Category: Other

Web Application Proxy – on Azure

The Azure AD Application Proxy is a new feature available in Azure WAAD Premium. It allows administrators to securely publish internal websites using Azure’s technology. By using this, it will allow customers to make use of enterprise class hardware in their reverse proxy solutions protecting against DDOS attacks and many more other things. In this post we will look at a simple setup on how this would work.

Read more

RDS Gateway through WAP

I’ve been trying to get RDS Gateway to work behind my WAP proxy server which is included in Windows Server 2012 R2 and v.Next version. While it is possible to implement ADFS based authentication based on the URL:

But what if we wanted to publish the simple RDS Gateway on our backend server for direct RDP access.. ?

Read more


Geo Clustering exists in many options, and dependent highly on the requirements and technical capability. This post is to discuss some options and things to consider before deploying any geo-cluster.

Data GEO- Redundancy

The first dependency in clustering is storage capability. Data from the workload in the cluster will be written to disk and that data needs to be available on both sites. Within Microsoft SQL AlwaysOn can replicate the data for the instances and ensure it is available on both sites. It is also possible to have the storage perform data mirroring.

When sending data from site A to site B, two options exist: Synchronous and A-Synchronous.

Synchronous: Data is written to BOTH sites before the application or server receives a successful write notification

A-Synchonous: Data is written to the primary site, the application or server receives the write, and THEN the data is written to the second site.

Within a synchronous architecture, there is very limited chance of data-loss upon a failure, as the application knows the data is written in two locations. With A-synchronous data loss can occur.

While synchronous looks most tempting, it requires fast connections between the storage / servers in order to reduce latency for every I/O write action. Therefore this is not always possible and a-synchronous is the only option left.

Storage mirroring or AlwaysOn data replication must be used to provide data geo-redundancy

Read more

Data Offloaded Transfers – ODX

As we are seeing more and more Windows 2012 based Clouds and services.. I wanted to alert you to the following technology which is becoming more and more available in backend storage systems (and Windows 2012): ODX   If you are implementing Hyper-V, File services or any other Windows Server 2012 with a backend SAN […]

Read more

Mitigating attacks on your Active Directory network

Microsoft released a new whitepaper this week that gives an insight in why you should protect your privileged accounts. One of the techniques described is the PassTheHash attack which is a sophisticated attack but fairly easy to execute. These attacks have been seen in the “field” and are being used today. If you work with […]

Read more

MBAM – Install guide – tips

So as promised.. the install guide.. or at least some small tips as the installation is not that hard..

First of all, we are going to use a three server architecture. One server for the databases, one for the administration and monitoring and a group policy server.

To start, we need to create some groups in Active Directory, the service account for SQL and a service Account for the MBAM compliancy part. Create the following groups in AD and the following service accounts:
Read more

Microsoft BitLocker Administration & Monitoring – intro

Why we should BitLocker (or any other drive encryption) should be clear. A stolen laptop is only worth as much as the retrievable data on it + the value of the laptop. In large enterprises this could be millions of dollars, but for personal use this could lead to embarrassment or worse.

But enterprises seem to struggle with the implementation of BitLocker, amongst the pain points:

  • No auditing – unsure which laptops have it enabled or which ones don’t
  • Administrative overhead – administrators must manually enable it
  • Scripting – if enabled during deployment scripting is required
  • Storage of keys in Active Directory – clear text storage of recovery keys

In order to cope with these and other challenges, Microsoft has released the BitLocker Administration and Monitoring toolkit. For the ones that try to download it on the website, sorry, it is only available in the Microsoft Desktop Optimization Pack which comes with a software assurance agreement with Microsoft.

This post goes into the architecture, what users see of it.. and more in depth knowlegde.. soon, the post with the install instructions!

Read more

2FA via the cloud – Cryptocard

So many of you probably have been wondering what type of 2FA I am using for my tests. Instead of setting up internal servers, dealing with encryption keys and various tokens, I stumbled upon a cloud service that handles all of this for you. Now before we dive into the “commercial” part (although I did not see any money from them) the basics for configuring TMG with radius are also covered in this post, so if you prefer another vendor, your own radius/2FA solution, this post still applies.

Read more

Office 365 – Exchange interaction Design

Office 365 is booming.. everyday new companies decide to make the switch to easy online messaging and collaboration services on the cloud. While the cloud should make life easier for administrators, setting up the co-existence environment seems a bit harder. Although Microsoft has tons of help material available .This post is to clearify the interaction when settings up a co-existence environment with Office 365.

For this example I have added a TMG server to validate the requests. As many companies have additional firewalls in front of the TMG server, this is also displayed. And the TMG server serves another role to in the advanced setup, where we explain that it is possible to have OWA users use two-factor authentication while ActiveSync users can continue to authenticate against the federation server with their “passive” clients. (see the next post)

Read more

SharePoint to retrieve data from two LDAP directories

So no posts for a long time, been busy though.. and the latest addition to this blogpost is about SharePoint. Who would have thought.. In my case the customer wanted to enrich the User profiles that came from Active Directory with Novell attributes that where in a central identity store. While SharePoint is capable of […]

Read more