In the last couple of years Microsoft has been working actively on new features in Azure Active Directory. For those who aren’t aware of what that is, briefly: it is identity as a service hosted in Azure. It is not the same as regular Active Directory even though it shares the name; it is a user administration system that stores users in a directory, but it is built for the cloud. You also don’t have features like Group Policy, and the notion of machine objects is (almost) not present; I’ll come back to that.
So when you set up an Intune account, Office365 account or CRM Online, it will automatically create an Azure Active Directory tenant. All users that are created will be populated into that Azure AD tenant. From an administrator’s point of view all they will see is the users listed in their administration portal. In order to get the full benefit of Azure Active Directory you need to go into Azure.
(Before I go into specifics you need to be aware that there are 3 editions of Azure Active Directory: Free, Basic and Premium.) You can see the different features that are included in all 3 here –>
Also take note that Premium is included in the Microsoft EMS package (with Azure Rights Management and Intune) https://msdn.microsoft.com/en-us/library/azure/dn532272.aspx
So what do I mean by “built for the cloud”? Well, first of all, regular Active Directory, which today is well established and one of the key components of an on-premise setup, does not work well with all the SaaS services that are being added to many enterprises today. Many vendors do include Active Directory integration in their service (like Dropbox and such), but that is because there are no native features for this in Active Directory.
Azure Active Directory, on the other hand, is built to be a platform which can include all the applications you want and work as an identity provider for all your SaaS applications as well as on-premise ones. Many are familiar with the synchronization tools that Microsoft offers to give a consistent user experience between on-prem and Office365. These tools will place users in the Azure Active Directory tenant, and we can then build upon that with new features and add integrations with other SaaS applications. We can also use Azure Active Directory standalone if we want a more purely cloud-based setup.
So what does Azure Active Directory consist of?
- Azure Access Control
- Azure Authentication System (SAML, OpenID & OAuth, WS-Federation)
- Azure Graph
- Azure Rights Management Service
- Azure Multi-factor authentication
All these services have a set of sub-features as well, but with all this Azure Active Directory can be a platform for managing identity across different clouds. So what might it look like? Let’s think of a traditional enterprise where all new employees are created in the HR application; IT then needs to set up an Active Directory user and would then need to provision access to all the SaaS apps that the company uses.
What would it look like with Azure Active Directory set up together with the different tools that Microsoft offers?
Let’s look at the example again: a new employee is set up in the HR system. Microsoft Identity Manager (which is the vNext of Forefront) has a connector which grabs hold of that information, runs a workflow for how new employees should be set up and provisions a user in the local Active Directory. Azure AD Connect (which is the new and upcoming replacement for DirSync and AAD Sync) will, based upon the filters, sync the user to Azure Active Directory. There can also be an ADFS which allows for true SSO, since ADFS will then work as a SAML IdP and users authenticate against it in real time. Another option is to set up user synchronization with password hash sync, which allows users to use their existing username and password (a bit delayed when a password has been changed and a sync has not yet run), but it does not give users true SSO to services in Azure.
Now that the users are in Azure we can set up access to other SaaS services like Salesforce, Dropbox, other social media applications and maybe even Citrix. Another option is to set up an internal application which we want to publish. This requires another feature called Application Proxy, which lets users authenticate with their Azure AD credentials (with or without MFA) and then proxies the connection to an on-prem service.
So far I’ve covered some of the basics. Let’s look at how it looks. This is a screenshot from my management portal; here I have one directory.
Inside here I have multiple users, some cloud-only and some synced from on-premise. Here I also have the option to manage MFA for my tenant (I have a valid subscription).
Also inside the tenant directory I have a bunch of different options which we are going to go through.
First, let’s look at the configuration part. The first part is where we customize the sign-in experience for our users.
So we can define the logo, background screen and such. Just basic stuff, so when users try to log in they might see this.
We also have configuration options for user password reset.
We can also define a password writeback feature (which allows new passwords generated in Azure AD to be written back to an on-premise Active Directory. Note that this requires the Active Directory sync services to be set up with the writeback feature).
As I mentioned earlier, Azure AD has no idea about machine objects; well, it kind of does. This is another preview feature, and it allows Windows 10 machines to “join” Azure Active Directory and allows user login using Azure AD credentials.
(From a Windows 10 Technical Preview machine)
After joining the Azure AD domain you can now sign in with your credentials.
There are also a lot of different options regarding group management in Azure.
And one important part is Application Proxy.
I have blogged about this before (https://msandbu.wordpress.com/2015/02/19/publishing-internal-applications-using-azure-active-directory-using-application-proxy/)
So let’s talk a bit about the important part: the applications. Azure has a few possibilities when adding applications: working as a front-end authentication layer, for instance for on-prem applications; single sign-on for web-based applications (password and federated SSO); and setting up MFA.
So let’s start with adding Facebook to our tenant and setting up the new feature called password rollover (which allows Azure AD to automatically update a password on behalf of the user).
Head on over to Applications and choose Add from Gallery.
Find Facebook in the list and choose OK.
Click on Configure Single sign-on and choose Password SSO. (Note that this requires that a user authenticates first with a username and password using a browser which has the Azure AD extension installed. When the user has authenticated, the extension will take the username and password, encrypt them and store them in the Azure AD tenant, so the next time the user logs in they don’t need to enter a username and password.)
Then let’s assign some users. Go into Users and Groups, find a user and choose Assign.
We can also enter a username and password on behalf of the user.
(Note that for LinkedIn, Twitter and Facebook we have the preview feature automatic password rollover.)
Then click OK.
Now let’s add an on-prem application. As I’ve blogged about this before I won’t show all the steps, just what’s new.
For on-premise applications we can configure access rules. Let’s for instance say that all users (except sales users) need to use MFA when accessing this application from outside the office.
Note that this is based upon IP whitelisting to decide who needs to access with or without MFA. This is part of the cloud-based MFA feature; it is also possible to download a server component of MFA which you can attach to your on-prem services as well, using traditional AD https://msandbu.wordpress.com/2014/05/05/azure-multifactor-authentication-and-netscaler-aaa-vserver/
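To make the access rule above concrete, here is a small Python model of it. This is an added example, not code from the original post or from Microsoft: it evaluates the rule “everyone except the sales group must do MFA when the request does not come from a whitelisted office IP range” and records the reason for the decision the way a sign-in log would. The group names, the office ranges and the users are constructed for illustration; the point is that the exemption is tied to group membership while the trust decision is tied only to the source address, so an unparseable or unknown address must fall on the “outside the office” side.

```python
# Added example (not from the original post): a model of the access rule
# described above. Group names, IP ranges and users are constructed.
from dataclasses import dataclass, field
import ipaddress

# Constructed "office" ranges, i.e. the IP whitelist. IPv4 and IPv6 both work.
OFFICE_RANGES = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "2001:db8:10::/48")]
# Constructed group name that is exempt from MFA in the rule above.
MFA_EXEMPT_GROUPS = {"sales"}


@dataclass
class User:
    name: str
    groups: set = field(default_factory=set)


def is_office_ip(source_ip: str) -> bool:
    """True if the caller's address falls inside one of the whitelisted ranges."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        # Anything that does not parse is treated as outside the office, never as trusted.
        return False
    return any(addr in net for net in OFFICE_RANGES)


def mfa_required(user: User, source_ip: str) -> bool:
    """Apply the rule: MFA for everyone outside the office, except exempt groups."""
    if is_office_ip(source_ip):
        return False
    return not (user.groups & MFA_EXEMPT_GROUPS)


def decide(user: User, source_ip: str) -> dict:
    """Return the decision together with the reason, in the shape a sign-in log would carry."""
    inside = is_office_ip(source_ip)
    mfa = mfa_required(user, source_ip)
    if inside:
        reason = "source in office whitelist"
    elif not mfa:
        reason = "group exemption: " + ",".join(sorted(user.groups & MFA_EXEMPT_GROUPS))
    else:
        reason = "outside office, no exemption"
    return {"user": user.name, "source_ip": source_ip,
            "inside_office": inside, "mfa": mfa, "reason": reason}


if __name__ == "__main__":
    # Constructed sign-in attempts exercising each branch of the rule.
    for u, ip in [(User("alice", {"finance"}), "203.0.113.7"),
                  (User("alice", {"finance"}), "198.51.100.9"),
                  (User("bob", {"sales"}), "198.51.100.9"),
                  (User("eve", set()), "not-an-ip")]:
        print(decide(u, ip))
```

Note that the exemption only removes the MFA step; it does not grant access by itself, and the reason string is what you would want to keep in the sign-in log so that later review can tell a whitelist hit from a group exemption.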
Note that you can also use Azure Active Directory as a SAML IdP and use the Graph API when developing other applications and set up integration with it. There are also some applications, like Salesforce, which offer full identity management, true SSO and provisioning.
But only a few vendors have added this support. Now, if we approach an enterprise with “Hey, you should get Azure AD, it’s great stuff!” and they have something like 200 SaaS-based applications in use, how can you get the overview? Microsoft has also created something called Cloud App Discovery (which is also in preview –> https://appdiscovery.azure.com/)
which is basically an agent that you download and run in your infrastructure; it will gather info, find out what applications are being used and try to map them against those that Microsoft has support for.
So when you have set up the applications and given users access, how does it look?
And voila, user access!
This was just a brief touch on Azure Active Directory. In the last 6 months these features have been added to Azure AD:
•Dynamic Group membership
•Azure AD Connect Health
•200+ applications in the gallery list
•SaaS provisioning attributes
•MIM in Public Preview
•Azure AD Proxy
•Azure AD on iOS and Android
•Conditional Access per App
And this list will continue to grow. If you want to see what’s happening with Azure AD I suggest you follow Alex Simons (@Alex_a_simons) on Twitter (he is the Product Manager for Azure AD, and judging from the feature list he is feeding his developers Red Bull or something stronger)
and follow the Azure AD blog http://blogs.technet.com/b/ad/
Stay tuned for more news about Azure AD
Something caught my eye earlier today that I wasn’t aware of. With Citrix Receiver 4.2, Citrix introduced support for audio over UDP with Netscaler Gateway. This is huge, since ICA proxy has always been TCP, but now it adds support for audio over UDP, which gives much better performance since it doesn’t have the overhead that TCP does.
Checking Citrix eDocs I didn’t find much info. All I noticed was the information in the release notes of Citrix Receiver. Then out of the blue comes this forum post –> http://discussions.citrix.com/topic/361759-udp-audio-through-netscaler-with-dtls/
which basically states that in order to set up audio over Netscaler Gateway using UDP (DTLS) we need to define Citrix Receiver policies.
Then we need to enable DTLS on the Netscaler Gateway (which is now supported on the e-builds).
Then we are all set. You can use the HDX Monitor inside an ICA session to see that audio over UDP is enabled.
This is an issue I have seen a couple of times now, so I decided to write a blog post about it. In January I had some issues with our test servers running Office365 with Shared Computer Activation: the credential tokens were not working and users needed to re-authenticate when opening another Office application.
I have also gotten a couple of questions by email and some on the Microsoft forum asking about the same.
I did a bit of troubleshooting and didn’t figure out what the issue was right away, but this feature had been working for quite some time, so it must have been an update that caused the issue, and since Office365 is Click-to-Run, which is updated by Microsoft, it must have been a new build that made this happen.
Therefore I used the Group Policy templates that come with Office365 (which can be downloaded here –> http://www.microsoft.com/en-us/download/details.aspx?id=35554)
(Here are the version builds) http://support2.microsoft.com/gp/office-2013-365-update
and specified which build to use. I chose the November build and Shared Computer support worked as intended again. So it seems there is a bug/issue in the December and February builds.
Today Veeam announced an RC of Veeam B&R Patch 2 and Veeam Endpoint Backup, which now allows us to integrate with a Veeam repository.
NOTE: This is an RC, not intended for production, but please give it a try and give Veeam some feedback on this great product!
You can fetch the RC releases here –> http://forums.veeam.com/veeam-endpoint-backup-f33/veeam-endpoint-backup-free-rc-t26694.html#p139052
One can never be too careful, so don’t install this in production… or you can’t.
The setup is pretty simple: install the Endpoint Backup product on a server, define a backup mode,
then choose the backup repository!
Define a username and password which has access to the backup repository.
Then let the magic fly!!!
to be continued!
Citrix just recently announced the tech preview of the latest StoreFront X1 (and Receiver for Web X1). So is this where we finally get back the Web Interface features that have been missing for some time?
So what’s new? As you can see, after an installation the management is still the same,
it just has some new features available. We can now customize website appearance (add logos).
We can define what type of website we want (Classic is the regular green-bubble StoreFront).
We can also add shortcuts to websites (why not resources!).
We can also create featured app groups, which can be department specific. And we can use keywords in applications to differentiate the applications.
The new website GUI has had an overhaul.
But it still has much of the same CSS properties available as regular StoreFront; the new Receiver X1 web is located under inetpub\wwwroot\Citrix\Websitename\receiver
And desktops and applications look a lot nicer as well.
Looking forward to the new Citrix Receiver as well! Happy customizing!
There is no denying that Microsoft is moving more and more focus into their cloud offerings, with solutions such as Office365, EMS (Enterprise Mobility Suite) and of course their Azure platform.
EMS, being the latest product bundle in the suite, gives customers Intune, Azure Rights Management and Azure Active Directory Premium. So if a customer already has Office365, their users are already placed in Azure AD and can then easily be attached to EMS for more features.
We are also seeing Microsoft add more and more management capabilities for Office365 into their Intune suite (which is one of the key points no other vendor has yet), but is this type of management something we need, or is it just there to give it a “key” selling point?
Microsoft has added a lot of MDM capabilities to Intune, but they are nowhere close to the competition yet. Of course they have other offerings in the EMS pack, like Azure Rights Management, which is quite unique in the way it functions and integrates with Azure AD and Office365. As of 2014 Microsoft isn’t even listed on the Gartner quadrant for EMM (which they stated would be the goal for 2015).
But it will be interesting to see if Microsoft’s strategy is to compete head-to-head with the other vendors, or if they wish to offer the basic features and delve more into Azure AD and identity management across clouds and SaaS offerings.
Citrix, on the other hand, have their XenMobile offering, which is a more complete EMM product suite (MDM and MAM, follow-me data with ShareFile, and so on). Citrix has a lot of advantages, for instance using ShareFile against OneDrive. ShareFile has encryption of data even when it is stored locally and runs in a sandboxed application (on a mobile device), while the only option OneDrive has is as part of Rights Management Service (of course OneDrive has extensive data encryption in transit and at rest https://technet.microsoft.com/en-us/library/dn905447.aspx).
Citrix also has MicroVPN functionality and secure browser access using VPN access through Netscaler, while Microsoft also has a secure browser application, which is much more limited: it restricts which URLs can be opened and what content can be viewed from that browser.
So from a customer’s side you need to ask yourself:
- What kind of requirements does my business have?
- Do I use Office365 or a regular on-premise setup?
- Do I need the advanced capabilities?
- How are my users actually working?
Is there a best of both worlds using both of these technologies?
Of course there are some features that overlap when using Office365 and EMS + XenMobile, but there are also some features which are important to be aware of:
* Citrix has ShareFile storage controller templates in Azure (meaning that if a customer has IaaS in Azure, they can set up a ShareFile connector in Azure and use that to publish files and content without using OneDrive).
* Citrix has a ShareFile connector to Office365 (which allows users to use ShareFile almost as a file aggregator between Office365 and their regular file servers), which allows for secure editing directly from ShareFile.
* Citrix XenMobile has a lot better MDM features for Windows Phone than Intune has at the moment.
* Azure AD has a lot of built-in SSO access to many of Citrix’s web-based applications (ShareFile, GTM, GTA and so on); since users are already in Azure AD Premium, it can be used to grant access to the different applications using SSO.
* Netscaler as SAML IdP (if we have an on-premise enterprise solution we can use the Netscaler to operate as a SAML identity provider against Office365, which allows it to replace ADFS, which is otherwise required for full SSO of on-premise AD users to Office365).
* Office365 ProPlus with Lync is supported on XenApp/XenDesktop with the Lync Optimization Pack (note that this is not part of XenMobile but of the Workspace Suite).
* Netscaler and Azure MFA (we can use Azure MFA with Netscaler to publish web-based applications with traffic optimization).
* Netscaler will also soon be available in Azure, which allows for setting up a full Citrix infrastructure in Azure.
Looking ahead, I would guess that Microsoft is moving forward with the user collaboration part; it is going to become the heart of identity management with Azure AD and Rights Management, while Citrix on the other hand will focus more on enabling mobility using solutions like EMM (MAM), follow-me data aggregation, secure file access and devices. Citrix will also play an important part in hybrid setups using Netscaler with CloudBridge and as an identity provider on-premise.
Before I start: I have already blogged about setting up Veeam Cloud Connect in Azure https://msandbu.wordpress.com/2014/11/12/veeam-cloud-connect-for-microsoft-azure-walkthrough/
And it’s important to remember that Veeam Cloud Connect is only available for Veeam Service Providers (or VCP, Veeam Cloud Providers).
This is more of a technical overview of the solution.
On-premise Veeam customers who have version 8 (and should also have Patch 1 installed) can add a service provider from their console; this can be an IaaS solution running in Azure.
End customers are given a usage quota on the cloud repositories. This defines how much data they can store on their cloud repository.
So how do we set this up in Azure?
- Use the template from Veeam which is in the Azure Marketplace (NOTE: this requires a paid subscription in order to be activated), or
- download the bits and install it ourselves.
When setting this up in Azure there are a few things to take notice of.
Firstly, always check where the closest datacenter to the customers is; you can use this third-party website as a reference –> http://www.azurespeed.com/
The first two virtual machines are used as cloud gateway proxies. They will handle the incoming data but not store it. The important thing to take note of here is the bandwidth requirement, which depends on how many customers you have; since they operate as a proxy I would try to keep them as cheap as possible. So let’s look at the A-instance virtual machines.
A2 gives us 200 Mbps bandwidth and should be adequate for gateway proxy performance. On a side note, A instances do not have SSD drives, so if we want to set up customers using WAN acceleration we should use the D-series (which has an SSD-backed D:\ drive), which gives a good boost when doing the digest work of comparing blocks. (Ref blog post on IOPS performance in Azure –> https://msandbu.wordpress.com/2013/07/16/azure-and-iops-performance/)
There are also some other limits that need to be taken into account, first of all when planning for repositories. Data disks in Azure only support up to 1 TB per disk, meaning that if you need to store more than 1 TB you need to set up Storage Spaces running across many drives (note that Storage Spaces and geo-replication are not supported together).
There is also a cap of 500 IOPS per data disk; this can be increased a bit by using Storage Spaces as well. For a regular A4 instance there is a maximum of 16 data disks; look at this reference sheet https://msdn.microsoft.com/en-us/library/azure/dn197896.aspx. There are higher amounts of IOPS for the D- and G-series, which also allow for higher amounts of stored data.
Then you might think, “well, that’s not much data, a maximum of 32 TB?” It is important to note that this is not a replacement for on-premise backup, and that moving 32 TB of data from Azure back on-premises during an outage may be limited by the internet bandwidth available at the customer. Just for info, moving 1000 GB over a 100 Mbps link requires 23 hours… (If your customers require more data, better bandwidth and lower latency, well, Azure is not the right solution.)
Lastly, it’s important to set up load balancing for our cloud gateways. The cloud gateways already have built-in load balancing and will redirect internally based upon traffic. What we need is to load balance the initial request to the cloud gateway, since after the first connection Veeam will keep a list of the available cloud gateways.
There are two ways to do this using Azure. Either we can use regular DNS-based round robin, meaning that we have multiple A records for the same FQDN. When Veeam connects it is able to download all the A records and try them one after another. The problem with DNS round robin is that it has no option to check health, and therefore it might take more time before a working gateway is found.
We can also use Traffic Manager (which is Azure’s DNS-based load balancing), which has the ability to do health probes to check whether the gateways are alive or not. The negative side of this is that when a DNS request is made to our Traffic Manager DNS alias it will only respond with one IP address / FQDN.
Setting up Traffic Manager in Azure is a pretty simple case: you just set it up and give it a URL (which then needs to be attached using a CNAME to an FQDN of your choice in your domain).
Note that this requires that we have multiple cloud services (which in turn each have their own public IP address).
The monitoring part here is a bit tricky, since by default it uses HTTP GET requests to verify the existence of a server, either using HTTP or HTTPS. This requires installation of IIS and then setting up ACLs on the endpoints so they only respond to Microsoft Traffic Manager.
The instances running as cloud gateways need to be put in an availability group in order to get an SLA from Microsoft. When in an availability group, Microsoft knows they can take one of the roles in the group down when they do maintenance, allowing the other one to keep running.
The repositories can be customer specific (depending on the size) but should not be placed in an availability group (since there are no options for shared storage in the backend to keep it redundant). If a virtual machine is not placed in an availability group, the Azure administrator will get a notice 2 weeks beforehand, and in most cases it will just cause the virtual machine to reboot once before it is up and running again.
So suddenly yesterday I was struck by lightning or something: I was about to have a Lync meeting when it suddenly wouldn’t start. It kept giving me “application stopped responding”, so I did a quick restart, but that didn’t work either, even though it has been working for the last couple of months.
Took a quick look in the event log and then I saw this.
So ntdll exports the native Windows API. So why did this suddenly stop working?
Then it got me thinking: what has changed on my computer in the last couple of days? Updates!
Took a quick look at the different Windows updates that were installed, but uninstalling them gave me no luck. Then I remembered that I had installed a new graphics driver from AMD the other day (which was released on the 6th of February); when I rolled back to the previous driver from January, Lync started working again.
One of the cool features in Azure Active Directory is the integration for all kinds of applications, be it SaaS or internal applications. It allows us to externally publish applications which are otherwise only accessible from the inside. The internal applications are published to the users and are accessible from the application portal. This also gives us the possibility to have an authentication layer in front of all applications using Azure AD.
So let’s go ahead and publish our internal application. Head on over to the Applications pane in Azure AD and choose New, then choose “Publish an application that will be accessible from outside your network”.
Next I need to enter the information on the internal application and the authentication layer; by default it is published using an external URL.
Next I need to give my users access to the application.
Next I head on over to the application dashboard and choose Enable Application Proxy, then I download the Application Proxy connector (note: it does not require a public IP address).
The installation of the connector is pretty simple.
Then log in with an Azure AD credential.
Then it will automatically register with the Azure AD tenant, and if one of the users tries to open the app portal the application will appear.
When a user tries to open the application it will communicate through the proxy connector (notice the URL).
Voila, we have just published an internal application using the Azure AD proxy.
This is something I’ve struggled a bit with in the past, and I also see it in a couple of forum posts on Citrix, and there is as always not so much detailed info on how to verify “WHAT THE HELL IS WRONG WITH THE D*** CONNECTION TO DNS AND LDAP!!!”
So I decided to write this post, since both DNS and LDAP are crucial when adding them to the Netscaler.
Let’s start with DNS. There are a couple of ways to add DNS on the Netscaler: either UDP, TCP or TCP & UDP. UDP is the one that is typically used, since DNS by default uses UDP; TCP is more for zone transfers and so on.
So what happens if we add a DNS server using UDP? Well, the Netscaler is going to ping the DNS server to see if it is alive (so if ICMP is blocked it will show as DOWN). It will check every 20 seconds to see if it responds on UDP/53. Also important to note is that it uses the SNIP address to communicate with the DNS server.
How can we verify that it can do a name lookup? (By default most of the built-in tools like nslookup, dig and so on do not work with the Netscaler since it has its own DNS feature built in, and those tools will only query the local DNS, not the external one.)
To test DNS, use the command
show dns addRec <hostname>
If we switch from UDP to TCP it will use a TCP handshake to verify that the server is available, but it will not do the regular DNS query. So what if we cannot reach the DNS server? Ping from the CLI uses the NSIP by default,
but with ping on the Netscaler we can define a source address (which we can set to one of the SNIP addresses). Note that the source option must come before the target address:
ping -S source-address ip-address
If you take a trace file you can also see that it works as it should.
If your SNIP does not have access to the DNS server you need to either define ACLs which allow it to communicate with the DNS server, create a new SNIP which has local access to the DNS server, or define a policy-based route which defines where the SNIP needs to go in order to reach the DNS servers.
For instance, if I want to set up a specific route for my DNS traffic from my SNIP, I can set up a PBR which looks like this (this is a policy route only for ICMP).
After I create the PBR I have to run the command apply pbrs.
So that takes care of DNS; what about LDAP? When we set up LDAP servers in the Netscaler we have the Retrieve Attributes button. Great! Well, almost: the retrieval is done from the NSIP (not from the endpoint client’s IP), so by default it uses the NSIP. So we can use ping to verify network connectivity. We can also use telnet to verify connectivity, since telnet also originates from the NSIP.
Shell –> telnet
open 192.168.60.1 389 (this tries to connect to the LDAP port 389)
How can you verify that it works? It says Connected; if it stays on Trying… the port is not available. If you want to change it so that the Netscaler uses a SNIP instead of the NSIP, this can be done by setting up a load-balanced vServer for the AD/LDAP servers and then pointing the LDAP authentication policy at that vServer.
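The two manual checks above (a real DNS query over UDP/53, and a TCP connect to LDAP/389) can also be scripted from a troubleshooting host so that the source address is chosen explicitly, which mirrors the SNIP-versus-NSIP distinction this post is about. The following is an added example in Python, not code from the original post or from Citrix, and it is meant to run from an admin machine rather than on the Netscaler itself. It builds a raw A query, checks that the reply carries the same transaction id and a clean RCODE before trusting it, parses the answer section, and does a plain TCP connect for the LDAP port. The server address, hostname and source addresses in the `__main__` block are placeholders.

```python
# Added example (not from the original post or from Citrix): DNS and LDAP
# reachability checks from a chosen source address. Sample values are placeholders.
import socket
import struct
import random


def build_dns_query(hostname: str, txid: int) -> bytes:
    """Build a standard recursive A query (QTYPE=1, QCLASS=IN) for hostname."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(struct.pack("!B", len(label)) + label.encode("ascii")
                     for label in hostname.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(buf: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) DNS name and return the new offset."""
    while True:
        length = buf[pos]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, then the name ends
            return pos + 2
        if length == 0:
            return pos + 1
        pos += 1 + length


def parse_dns_a_answers(resp: bytes, txid: int) -> list:
    """Return the A record addresses in resp; refuse replies with a wrong id or an error RCODE."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (stray or spoofed reply)")
    rcode = flags & 0x000F
    if rcode != 0:
        raise ValueError("server returned RCODE %d" % rcode)
    pos = 12
    for _ in range(qd):
        pos = _skip_name(resp, pos) + 4            # skip QNAME, then QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(resp, pos)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[pos:pos + 10])
        pos += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[pos:pos + 4]))
        pos += rdlen                               # skip non-A records (CNAME etc.)
    return addrs


def dns_lookup_from(server: str, hostname: str, source_ip: str, timeout_s=3.0) -> list:
    """Send the query over UDP/53 bound to source_ip (the SNIP analogue) and parse the reply."""
    txid = random.randrange(0, 0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout_s)
        s.bind((source_ip, 0))
        s.sendto(build_dns_query(hostname, txid), (server, 53))
        resp, _ = s.recvfrom(512)
    return parse_dns_a_answers(resp, txid)


def tcp_port_open_from(server: str, port: int, source_ip: str, timeout_s=3.0) -> bool:
    """Equivalent of 'telnet server 389', but bound to a chosen source address."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout_s)
        s.bind((source_ip, 0))
        try:
            s.connect((server, port))
            return True
        except OSError:
            return False


if __name__ == "__main__":
    # Placeholders: replace with your DNS/LDAP server and a local address on the SNIP's subnet.
    server, source = "192.168.60.1", "0.0.0.0"
    try:
        print("A records:", dns_lookup_from(server, "dc01.example.test", source))
    except (OSError, ValueError) as exc:
        print("DNS check failed:", exc)
    print("LDAP/389 reachable:", tcp_port_open_from(server, 389, source))
```

Binding the socket to a specific local address is what makes this different from a plain nslookup: if the bound address is on the same subnet as the SNIP and the query still times out, the problem is the path from that subnet (ACLs, missing PBR), not the DNS server itself. The transaction id and RCODE checks are there so a stray or wrong reply is reported as an error rather than silently accepted as a successful lookup.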