Monthly Archives: November 2016

Announcements at AWS #Reinvent 2016

So it has been a busy day with a lot of new and interesting things coming out, especially from Amazon's re:Invent conference, where they announced loads of new services. This post is just a quick summary of the news I've managed to gather so far.

There have also been a lot of updates in the run-up to the conference; for instance, Liquidware Labs announced that they are going to support AWS WorkSpaces: http://www.liquidwarelabs.com/company/media/liquidware-labs-announces-full-support-amazon-workspaces-leading-workspace-environment-management-suite

AWS Snowmobile: https://aws.amazon.com/blogs/aws/aws-snowmobile-move-exabytes-of-data-to-the-cloud-in-weeks/

AWS Snowball Edge: https://aws.amazon.com/blogs/aws/aws-snowball-edge-more-storage-local-endpoints-lambda-functions/

Amazon Lex: https://aws.amazon.com/blogs/aws/amazon-lex-build-conversational-voice-text-interfaces/

Amazon Rekognition: https://aws.amazon.com/blogs/aws/amazon-rekognition-image-detection-and-recognition-powered-by-deep-learning/

Amazon Polly: https://aws.amazon.com/blogs/aws/polly-text-to-speech-in-47-voices-and-24-languages/

Amazon LightSail: https://aws.amazon.com/blogs/aws/amazon-lightsail-the-power-of-aws-the-simplicity-of-a-vps/

Amazon EC2 instances with Programmable hardware: https://aws.amazon.com/blogs/aws/developer-preview-ec2-instances-f1-with-programmable-hardware/

EC2 Elastic GPUs: https://aws.amazon.com/blogs/aws/in-the-work-amazon-ec2-elastic-gpus/ (the linked post also lists the instance types that can have a GPU attached to them)

Amazon Greengrass: https://aws.amazon.com/greengrass/ and https://aws.amazon.com/blogs/aws/aws-greengrass-ubiquitous-real-world-computing/

Amazon Aurora updates: https://aws.amazon.com/blogs/aws/amazon-aurora-update-postgresql-compatibility/

Amazon EC2 instance updates: https://aws.amazon.com/blogs/aws/ec2-instance-type-update-t2-r4-f1-elastic-gpus-i3-c5/

Amazon Partner Solutions Finder: https://aws.amazon.com/blogs/aws/introducing-the-partner-solutions-finder-find-expert-apn-partners-to-meet-your-needs-on-aws/

Networking SIG webinar – MAS deep dive and Container Orchestration

So again, it is the end of November and another successful myCUGC SIG webinar is done, where we had over 150 attendees, a number we are very happy with considering this is only our second webinar!

I've also posted a blog post on the networking SIG site with the Q&A session from today's webinar, which can be found here –> https://www.mycugc.org/blog/follow-up-with-q&a-from-november-webinar

If you have any particular topic or subject you wish to hear more about please let us know!

For those interested, the slide deck can be downloaded from here –> http://bit.ly/2gz2kvf

AzureStack breakdown of Distributed Firewall

Following up on the previous AzureStack blog post (software load balancing –> http://msandbu.org/azurestack-breakdown-of-load-balancing-component/), I wanted to continue with the firewall component, which is also a new component that is now part of Windows Server 2016. The solution in place in AzureStack is the same one that is available in Azure, namely Network Security Groups (NSGs). Compared to regular firewalls, an NSG can also operate purely at layer 2, meaning that we can specify rules between virtual machines on the same subnet.

So again, with the distributed firewall the central component is the Network Controller, which is used to deploy and manage the policies across the different hosts. All Hyper-V hosts have a Network Controller Host Agent service installed, which is a component used by multiple services, but for the distributed firewall it is the vSwitch port host agent that is running.

So all the ACLs are configured on each vSwitch port, independent of the actual host running the virtual machine, but ACLs can also be associated with subnets. Since all the Hyper-V hosts in AzureStack have this component installed, the rules apply regardless of where the virtual machine is located. So for instance if we have multiple hosts, the same rules will apply, since the Network Controller Host Agent service is querying the Network Controller to get the central policy for a particular virtual machine.

So all traffic is inspected before it actually leaves the switch; more precisely, it is inspected on that particular port before the switch forwards the traffic to the destination. The ACLs that can be specified are 5-tuple in both directions, and all ACLs are applied regardless of what kind of operating system is running in the guest virtual machine.

Using Cloud App Security to detect Social Security Numbers in Office365

So after reading fellow Norwegian MVP Jan Vidar's blog post about using Azure IP and RMS to automatically classify content based on it containing a Norwegian national ID number, I decided to build upon that post and show how we can use Microsoft Cloud App Security to do content inspection on files in Office365 to detect the presence of these types of numbers in files.

Jan Vidar does a good job explaining how the Norwegian national ID number is built up –> https://gotoguy.blog/2016/11/25/protecting-norwegian-national-id-number-with-azure-information-protection-and-rms/ and for RMS he also uses a RegEx to detect these kinds of numbers, since they follow a specific sequence.

Now Cloud App Security, which I have blogged about earlier, has an option to connect to Office365 to do content inspection: http://msandbu.org/microsoft-cloud-app-security-integrating-with-office365/

So to ensure this is going to work, I typed a bogus national ID number into a Word document stored in OneDrive for Business for a specific user.

Then I needed to create a content inspection policy.

So first we need to create a new file policy.

So I give it a name, specify where the policy is going to be applied, which is OneDrive for Business, and that it applies to all files.

Then I enabled content inspection and specified that I needed to use a regular expression. For some reason I couldn't use the same regex that Jan Vidar had, so I needed to create a new one:

\b(?:0[1-9]|[12]\d|3[01])(?:[04][1-9]|[15][0-2])\d{7}\b

(This site http://regexr.com/ is a life saver!)
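As an added example that is not part of the post, here is a small Python script that runs the regex above over a constructed sample document and then applies the mod-11 control-digit check of the Norwegian national ID number as a second filter, something a plain regex cannot express. The sample numbers are constructed test values; note that the pattern accepts H-numbers (month + 40) but not D-numbers (day + 40), so the latter would need an extra alternative in the day group.

```python
import re
from typing import List, Sequence

# The regex from the post, unchanged: day 01-31, month 01-12 or 41-52
# (H-numbers add 40 to the month), followed by the remaining seven digits.
NIN_PATTERN = re.compile(r"\b(?:0[1-9]|[12]\d|3[01])(?:[04][1-9]|[15][0-2])\d{7}\b")

# Mod-11 weights for the two control digits of a Norwegian national ID number.
K1_WEIGHTS = (3, 7, 6, 1, 8, 9, 4, 5, 2)
K2_WEIGHTS = (5, 4, 3, 2, 7, 6, 5, 4, 3, 2)


def _control_digit(digits: Sequence[int], weights: Sequence[int]) -> int:
    """Control digit for the weighted digits; -1 when the remainder would
    require the impossible value 10 (such numbers are never issued)."""
    k = 11 - (sum(w * d for w, d in zip(weights, digits)) % 11)
    if k == 11:
        return 0
    return -1 if k == 10 else k


def has_valid_checksum(number: str) -> bool:
    """True if an 11-digit string carries correct control digits in positions 10 and 11."""
    if len(number) != 11 or not number.isdigit():
        return False
    digits = [int(c) for c in number]
    if _control_digit(digits[:9], K1_WEIGHTS) != digits[9]:
        return False
    return _control_digit(digits[:10], K2_WEIGHTS) == digits[10]


def find_candidates(text: str) -> List[str]:
    """Every 11-digit run the post's regex flags, i.e. what a regex-only policy alerts on."""
    return NIN_PATTERN.findall(text)


def find_probable_ids(text: str) -> List[str]:
    """Regex hits that also pass the mod-11 check; these are the ones worth an alert."""
    return [m for m in find_candidates(text) if has_valid_checksum(m)]


# Constructed sample document; the numbers are synthetic test values, not real persons.
SAMPLE_TEXT = """\
Customer record: national ID 01019012480 stored in the CRM.
Order number 01019012345 looks like an ID but fails the checksum.
H-number 01419012463 (month + 40) matches the pattern.
D-number 41019012480 (day + 40) is missed by the pattern.
"""

if __name__ == "__main__":
    print("regex hits:  ", find_candidates(SAMPLE_TEXT))
    print("checksum ok: ", find_probable_ids(SAMPLE_TEXT))
```

Running the checksum over each regex hit removes order numbers and similar digit runs that share the date-like prefix, so the alert volume reflects real ID numbers rather than any 11-digit string.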

Then I just specify that it should create an alert for each matching file detected. Now depending on the number of files in the OneDrive structure or the number of users it might take some time, but go into Investigate –> Files.

Eventually you can see the file appearing in the list; if you open the file you can see that it matched the policy "Social Security number" and shows "scan complete", which states that the policy has finished inspecting the content.

It now appears in the Alerting pane based upon the policy.

So from within the alerting pane I can, for instance, put the user in quarantine or open up the document to double-check whether the content is actually valid.

AzureStack – Breakdown of load balancing component

Being quite the networking geek, I decided to break down the load balancing component that comes as part of AzureStack, which is actually the same load balancing component that is available in Azure as well.

Now the load balancing component is part of the Windows Server 2016 release and is controlled by the Network Controller. From an AzureStack perspective we have a Network Resource Provider which "translates" all operations from ARM to the Network Controller, so when a tenant or user goes into the portal and configures a load balancer setup, the request goes via the Network Resource Provider to the Northbound API on the Network Controller to configure the load balancer.

The Network Controller consists of multiple services which are responsible for handling the different NFVs on AzureStack, so for load balancing it has its own Software Load Balancer Manager, which stores the LB configuration in an Open vSwitch database (OVSDB).

When setting up AzureStack, it will automatically deploy the SLB Host Agent service on the Hyper-V host, which is responsible for NATing incoming requests to the correct virtual machine.

So if we look at a regular request for a load balanced VIP (IP 80.80.80.80), it will come to the edge router, which will look at its routing table. The MUX VM (MAS-SLB01) advertises all load balanced VIPs using BGP with a /32 route. With multiple hosts the MUX VMs can also be stacked using ECMP with the closest router, so that you have a highly available path to reach the load balanced VIP. So when the request comes to MAS-SLB01 (the MUX VM), it checks its load balancing policies from the Network Controller, finds the VM the traffic is destined for (10.0.0.4), and the traffic is transported from the MUX VM to the SLB host agent service on that host.

Overview picture showing the traffic flow for a single server

The server generates a response and sends it to the client, using its own IP address as the source. The host now intercepts the outgoing packet in the virtual switch, which remembers that the client, now the destination, made the original request to the VIP. The host rewrites the source of the packet to be the VIP, so that the client does not see the internal private IP range. The host then forwards the packet directly to the default gateway for the physical network, which uses the standard routing table to forward the packet on to the client, which eventually receives the response. Now when you have a single host, as the Azure Stack POC is today, it is pretty easy. What if we have multiple hosts and thereby multiple MUX VMs; how will it look then?

Since the MUX VMs use ECMP, incoming requests can come to any of the MUX VMs that have the BGP route presented, so in case it comes to the MUX VM on the other host, the traffic is inspected against the policies defined on the Network Controller, which knows on which host the virtual machine the traffic is destined for is located. The incoming traffic is proxied from the MUX VM on host 2 and then encapsulated using VXLAN across to the other host. The SLB Host Agent then inspects the traffic, removes the VXLAN header and forwards the traffic to the virtual machine on host 1. The route back will go from the client –> SLB host agent service and then directly to the default gateway of the host.

So it is important to note that AzureStack load balancing is DSR (Direct Server Return), meaning that traffic going back from the servers to the clients is not handled by the MUX VM. So for instance if a host goes down and a MUX goes down with it, the router will just forward to the routes of another MUX, and hope that the VM restarts on another host in the back.

Microsoft Cloud App Security integrating with Office365

As part of the new Microsoft Enterprise Mobility + Security E5, or as a standalone product, Cloud App Security is a new product which delivers a lot of cool functionality. Up until now, a lot of the products in the EMS space have been aimed at controlling the endpoints (Intune), controlling and protecting the data (Azure Information Protection) and protecting the user (Azure AD). Cloud App Security is more about controlling the data flow, seeing if users are violating rules and creating alerts if they are, for instance, sharing data with competitors. Another example might just be that a user clicked wrong and shared data with ALL external resources. (Here is the list of supported cloud applications and APIs: https://docs.microsoft.com/nb-no/cloud-app-security/enable-instant-visibility-protection-and-governance-actions-for-your-apps)

Now it can integrate directly with different cloud applications using connectors which leverage the apps' APIs to search for and identify risks. In most cases that might not be enough; for instance an application might not have opened up its APIs to dig down into the material, but Cloud App Security can also use uploaded traffic logs from on-premises proxies and firewalls like Palo Alto, Cisco, Forefront and such, and also hypervisors, which allows it to collect larger amounts of data and digest it. (Here is a list of supported network devices –> https://docs.microsoft.com/nb-no/cloud-app-security/set-up-cloud-discovery)

Cloud Discovery dashboard

Now I didn't have any firewalls I could do log shipping from, so I just used the built-in app connector to Office365 to see how it worked. First I set up a connection with Office365 and the other applications, which was pretty easy since I already had an Office365 tenant with my account.

So now I wanted to create a policy which showed if any users were sharing files/folders from OneDrive for Business with competitors or excluded domains, so I went into Control –> Policies.

From there I chose to create a new policy based upon the file policy type.

I chose a default template which is aimed at sharing data with unauthorized domains.

So here I specify which app this policy is going to be aimed at, which is OneDrive for Business. Moving down the policy I can also specify that the policy should do content inspection on the files, to search for some specific content in them.

I hate regex, but they have given some good examples here of how to use the filter policy part –> https://docs.microsoft.com/nb-no/cloud-app-security/working-with-the-regex-engine. I can also specify governance rules, which for instance allow me to automatically quarantine the user who has done this.

But I just leave it at the default and click Create. Now if I go back to the dashboard I can see that an alert has been triggered after it has scanned the Office365 shares.

Bingo! "Recent Alerts: File Shared with unauthorized domain"; it was triggered because I have a OneDrive where I've shared something with an external user.

Now there are some pretty advanced actions I can take directly from the alerting pane:

For instance, put the user in quarantine, remove the collaborator or look at the user's activities, but this is just one example of a policy. I can also create a policy which looks for suspicious activity based upon where the users log on from (ISP, country). There are also some other nifty built-in policies:

Now this product covers most of the commonly used SaaS applications, but I feel like this should be baked into Azure AD and also given some more details around other SaaS applications; also, maybe have the option to include Azure AD Cloud App Discovery as part of this as well?

The importance of community – Introducing Slack for NetScaler and Citrix XenDesktop/XenApp

Over the years I have spent endless time in forums and such, and I have always found the community a valuable asset, even in desperate times when I'm stuck with an upgrade that does not work, or when I just want some feedback while wondering "Will X work with Y?"

Also with my blogging I have gotten a lot of requests by email about different topics, and sometimes it might go days before I even have the time to respond! Not because I don't want to, just that there are only 24 hours in a day, and my day-to-day schedule is pretty full.

Now spending time on forums is pretty time consuming, just waiting for a reply from someone, but nowadays I find myself moving more and more away from forums and into Slack.

Slack is a real-time messaging tool, which I now use to collaborate with many different partners/vendors/programs and such; it's an easy way to IM with others. Now a while back I decided to create a Slack team dedicated to NetScaler, and today we have about 40 people in the different channels there, which is an easy way to get in touch with a lot of knowledgeable people if you just want to ask a question or want to discuss features. And a couple of days ago I also created a Slack channel just for XenDesktop / XenApp as well, where people are joining slowly and steadily.

If you want to join either of these channels, send me an email at msandbu@gmail.com and I'll get you invited.

Setting up Rancher to authenticate with AzureAD

Having been involved with Rancher as of late, I've been working on integrating it with Azure AD, since I know that Rancher supports AzureAD as an authentication provider (but there is no documentation from Rancher's side).

So I’ve decided to write a quick blog post on the subject, on how to configure the authentication to AzureAD.

One thing that should be noted, however, is that even though Rancher supports AzureAD, it is not used for RBAC; this is still done within Rancher, so it means that we cannot for instance define groups in AzureAD and use them to control access. There are a few things that are required for the setup:

Tenant ID:
Client ID:
Domain:
Admin Account Username:
Admin Account Password:

So this requires that we define the application in AzureAD and set up some specific access rules for the application as well. So go into Azure AD and set up a new application.

Choose "Add an application my organization is developing" and choose "Native Client Application".

Under redirect URL you just need to type in a valid URI; Rancher does not use this parameter for authentication.

Then after the application is created we need to define some custom permissions so that it can authenticate on behalf of users.

Also copy out the Client ID, which is the Client ID we need to enter in the Rancher UI. The Tenant ID can be found in the browser URL when you are working within the AzureAD tenant.

Then enter the Tenant ID, Client ID and domain name (which will be used to authenticate against the domain).

If successful you will get this:

So users will now be greeted with this login screen if they try to access Rancher:

Now they do not need to enter a domain name since it defaults to the domain name specified in the setup.

Getting started with Microsoft OMS Service Map and Wire Data 2.0

Today Microsoft announced the public availability of Service Map (previously known as Application Dependency Monitor) and a revamped Wire Data 2.0 solution pack, which are now available in Microsoft OMS.
I've blogged about the Wire Data solution pack before; it is a great way to get an overview of what kind of traffic is going in and out of your infrastructure. Service Map is technology from a company called BlueStripe, which Microsoft bought.

Service Map is supported for more than just Windows Server!

  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 SP1
  • Windows 10
  • Windows 8.1
  • Windows 8
  • Windows 7

Linux support:

  • Red Hat Enterprise Linux, CentOS Linux and Oracle Linux (with RHEL kernel)

Now before we start deploying them we need to import the solution packs into OMS.

Now both these new solutions require an additional component to be installed, which is the application dependency agent that is leveraged to do the component mapping and such. But you need to remember that it interacts with the OMS agent to ensure that data is forwarded to OMS using the correct workspace ID and such. When Service Map is activated, a 300 KB management pack is sent to all the Microsoft Monitoring Agents in that workspace.

The simplest way to get and install it is to use a script like this:

wget https://aka.ms/dependencyagentwindows -O C:\somelocation\dp.exe

dp.exe /S

(The /S switch runs a silent install; the agent fetches the workspace ID from the OMS agent that is preinstalled.)

After the agent is installed it will start to forward data to OMS.

So for instance we can see all processes running and what kind of interaction they have with each other; we can also see interactions with other servers and what kind of port they are using.

We can also drill down on individual processes and see what they are, how they are communicating with other servers, and what kind of command line parameters they are running with.

Now we also have Wire Data, which uses the same type of agent to tap into what kind of traffic is going into and out of your datacenter.

So for instance in my example here I have traffic categorized as "Unknown", which might be a bad sign, but I can drill down into that specific traffic and see what is happening.

By using the query

Type: WireData ApplicationProtocol=Unknown Direction=Outbound

I can see what kind of traffic is going on that is tagged as unknown; in my case it was just some Citrix components. Now moving forward I would love to see some integration between Wire Data and Network Performance Monitor, and being able to "classify" unknown data in Wire Data based upon personal tags, for instance, or based upon process name.

Veeam 9.5: a new opportunity for service providers!

So to be honest I was not aware of the awesome new features that became available with Veeam 9, which gave Veeam service providers who have configured Veeam Cloud Connect the ability to do direct backup to Cloud Connect.

With the update to 9.5 coming, we will also see the option to use Veeam agents to do direct backup of endpoints and servers. This also opens up another option, which is to do backup of cloud based servers as well using the same solution.

The Windows agent, which is coming soon, opens up this option, which will give an easy way to provide SMBs with server backup directly, or even regular endpoints. This makes things a lot easier; for instance a lot of companies are struggling with ransomware, and being able to just restore data to an endpoint directly from a Veeam service provider will make things a lot easier.

And the last option is of course to offer disaster recovery options as well, which allow customers to replicate virtual machines to a service provider and to be able to start up the virtual machines there in case of disaster. This can be done by the customer via the Cloud Connect portal (or perhaps the Veeam orchestrator solution: https://go.veeam.com/orchestration).

When 9.5 comes it will also support Windows Server 2016, and combining this with ReFS on the storage repository and using block cloning will speed up the repository when doing synthetic full backups, for instance.

And last but not least, where bandwidth is congested we can also deploy Veeam WAN accelerators to speed up the transfer process while sacrificing IOPS on the service provider end. I truly believe that with 9.5, Veeam is giving a lot of new opportunities to service providers!