BUILD HIGH AVAILABLE REMOTE DESKTOP GATEWAY INTEGRATED WITH AZURE MFA


    Implemented parts

    The following parts have been implemented:

    • On-Premises Infrastructure
    1. Microsoft Windows Server 2016 Standard Edition (3 Servers)
    2. A Highly Available Load Balanced RD Gateway Server Farm (RDG).
    3. Network Policy Server (Centralized NPS).
    • Enterprise Mobility + Security E3
    1. Microsoft Azure Multi-Factor Authentication

    Solution Requirements

    Prerequisites

    • Remote Desktop Gateway (RD Gateway) infrastructure
    • Azure MFA License
    • Windows Server software
    • Network Policy and Access Services (NPS) role
    • Azure Active Directory synched with on-premises Active Directory
    • Azure Active Directory GUID ID

    Network requirements

    The following table shows the required ports between the RD Gateway, the NPS server, the internal network and the WAN. These ports must be opened for both inbound and outbound traffic.

    Source            Destination          Protocol/Port
    Internet          Gateway WAN NIC      TCP 443, 80; UDP 3391 (you have to enable UDP on the RD Gateway)
    Gateway LAN NIC   Internal network     TCP/UDP 3389; TCP 5504; TCP 5985
    Gateway LAN NIC   Domain Controllers   TCP/UDP 88; TCP 135; UDP 123; UDP 137; TCP 139; TCP/UDP 389; TCP 3268; TCP/UDP 53; TCP/UDP 445; TCP 5985; TCP dynamic ports (NTDS RPC service)
    RD Gateway        NPS Server           UDP 1812; UDP 1813
    RD Gateway        Perimeter network    TCP 443, 80 (must be open so that HTTPS traffic from clients on the Internet reaches the RD Gateway server in the perimeter network)
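    As an added example (not part of the original design document), the following PowerShell checks the port matrix above from an RD Gateway's LAN side. The NPS address 192.168.1.18 (NPSEx01) is the document's; the domain controller and internal RDP host addresses are assumed placeholders. Test-NetConnection probes TCP only, so the UDP rows (88, 53, 123, 137, 389, 445, 1812/1813, 3391) are reported as "not probed" rather than guessed at, and the NTDS RPC dynamic range cannot be covered by a single-port probe.

```powershell
# Added example, not from the design document: probe the TCP rows of the
# "Network requirements" table from an RD Gateway, and list the UDP rows that
# need a different check (NPS event log, packet capture).
function Test-RdgPortMatrix {
    param(
        [string]$DomainController = '192.168.1.10',   # assumed placeholder, replace
        [string]$InternalHost     = '192.168.1.50',   # assumed placeholder (RDP target)
        [string]$NpsServer        = '192.168.1.18'    # NPSEx01 from the document
    )

    # TCP ports per destination, taken from the document's table.
    # NTDS RPC uses dynamic ports (49152-65535 on Windows Server 2008 and later),
    # which a single-port probe cannot cover.
    $tcpMatrix = @(
        @{ Target = $InternalHost;     Ports = @(3389, 5504, 5985) }
        @{ Target = $DomainController; Ports = @(88, 135, 139, 389, 3268, 53, 445, 5985) }
    )
    # UDP ports from the same table; Test-NetConnection cannot probe UDP.
    $udpMatrix = @(
        @{ Target = $DomainController; Ports = @(88, 123, 137, 389, 53, 445) }
        @{ Target = $NpsServer;        Ports = @(1812, 1813) }   # RADIUS auth / accounting
    )

    $tcpResults = @(foreach ($row in $tcpMatrix) {
        foreach ($port in $row.Ports) {
            $probe  = Test-NetConnection -ComputerName $row.Target -Port $port -WarningAction SilentlyContinue
            $status = if ($probe.TcpTestSucceeded) { 'open' } else { 'BLOCKED' }
            [pscustomobject]@{ Target = $row.Target; Protocol = 'TCP'; Port = $port; Status = $status }
        }
    })
    $udpResults = @(foreach ($row in $udpMatrix) {
        foreach ($port in $row.Ports) {
            [pscustomobject]@{ Target = $row.Target; Protocol = 'UDP'; Port = $port; Status = 'not probed (UDP)' }
        }
    })
    $tcpResults + $udpResults
}

# Usage: run on RDG01P / RDG02P after the firewall rules are in place.
Test-RdgPortMatrix | Format-Table -AutoSize
```

    A "BLOCKED" row for a TCP port means the rule is missing somewhere on the path (host firewall on the destination, or a network firewall between the segments), not necessarily that the service is down; check the destination's listener before changing rules.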

    Certificate requirements

    A public certificate is required; it should contain the following SAN names.

    Item                  SAN Names
    Domain Certificate    RDS.3TALLAH.COM

    System requirements

    The following table shows the required subscription and license that should be provided by the time of the deployment:

    Product Name                                                        QTY
    Microsoft 365 subscription (E3 plan) or equivalent (MFA License)    All users
    Microsoft Windows Server 2016 Standard Edition                      3

    The following table summarizes Microsoft products that will be deployed

    Product Name                                          QTY
    Microsoft Windows Server 2016 Standard Edition        3
    Network Policy and Access Services (NPS) role         2
    Remote Desktop Gateway (RD Gateway) infrastructure    2

    Authentication Flow

    1. F5 or any other load balancer receives an access request from a remote desktop user.
    2. The load balancer routes the request to one of the RD Gateway servers.
    3. The Remote Desktop Gateway server receives an authentication request to connect to a resource, such as a Remote Desktop session. Acting as a RADIUS client, the Remote Desktop Gateway server converts the request to a RADIUS Access-Request message and sends the message to the RADIUS (NPS) server where the NPS extension is installed.
    4. The username and password combination is verified in Active Directory and the user is authenticated.
    5. If all the conditions as specified in the NPS Connection Request and the Network Policies are met (for example, time of day or group membership restrictions), the NPS extension triggers a request for secondary authentication with Azure MFA.
      1. Azure MFA communicates with Azure AD, retrieves the user’s details, and performs the secondary authentication using supported methods.
      2. Upon success of the MFA challenge, Azure MFA communicates the result to the NPS extension.
      3. The NPS server, where the extension is installed, sends a RADIUS Access-Accept message for the RD CAP policy to the Remote Desktop Gateway server.
    6. The user is granted access to the requested network resource through the RD Gateway.

    Deploy High-Available RD Gateway Server Farm

    Remote Desktop Gateway Server enables users to connect to remote computers on a corporate network from any external computer. The RD Gateway uses the Remote Desktop Protocol & the HTTPS Protocol to create a secure encrypted connection.

    RD Gateway server uses port 443 (HTTPS), which provides a secure connection using a Secure Sockets Layer (SSL) tunnel.

    Accounts

    All the following accounts have been used.

    Account or group name   Source     Description
    Guest001                Local AD   Account for RD Gateway access
    Office365 – EndUsers    Local AD   M365 users license group
    Guest001@3tallah.Com    Local AD   Account to connect with Azure AD

    Environment

    Server details.

    Server Name   IP Address     Role
    RDG01P        192.168.1.16   Remote Desktop Gateway server role; Network Policy Server (NPS) role
    RDG02P        192.168.1.17   Remote Desktop Gateway server role; Network Policy Server (NPS) role

    Install RD Gateway servers farm

    Install the RD Gateway server role on both servers of the RD Gateway farm.

    Deploy NPS Role for NPS Extension server

    The Network Policy Server (NPS) extension for Azure Multi-Factor-Authentication (Azure MFA) provides a simple way to add cloud-based MFA capabilities to your authentication infrastructure using your existing NPS servers. With the NPS extension, you’ll be able to add phone call, SMS, or phone app MFA to your existing authentication flow without having to significantly increase your existing authentication infrastructure.

    Accounts

    All the following accounts have been used.

    Account or group name   Source     Description
    Guest001                Local AD   Account for RD Gateway access
    Office365 – EndUsers    Local AD   M365 users license group
    Guest001@3tallah.Com    Local AD   Account to connect with Azure AD

    Environment

    Server details.

    Server Name   IP Address     Role
    NPSEx01       192.168.1.18   Network Policy Server (NPS) role

    NPS Extension for Azure MFA


    The next steps install the NPS role on your new server:

    NPS Extension for Azure installation

    As a part of the configuration of the NPS extension, you need to supply admin credentials and the Azure AD ID for your Azure AD tenant. The following steps show you how to get the tenant ID:

    Get Azure AD ID

    Install the NPS extension

    1. Copy the setup executable file to the NPS server.
    2. On the NPS server, double-click the executable. If prompted, click Run.
    3. In the NPS Extension for Azure MFA dialog box, review the software license terms, check I agree to the license terms and conditions, and click Install.
    4. On the NPS Extension for Azure MFA dialog box, click Close.

    Configure certificates for use with the NPS extension

    In this step, you need to configure certificates for the NPS extension to ensure secure communications. The NPS components include a Windows PowerShell script that configures a self-signed certificate for use with NPS.

    This script performs the following actions:

    • Creates a self-signed certificate
    • Associates public key of certificate to service principal on Azure AD
    • Stores the cert in the local machine store
    • Grants access to the certificate’s private key to the network user
    • Restarts Network Policy Server service

    To use the script, provide the extension with your Azure AD Admin credentials and the Azure AD tenant ID that you copied earlier. Run the script on each NPS server where you installed the NPS extension. Then do the following:

    Configure NPS components on RD Gateway server

    Once you have an NPS server running on your RDS environment, you need to configure the RD Gateway connection authorization policies to work with the NPS server. The authentication flow requires that RADIUS messages be exchanged between the RD Gateway and the NPS server.  This means that RADIUS client settings must be configured on both RD Gateway and NPS server.

    Configure RD Gateway connection authorization policies to use a central store

    Remote Desktop connection authorization policies (RD CAPs) specify the requirements for connecting to a RD Gateway server. By default, RD CAPs are stored locally, and MFA requires that they be stored in a central RD CAP store that is running NPS. Follow the steps below to configure the use of a central store.

    On the RD Gateway server, open Server Manager.

    Configure RADIUS client on RD Gateway NPS

    NPS service

    The NPS server with the NPS extension for Azure needs to be able to exchange messages with the RD Gateway. To enable this message exchange, you need to configure the NPS components on the NPS server.

    Hence you must define an NPS client on the RD Gateway server to allow it to communicate to the NPS server with the NPS extension.

    Configure RADIUS timeout value on RD Gateway NPS

    To ensure there is enough time to validate users’ credentials, perform two-step verification, receive responses, and respond to RADIUS messages, adjust the RADIUS timeout value as follows.

    1. In the NPS (Local) console, expand RADIUS Clients and Servers, and select Remote RADIUS Server Groups. In the details page, double-click TS GATEWAY SERVER GROUP.
    2. Click OK two times to close the dialog boxes.

    Configure connection request policies on RD Gateway 1

    By default, when you configure the RD Gateway to use a central policy store for connection authorization policies, the RD Gateway is configured to forward CAP requests to the NPS server. The NPS server, along with the Azure MFA extension, processes the RADIUS access request. You need to perform the following tasks:

    • Create a “From MFA” policy to determine what happens when you receive a request from the NPS server.
    • Create a “To MFA” policy to determine when to forward a request to the NPS server.
    • Disable the default connection request policy.
    • Verify the policies’ status and processing order.

    Create “From MFA” connection request policy

    Create “To MFA” connection request policy

    Disable default connection request policy

    Verify connection request policies list

    Once you have added the two new policies and disabled the default one, you need to ensure that the policies’ status and processing order are correct. Your policy list should look like the picture below:

    Configure Connection and Resource Authorization policies on RD Gateway 2

    Register server in Active Directory

    For the NPS server to function properly in this scenario, it needs to be registered in Active Directory.

    Create RADIUS client

    The RD Gateway needs to be configured as a RADIUS client to the NPS server.

    Create RADIUS server group

    You need a RADIUS server group to establish communication with the RD Gateway server.
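    As an added example that is not part of the design document, the following PowerShell performs the RADIUS plumbing from the sections “Configure RADIUS client on RD Gateway NPS”, “Configure RADIUS timeout value on RD Gateway NPS”, “Create RADIUS client” and “Create RADIUS server group” with the built-in NPS module instead of the console. Addresses and names are the document’s (RDG01P 192.168.1.16, RDG02P 192.168.1.17, NPSEx01 192.168.1.18, group TS GATEWAY SERVER GROUP). The shared secret is a placeholder, the 60-second timeout is an assumed value (the document only says to adjust it), and the parameter names used for New-NpsRemoteRadiusServer (-AuthenticationSecret, -Timeout, -BlackoutInterval) are assumptions to confirm against Get-Command -Syntax on your server.

```powershell
# Added example, not the document's own steps. Run the two functions on the
# appropriate hosts: Set-RdgRadiusServerGroup on each RD Gateway,
# Add-RdgRadiusClients on the NPS extension server (NPSEx01).
Import-Module NPS

$Gateways           = @{ 'RDG01P' = '192.168.1.16'; 'RDG02P' = '192.168.1.17' }   # from the document
$NpsExtensionServer = '192.168.1.18'                                              # NPSEx01
$Secret             = 'REPLACE-WITH-A-LONG-RANDOM-SHARED-SECRET'                  # placeholder

# Always keep a restorable copy of the NPS configuration before changing it.
Export-NpsConfiguration -Path "$env:TEMP\nps-before-rdg-$(Get-Date -Format yyyyMMddHHmm).xml"

# On each RD Gateway: point its local NPS at NPSEx01 and raise the timeout so the
# second factor (phone call, SMS, app approval) can complete before the request
# is treated as dropped.
function Set-RdgRadiusServerGroup {
    param([string]$GroupName = 'TS GATEWAY SERVER GROUP', [int]$TimeoutSeconds = 60)  # 60 s assumed

    if (-not (Get-NpsRemoteRadiusServerGroup | Where-Object { $_.Name -eq $GroupName })) {
        New-NpsRemoteRadiusServerGroup -Name $GroupName | Out-Null
    }
    # Parameter names below are assumed; verify with:
    #   Get-Command New-NpsRemoteRadiusServer -Syntax
    New-NpsRemoteRadiusServer -Address $NpsExtensionServer -RemoteRadiusServerGroup $GroupName `
        -AuthenticationPort 1812 -AuthenticationSecret $Secret `
        -Timeout $TimeoutSeconds -BlackoutInterval $TimeoutSeconds -Priority 1 -Weight 50
}

# On NPSEx01: register both gateways as RADIUS clients ("Create RADIUS client")
# and build a server group that points back at them ("Create RADIUS server group").
function Add-RdgRadiusClients {
    param([string]$GroupName = 'RD Gateway Servers')   # assumed group name

    foreach ($gw in $Gateways.GetEnumerator()) {
        if (-not (Get-NpsRadiusClient | Where-Object { $_.Address -eq $gw.Value })) {
            New-NpsRadiusClient -Name $gw.Key -Address $gw.Value -SharedSecret $Secret `
                -Enabled $true -VendorName 'RADIUS Standard' | Out-Null
        }
    }
    if (-not (Get-NpsRemoteRadiusServerGroup | Where-Object { $_.Name -eq $GroupName })) {
        New-NpsRemoteRadiusServerGroup -Name $GroupName | Out-Null
    }
    foreach ($gw in $Gateways.GetEnumerator()) {
        # Same assumed parameter names as above.
        New-NpsRemoteRadiusServer -Address $gw.Value -RemoteRadiusServerGroup $GroupName `
            -AuthenticationPort 1812 -AuthenticationSecret $Secret -Priority 1 -Weight 50
    }
    Get-NpsRadiusClient | Select-Object Name, Address, Enabled
}
```

    Use one secret per RADIUS client rather than a single shared value for the whole farm where your NPS version allows it, and keep the exported configuration file out of world-readable locations: it contains the shared secrets.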

    Create connection request policies

    Just like with the RD Gateway server, you must define policies to handle messaging exchange to/from the RD Gateway server.

    Create “From RD Gateway” connection request policy

    Create “To RD Gateway” connection request policy

     

    Verify connection request policies list

    Once you have added the two new policies, you need to ensure that the policies’ status and processing order are correct. Your policy list should look like the picture below:

    Configure Network Policy

    Because the NPS server with the MFA extension was designated as the central policy store for RD CAPs, you need to implement a new policy on the NPS server to authorize valid connections requests.

    Verify configuration

    To verify the configuration, you need to connect to your RD deployment through the RD Gateway server. Be sure to use an account that is allowed by your RD CAP.

    Open any of the available resources. It may ask you to enter your credentials.
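    As an added example (not from the document), the following PowerShell confirms where the test connection was decided, which is the check a practitioner wants after the step above: NPS logs 6272 (access granted) and 6273 (access denied) in the Security log, the Azure MFA NPS extension writes its own channels under Applications and Services Logs > Microsoft > AzureMfa (the channel names are discovered at run time rather than assumed), and the RD Gateway records connection and resource authorization in its Operational log. Run it on NPSEx01 for the RADIUS and MFA side and on a gateway for the gateway side.

```powershell
# Added example, not the document's own steps: collect the authentication trail
# for the last N minutes on the host this runs on.
function Get-RdgMfaAuthEvents {
    param(
        [string]$User,               # optional: only events whose message mentions this account
        [int]$LastMinutes = 30
    )
    $since = (Get-Date).AddMinutes(-$LastMinutes)

    # NPS decisions live in the Security log (provider Microsoft-Windows-Security-Auditing).
    $nps = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = @(6272, 6273); StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { -not $User -or $_.Message -match [regex]::Escape($User) } |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 6272) { 'Granted' } else { 'Denied' } } }

    # Azure MFA NPS extension channels: enumerate instead of hard-coding the names.
    $mfaLogs = Get-WinEvent -ListLog '*AzureMfa*' -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LogName
    $mfa = foreach ($log in $mfaLogs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = $since } -ErrorAction SilentlyContinue |
            Select-Object TimeCreated, LogName, Id, LevelDisplayName, Message
    }

    # RD Gateway side: connection authorization, resource authorization, connect/disconnect.
    $gw = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-TerminalServices-Gateway/Operational'; StartTime = $since } -ErrorAction SilentlyContinue |
        Where-Object { -not $User -or $_.Message -match [regex]::Escape($User) } |
        Select-Object TimeCreated, Id, Message

    [pscustomobject]@{
        NpsDecisions = $nps
        MfaExtension = $mfa
        Gateway      = $gw
    }
}

# Usage: the test account from the document's "Accounts" table.
$trail = Get-RdgMfaAuthEvents -User 'Guest001' -LastMinutes 30
$trail.NpsDecisions | Format-Table -AutoSize
$trail.MfaExtension | Format-Table -AutoSize
$trail.Gateway      | Format-Table -AutoSize
```

    A 6273 on NPSEx01 with no entry in the AzureMfa channels means the request was rejected by the connection request or network policy before the second factor was ever triggered, so look at policy conditions and processing order first.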

     

    References

    The following articles are references used in this design document:

    Azure Active Directory
    https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis

    Custom Domain Name
    https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-custom-domain

    Integrate your Remote Desktop Gateway infrastructure using the Network Policy Server (NPS) extension and Azure AD
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension-rdg

    Remote Desktop Services – Multi-Factor Authentication
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-mfa

    Add high availability to the RD Web and Gateway web front
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-rdweb-gateway-ha

    Remote Desktop Services – High availability
    https://docs.microsoft.com/en-us/windows-server/remote/remote-desktop-services/rds-plan-high-availability

    Integrate your existing NPS infrastructure with Azure Multi-Factor Authentication
    https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension

    END OF DOCUMENT

By 3tallah

Building A Highly Available Remote Desktop Gateway Farm integrated with Azure MFA

Many people are being forced to work from home for the first time during the coronavirus outbreak. That could have negative impacts on our productivity.

Microsoft and many other tech vendors have started to provide tools to help people work from home more productively.

As a partner, we try to use these tools and solutions to give our customers a secure remote-work setup with added value: the users get the same experience as in the office, for higher productivity.

Hence we started building RD Gateway with Azure MFA for secure work and a familiar experience across a variety of devices and web browsers.

For more information, you can read and download from here.

from 3tallah’s Blog https://ift.tt/3biKEzO

Step by Step Azure Firewall Deployment and Configuration

 
Securing a network perimeter is one of the most important aspects for any organization. In this blog we are going to demonstrate Azure Firewall deployment and basic configuration.

Before we start let’s have a little brief about Azure Firewall and Its consideration.

  • Azure Firewall is a stateful firewall as a service with built-in high availability and unrestricted cloud scalability that protects Azure virtual network resources.
  • You can deploy Azure Firewall on any virtual network, but customers typically deploy it on a central virtual network and peer other virtual networks to it in a hub-and-spoke model.
  • Azure Firewall supports inbound and outbound filtering. Inbound protection is for non-HTTP/S protocols. For example, RDP, SSH, and FTP protocols.
  • Azure Firewall needs a dedicated subnet “AzureFirewallSubnet”
  • Azure Firewall is integrated with Azure Monitor for viewing and analyzing firewall logs.
  • Azure Firewall supports rules and rule collections.
    • A rule collection is a set of rules that share the same order and priority.
    • Rule collections are executed in order of their priority.
    • Network rule collections are higher priority than application rule collections, and all rules are terminating.
  • Azure Firewall cost:
    • Fixed fee: $1.25/firewall/hour,
    • Data Processing fee: $0.016 per GB processed by the firewall (ingress or egress)
    • A fixed hourly fee is charged per firewall deployment regardless of scale. In addition, a data processing fee is billed per deployment for any data processed by your firewall.

In this post, you will learn step by step how to:

  • Set up a network environment (Vnets and SNets).
  • Deploy Azure Firewall
  • Create a default route to route traffic through Azure firewall.
  • Configure an application rule to allow access to www.3tallah.com
  • Configure a network rule to allow access to Google DNS servers
  • Create virtual machines for Test purpose.
  • Create Azure Bastion to connect to Workload Servers
  • Test the firewall

Set up the network

NOTE: Firewall and its Vnet should be in the same resource group.

Deploy Azure Firewall

Create a default route

Configure the outbound default route to go through the firewall for Servers Workload subnet.

Let’s associate the Azure Firewall with the Servers Workload (Snet-HUB-MGMT) subnet.
Under the Azure Firewall subnet settings, associate the Servers Workload (Snet-HUB-MGMT) subnet.
Now it is time to add a route that sends all traffic from the Servers Workload subnet to the Azure Firewall’s private IP address.
  • For Next hop type, choose Virtual appliance. Azure Firewall is actually a managed service, but Virtual appliance is the next hop type that works in this situation.
  • For Next hop address, type the private IP address of the firewall that you noted previously.

Configure an application rule

Application rules allow or deny access from a subnet to websites (FQDNs).
This is the application rule that allows outbound access to *.3tallah.com.
Open the Azure Firewall and select Rules.

  • For Source, type 172.17.128.192/27. (Internal Workload Servers IP Range)
  • For Protocol:port, type http, https.
  • For Target FQDNS, type http://www.3tallah.com

Configure a network rule

Network rules are applied before application rules. A network rule contains source addresses, protocols, destination ports, and destination addresses.
Create a network rule to allow outbound access to the Google DNS servers on port 53.

  • For Protocol, select UDP
  • For Destination address, type 8.8.8.8,8.8.4.4
  • For Destination Ports, type 53.
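As an added example that is not part of this blog post, the following Az PowerShell reproduces the three configuration sections above (default route, application rule, network rule) so they can be repeated and reviewed as code. Values from the post are the subnet Snet-HUB-MGMT, the workload range 172.17.128.192/27, the target *.3tallah.com, the DNS servers 8.8.8.8 and 8.8.4.4 and the collection name FW-AppColl-3tallah.com; the resource group, location, VNet, firewall and route table names are assumed placeholders, and the rule collection priorities are assumed values.

```powershell
# Added example, not the post's own steps. Requires the Az module and an
# existing firewall (see "Deploy Azure Firewall" above).
$rg       = 'rg-hub'        # assumed placeholder
$loc      = 'westeurope'    # assumed placeholder
$vnetName = 'vnet-hub'      # assumed placeholder
$fwName   = 'fw-hub'        # assumed placeholder
$workload = '172.17.128.192/27'   # Internal Workload Servers IP range (from the post)
$snetName = 'Snet-HUB-MGMT'       # Servers Workload subnet (from the post)

$fw   = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fwIp = $fw.IpConfigurations[0].PrivateIPAddress   # the private IP noted earlier

# 1. Default route: everything leaving the workload subnet goes to the firewall.
$rt = New-AzRouteTable -Name 'rt-hub-mgmt' -ResourceGroupName $rg -Location $loc
Add-AzRouteConfig -RouteTable $rt -Name 'default-via-firewall' -AddressPrefix '0.0.0.0/0' `
    -NextHopType VirtualAppliance -NextHopIpAddress $fwIp | Set-AzRouteTable

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg
$snet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snetName
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $snetName `
    -AddressPrefix $snet.AddressPrefix -RouteTable $rt | Set-AzVirtualNetwork

# 2. Application rule: HTTP/HTTPS from the workload subnet to *.3tallah.com only.
#    (To reproduce the post's "images not loaded" fix, add 'blogspot.com' to -TargetFqdn.)
$appRule = New-AzFirewallApplicationRule -Name 'Allow-3tallah' -SourceAddress $workload `
    -Protocol 'http:80', 'https:443' -TargetFqdn '*.3tallah.com'
$appColl = New-AzFirewallApplicationRuleCollection -Name 'FW-AppColl-3tallah.com' `
    -Priority 200 -Rule $appRule -ActionType Allow          # priority assumed

# 3. Network rule: UDP 53 from the workload subnet to the Google DNS servers.
$netRule = New-AzFirewallNetworkRule -Name 'Allow-GoogleDNS' -Protocol UDP `
    -SourceAddress $workload -DestinationAddress '8.8.8.8', '8.8.4.4' -DestinationPort 53
$netColl = New-AzFirewallNetworkRuleCollection -Name 'FW-NetColl-DNS' `
    -Priority 100 -Rule $netRule -ActionType Allow          # priority assumed

# Attach both collections and push the configuration to the firewall.
$fw.ApplicationRuleCollections.Add($appColl)
$fw.NetworkRuleCollections.Add($netColl)
Set-AzFirewall -AzureFirewall $fw

# Review what is now enforced.
$fw = Get-AzFirewall -Name $fwName -ResourceGroupName $rg
$fw.NetworkRuleCollections     | Select-Object Name, Priority, @{n='Action';e={$_.Action.Type}}
$fw.ApplicationRuleCollections | Select-Object Name, Priority, @{n='Action';e={$_.Action.Type}}
```

Because network rule collections are evaluated before application rule collections and every match is terminating, keep the DNS network rule narrow (UDP 53 to the two listed addresses only); a broad network allow would short-circuit the FQDN filtering the application rule is meant to provide.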

Create virtual machines

Change DNS addresses for the Workload Server NIC.

Create Azure Bastion to connect to Workload Servers

Test the firewall

  • Connect to the Workload Server using Azure Bastion.
  • Browse to https://www.google.com. You should be blocked by the
  • Open Internet Explorer and browse to https://www.3tallah.com. You should see my website home page.
  • As shown below, Blog.3tallah.com is accessible but the images are not loaded. This is because we created a rule to allow *.3tallah.com only, and the source of those images is blogspot.com.
Let’s edit the “FW-AppColl-3tallah.com” application rule collection, allow blogspot.com, and then check the result.
With both websites allowed in the Azure Firewall, our website is accessible normally, as shown below.
References:

from 3tallah’s Blog https://ift.tt/2VMcCPY