Jesper M. Christensen

SharePoint and Security

Category Archives: Windows Azure

Creating a Windows Azure virtual network with site-to-site VPN to SonicWALL


One of the great new features of Windows Azure is the ability to create a site-to-site VPN connection to your local network.

Microsoft delivers configuration instructions for Cisco and Juniper devices; at the time of writing, step-by-step configuration details are only provided for these two vendors.

In this blog post I will guide you through configuring a new virtual network connected to a SonicWALL device through the Windows Azure web portal.

Creating a Local Network

To establish the connection to a local network you can define your local network before actually creating a new Virtual Network in Windows Azure. This gives you the possibility to create the site-to-site connection directly in the “New Virtual Network” configuration wizard.

Access the network configuration section in the Windows Azure web portal.

Click the tab called “Local Networks”.

Here you click the “+ Create” button at the bottom of the page.

Fill out the Name and the public IP address of the VPN gateway.

Then click the next-arrow to proceed to step 2.

Fill out the subnet(s) and click the checkmark button to create this entry.

Creating a new Virtual Network and the gateway connection in Windows Azure

It is vital that you create the virtual network before you create the virtual machines in Windows Azure, as it is (at the moment) not easy to move existing machines to another network.

Access your portal, click the “+ NEW” button and select “Network” and “Custom Create”.

Here you will fill in details regarding the network such as Name, Region to be used and select or create an affinity group.

Then click the next-arrow to proceed to step 2.

Here you will create your address space and subnets. It is important that you know a bit about subnetting, as the address space must include all the subnets you create. The address space is used for “grouping” the addresses and is used for routing and for the VPN tunnel. The network is virtualized and does not conflict with any other networks in Windows Azure.

I create two subnets as the screenshot shows.

Then click the next-arrow to proceed to step 3.

On this configuration screen you will choose a DNS server (if any; otherwise the Windows Azure-provided DNS is used). If you need to create additional domain controllers for an existing domain from your local network it is a good idea to fill this out.

This is also the page where you configure the actual connection to the local network. You type in the subnet(s) of the Windows Azure network that should be reachable from the local network. In this example I provide access to all my Windows Azure subnets.

Click the checkmark button to create the new Virtual Network and configure the Windows Azure VPN connection.

Note: You cannot change the VPN connection details without deleting the gateway. This takes a while and deletes the Windows Azure VPN entry. Afterwards you can create a new gateway and VPN connection again for this Virtual Network.
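Before clicking through the wizard it pays to check the address plan on paper: every subnet must lie inside the address space, subnets must not overlap each other, and the local network's subnets must not overlap the Azure address space, otherwise the SonicWALL has no unambiguous route into the tunnel. The following script is an added example (not part of the original post, and not a Microsoft tool) that performs those checks with Python's standard `ipaddress` module; the address space, subnet names and local subnets in it are constructed sample values, not the ones from the screenshots.

```python
"""Sanity-check a Windows Azure virtual network address plan before creating it.

Added example, not from the original post. The portal requires that every
subnet lies inside the address space, and a site-to-site tunnel only routes
cleanly when the local network's subnets do not overlap the Azure address
space. All addresses below are constructed for illustration.
"""
import ipaddress

# Constructed sample plan (not the addresses used in the post).
AZURE_ADDRESS_SPACE = "10.10.0.0/16"
AZURE_SUBNETS = {"Servers": "10.10.1.0/24", "DomainControllers": "10.10.2.0/24"}
LOCAL_SUBNETS = ["192.168.1.0/24", "192.168.2.0/24"]


def validate_plan(address_space, azure_subnets, local_subnets):
    """Return a list of problems; an empty list means the plan is consistent."""
    space = ipaddress.ip_network(address_space, strict=True)
    problems = []
    nets = {}

    # 1. Every Azure subnet must be a proper CIDR block inside the address space.
    for name, cidr in azure_subnets.items():
        try:
            net = ipaddress.ip_network(cidr, strict=True)
        except ValueError as exc:
            problems.append(f"subnet {name}: {cidr} is not a valid network ({exc})")
            continue
        if not net.subnet_of(space):
            problems.append(f"subnet {name} ({net}) is outside address space {space}")
        nets[name] = net

    # 2. Azure subnets must not overlap each other.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if nets[a].overlaps(nets[b]):
                problems.append(f"subnets {a} ({nets[a]}) and {b} ({nets[b]}) overlap")

    # 3. Local (on-premises) subnets must not overlap the Azure address space,
    #    or traffic for them would never be sent through the tunnel.
    for cidr in local_subnets:
        local = ipaddress.ip_network(cidr, strict=True)
        if local.overlaps(space):
            problems.append(f"local subnet {local} overlaps Azure address space {space}")
    return problems


def tunnel_networks(address_space, azure_subnets, expose_all=True):
    """CIDRs to enter as the Azure side of the tunnel.

    The post exposes the whole address space; pass expose_all=False to
    expose only the individual subnets instead.
    """
    if expose_all:
        return [address_space]
    return sorted(azure_subnets.values())


if __name__ == "__main__":
    issues = validate_plan(AZURE_ADDRESS_SPACE, AZURE_SUBNETS, LOCAL_SUBNETS)
    print("plan OK" if not issues else "\n".join(issues))
    print("Azure networks for the tunnel:", tunnel_networks(AZURE_ADDRESS_SPACE, AZURE_SUBNETS))
```

Run it with your own values before creating the network; because the gateway has to be deleted and recreated to change the connection details, catching an overlap here is much cheaper than catching it after the tunnel is up.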

Configuring the SonicWALL for the VPN connection to the Windows Azure gateway

This example is made on a SonicWALL with the enhanced firmware installed. The enhanced firmware is not required for this to work; the same configuration details apply to the standard firmware.

Log on to your SonicWALL as an admin and go to the “Network” and “Address Objects” menu.

Create a new Address Object (and possibly an Address Group also for future reconfigurations) that defines the Windows Azure network used in the VPN tunnel.

Now start the VPN configuration wizard from the button in the upper right corner of the SonicWALL – click Wizards and choose “VPN Wizard”.

Choose Site-to-Site.

Fill in a name, the preshared key and the Remote Peer IP Address. You can find this by accessing the Windows Azure web portal, going to the “Networks” area and clicking your Virtual Network. On this dashboard you can see the “Gateway IP address”, which you will use. The preshared key can be found by clicking “View Key” on the same page.

Select which internal subnets the Windows Azure networks should be able to access, and select the Windows Azure address object created before.

Now select the security settings for this tunnel. These may differ in your configuration or in future Windows Azure standards; the current values can be found in the configuration script generated by the Windows Azure Virtual Network download wizard. Download the file and check its content.

Now you can complete your wizard and both NAT entries and the VPN tunnel will be created.

Edit the VPN tunnel and configure the IDs for this tunnel to match the public IP of the SonicWALL and the internal Windows Azure gateway IP (you can find the latter in the SonicWALL log, in an error message). Microsoft could change these settings in the future to support VPN vendors that do not support its automatic IP-ID configuration:

Also check the proposals section for this tunnel – the exchange method must be set to “Main mode”.

To bring the tunnel up you can try pinging an address on the remote subnet; you should be able to reach it once the VPN tunnel has initialized. Alternatively you can enable “Keep alive” on the “Advanced” tab of the VPN tunnel configuration on the SonicWALL.

Note: All Windows Azure Windows Servers have the Windows Firewall enabled, so you need to either disable the firewall (not recommended!) or add an allow rule for ICMPv4 traffic to it.

You can check the status of the site-to-site connection in the “Networks” area of the Windows Azure web portal by clicking your Virtual Network.

I hope this guide helps you configure a site-to-site tunnel between the networks.


Using CloudXplorer to access Windows Azure Storage


If you have created a blob storage location in Windows Azure you might want to get access to it. John Craddock was kind enough to show me how easy this is using the free product CloudXplorer from ClumsyLeaf (http://clumsyleaf.com/products/cloudxplorer).

You need some details to access your storage of course, and you find these in the Windows Azure Portal in the Storage section (I have hidden my storage IDs and use these fake ones for this post).

  • Take a note of the name; I will use: TestID7283947

Simply click on the storage partition you want to access and afterwards click the “Manage Keys” button at the bottom of the page.

This will reveal the access keys for this storage location:

  • Copy one of the keys

Now you are ready to add this storage location to CloudXplorer. Download it from http://clumsyleaf.com/products/cloudxplorer, install and run the program.

Go to the accounts page by clicking “File”, “Accounts…”, click the “New” button and choose “Windows Azure Account…”.


Here you can fill in your storage details and tick “Use SSL/TLS”.

Now you have added the storage location and can access it through CloudXplorer:
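It helps to understand what a client like CloudXplorer actually does with the access key you just pasted in, because that explains why the key is as sensitive as a password and why the SSL/TLS checkbox matters. The block below is an added illustration written for this page, not CloudXplorer's or Microsoft's code: it builds the Windows Azure Storage “SharedKey” authorization header for a list-containers request following the canonical-string layout Microsoft documents for the 2009-09-19 service version. The key is never transmitted; only an HMAC-SHA256 signature over the request goes on the wire, so the risk is the key leaking from configuration files or screenshots, and TLS protects the request and the returned data rather than the key itself. The account name is the fake ID from the post and the key is a constructed placeholder.

```python
"""How a storage client proves it holds the access key (added illustration).

Not CloudXplorer's or Microsoft's code. Implements the documented Windows
Azure Storage "SharedKey" scheme: HMAC-SHA256 over a canonical string,
keyed with the base64-decoded access key. Only the signature is sent.
"""
import base64
import hashlib
import hmac
from email.utils import formatdate

ACCOUNT = "TestID7283947"                       # fake account name from the post
# Constructed placeholder key, base64-encoded like the portal shows it (not a real key).
ACCESS_KEY = base64.b64encode(b"\x01" * 64).decode()

# Standard headers, in the order the canonical string lists them.
_STANDARD_HEADERS = ["Content-Encoding", "Content-Language", "Content-Length",
                     "Content-MD5", "Content-Type", "Date", "If-Modified-Since",
                     "If-Match", "If-None-Match", "If-Unmodified-Since", "Range"]


def string_to_sign(verb, account, path, query, headers):
    """Build the canonical string (Blob service, version 2009-09-19 and later).

    When x-ms-date is supplied the Date line stays empty; the x-ms-* headers
    are included, lower-cased and sorted, in the canonicalized-headers part.
    """
    lower = {k.lower(): v for k, v in headers.items()}
    lines = [verb] + [lower.get(h.lower(), "") for h in _STANDARD_HEADERS]
    canonical_headers = "".join(f"{k}:{lower[k]}\n" for k in sorted(lower) if k.startswith("x-ms-"))
    canonical_resource = f"/{account}{path}" + "".join(f"\n{k}:{query[k]}" for k in sorted(query))
    return "\n".join(lines) + "\n" + canonical_headers + canonical_resource


def sign_request(verb, account, key_b64, path, query, headers):
    """Return the Authorization header value: 'SharedKey <account>:<base64 HMAC>'."""
    sts = string_to_sign(verb, account, path, query, headers)
    mac = hmac.new(base64.b64decode(key_b64), sts.encode("utf-8"), hashlib.sha256).digest()
    return f"SharedKey {account}:{base64.b64encode(mac).decode()}"


def list_containers_headers(account=ACCOUNT, key_b64=ACCESS_KEY, when=None):
    """Headers for 'GET https://<account>.blob.core.windows.net/?comp=list'."""
    headers = {"x-ms-date": when or formatdate(usegmt=True), "x-ms-version": "2009-09-19"}
    auth = sign_request("GET", account, key_b64, "/", {"comp": "list"}, headers)
    return {**headers, "Authorization": auth}


if __name__ == "__main__":
    for name, value in list_containers_headers().items():
        print(f"{name}: {value}")
```

The signature changes with every request (the `x-ms-date` value is part of it), so a captured header is only useful for a short window and only for that exact request, whereas a leaked key signs anything until it is regenerated with the portal's “Manage Keys” button.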

Windows Azure – Can we use it for SharePoint now?


I heard the great news at the Microsoft TechEd 2012 Europe conference: you can even install Microsoft SharePoint on Windows Azure virtual machines!

I see endless possibilities in Azure for testing purposes, data and Active Directory redundancy, external access and extranets, and the list just continues.

New functionality in Windows Azure

New functionality introduced in Windows Azure makes it possible to work with:

  • Virtual Machines (Windows & Linux from templates or own vhd-images)
  • Virtual Networks (separation of networks in Windows Azure)
  • Site-to-Site VPN connection (e.g. to your own LAN)
  • …much more

With these new features we are in fact able to run almost any type of program, server or service in the cloud – including Microsoft SharePoint.




Fig. 1 – Diagram of Windows Azure and the internal network connection

If you already have Microsoft Hyper-V machines (VHD files), the good news is that these are fully compatible with Windows Azure. You can simply copy the files between your environment and Windows Azure as you please. For this process please check out my blog post “Using CloudXplorer to access Windows Azure Storage”.

I was determined to check this out right away and started setting up a test environment. This included installing a new domain controller, SQL Server and a SharePoint farm in the cloud. I would connect this Windows Azure environment to my internal network with the new site-to-site VPN functionality – even though I have a SonicWALL as firewall. At present Windows Azure only supports (or actually only provides configuration details for) Cisco and Juniper VPN devices.

Getting started

Signing up for a Windows Azure account is quite easy – just enroll on http://www.WindowsAzure.com

The pricing of Windows Azure services is in my opinion very fair, as you only pay for what you use – space, usage and time. The price calculator is easy to use and gives you an exact overview of your spending.

Fig. 2 – Example of the monthly fee for 24 hours Windows Azure Windows Server

If you are connected to a Microsoft Partner or own an MSDN subscription you are entitled to activate some “free resources”. Read more in the Pricing, Member offers section on the website.

Preparing the environment for SharePoint

This blog post provides a quick introduction to Windows Azure and does not go into much detail. You can read more about Windows Azure and its services on the Microsoft Windows Azure website.

I will post installation guides for the following setup soon:

This will provide you with an environment that is ready for a Microsoft SharePoint installation. More guides will follow on installation and access configuration to the SharePoint sites.

I will update the above headlines with the links to these blogposts.

Considerations regarding your data

Microsoft keeps the virtual machines and data online according to the service you buy. By default the data is stored on three physical drives, but it is possible to buy locally and geo-redundant storage locations.

Please make sure you also make a backup/restore plan for your data, as Microsoft only provides Infrastructure as a Service (IaaS). Of course you also need to have the licensing in place for the products you run.

Also check the support possibilities and make sure all the above matches your needs.