Share this:

In Azure there are multiple options to add a Firewall to your Azure landing zone. But the standard Azure firewall comes with an option Classic or firewall policy, and there is a good change that you already have an Azure firewall classic then you can migrate to a premium SKU see the link to get the process  https://docs.microsoft.com/en-us/azure/firewall/premium-migrate?WT.mc_id=AZ-MVP-4025011

Azure Firewall pricing

https://azure.microsoft.com/en-us/pricing/details/azure-firewall?WT.mc_id=AZ-MVP-4025011

Azure Firewall Standard

• Stateful firewall as a service
• Built-in high availability with unrestricted cloud scalability
• Centralized network and application level connectivity policy
• Threat intelligence-based filtering
• Support for hybrid connectivity through deployment behind VPN and ExpressRoute Gateways

Azure Firewall Premium (Public Preview)

• Built-in TLS Inspection for customer’s selected encrypted applications
• Ability to detect and block malicious traffic through advanced IDPS engine
• Restrict access to Web content via built-in URL Filtering for both plain text and encrypted traffic
• Web Categories provide enhanced content filtering capabilities
• IDPS signatures and Web categories are fully managed and constantly updated

Initial I setup a Azure Firewall premium

Premium firewalls support additional capabilities, such as SSL termination and IDPS. Additional costs may apply. Migrating a Standard firewall to Premium will require some down-time.

As you can see there is an option standard or premium and use the Firewall policy or the Classic.  In premium there is no classic any more the only option is firewall policy.

Choosing the Premium and the option firewall management is gray out.

As I already have some Firewall policy’s I can already attach these to my new firewall, this is one of the great options, In the firewall manager you can create Firewall policy’s with out having a azure firewall running, you can already prepare the landing zone with all kind of rules .

Keep in mind that the firewall must be in the same resource group as your vnet.

Setting up a Azure Firewall with PowerShell is easy but you need to have the resources already in place

# Create the firewall
$Azfw = New-AzFirewall `
    -Name $FirewallName `
    -ResourceGroupName $rgNamevnet `
    -Location $Location `
    -VirtualNetworkName $VnetName `
    -PublicIpName $pip01 `
    -SkuTier Premium

Now that The Firewall I created We can see the policy’s attached in the Firewall manager.

Azure Firewall Manager is a security management service that provides central security policy and route management for cloud-based security perimeters.

Firewall Manager can provide security management for two network architecture types:

Secured virtual hub

An Azure Virtual WAN Hub is a Microsoft-managed resource that lets you easily create hub and spoke architectures. When security and routing policies are associated with such a hub, it is referred to as a secured virtual hub.

Hub virtual network

This is a standard Azure virtual network that you create and manage yourself. When security policies are associated with such a hub, it is referred to as a hub virtual network. At this time, only Azure Firewall Policy is supported. You can peer spoke virtual networks that contain your workload servers and services. You can also manage firewalls in standalone virtual networks that aren’t peered to any spoke.

Azure Firewall Premium Preview in the Azure portal | Microsoft Docs

So now that the firewall is in place and we already had an policy attached but you can change that real quick.

Go to the Firewall blade and her you can see the policy and change it directly

Or if you go to the firewall manager and select the virtual networks you can see a good overview of where and what is attached to the vnet

Remember the firewall need to be in the same resource group as your network, and there come’s also the hard part if you want to switch policy’s

Looking at the firewall policys from here you can add them to a hub or a vnet

 

here you see an overview of the firewall policy’s

When associate a policy to a vnet or multiple vnets we got a good overview on what is available and what not.

Adding the Policy to a network,

The firewall manager blade with all the rules and options

You can  add rule collection groups and rule collections, In a rule collection group can hold multiple rule collections, I would advise you to build these collections as it is real handy if you want to change later some item or you want to export a collection and import them in a different collection group

Also new is the application rules here you can set web category’s that are allowed or denied.

using the application rules with the internet categories is still in preview but is a great addition for Azure virtual desktop #AVD

Setting up the web categories is easy selectable in the destination type. and then select one or multiple.

Remember the naming if you want to find this later in your rules, keep it clean and neat

Keep in mind that when you are selecting multiple categories the naming field is also corresponding to that 

Removing the Firewall does not mean that you will loose the policy’s  or removing the policy and loose the firewall unless…

Keep in mind when you remove a policy and you will set the little checkbox the firewall will be removed. If it is added to multiple vnets you may have a failure on the firewall deletion as there is still a policy attached

Overall the firewall manager is a great step to a modern security management in Azure, there a multiple items that I could wish for in the Firewall manager like management of all the NSG’s who nice would that be and traffic logging etc one thing is clear Azure is getting better and better and true the more options we get the more complex items we are building, and that’s fine keeps me off the streets and my work is never gets boring

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

 

Share this:

Webinar – Your 5 Most Critical M365 Vulnerabilities Revealed and How to Fix Them

Microsoft 365 is an incredibly powerful software suite for businesses, but it is becoming increasingly targeted by people trying to steal your data. The good news is that there are plenty of ways admins can fight back and safeguard their Microsoft 365 infrastructure against attack.

This free upcoming webinar, on June 23 and produced by Hornetsecurity/Altaro, features two enterprise security experts from the leading security consultancy Treusec – Security Team Leader Fabio Viggiani and Principal Cyber Security Advisor Hasain Alshakarti. They will explain the 5 most critical vulnerabilities in your M365 environment and what you can do to mitigate the risks they pose. To help attendees fully understand the situation, a series of live demonstrations will be performed to reveal the threats and their solutions covering:

· O365 Credential Phishing

· Insufficient or Incorrectly Configured MFA Settings

· Malicious Application Registrations

· External Forwarding and Business Email Compromise Attacks

· Insecure AD Synchronization in Hybrid Environments

This is truly an unmissable event for all Microsoft 365 admins!

The webinar will be presented live twice on June 23 to enable as many people as possible to join the event live and ask questions directly to the expert panel of presenters. It will be presented at 2pm CEST/8am EDT/5am PDT and 7pm CEST/1pm EDT/10am PDT.

Don’t miss out – Save your seat now!

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Share this:

There are multiple ways on how to use a VPN and how to connect and use this. In this blog I use an Azure Virtual WAN Hub with associated security and routing policies configured by Azure Firewall Manager.

When connecting to your Virtual Hub over the IKEv2 protocol, you can use certificate-based authentication or RADIUS authentication. However, when you use the OpenVPN protocol, you can also use Azure Active Directory authentication.

I will use the open VPN with Azure Active Directory authentication. Remember this is only supported on Windows 10 as you will need the Azure VPN client from the microsoft store.

For giving the vpn application the proper permissions, you need to register the application to your Azure AD first.

below is the default URL that can be used to trigger the registration, use the proper rights to create an enterprise App in you Azure AD

https://login.microsoftonline.com/common/oauth2/authorize?client_id=41b23e61-6c1e-4545-b367-cd054e0ed4b4&response_type=code&redirect_uri=https://portal.azure.com&nonce=1234&prompt=admin_consent

Sign in with the proper credentials

Using the wrong account will end up in

AADSTS50020: User account  from identity provider ‘live.com’ does not exist in tenant ‘Microsoft’ and cannot access the application ‘4b4′(Azure VPN) in that tenant. The account needs to be added as an external user in the tenant first. Sign out and sign in again with a different Azure Active Directory user account.

When Accepted the you will be redirected to the Azure portal.

In the Azure portal you can go to the Azure active directory and

Enterprise applications | All applications  and search for Azure VPN

Now that the basics are in place, we can configure our Site to Site VPN profile the following information is needed.

Go to your Virtual Wan and select the user VPN configuration

Create User VPN ##### I noticed during the writing of this blog post the screens may differ as the portal changed the layout#######

• Configuration name – Enter the name you want to call your User VPN Configuration.
• Tunnel type – Select OpenVPN.
• Authentication method – Select Azure Active Directory.
• Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
• Issuer – https://sts.windows.net/tenantID/
• AAD Tenant – https://login.microsoftonline.com/TenantID

Select open VPN

go to the Azure Active Directory <> properties and grab the Tenant ID

Set the switch to yes and new fields will open.

 

• Audience – Type in the Application ID of the Azure VPN Enterprise Application registered in your Azure AD tenant.
• Issuer – https://sts.windows.net/3078684f/   ## remember the /  this must be at the end
• AAD Tenant – https://login.microsoftonline.com/3078684f

#the number is your tenant ID

Now that the VPN user profile is created we can configure the HUB

Now that the user vpn profile is created we can create the P2S VPN.  Select your hub

Select the user VPN point to site VPN  select create

Creating a VPN gateway you need to select the just created User profile.  

Select a proper IP subnet and if needed a DNS server for the workload into that network

Updating a hub can take 30 minutes or more.

Download User VPN profile as we need this on the Windows 10 client later.

Use the VPN profile to configure your clients.

1. On the page for your Virtual WAN, click User VPN configurations.
2. At the top of the page, click Download user VPN config.
3. Once the file has finished creating, you can click the link to download it.
4. Use the profile file to configure the VPN clients.

To download the Azure VPN client on your windows 10 test device.

Use this link to download the Azure VPN Client.

Open the VPN Client you can add a new VPN or import a Connection

 

For Importing the Connection we need the just downloaded zip file and extract this in the AzureVPN folder there is a XML that holds the vpn configuration.

 

 

If any thing goes wron with the import it is 99% your pbk file,

 

go to the following folder and delete the files – this will probably also remove your other vpn connections it you had any.

%userprofile%\AppData\Roaming\Microsoft\Network\Connections\Pbk\rasphone.pbk

C:\Users\admin\AppData\Local\Packages\Microsoft.AzureVpn_8wekyb3d8bbwe\LocalState

Now that the Import worked and you are ready to connect to the VPN in Azure.

  Use your Azure AD credentials or your FIDO2 key

 

  Now we are fully connected to the Secure Virtual WAN in Azure

It can take some time to see your connection in the portal

Showing the above it all is easy to setup this but I already see the questions yes but I need to do this on 5000 Windows 10 devices.  

Microsoft Endpoint Management is your best friend.

Deploy VPN with Microsoft Endpoint Management 

We create a Custom Template and do not select the VPN option as this is not for uploading the XML

In our Custom settings we add the Following settings

• Name: Enter a name for the configuration.
• Description: Optional description.
• OMA-URI: ./User/Vendor/MSFT/VPNv2/demo01_hub-weu/azurevpnconfig.xml (this information can be found in the azurevpnconfig.xml file in the tag Name).
• Data type: String (XML file).

Now that this is done we can create some assign ments and test this on the pilot group

 

As you can see there are a few steps involved and are linked together

 

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Share this:

PowerCLI: An Aspiring Automator’s Guide

Getting into scripting can be daunting. It’s easier to just use existing scripts found online, but if you choose this route you’ll quickly run into limitations. If you take the time to learn how to create your scripts, trust me, you’ll never look back!

Automating vSphere is particularly useful for countless applications and the best way is through PowerCLI – a version of PowerShell developed specifically for VMware. Learn how to develop your own PowerCLI scripts with this free 100+ page eBook from Altaro, PowerCLI: The Aspiring Automator’s Guide.

Written by VMware vExpert Xavier Avrillier, this eBook presents a use-case approach to learning how to automate tasks in vSphere environments using PowerCLI. We start by covering the basics of installation, set up, and an overview of PowerCLI terms. From there we move into scripting logic and script building with step-by-step instructions of truly useful custom scripts, including how to retrieve data on vSphere objects; display VM performance metrics; how to build HTML reports and schedule them; the basics on building functions; and more!

Stop looking at scripts online in envy because you wish you could build your own scripts.

Get started on your path to automation greatness – Download the eBook now!

 

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile

Share this:

The Microsoft Ability Summit is a two-day, free digital event experience that brings together people with disabilities, allies, and accessibility professionals to Imagine, Build, Include, and Empower the future of disability inclusion and accessibility. We encourage all to join on May 5-6, 2021 and spread the word throughout your internal and external communities.

Registration is now open for Ability Summit on May 5-6th

Registration for Ability Summit is open!

• Wednesday, May 5 from 9:00 AM – 12:30 PM, PT
• Thursday, May 6 from 9:00 AM – 12:30 PM, PT

Microsoft Ability Summit 2021 will feature:

• Keynotes from Microsoft executives and notable members of the disability community
• Expert panels featuring exciting projects and innovations
• Demos of the latest accessibility features in Office, Windows, Xbox, and more
• All sessions will be recorded and available post-event so no matter what time zone you are in, you can access the content at a time that works for you!

Registration is now open for Ability Summit on May 5-6th

Follow Me on Twitter @ClusterMVP

Follow My blog https://robertsmit.wordpress.com

Linkedin Profile Robert Smit MVP Linkedin profile

Google  : Robert Smit MVP profile