Microsoft Azure AZ-800 — Section 16: Implementing on-premises and hybrid network connectivity Part 4
125. Implement and manage Network Policy Server role
All right, so I want to take a look at installing some things here and how we can configure NPS.
So here we are on NYC server one. I'm going to go into Server Manager, then Manage, then Add Roles and Features, and from there we click Next, Next and Next. As far as installing all this goes, if I want to install Web Application Proxy, I can expand Remote Access. I've already installed RRAS; I could install Web Application Proxy by selecting that option right there. And if I want NPS, I select Network Policy and Access Services right there.
OK, so that's how I can install the services I need. Mainly what I want to focus on right now is Network Policy and Access Services.
So I'm going to go ahead now and click Next, Next and Next again, then click Install, and I'll pause the video while it installs. Once that's done, I'll just hit Close. You'll notice it says the feature was successfully installed. So we go to Tools and then Network Policy Server, and open that up.
So once NPS is loaded up on the screen, you'll notice different objects I can configure. Number one, there's RADIUS Clients and Servers. One thing to understand about RADIUS clients: most people think, oh, that's the Windows computers connecting to a VPN or whatever. No, actually a RADIUS client is a server that is communicating with the RADIUS server.
So this would be either (a) the RRAS servers themselves, if they authenticate directly with NPS, or (b), the perfect-world scenario, if you were using a RADIUS proxy, the proxy would authenticate with NPS directly on behalf of those servers.
So the RADIUS proxy would be the RADIUS server for your RRAS servers, and the RADIUS proxy would in turn be a RADIUS client to your NPS server.
OK.
So this would show all of the machines that are used as a client.
So if you needed to point a RRAS server at your RADIUS server, you do that in RRAS. In my case I actually have RRAS installed directly on this server, because I only have so many servers to play around with. If I go to Server Manager, Tools, Routing and Remote Access, what I can generally do is right-click the server, go to Properties, click Security and look at the authentication provider. If this were a RRAS server that is not also the RADIUS server, I could pick RADIUS as the accounting and authentication provider and point it at the RADIUS server. In my case, you'll notice this message right here: because NPS is installed, you must use it to configure authentication and accounting providers.
So I have no choice, because RRAS is installed directly on our NPS server. I have to use it; that's just the rule. But if this were a RRAS server without NPS, I would have that option. If you want to try it out, you can install RRAS on your domain controller, for example, if you're playing around with this as well, and try pointing it at the NPS server; you'll see what I'm talking about. And then, of course, there are the various ways you authenticate. You have EAP, Extensible Authentication Protocol, which supports smart cards and biometric authentication. You've got MS-CHAP v2, which is password-based authentication. Then there's CHAP, Challenge Handshake Authentication Protocol; it's an older protocol, not really considered secure today, and it uses the MD5 hashing algorithm. And then PAP, which is unencrypted password; as we say, PAP is crap. Don't ever use PAP. PAP is something that goes back to Windows 2000, really there to allow DOS computers to connect, and it's just an old remnant of that. And then you've got Allow machine certificate authentication for IKEv2: if you're using IKEv2 for VPN, you can use a digital certificate for authentication.
So that's what they're talking about there. But the main thing I wanted to get across is that the authentication method is where a RRAS server points to your RADIUS server for authentication.
Now this is the actual NPS server. But if I wanted to make this the RADIUS proxy, I could.
OK.
So when you install NPS, you can make it a full-blown NPS server or you can make it a RADIUS proxy.
To make it a RADIUS proxy, you go to Policies, and there's this thing called Connection Request Policies. It tells you right here: connection request policies allow you to designate whether connection requests are processed locally or forwarded.
So basically, if I want to make this a RADIUS proxy, I create a policy that says forward it to the NPS server that's internal to my network. You've seen my drawing, so you know what I mean by the internal NPS server. That's what connection request policies are. Now, ultimately one of the biggest and most important things Network Policy Server is going to do is control who gets in: which users get in.
OK, and so we want to be able to control that. Let me jump over to my domain controller real quick.
So here I am on NYC DC one. If I go to Tools and Active Directory Users and Computers, I want to show you some defaults you'll notice for each user.
If I go to a user, I'll just pick on myself, which is Administrator, you'll notice there's a Dial-in tab. Oddly enough it's called Dial-in, but it covers any type of remote access connection. It has this thing called Network Access Permission, with three options: Allow access, Deny access, and Control access through NPS Network Policy.
So if you just want to always allow this person to connect in through remote access, without even going through policies, you can say Allow. But the default is to control access through NPS network policy, so that's the default for allowing somebody to connect in; we're going to let NPS decide. And if you jump back over to my NYC server one, which is NPS, the default there is actually to deny everybody; even the admin is going to be denied.
So you have to configure this; you have to explicitly allow it by creating a network policy here.
There's a default behavior with NPS, and it's effectively deny all. You don't see it on the screen as such, although there are a couple of default policies here: Connections to Microsoft Routing and Remote Access server, which denies everybody, and Connections to other access servers, which is also denying everything. If you want to allow everyone, you can go into that policy and change it to Grant access. But in our case, let's say we want to allow only particular people, during certain times.
OK, so I can right-click Network Policies, click New, and give it a name, like maybe Sales Users. If you wanted to, you could also pick a type of network access server: Remote Desktop Gateway, Remote Access Server, and so on. You can say Unspecified, which means it'll apply to anything. There's also Vendor specific: if you had hardware devices from different vendors like Cisco, you can look up their vendor ID number, and RRAS and RADIUS will match on that vendor ID; there are different vendor-specific numbers that can be associated there as well. But I'm not going to do that. I'll go to Conditions.
So under Conditions there are various conditions I can set. For example, I can pick Windows Groups and say Sales, if I had a group called Sales. Actually, I've got Sales Support, so we'll just use that; that's the group. And then there are all these other things I could do. How about Day and Time Restrictions? We'll say that we'll allow salespeople the ability to connect in, and this policy is going to take effect between 9:00 a.m. and 6:00 p.m., Monday through Friday. So we'll set that and commit it.
So this would permit them during that time, but we still have to set Allow on the policy: Access granted, or access determined by user dial-in properties. Well, the dial-in properties are going to say control through NPS anyway, so that doesn't matter.
So we'll click Next, and this is where we can set the authentication methods we want.
OK? There's even an old one called SPAP, Shiva Password Authentication Protocol, old technology that's been deprecated now, but this gives us the ability to choose what we're going to support, smart cards and all that. Then I've also got some constraints. I can say if you're idle for a certain amount of time, disconnect you: an idle timeout. There's a session timeout, after which you get disconnected; you could set that to a few hours so people can't stay on 24/7. There's Called Station ID, and then an additional Day and Time Restrictions constraint, because the condition I showed you on the previous screen only controls when somebody can log in: if they're logged in already, it's not going to kick them off at six o'clock, they just can't log in past six. The day and time restriction here under Constraints will actually disconnect them. And there's NAS Port Type, where you can specify the type of connection they have to be using when they connect in: you could require VPN, or DSL, or ISDN, and they'd have to be connecting with one of those types or they wouldn't be allowed in. Most people don't mess with that, but you could if you wanted to. And then from there I've got some other settings I can configure: there's the vendor-specific thing you saw, there's Bandwidth Allocation Protocol, which lets you control how much bandwidth they're allowed to use, you can set IP filters, require a certain type of encryption, and you can even configure their IP settings here.
So from there I'll click Next, then Finish, and I've now created this policy. Notice that it has a processing order.
So if you had another policy that conflicted with this one, the policy with the lower processing order number has the higher priority, and that's how the conflict gets handled.
OK.
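Here is a small Python model, added here and not part of the course or any Microsoft code, of the decision logic just described: processing order, the conditions, the user's Dial-in permission and the default deny. The user, group, timestamps and the policy names and orders are constructed lab values.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional, Set

# Constructed model of how NPS chooses a network policy (not NPS code):
#  * policies are tried in processing order, lower number = higher priority
#  * the first policy whose conditions all match decides the outcome
#  * the user's Dial-in Network Access Permission (Allow/Deny) overrides that
#    policy's Grant/Deny; "Control access through NPS" leaves it to the policy
#  * if nothing matches, NPS rejects the connection (default deny)


@dataclass
class DayTimeWindow:
    """Day and Time Restrictions: weekdays 0=Mon..6=Sun, hours [start, end)."""
    days: Set[int]
    start_hour: int
    end_hour: int

    def allows(self, when: datetime) -> bool:
        return when.weekday() in self.days and self.start_hour <= when.hour < self.end_hour


@dataclass
class NetworkPolicy:
    name: str
    processing_order: int
    grant: bool                                             # Access granted / denied
    windows_groups: Set[str] = field(default_factory=set)   # Windows Groups condition
    day_time: Optional[DayTimeWindow] = None
    nas_port_types: Set[str] = field(default_factory=set)   # NAS Port Type; empty = any

    def matches(self, user: dict, when: datetime, nas_port_type: str) -> bool:
        if self.windows_groups and not (self.windows_groups & set(user["groups"])):
            return False
        if self.day_time is not None and not self.day_time.allows(when):
            return False
        if self.nas_port_types and nas_port_type not in self.nas_port_types:
            return False
        return True


def evaluate(policies, user, when, nas_port_type="Virtual (VPN)"):
    """Return (decision, policy_name); decision is 'grant' or 'deny'. `when` may be an ISO string."""
    when = datetime.fromisoformat(when) if isinstance(when, str) else when
    for pol in sorted(policies, key=lambda p: p.processing_order):
        if not pol.matches(user, when, nas_port_type):
            continue
        perm = user.get("network_access_permission", "control_through_nps")
        if perm in ("allow", "deny"):            # Dial-in tab overrides the policy's setting
            return ("grant" if perm == "allow" else "deny"), pol.name
        return ("grant" if pol.grant else "deny"), pol.name
    return "deny", "<no matching policy: default deny>"


# Constructed lab data mirroring the lecture: Sales Support, 9am-6pm Mon-Fri,
# plus two catch-all deny policies standing in for the defaults NPS ships with.
SALES_POLICY = NetworkPolicy(
    name="Sales Users", processing_order=1, grant=True,
    windows_groups={"Sales Support"},
    day_time=DayTimeWindow(days={0, 1, 2, 3, 4}, start_hour=9, end_hour=18),
)
DEFAULT_DENY = [
    NetworkPolicy("Connections to Microsoft Routing and Remote Access server", 999998, False),
    NetworkPolicy("Connections to other access servers", 999999, False),
]
POLICIES = DEFAULT_DENY + [SALES_POLICY]   # list order does not matter, processing order does
```

Calling `evaluate(POLICIES, user, "2024-05-06T10:00")` for a Sales Support member returns a grant from the Sales Users policy, while the same user at 19:00 falls through to the first catch-all deny.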
The other thing we have here is Accounting, and accounting configures the logging side of things: how long people are logged on, when they logged on, when they logged off, what they did while they were logged on. That's all accounting, and you configure the accounting settings here. If you've got a SQL database you can log there, or you can use a local text file.
So there are various options you could go with. Specify your log file and the things you want to log, and from there you've basically set up your accounting; your logs are right here. As far as the other things that can be configured, you have some templates here. A Shared Secrets template lets you create the shared secret passwords that are used to authenticate with the server. Basically, your RRAS servers authenticate with that shared secret, and if you go back over and look at your RRAS settings again, Routing and Remote Access, right-click the server, Properties, you'll see areas where you can put in a pre-shared key for things.
OK. This will show your RADIUS clients that are connected in, and Remote RADIUS Server Groups, for when you have a proxy or this server is acting as a proxy. And here's where you can put IP filters, if you want input filters or output filters on certain IP addresses that you want to allow or block. But ultimately those are the things you can configure in NPS. There are a lot of little things you can do to restrict, block and allow traffic, and it's definitely interesting. But again, the biggest benefit is if you've got quite a few RRAS servers that you're managing and you want to centrally control the traffic that's coming in.
126. Understanding Azure Relay
I'd now like to go over the concept of Azure Relay. So what is Azure Relay? This is a feature that has been in Azure for a few years now. They've made it a little better over the years, but ultimately it's a feature that has been around for a while. What it essentially does is allow us to expose services on our corporate network out to the internet and allow communication between different services, such as web servers out on the internet and web application servers that are internal. The benefit is that we're not having to open up any kind of incoming ports to do that. It's all relayed through Azure: you have an internal web server, for example, that's got some kind of application, and it's interacting with the relay service out on the internet, which in turn is interacting with your web server. Now, with Azure there's also Azure AD Application Proxy, which kind of does all of this for you.
So a lot of people are using Azure AD Application Proxy instead of Azure Relay, because it's a whole lot easier to configure and you don't need so much web coding involved.
Unfortunately, the downside of Azure Relay is that you really need a web developer involved. If you're not a web developer and don't understand the coding side of it, then configuring it is a bit of a pain.
So it's not really something people will have to do a lot of configuring themselves. You're expected to know what it is, and you'd have to point your web developers to the right place on how to configure their web servers to support it. But ultimately the idea here is that we're not opening up any kind of incoming port. You just have to have outgoing ports, HTTPS and all that, going out to the internet to communicate with a relay gateway that's out in Azure. That relay gateway can then be configured to relay traffic to some kind of web application that's running out on the internet.
So you can have a web application out on the internet communicating with a private internal web application, and they can relay information back and forth if you want.
So there are a few different options, a few different ways you'd use this. They mention the traditional one-way, request/response and peer-to-peer communications.
So one machine communicating with another machine, or a client communicating securely with a service out on the internet: you could use it for that. Another thing would be event distribution.
If you've dealt with event programming before, where you generate events in code, you might have events being sent out to a service on the internet where a reply needs to be relayed back. And finally, there's bidirectional unbuffered socket communication across network boundaries.
So if you had different secure networks that needed to communicate with each other without a direct connection, it could even be another company, or another cloud service like AWS, you could have information relayed that way.
OK, so the basic usage flow: you'll have an on-premises service that connects to the relay service through an outbound port.
So it's just a port going out, like HTTPS; you could do port 80, but for the most part everybody wants this secured. That creates a bidirectional socket that essentially encrypts everything, the same kind of technology we've been using for decades with SSL and all that, though almost everything now uses TLS, Transport Layer Security.
So that tells you the client communicates with the on-premises service by sending traffic to the relay service.
So you have a client out on the internet; it interacts with this relay service that's hosted in Azure, and that relays the traffic internally. Again, this kind of overlaps with the Azure AD Application Proxy idea, which of course is what most everybody is using now, and Azure AD Application Proxy is a whole lot easier to configure because you're not dealing with so much of the code side on your website. But this is still an available option. Then they tell you that the relay service relays the data to the on-premises service, and then relays it back through the bidirectional socket to the client.
So you get a message sent from a client, maybe through a web app. The web app communicates through the relay and talks to the internal web server, and the reply gets relayed back. And again, I know that probably sounds a lot like Azure AD Application Proxy, because you're getting the same thing out of that. But this came out before Azure AD Application Proxy did.
So this was sort of the forerunner of it.
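To make the usage flow concrete, here is a constructed Python illustration (not Azure's code, and not the course's) of the three roles above on loopback sockets: the internal service only ever dials out to the relay, the internet client only ever talks to the relay, and the relay forwards request and reply over the connection the internal service opened. TLS and the real HTTPS/WebSocket framing are left out; the point is the direction of the connections.

```python
import socket
import threading

# Constructed illustration of the Azure Relay usage flow, not Azure's own code.
# The internal service only opens an OUTBOUND connection to the relay, the
# internet client talks only to the relay, and the relay forwards request and
# reply over the socket the internal service opened. TLS is left out.

def recv_line(sock):
    """Read one newline-terminated message (empty bytes if the peer closed)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            return buf
        buf += chunk
    return buf


def bind_loopback():
    """Listening socket on 127.0.0.1 with an OS-chosen free port."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    s.listen(5)
    return s


def start_relay():
    """Stand-in for the relay service in Azure. Returns (listener_port, client_port)."""
    lsrv = bind_loopback()  # the internal service dials in here (its outbound port)
    csrv = bind_loopback()  # internet clients connect here

    def run():
        listener, _ = lsrv.accept()        # the on-prem side's outbound connection
        while True:                        # serve clients one request at a time
            conn, _ = csrv.accept()
            with conn:
                listener.sendall(recv_line(conn))   # relay the request inward
                conn.sendall(recv_line(listener))   # relay the reply back out

    threading.Thread(target=run, daemon=True).start()
    return lsrv.getsockname()[1], csrv.getsockname()[1]


def start_onprem_service(listener_port):
    """Internal app: connects OUT to the relay and answers whatever arrives."""
    sock = socket.create_connection(("127.0.0.1", listener_port))

    def serve():
        with sock:
            while True:
                request = recv_line(sock)
                if not request:
                    return
                sock.sendall(b"internal-app handled: " + request.strip() + b"\n")

    threading.Thread(target=serve, daemon=True).start()


def send_via_relay(client_port, message):
    """Internet client: talks only to the relay, never to the internal host."""
    with socket.create_connection(("127.0.0.1", client_port)) as sock:
        sock.sendall(message + b"\n")
        return recv_line(sock)
```

Start the relay, then the on-prem service with the relay's listener port, then call `send_via_relay(client_port, b"GET /orders")`; nothing in the internal service ever listens for an inbound connection.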
OK. What are the features? There are two ways you can use this. One is through what's called a Hybrid Connection; this is the one Microsoft is sort of shining on right now, the one they recommend. It's completely open standards and supports all the different platforms, including non-Microsoft ones like AWS and Google Cloud. And then there's the older one, which is the WCF Relay, Windows Communication Foundation. It uses the WCF framework on your computer, so this is mostly for legacy, and the reason they still support it is that there are still companies out there that have developed web apps that utilize WCF.
So this is mostly for backwards compatibility. If you're taking the exam, that's the big thing you want to remember: Hybrid Connections is the preferred option, but if you need backwards compatibility with legacy, older development and older code, that's going to be WCF.
OK, so taking a deeper look at Hybrid Connections: again, this is secure, it's completely open standards, it has the latest programming support for whatever programming language you want, and it's all based on the HTTP and WebSocket protocols used on the internet.
OK.
So again, the big thing here is compatibility. This is going to be the most compatible option.
OK, then the older one is going to support the .NET Framework, and that's about it: the .NET Framework and WCF on Windows. It's mostly for older apps that have been developed to support that.
And it's going to do that by creating what's basically a WCF channel, which interacts with the Service Bus in the cloud that's able to relay between the cloud service and your on-premises server.
Now, what's the main difference? This little table kind of helps you understand that.
So WCF Relay supports WCF on Windows. It supports the .NET Framework as well, but it doesn't support any of those others.
So you can see Hybrid Connections supports all those others. Really, the only thing Hybrid doesn't support is WCF.
So clearly they've built this to be the most compatible option. Now, if you're working with developers and you're going to need to do this sort of thing, the link I'm providing you here is a great place to start. They've got a lot of examples and configurations, so if you're working with a web developer to get this to work, this is the place to go. But hopefully that gives you a good idea of what Azure Relay is.