Understanding Dynamic Quorum in a Microsoft Failover Cluster

Windows Server 2012: Failover Clustering Deep Dive

Microsoft introduced an advanced quorum configuration option in Windows Server 2012/R2. You can choose to enable dynamic quorum management by cluster. There are major benefits of having dynamic quorum in any Microsoft cluster whether for Exchange DAG, SQL cluster, Hyper-v cluster or file server cluster. When you configure dynamic quorum, the cluster dynamically manages the vote assignment to nodes, based on the state of each node. Votes are automatically removed from nodes that leave active cluster membership, and a vote is automatically assigned when a node re-joins the cluster. Dynamic quorum remove dependencies of a quorum disk in Hyper-v and also enable multi-site cluster in a diverse geographic location without sharing common disk.

Pros:

  • With dynamic quorum management, it is also possible for a cluster to run on the last surviving cluster node.
  • By dynamically adjusting the quorum majority requirement, the cluster can sustain sequential node shutdowns to a single node.
  • The cluster software automatically configures the quorum for a new cluster, based on the number of nodes configured and the availability of shared storage.

Cons:

  • Dynamic quorum management does not allow the cluster to sustain a simultaneous failure of a majority of voting members. To continue running, the cluster must always have a quorum majority at the time of a node shutdown or failure.
  • If you have explicitly removed the vote of a node, the cluster cannot dynamically add or remove that vote.

How to configure a dynamic quorum?

Configure a standard cluster as you do in a Microsoft environment. Then use Quorum Configuration Wizard in Cluster Manager to configure advanced quorum.

  1. In Failover Cluster Manager, select the cluster that you want to change.
  2. With the cluster selected>under Actions>click More Actions> and then click Configure Cluster Quorum Settings> Click Next.
  3. On the Select Quorum Configuration Option page>click Advanced quorum configuration and witness selection
  4. On the Select Voting Configuration page>select an option to assign votes to nodes. By default, all nodes are assigned a vote.
  5. On the Configure Quorum Management page> enable the Allow cluster to dynamically manage the assignment of node votes
  6. On the Select Quorum Witness page>select Do not configure a quorum witness, and then complete the wizard
  7. Click Next>then click Next.

Once quorum is reconfigured then you run the Validate Quorum Configuration test to verify the updated quorum settings. Follow the steps to validate quorum.

  1. In Failover Cluster Manager, select the cluster> run the Validate Quorum Configuration test to verify the updated quorum settings.

VMware vSphere 6.0 VS Microsoft Hyper-v Server 2012 R2

Since the emergence of vSphere 6.0, I would like to write an article on vSphere 6.0 vs Windows Server 2012 R2. I collected vSphere 6.0 features from few blogs and VMware community forum. Note that vSphere 6.0 is in beta program which means VMware can amend anything before final release. New functionalities of vSphere 6.0 beta are already available in Windows Server 2012 R2. So let’s have a quick look on both virtualization products.

Features vSphere 6.0 Hyper-v Server 2012 R2
Certificates

 

Certificate Authority Active Directory Certificate Services
Certificate Store Certificate Store in Windows OS
Single Sign on VMware retained SSO 2.0 for vSphere 5.5 Active Directory Domain Services
Database vPostgres database for VC Appliance up to 8 vCenter Microsoft SQL Server

No Limitation

Management Tools Web Client & VI

VMware retained VI

SCVMM Console & Hyper-v Manager
Installer Combined single installer with all input upfront Combined single installer with all input upfront
vMotion Long distance Migration up to 100+ms RTTs Multisite Hyper-v Cluster and Live Migration
Storage Migration Storage vMotion with shared and unshared storage Hyper-v Live Storage Migration between local and shared storage
Combined Cloud Products Platform Services Controller (PSC) includes vCenter, vCOPs, vCloud Director, vCoud Automation Microsoft System Center combined App Controller, Configuration Manager, Data Protection Manager, Operations Manager, Orchestrator, Service Manager, Virtual Machine Manager
Service Registration View the services that are running in the system. Windows Services
Licensing Platform Services Controller (PSC) includes Licensing Volume Activation Role in Windows Server 2012 R2
Virtual Datacenters A Virtual Datacenter aggregates CPU, Memory, Storage and Network resources. Provision CPU, Memory, Storage and network using create Cloud wizard

Another key feature to be compared here that those who are planning to procure FC Tape library and maintain a virtual backup server note that vSphere doesn’t support FC Tape even with NPIV and Hyper-v support FC Tape using NPIV.

References:

http://www.wooditwork.com/2014/08/27/whats-new-vsphere-6-0-vcenter-esxi/

https://araihan.wordpress.com/2014/03/25/vmware-vs-hyper-v-can-microsoft-make-history-again/

https://araihan.wordpress.com/2013/01/24/microsofts-hyper-v-server-2012-and-system-center-2012-unleash-ko-punch-to-vmware/

https://araihan.wordpress.com/2015/08/20/hyper-v-server-2016-whats-new/

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Assumption:

I assume you have the following infrastructure ready.

  • Domain Controller: DC1PVDC01
  • Certificate Authority: DC1PVCA01
  • AD FS Server: DC1PVADFS01
  • Exchange Server: DC1PVEXCH01

Naming Convention:

  • DC1= Data Center 1 (location)
  • P=Production Systems
  • V=Virtual Server
  • DC=Domain Controller

So on so forth.

Proposed Web Application Proxy Server:

Option Description
Virtual Machine Name DC1PVWAP01
Memory 4GB
vCPU 1
Hard Disk 1 50GB
Network Adapter 2
Guest Operating System Windows Server 2012 R2
Hyper-v Integration Service Installed

Windows Server Role:

Role Web Application Proxy

 

Network Configuration

The network adapter name used within the operating system should be changed to closely match the associated WAP network name. The following binding order will be maintained within Windows operating systems:

  1. First in Order- WAP internal adapter connected to the trusted network.
  2. Second in Order- WAP external adapter connected to the un-trusted network.

The following are the network configuration for WAP server.

Option IP Address Subnet Default Gateway DNS
Internal Network 10.10.10.2 255.255.255.0 Not required 10.10.10.1
External Network 192.168.1.1 255.255.255.0 192.168.1.254 Not required

Important! External Network can be assigned public IP if WAP server isn’t placed behind frontend router/firewall. In an edge configuration WAP external network is configured with public IP and internal network is assigned an IP address of internal IP range.

Configuration Step 1 – Rename Network Adapters:

Rename all network adapters to descriptive names that ideally match the connection type and WAP wizard/console names. For example:

  • WAP adapter connected to the trusted network: Internal Network
  • WAP adapter connected to the un-trusted network: External Network

Configuration Step 2 – Configure Network Adapters:

The Internal Network adapter will normally be connected to your trusted environment. This could be your actual internal network (LAN) or could be a private DMZ (perimeter network) if using an intranet/back firewall.

Internal Network Adapter

  • Default Gateway should not be defined
  • DNS Servers should be defined
  • Client for Microsoft Networks binding – Enabled
  • File and Print Sharing for Microsoft Networks binding – Enabled
  • Register this connection’s address in DNS – Enabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Default

The External Network adapter will normally be connected to your un-trusted environment. This could be your actual Internet connection if using an edge deployment, or could be a public DMZ (perimeter network) if using an existing edge/front firewall.

External Network Adapter

  • Default Gateway should be defined
  • DNS Servers should not be defined
  • Client for Microsoft Networks binding – Disabled
  • File and Print Sharing for Microsoft Networks binding – Disabled
  • Register this connection’s address in DNS – Disabled
  • Enable LMHOSTS Lookup – Disabled
  • NetBIOS over TCP/IP – Disabled

Please Note: The ‘File and Print Sharing for Microsoft Networks’ binding on the TMG internal adapter is left at the default settings of Enabled on the WAP Internal Network adapter. This allows for the use of the Internal Network adapter for intra-array services when using a WAP cluster.

Configuration Step 3 – Amend Bind Order:

Edit the network adapter bind order to place the Internal Network adapter at the top (highest) position and the External Network at the bottom (lowest) position. For example:

  1. Internal Network (Highest)
  2. External Network (Lowest)

To amend network binding follow the steps below:

1. Click Start, click Network, click Network and Sharing Center, and then click Change Adapter Settings.

2. Press the ALT key, click Advanced, and then click Advanced Settings. If you are prompted for an administrator password or confirmation, type the password or provide confirmation.

3. Click the Adapters and Bindings tab, and then, under Connections, click the connection you want to modify.

4. Under Bindings for <connection name>, select the protocol that you want to move up or down in the list, click the up or down arrow button, and then click OK.

DNS Forwarding:

The following Fully Qualified Domain Names (FQDN) will be forwarded from ISP to your router:

Purpose Public Host Name Public IP Address
Exchange webmail.yourdomain.com 203.17.x.x
SharePoint sharepoint.yourdomain.com 203.17.x.x

 

External Firewall Rules

The following NAT rules will be added into perimeter network to publish application and services through WAP. This rule is only apply if you please Web Application Proxy (WAP) behind a firewall or Cisco ASA otherwise you don’t need it.

Rule(s) Description Source IP Destination IP Address Port NAT Destination
1 Exchange Any 203.17.x.x 443 192.168.1.2
2 SharePoint Any 203.17.x.x 443 192.168.1.3

 

Building Web Application Proxy Server on Windows Server 2012 R2 Steps:

  1. Install Windows Server 2012 R2.
  2. Configure TCP/IP of Windows Server 2012 R2
  3. Join Web Application Proxy server to Domain
  4. Install Web Application Proxy Role
  5. Configure Kerberos Constraint Delegation
  6. Configure the firewall to allow HTTPS traffic on port 443 for clients to communicate with the AD FS server
  7. Configure Firewall if WAP Server placed behind a Cisco ASA
  8. Install Public certificate into Web Application Proxy Server
  9. Publish Application

Configure Kerberos Constraint delegation

1. On the domain controller, open Server Manager. To do this, click Server Manager on the Start screen.

2. Click Tools, and then click ADSI Edit.

3. On the Action menu, click Connect To, and then on the Connection Settings dialog box, accept the default settings to connect to the default naming context, and then click OK.

4. In the left pane, expand Default naming context, expand DC=yourdomain, DC=com, expand CN=Computers, right-click CN=DC1PVWAP01, and then click Properties.

5. On the CN=DC1PVWAP01 Properties dialog box, on the Attribute Editor tab, in the Attributes list, select servicePrincipalName, and then click Edit.

6. On the Multi-valued String Editor dialog box, in Value to add, enter HTTP/DC1PVWAP01.yourdomain.com and click Add. Then enter HTTP/DC1PVWAP01 and click Add. The Values list now contains two new entries; for example, HTTP/DC1PVWAP01.yourdomain.com and HTTP/DC1PVWAP01.

7. On the Multi-valued String Editor dialog box, click OK.

8. On the CN=DC1PVWAP01 Properties dialog box, click OK.

9. In Server Manager, click Tools, and then click Active Directory Users and Computers.

10. In the navigation pane, under yourdomain.com, click Computers. In the details pane, right-click the Web Application Proxy server, and then click Properties.

11. On the DC1PVWAP01 Properties dialog box, on the Delegation tab, click Trust this computer for delegation to specified services only, and then click Use any authentication protocol.

12. Click Add, and on the Add Services dialog box, click Users or Computers.

13. On the Select Users or Computers dialog box, in Enter the object names to select, enter the name of the web servers that use Integrated Windows authentication; for example, WebServ1, and then click OK.

14. On the Add Services dialog box, in the Available services list, select the http service type, and then click OK.

15. On the DC1PVWAP01 Properties dialog box, click OK.

Configure AD FS (Optional when using pass-through pre-authentication)

1. On the Start screen, type AD FS Management, and then press ENTER.

2. Under the AD FSTrust Relationships folder, right-click Relying Party Trusts, and then click Add Relying Party Trust to open the Add Relying Party Trust Wizard.

3. On the Welcome page, click Start.

4. On the Select Data Source page, click Import data about the relying party published online or on a local network. In Federation metadata address (host name or URL), type the federation metadata URL or host name for the partner, and then click Next.

5. On the Specify Display Name page type a name in Display name, under Notes type a description for this relying party trust, and then click Next.

6. On the Choose Issuance Authorization Rules page, select either Permit all users to access this relying party then click Next.

7. On the Ready to Add Trust page, review the settings, and then click Next to save your relying party trust information.

8. On the Finish page, click Close. This action automatically displays the Edit Claim Rules dialog box. For more information about how to proceed with adding claim rules for this relying party trust, see the Additional references.

9. in the AD FS Management console, you must set the endpoint to be Proxy Enabled

Configure Certificate Template in CA

Note: This steps is only applicable when using Enterprise certificate authority.

1. Open the Certificate Templates snap-in.

2. In the details pane, right-click an existing certificate that will serve as the starting point for the new certificate, and then click Duplicate Template.

3. Choose whether to duplicate the template as a Windows Server 2003–based template or a Windows Server 2008–based template.

4. On the General tab, enter the Template display name and the Template name, and then click OK.

5. Define any additional attributes such as mark “private key exportable” for the newly created certificate template.

Export & Import Certificates into Web Application Proxy Server

This is a very important steps for published app to work correctly. You must export .pfx certificate from application servers (Exchange, SharePoint or Lync Server) to Web Application Proxy Server so that internet explorer, web application proxy server and application servers validate same certificates.

Exporting a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Export.
  7. Choose Yes, export the private key and include all certificates in certificate path if possible.
    Warning: Do not select the delete private key option.
  8. Leave the default settings and then enter your password if required.
  9. Choose to save the file and then click Finish. You should receive an “export successful” message. The .pfx file is now saved to the location you selected.

Importing from a .pfx File

  1. On the Start menu click Run and then type mmc.
  2. Click File > Add/Remove Snap-in.
  3. Click Certificates > Add.
  4. Select Computer Account and then click Next. Select Local Computer and then click Finish. Then close the add standalone snap-in window and the add/remove snap-in window.
  5. Click the + to expand the certificates (local computer) console tree and look for the personal directory/folder. Expand the certificates folder.
  6. Right-click on the certificate you want to backup and select ALL TASKS > Import.
  7. Follow the certificate import wizard to import your primary certificate from the .pfx file. When prompted, choose to automatically place the certificates in the certificate stores based on the type of the certificate.

Install Web Application Proxy Role

1. On the Web Application Proxy server, in the Server Manager console, in the Dashboard, click Add roles and features.

2. In the Add Roles and Features Wizard, click Next three times to get to the server role selection screen.

3. On the Select server roles dialog, select Remote Access, and then click Next.

4. Click Next twice.

5. On the Select role services dialog, select Web Application Proxy, click Add Features, and then click Next.

6. On the Confirm installation selections dialog, click Install.

7. On the Installation progress dialog, verify that the installation was successful, and then click Close.

Configure Web Application Proxy

1. On the Web Application Proxy server, open the Remote Access Management console: On the Start screen, click the Apps arrow. On the Apps screen, type RAMgmtUI.exe, and then press ENTER. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Yes.

2. In the navigation pane, click Web Application Proxy.

3. In the Remote Access Management console, in the middle pane, click Run the Web Application Proxy Configuration Wizard.

4. On the Web Application Proxy Configuration Wizard, on the Welcome dialog, click Next.

5. On the Federation Server dialog, do the following, and then click Next:

  • In the Federation service name box, enter the fully qualified domain name (FQDN) of the AD FS server; for example, fs.yourdomain.com.
  • In the User name and Password boxes, enter the credentials of a local administrator account on the AD FS servers.

6. On the AD FS Proxy Certificate dialog, in the list of certificates currently installed on the Web Application Proxy server, select a certificate to be used by Web Application Proxy for AD FS proxy functionality, and then click Next.

7. The certificate you choose here should be the one that whose subject is the Federation Service name, for example, fs.yourdomain.com.

8. On the Confirmation dialog, review the settings. If required, you can copy the PowerShell cmdlet to automate additional installations. Click Configure.

9. On the Results dialog, verify that the configuration was successful, and then click Close.

Publish Application using AD FS Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://sp.yourdomain.com/app1/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://sp/app1/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish an integrated Windows authenticated application

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Pre-authentication page, click Active Directory Federation Services (AD FS), and then click Next.

4. On the Relying Party page, in the list of relying parties select the relying party for the application that you want to publish, and then click Next.

5. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://owa.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://owa/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.
  • In the Backend server SPN box, enter the service principal name for the backend server; for example, HTTP/owa.yourdomain.com.

6. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

7. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Client Certificate Pre-Authentication

You can publish an application using pre-authenticated client certificate. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://app.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://app.yourdomain.com/&#8217;

-Name ‘Client certificate preauthentication application’

-ExternalPreAuthentication ClientCertificate

-ClientCertificatePreauthenticationThumbprint ‘123456abcdef123456abcdef123456abcdef12ab’

Publish Application using Pass-through Pre-Authentication

1. On the Web Application Proxy server, in the Remote Access Management console, in the Navigation pane, click Web Application Proxy, and then in the Tasks pane, click Publish.

2. On the Publish New Application Wizard, on the Welcome page, click Next.

3. On the Preauthentication page, click Pass-through, and then click Next.

4. On the Publishing Settings page, do the following, and then click Next:

  • In the Name box, enter a friendly name for the application.
  • This name is used only in the list of published applications in the Remote Access Management console.
  • In the External URL box, enter the external URL for this application; for example, https://maps.yourdomain.com/.
  • In the External certificate list, select a certificate whose subject covers the external URL.
  • In the Backend server URL box, enter the URL of the backend server. Note that this value is automatically entered when you enter the external URL and you should change it only if the backend server URL is different; for example, http://maps/.
  • Web Application Proxy can translate host names in URLs, but cannot translate path names. Therefore, you can enter different host names, but you must enter the same path name. For example, you can enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of http://app-server/app1/. However, you cannot enter an external URL of https://apps.yourdomain.com/app1/ and a backend server URL of https://apps.yourdomain.com/internal-app1/.

5. On the Confirmation page, review the settings, and then click Publish. You can copy the PowerShell command to set up additional published applications.

6. On the Results page, make sure that the application published successfully, and then click Close.

Publish Application using Windows Store App or Oauth2

You can publish an application using pre-authenticated Windows Store App. This steps only be performed using Windows PowerShell. Open Elevated Windows PowerShell prompt in WAP Server. Change the following command as required and issue the command.

Set-WebApplicationProxyConfiguration –OAuthAuthenticationURL ‘https://fs.yourdomain.com/adfs/oauth2/&#8217;

Add-WebApplicationProxyApplication

-BackendServerURL ‘https://storeapp.yourdomain.com/&#8217;

-ExternalCertificateThumbprint ‘1a2b3c4d5e6f1a2b3c4d5e6f1a2b3c4d5e6f1a2b’

-ExternalURL ‘https://storeapp.yourdomain.com/&#8217;

-Name ‘Windows Store app Server’

-ExternalPreAuthentication ADFS

-ADFSRelyingPartyName ‘Store_app_Relying_Party’

-UseOAuthAuthentication

Part 1: Install and Configure Forefront UAG Step by Step

Part 2: Publish RDS using Forefront UAG 2010 Step by Step

Part 3: Publish Exchange Server 2010 Using Forefront UAG 2010 Step by Step

Part 4: Redirect Web Application from HTTP to HTTPS using Forefront UAG 2010 Step by Step

Part 5: Publish SharePoint Server 2010 Using Forefront UAG 2010 Step by Step

Part 6: Forefront UAG Patching Order

Forefront TMG 2010: How to install and configure Forefront TMG 2010 —-Step by step

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part I

Deploy Web Application Proxy Role in Windows Server 2012 R2 –Part II

Web Application Proxy is a role in Windows Server 2012 R2. Web Application Proxy brings some functionality of Microsoft Forefront TMG and Microsoft Forefront UAG but not all of them. Since Microsoft phased out Forefront product line except FIM. Web Application Proxy provides functionality or role in Windows Server 2012 R2 for customer who still wants use Microsoft platform to publish their application such as Exchange 2013, Lync 2013 and SharePoint 2013 to external clients and vendors.

Web Application Proxy provides pre-authentication and authorization method using Active Directory Federation Services including multifactor authentication and access control. Deployment of ADFS is separate to Web Application Proxy which means you must have a separate server hosting ADFS role.

Benefits of Web Application Proxy

  • Pre-authentication—Only authenticated traffic can get into the corporate network.
  • Network Isolation—Incoming web traffic cannot directly access backend servers.
  • Selective Publishing—Only specific applications and paths within these applications are accessible.
  • DDoS Protection—Incoming traffic arrives at Web Application Proxy before hitting the corporate network. Because Web Application Proxy acts as a proxy, many DDoS attacks can be prevented from reaching the backend servers.
  • Selective Ports- Apply deny ALL and allow selected ports. This policy will prevent SQL injection.
  • Extended validation– URL validation and verification using public certificate authority. Support strong security and encryption using SHA and 2048 bit certificate encryption.

Web Application Proxy Infrastructure

  • Active Directory Domain Services (AD DS)
  • Internal Domain Naming System (DNS)
  • External DNS Name Resolver or ISP
  • Active Directory Federation Services (AD FS)
  • Active Directory Certificate Services (AD CS)
  • Web Application Proxy Server(s)
  • Public Certificate Authority
  • Internal Enterprise Certificate Authority
  • Backend Application Server(s)

Web Application Proxy Network

Web Application proxy can be deployed in several topologies. In all these scenario Web Application Proxy needs two network adapter.

Edge Firewall: Behind a frontend firewall like Cisco ASA to separate it from internet. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server.

DMZ: Behind a frontend firewall like Cisco ASA to separate it from internet and before corporate firewall like Cisco ASA to separate it from corporate network. Firewall must allow HTTPS (443) traffic to and from Web Application Proxy server. For client certificate authentication, you must also configure the firewall to allow traffic on port 49443.

Edge Configuration: One network adapter directly connected to internet and another network adapter connected to corporate network. Web Application Proxy can be a member of an Active Directory Domain.

TCP/IP Configuration Examples

Scenario Internal NIC External NIC
non-domain joined IP: 10.10.10.20Subnet: 255.255.255.0

Gateway: 10.10.10.254

DNS:10.10.10.21

IP:192.168.0.10Subnet: 255.255.255.0

Gateway: NIL

DNS: NIL

Domain Joined IP: 10.10.10.20Subnet: 255.255.255.0

Gateway: NIL

DNS:10.10.10.21

IP: 203.17.x.x Public IPSubnet: 255.255.255.0

Gateway:203.17.x.254 Public Gateway

DNS: 8.8.8.8 or Public DNS

DNS Requirement

  • Internal DNS: Web Application Proxy must resolve internal fully qualified domain name of backend application server such as Exchange or SharePoint server. You must configure correct DNS record and TCP/IP Settings of Web Application Proxy Server either using DNS server or editing hosts file in WindowsSystems32DriversEtc location.
  • External DNS: External client must resolve fully qualified domain name of application. In this case, you must configure HOST (A) record in public DNS server. Note that the external URL must resolve to the external IP address of the Web Application Proxy server, or the external IP address of a firewall or load-balancer placed in front of the Web Application Proxy server.

Load Balancer Consideration

Web Application Proxy does not have in-built load balancer or ISP redundancy functionality. Depending on your requirements, you can use any hardware or software load-balancer to balance load between two or more Web Application Proxy Servers.

Domain Joined or non-domain joined

Web Application Proxy can be deployed without joining the server to an Active Directory domain or by joining the Web Application Proxy server to a standalone domain in a perimeter network.

You can deploy Web Application Proxy with a read-only domain controller. However, if you want to deploy Web Application Proxy and DirectAccess on the same server, you cannot use a read-only domain controller.

Authentication Consideration

Web Application Proxy can work with the following authentication protocols.

  • AD FS pre-authentication
  • Integrated Windows authentication
  • Pass-through pre-authentication

Network Time Protocol (NTP)

You must have a proper NTP server in your organization. NTP server can be your domain controller or a Cisco Core Switch. Timestamp must identical between AD FS and Web Application Proxy Server.

Certificate Authority

There are two types of certificate requirements for Web Application Proxy Server- Public CA and Enterprise CA.

  • Public CA: External clients to be able to connect to published web applications using HTTPS, Web Application Proxy must present a certificate that is trusted by clients. In this case you must bind a public certificate with published application in backend server and web application proxy server.
  • Enterprise CA: AD FS certificates must match federation service value. AD FS can use internal Enterprise CA. For examples, Common Name (CN) of Certificate is adfs.superplaneteers.com

Supported Certificate Template

Web Server Certificate with single common name, subject alternative name (SAN) certificates, or wildcard certificates.

Pass-Through Pre-Authentication

When you publish Exchange and SharePoint using Web Application proxy Server, you can pass-through authentication to the specific application instead of AD FS or Web Application Proxy. In this case Web Application Proxy forwards the HTTPS request directly to the backend server using either HTTP or HTTPS. Pass-through authentication is still a worry-free deployment because it prevent DDoS and SQL injection and provide network isolation.

Resolved: WSUS Post Deployment Failed on Windows Server 2012

Error:

2013-11-21 09:43:36  Config file did not contain a value “ContentDirectory”
2013-11-21 09:43:36  Microsoft.UpdateServices.Administration.CommandException: A required configuration value was not found in the system. This is usually caused by installing WSUS through PowerShell and not specifying a configuration file. Review the article Managing WSUS Using PowerShell at TechNet Library (http://go.microsoft.com/fwlink/?LinkId=235499) for more information on the recommended steps to perform WSUS installation using PowerShell.
   at Microsoft.UpdateServices.Administration.PostInstall.GetConfigValue(String filename, String item)

Issue: This is a known issue on Windows Server 2012. Microsoft WSUS team posted an work around to resolve the issue.

Solution: In the WSUS server, open PowerShell, type the following depending on which database you have:

For WID
%programfiles%update servicestoolswsusutil.exe postinstall CONTENT_DIR=C:Wsus

SQL Server databases
%programfiles%update servicestoolswsusutil.exe postinstall CONTENT_DIR=C:Wsus SQL_INSTANCE_NAME=<database server name>

Here content_dir is your real directory where you would like to install WSUS and pointed that directory during WSUS installation and rest are self explanatory. Once you do that you will see output in the logs available in C:UsersthermomixadminAppDataLocalTemp directory.

2013-11-21 09:56:46 Postinstall started

2013-11-21 09:56:46 Detected role services: Api, Database, UI, Services

2013-11-21 09:56:46 Start: LoadSettingsFromParameters

2013-11-21 09:56:46 Content local is: True

2013-11-21 09:56:46 Content directory is: E:WSUS

2013-11-21 09:56:46 SQL instname is: SQL Server Name

2013-11-21 09:56:49 Value is E:WSUS

2013-11-21 09:56:49 Fetching group SIDs…

2013-11-21 09:56:49 Fetching WsusAdministratorsSid from registry store

2013-11-21 09:56:49 Value is S-1-5-2

2013-11-21 10:17:41 Saving Subscription

2013-11-21 10:17:52 Creating default subscription succeeded.

2013-11-21 10:17:54 Populating Auto-Approval Rules.

2013-11-21 10:18:18 Populating Auto-Approval Rules Succeeded.

2013-11-21 10:18:23 StartServer completed successfully.

2013-11-21 10:18:23 Marking PostInstall done for UpdateServices-Services in the registry…

2013-11-21 10:18:23 Mark initialization done in database…

2013-11-21 10:18:25 End: Run

2013-11-21 10:18:25 Postinstall completed

Microsoft Virtual Machine Converter: Switching from vSphere to Hyper-v Made Easy

    Are you having difficulty funding a renewal license of expensive VMware vSphere? There is an alternative brand that adds greater value to the business reducing costs, and accelerating your journey to the cloud. Making the shift from VMware to Microsoft could be the wise decision you ever made after years of working as a CIO or IS Manager. By migrating from VMware to Microsoft, you gain a unified infrastructure licensing model and simplified vendor management, off course it gives you less pain in your wallet too.
    Whether you are looking to add value to your organisation, save cost, support grown or you are a fanatical environmentalist reducing carbon foot print, Hyper-V is the correct choice for you. A move to Microsoft’s virtualization and management platform can help you better meet your business needs. Simply buying Windows Server 2012 data center, you get the cloud computing benefits of unlimited virtualization and lower costs consistently and predictably over time.
    System Center 2012 enables physical, virtual, private cloud, and public cloud management using a single platform. It offers support for multi-hypervisor management, third-party integration and process management, and deep application diagnostics and insight. You can see what is happening inside the performance of your applications, remediate issues faster, and achieve increased agility for your organization.
    With the help of free tools like Microsoft Assessment and Planning Toolkit (MAP), and with the Microsoft Virtual Machine Converter (MVMC), you can quickly, easily and safely migrate over to Hyper-V.  For enterprise customers with large numbers of virtual machines to migrate, the Migration Automation Toolkit (MAT) provides the scalability to handle mass migrations in an automated fashion. System Center 2012 and Hyper-v Server 2012 support guest virtual machine of all major Linux and Unix distribution inclusive Microsoft OS off course.
    In a nutshell Microsoft Virtual Machine Converter:
  • Provides a quick, low-risk option for VMware customers to evaluate Hyper-V.
  • Converts VMware virtual machines to Hyper-V virtual machines.
  • Convert virtual hardware and keep same configuration of original virtual machine.
  • Supports a clean migration to Hyper-V with un-installation of VMware tools on the source virtual machine.
  • Provides GUI or scriptable CLI and Windows PowerShell, making it simple to perform virtual machine conversion.
  • Installs integration services for Windows 2003 guests that are converted to Hyper-V virtual machines.
  • Supports conversion of virtual machines from VMware vSphere 4.1 and 5.0 hosts.
  • Support migration of guest machine that is part of a failover cluster.
  • Supports offline conversions of VMware-based virtual hard disks (VMDK) to a Hyper-V-based virtual hard disk file format (.vhd file).
      • Relevant Articles
        Microsoft Virtual Machine Converter Solution Accelerator
        Migration Automation Toolkit (MAT)
        Cost Calculator
        Download Windows Server 2012
        Download System Center 2012
        Hyper-v vs vSphere
        Is VMware’s fate heading towards Novell?