Achieving transitive routing between regions using VNet peering, Global VNet Peering and a Virtual Network Gateway

Some time early last year Microsoft announced that Global VNet Peering is generally available, which opened up a lot of possibilities.

One requirement from my client was to replace their existing VPN with Global Peering between UK West and UK South without using a third-party appliance to route the traffic.

The existing network looks like this,

FrontEndNetwork and Lab-Vnet are in UK West; DRNetwork is in UK South. Since they are in different regions, there is a VPN between FrontEndNetwork and DRNetwork.

There are two requirements:

  1. Replace the VPN with Global Peering
  2. Make sure that traffic from Lab-Vnet to DRNetwork is routed through FrontEndNetwork

The network should look like below.

There are a few things we need in order to achieve this goal:

1. A gateway subnet in FrontEndNetwork (Azure requires it to be named GatewaySubnet). This is the subnet where all traffic from Lab-Vnet to DRNetwork, and vice versa, lands.

2. A Virtual Network Gateway in FrontEndNetwork. Its private IP address in the gateway subnet is the next hop that Lab-Vnet and DRNetwork route through.

3. Route tables, one for Lab-Vnet and one for DRNetwork.

Before the implementation, I want to demonstrate that the two VMs on the two different networks cannot communicate with each other. The virtual machines are:

  1. TestBackEnd, 192.1.0.4, in DRNetwork
  2. BackupServer, 10.0.0.4, in Lab-Vnet

(Note that 192.1.0.0/24 is not RFC 1918 private space; it is only a lab range here.)

Implementation,

Along with the three steps above, I'd like to show the peering between each network before we start creating the other things.

Peering

Lab-Vnet to FrontEndNetwork, from the Lab-Vnet virtual network

DRNetwork to FrontEndNetwork, from the DRNetwork virtual network

Note: I have chosen "Allow gateway transit" for now, as we don't have the gateway subnet on FrontEndNetwork yet.

FrontEndNetwork to Lab-Vnet, from the FrontEndNetwork virtual network

FrontEndNetwork to DRNetwork, from the FrontEndNetwork virtual network

Creation of the gateway subnet

  • Navigate to FrontEndNetwork
  • Click Subnets under Settings
  • Click "Gateway subnet"
  • Fill in the details as below. The gateway subnet for my lab is 10.1.1.0/24 (the name is fixed to GatewaySubnet)

Creation of the Virtual Network Gateway for FrontEndNetwork

  • Create a new virtual network gateway and associate it with FrontEndNetwork
Note: I can't choose FrontEndNetwork in the screenshot because I've already created one for that VNet, but you should have the option to choose the VNet; if not, check the region to make sure the virtual network gateway and the VNet are in the same region.

Creation of the route table

  • Search for Route table
  • Create a new route table. I've filled in the following information:
  • Go to the TrafficToDrNetwork route table, click Routes and fill in the following information:
Note: I've set the next hop address to 10.1.1.4, the gateway's address in the FrontEndNetwork gateway subnet. Azure reserves the first four addresses of every subnet, so .4 is the first address that can be assigned and is usually what the gateway gets; confirm the gateway's actual private IP before relying on it.

Assigning the route table to Lab-Vnet

  1. Navigate to Virtual network – Lab-Vnet
  2. Click on the subnet whose traffic should be routed to DRNetwork
  3. Click Route table and choose the route table you created in the steps above. In my case, Lab-Vnet should send 192.1.0.0/24 traffic to 10.1.1.4 (RouteToDR)

Assigning the route table to DRNetwork

  1. Navigate to Virtual network – DRNetwork
  2. Click on the subnet whose traffic should be routed to Lab-Vnet
  3. Click Route table and choose the route table you created in the steps above. In my case, DRNetwork should send 10.0.0.0/24 traffic to 10.1.1.4 (RouteToProd)


Before you start testing, go back to Lab-Vnet and DRNetwork and make sure that "Use remote gateways" is checked under "Configure remote gateway settings" on each peering with FrontEndNetwork. You don't have to do anything on the FrontEndNetwork side of the peerings, as "Allow gateway transit" is already enabled there. Bear in mind that a VNet which uses a remote gateway cannot have a virtual network gateway of its own.

Once you have saved the settings, you should be able to ping. If you run tracert you can see that the traffic goes through 10.1.1.4.
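The whole procedure above, written as an added example with the Az PowerShell module (this is not code from the original post). It assumes a resource group named rg-lab, peering names of the form FrontEndNetwork-to-LabVnet, spoke subnets called default and a NIC called backupserver-nic for the BackupServer VM; none of those names are in the post. The three VNets must already exist and be peered in both directions. Rather than assuming the gateway lands on .4, the script reads the gateway's private address back from Azure and checks the effective route on the Lab VM's NIC at the end.

```powershell
# Added example (not from the original post): the same procedure with the Az PowerShell module.
# Assumptions (not in the post): resource group 'rg-lab'; peering names; the spoke subnets
# are called 'default'; the test VM NIC is 'backupserver-nic'. Everything else uses the
# post's names and prefixes. Prerequisite: all three VNets exist and are peered both ways.
$rg      = 'rg-lab'
$hubName = 'FrontEndNetwork'   # UK West hub, gateway subnet 10.1.1.0/24
$labName = 'Lab-Vnet'          # UK West spoke, 10.0.0.0/24
$drName  = 'DRNetwork'         # UK South spoke, 192.1.0.0/24

# 1. Gateway subnet in the hub. Azure requires the name to be exactly 'GatewaySubnet'.
$hub = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $hubName
if (-not ($hub.Subnets | Where-Object Name -eq 'GatewaySubnet')) {
    Add-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix '10.1.1.0/24' -VirtualNetwork $hub | Out-Null
    $hub = Set-AzVirtualNetwork -VirtualNetwork $hub
}

# 2. Route-based VPN gateway in the hub (provisioning takes 30-45 minutes).
$gwSubnet = Get-AzVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $hub
$gwPip    = New-AzPublicIpAddress -ResourceGroupName $rg -Name 'FrontEndNetwork-gw-pip' `
                -Location $hub.Location -AllocationMethod Static -Sku Standard
$gwIpCfg  = New-AzVirtualNetworkGatewayIpConfig -Name 'gwipconfig' -SubnetId $gwSubnet.Id -PublicIpAddressId $gwPip.Id
New-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'FrontEndNetwork-gw' -Location $hub.Location `
    -IpConfigurations $gwIpCfg -GatewayType Vpn -VpnType RouteBased -GatewaySku VpnGw1 | Out-Null

# 3. Next-hop address. Azure reserves .0-.3 of every subnet, so .4 is only the *first possible*
#    gateway address; read the address the gateway actually got instead of assuming it.
$gw   = Get-AzVirtualNetworkGateway -ResourceGroupName $rg -Name 'FrontEndNetwork-gw'
$gwIp = $gw.BgpSettings.BgpPeeringAddress      # gateway's private IP in GatewaySubnet (populated even with BGP off)
if (-not $gwIp) { $gwIp = '10.1.1.4' }         # fall back to the post's value
"Hub gateway private IP: $gwIp"

# 4. One route table per spoke, in the spoke's own region, pointing the other spoke's prefix at the gateway.
function New-SpokeRouteTable {
    param([string]$Name, [string]$Location, [string]$RouteName, [string]$Prefix, [string]$NextHopIp)
    $rt = New-AzRouteTable -ResourceGroupName $rg -Name $Name -Location $Location -Force
    Add-AzRouteConfig -RouteTable $rt -Name $RouteName -AddressPrefix $Prefix `
        -NextHopType VirtualAppliance -NextHopIpAddress $NextHopIp | Out-Null
    Set-AzRouteTable -RouteTable $rt
}
$lab = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $labName
$dr  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name $drName
$rtToDr   = New-SpokeRouteTable -Name 'RouteToDR'   -Location $lab.Location -RouteName 'TrafficToDrNetwork' -Prefix '192.1.0.0/24' -NextHopIp $gwIp
$rtToProd = New-SpokeRouteTable -Name 'RouteToProd' -Location $dr.Location  -RouteName 'TrafficToLabVnet'   -Prefix '10.0.0.0/24'  -NextHopIp $gwIp

# 5. Associate each table with the spoke subnet that hosts the test VM.
function Set-SubnetRouteTable {
    param($Vnet, [string]$SubnetName, $RouteTable)
    $subnet = Get-AzVirtualNetworkSubnetConfig -Name $SubnetName -VirtualNetwork $Vnet
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $Vnet -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -RouteTable $RouteTable | Out-Null
    Set-AzVirtualNetwork -VirtualNetwork $Vnet | Out-Null
}
Set-SubnetRouteTable -Vnet $lab -SubnetName 'default' -RouteTable $rtToDr
Set-SubnetRouteTable -Vnet $dr  -SubnetName 'default' -RouteTable $rtToProd

# 6. Peering flags: the hub allows gateway transit, each spoke uses the hub's gateway.
#    The hub flag must be set before the spoke flag; a VNet with UseRemoteGateways cannot own a gateway.
function Set-PeeringFlags {
    param([string]$VnetName, [string]$PeeringName, [bool]$AllowTransit, [bool]$UseRemote)
    $p = Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $VnetName -Name $PeeringName
    $p.AllowGatewayTransit = $AllowTransit
    $p.UseRemoteGateways   = $UseRemote
    Set-AzVirtualNetworkPeering -VirtualNetworkPeering $p | Out-Null
}
Set-PeeringFlags -VnetName $hubName -PeeringName 'FrontEndNetwork-to-LabVnet'   -AllowTransit $true  -UseRemote $false
Set-PeeringFlags -VnetName $hubName -PeeringName 'FrontEndNetwork-to-DRNetwork' -AllowTransit $true  -UseRemote $false
Set-PeeringFlags -VnetName $labName -PeeringName 'LabVnet-to-FrontEndNetwork'   -AllowTransit $false -UseRemote $true
Set-PeeringFlags -VnetName $drName  -PeeringName 'DRNetwork-to-FrontEndNetwork' -AllowTransit $false -UseRemote $true

# 7. Verify from the data plane's point of view: the effective route for 192.1.0.0/24 on the
#    Lab VM's NIC must be the Active user route with next hop $gwIp; the peering's system route
#    for the same prefix should show as Invalid.
Get-AzEffectiveRouteTable -ResourceGroupName $rg -NetworkInterfaceName 'backupserver-nic' |
    Where-Object { $_.AddressPrefix -contains '192.1.0.0/24' } |
    Select-Object Source, State, AddressPrefix, NextHopType, NextHopIpAddress | Format-Table -AutoSize
```

Run step 7 on a NIC in DRNetwork as well, filtering on 10.0.0.0/24, so that both directions are confirmed before the tracert test; an asymmetric route (one side still using the peering's system route) will pass a ping in one direction and silently fail in the other.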

VJ

Token Signing certificate expiring – ADFS

What happens when your token signing certificate is about to expire, and how you can recover from the situation.

The infrastructure is similar to the following,

Successful authentication flow:

Application authentication page -> redirects to the ADFS sign-in page -> user enters username and password -> ADFS validates the credentials against the identity store -> on success, ADFS issues a signed SAML token to the user -> the user is redirected back to the application, which verifies the token's signature and signs the user in.

SAML failure

The flow works up to the point where the SAML token is handed to the application, but the application fails to validate it, with an error message such as SAML_RESPONSE_INVALID.

Token signing certificate

Some applications respond with the error SAML_RESPONSE_INVALID; others just prompt the user for their credentials again.

At this point we can confirm that the application is rejecting the SAML token, which in practice means it is signed with a certificate the application does not trust.

On the internal ADFS servers you might find two token signing certificates (primary and secondary).

If your ADFS properties (Get-AdfsProperties) show the following:

What happens is this: with AutoCertificateRollover enabled, ADFS generates a new token signing certificate 20 days before the existing certificate's expiry date (CertificateGenerationThreshold) and, 5 days after generating it (CertificatePromotionThreshold), automatically promotes the new certificate to primary. Relying parties that still hold the old certificate start failing at that moment.

As per the screenshot:

The certificate was set to expire on 10/2/2019. Twenty days before that, per the CertificateGenerationThreshold property, ADFS generated a new certificate (20/1/2019 in the screenshot). Five days after that, per the CertificatePromotionThreshold property, the new certificate was switched to primary.

Solution:

  1. Turn off automatic rollover by running the cmdlet Set-AdfsProperties -AutoCertificateRollover $false
  2. In the ADFS console, select the old certificate and click "Set as primary" (the option is disabled until step 1 is done)
  3. This is only a temporary fix to keep production running; the old certificate still expires on its original date. Ask your application vendor to update their copy of the metadata, which you can get from https://<adfs name>/FederationMetadata/2007-06/FederationMetadata.xml (it contains the newly enrolled certificate)
  4. Once the application vendor confirms that they have updated, make the new certificate primary again (steps 1 and 2 with the certificates swapped) and re-enable automatic rollover with Set-AdfsProperties -AutoCertificateRollover $true
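The diagnosis and rollback above as one script, added here as an example rather than taken from the post. It runs in an elevated PowerShell on an ADFS server; the only assumption is the federation service name (adfs.lab.local, hypothetical), everything else is read from ADFS itself. Beyond the steps in the post it also checks which certificates the published metadata advertises and exports the new public certificate for a vendor that cannot pull metadata.

```powershell
# Added example (not from the original post): the rollover diagnosis and rollback above as a
# script. Run in an elevated PowerShell on an ADFS server as an ADFS administrator.
# Assumption (not in the post): the federation service name; everything else is read from ADFS.
param([string]$FederationService = 'adfs.lab.local')   # hypothetical service name
Import-Module ADFS
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# 1. The three properties that drive the behaviour described above (defaults: $true, 20, 5).
$props = Get-AdfsProperties
$props | Select-Object AutoCertificateRollover, CertificateGenerationThreshold, CertificatePromotionThreshold | Format-List

# 2. Token-signing certificates: which one is primary, and how long each has left.
$signing = Get-AdfsCertificate -CertificateType Token-Signing
$signing | Select-Object IsPrimary, Thumbprint, @{n='NotAfter'; e={ $_.Certificate.NotAfter }} | Format-Table -AutoSize
$newCert = ($signing | Where-Object IsPrimary).Certificate              # auto-promoted; the app does not trust it yet
$oldCert = ($signing | Where-Object { -not $_.IsPrimary }).Certificate  # still trusted by the app, expiring soon
$oldDays = ($oldCert.NotAfter - (Get-Date)).Days
"Old certificate expires in $oldDays days; that is the whole window the rollback buys."

# 3. What the published metadata advertises. A relying party that consumes metadata sees both
#    certificates; one holding a static copy of the old certificate is the case described above.
$metaUrl = "https://$FederationService/FederationMetadata/2007-06/FederationMetadata.xml"
[xml]$meta = (Invoke-WebRequest -Uri $metaUrl -UseBasicParsing).Content
$ns = New-Object System.Xml.XmlNamespaceManager($meta.NameTable)
$ns.AddNamespace('md', 'urn:oasis:names:tc:SAML:2.0:metadata')
$ns.AddNamespace('ds', 'http://www.w3.org/2000/09/xmldsig#')
$metaThumbs = $meta.SelectNodes('//md:IDPSSODescriptor/md:KeyDescriptor[@use="signing"]//ds:X509Certificate', $ns) |
    ForEach-Object {
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new(
            [Convert]::FromBase64String($_.InnerText.Trim())).Thumbprint
    }
"Signing certificates advertised in metadata: $($metaThumbs -join ', ')"
if ($metaThumbs -notcontains $newCert.Thumbprint) { Write-Warning 'Metadata does not list the new certificate yet' }

# 4. Export the new public certificate for a vendor that cannot pull metadata themselves.
Export-Certificate -Cert $newCert -FilePath "$env:TEMP\adfs-token-signing-new.cer" -Type CERT | Out-Null

# 5. Emergency rollback: make the old certificate primary again. ADFS refuses this while
#    automatic rollover is on, which is why step 1 of the solution disables it first.
if ($props.AutoCertificateRollover) { Set-AdfsProperties -AutoCertificateRollover $false }
Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $oldCert.Thumbprint -IsPrimary
Get-AdfsCertificate -CertificateType Token-Signing | Select-Object IsPrimary, Thumbprint | Format-Table -AutoSize

# 6. Once the vendor confirms they trust the new certificate, promote it and restore rollover:
#    Set-AdfsCertificate -CertificateType Token-Signing -Thumbprint $newCert.Thumbprint -IsPrimary
#    Set-AdfsProperties -AutoCertificateRollover $true
```

Leaving AutoCertificateRollover disabled after the incident is the common mistake here: the next expiry then arrives with no secondary certificate at all, which is a full outage rather than a single broken relying party.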

Azure MFA is not working

If you have issues with Azure MFA, you are likely affected by an issue on Microsoft's side. Please check the message center in Office 365 to confirm, or call Microsoft.


This has been resolved completely. If you still face issues, it's time to log a case with Microsoft.


We are back with the MFA issue again. MS is working

VJ

NPS Extension for MFA – All you need to know

The NPS extension for Azure MFA lets a RADIUS-based VPN use Azure MFA as a second factor. Although Microsoft's documentation explains clearly how it works and how to configure it, there is not much other information online.

Let’s assume that you have a Radius server as

  1. Lab-DCRadius.
  2. Cisco-Asa


  • I have configured the Cisco ASA to authenticate against Lab-DCRadius. On the NPS server, I have added the Cisco ASA as a RADIUS client and allowed the connection in a network policy.
  • Test the VPN using Cisco AnyConnect to LabVPN.Lab.com

The following diagram illustrates the flow. (The AuthSrv registry keys described further down are what hand the secondary authentication off to Azure MFA.)

Once you have confirmed that the VPN is working,

Install the NPS extension from here. There are two versions, 1.0.1.16 and 1.0.1.20 (1.0.1.21 is available, but only on request from Microsoft).

To make the Azure MFA service accept requests from this NPS server, run the script that ships with the NPS extension once it is installed:

  • Run Windows PowerShell as an administrator.
  • Change directory:
  • cd "C:\Program Files\Microsoft\AzureMfa\Config"
  • Run the PowerShell script created by the installer:

.\AzureMfaNpsExtnConfigSetup.ps1

  • Sign in to Azure AD as an administrator.
  • PowerShell prompts for your tenant ID. Use the Directory ID GUID that you copied from the Azure portal in the prerequisites section.
  • PowerShell shows a success message when the script is finished.


What this script does:

  1. Sets some registry values (the tenant ID and the extension settings)
  2. Creates a self-signed certificate on your server and uploads its public key to Azure AD, where it is registered on the Azure Multi-Factor Auth Client service principal

To verify, check the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\AzureMfa (tenant ID and extension settings)

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters (the AuthorizationDLLs and ExtensionDLL values should point at the extension's DLL)

To verify the certificate:

Local certificate

  1. Open MMC -> File -> Add/Remove Snap-in -> Certificates -> Computer account (Local Computer), click OK
  2. Navigate to Certificates -> Personal -> Certificates

You will find a certificate with the tenant ID in its subject.

  1. Open the certificate's properties; under the Details tab, look for Thumbprint and copy it somewhere.
  2. Now open the Azure AD module for Windows PowerShell
  3. Run the command in the screenshot, which returns the public key(s) registered for the NPS extension in Azure AD

  1. Copy the returned value into Notepad and save it as a .cer file (if you have more than one certificate registered, you will see more values; save each one into a separate .cer file)
  2. Now open the saved .cer file
  3. Under the Details tab, look for the Thumbprint property

Compare these two thumbprints and make sure they match.

Gotchas

  1. What if registration fails? This usually happens either because the account you ran the script with lacks access to the local certificate store, or because the Azure AD account lacks the rights to upload the certificate (Global Administrator is required).
  2. How do I disable MFA on one of the NPS servers to test it?
  • You can disable the extension on a single NPS server. This is useful when troubleshooting, to narrow down which NPS server is having the issue. To disable the extension on an NPS server without de-registering it:
  • Navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters and empty the following values:
    • AuthorizationDLLs
    • ExtensionDLL
  • This stops NPS from calling the extension for secondary authentication (restart the Network Policy Server service afterwards). While the values are empty, users authenticating through that server get in with a password only, so keep the window short and put the values back.
  3. How do I renew the certificate when it expires?
  • The certificate is valid for two years. You can renew it by simply re-running AzureMfaNpsExtnConfigSetup.ps1
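The verification steps and the troubleshooting gotchas above, collected into one script as an added example (not from the original post). It reads the tenant ID and extension settings the setup script wrote, lists the local certificate, warns before it expires, compares it against a .cer file saved from the Azure-side query (the path is an assumption), and can disable or re-enable the extension on this one server while keeping a backup of the registry values it clears. The TENANT_ID value name and the certificate subject format are what the setup script writes in my experience, and are marked as assumptions in the code.

```powershell
# Added example (not from the original post): the verification and troubleshooting steps above
# as one script. Run as an administrator on the NPS server. $CerFromAzure is the .cer you saved
# from the Azure-side query (hypothetical path); the registry paths are the ones the post lists.
param(
    [string]$CerFromAzure = "$env:USERPROFILE\Desktop\mfa-from-azure.cer",
    [switch]$DisableExtension,   # clear AuthorizationDLLs/ExtensionDLL for troubleshooting
    [switch]$EnableExtension     # restore the values saved by -DisableExtension
)

$mfaKey  = 'HKLM:\SOFTWARE\Microsoft\AzureMfa'
$authKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\AuthSrv\Parameters'
$backup  = Join-Path $env:ProgramData 'AuthSrv-Parameters-backup.json'

# 1. What the setup script wrote: tenant ID (value name TENANT_ID, an assumption) and the DLL hooks.
$tenantId = (Get-ItemProperty -Path $mfaKey).TENANT_ID
if (-not $tenantId) { throw "No TENANT_ID under $mfaKey - the setup script has not run here" }
"Tenant: $tenantId"
Get-ItemProperty -Path $authKey | Select-Object AuthorizationDLLs, ExtensionDLL | Format-List

# 2. Local certificate: the setup script issues it with the tenant ID in the subject (assumption).
$local = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$tenantId*" }
if (-not $local) { throw "No certificate containing tenant ID $tenantId in LocalMachine\My" }
$local | Select-Object Subject, Thumbprint, NotAfter | Format-Table -AutoSize

# 3. Expiry: the post says two years of validity; renewal is simply re-running the setup script.
foreach ($c in $local) {
    $days = ($c.NotAfter - (Get-Date)).Days
    if ($days -lt 30) { Write-Warning "Certificate $($c.Thumbprint) expires in $days days; re-run AzureMfaNpsExtnConfigSetup.ps1" }
}

# 4. Compare with the certificate Azure AD holds for this server (the "two thumbprints" check).
if (Test-Path $CerFromAzure) {
    $azure = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($CerFromAzure)
    if ($local.Thumbprint -contains $azure.Thumbprint) { "Match: $($azure.Thumbprint)" }
    else { Write-Warning "Azure AD certificate $($azure.Thumbprint) is not in the local store; registration may have failed" }
}

# 5. Temporarily disable the extension on this server only (registration and certificate stay).
#    NPS reads these values at service start, so the service is restarted each time.
if ($DisableExtension) {
    $cur = Get-ItemProperty -Path $authKey
    @{ AuthorizationDLLs = @($cur.AuthorizationDLLs); ExtensionDLL = @($cur.ExtensionDLL) } |
        ConvertTo-Json | Set-Content -Path $backup
    Set-ItemProperty -Path $authKey -Name AuthorizationDLLs -Type MultiString -Value @()
    Set-ItemProperty -Path $authKey -Name ExtensionDLL      -Type MultiString -Value @()
    Restart-Service -Name IAS        # service name of Network Policy Server
    "Extension disabled on this server; password-only logons until re-enabled. Backup: $backup"
}
if ($EnableExtension) {
    $saved = Get-Content -Path $backup -Raw | ConvertFrom-Json
    Set-ItemProperty -Path $authKey -Name AuthorizationDLLs -Type MultiString -Value ([string[]]$saved.AuthorizationDLLs)
    Set-ItemProperty -Path $authKey -Name ExtensionDLL      -Type MultiString -Value ([string[]]$saved.ExtensionDLL)
    Restart-Service -Name IAS
    'Extension re-enabled'
}
```

Run it with no switches for the checks, `-DisableExtension` to take one server out of the MFA path while you isolate a fault, and `-EnableExtension` to put the saved values back; the backup file is what stops a troubleshooting session from turning into a permanently single-factor VPN.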

Known issue

Recently I have seen version 1.0.1.20 causing performance issues. A newer version, 1.0.1.21, fixes the problem.

Exclaimer for Office 365 – Update

Most of my customers use Exclaimer. Ever since Office 365 started rolling out, Exclaimer has offered cloud signatures to support Office 365 customers.

If you have used the on-prem Exclaimer Signature Manager (Exchange Edition) in the past, you will have come across the Policy Tester, which was very handy for troubleshooting.

This policy tester was missing in Exclaimer Cloud, which made troubleshooting really difficult.

But Exclaimer seems to have taken the feedback on board and brought this feature to the cloud as well. It is called the "Signature Rules Tester":

https://cloudsupport.exclaimer.com/hc/en-us/articles/360008007993-What-is-the-Signature-Rules-Tester-

VJ


Monitoring ADFS through AAD Connect Health Agent

Azure AD Connect comes with a Health Agent which monitors AAD Connect and reports to Azure AD.

The events can be viewed from portal.office.com by choosing Azure Active Directory, then under Manage choosing Azure AD Connect.

In the right pane, under Health and Analytics, click Azure Active Directory Connect Health.

Now that we know how AAD Connect is monitored by the AAD Connect Health agent, the same agent can also be used to monitor ADFS servers and ADFS proxy servers.

To do so:

  1. Download the AAD Connect Health agent from https://www.microsoft.com/en-us/download/details.aspx?id=48261
  2. Run the setup; make sure you are installing the ADFS agent.
  3. It will prompt you to "Configure now". Click it.
  4. You will see the following:

Make sure you have enabled auditing on the ADFS server so that those events are captured in the Azure portal. The ADFS service account also needs the "Generate security audits" user right, otherwise ADFS cannot write to the Security log at all.

To do so:

  1. Open an elevated Windows PowerShell on the ADFS server
  2. Run the following command:

auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable

  3. Open the AD FS management console, click "Edit Federation Service Properties", and under the Events tab check all the event types.
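The auditing steps above, plus the checks I would run to prove the events are actually flowing, as an added example that is not part of the original post. It assumes ADFS 2016 or later (where the AuditLevel property exists) and that the Connect Health agent is already installed, so its Test-AzureADConnectHealthConnectivity cmdlet is available; the event IDs in step 4 are the standard ADFS audit IDs (1200 token issued, 1202 credential validated, 1203 validation failed).

```powershell
# Added example (not from the original post): enable ADFS auditing for the Connect Health
# agent and confirm audit events arrive. Run elevated on each ADFS server.
# Assumptions: ADFS 2016+ (AuditLevel exists); the health agent is installed, so its
# Test-AzureADConnectHealthConnectivity cmdlet is available.
Import-Module ADFS

# 1. Windows audit policy: the "Application Generated" subcategory carries the AD FS audit events.
auditpol.exe /set /subcategory:"Application Generated" /failure:enable /success:enable | Out-Null
auditpol.exe /get /subcategory:"Application Generated"

# 2. The account running the service needs the "Generate security audits" right, or nothing is
#    written to the Security log no matter what the ADFS console says.
$svcAccount = (Get-CimInstance Win32_Service -Filter "Name='adfssrv'").StartName
"ADFS runs as $svcAccount - confirm it holds 'Generate security audits' in the local security policy"

# 3. ADFS-side event selection: every event type, which is what "check all the events" does in
#    the console. Verbose audit detail is noisy; drop back to Basic once the agent is proven.
Set-AdfsProperties -LogLevel @('Errors', 'Warnings', 'Information', 'SuccessAudits', 'FailureAudits', 'Verbose')
Set-AdfsProperties -AuditLevel Verbose
Get-AdfsProperties | Select-Object LogLevel, AuditLevel | Format-List

# 4. Prove audit events are being written before blaming the agent or the portal.
$filter = @{ LogName = 'Security'; ProviderName = 'AD FS Auditing'; Id = 1200, 1202, 1203
             StartTime = (Get-Date).AddHours(-1) }
$recent = Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue
if ($recent) {
    $recent | Select-Object TimeCreated, Id, @{n='Summary'; e={ $_.Message.Split("`n")[0] }} | Format-Table -AutoSize
} else {
    Write-Warning 'No AD FS audit events in the last hour: sign in through ADFS once, then re-check'
}

# 5. Agent side: services up, and the outbound connectivity test the agent ships with.
Get-Service -Name 'AdHealth*' | Select-Object Name, Status | Format-Table -AutoSize
Test-AzureADConnectHealthConnectivity -Role ADFS
```

Step 4 is the one worth keeping as a routine check: if the Security log on the server itself has no AD FS Auditing events, the gap is in auditing or the service account's rights, not in the agent, and that is where to look first.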


Once you’ve done that, you can see events will start showing up on Azure Active Directory Connect Health

Of course you can monitor lot of events.  To know more,

https://docs.microsoft.com/en-us/azure/active-directory/connect-health/active-directory-aadconnect-health-adfs

VJ