Stuff I'm Up To

Technical Ramblings

Azure ADFS Certificate Notification — April 18, 2018

Azure ADFS Certificate Notification

We’ve been using Azure for a few months now, so it’s about time our certificates expired, right? Well, according to the email notification we’ve just received, a certificate needs updating or we’ll lose access!

In order to provide your organization with uninterrupted access to Office 365 and Microsoft Azure Active Directory (Azure AD), you need to ensure your certificate for the domain(s) domain.tld is renewed and updated in Azure AD right away.

Our current certificate on file for domain(s) domain.tld expires on 5/5/2018.

If you don’t take action, your users will lose access on this date or, in the default configuration of Active Directory Federation Services, 15 days prior to 5/5/2018.

What you should do right now
If you are using AD FS with the default configuration, or are using a third party STS or a non-default configuration of AD FS, follow the article here.

Azure IPSec VPN Ups and Downs — January 31, 2018

Azure IPSec VPN Ups and Downs

Following our IPSec connection setup for Azure and the Juniper SRX we were seeing regular disconnections and a failure to re-establish the tunnel for an extended period. This was very frustrating, as about every 7 hours and 20 minutes we’d lose the connection. We’d then have to restart the IPSec service on the SRX and it would come back up.

As our SRX is hosted inside another firewall, the IPSec traffic is NAT’ed, and we began to wonder if that was the problem.

So we did some log watching on the external firewall and grabbed some tcpdump output while the tunnel was down, and saw nothing to indicate that packets were being dropped on the external firewall.

# tcpdump -nei any host [IP Address]

We monitored the internal and external IPs and could see IPSec traffic.


Microsoft Azure and Juniper SRX — January 12, 2018

Microsoft Azure and Juniper SRX

We’re getting on the Microsoft Office 365 bandwagon. I’m not a Microsoft fan, and think it’s overpriced for the functionality we’ll actually use. This means we need to set up an IPSec VPN between the Juniper SRX and Azure.

Microsoft have a GitHub page with not just guidance, but specific configuration examples to help do this, and not just for Juniper but for a range of firewalls.

https://github.com/Azure/Azure-vpn-config-samples

We’ve got some consultants in setting up the Azure side of the VPN, and once I got into the portal I laughed at how much they were charging for turning on the VPN feature and setting a pre-shared key – that’s it! There’s very little control to do anything else, and if you want logs to see why things aren’t going to plan, you’d better rely on your own device for that.

After a couple of hours they’d written some PowerShell to gather some information that was already stale, because we’d moved on past that particular error.

But that said, the Azure side just works. Get your device side right, do your debugging from there, and let Azure sit and do its thing. You have to assume that Azure just works.
