Tag: Firewall

Connect Ubiquiti UniFi Dream Machine to Azure VPN

A couple of days ago I got a Ubiquiti UniFi Dream Machine, which is an all-in-one device with an access point, a 4-port switch, and a security gateway (the integrated UniFi USG). After the basic setup, I wanted to connect the Dream Machine to an Azure VPN Gateway (Azure Virtual Network Gateway) using a Site-to-Site VPN. In this blog post, I am going to show you how you can create a Site-to-Site (S2S) VPN connection from your Ubiquiti UniFi Dream Machine to an Azure Virtual Network Gateway.

Azure Virtual Network Gateway and Connection

I already have a virtual network in Azure with the address space 10.166.0.0/16, and I also deployed the Azure Virtual Network Gateway connected to that vNet. The next thing I did was to add a connection to the gateway.

Azure VPN Connection

You need the following:

  • Name for the connection
  • Set Connection type to Site-to-site (IPSec)
  • Create a local network gateway (basically the configuration of your local VPN gateway: its public IP address and the local address prefixes)
  • Define a shared secret

Configure Ubiquiti UniFi Dream Machine VPN connection

Now you can switch to your UniFi Dream Machine, which has a UniFi USG integrated. Under Settings go to Networks and click on Create New Network.

UniFi Network Azure VPN

Here you configure the following:

  • Name of your VPN connection
  • VPN Type: Manual IPSec
  • Remote Subnets which is the Azure vNet address space (in my case 10.166.0.0/16)
  • Peer IP which is the public IP address of the Azure virtual network gateway
  • Local WAN IP
  • the pre-shared key (shared secret)
  • IPSec Profile: Customized
  • Key Exchange Version: IKEv2
  • Encryption: AES-256
  • Hash: SHA1
  • DH Group: 2

After that, the VPN will connect and the status of your Azure virtual network gateway connection will change to connected.
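The Azure side of the same connection can be scripted instead of clicked through the portal. The following is an added PowerShell example (not from the original post), assuming the Az PowerShell module, an assumed resource group `rg-vpn-lab`, an assumed existing virtual network gateway named `vnet-gw`, and placeholders for the Dream Machine's WAN IP, your local LAN prefix and the shared secret.

```powershell
# Added example: create the local network gateway and the S2S connection on the
# Azure side with a custom IPsec policy matching the UniFi profile from the post
# (IKEv2, AES-256, SHA1, DH group 2). Resource names and region are assumptions.
$rg        = 'rg-vpn-lab'                 # assumed resource group
$location  = 'westeurope'                 # assumed region
$udmWanIp  = '<UDM-PUBLIC-IP>'            # placeholder: the Dream Machine's WAN IP
$lanPrefix = '<LOCAL-LAN-PREFIX>'         # placeholder: your UniFi LAN subnet, e.g. a /24
$psk       = Read-Host -Prompt 'Shared secret' -AsSecureString
$pskPlain  = [System.Net.NetworkCredential]::new('', $psk).Password

# The local network gateway describes the on-premises side (the Dream Machine).
$lng = New-AzLocalNetworkGateway -Name 'lng-udm' -ResourceGroupName $rg `
    -Location $location -GatewayIpAddress $udmWanIp -AddressPrefix $lanPrefix

# The existing virtual network gateway attached to the 10.166.0.0/16 vNet.
$vng = Get-AzVirtualNetworkGateway -Name 'vnet-gw' -ResourceGroupName $rg

# Custom policy: every value must match the UniFi "Customized" IPSec profile,
# otherwise IKE negotiation fails and the connection never leaves "Connecting".
# SHA1 and DH group 2 are what the post uses; SHA256 and DHGroup14 are stronger
# choices when the UniFi side is set the same way.
$policy = New-AzIpsecPolicy -IkeEncryption AES256 -IkeIntegrity SHA1 -DhGroup DHGroup2 `
    -IpsecEncryption AES256 -IpsecIntegrity SHA1 -PfsGroup None `
    -SALifeTimeSeconds 27000 -SADataSizeKilobytes 102400000

$conn = New-AzVirtualNetworkGatewayConnection -Name 'conn-udm' -ResourceGroupName $rg `
    -Location $location -VirtualNetworkGateway1 $vng -LocalNetworkGateway2 $lng `
    -ConnectionType IPsec -SharedKey $pskPlain -IpsecPolicies $policy

# Poll until the tunnel reports Connected (the UniFi side must be configured first).
do {
    Start-Sleep -Seconds 15
    $status = (Get-AzVirtualNetworkGatewayConnection -Name $conn.Name `
        -ResourceGroupName $rg).ConnectionStatus
    Write-Host "Connection status: $status"
} while ($status -ne 'Connected')
```

The shared secret is read as a secure string so it does not end up in the shell history or the script file.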

Dream Machine Azure VPN Connection

You can now reach your Azure virtual machine using the private IP address range.

Connected Azure VPN

I hope this was helpful and showed you how you can connect a Ubiquiti UniFi Dream Machine (USG) to an Azure Virtual Network using a Site-to-Site VPN connection. If you want to learn more about Azure Virtual Network Gateways, check out the following documentation:

If you want to know more about point-to-site VPN connection to Azure check out my blog posts:

If you have any questions, feel free to leave a comment.



Azure Firewall Setup

This is the Microsoft Azure Firewall

Last week Microsoft announced some cool new and long-awaited Azure networking functionalities, which are now in public preview. One of them is the Azure Firewall, a fully stateful firewall as a service with built-in high availability and unrestricted cloud scalability. Azure Firewall policies are centrally created and enforced, and it lets you log application and network connectivity across subscriptions and virtual networks.

This is especially helpful in scenarios where you simply want to block internet traffic or you need centralized management and logging. Obviously, there is still room for third-party firewall appliances with even more functionality, but if you need something easy to configure, without any additional licensing, which you can configure automatically using the existing tooling and which scales without limits, the Azure Firewall is a great option.

It is also important to note that the service is still in preview, so additional functionality might be added and existing functionality might change.

Azure Firewall Spoke and Hub Network

(Image credit: Microsoft)

The Azure Firewall provides you with the following features:



5Nine Hyper-V Security Console

5nine Cloud Security for Hyper-V 4.0

Security is a critical part of your datacenter, and with a high virtualization rate it gets even more critical and complex to manage. Gartner estimates that in 2014 roughly 75% of all servers will be virtual, with the number continuing to rise year after year. If you are working in a highly virtualized environment, you know how difficult it can be to protect your virtual machines and networks. It is even harder if you are a cloud service provider and want to protect your customers: sometimes you don’t even have access into the virtual machines, and you cannot really make sure the customer does everything right.

For some customers I was looking for a solution with centralized management and no impact on the performance of the virtual machines. Through some contacts I had the chance to talk with 5Nine Software, which offers some great solutions for Hyper-V management and Hyper-V security. In December, 5Nine Software released the latest beta version of its cloud security product for Microsoft’s virtualization platform, called 5Nine Cloud Security for Hyper-V. The new version includes some new features like real-time active anti-virus protection, VM security groups, a new LWF R2 VM switch extension, role-based access and, most importantly, support for NVGRE, in other words Hyper-V Network Virtualization, which will make service providers especially happy.

5Nine Hyper-V Security Agentless

Some key details about the 5nine Cloud Security for Hyper-V:

  • Multi-tenant security
  • Agentless, host-based solution for AV scans
  • Supporting Windows Server 2012 R2 Hyper-V
  • Granular control over each virtual machine using Hyper-V Extensible Switch, no agent required
    • Configure the Advanced / Full Kernel mode Virtual Firewall for each VM individually
      • MAC Address filtering
      • ARP Rules
      • SPI (stateful packet inspection)
      • Network traffic anomaly analysis
      • Inbound and outbound per VM bandwidth throttling
      • MAC broadcast filtering
      • All filtering events logging with more data (UM logs only contain blocked events)
    • Configure network filtering rules on a per-VM basis
    • Set inbound/outbound traffic limits and bandwidth utilization by virtual machine
  • Meet the security demands of enterprise, management service providers (MSPs), public sector, and hosting providers who leverage Microsoft’s Hyper-V Server and Cloud Platform
  • Provide the first and only seamless agentless compliance and agentless security solution for the Hyper-V Cloud
  • Deliver multi-layered protection together with integrated, agentless antivirus and intrusion detection capabilities
  • Offer unmatched levels of industry-demanded protection and compliance (including PCI-DSS, HIPAA, and Sarbanes-Oxley)
  • Secure the Cloud environment with anti-virus technology that runs with virtually zero performance impact while simultaneously improving virtual machine density
  • Provide network traffic control between virtual machines
  • Enforce secure multi-tenancy and Virtual Machines Security Groups
  • Provide NVGRE support (Hyper-V Network Virtualization)
  • Detect and block malicious attacks
  • Supports any guest OS supported by Windows Hyper-V including Linux

Architecture

In my lab I had the chance to have a look at the latest beta, and I was pretty impressed. The installation and the management are so easy that you don’t really need any documentation. That’s how a security product should work: it should not make your environment even more complex; it should help you keep your environment secure without adding extra complexity.

Let’s first look at the architecture of the environment, which is pretty simple. Basically you have 3 components:

  • The Management Service – This is your 5Nine management server, which needs a SQL database (minimum MS SQL Express); all Hyper-V hosts are connected to this management server.
  • The Host Management Service – which is basically the software and agent running on the Hyper-V host itself.
  • The Management Console – The console where you can configure everything. The console is simply connected to the management server.

Some impressions

If we have a look at one of my Hyper-V hosts after the installation, you can see some new things on the server. Basically, 5Nine Cloud Security adds some services to the Hyper-V hosts (not to the virtual machines) for management and malware protection.

5Nine Hyper-V Security Services

And if we have a look at the Hyper-V Virtual Switch, we can see a new extension added to it.

5Nine Hyper-V Virtual Switch Extension


The management console is where the magic happens and where you configure your environment. The console, in my opinion, is pretty simple, and you can easily find all the options you need.

5Nine Hyper-V Security Console

Besides the Virtual Firewall you can also configure Antivirus Protection, Firewall logging and a lot more.

5Nine Hyper-V Security Antivirus Settings

But wouldn’t it be great to just manage this from your favorite datacenter management tool, System Center Virtual Machine Manager? Well, in version 3 5Nine created a plugin for Virtual Machine Manager which allows you to set all the settings directly from the VMM console.

5Nine Hyper-V Security System Center VMM Plugin

As I already mentioned, I am pretty impressed, and I think this is exactly what a lot of customers and service providers are looking for. It provides a simple, centralized and easy-to-manage Hyper-V security solution and integrates perfectly into your datacenter.




Cisco UCS Hyper-V Cluster – Configure Blade Servers – Part 4

After we have installed the Cisco blade servers, we now have to do some configuration on the hosts.

  1. First I activate remote management, i.e. Remote Desktop, remote MMC and PowerShell.
  2. I add a firewall rule for Remote Disk Management
     netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

    Firewall Rule

  3. After adding this firewall rule, I install the Multipath I/O feature
     ocsetup MultipathIo
  4. Now you can use the MPclaim command-line tool to manage Multipath I/O
    To view all detected enterprise storage:

     Mpclaim -e

    Add MPIO support for Fibre Channel devices:

     mpclaim.exe -r -i -d "<VendorID><ProductID>"

    Important: The device hardware ID is one string made up of the vendor ID and the product ID. The vendor string length is 8 characters, the product string length is 16 characters, and both fields are padded with spaces as needed.
    More information about the MPclaim command-line tool:
    MPclaim

  5. With diskpart you can now see the disks, and you can format them with NTFS. Important: after that you should take the disks offline to use them in the cluster.
    Diskpart
  6. In the configuration menu, enable the Cluster feature.
  7. On each node, take all cluster disks offline in diskpart (the disk number is an example; check it with "list disk" first):
    select disk 2
    offline disk

In the next post we will configure the network adapters of the cluster nodes and create the virtual networks.



Remote Disk Management with “RPC server is unavailable” Error

If you have a Windows Server 2008 R2 Core Server or a Hyper-V Server 2008 R2, which is also managed like a Core Server, you are really happy if you can use Server Manager for this remote machine. Basically I had the remote setup done. I could connect to the remote machine with Server Manager, but when I tried to use Disk Management on the remote server I got the following error: “RPC server is unavailable”. After checking, I found the solution. The problem is that the firewall blocks the remote communication to the Virtual Disk Service, so you have to open the firewall on the management machine.

  1. First make sure you activated all the remote management options on the remote machine. I had already done this, but it’s good to check.
  2. Now you can run the following command in cmd on the management machine to add a new firewall rule:
    netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes

firewall



Windows PPTP VPN with Cisco Linksys RV042

Cisco Linksys RV042

Today, while setting up my little lab, I decided to create a Windows PPTP VPN for my lab network, which should make things more convenient. First I installed the Network Policy and Access Services role and did the configuration. I also enabled PPTP Passthrough and added a port forwarding and a firewall rule on my Cisco Linksys RV042. I know the RV042 is not really a big deal, but it does a lot of jobs, and if you don’t really need a lot of network options, like me in my lab, this is a pretty cool device.

I then tested the VPN connection with my Windows 7 client and got errors 800 and 807, which basically mean that no connection could be established through the firewalls to the VPN server.

I checked the firewall configuration on my RV042 again and could not find any mistake. After a quick search with Google and Bing ;-) I saw a lot of posts describing the same problem with the Linksys RV042.

After some searching I came to a solution: I had deactivated the SPI Firewall on the device, and this was what caused the problem. After activating the SPI Firewall again, the error was gone and the VPN worked.