So last week I had to add a new address space to a vNet as I needed a separate subnet for Private Endpoints. I added an address space, configured the subnet and set up the private endpoints.
When I started testing I could not reach the private endpoints. I could see the traffic flow in the NSG logs and from other vNets through the Azure Firewall. And I could not figure it out. I asked a few MVP friends and the answer was that this is a limitation in Azure.
This week we have been deploying a new environment in Azure for a client, with a secured vWAN Hub with Azure Firewall. The vWAN Hub is connected to a Cisco SD-WAN appliance that connects all of the client's physical locations. We configured 2 new Domain Controllers and opened up the traffic between the Azure DC and on-premises DC. We could reach the Azure DCs but not the other way around.
With VMM 2019 we got the possibility to set up Azure Update Management for all new VMs being deployed with VM Templates in VMM.
I see great value in this as you do not need to set up a local WSUS server to do patching. And for any hoster you can easily have a single pane of glass in Azure to monitor and update the VMs in your environment.
A few days ago the System Center team posted on the Windows Server blog about the upcoming 2019 release this month.
For the 2019 release there were not a lot of new features, but I wanted to highlight one, the new Azure Monitor overview page. It's an integration between the DPM server, which is connected to Azure Backup, and Azure Log Analytics.
One of the neat things you can do with Virtual Machine Manager is configure it to replicate Virtual Machines to an Azure Recovery Services Vault. And you can use Azure Site Recovery to fail those Virtual Machines over to Azure if you need to.
Let's say your organization wants to set up a solution against a 3rd party web solution that is hosted in the cloud, like an accounting system. And your organization has a rule that this should be Single Sign-On and use your domain login credentials. You already have Azure AD Connector set up with password sync and have all the users synced to Azure AD. And then you realize that the Provider does not have a finished application with a guide in the Enterprise Application store. So what to do then?
So as I am starting a new job in less than 2 months, I thought it was time to move this site from a Virtual Machine running on my current employer's S2D cluster to Azure. So I decided to share my way there. So I started googling on how to do this. There were some guides here and there. Some older ones and one from docs.microsoft.com; this one did not move everything. So I started with one and got a timeout error. Tried another; it did not work.
In the spring we wanted to set up SSO with our support portal Freshdesk. This did not work as we were using a custom URL, and the Azure SSO was expecting oursite.freshdesk.com as the reply-back address and not our custom URL. This was a limitation in the Azure SSO setup.
NAS/VPN Server receives requests from VPN clients and converts them into RADIUS requests to NPS servers.
NPS Server connects to Active Directory to perform the primary authentication for the RADIUS requests and, upon success, passes the request to any installed extensions.
NPS Extension triggers a request to Azure MFA for the secondary authentication. Once the extension receives the response, and if the MFA challenge succeeds, it completes the authentication request by providing the NPS server with security tokens that include an MFA claim, issued by Azure STS.
Azure MFA communicates with Azure Active Directory to retrieve the user's details and performs the secondary authentication using a verification method configured for the user.
The following diagram illustrates this high-level authentication request flow: