Install and Configure VMware NSX

Recently we have been looking to implement zero trust networking. One way to achieve this would be to use a physical firewall and multiple VLANs to break out traffic and restrict access to each VLAN, but this would take a long time to complete and is quite difficult to manage.

It would require adding between 30 and 60 additional VLANs to our physical servers and VMware, and reassigning IPs to each server, which would cause a lot of downtime.

As an alternative to this I have been looking at VMware NSX to try to achieve the same segmentation without the need to redesign the entire VMware network.

NSX consists of multiple components under different planes (management, control and data plane). The original post shows a diagram of the different planes here.

In the next set of posts I am going to go through installing and configuring a basic NSX deployment. I will be setting this up in a lab environment and will use nested ESXi and appliances.

It is recommended to have NSX installed on its own management cluster along with vCenter.

The first step is to download the OVA for NSX; the current version is 6.4.4:

https://my.vmware.com/web/vmware/details?productId=417&downloadGroup=NSXV_644

Below are the system requirements to deploy NSX:

NSX Component     Hard Drive (GB)   Memory (GB)   vCPU
NSX Manager       60                16            4
NSX Controller    20                4             4

NSX 6.4.4 is not supported on vSphere 5.5. Below are the supported and recommended versions of vSphere to run NSX 6.4.4:

  • For vSphere 6.0:
    Supported: 6.0 Update 2, 6.0 Update 3
    Recommended: 6.0 Update 3. vSphere 6.0 Update 3 resolves the issue of duplicate VTEPs in ESXi hosts after rebooting vCenter Server. See VMware Knowledge Base article 2144605 for more information.
  • For vSphere 6.5:
    Supported: 6.5a, 6.5 Update 1
    Recommended: 6.5 Update 1. vSphere 6.5 Update 1 resolves the issue of EAM failing with OutOfMemory. See VMware Knowledge Base article 2135378 for more information.

Once the OVA is downloaded, log on to vCenter, right-click on the datacenter and select Deploy OVF Template.

Select the location of the OVA.

Give the appliance a name.

Select the cluster that will run the appliance.

Click Next.

Accept the licence agreement and click Continue.

Choose Thick Provision.

Select the network that will be used for the management network.

The next screen is where all the customization is set up:

Appliance Password:

HostName:

Network settings: management IP, subnet, gateway, DNS and NTP. Leave these blank if you want to use DHCP, but it is recommended to use static addresses.

Once all settings are configured, click Next and confirm all settings on the last screen. Once finished, the OVA should start to deploy. (Note that this failed the first time for me as I selected a host, and there seems to be an issue with this in vCenter 6.7; once I selected the cluster the OVA deployed without issue.)

Once the OVA had been deployed I decided to edit the memory size as I was running low on memory, so I changed it from 16 GB to 8 GB, but for production this should be left at 16 GB.

After this you can connect using the DNS name configured above or through the management IP.

The last step in this post is to connect NSX to vCenter.

Log on using admin and the password specified in the config of the OVA.

Click on Manage vCenter Registration.

Both the Lookup Service and the vCenter Server connection will need to be configured.

Add the vCenter server and user name / password.

There will be a prompt to trust the vCenter certificate; click Yes to continue.

Once configured, both statuses should show as Connected.

Open the vCenter web client, and once logged on there should now be an additional tab for Networking & Security. (At the time of this post this option is only available in the Flash version of the web client, not the HTML5 version.)

In the next post we will start to configure the NSX and controllers.

Azure Configure vNet peering

To allow communication between vNets in Azure we can set up peering connections. This is useful if there is a need to have different vNets for things like web apps and backend database zones.

To configure peering we will require two different vNets; both must be in the same Azure region.

Currently when I try to ping a VM that is running in a different vNet there is no communication.

Log on to Azure.

Go to All services > Virtual networks.

Once in Virtual networks, select the network that will be configured for peering.

Once the network blade is open go to Peerings > Add.

Enter a Name and select the subscription that the other vNet is in. Then select the virtual network. Under Configuration select Enabled, and as the last step tick Allow forwarded traffic.

Below are some details on the three options:

  • Allow forwarded traffic: This setting allows the peer's forwarded traffic (traffic not originating from inside the peer virtual network) into your virtual network.
  • Allow gateway transit: Allows the peer virtual network to use your virtual network gateway. The peer virtual network cannot already have a gateway configured, and must select 'Use remote gateway' in its peering settings.
  • Use remote gateway: You will need to select this option if you wish to use your peer's virtual network gateway. The peer virtual network must have a gateway configured, as well as 'Allow gateway transit' enabled. Only one peering in this virtual network can have this enabled. You cannot use this setting if you already have a gateway configured in your virtual network.

Once all settings are confirmed click OK to create the peering.

To allow communication both ways, peering will need to be set up on the App network as well.

Once both are enabled we can now see responses to the ping requests.

To lock down communication between the networks we can add NSGs to restrict what inbound and outbound traffic is allowed from the subnets.
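The same peering done with Az PowerShell, as an added example that is not part of the original post: it creates the peering in both directions (the state stays Initiated until the second side exists), confirms both sides report Connected, and then attaches an NSG that only allows the traffic the App subnet needs. The resource group, vNet and subnet names, address ranges and region are placeholders I have assumed for a lab.

```powershell
# Added example, not from the original post: peer two vNets in both
# directions, verify the state, and restrict traffic with an NSG.
# Resource group, vNet/subnet names, address ranges and region are assumed.
$rg       = 'rg-lab'
$location = 'westeurope'
$webVnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-web'
$appVnet  = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'

# A peering is one-directional. With only one side configured the state
# stays "Initiated" and the ping from the post still fails.
Add-AzVirtualNetworkPeering -Name 'web-to-app' -VirtualNetwork $webVnet `
    -RemoteVirtualNetworkId $appVnet.Id -AllowForwardedTraffic | Out-Null
Add-AzVirtualNetworkPeering -Name 'app-to-web' -VirtualNetwork $appVnet `
    -RemoteVirtualNetworkId $webVnet.Id -AllowForwardedTraffic | Out-Null

# Both sides should now report PeeringState = Connected
foreach ($vnetName in 'vnet-web', 'vnet-app') {
    Get-AzVirtualNetworkPeering -ResourceGroupName $rg -VirtualNetworkName $vnetName |
        Select-Object Name, PeeringState, AllowForwardedTraffic, AllowGatewayTransit, UseRemoteGateways
}

# Lock down: the default AllowVnetInBound rule (priority 65000) treats a
# peered vNet as "VirtualNetwork", so an explicit deny must sit below it.
$allowSql = New-AzNetworkSecurityRuleConfig -Name 'allow-web-to-sql' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix '10.1.0.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '10.2.0.0/24' -DestinationPortRange 1433
$denyWeb = New-AzNetworkSecurityRuleConfig -Name 'deny-web-other' -Priority 200 `
    -Direction Inbound -Access Deny -Protocol '*' `
    -SourceAddressPrefix '10.1.0.0/24' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange '*'
$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $rg -Location $location `
    -Name 'nsg-app-db' -SecurityRules $allowSql, $denyWeb

# Re-read the vNet (the peering changed it) and bind the NSG to the DB subnet
$appVnet = Get-AzVirtualNetwork -ResourceGroupName $rg -Name 'vnet-app'
$subnet  = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $appVnet -Name 'snet-db'
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $appVnet -Name 'snet-db' `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$appVnet | Set-AzVirtualNetwork | Out-Null
```

The explicit deny rule is the part that is easy to miss: once the vNets are peered, the built-in VirtualNetwork service tag covers the peer as well, so without a deny rule below 65000 every port in the peer stays reachable.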

Configure MFA For Azure Application Proxy

In the last post we set up Azure Application Proxy to allow internal applications to be made available externally using AAD integration.

To add additional security to the setup we can enable MFA for the group or users that will be allowed access.

To enable MFA we need to create a conditional access policy and enable it on the application proxy.

First step: log in to Azure.

Go to Azure Active Directory (AAD).

Go to Enterprise applications.

Select the application proxy that will require MFA to be enabled.

Once in the application proxy go to Conditional Access and select New policy.

Give the policy a meaningful name, as it will appear in the overall Conditional Access policies as well as on the application. This will make it easier to manage if there are multiple policies.

Then select Users and groups and select the required users or group.

Next select the cloud apps that will require MFA; in this case it is the Exchange ECP application that was configured previously.

We will not set up conditions, but if this is required it can be set to only allow access from certain device types, locations and sign-in risk levels.

Next go to Access controls and then the Grant tab. Select Grant access, tick Require multi-factor authentication and Require one of the selected controls.

The last step is to enable the policy.

Click Create at the bottom of the policy.

The policy should now show and have a tick under Enabled.

Now when we try to access the ECP application proxy URL, we should be prompted for MFA and asked to register and verify a device to be used for MFA.

It is a good idea to enable MFA for applications as it gives an additional layer of security.
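The same policy created with the Microsoft Graph PowerShell SDK, as an added example that is not part of the original post: it targets one group and one application, grants access with MFA as the single required control (the "Require one of the selected controls" setting corresponds to the OR operator), starts in report-only mode so the sign-in logs show who would be affected, and then switches the policy on. The group name, application name and scopes are assumptions.

```powershell
# Added example, not from the original post: build the conditional access
# policy from the post with Microsoft Graph PowerShell. Group and app names
# are assumed placeholders; look them up in your own tenant.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Application.Read.All', 'Group.Read.All'

$group = Get-MgGroup -Filter "displayName eq 'ECP Users'"                 # assumed group
$app   = Get-MgServicePrincipal -Filter "displayName eq 'Exchange ECP'"   # assumed app proxy app

$policy = @{
    displayName = 'Require MFA - Exchange ECP App Proxy'
    # Report-only first: the sign-in log shows the policy result without blocking anyone
    state       = 'enabledForReportingButNotEnforced'
    conditions  = @{
        users        = @{ includeGroups = @($group.Id) }
        # Conditional access targets the application (client) id, not the object id
        applications = @{ includeApplications = @($app.AppId) }
    }
    grantControls = @{
        operator        = 'OR'          # "Require one of the selected controls"
        builtInControls = @('mfa')      # "Require multi-factor authentication"
    }
}

$new = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
"Created policy $($new.Id) in state $($new.State)"

# After checking the report-only results, enforce it
Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $new.Id `
    -BodyParameter @{ state = 'enabled' }

Get-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $new.Id |
    Select-Object DisplayName, State
```

Creating the policy in report-only mode and enabling it as a second step avoids locking out an account that is not yet registered for MFA; the portal flow in the post goes straight to Enabled.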

Configure Azure Application Proxy To Access Internal Application

To access internal applications we can use Azure Application Proxy to integrate with Azure AD and allow remote access to internal resources.

Using Azure Application Proxy requires an Azure AD Basic, Premium P1 or Premium P2 subscription.

An account with Global Administrator rights is required.

The Azure Application Proxy connector requires Windows Server 2012 R2 or later.

Below are the pre-requisite ports and URLs:

Port number   How it's used
80            Downloading certificate revocation lists (CRLs) while validating the SSL certificate
443           All outbound communication with the Application Proxy service

URL                                                                                    How it's used
*.msappproxy.net, *.servicebus.windows.net                                             Communication between the connector and the Application Proxy cloud service
mscrl.microsoft.com:80, crl.microsoft.com:80, ocsp.msocsp.com:80, http://www.microsoft.com:80   Azure uses these URLs to verify certificates
login.windows.net, login.microsoftonline.com                                           The connector uses these URLs during the registration process
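A pre-flight check for the endpoints in the table, as an added example that is not part of the original post: run it on the server that will host the connector before installing the MSI, so a DMZ firewall rule that is missing shows up as a failed TCP test rather than as a registration error later. The two wildcard entries cannot be tested directly because the exact hosts are only known after the connector registers, so only the fixed hosts are checked; everything else in the list is a choice of mine.

```powershell
# Added example, not from the original post: test outbound reachability of
# the fixed endpoints the connector needs. Wildcard hosts (*.msappproxy.net,
# *.servicebus.windows.net) are tenant-specific and are not covered here.
function Test-AppProxyPrereqs {
    $checks = @(
        @{ Host = 'login.microsoftonline.com'; Port = 443 }   # registration
        @{ Host = 'login.windows.net';         Port = 443 }   # registration
        @{ Host = 'crl.microsoft.com';         Port = 80  }   # CRL download
        @{ Host = 'mscrl.microsoft.com';       Port = 80  }   # CRL download
        @{ Host = 'ocsp.msocsp.com';           Port = 80  }   # OCSP
        @{ Host = 'www.microsoft.com';         Port = 80  }   # cert verification
    )
    foreach ($c in $checks) {
        $r = Test-NetConnection -ComputerName $c.Host -Port $c.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host      = $c.Host
            Port      = $c.Port
            Resolved  = [bool]$r.RemoteAddress
            Reachable = $r.TcpTestSucceeded
        }
    }
}

$results = Test-AppProxyPrereqs
$results | Format-Table -AutoSize

# The connector talks to Azure through the machine-wide WinHTTP proxy, not the
# user's browser proxy, so show that setting too when something is blocked.
if ($results | Where-Object { -not $_.Reachable }) {
    Write-Warning 'One or more endpoints are blocked; current WinHTTP proxy setting:'
    netsh winhttp show proxy
}
```

A failed test on port 80 is as important as one on 443: if CRL and OCSP checks cannot complete, certificate validation of the service endpoints fails even though the 443 connection itself works.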

The following diagram (in the original post) shows how Azure AD and Application Proxy work together to provide single sign-on to on-premises applications.

To start we need to download and configure the proxy connector.

Log in to Azure.

Go to Azure Active Directory (AAD).

Once in AAD go to Application proxy.

Click Download connector service.

Once downloaded, run the MSI on the server that will be used as the application proxy connector (I used a server in a DMZ zone). It will prompt for an Azure account with Global admin rights.

Once configured, the server should now show in the Application proxy tab.

Once connected and active, the next step is to configure the application.

Go to AAD and Enterprise applications.

Once in Enterprise applications click on New application.

Click on On-premises application.

Below is a description of each field and option available in the application proxy:

Name: The name of the application that will appear on the access panel and in the Azure portal.

Internal URL: The URL for accessing the application from inside your private network. You can provide a specific path on the backend server to publish, while the rest of the server is unpublished. In this way, you can publish different sites on the same server as different apps, and give each one its own name and access rules.

If you publish a path, make sure that it includes all the necessary images, scripts, and style sheets for your application. For example, if your app is at https://yourapp/app and uses images located at https://yourapp/media, then you should publish https://yourapp/ as the path. This internal URL doesn't have to be the landing page your users see. For more information, see Set a custom home page for published apps.

External URL: The address for users to access the app from outside your network. If you don't want to use the default Application Proxy domain, read about custom domains in Azure AD Application Proxy.

Pre Authentication: How Application Proxy verifies users before giving them access to your application.

  • Azure Active Directory – Application Proxy redirects users to sign in with Azure AD, which authenticates their permissions for the directory and application. We recommend keeping this option as the default, so that you can take advantage of Azure AD security features like conditional access and Multi-Factor Authentication. Azure Active Directory is required for monitoring the application with Microsoft Cloud Application Security.
  • Passthrough – Users don't have to authenticate against Azure Active Directory to access the application. You can still set up authentication requirements on the backend.

Connector Group: Connectors process the remote access to your application, and connector groups help you organize connectors and apps by region, network, or purpose. If you don't have any connector groups created yet, your app is assigned to Default.

If your application uses WebSockets to connect, all connectors in the group must be version 1.5.612.0 or later.

Fill out the details required. I am using Passthrough for pre-authentication for the web site, but this can be changed to AAD, which then requires authentication before the site can be accessed.

(I created a basic IIS page on an internal web server to test with.)

Next step: copy the external URL and try to access the site. There should be no prompt and the site should load.

(Yay, my lovely test site is available 🙂 )

I decided to also allow access to my internal Exchange server and to also test the AAD pre-authentication.

First create a second application proxy and set the Pre Authentication to Azure Active Directory.

I wanted to use a custom domain name for the second application proxy, so I changed the external URL to the custom domain name in Azure.

Once a custom domain is selected we can add a certificate to match the URL.

There will be a warning that a CNAME entry will be required to point from the custom URL to the msappproxy.net address.

(This will require a CNAME record to be created on the public DNS server that maps the application proxy to msappproxy.net.)

Once configured we need to add a user or group to allow access.

Go to the application proxy, select the required application proxy and click on Users and groups, then Add user, and select either the user or group that will be allowed access.

Copy the link for the application proxy.

Unless a valid cert was also uploaded you will receive a cert error; click Continue to site.

It should now prompt for AAD authentication. Use an account that has access rights to the proxy.

Once logged in, the ECP page should now show.

SCCM Task Sequence Windows 10 Language Pack’s Install

On a recent project there was a requirement to install different language packs and configure regional / keyboard settings. I was having issues getting this working, so I thought I would do a post on how I ended up getting it working correctly.

To skip the OOBE initial setup screen we can use an unattended XML answer file. I have done a different post on creating a basic answer file; see the link below.

https://thesleepyadmins.com/2019/05/31/create-windows-10-answer-file/

If this is not set up you will be prompted to complete the initial Windows 10 setup along with selecting the language settings.

The next problem I had was trying to find the language packs; I ended up downloading the language pack ISO from the Microsoft Visual Studio site.

Once downloaded I needed to mount the ISO and copy the required language packs.

Once all the required language packs were copied, create a new package for each pack.

The next step is to configure the XML files that will be used to configure the regional and keyboard settings for each language pack. I used this support how-to as a reference for the XML:

https://support.microsoft.com/en-ie/help/2764405/how-to-automate-regional-and-language-settings-in-windows-vista-window

Below is the XML file that was used for the German language pack.

Below is the export from the above XML file (check the double quotes if copying, as the format can change when copying and that will cause issues):

<gs:GlobalizationServices xmlns:gs="urn:longhornGlobalizationUnattend">

  <!-- user list: apply to the current user and copy to the default and system accounts -->
  <gs:UserList>
    <gs:User UserID="Current" CopySettingsToDefaultUserAcct="true" CopySettingsToSystemAcct="true"/>
  </gs:UserList>

  <!-- system locale -->
  <gs:SystemLocale Name="de-DE"/>

  <!-- user locale -->
  <gs:UserLocale>
    <gs:Locale Name="de-DE" SetAsCurrent="true" ResetAllSettings="false"/>
  </gs:UserLocale>

  <!-- location (GeoID 94 = Germany) -->
  <gs:LocationPreferences>
    <gs:GeoID Value="94"/>
  </gs:LocationPreferences>

  <!-- input preferences: add German keyboard as default, remove US English -->
  <gs:InputPreferences>
    <gs:InputLanguageID Action="add" ID="0407:00000407" Default="true"/>
    <gs:InputLanguageID Action="remove" ID="0409:00000409"/>
  </gs:InputPreferences>

</gs:GlobalizationServices>

I used the sites below to get the GeoID and the input locales:

GeoID: https://docs.microsoft.com/en-ie/windows/desktop/Intl/table-of-geographical-locations

Input locales: https://docs.microsoft.com/en-us/windows-hardware/manufacture/desktop/default-input-locales-for-windows-language-packs

Once we have all the language packs completed, create a single package with all the XML files, or add the XML files to the language packages created above. I went with one package for all the XML files.

The next step is to add the steps to the Windows 10 task sequence.

Add a Run Command Line task, use the command below and replace the .cab file with the required language pack. Select the corresponding package.

Below is the command for the German .cab:

dism.exe /norestart /online /add-package /packagepath:.\Microsoft-Windows-Client-Language-Pack_x64_de-de(German).cab

After this step add a Restart task.

The next step is to apply the XML files to set the regional / keyboard settings. Below is the command line I used:

rundll32.exe shell32,Control_RunDLL intl.cpl,,/f:".\German.xml"

When copying the command above, check that the double quotes are in the correct format or the command could fail to apply the XML file.

After this step do another restart. The last step I did was to configure the time zone for each region. I used the site below to get the time zone values:

Time zone values: https://support.microsoft.com/en-us/help/973627/microsoft-time-zone-index-values

Below is the command line to set the time zone:

cmd.exe /c tzutil.exe /s "W. Europe Standard Time"

Below is the finished task sequence with all languages added.

The last step was to set a condition to apply each package. I used the host name as the condition to apply the language packs, as each country has its own naming convention; this was the easiest way for me.

Once this was completed I tested and all packages were applied without error.
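The three task-sequence steps above (add the language pack, apply the regional XML, set the time zone) as one PowerShell script, added here as an example and not part of the original post. It picks the language from the host name prefix, mirroring the host-name condition used above, and refuses to run the XML through intl.cpl if it contains the curly quotes the post warns about. The prefix-to-language map, the second (French) entry, the file names other than the German .cab from the post, and the assumption that the .cab and .xml sit in the script's package directory are all mine. The two restarts from the task sequence are marked in comments; in a real sequence each numbered block would be its own step.

```powershell
# Added example, not from the original post: select language by host-name
# prefix and run the dism / intl.cpl / tzutil steps from the post.
# Assumptions: prefix map, French entry, file names (other than the German
# .cab named in the post) and that the files sit next to this script.
$langs = @{
    'DE' = @{ Cab = 'Microsoft-Windows-Client-Language-Pack_x64_de-de(German).cab'; Xml = 'German.xml'; Tz = 'W. Europe Standard Time' }
    'FR' = @{ Cab = 'Microsoft-Windows-Client-Language-Pack_x64_fr-fr.cab';         Xml = 'French.xml'; Tz = 'Romance Standard Time' }   # assumed
}

function Get-LanguageForHost {
    param([string]$ComputerName, [hashtable]$Map)
    # Host names in the lab start with a two-letter country code (assumption)
    if ($ComputerName.Length -lt 2) { return $null }
    $prefix = $ComputerName.Substring(0, 2).ToUpper()
    if ($Map.ContainsKey($prefix)) { return $Map[$prefix] }
    return $null
}

function Test-NoSmartQuotes {
    param([string]$Path)
    # Copy/paste turns " into U+201C/U+201D, which intl.cpl silently rejects
    $text = Get-Content -Path $Path -Raw
    return -not ($text -match '[\u201C\u201D\u2018\u2019]')
}

$lang = Get-LanguageForHost -ComputerName $env:COMPUTERNAME -Map $langs
if (-not $lang) { Write-Warning "No language mapping for $env:COMPUTERNAME, nothing to do"; exit 0 }

$packageDir = $PSScriptRoot
$cab = Join-Path $packageDir $lang.Cab
$xml = Join-Path $packageDir $lang.Xml
if (-not (Test-Path $cab)) { throw "Language pack not found: $cab" }
if (-not (Test-NoSmartQuotes -Path $xml)) { throw "Smart quotes found in $xml; fix them before applying" }

# 1. Add the language pack (task sequence: Restart step follows this)
$p = Start-Process -FilePath "$env:SystemRoot\System32\dism.exe" -Wait -PassThru -NoNewWindow `
    -ArgumentList "/online /norestart /add-package /packagepath:`"$cab`""
if ($p.ExitCode -notin 0, 3010) { throw "DISM failed with exit code $($p.ExitCode)" }   # 3010 = reboot required

# 2. Apply regional / keyboard settings (task sequence: another Restart after this)
Start-Process -FilePath "$env:SystemRoot\System32\rundll32.exe" -Wait -NoNewWindow `
    -ArgumentList "shell32,Control_RunDLL intl.cpl,,/f:`"$xml`""

# 3. Time zone
& "$env:SystemRoot\System32\tzutil.exe" /s $lang.Tz
if ($LASTEXITCODE -ne 0) { throw "tzutil failed with exit code $LASTEXITCODE" }
```

Checking the DISM exit code matters in a task sequence: dism returns 3010 when the package needs a reboot, and treating that as a failure would abort the sequence before the restart step that the post adds.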

SUP Migration WUHandler Error CWuaHandler::SetCategoriesForStateReportingExclusion

Just want to put this up in case anyone else runs into this issue. I had to test migrating the WSUS and SUP role from my primary site server to its own standalone server, so I could complete the same task in production.

After the migration all updates showed as unknown for all devices. I checked the update deployment log and WUAHandler.log under c:\Windows\CCM and the update scan started but just sat at the below log output:

Assignment({968F78AA-AE13-495C-83D9-74920944C702}) already in progress state (AssignmentStateDetecting). No need to evaluate

When I checked the WUAHandler log I could see the below, but the site never registered the new WSUS server:

CWuaHandler::SetCategoriesForStateReportingExclusion called with {GUDI } for bundles

I checked the general bits like the site status, component status and wsyncmgr.log; all were green and working correctly. I then checked a few posts online and most pointed to a Content Version / MinSourceVersion mismatch issue in the WSUS DB.

I checked this and my content version was the same as MinSourceVersion, so that was not the issue. I then had a look at the Windows Update registry key on the clients to see if the new WSUS server was registered: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

It wasn't 😦

Finally I had a look at the boundaries (should have done this first) and it turns out I was a bit forgetful and didn't add the new site server to the boundary groups, so no clients were able to see the new SUP server.

Once I added it to all boundary groups and ran an update scan cycle, all updates started to show a few hours later and the WUAHandler log now showed the WSUS connection.

Yay, it's all fixed 🙂

Point to take away: always add new site servers to boundary groups first 🙂
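A client-side check for the symptom described above, as an added example that is not part of the original post: it reads the WSUS server that ConfigMgr policy has written to the WindowsUpdate key mentioned above, triggers a Software Updates Scan Cycle, and looks for the expected server in WUAHandler.log. The expected server URL is a placeholder; the schedule ID 113 is the well-known ConfigMgr trigger for the scan cycle.

```powershell
# Added example, not from the original post: confirm on a client that policy
# points at the new SUP and that WUAHandler.log has seen it. The WSUS URL is
# an assumed placeholder.
function Test-WsusClientTarget {
    param(
        [string]$ExpectedServer = 'http://wsus01.lab.local:8530',   # assumed new SUP
        [string]$LogPath = "$env:windir\CCM\Logs\WUAHandler.log"
    )
    $key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $current = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).WUServer

    # The log records the server the WUA was pointed at; search for the FQDN only
    $logHit = $null
    if (Test-Path $LogPath) {
        $logHit = Select-String -Path $LogPath -SimpleMatch -Pattern ([uri]$ExpectedServer).Host |
            Select-Object -Last 1
    }

    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        PolicyWUServer = $current
        PolicyMatches  = ($current -eq $ExpectedServer)
        SeenInLog      = [bool]$logHit
        LastLogLine    = if ($logHit) { $logHit.Line } else { $null }
    }
}

# Trigger a Software Updates Scan Cycle (schedule ID ...113), then re-check
Invoke-WmiMethod -Namespace 'root\ccm' -Class 'SMS_Client' -Name 'TriggerSchedule' `
    -ArgumentList '{00000000-0000-0000-0000-000000000113}' | Out-Null
Start-Sleep -Seconds 30
Test-WsusClientTarget
```

If PolicyWUServer is empty or still names the old server after the scan, the client is not receiving the new SUP in policy, which is exactly the boundary group situation in the post rather than a WSUS database problem.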

Removing WSUS on SCCM Server Causes HTTP Error 500.19

Recently I was migrating my WSUS deployment off my SCCM server to a new standalone server so that I could enable Windows 10 and Windows Server 2016 updates.

After removing the role I started getting critical alerts for the management point, clients couldn't be installed and I was getting a 500.19 error from the SCCM IIS site.

SCCM MP error

IIS error

I had a quick search and found a blog post by Jörgen Nilsson that explained the reason for the error.

https://ccmexec.com/2014/03/uninstalling-wsus-on-primary-site-server-causing-http-error-500/

When the WSUS role is installed, configuration settings are written to applicationHost.config that reference a .dll file used by WSUS, and that .dll is removed during the WSUS role removal while the reference stays behind. applicationHost.config is located under C:\Windows\System32\inetsrv\config.

If we check applicationHost.config there should be an entry the same as below:

<scheme name="xpress" doStaticCompression="false" doDynamicCompression="true"
        dll="C:\Windows\system32\inetsrv\suscomp.dll" staticCompressionLevel="10"
        dynamicCompressionLevel="0" />

Running the following command will remove the reference to the .dll that was installed by WSUS:

%windir%\system32\inetsrv\appcmd.exe set config -section:system.webServer/httpCompression /-[name='xpress']

After running the above command the management point is back working and I can now access all SCCM URLs.
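A check that finds the dangling reference before IIS starts failing, as an added example that is not part of the original post: it parses applicationHost.config, lists every httpCompression scheme whose dll path no longer exists, backs the file up, and removes only those schemes with the same appcmd command shown above. The function returns the broken entries so it can be run read-only first; the removal loop below it is the write step.

```powershell
# Added example, not from the original post: find compression schemes in
# applicationHost.config whose dll is missing (the xpress/suscomp.dll case
# from the post) and remove them with appcmd after taking a backup.
function Get-BrokenCompressionScheme {
    param([string]$ConfigPath = "$env:windir\System32\inetsrv\config\applicationHost.config")
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $schemes  = $cfg.configuration.'system.webServer'.httpCompression.scheme
    foreach ($s in $schemes) {
        # dll paths in the config may use %windir%-style variables
        $dll = [Environment]::ExpandEnvironmentVariables($s.dll)
        if (-not (Test-Path -Path $dll)) {
            [pscustomobject]@{ Name = $s.name; Dll = $dll }
        }
    }
}

$configPath = "$env:windir\System32\inetsrv\config\applicationHost.config"
$broken = @(Get-BrokenCompressionScheme -ConfigPath $configPath)

if ($broken.Count -eq 0) {
    'All httpCompression schemes point at an existing dll.'
} else {
    $broken | Format-Table -AutoSize
    # Keep a copy so the change can be reverted if needed
    $backup = "$configPath.$(Get-Date -Format yyyyMMddHHmmss).bak"
    Copy-Item -Path $configPath -Destination $backup
    "Backup written to $backup"

    foreach ($b in $broken) {
        & "$env:windir\System32\inetsrv\appcmd.exe" set config `
            -section:system.webServer/httpCompression "/-[name='$($b.Name)']"
    }
}
```

Running the function on its own before any change is worth doing on a site server: it also reveals other modules left behind by role removals, not just the WSUS xpress scheme.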

Remote Desktop Services 2012 R2 Deployment Part 3

In the last post we set up the RD Connection Broker HA to add additional resilience to the RDS deployment. In this post we are going to create and configure an RDS collection.

To create a collection go to:

Server Manager > Remote Desktop Services > Collections

Click on Tasks and Create Session Collection.

Give the collection a name.

Select the required session hosts that will be used for this collection.

Add the user group that will have access. I have left this as Domain Users, but it can be changed to any security group to restrict access.

In this setup we won't be using user profile disks, but if this is required just enable it and select a network location to save the VHDX user disks for the users' profiles.

Click Next, confirm all settings are correct and continue with the deployment.

Once this is completed we can now see the collection.

The next step is to configure the session collection settings.

Select the collection and go to Tasks > Edit Properties.

The first tab is just for changing the name, adding a description and showing the session collection in RD Web Access.

The second tab is for the users / groups that will have access to the specific collection.

Security allows you to change the security layer and encryption level. The default is Negotiate (this will use the most secure layer that is supported by the client) and Client Compatible (this encrypts to the maximum strength that the client supports).

To change session timeouts go to Session. I am going to end disconnected sessions after 3 hours, never disconnect active sessions and set the idle session limit to 3 hours.

Load Balancing can be changed to use session limits or to prioritise one server over another by changing the Relative weight or Session Limit values. In this case we will leave the defaults.

The next tab allows or denies redirection of local resources to the RDS session host, e.g. audio devices, local disks, printers, etc.

The last tab is to enable or disable user profile disks and specify the network location and the settings to be saved to the profile disk.
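The collection and the property tabs above done with the RemoteDesktop module, as an added example that is not part of the original post. It creates the collection on both session hosts, restricts access to a dedicated group rather than Domain Users, applies the 3-hour disconnected and idle limits from the post, sets the security layer and encryption level, limits client redirection to the clipboard and printers, and reads the settings back. Server names, the collection name and the group are placeholders I have assumed.

```powershell
# Added example, not from the original post: create and configure the session
# collection with PowerShell. Broker, hosts, collection and group are assumed.
$broker     = 'RDS01.Lab.local'
$collection = 'Lab Desktop'
$hosts      = 'RDS01.Lab.local', 'RDS02.Lab.local'

New-RDSessionCollection -CollectionName $collection -SessionHost $hosts `
    -ConnectionBroker $broker -CollectionDescription 'Lab session collection'

# User Groups tab: a dedicated group instead of the Domain Users default
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -UserGroup 'LAB\RDS-Users'

# Session tab: end disconnected sessions after 3 h, never end active sessions,
# idle limit 3 h (values are minutes, 0 = never)
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -DisconnectedSessionLimitMin 180 -ActiveSessionLimitMin 0 -IdleSessionLimitMin 180

# Security tab: Negotiate + Client Compatible are the defaults from the post;
# SSL + High are the stricter choice when every client supports them
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -SecurityLayer Negotiate -EncryptionLevel ClientCompatible

# Client Settings tab: only clipboard and printer redirection, no drives,
# smart cards or plug-and-play devices into the session hosts
Set-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker `
    -ClientDeviceRedirectionOptions Clipboard -ClientPrinterRedirected $true

# Read the result back per tab
Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker -Connection
Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker -Security
Get-RDSessionCollectionConfiguration -CollectionName $collection -ConnectionBroker $broker -Client
```

Each tab maps to its own parameter set of Set-RDSessionCollectionConfiguration, which is why the settings are applied in separate calls rather than one.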

Once the collection is created and all settings are configured, we should now see the collection show on the RD Web page.

Click on the collection to launch the session and you should see the connection broker HA DNS address shown as the connection address on the RDP session.

In part 4, we will look at customising the RDS web page and deploying the RDS licensing role.

Remote Desktop Services 2012 R2 Deployment Part 2

In the last post we set up the two RDS servers that will be used for RD Web Access, connection broker and session hosts. In this post we will go through setting up RD Connection Broker HA to give more resilience to the RDS deployment.

To add connection broker HA we need to have a server with SQL 2008 R2 or above, and have a load balancer or DNS round robin to redirect traffic. I am using SQL 2014 with just the database engine and management tools selected. I have used a separate SQL / RDS licensing server for this as I don't want the database on either of the current RDS servers.

I am going to use DNS round robin for redirecting traffic to both brokers as I don't have a load balancer set up, so I set up the four DNS records below on my internal DNS server.

Once the database server is set up we need to create a security group and add the two RDS servers that will be used as connection brokers.

Once this group has been created we can set up the SQL permissions. Open SQL Management Studio on the database server and create a new login for the group.

Give dbcreator access, as this will be required when setting up the HA deployment.

To connect to the database, SQL Server Native Client is required on both RD connection brokers. The latest version of this client is from SQL 2012 and can be downloaded from Microsoft: https://www.microsoft.com/en-us/download/details.aspx?id=50402

Once the client is installed go to Control Panel\All Control Panel Items\Administrative Tools and open ODBC Data Sources (64-bit). Click Add and select SQL Server Native Client 11.0.

Enter a name, a description and the SQL server that the permissions were set up on for the security group above.

Leave it as integrated Windows authentication.

Make sure that the application intent is READWRITE; the rest of the settings can be left as default.

Once completed, run a test to make sure that the database can be accessed.

Once this is completed on both RD connection brokers we can start to set up the HA deployment.

Go back to the RDS deployment page, right-click on RD Connection Broker and click Configure High Availability.

Database connection string: (we need to put in the SQL server name and the database name that will be created during the deployment.)

DRIVER=SQL Server Native Client 11.0;SERVER=<name of SQL server>;Trusted_Connection=Yes;APP=Remote Desktop Services Connection Broker;DATABASE=<name of database>

Folder to store database files: (I used the default SQL location)

Add in the DNS name: HARDSBroker.Lab.local

The next page is just to confirm all the settings are correct.

Once HA has been configured we can now add the additional connection broker. Right-click on RD Connection Broker and click Add RD Connection Broker Server.

Select the required server.

Click Add.

Once completed, both servers should now show the RD Connection Broker role as installed.
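The broker HA steps above in PowerShell, as an added example that is not part of the original post: the round-robin A records for the HA name, the SQL login for the broker group with the dbcreator role, Set-RDConnectionBrokerHighAvailability with the same connection string format as the post, and adding the second broker. The ODBC DSN test from the post is left to the GUI. Host names, IP addresses, the DC, the group name, the database name and the SQL data path are placeholders I have assumed.

```powershell
# Added example, not from the original post: RD Connection Broker HA via
# PowerShell. Hosts, IPs, DC, group, database name and paths are assumed.
$broker1 = 'RDS01.Lab.local'
$broker2 = 'RDS02.Lab.local'
$sql     = 'SQL01.Lab.local'
$haName  = 'HARDSBroker.Lab.local'
$dbName  = 'RDCB'

# 1. DNS round robin: one A record per broker for the HA client access name
'10.0.0.11', '10.0.0.12' | ForEach-Object {
    Add-DnsServerResourceRecordA -ComputerName 'DC01.Lab.local' -ZoneName 'Lab.local' `
        -Name 'HARDSBroker' -IPv4Address $_
}

# 2. SQL login for the security group holding both broker computer accounts,
#    with only the dbcreator role the wizard needs (no sysadmin)
$tsql = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'LAB\RDS-Brokers')
    CREATE LOGIN [LAB\RDS-Brokers] FROM WINDOWS;
ALTER SERVER ROLE [dbcreator] ADD MEMBER [LAB\RDS-Brokers];
"@
Invoke-Sqlcmd -ServerInstance $sql -Query $tsql

# 3. Configure HA on the first broker using the DSN-less connection string
#    from the post; the database is created by the broker, so it must not exist
$connStr = "DRIVER=SQL Server Native Client 11.0;SERVER=$sql;Trusted_Connection=Yes;" +
           "APP=Remote Desktop Services Connection Broker;DATABASE=$dbName"
Set-RDConnectionBrokerHighAvailability -ConnectionBroker $broker1 `
    -DatabaseConnectionString $connStr `
    -DatabaseFilePath "C:\Program Files\Microsoft SQL Server\MSSQL12.MSSQLSERVER\MSSQL\DATA\$dbName.mdf" `
    -ClientAccessName $haName

# 4. Add the second broker; it joins the existing database
Add-RDServer -Server $broker2 -Role RDS-CONNECTION-BROKER -ConnectionBroker $broker1

# Verify: ClientAccessName and both brokers should be listed
Get-RDConnectionBrokerHighAvailability -ConnectionBroker $broker1
Get-RDServer -ConnectionBroker $broker1 -Role RDS-CONNECTION-BROKER | Select-Object Server
```

Granting only dbcreator (as the post does) rather than sysadmin is the least-privilege choice here: the broker needs to create the database once and then owns it, so nothing beyond that role is required.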

In part 3, we will go over creating and configuring RDS collections.

Remote Desktop Services 2012 R2 Deployment Part 1

I recently had a request to build a new Windows Server 2012 R2 RDS farm, as the existing single Windows Server 2012 RDS deployment was crashing and users were getting a bit angry. So I decided to build out the deployment on my test domain to make sure it would work out as expected.

I will be using three servers for this deployment as I want to co-locate some roles to keep the number of servers to a minimum, as this is a small 20-user setup.

I have two servers that will be RDS session hosts, connection brokers and RD Web Access, and one that will be used later as the licensing and SQL server for the RD broker HA setup.

To start we need to add all servers to Server Manager on one of the RDS servers.

Once all servers are added to Server Manager and showing as online we can start to install the RDS roles.

Go to Manage on the top right of Server Manager and click Add Roles and Features.

On the installation type select Remote Desktop Services installation.

Next select Standard deployment.

Select Session-based desktop deployment.

Only one RD connection broker can be selected during initial setup; HA will be set up after the initial setup.

Select Install the RD Web Access role on the RD connection broker. We can add RD Web Access to the second server afterwards.

Select both servers that will be used for session hosts.

Next confirm that all servers have been selected for the correct roles and deploy.

The deployment progress screen should then show; it can take a while for this to complete.

Once the deployment has completed there will be an RDS icon in Server Manager. All servers need to be added to Server Manager or you won't be able to manage the deployment.

To finish the current deployment I will add the second RD Web Access server. To do this click on Tasks above Deployment Servers, select Add RD Web Access Servers and select the second server that will have the role added.

The last step I want to do is to use a wildcard cert that I have from my internal CA so that I don't get any cert errors when accessing the RD Web Access URL.

I won't go through generating the cert here, but once you have the cert you can go to Deployment Overview and click Edit Deployment Properties.

Go to Certificates. Select the roles you want to assign the cert to; in my case it was the two RD connection broker roles and RD Web Access. Click Select existing certificate and select the cert that will be used. You can also create a new certificate in this window as well.

Once the cert is applied and all statuses say OK you should no longer get a cert error when accessing the RD Web Access URL.
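The Part 1 deployment with the RemoteDesktop module, as an added example that is not part of the original post: the standard session-based deployment with one broker (HA comes in Part 2), the second RD Web Access server, the wildcard certificate applied to the broker and web roles, the round-robin records for the single RD Web URL, and a check of the certificate status per role. Server names, the PFX path, the DC and the IP addresses are placeholders I have assumed; the PFX password is read interactively so it does not end up in the script or the command history.

```powershell
# Added example, not from the original post: Part 1 via PowerShell.
# Server names, PFX path, DC and IPs are assumed lab placeholders.
$broker = 'RDS01.Lab.local'
$rds2   = 'RDS02.Lab.local'

# Standard session-based deployment: broker + web access on RDS01, both
# servers as session hosts. Only one broker is allowed at this stage.
New-RDSessionDeployment -ConnectionBroker $broker -WebAccessServer $broker `
    -SessionHost $broker, $rds2

# Second RD Web Access server
Add-RDServer -Server $rds2 -Role RDS-WEB-ACCESS -ConnectionBroker $broker

# Wildcard cert from the internal CA on the broker (redirector + publishing)
# and web access roles. RDGateway is not deployed in this post, so it is skipped.
$pfx    = 'C:\Certs\wildcard-lab-local.pfx'
$pfxPwd = Read-Host -Prompt 'PFX password' -AsSecureString
foreach ($role in 'RDRedirector', 'RDPublishing', 'RDWebAccess') {
    Set-RDCertificate -Role $role -ImportPath $pfx -Password $pfxPwd `
        -ConnectionBroker $broker -Force
}

# Round robin A records so https://RDS.Lab.Local/RDWeb reaches either web server
'10.0.0.11', '10.0.0.12' | ForEach-Object {
    Add-DnsServerResourceRecordA -ComputerName 'DC01.Lab.local' -ZoneName 'Lab.local' `
        -Name 'RDS' -IPv4Address $_
}

# Verify: each configured role should show Level = Trusted and a valid expiry
Get-RDCertificate -ConnectionBroker $broker |
    Select-Object Role, Level, IssuedTo, ExpiresOn
```

The certificate check at the end is the one to keep around: a certificate that is present but reports an untrusted level is what produces the browser and RDP warnings the post set out to remove.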

We will use DNS round robin to load balance between the two RD Web Access servers, and this will create a single URL for users to access.

We can now access the RDS web page using https://RDS.Lab.Local/RDWeb instead of having to go to each individual server.

In part 2, we will go through setting up a second connection broker for high availability deployment.