Monthly archives: August 2010

Windows 2008 R2 Performance Tuning Guide

The subject may seem complex given the number of areas it covers, but the task is not impossible if you start by breaking the problem down by Windows 2008 R2 role and feature. To help with that, the “Windows Performance Team” has published a guide, and it is more than complete:

  • Web Servers
  • File Servers
  • Active Directory
  • Remote Desktop Sessions Host
  • Remote Desktop Gateway
  • Hyper-V
  • Networking

 

And more. In short, the Performance Tuning Guidelines for Windows Server 2008 R2 is a must to keep within reach. Just one flaw: nothing on DirectAccess, …

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

DirectAccess and Citrix

In the series of simple problems that can become complicated, here is Citrix. On one side, we have a Citrix client that supports IPv6, except when it connects to the Citrix Access Gateway. On the other side, the same client must be able to resolve both IPv6 and IPv4 addresses.

 

To keep it simple, go and read Tom Shinder's “Configuring DirectAccess to Support Citrix Connections”. The road to DirectAccess is not always that simple.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

UAG DirectAccess and the prerequisite of two public IP addresses

The DirectAccess deployment requirements may look constraining, but as far as public IPv4 addresses go they are nothing more than the expression of RFC 4380 (Teredo): the RFC requires public IPv4 addresses (whether they must be consecutive is another matter).

 

Initially, in the DirectAccess built into Windows 2008 R2, there was a bug in the configuration interface: two public IPv4 addresses were not recognized as consecutive unless they stayed within the same units, tens or hundreds of the last octet. Concretely, public IPv4 addresses ending in 9 and 10 were not considered consecutive. Until now, I had always assumed this problem also affected UAG. Well, it does not.

 

Many thanks to my colleague Youssef for setting the record straight:

 

In the Windows 2008 R2 DirectAccess configuration interface, prerequisite validation would have failed. In UAG, prerequisite validation raises no problem. Again, many thanks to my colleague for setting the record straight.

 

Update: many thanks again to my colleague Youssef for re-validating with the Windows 2008 R2 DirectAccess: the bug had indeed been fixed in the RTM.

 

Note: if anyone finds out why, and who decided, that the public IPv4 addresses had to be consecutive, I am interested, and I think I am not the only one, …
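As an added example (not code from the original post), here is a PowerShell check of the prerequisite discussed above: two public IPv4 addresses that are consecutive. The comparison is done on the 32-bit value of each address rather than on its dotted text, so the .9/.10 case and a pair that crosses an octet boundary (.255/.0) are both handled correctly. The "public" test only excludes the reserved blocks listed in the code; the 203.0.113.0/24 documentation range used as constructed sample input therefore passes. On the note's question: the Windows Teredo client derives the server's secondary address by adding one to the primary address, which is why the Windows implementation, rather than RFC 4380 itself, needs the pair to be consecutive.

```powershell
# Added example, not from the original post: numeric test for the Teredo
# prerequisite of two consecutive public IPv4 addresses (PowerShell 2.0 compatible).

function ConvertTo-UInt32 {
    # Dotted IPv4 text -> 32-bit integer, so "consecutive" simply means a difference of 1
    param([string]$Address)
    $ip = [System.Net.IPAddress]::Parse($Address)
    if ($ip.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) {
        throw "$Address is not an IPv4 address"
    }
    $bytes = $ip.GetAddressBytes()                                  # wire (big-endian) order
    if ([System.BitConverter]::IsLittleEndian) { [array]::Reverse($bytes) }
    return [System.BitConverter]::ToUInt32($bytes, 0)
}

function Test-PublicIPv4 {
    # True unless the address falls in one of the reserved blocks below.
    # Documentation ranges (RFC 5737) are deliberately not excluded.
    param([string]$Address)
    $value = ConvertTo-UInt32 $Address
    $reserved = @(
        @('0.0.0.0',      8),    # "this" network
        @('10.0.0.0',     8),    # RFC 1918
        @('127.0.0.0',    8),    # loopback
        @('169.254.0.0', 16),    # link-local
        @('172.16.0.0',  12),    # RFC 1918
        @('192.168.0.0', 16),    # RFC 1918
        @('224.0.0.0',    3)     # multicast (224/4) and reserved (240/4)
    )
    foreach ($block in $reserved) {
        $network = ConvertTo-UInt32 $block[0]
        $size    = [math]::Pow(2, 32 - $block[1])
        if ($value -ge $network -and $value -lt ($network + $size)) { return $false }
    }
    return $true
}

function Test-TeredoAddressPair {
    # Returns one object with the individual checks and the overall verdict
    param([string]$First, [string]$Second)
    $a = ConvertTo-UInt32 $First
    $b = ConvertTo-UInt32 $Second
    $result = New-Object PSObject -Property @{
        First        = $First
        Second       = $Second
        FirstPublic  = Test-PublicIPv4 $First
        SecondPublic = Test-PublicIPv4 $Second
        Consecutive  = (([int64]$b - [int64]$a) -eq 1)   # order matters: Second = First + 1
    }
    $ok = $result.FirstPublic -and $result.SecondPublic -and $result.Consecutive
    $result | Add-Member -MemberType NoteProperty -Name Ok -Value $ok -PassThru
}

# Constructed sample input (203.0.113.0/24 is a documentation range)
Test-TeredoAddressPair -First '203.0.113.9'   -Second '203.0.113.10'   # the .9/.10 case
Test-TeredoAddressPair -First '203.0.113.255' -Second '203.0.114.0'    # crosses the third octet
Test-TeredoAddressPair -First '192.168.1.9'   -Second '192.168.1.10'   # consecutive but RFC 1918
Test-TeredoAddressPair -First '203.0.113.10'  -Second '203.0.113.9'    # wrong order
```

Only the first two pairs come out with `Ok` set; the private pair fails the public test and the reversed pair fails the consecutive test, which is the distinction a string comparison on the last octet cannot make reliably.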

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”) / Youssef

NAP troubleshooting guide with UAG DirectAccess

Fresh out, to complete the UAG DirectAccess Test Lab Guides series: the NAP troubleshooting guide with UAG DirectAccess. For me, a good basis for client-side NAP troubleshooting, for example when writing an operations guide for the solution.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

Forefront Identity Manager (FIM) 2010 Capacity Planning Guide

Forefront Identity Manager is a complex product. It combines a technical part (which is already substantial) with an organizational, workflow-based part (at least as substantial, if not more so).

 

So that assembling the two parts produces the expected result, it is useful to have some material for thinking about the “capacity planning” of everything involved, from the hardware and the databases to the volume of change operations.

 

Microsoft's FIM 2010 Capacity Planning Guide also proposes an approach for running a full-scale performance test.

 

A document to keep within reach, to make sure the infrastructure that will be deployed will hold up.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

DirectAccess and the KB977377

According to KB977377, which provides additional information regarding “Vulnerability in TLS/SSL could allow spoofing”, this update causes the DirectAccess IP-HTTPS interface to stop functioning on Windows 7.

 

If the update is already installed in your environment, check the proposed workaround to correct the problem.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

DirectAccess high availability with UAG 2010 : part 1

It's my first post written entirely in English, so I want to apologize in advance. The goal of this series is to describe how to configure DirectAccess on a UAG farm, that is, a high-availability scenario. Let's start with the basics: the architecture and a small Visio of my DirectAccess lab.

Lab

I won't describe every component of this architecture, except the Internet server that provides me with DNS/DHCP and, most important, a fake “Public PKI infrastructure”. This server also provides a NATed private network to simulate a home network. The other components are basic Windows 2008 servers reachable through their ISATAP interfaces.

High availability considerations

As a Teredo requirement, DirectAccess needs two public IPv4 addresses. These addresses must be consecutive (a requirement of the Microsoft implementation; RFC 4380 itself does not mandate it). In a Windows Network Load Balancing scenario, this is also a requirement: the two public IPv4 addresses will be used as the NLB VIPs of the external interface. An additional internal interface will also be configured with a VIP for the internal address.

For these reasons, a high availability DirectAccess scenario using UAG 2010 requires:

  • Two consecutive public IPv4 addresses for the external NLB (the external VIPs)
  • One public IPv4 address for each node joined to the external NLB
  • One private IPv4 address for each node joined to the internal NLB
  • One private IPv4 address for the internal NLB VIP (it will be used for ISATAP)

 

UAG provides high availability for DirectAccess by tweaking the Windows Network Load Balancing feature. For this reason, it is not possible to configure the Windows NLB feature directly. UAG relies on its array feature to provide scale-in and scale-out.

 

UAG array considerations

Deploying UAG as an array requires common storage for the configuration data. This service is provided by the array manager, which will be hosted on my first UAG server. Access to this array requires a service account that must have administrator-level privileges on all array nodes.

 

Web console consideration

Because the UAG web console relies on Java, do not forget to install a Java Runtime Environment on all array members.

 

What's next:

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

DirectAccess high availability with UAG 2010 : part 6

And for the last post of this series, the DirectAccess configuration. Let's start with a minimal checklist to avoid headaches.

 

Check-list

The first step is to check the activation status of each node. If one or more nodes are not operational, solve this problem first.

PRE0

 

The second step is to check the NLB status and the synchronization status of each node. If necessary, wait for the NLB feature to be fully operational before continuing.

PRE1

 

Because I have an internal VIP for my UAG farm, the ISATAP DNS record needs to point to that VIP. At this point, also check that the DNS suffix of every UAG network interface card is properly configured, if you don't want activation issues with ISATAP.

PRE2

 

Each of our nodes should have a properly configured computer certificate, but also our IP-HTTPS certificate, with its private key.

PRE4

 

For more UAG DirectAccess checklists, see “Basic troubleshooting steps for UAG DirectAccess” from the UAG team blog.
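As an added example (not code from the original post), the checks of the list above expressed in PowerShell 2.0 as shipped on Windows Server 2008 R2, to run on each UAG node: NLB node state, ISATAP record pointing at the internal VIP, DNS suffix on every IP-enabled interface, and the IP-HTTPS certificate present with its private key and the Server Authentication EKU. The ISATAP name, internal VIP, DNS suffix and certificate friendly name are lab placeholders; `Get-NlbClusterNode` comes from the NetworkLoadBalancingClusters module, and the `State` text of a healthy node is assumed to read Converged. One caveat worth keeping next to the ISATAP step: a Windows DNS server ignores queries for the name `isatap` while that name sits in its global query block list (`dnscmd /info /globalqueryblocklist`), so the record can exist and still not resolve.

```powershell
# Added example, not from the original post: pre-activation checks for one
# UAG array node (PowerShell 2.0 / Windows Server 2008 R2). Values below are
# lab placeholders.
Import-Module NetworkLoadBalancingClusters -ErrorAction SilentlyContinue

$isatapName  = 'isatap.corp.lab'      # assumption: A record created for the internal VIP
$internalVip = '192.168.10.50'        # assumption: internal NLB VIP
$dnsSuffix   = 'corp.lab'             # assumption: expected suffix on every NIC
$iphttpsName = 'UAG IP-HTTPS'         # assumption: friendly name given at import

function Test-NlbNodes {
    # Every node should report Converged before DirectAccess is configured
    if (-not (Get-Command Get-NlbClusterNode -ErrorAction SilentlyContinue)) {
        return 'SKIP: NLB cmdlets not available on this node'
    }
    Get-NlbClusterNode | ForEach-Object {
        if ("$($_.State)" -eq 'Converged') { "OK: NLB node $($_.Name) is converged" }   # assumed state text
        else { "FAIL: NLB node $($_.Name) state is $($_.State)" }
    }
}

function Test-IsatapRecord {
    # The ISATAP name must resolve to the internal VIP, not to a node address
    param([string]$Name, [string]$ExpectedVip)
    try { $answers = @([System.Net.Dns]::GetHostAddresses($Name) | ForEach-Object { $_.IPAddressToString }) }
    catch { return "FAIL: $Name does not resolve (record missing, or 'isatap' still in the DNS global query block list)" }
    if ($answers -contains $ExpectedVip) { "OK: $Name -> $ExpectedVip" }
    else { "FAIL: $Name -> $($answers -join ', '), expected the internal VIP $ExpectedVip" }
}

function Test-NicDnsSuffix {
    param([string]$Expected)
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
        if ($_.DNSDomain -eq $Expected) { "OK: $($_.Description) suffix is $($_.DNSDomain)" }
        else { "FAIL: $($_.Description) suffix is '$($_.DNSDomain)', expected $Expected" }
    }
}

function Test-IpHttpsCertificate {
    # Present in the machine personal store, with private key, Server Authentication EKU, not expired
    param([string]$FriendlyName)
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $cert = Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
    if (-not $cert) { return "FAIL: no certificate named '$FriendlyName' in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { return "FAIL: '$FriendlyName' has no private key on this node" }
    $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    if ($ekus -notcontains $serverAuthOid) { return "FAIL: '$FriendlyName' lacks the Server Authentication EKU" }
    if ($cert.NotAfter -lt (Get-Date)) { return "FAIL: '$FriendlyName' expired on $($cert.NotAfter)" }
    "OK: '$FriendlyName' ($($cert.Subject)) valid until $($cert.NotAfter), private key present"
}

Test-NlbNodes
Test-IsatapRecord -Name $isatapName -ExpectedVip $internalVip
Test-NicDnsSuffix -Expected $dnsSuffix
Test-IpHttpsCertificate -FriendlyName $iphttpsName
```

Run it on every array member, not only on the array manager: the certificate and DNS suffix checks are per node, and a single node failing them is enough to break activation or IP-HTTPS on that node only, which is the kind of intermittent failure a load balancer hides.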

 

DirectAccess configuration

Just like Windows DirectAccess or a standalone UAG DirectAccess deployment, the first operation is to select one or more Windows security groups that will be used to filter the DirectAccess client GPO.

0

 

Because UAG was configured as an array and the required KB977342 was installed, the load-balancing check succeeded (Windows Network Load Balancing).

1

 

The tricky screen. If everything is properly configured, you should see correct content for both the Internet and the internal network cards.

2

 

By default and by design, I keep NAT64 and DNS64. My LAN is IPv4-based, so there is no need to change this.

3

 

The certificates headache. First, select our internal PKI: UAG will check the status of client certificates against this PKI. If you imported the IP-HTTPS certificate with a friendly name, you should have no trouble selecting the right certificate.

4

 

At this point, you can enable smart card support for the IPsec tunnels, and also support for an optional but highly recommended Network Access Protection infrastructure. The next screen deals with the Network Location Server, which is simply a web server that properly answers HTTPS requests with content when clients are connected to the LAN.

7

 

As illustrated below, our Network Location Server is also declared as an exclusion in the Name Resolution Policy Table. Why? Because if clients could reach it from the Internet (through the DirectAccess tunnel, where the NRPT rules would otherwise send its name), they would conclude they are located on the LAN and disable their DirectAccess rules.

8

 

By default, the UAG wizard references all domain controllers in the NRPT (each domain controller is assumed to also be a DNS server). You can add or remove domain controllers, but don't forget about high availability.

9

 

If you set up a Network Access Protection infrastructure and selected the checkbox, don't forget to add the HRA. It is needed if you want to see NAP working with DirectAccess.

10

And the last configuration screen, to select the deployment mode. Enabling the end-to-end authentication mode configures an additional group policy, applied to the application servers included in one or more security groups, which configures the IPsec endpoint on these servers.

11

 

And now, PowerShell time (drum roll).

12

 

As mentioned in a previous post of this series, UAG is not UAG without its activation process. Note that this activation process includes group policy deployment. For this reason, check that each UAG node applied this GPO with a “GPUPDATE /FORCE” command.

13

 

Activation is successful, but just like with NLB, this does not mean the end.

14

 

This is the end

Let's finish with a last look at the UAG activation monitor.

15

 

Once each node is activated with the configuration data from the central location, we can consider our DirectAccess UAG farm ready.

16

 

Conclusion

This UAG/DirectAccess deployment scenario may be long and complex to set up, but if you follow the rules and the checklists, it will work.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

DirectAccess high availability with UAG 2010 : part 4

This post focuses on the IP-HTTPS certificate installation process. As described in the Forefront UAG DirectAccess prerequisites, on a single-server UAG deployment we have a public certificate for the IP-HTTPS interface by default, and a public CRL must be reachable for this certificate. If you do not have a public certificate, you can use your internal PKI if you follow the steps described by the edge man: “How to Configure UAG to Publish Your Private Certificate Revocation List”.

 

Certificate request

As described in the UAG DirectAccess Design Guide, the certificate request must:

  • Include a subject field with the FQDN of the external UAG interface (the first external VIP in our Network Load Balancing scenario)
  • Have the “Server authentication” purpose (enhanced key usage)
  • Have a CRL reachable from the Internet, before the IP-HTTPS interface initializes!
  • Come with its private key
  • Be imported directly into the personal store of each UAG array node!

 

If we use the certificate request wizard of the IIS management console (on my first UAG server), here is what my request looks like:

CERT0

Note that the FQDN points to the first external virtual IP address of the UAG array.

 

Certificate installation on UAG1

The delivered certificate must be installed in the personal store of my first UAG server. To distinguish this certificate from the others, add a friendly name to avoid mistakes.

CERT1 

The imported certificate is then immediately exported to a password-protected file. This is a requirement for exporting the private key along with it.

CERT2

 

Additional nodes

On each additional node, the exported certificate must be imported. This import process also installs the private key.

CERT3

 

If you check, you will see that the certificate status is reported as OK: our additional UAG servers trust the certificate issuer and can access its certificate revocation list:

CERT4
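As an added example (not code from the original post), the same three steps in PowerShell, to run from an elevated prompt on the nodes: on UAG1, find the IP-HTTPS certificate by its friendly name and export it, private key included, to a password-protected PFX; on each additional node, import that PFX into the machine personal store with a persisted key and the same friendly name; on any node, build the chain with online revocation checking to confirm that the issuer is trusted and that the CRL is reachable from that node (`certutil -urlfetch -verify` gives the same answer at the command line). Friendly name and PFX path are placeholders. The export only works if the private key is exportable, which the post's own export step shows to be the case after the IIS wizard.

```powershell
# Added example, not from the original post: copy the IP-HTTPS certificate
# (with its private key) from UAG1 to the other array nodes and verify the
# chain online. Placeholders: friendly name and PFX path.
$friendlyName = 'UAG IP-HTTPS'                       # assumption
$pfxPath      = 'C:\Temp\uag-iphttps.pfx'            # assumption

function Get-CertificateByFriendlyName {
    param([string]$FriendlyName)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.FriendlyName -eq $FriendlyName } | Select-Object -First 1
}

function Export-PfxWithKey {
    # Run on UAG1. The password protects the private key inside the PFX.
    param([string]$FriendlyName, [string]$Path, [System.Security.SecureString]$Password)
    $cert = Get-CertificateByFriendlyName $FriendlyName
    if (-not $cert) { throw "No certificate named '$FriendlyName' in LocalMachine\My" }
    if (-not $cert.HasPrivateKey) { throw "'$FriendlyName' has no private key here; export from the node that completed the request" }
    $pfx = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Pfx, $Password)
    [System.IO.File]::WriteAllBytes($Path, $pfx)
    return $cert.Thumbprint
}

function Import-PfxToMachineStore {
    # Run on each additional node. MachineKeySet + PersistKeySet stores the key under the
    # machine profile so UAG's services (not only the current user) can use it.
    param([string]$Path, [System.Security.SecureString]$Password, [string]$FriendlyName)
    $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]'MachineKeySet, PersistKeySet, Exportable'
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path, $Password, $flags
    $cert.FriendlyName = $FriendlyName              # same name on every node, so the UAG wizard shows it the same way
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store -ArgumentList 'My', 'LocalMachine'
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try { $store.Add($cert) } finally { $store.Close() }
    return $cert.Thumbprint
}

function Test-CertificateChainOnline {
    # Builds the chain with CRL download from this node. ExcludeRoot is the Windows
    # default: a self-signed root has no CRL of its own to check.
    param([string]$FriendlyName)
    $cert = Get-CertificateByFriendlyName $FriendlyName
    if (-not $cert) { throw "No certificate named '$FriendlyName' in LocalMachine\My" }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode      = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    $chain.ChainPolicy.RevocationFlag      = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::ExcludeRoot
    $chain.ChainPolicy.UrlRetrievalTimeout = New-Object System.TimeSpan -ArgumentList 0, 0, 30
    $valid = $chain.Build($cert)
    New-Object PSObject -Property @{
        Subject    = $cert.Subject
        ChainValid = $valid
        Problems   = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

# On UAG1:
$password = Read-Host -AsSecureString 'PFX password'
Export-PfxWithKey -FriendlyName $friendlyName -Path $pfxPath -Password $password

# On every additional node, after copying the PFX over:
# Import-PfxToMachineStore -Path $pfxPath -Password $password -FriendlyName $friendlyName
# Test-CertificateChainOnline -FriendlyName $friendlyName
```

A `ChainValid` of `False` with `RevocationStatusUnknown` or `OfflineRevocation` in `Problems` is the "CRL not reachable" case of the list above: the node trusts the issuer but cannot download the CRL, and the IP-HTTPS interface will fail in the same way. Delete the PFX from every node once the import is done; it carries the private key.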

 

As an additional configuration step, I recommend following the recommendations described in Deep dive into UAG DirectAccess (Certificate Enrollment) on the UAG Team blog.

 

In the next post, we'll start the tricky things, with an NLB deep dive.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)

DirectAccess high availability with UAG 2010 : part 3

The longest part. This post presents the initial configuration of my two Microsoft Unified Access Gateway 2010 servers.

 

UAG1, my first node

My first UAG server will also be configured as the array manager service, which provides common storage for all nodes joined to the array. The first step is to specify the internal and external networks. Because we do not need the SSL VPN feature of UAG, the SSL Network Tunneling interface will remain unassigned:

CONF_INIT_UAG1

 

UAG relies on TMG for its own protection, so TMG needs to know the internal subnets (note the RFC 1918-compliant internal IP plan).

CONF_INIT_UAG2

 

By default, each UAG stores its own configuration in its own AD LDS instance. My first UAG server will be an array member.

CONF_INIT_UAG3

 

Because it is my first array member, it is also my array manager.

CONF_INIT_UAG4

 

A service account is required for all array nodes. This account must have administrator-level privileges on each node.

CONF_INIT_UAG5

 

My first array member is configured automatically. Note that the other array nodes must be declared in the array manager before their installation; otherwise, additional node setup will fail. Only internal IP addresses or host names must be declared.

CONF_INIT_UAG6

 

My first array member is almost ready. The end of the initial configuration process does not mean that UAG is operational: we'll see later something called “UAG activation”.

CONF_INIT_UAG7

 

As a final configuration step, Windows Update is configured to check for UAG updates. Note that because our UAG servers do not have access to external DNS, updates must be provided by an internal WSUS infrastructure. Be sure to add the UAG product family to the WSUS configuration.

CONF_INIT_UAG8

 

UAG cannot be ready without an activation. The goal of this process is to push the configuration to the central database for all UAG array members.

CONF_INIT_UAG9

 

Even if you see the interface below, this does not mean that UAG is ready. It is a little more complicated than that: for a DirectAccess scenario, our UAG farm is far from ready.

CONF_INIT_UAG10

 

Important notice: the initial configuration of UAG uses a local AD LDS database and the console is still linked to it. For this reason, close the management console before any additional configuration on the first node.

 

UAG2, my additional node

My second UAG server's initial configuration begins with subjects already covered, so I will focus only on the differences. My second UAG server will be a member of an array:

CONF_INIT_UAG14

 

But this time, as an additional node of an existing array.

CONF_INIT_UAG15

 

This step needs more information: our additional member must join the array, which is located using the internal FQDN or the internal IP address of my first UAG server. The join process will only fail if:

  • The array manager is not reachable
  • The node was not declared as a member beforehand
  • The array service account is invalid

 

CONF_INIT_UAG16

 

As indicated by the dialog box, the UAG management console must be closed at the end of this process. The next time we launch the console, it will point to the common storage.

CONF_INIT_UAG17

 

Check my array

As I told you before, the end of the activation process does not mean that UAG is ready; it is a little more complicated. Many UAG, TMG and Windows components must be properly configured. The activation process can be monitored through the Forefront Unified Access Gateway Activation Monitor console.

CONF_INIT_UAG19

 

Note that the activation process cannot start on an additional array node before the node hosting the AMS is activated.

 

BenoîtS – Simple and Secure by Design (I emphasize on “Secure”)