. Build a Windows Server 2016, Configure TCP/IP and Join the server to the domain
  4. Remote into the server using domain admins credential. Open the Add Roles and Features Wizard.
  5. On the Select installation type page, choose Role-based or feature-based deployment.
  6. On the Select destination server page, select the server on which you want to install Work Folders.
  7. On the Select server roles page, expand File and Storage Services, expand File and iSCSI Services, and then select Work Folders.
  8. When asked if you want to install IIS Hostable Web Core, click Ok to install the minimal version of Internet Information Services (IIS) required by Work Folders.
  9. Click Next until you have completed the wizard.
  10. Repeat the steps for all Work Folder Servers.

Install Certificate on the Work Folder Server

  1. On the Windows server 2016 where you want to install the SSL certificate, open the Console.
  2. In the Windows start menu, type mmc and open it.
  3. In the Console window, in the top menu, click File > Add/Remove Snap-in.
  4. In the Add or Remove Snap-ins window, in the Available snap-ins pane (left side), select Certificates and then click Add
  5. In the Certificate snap-in window, select Computer account and then click Next
  6. In the Select Computer window, select Local computer: (the computer this console is running on), and then click Finish
  7. In the Add or Remove Snap-ins window, click OK.
  8. In the Console window, in the Console Root pane (left side), expand Certificates (Local Computer), right-click on the Web Hosting folder, and then click All Tasks > Import.
  9. In the Certificate Import Wizard, on the Welcome to the Certificate Import Wizard page, click Next.
  10. On the File to Import page, browse to and select the file that you want import and then, click Next.
  11. Notes: In the File Explorer window, in the file type drop-down, make sure to select All Files (*.*). By default, it is set to search for 509 Certificate (*.cert;*.crt) file types only.
  12. On the Private key protection page, provide the password when you exported the certificate, check Mark the Private Key exportable for future use, and check import all extended properties.
  13. On the Certificate Store page, do the following and then click Next, Select Place all certificates in the following store and click Browse.
  14. In the Select Certificate Store window, select Web Hosting and click OK.
  15. On the Completing the Certificate Import Wizard page, verify that the settings are correct and then, click Finish.
  16. Repeat the steps for all Work Folder Servers.

Bind the Certificate:

  1. Log on to a jump box where IIS Management Console is installed, Open IIS Management Console, Connect to Work Folder Server. Select the Default Web Site for that server. The Default Web Site will appear disabled, but you can still edit the bindings for the site and select the certificate to bind it to that web site.
  2. Use the netsh command to bind the certificate to the Default Web Site https interface. The command is as follows:

netsh http add sslcert ipport=<IP address of Sync Share Server>:443 certhash=<Cert thumbprint> appid={CE66697B-3AA0-49D1-BDBD-A25C8359FD5D} certstorename=MY

Create Active Directory Security Group

  1. You need minimum two AD security groups for Work Folder. One for Work Folder Admin and another for Work Folder Sync Share. For this article, let’s assume we have a Sync Share. We will create two Security Groups named FS-HRShareUser-SG and FS-HRShareAdmin-SG
  2. Make sure these security group scope is Global not Universal. In the Members section, click Add. The Select Users, Contacts, Computers, Service Accounts or Groups dialog box appears.

Create a Sync Share

  1. In Server Manager, click File and Storage Services, and then click Work Folders.
  2. A list of any existing sync shares is visible at the top of the details pane. To create a new sync share, from the Tasks menu choose New Sync Share…. The New Sync Share Wizard appears.
  3. On the Select the server and path page, specify where to store the sync share. If you already have a file share created for this user data, you can choose that share. Alternatively you can create a new folder.
  4. On the Specify the structure for user folders page, choose a naming convention for user folders within the sync share. Select either User alias or User alias@domain
  5. On the Enter the sync share name page, specify a name and a description for the sync share. This is not advertised on the network but is visible in Server Manager
  6. On the Grant sync access to groups page, specify the group that you created that lists the users allowed to use this sync share.
  7. On the Specify device policies page, specify whether to request any security restrictions on client PCs and devices. Select either Automatically lock screen, and require a password or Encrypt Work Folders based on your requirements.
  8. Review your selections and complete the wizard to create the sync share.

Setup a Tech Support Email Address

  1. In Server Manager, click File and Storage Services, and then click Servers.
  2. Right-click the sync server, and then click Work Folders Settings. The Work Folders Settings window appears.
  3. In the navigation pane, click Support Email and then type the email address or addresses that users should use when emailing for help with Work Folders. Click Ok when you’re

Publish Work Folder using ADFS Server

You can set up and configure the relying party trust for Work Folders, even though Work Folders hasn’t been set up yet. The relying party trust must be set up to enable Work Folders to use AD FS. Because you’re in the process of setting up AD FS, now is a good time to do this step.

To set up the relying party trust:

  1. Log on to ADFS Server. Open Server Manager, on the Tools menu, select AD FS Management.
  2. In the right-hand pane, under Actions, click Add Relying Party Trust.
  3. On the Welcome page, select Claims aware and click Start.
  4. On the Select Data Source page, select Enter data about the relying party manually, and then click Next.
  5. In the Display name field, enter WorkFolders, and then click Next.
  6. On the Configure Certificate page, click Next..
  7. On the Configure URL page, click Next.
  8. On the Configure Identifiers page, add the following identifier: https://workfolders.domain.com/V1. This identifier is a hard-coded value used by Work Folders, and is sent by the Work Folders service when it is communicating with AD FS. Click Next.
  9. On the Choose Access Control Policy page, select Permit Everyone, and then click Next.
  10. On the Ready to Add Trust page, click Next.
  11. After the configuration is finished, the last page of the wizard indicates that the configuration was successful. Select the checkbox for editing the claims rules, and click Close.
  12. In the AD FS snap-in, select the WorkFolders relying party trust and click Edit Claim Issuance Policy under Actions.
  13. The Edit Claim Issuance Policy for WorkFolders window opens. Click Add rule.
  14. In the Claim rule template drop-down list, select Send LDAP Attributes as Claims, and click Next.
  15. On the Configure Claim Rule page, in the Claim rule name field, enter WorkFolders.
  16. In the Attribute store drop-down list, select Active Directory.
  17. In the mapping table, enter these values:
    • User-Principal-Name: UPN
    • Display Name: Name
    • Surname: Surname
    • Given-Name: Given Name
  18. Click Finish. You’ll see the WorkFolders rule listed on the Issuance Transform Rules tab and click OK.
  19. In the AD FS snap-in, select the WorkFolders relying party trust, On the properties, choose the Encryption tab, Remove the certificate encryption
  20. Choose the Signature tab and make sure the Work Folder Certificate was imported
  21. Click Apply, Click Ok.

Set relying part trust options

These commands set options that are needed for Work Folders to communicate successfully with AD FS, and can’t be set through the UI. These options are:

  • Enable the use of JSON web tokens (JWTs)
  • Disable encrypted claims
  • Enable auto-update
  • Set the issuing of Oauth refresh tokens to All Devices.
  • Grant clients access to the relying party trust

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -EnableJWT $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -Encryptclaims $false

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -AutoupdateEnabled $true

Set-ADFSRelyingPartyTrust -TargetIdentifier “https://workfolders.domain.com/V1&#8221; -IssueOAuthRefreshTokensTo AllDevices

Grant-AdfsApplicationPermission -ServerRoleIdentifier “https://workfolders.domain.com/V1&#8221; –AllowAllRegisteredClients

Enable Workplace Join

To enable device registration for Workplace Join, you must run the following Windows PowerShell commands, which will configure device registration and set the global authentication policy:

Initialize-ADDeviceRegistration -ServiceAccountName domain\svc-adfsservices$

Set-ADFSGlobalAuthenticationPolicy -DeviceAuthenticationEnabled $true

Set up AD FS authentication

To configure Work Folders to use AD FS for authentication, follow these steps:

  1. Log on to Sync Share Server. Open Server Manager.
  2. Click Servers, and then select your Work Folders server in the list.
  3. Right-click the server name, and click Work Folders Settings.
  4. In the Work Folder Settings window, select Active Directory Federation Services, and type in the ADFS URL. Click Apply. In the test example, the URL is https://sts.domain.com.

Publish the Work Folders web application

The next step is to publish a web application that will make Work Folders available to clients. To publish the Work Folders web application, follow these steps:

  1. Import Work Folder Certificate into WAP Servers
  2. Open Server Manager, and on the Tools menu, click Remote Access Management to open the Remote Access Management Console.
  3. Under Configuration, click Web Application Proxy.
  4. Under Tasks, click Publish. The Publish New Application Wizard opens.
  5. On the Welcome page, click Next.
  6. On the Preauthentication page, select Active Directory Federation Services (AD FS), and click Next.
  7. On the Support Clients page, select OAuth2, and click Next.
  8. On the Relying Party page, select Work Folders, and then click Next. This list is published to the Web Application Proxy from AD FS.
  9. On the Publishing Settings page, enter the following and then click Next, use these values:
  1. The confirmation page shows the Windows PowerShell command that will execute to publish the application. Click Publish.
  2. On the Results page, you should see the application was published successfully.

Configure Work Folders on the client

To configure Work Folders on the non-domain join client machine, follow these steps:

  1. On the client machine, open Control Panel and click Work Folders.
  1. Click Set up Work Folders.
  1. On the Enter your work email address page, enter either the user’s email address (for example, user@domain.com) or the Work Folders URL (in the test example, https://workfolders.domain.com), and then click Next.
  2. If the user is connected to the corporate network, the authentication is performed by Windows Integrated Authentication. If the user is not connected to the corporate network, the authentication is performed by ADFS (OAuth) and the user will be prompted for credentials. Enter your credentials and click OK.
  3. After you have authenticated, Click Next.
  4. The Security Policies page lists the security policies that you set up for Work Folders. Click Next.
  5. A message is displayed stating that Work Folders has started syncing with your PC. Click Close.
  6. The Manage Work Folders page shows the amount of space available on the server, sync status, and so on. If necessary, you can re-enter your credentials here. Close the window.
  7. Your Work Folders folder opens automatically. You can add content to this folder to sync between your devices.

To configure Work Folders on the domain joined client machine, follow these steps:

  1. Configure using GPO, use Go to User Configuration > Administrative Templates > Windows Components > Work Folders > Specify Work Folders settings.
  2. Specify Work Folder URL as workfolders.domain.com
  3. Apply the GPO to selected OU.

Relevant Article:

Work Folder FAQ

NetApp CIFS shares not mounting to Windows Server 2012

 

Configure Azure B2B, Azure Rights Management for on-premises SharePoint, Exchange and File server

Azure Information Protection (Azure RMS) is an enterprise information protection solution for any organization. Azure RMS provides classification, labeling, and protection of organization’s data.

Note: This deployment also enables Azure B2B access for the Published Applications in Azure AD.

Azure Prerequisites

  • A subscription that includes Azure Information Protection. For example, PAYG, EA or E5
  • A global administrator account (@domain.onmicrosoft.com) to sign in to the Azure portal

Minimum On-premises Prerequisites

  • An operational Active Directory Federation Services
  • An operational Azure Active Directory Connect
  • An Active Directory Domain Controller
  • An RMS Connector Server
  • RMS Client version 2.1 or above installed on the SharePoint or File Server or Exchange Server
  • Azure Information Protection for Microsoft Office 2016
  • A matching UPN (dmain.com) which has been federated to Azure AD
  • Publicly routable domains name (domain.com)
  • Publicly routable DNS Records (spirm.domain.com, sts.domain.com)
  • Public certificates with SAN or an wild card certificate
  • Public certificate must have private key or PFX format
  • An operational SharePoint or File Server or Exchange Server to be protected by Azure RMS

Deploy On-prem Infrastructures:

  1. Register and verify domain.com to Azure ARM Portal
  2. Install and configure Active Directory Federation Services
  3. Install and configure Web Application Proxy Server
  • Install and configure Azure Active Directory Connect. AAD Connect installation pretty straight forward. To use Azure RMS you have to select three extra steps in AAD Connect. Either you can modify existing configuration to the below or if you are installing from scratch then you have to select an additional features. To provide the RMS functionality to synced users, Azure RMS has been selected in AAD Connect Wizard along with the Azure AD Apps.
  • On the AAD Connect Installation Page, click Customize to start a customized settings installation.
  • On User Signin Page Select Federation With ADFS.
  • On the Optional feature Page, Select Azure AD App and Attribute Filtering. Make sure you select all features which include Azure RMS
  1. Activate Azure RMS
  • Sign to Azure Portal using a Global Admin user (@domain.onmicrosoft.com)
  • Open Azure Information Protection, Click RMS Settings, Click Activate.
  1. If you are protecting SharePoint Server then you have to the additional steps on ADFS Server and SharePoint Server mentioned below.

Internal CNAME DNS record:

  • domain.com pointed to ADFS Server
  • domain.com pointed to SP Server
  • domain.com pointed to RMS Connector Server

ADFS Configuration:

Add a Claim Provider Trust using Wizard, type the name of the Claim Provider as “AzureAD” Select the URL to import metadata from https://login.microsoftonline.com/domain.onmicrosoft.com/federationmetadata/2007-06/federationmetadata.xml

Right Click on the the Azure AD Claim Provider, Edit Claim Rule and Add a custom claim rule

c:[]  => issue(claim = c);

 Add SharePoint 2013/2016 as a Relying Party Trust with the below properties:

Method to Add RP: Manual

Name: SP

RP Identifier: urn:sharepoint:domain

Enable WS-Federation and provide the following passive reply url: https://spirm.domain.com /_trust/

 Add two Claim Rules

UPN Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

B2B User Claim Rule

c:[Type == “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress”%5D
 => issue(Type = “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn&#8221;, Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer, Value = c.Value, ValueType = c.ValueType);

Specify AzureAD as SharePoint 2013 Claim Provider

Set-AdfsRelyingPartyTrust -TargetName “SP”  -ClaimsProviderName @(“AzureAD”)

Specify Claim Provider for Internal Users:

Set-AdfsProperties -IntranetUseLocalClaimsProvider $true

Add Azure Web Application:

Log on to portal.azure.com, Click Azure AD, On the App registration section, Register an Azure Web Application using the below parameter:

Grant Access to Azure AD user and B2B User to this Application

  • Sign in to the Azure Active Directory admin center with an account that’s a global admin for the directory.
  • Select Azure Active Directory and then Users and groups.
  • On the Users and groups blade, select All users, and then select New Guest user.
  • Go back to newly registered App, Assign access permission to the guest user

Assign RMS Licenses to Azure B2B users:

Connect-MsolService

$AccountSkuId = “domain:ENTERPRISEPACK”

$UsageLocation = “AU”

$Users = Import-Csv c:\temp\userlist.csv

$Users | ForEach-Object {

Set-MsolUser -UserPrincipalName $_.UserPrincipalName -UsageLocation $UsageLocation

Set-MsolUserLicense -UserPrincipalName $_.UserPrincipalName -AddLicenses $AccountSkuId

}

Where userlist.csv contain userprincipal name or B2B username in first column. Further references.

Azure Licenses for B2B user https://docs.microsoft.com/en-us/azure/active-directory/active-directory-b2b-licensing

Configure Right Management Connector

  • Download Rights Management Connector on the server where you are going to install the Connector.
  • Create a Service account in Windows Active Directory with federated UPN SVCRMS@domain.com
  • SVCRMS@domain.com is AAD Synced Account.
  • Open AD users and Computers, Add SVCRMS@domain.com as a member of domain admins group.
  • Sign into Azure Portal, Assign SVCRMS@domain.com as global admin, Azure RightsManagement global administrator
  • On the computer on which you want to install the RMS connector, run exe with Administrator privileges. When prompted for credential use SVCRMS@domain.com account and alphanumeric password.

Note: do not install RMS connector on Exchange, File and SharePoint Server.

SharePoint Specific Configuration: Reference1 and reference2

Add-PSSnapIn Microsoft.SharePoint.PowerShell

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(“c:\ADFSCertificates\STSTokenSigning.cer”)

New-SPTrustedRootAuthority -Name “Token Signing Cert” -Certificate $cert

$emailClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress” -IncomingClaimTypeDisplayName “EmailAddress” -SameAsIncoming

$upnClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn” -IncomingClaimTypeDisplayName “UPN” -SameAsIncoming

$roleClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/role” -IncomingClaimTypeDisplayName “Role” -SameAsIncoming

$sidClaimMap = New-SPClaimTypeMapping -IncomingClaimType “http://schemas.microsoft.com/ws/2008/06/identity/claims/primarysid” -IncomingClaimTypeDisplayName “SID” -SameAsIncoming

$realm = “urn:sharepoint:dealdocs”

$signInURL = “https://sts.dealdocs.com/adfs/ls/”

$ap = New-SPTrustedIdentityTokenIssuer -Name “ADFS” -Description “AD Federation Server” -realm $realm -ImportTrustCertificate $cert -ClaimsMappings $emailClaimMap,$upnClaimMap,$roleClaimMap,$sidClaimMap -SignInUrl “https://sts.dealdocs.com/adfs/ls/” -IdentifierClaim $emailClaimmap.InputClaimType

Download and run GenConnectorConfig.ps1  the below command on SP Server. This command automate changes in registry values.

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetSharePoint2013

Configure RMS Connector for SharePoint Server

  1. On the SharePoint Central Administration Web site, in the Quick Launch, click Security.
  2. On the Security page, in the Information Policy section, click Configure information rights management.
  3. On the Information Rights Management page, in the Information Rights Management section, select Use this RMS server type https://rmsconnector.domain.com).
  4. Click OK.
  5. Next step Add users to SharePoint Library

For Exchange Server, Download and run GenConnectorConfig.ps1  on Exchange Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetExchange2013

Run the below command in Exchange Server

Set-IRMConfiguration -InternalLicensingEnabled $true

For File Server Download and run GenConnectorConfig.ps1  on File Server

.\GenConnectorConfig.ps1 -ConnectorUri https://rmsconnector.contoso.com -SetFCI2012

Create classification rules and file management tasks to protect documents with RMS Encryption.

Testing:

  • Download Azure Information Protection  and protect a document for B2B user
  • Upload the document into SharePoint Library
  • Request the B2B user to access from the invitation you have sent.

Configuring Azure ExpressRoute using PowerShell

Microsoft Azure ExpressRoute is a private connection from on-premises networks to the Microsoft cloud over a private peering facilitated by a network service provider. With ExpressRoute, you can establish a faster, low latencies and reliable connection to Microsoft cloud services, such as Microsoft Azure, Office 365, and Dynamics 365. ExpressRoute is available to all continent and in all geopolitical boundaries.

ExpressRoute Circuit Connectivity Model

  • Co-located at a cloud exchange- The on-premises infrastructure is co-located in a facility with Microsoft Azure Cloud, you can order virtual cross-connections to the Microsoft cloud through the co-location provider’s Ethernet exchange. Data center providers can offer either Layer 2 cross-connections, or managed Layer 3 cross-connections between your infrastructure in the colocation facility and the Microsoft cloud.
  • Point-to-point Ethernet connections- You can connect your on-premises infrastructure to the Microsoft cloud through point-to-point Ethernet links. Point-to-point Ethernet providers can offer Layer 2 connections, or managed Layer 3 connections between your site and the Microsoft cloud.
  • Any-to-any (IPVPN) networks- You can integrate company WAN with the Microsoft cloud. IPVPN providers are typically MPLS connection between your branch offices and data centers. The Microsoft cloud can be interconnected to company WAN to make it look just like another branch office.

Key Features:

  • Layer 3 connectivity between your on-premises network and the Microsoft Cloud through a connectivity provider.
  • Connectivity to Microsoft cloud services across all regions in the geopolitical region.
  • Global connectivity to Microsoft services across all regions with an ExpressRoute premium add-on.
  • Dynamic routing between your network and Microsoft over industry standard protocols (BGP).
  • Built-in redundancy in every peering location for higher reliability.
  • QoS support for Skype for Business.
  • Bandwidth starting from 50Mbps to 10Gbps

Subscription requirements:

  • A valid and active Microsoft Azure account or an active Office 365 subscription. This account is required to set up the ExpressRoute circuit. ExpressRoute circuits are resources within Azure subscriptions.

Partners Requirements:

Network requirements:

  • Redundant connectivity-Microsoft requires redundant BGP sessions to be set up between Microsoft’s routers and the peering routers, even when you have just one physical connection to a cloud exchange.
  • Routing-ExpressRoute provider needs to set up and manage the BGP sessions for routing domains. Some Ethernet connectivity provider or cloud exchange provider may offer BGP management as a value-add service.
  • NAT-Microsoft only accepts public IP addresses through Microsoft peering. If you are using private IP addresses in your on-premises network, you or your provider need to translate the private IP addresses to the public IP addresses using the NAT.
  • QoS-Skype for Business has various services (for example; voice, video, text) that require differentiated QoS treatment. You and your provider should follow the QoS requirements.
  • Network Security- consider network security when connecting to the Microsoft Cloud via ExpressRoute.

ExpressRoute Peering

  • Private peering- The private peering domain is considered to be a trusted extension of on-premises core network into Microsoft Azure. You can set up bi-directional connectivity between your core network and Azure virtual networks.
  • Public peering- In a simple terminology, the public peering is a network peering between public domain to on-premises DMZ and connect to all Azure services on their public IP addresses from company WAN without having to connect to the internet.
  • Microsoft peering- ExpressRoute provides private network connectivity to Microsoft cloud services. Infrastructure and platform services running in Azure often benefit by addressing network architecture and performance considerations. Therefore, we recommend enterprises use ExpressRoute for Azure.
  • Microsoft peering is used specifically for SaaS like Office 365 and Dynamics 365, were created to be accessed securely and reliably via the Internet. Therefore, we only recommend ExpressRoute for these applications in specific scenarios.

 Provisioning an ExpressRoute

Step1: Login and Select the subscription

Login-AzureRmAccount

Get-AzureRmSubscription

Copy the name of the subscription to be used for next command.

Select-AzureRmSubscription -SubscriptionId “Company Default”

Step2: Copy the name of the ExpressRoute Provider information to be used for next command.

Name, PeeringLocations, BandwidthsOffered, Sku

Get-AzureRmExpressRouteServiceProvider

Step3: Create new ExpressRoute

New-AzureRmExpressRouteCircuit -Name “On-premtoAzureCloud” -ResourceGroupName “ExpressRouteRG” -Location “Australia East” -SkuTier Standard -SkuFamily MeteredData -ServiceProviderName “Equinix” -PeeringLocation “Sydney” -BandwidthInMbps 200

Once you have created new ExpressRoute, you will see the below status of ExpressRoute.

NotProvisioned & Enabled, Provisioning & Enabled, Provisioned & Enabled

Step4: Record Subscription ID, service Key, Location and send this information to your ExpressRoute circuit provider to provision and activate services.

get-help New-AzureRmExpressRouteCircuit –detailed

Step5: List of All ExpressRoute and record the information for next command

Get-AzureRmExpressRouteCircuit -Name “ExpressRouteARMCircuit” -ResourceGroupName “ExpressRouteResourceGroup”

Step5: Connect a virtual network in the same subscription to a circuit

$circuit = Get-AzureRmExpressRouteCircuit -Name “MyCircuit” -ResourceGroupName “MyRG”

$gw = Get-AzureRmVirtualNetworkGateway -Name “ExpressRouteGw” -ResourceGroupName “MyRG”

$connection = New-AzureRmVirtualNetworkGatewayConnection -Name “ERConnection” -ResourceGroupName “MyRG” -Location “East US” -VirtualNetworkGateway1 $gw -PeerId $circuit.Id -ConnectionType ExpressRoute

Step6: Create Azure private peering for Azure Services

Make sure that you have the following items before you proceed with the next steps:

  • A /30 subnet for the primary and secondary link. This must not be part of any address space reserved for virtual networks.
  • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  • AS number for peering. You can use both 2-byte and 4-byte AS numbers. You can use a private AS number for this peering. Ensure that you are not using 65515.

$ckt = Get-AzureRmExpressRouteCircuit -Name “ExpressRouteARMCircuit” -ResourceGroupName “ExpressRouteResourceGroup”

Add-AzureRmExpressRouteCircuitPeeringConfig -Name “AzurePrivatePeering” -ExpressRouteCircuit $ckt -PeeringType AzurePrivatePeering -PeerASN 100 -PrimaryPeerAddressPrefix “10.0.0.0/30” -SecondaryPeerAddressPrefix “10.0.0.4/30” -VlanId 200

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

Get-AzureRmExpressRouteCircuitPeeringConfig -Name “AzurePrivatePeering” -Circuit $ckt

Step7: Configure Azure public peering for the circuit if you require a public peering refer to the explanation section.

  • Make sure that you have the following information before you proceed further:
  • A /30 subnet for the primary and secondary link. This must be a valid public IPv4 prefix.
  • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  • AS number for peering. You can use both 2-byte and 4-byte AS numbers.

Add-AzureRmExpressRouteCircuitPeeringConfig -Name “AzurePublicPeering” -ExpressRouteCircuit $ckt -PeeringType AzurePublicPeering -PeerASN 100 -PrimaryPeerAddressPrefix “12.0.0.0/30” -SecondaryPeerAddressPrefix “12.0.0.4/30” -VlanId 100

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

Step8: Configure Microsoft peering for the circuit if you require a public peering refer to the explanation section.

  • Make sure that you have the following information before you proceed:
  • A /30 subnet for the primary and secondaary link. This must be a valid public IPv4 prefix owned by you and registered in an RIR / IRR.
  • A valid VLAN ID to establish this peering on. Ensure that no other peering in the circuit uses the same VLAN ID.
  • AS number for peering. You can use both 2-byte and 4-byte AS numbers.
  • Advertised prefixes: You must provide a list of all prefixes you plan to advertise over the BGP session. Only public IP address prefixes are accepted. You can send a comma separated list if you plan to send a set of prefixes. These prefixes must be registered to you in an RIR / IRR.
  • Customer ASN: If you are advertising prefixes that are not registered to the peering AS number, you can specify the AS number to which they are registered. This is optional.
  • Routing Registry Name: You can specify the RIR / IRR against which the AS number and prefixes are registered.

Add-AzureRmExpressRouteCircuitPeeringConfig -Name “MicrosoftPeering” -ExpressRouteCircuit $ckt -PeeringType MicrosoftPeering -PeerASN 100 -PrimaryPeerAddressPrefix “123.0.0.0/30” -SecondaryPeerAddressPrefix “123.0.0.4/30” -VlanId 300 -MicrosoftConfigAdvertisedPublicPrefixes “123.1.0.0/24” -MicrosoftConfigCustomerAsn 23 -MicrosoftConfigRoutingRegistryName “ARIN”

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

To Upgrade the SKU from metered to unlimited. Implement the below command to upgrade ExpressRoute SKU

$ckt = Get-AzureRmExpressRouteCircuit -Name “ExpressRouteARMCircuit” -ResourceGroupName “ExpressRouteResourceGroup”

$ckt.Sku.Family = “UnlimitedData”

$ckt.sku.Name = “Premium_UnlimitedData”

Set-AzureRmExpressRouteCircuit -ExpressRouteCircuit $ckt

Login to Exchange Online PowerShell using MFA

Once you enable MFA on Admin account, you will be denied access to EXO using PowerShell until you update Azure PowerShell version to latest.

Download and install Microsoft Online Services Sign-In Assistant and Azure Active Directory Connection preview

Use Connect-MsOlService Cmdlets, you will prompted to signin in a browser with MFA. Once correct MFA is provided, you are signed into Office 365.

Create Azure Internal Load Balancer using PowerShell

Input Parameters:

Subnets: Subnet_10.x.x.x
Resource Groups (Service Name): ServerGroup1
VMs: Server1, Server2
InternalLoadBalancerName: InternalLB1
Port: 443

Find the Subnets where you would like to create a internal load balancer.

Get-AzureVNetSite

Find the VMs which you would like to add to this internal load balancer

Get-AzureVM -ServiceName ServerGroup1

Create a Internal Network

Add-AzureInternalLoadBalancer -ServiceName ServerGroup1 -InternalLoadBalancerName InternalLB1 -SubnetName “Subnet_10.x.x.x” -StaticVNetIPAddress 10.x.x.x

Add VM to this network

Get-AzureVM -ServiceName ServerGroup1 -Name Server1 | Add-AzureEndpoint -LBSetName “InternalLB1” -Name “InternalLB1” -DefaultProbe -InternalLoadBalancerName “InternalLB1” -Protocol tcp -PublicPort 443 -LocalPort 443 -LoadBalancerDistribution sourceIP | Update-AzureVM

Add second VM to this network

Get-AzureVM -ServiceName ServerGroup1 -Name Server2 | Add-AzureEndpoint -LBSetName “InternalLB1” -Name “InternalLB1” -DefaultProbe -InternalLoadBalancerName “InternalLB1” -Protocol tcp -PublicPort 443 -LocalPort 443 -LoadBalancerDistribution sourceIP | Update-AzureVM