We are setting up a new Network which includes a VM in Azure. I can connect to this via RDC.
However, our security guy wants me to access it through a second VM for security reasons. In other words, I first connect with RDC to a "jump server" (which is just another VM in Azure) and then from there, use RDC to connect to the second server.
Is this actually adding a layer of security? It seems to me that unless the RDC on my local machine had somehow gotten a virus or gotten hacked, that there is no benefit to the jump server.
If its a security requirement, the best approach is deploying all your VMs inside a Virtual Network. After that, configure a Point to Site VPN connection on Azure and install the client inside your operating system.
Using that, all your connections to the VMs are done through a secure path to Azure.
Related
I've developed a solution and tested it. It's uploaded to Azure using the convenient method of publishing XML file. Now I realize that it's supposed to be put in on-premise local server (it's an internal application not requiring access to the Internet).
When I go to the server, I use the RDP to access a system. In there, I execute a connection to another RDP. The second system is the one hosting both SQL Server and IIS where the application will reside.
Is it at all possible to construct such a publish XML? If so - how? If not - what should I request form the IT department to open/install on the innermost RDP so I can shove in my stuff by the oh-my-god-I'm-so-lazy press of a button?
You must install webdeploy on your host machine. With IIS and webdeploy installed you can use same publishing techniques as you did with Azure.
I think it goes without saying that you must have direct access to host. If it's on external network you have to open webdeploy's and IIS ports, if you do not want to open this externally I recommend VPN (maybe basic point-to-point) that will create direct line between your dev and host machine.
I'm using some hosted 2008R2 servers for testing scenarious in the Azures cloud and they seem to be working well for most things.
I need clients to directly access the server via VPN such that they have full IP access to the server, for, say, SMB NET USE drive mappings, which otherwise would not be available over the Internet.
Normally, you'd just install RRAS and configure VPN.
But on these VMs, the connection from a remote VPN client fails. I'm forwarding the correct endpoints (I believe), 47 & 1723 for PPTP and 50/51/500 for IPSEC. But they aren't getting through.
The server is listening on these ports.
All my searching seems to suggest you need to use "Azures connect" for VPN access, so does this mean you can't go direct to the server for clients? I don't want to go for the Azures Connect route as I'm just playing/testing and don't want to use any proprietory methods.
Confirmation that this is impossible would be useful to save me going mad.
Azure Connect is a very good way to start; it is an Azure service so I am not sure why you are reluctant to use it. I would keep an eye on performance; VPN could very well be faster. Here is my blog post on how Azure Connect works and the steps I took to make it work: http://geekswithblogs.net/hroggero/archive/2012/10/18/how-to-create-a-virtual-network-with-azure-connect.aspx
Regarding VPN, only certain devices are supported for the preview. Please refer to MSDN for a complete list of supported devices and protocol requirements: http://msdn.microsoft.com/en-us/library/windowsazure/jj156075.aspx
Recentely, I deploy a worker role that it will connect to internet and attemp to access some websites (For example: http://somewebsite.redmond.corp.microsoft.com/en-us/library/).
It successfully access the websites on my development machine running on emulator. But on the Azure virual machine that I deploy my worker role to, it is not able to access the websites. I try to open the websites on VM browering in IE, it is also not able to.
Have u emcounter similar issues? How do u deal with it?
This has nothing to do with accessing the Internet. The URL you provided isn't publicly visible (at least I can't access it from my machine). This means you're attempting to visit a URL behind a firewall, possibly requiring a VPN to access.
Windows Azure VM's, whether worker roles, web roles, or Virtual Machines, are in a public cloud and not behind any firewall. If you wanted to access it from a Windows Azure VM, you'd need to set up a Virtual Network, introduced in the Spring 2012 update. More information here.
Try using Elevated premissions for this. Once,I tried to access internet through RDP of a Role, It was working at that time hence it should be possible for you to access internet. But if are trying to download exes and execute, I Think that isn't possible.Please post you Results here.
Regards,
Vijay.
We integrate with a third-party service where we can run queries which is right now secured using HTTPS encryption and username/password. We send our queries from a service running on the Windows Azure cloud.
The third-party provider wants to migrate towards better security and they have asked us to either
Setup a VPN - which is problematic because for we'd need to use Azure Connect and they'd have to install the client endpoint service on their part.
Provide some IP address where the queries will come from so they can filter out anyone else at the firewall level - which is problematic because AFAIK you cannot fix the IP addresses of the Windows Azure Compute nodes.
Suggest another secure alternative - the only thing I could think of is to set up the VPN with them on a non-Azure server and then tunnel the requests through using Azure Connect - which is obviously extra work for us and also defeats the point of hosting the service on a cloud if it depends on a non-cloud service.
Any ideas?
Can they install the Azure Connect endpoint on another server on their DMZ network? i.e. not the actual server which hosts their service?
Can we somehow provide them with static IPs for incoming queries?
Any other solution that is scalable?
Thanks
If I understand the scenario correctly, your Azure service is a client to a 3rd party service. This scenario may be solved through the use of the Windows Azure AppFabric Service Bus. You would need to install a proxy app in the 3rd party's datacenter that would be responsible for establishing the connection to the service bus. The connection comes from inside the 3rd party's datacenter, so no new incoming holes in the firewall. The connection can handle WCF connections with all its security strengths, and users can be authenticated with ACS.
Here is a starting point: http://msdn.microsoft.com/en-us/library/ee732537.aspx
There is a hands on lab in the Windows Azure Platform Training Kit that explains most of the details that you'll need.
IMHO, HTTPS is already very good; and I don't exactly see how a VPN would make the system any more secure. In particular, VPN is no silver bullet, if your VM is compromised then the VPN connection is compromised too (same for HTTPS). On the other hand, the IP restriction would indeed reduce the attack surface.
Then, using a server outside the cloud is a poor idea indeed. Not only it defeats most of the benefits of the cloud (been there, done that and suffered a lot), but also it also makes the whole thing less secure with more complexity and more attack surface.
Windows Azure does not provide anything that look like a static IP at this point. In our experience, IP addresses for a given service change once in a while even if the service is only upgraded (and never deleted). Static IP addresses have been an important feature request for a long time, Microsoft will probably provide it at some point, but it might still take many months.
I am new to TFS and trying to setup where remote users can access the Source Repository and Work Items without having a VPN to the local network.
Is this possible?
From what I've seen the answer is NO. The TFS Proxy component does NOT appear to be what is needed to allow remote access, but rather a way to improve speed for remote users as long as they have VPN connection.
So how can configure TFS with NO VPN requirement?
Thanks ...
The second problem is how will you authenticate them? If you can't VPN to the network, there will be lot's of issues with the Domain access to the TFS.
Home made solution is to create an machine in DMZ and open it via RDP to the remote users (it's not safe at all)