James Evans – EduTech's Blog

Microsoft Evangelist & IT Professional – Specialising In Microsoft Products & Services Incl Cloud, Unified Communications & Server/Desktop Virtualization

June 3, 2013
by EduTech

New enhancements for Windows Azure Infrastructure Services and Web Sites, and added new BizTalk Services

This is an update for new and existing customers of Windows Azure. Today Microsoft released new enhancements for Windows Azure Infrastructure Services and Web Sites, and added new BizTalk Services.

Infrastructure Services: new options and new features

True cloud economics with per-minute billing

Starting June 3, 2013, Windows Azure Virtual Machines, web roles, and worker roles are billed by the minute rather than by the hour. Microsoft SQL Server and BizTalk Server running in Virtual Machines are also billed by the minute. You will pay for what you use instead of rounding up to the nearest hour.

Additional security option for Virtual Machines: public endpoint access control lists

We added a security option so that you can control inbound traffic to your virtual machines. Define how traffic from outside of your corporate firewall communicates with your Virtual Machine public endpoints through PowerShell and soon at the management portal. Public Endpoint ACLs put additional security controls at your fingertips. You are in charge!
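As an added example (not part of the announcement), this is how a public endpoint ACL can be applied with the classic Azure PowerShell (Service Management) cmdlets New-AzureAclConfig, Set-AzureAclConfig and Set-AzureEndpoint. The cloud service name, VM name, endpoint name and the corporate address range are hypothetical placeholders; the scenario is the one a defender most often wants, locking the RDP endpoint down to the corporate firewall's egress range.

```powershell
# Added example (not from the announcement). Assumes the classic Azure PowerShell
# (Service Management) module with a subscription selected and an existing VM.
# Service/VM names and the 203.0.113.0/24 range are hypothetical placeholders.
$serviceName = "contoso-svc"     # hypothetical cloud service
$vmName      = "mgmt01"          # hypothetical VM
$corpRange   = "203.0.113.0/24"  # hypothetical corporate egress range

# Build an ACL that permits only the corporate range. Once an ACL has at least
# one rule, traffic matching no rule is dropped, so this closes RDP to the rest
# of the internet instead of leaving it open to every address.
$acl = New-AzureAclConfig
Set-AzureAclConfig -AddRule -ACL $acl -Action Permit -RemoteSubnet $corpRange `
    -Order 100 -Description "RDP from corporate firewall only"

# Attach the ACL to the RDP endpoint and push the change to the VM.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Set-AzureEndpoint -Name "RemoteDesktop" -Protocol tcp -LocalPort 3389 -PublicPort 3389 -ACL $acl |
    Update-AzureVM

# Read back what is actually applied, so the change can be audited.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Get-AzureAclConfig -EndpointName "RemoteDesktop"
```

Before applying an ACL to the endpoint you administer the machine through, confirm that the permitted range includes the address you are connecting from; otherwise the update locks you out and the rule has to be corrected from the portal.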

More options for building your security-enabled private connection to Windows Azure

By using Windows Azure Virtual Network, you can retain select data and apps on-premises and connect them to your cloud through a security-enabled private connection. Starting June 3, you have even more device options for setting up your site-to-site connection. Virtual Network now supports integration with WatchGuard, F5, and Citrix virtual private network (VPN) devices, in addition to Cisco and Juniper.

If you prefer a software-based VPN solution, recent enhancements to site-to-site connectivity enable you to use Windows Server 2012 Routing and Remote Access Server (RRAS) as an on-premises VPN server. Windows Azure gives you the flexibility to use either software-based or hardware-based VPN solutions.

Preview of SSL for sites hosted on Windows Azure Web Sites Reserved instances with custom domain names

Secure Sockets Layer (SSL) helps you secure traffic to your sites with custom domain names hosted on Windows Azure Web Sites.

What is SSL?

SSL is a key piece of technology for companies that want to do business on the web and is used to help secure traffic between the website and the browser. We are announcing support for SNI-based and IP-based SSL certificates for Web Sites Reserved instances. SNI is supported by most modern browsers in use today. SNI-based SSL allows websites without a dedicated IP address, which is a key feature for websites hosted in cloud environments. IP-based SSL works in all browsers. For more information on SSL, please refer to the Web Sites Services webpage.

What does SSL cost?

Refer to the table below for SNI-based and IP-based SSL preview and general availability pricing. For additional pricing information, please see the Pricing Details webpage.

How to enable and use SSL

1. Purchase an SSL certificate from a certificate authority or locate an existing SSL certificate for your website.
2. Navigate to the Windows Azure Management Portal.
3. In the Scale tab, scale your website to reserved mode (if you have not already done so).
4. In the Configure tab, click “Manage Domains” and set up your custom domain name.
5. In the Configure tab, upload the SSL certificate.
6. Then, explicitly enable SSL.

BizTalk Services preview: integrate the cloud and the enterprise

By using Windows Azure BizTalk Services, you can integrate your Windows Azure services, software as a service, and on-premises applications easily through a configuration-driven experience.

BizTalk Services helps you manage your trading partners with rich Electronic Data Interchange capabilities. You can connect any cloud endpoint to on-premises line-of-business systems using ready-to-go adapters for SAP, Oracle, SQL Server, and PeopleSoft. You can do all this in an on-demand, security-enabled, and dedicated environment.

With the drag-and-drop interface, you can build integration message flows to receive messages from various sources (such as HTTP, FTP, SFTP, and REST), validate and transform them to destination formats, and route the messages to endpoints in the cloud or on-premises.

How to get started

1. In the Windows Azure Management Portal, in the bottom left corner, click NEW.
2. Under APP SERVICES, click BIZTALK SERVICE.
3. Click CUSTOM CREATE, and then follow the steps.

Windows Azure BizTalk Services is available in Developer, Basic, Standard, and Premium offerings. Refer to the table below for BizTalk Services preview and general availability pricing. For additional pricing information, please see the Pricing Details webpage.

Thanks,

Windows Azure Team

May 30, 2013
by EduTech

Windows Azure – Setup AD Federation Services & DirSync for Office 365

My previous blog post explained how to set up Windows Azure Networks, Storage and Virtual Machines. This post walks you through how to set up Active Directory Federation Services and Directory Sync for Office 365 using Windows Azure.

For the purpose of this blog post I am not extending my existing on-premises directory services infrastructure into Windows Azure; I will cover that in my next article. The following assumes that you are creating a completely new Active Directory forest within Windows Azure. I understand that is not what everyone will want to do, but the procedure is the same if you extend an existing forest; I just won't be discussing the extending part in this article.

To get started you need to create, at a minimum, three Virtual Machines within Windows Azure:

  • Domain Controller
  • Active Directory Federation Services Server
  • Directory Sync Server

Note: I am not going to be using an AD FS farm in this particular article, and I am not deploying an AD FS Proxy; I will cover both in my next article. Because of the work involved on the Azure side I have kept this rather brief: the below is a general overview of how to get these services working in Windows Azure, and the core software configuration is the same as for an on-premises deployment.

Configuration of Office 365 Service

Follow these steps in order to ensure your Office 365 Tenancy is ready to handle Directory Sync & Federation Services

  • Add your Private Domain which you are going to use for Federated Services within Office 365 if you have not already done so
  • Add the relevant DNS Records in order to use the services within Office 365 i.e. Exchange Online, Lync Online, SharePoint Online
  • Create a new DNS A record for your private domain, for example: adfs.yourdomain.co.uk

Windows Azure Virtual Machine Connectivity

  • Ensure that your Virtual Machines are in the same Virtual Network when they are created. This puts them in the same subnet and assigns each a relevant IP address so that they can communicate with each other.
  • Ensure that your network adapter DNS configuration is correct so that your servers can be joined to your domain.
  • Windows Azure currently does not support a customer reserving a VIP outside of the lifetime of a deployment. At first glance, this appears contradictory to existing Windows Server Active Directory best-practices but because the dynamic IP addresses of Windows Azure virtual machines that are attached to a Windows Azure Virtual Network persist for the lifetime of the virtual machine, the Windows Server Active Directory requirements for IP addressing are met (as are those for DNS if co-located with the DC).

Configuration of Directory Sync Service

To replicate your Active Directory users to Windows Azure Active Directory within Office 365 we need to configure Directory Sync. If you have done this on-premises, the configuration is basically the same.

  • Login to your Office 365 Portal Administration
  • Go to Users and Groups > Activate Active Directory Synchronization (this process can take up to 24 hours)

While you are waiting for this service to be activated, jump over to Windows Azure, log in to your Directory Synchronization server and download the Directory Sync tool (dirsync.exe), which can be found within the Office 365 Management Portal.

Once downloaded, ensure that you are logged on with your Domain Admin account and then launch the Directory Sync installer. Once this has completed you need to wait for the service to activate, and then you can start the Directory Sync Configuration Wizard.

Follow the instructions on the wizard and once completed ensure that Directory Sync has completed, for more information on this you can view the following article: http://technet.microsoft.com/en-us/library/jj151797


Configuration of Active Directory Federation Services

To enable Single Sign-On using Active Directory Federation Services, we need to deploy an AD FS server infrastructure. If you have done this on-premises you will find the configuration very similar; the only thing you need to do differently in Azure is ensure that you have created an endpoint for HTTPS (443) traffic.

I have written an earlier blog post which explains how to configure Active Directory Federation Services on Server 2008 R2; it can be found here: http://www.edutech.me.uk/technical/setup-ad-federation-services-with-office-365/. Some changes are needed for Server 2012.

Although the configuration is the same as described in that article, if you're using Server 2012 in Windows Azure the changes are covered below.

  • AD FS is now built into Server 2012 and is fully supported with Office 365, which means you no longer have to download AD FS 2.0 from the Microsoft Download Centre. All you have to do is add it as a role within Server Manager or using PowerShell.
  • The hotfix that AD FS 2.0 needed for multiple federated domains is no longer required.

Once you have installed Active Directory Federation Services, completed the Configuration Wizard and tested the service as per the above article, you need to log in to Windows Azure and create an endpoint on this server to allow HTTPS (443) traffic. To do this:

  • Login to Windows Azure Management Portal
  • Select ‘Virtual Machines’ from the left hand side navigation pane
  • Select your Federation Services Virtual Machine
  • Select Endpoints
  • Click Add Endpoint and configure it for HTTPS: TCP, public port 443, private port 443 (as per the image below)

In this article I am not going to talk about setting up an AD FS farm within Windows Azure, but when you want to load balance the machines you have the option to configure this when you set up an endpoint. To learn more, see the following article: https://www.windowsazure.com/en-us/manage/windows/common-tasks/how-to-load-balance-virtual-machines/

[Image: Add Endpoint dialog for the HTTPS (443) endpoint]

You also need to ensure that you point your federation service URL (for example adfs.yourdomain.co.uk) to your Virtual Machine's public VIP. To obtain the public IP for your server, do the following:

  • Login to Azure Management Portal
  • Click on Virtual Machines, and then select the Virtual Machine for ADFS
  • Scroll down the dashboard, and then on the right hand side you will see your Public VIP
  • Change your DNS A Record to point to this Public VIP
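The endpoint and VIP steps above can also be done from the classic Azure PowerShell (Service Management) module, which avoids copying the VIP off the dashboard by hand and lets you confirm the A record afterwards. This is an added example of my own, not code from the post; the cloud service name, VM name and endpoint name are hypothetical, and it assumes the Vip property on the object returned by Get-AzureEndpoint and a Windows 8 / Server 2012 client for Resolve-DnsName.

```powershell
# Added example (not from the post). Assumes the classic Azure PowerShell
# (Service Management) module with a subscription selected, and Resolve-DnsName
# (DnsClient module, Windows 8 / Server 2012 and later). Names are hypothetical.
$serviceName = "contoso-adfs"           # hypothetical cloud service
$vmName      = "ADFS01"                 # hypothetical AD FS VM
$fsHost      = "adfs.yourdomain.co.uk"  # federation service name used in the post

# 1. Expose the federation service: public TCP 443 mapped to TCP 443 on the VM.
#    Nothing else on this server needs a public endpoint, so only 443 is added.
Get-AzureVM -ServiceName $serviceName -Name $vmName |
    Add-AzureEndpoint -Name "HTTPS" -Protocol tcp -LocalPort 443 -PublicPort 443 |
    Update-AzureVM

# 2. Read back the public VIP the endpoint is published on (the value shown on
#    the VM dashboard). Assumes the endpoint object carries a Vip property.
$vip = (Get-AzureVM -ServiceName $serviceName -Name $vmName |
        Get-AzureEndpoint -Name "HTTPS").Vip
Write-Output "Create or update the A record: $fsHost -> $vip"

# 3. After changing the A record at your DNS host, confirm it resolves to the VIP
#    before converting the domain, otherwise federated sign-ins have nowhere to go.
$resolved = (Resolve-DnsName -Name $fsHost -Type A -ErrorAction Stop).IPAddress
if ($resolved -contains $vip) {
    Write-Output "$fsHost resolves to the VIP; safe to proceed to Convert-MsolDomainToFederated"
} else {
    Write-Warning "$fsHost currently resolves to $($resolved -join ', '), not $vip (DNS may still be propagating)"
}
```

The RDP endpoint the portal creates on the same VM stays reachable from any address unless you restrict it; the public endpoint ACLs described in the June 3 announcement above are the place to do that for an internet-facing AD FS server.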

Once you have completed the configuration of AD FS and created your endpoints, you need to convert the domain to a federated domain as per the article above. To do this:

  • Launch the Microsoft Online Services Module for Windows PowerShell console
  • Type: $cred = Get-Credential (then enter your Office 365 admin credentials, e.g. administrator@tenancy.onmicrosoft.com)
  • Type: $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection
  • Type: Import-PSSession $Session
  • Type: Import-Module MSOnline
  • Type: Connect-MsolService -Credential $cred
  • Run: Convert-MsolDomainToFederated -DomainName domain.com -SupportMultipleDomain
  • Run: Update-MsolFederatedDomain -DomainName domain.com

*Note: -SupportMultipleDomain is only required if you plan on adding more than one federated domain.
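Once the Convert and Update commands have run, it is worth checking what Office 365 now holds for the domain before testing sign-in. The following is an added verification script of my own, not from the post; it uses the MSOnline cmdlets Get-MsolDomain and Get-MsolDomainFederationSettings, and the domain name and federation host are placeholders you replace with your own. The thumbprint it prints is meant to be compared against Get-AdfsCertificate on the AD FS server.

```powershell
# Added verification script (not from the post). Assumes the MSOnline module and
# a domain that has already been converted; the two names below are placeholders.
$domainName   = "domain.com"             # the domain passed to Convert-MsolDomainToFederated
$expectedHost = "adfs.yourdomain.co.uk"  # the federation service A record from the post

Import-Module MSOnline
$cred = Get-Credential   # Office 365 global administrator
Connect-MsolService -Credential $cred

# 1. The domain must now report Federated authentication, not Managed.
$domain = Get-MsolDomain -DomainName $domainName
if ($domain.Authentication -ne "Federated") {
    throw "$domainName is still '$($domain.Authentication)'; Convert-MsolDomainToFederated has not taken effect"
}

# 2. Every endpoint Office 365 will redirect users to must be HTTPS on your AD FS
#    host. A stale or wrong host here sends sign-ins to a server you do not control.
$fed = Get-MsolDomainFederationSettings -DomainName $domainName
foreach ($uri in @($fed.PassiveLogOnUri, $fed.ActiveLogOnUri, $fed.MetadataExchangeUri)) {
    $u = [Uri]$uri
    if ($u.Scheme -ne "https" -or $u.Host -ne $expectedHost) {
        Write-Warning "$uri is not https on $expectedHost; rerun Update-MsolFederatedDomain -DomainName $domainName"
    }
}

# 3. Print the thumbprint of the token-signing certificate Office 365 trusts, to
#    compare with 'Get-AdfsCertificate -CertificateType Token-Signing' on the AD FS
#    server. A mismatch (typically after certificate rollover) is the usual cause
#    of sign-in failures once everything else checks out.
$bytes = [Convert]::FromBase64String($fed.SigningCertificate)
$cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$bytes)
Write-Output ("Office 365 trusts token-signing certificate {0} (expires {1})" -f $cert.Thumbprint, $cert.NotAfter)
```

Run the script again after every Update-MsolFederatedDomain; it is a quick way to catch a certificate rollover on the AD FS side that was never pushed to Office 365.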

Once you have Deployed AD FS & Dirsync you can go ahead and test the services using http://testexchangeconnectivity.com

And that's basically it. It is not too complicated: once you get your head around Windows Azure Virtual Machines it is practically the same as your on-premises deployment.

At present this deployment does not contain an AD FS Proxy Server and it is recommended to include one of these in a production environment. In a future blog post I will expand further on how to add an AD FS Proxy Server within Azure (DMZ) and I will also explain how to extend your existing Domain Services Environment into Windows Azure.

If you have any questions be sure to let me know,

Thanks

James.