Jump to content


  • Posts

  • Joined

  • Last visited

  • Days Won


Blog Entries posted by proximagr

  1. proximagr
    Microsoft offers for free it’s antimalware service. When you create a new VM you have the option to enable it. This will install the System Center Endpoint Protection client to the VM managed by Azure. If you have added this but now you want to remove it and add some other antivirus/antimalware solution you cannot do it by just uninstalling the client from the VM. The client will auto re-insalled by Azure. There are two ways to completely uninstall the program and remove it from Azure. One is using the new Portal and one using PowerShell.
    Using the Portal
    Go to https://portal.azure.com/ Browse the VM Go to the Configuration section and click on Extensions Click the Microsoft.Azure.Security extension You can delete it using he Delete button At any time you can re-add it, by clicking the Add button at the Extensions window

    Using PowerShell
    First connect PowerShell to your Azure subscription, as described to this post and then:
    # First check the Antimalware Service Status, you need to select the Azure VM and then get the status:
    $servicename = "myVMservice"
    $vmname = "myVMname"
    $vm = Get-AzureVM –ServiceName $servicename –Name $vmname
    Get-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -VM $vm
    #First remove the service from Azure
    Remove-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -VM $vm
    # Then uninstall the Antimalware Client from the VM
    Get-AzureVM -ServiceName $servicename -Name $vmname | Set-AzureVMExtension -Publisher Microsoft.Azure.Security -ExtensionName IaaSAntimalware -Version 1.* -Uninstall | Update-AzureVM
    source: http://www.e-apostolidis.gr/microsoft/remove-microsoft-antimalware-service-from-a-vm/
  2. proximagr
    This post is bout Exchange/Office 365 Hybrid Deployments, when for some reason we need to completely delete a user account and mailbox from Office 365 in order to re-sync it.
    First you need to exclude the user from DirSync
    Open the “Synchronization Service Manager” (cn be fount at “C:\Program Files\WindowsAzureActiveDirectorySync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe”) Navigate to “Metaverse Search” and click on “Add Clause” Be sure that you choose Displayname as Attribute, and then configure your search Double click an entry, and open the tab connectors Activate the line with the “Active Directory Connector” Management Agent and click on “Disconnect… In the disconnect object accept question, choose “Disconnector (Default)” to remove the connector. Explicit Disconnector will lock the object to be a connector again.

    You can then rerun your search, and the specific account will not be shown anymore. And after a sync, the object will also be removed from the azure Directory
    Then you need to remove the user object from the Office 365 portal using the PowerShell
    Open PowerShell “Windows Azure Active Directory Module” $msolcred = get-credential connect-msolservice -credential $msolcred Get-MsolUser -ReturnDeletedUsers | FT UserP*,ObjectId Remove-MsolUser -ObjectId abc1234-12abc-123a-ab12-a12b3c4d5f6gah -RemoveFromRecycleBin -Force Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force

    Then at the next scheduled sync of te DirSync the user will be recreated. Also you can force the DirSync to creaate the user faster.

    soure: http://www.e-apostolidis.gr/microsoft/delete-user-from-office-365-with-dirsync/
  3. proximagr
    There are many reasons to have your Disks stored at separate Storage Accounts, per Cloud Service. One is that a Storage Account in Azure provides 20000 IOPS and every disk in Standard Tier 500 IOPS. Azure support suggests to don’t have more than 40 disks per Storage Account. Also you may want to have your disks lined (go to Azure, Cloud Services, selsect a Cloud Service and you can see the “Lined Resources” tab, there you can link storage accounts to the Cloud Service) to the same Cloud Services as their VMs. The problem is that if you have an Azure VM and you try to “attach an empty disk” you will realize that the disk will be created at the default Storage Account of the Subscription and there is no option to change this.
    Here is a PowerShell command that creates a VHD at a specified Storage Account, creates a Disk and attaches it to a VM:
    Get-AzureVM "servicename -Name "vmname" | Add-AzureDataDisk -CreateNew -DiskSizeInGB XXX -DiskLabel "diskname" -MediaLocation "https://storageaccountname.blob.core.windows.net/vhds/vhdname.vhd"-LUN X | Update-AzureVM
    Some more info on this command:
    First of all you need to connect to your Azure Subscription, you can follow this Post on how to do it.
    Then create a Storage Account using the GUI or PowerShell, here is the Microsoft’s link http://azure.microsoft.com/en-us/documentation/articles/storage-create-storage-account/
    Then you need to list the disks that are already connected to your VM in order to view the LUN number that you will use. The OS disk is not listed on this command. The first data disk consumes the LUN 0, the second the LUN 1 and so on. The command is:
    Get-AzureVM -ServiceName "servicename" -Name "vmname" | Get-AzureDataDisk
    source: http://www.e-apostolidis.gr/microsoft/create-a-disk-in-specific-storage-account-and-attach-it-to-a-vm-in-azure/
  4. proximagr
    Αυτό το post είναι οι σημειώσεις μου από διάφορα migrations Exchange 2007 & 2010 σε Office 365 Hybrid Deployment. Για Exchange 2013 είναι σχεδόν το ίδιο, αλλά αρκετά πιο εύκολο!
    Όπως είπα είναι οι σημειώσει μου μαζί με διάφορες προσθέσεις από διάφορα blogs, κάτι σαν Checklist και όχι Tytorial ή Guide.
    1. Τι χρειάζεται:
    2 x ADFS NLB (for identity federation)
    2 x ADFS Proxy Servers NLB (for identity federation)
    1 x domain member server for DIrSync
    1 x SQL 2008 R2 server that will store the DirSync database
    1 x Exchange 2010 Service Pack 2 + based hybrid deployment server (for rich coexistence with Exchange Online)
    Access to public DNS of Domain (company.com)
    3rd Party Certificates (if you have on old exchange 2007 a wildcard export and import to 2010)
    Domain User for ADFS service account
    Configure UPN for company.com domain
    2. Γενικά τα βήματα:
    1. Add Domain (company.com) to Office 365
    2. Add TXT record to DNS for verification
    3. Specify domain cervices (Exchange, Lync, Sharepoint)
    4. ADFS (&/or Farm)
    Add IIS Role, Configure NLB sts.company.local (add hosts, add A record, enable MAC spoofing), add Certificate (SelfSigned or 3rd Party) & bind default site to 443
    Setup ADFS Federation server
    AD FS 2.0 Federation Server Configuration Wizard
    Domain User for ADFS service account
    5. ADFS Proxy (&/or Farm)
    Add IIS Role, Configure NLB sts.company.com (add hosts, add A record, enable MAC spoofing), add Certificate (SelfSigned or 3rd Party) & bind default site to 443
    Add host A to Public DNS (sts.company.com)
    Add host record to proxy servers for sts.company.local local IP (ADFS NLB Address)
    Setup ADFS Federation server proxy
    AD FS 2.0 Federation Server Configuration Wizard
    6. Convert Domain to a Federated Domain
    On Office 365 portal then downloads then step 3 “Set up and configure your office desktop apps”
    de-select everything (only to install MOSM for powershell)
    On office 365 portal then users then manage (SSO), install MOSM for powershell
    Open MOSM and “$Cred=Get-Credential” add creds, then “Connect-Msolservice –Credentials $Cred” then “Convert-MsolDomainToFederated –DomainName “office365lab.dk”” and “Get-MsolDomain | fl”
    Configure UPN for company.com domain
    Go to login.microsoftonline.com and check SSO login
    7. DirSync
    o365 portal then users then set up under directory synchronization (after activate needs some hours)
    o365 portal then users then set up ude active directory synchronization under step 4 download DirSync tool
    Verify dirsync:
    o365 portal then users then set up under actice directory synchronization check “active directory synchronization is activated” or powershell: “Get-MsolCompanyInformation | fl DirectorySynchronizationEnabled”
    run “Directory Sync Configuration”, add creds, check “Enable Exchange hybrid deployment”. If you want to select OU, groups, users, etc then dont check “synchronize directories now”
    Edit sync: “C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell” and run “miisclient” guide (http://blogs.msdn.com/b/denotation/archive/2012/11/21/installing-and-configure-dirsync-with-ou-level-filtering-for-office365.aspx)
    Force Sync:
    With powershell go to C:\Program Files\Microsoft Online Directory Sync” folder and from here run the “DirScConfigshell.psc1” script and on the new windows run “Start-ynOnlineCoexistenceSync”
    8. Hybrid Deployment
    Configure NLB on Exchange 2010 HUB/CAS
    ADD 3rd party certificate (if you have on old exchange 2007 a wildcard export and import to 2010)
    assign services SMTP & IIS
    Configure URLS
    Set-OwaVirtualDirectory -Identity “EX03\OWA (Default Web Site)” -InternalURLhttps://hybrid.office365lab.dk/OWA -ExternalURL https://hybrid.office365lab.dk/OWA
    Set-OwaVirtualDirectory -Identity “EX04\OWA (Default Web Site)” -InternalURLhttps://hybrid.office365lab.dk/OWA -ExternalURL https://hybrid.office365lab.dk/OWA
    Set-EcpVirtualDirectory -Identity “EX03\ECP (Default Web Site)” -InternalURLhttps://hybrid.office365lab.dk/ECP -ExternalURL https://hybrid.office365lab.dk/ECP
    Set-EcpVirtualDirectory -Identity “EX04\ECP (Default Web Site)” -InternalURLhttps://hybrid.office365lab.dk/ECP -ExternalURL https://hybrid.office365lab.dk/ECP
    Active Sync
    Set-ActivesyncVirtualDirectory -Identity “EX03\Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync -ExternalURLhttps://hybrid.office365lab.dk/Microsoft-Server-Activesync
    Set-ActivesyncVirtualDirectory -Identity “EX04\Microsoft-Server-ActiveSync (Default Web Site)” -InternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync -ExternalURL https://hybrid.office365lab.dk/Microsoft-Server-Activesync
    Set-OABVirtualDirectory -Identity “EX03\oab (Default Web Site)” -InternalUrlhttps://hybrid.office365lab.dk/oab -ExternalURL https://hybrid.office365lab.dk/oab
    Set-OABVirtualDirectory -Identity “EX04\oab (Default Web Site)” -InternalUrlhttps://hybrid.office365lab.dk/oab -ExternalURL https://hybrid.office365lab.dk/oab
    Set-WebServicesVirtualDirectory -Identity “EX03\EWS (Default Web Site)” -InternalUrlhttps://hybrid.office365lab.dk/ews/exchange.asmx -ExternalURLhttps://hybrid.office365lab.dk/ews/exchange.asmx
    Set-WebServicesVirtualDirectory -Identity “EX04\EWS (Default Web Site)” -InternalUrlhttps://hybrid.office365lab.dk/ews/exchange.asmx -ExternalURLhttps://hybrid.office365lab.dk/ews/exchange.asmx
    Set-ClientAccessServer –Identity EX03 -AutoDiscoverServiceInternalUri:https://hybrid.office365lab.dk/Autodiscover/Autodiscover.xml
    Set-ClientAccessServer –Identity EX04 -AutoDiscoverServiceInternalUri: https://hybrid.office365lab.dk/Autodiscover/Autodiscover.xml
    9. Configure DNS to Exchange 2010
    Configure SPF Record (http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/)
    Add public DNS v=spf1 ip4: ip4: include:outlook.com -all
    o365 portal then domains then SMTP domain properties under DNS management create SPF TXT record (name @ value v=spf1 ip4: ip4: include:outlook.com -all)
    10. Add o365 Tenant to EMC
    from EMC add exchange forest
    Connect to Exchange Online with powershell “$TenantCreds = Get-Credential” then “$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUrihttps://ps.outlook.com/powershell/ -Credential $TenantCreds -Authentication Basic –AllowRedirection” then “Import-PSSession $Session” then to test “Get-Mailbox | Get-MailboxStatistics | ft -a” or “Get-AcceptedDomain”
    11. Configuring Exchange 2010 Hybrid
    EMC – on premises – Organization Configuration” – “Hybrid Configuration” – “New Hybrid Configuration”
    Add TXT record to public DNS
    Add transport certificate (3rd party)
    12. Now on can use EMS Get-HybridConfiguration για έλεγχο ότι όλα είναι OK.
    EMC on-premises
    A federation trust with the Microsoft Federation Gateway (MFG) has been established for the specified domain | On-Premises Org Configuration – federation trust
    an organizational relationship has been established with the Exchange Online organization in Office 365 | On-Premises Org Configuration | organization relationships
    “tenant_name.mail.onmicrosoft.com” has been added as an accepted domain | on-premisis – org conf – hub – accepted domains
    “tenant_name.mail.onmicrosoft.com” and “office365lab.dk” has been added as a remote domain | on-premises – org conf – hub – remote domains
    The default E-Mail Address policy has been updated, so that it stamps a secondary proxy address (alias@tenant_name.mail.onmicrosoft.com) on mailbox user objects | on-premisis – org conf – hub – e-mail address policies
    The HCW also creates a receive connector on each of the hybrid servers | on-premiss – server conf – HUB – receive connectors
    the HCW will create a send connector that will route all e-mail messages destined for “tenant_name.mail.onmicrosoft.com” to Exchange Online in Office 365 | on-premisis – org conf – hub – send connectors
    EMS: Get-OrganizationRelationship | fl
    EMC online
    Org conf – HUB – remote domains
    Org conf – Organization Relationships
    FOPE (forerfront access form ECP – Mail Control
    check Two connectors (inbound & outbound)
    Move mailbox = new remote move request | it will move to Mail Contact
    New mailbox online: Mail Contact – new remote mailbox
    13. After move
    Generally, Windows Phone 8 and iOS clients will be able to automatically update the ActiveSync profile, while Android based clients must have their ActiveSync profile recreated.
    Outlook will need to close with admin message, re-open and add credentials
    14. Decommission
    Move all mailboxes to Exchange Online, point all on-premise line of business applications, network devices and so on to Exchange Online, configures mail flow to go directly in and out of Exchange Online. In this scenario, you decommission all on-premise Exchange servers, but still use DirSync and ADFS for federation. With DirSync, the on-premise Active Directory is the source of authority, which means you should provision users in the on-premise Active Directory and then have them synchronized to Office 365/Exchange Online. In this cae, it’s usually a good idea to keep a single Exchange 2010 server on-premise, so you can use the Exchange 2010 EMC or cmdlets for the provisioning. Alternatively, you remove all Exchange 2010 servers and have an identity solution such as FIM provision the on-premise Active Directory objects with the required mail attributes in order for Exchange Online to treat them as mail enabled users. Bear in mind that with DirSync enabled, most user/mailbox attributes in Exchange Online are read-only meaning you must write to them via the on-premise Active Directory user/group object.
    source: http://www.e-apostolidis.gr/everything/exchange-20072010-hybrid-deployment-migrating-to-office-365/
  5. proximagr
    I was looking for a free solution to have an email notifications for Azure backup. After reading other blogs and technet site I end up to use PowerShell Send-MailMessage attached to the Azure Backup Logs. In short, when the Azure Backup log is created, the script lists the last 2 days events, creates an html file and mails the report with the html as attachment to you.
    First find the Azure backup Event Log, it under “Applications and Services Logs, CloudBackup, Operational” and select to attach a task to the log. This will trigger the task on every event created under this log. On the other hand you can attach the task to a specific event.
    Create a Task and attach the below PowerShell script. Here you will find the powershell.exe “C:\Windows\System32\WindowsPowerShell\v1.0″
    Crate a folder c:\IT and Copy the below script on a text file and name it “eventemail.ps1″. Finally change the required fields.
    $date = (Get-Date).AddDays(-2)
    $event = Get-WinEvent -FilterHashtable @{ LogName = "cloudbackup"; StartTime = $date; }
    $event | ConvertTo-Html message,timecreated | Set-Content c:\it\backup.html
    if ($event.EntryType -eq "Error")
    $PCName = $env:COMPUTERNAME
    $EmailFrom = "FROM_EMAIL_HERE"
    $EmailTo = "YOUR_EMAIL_HERE"
    $EmailSubject = "Server $PCName Backup Failure report"
    Write-host "Email Sent"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -body "$($event.Message) $($event.TimeCreated)" -Attachments "c:\it\backup.html" -SmtpServer $SMTPServer
    write-host "There is no error. Below the logs files."
    $PCName = $env:COMPUTERNAME
    $EmailFrom = "FROM_EMAIL_HERE"
    $EmailTo = "YOUR_EMAIL_HERE"
    $EmailSubject = "Server $PCName Backup Success report"
    Write-host "Sending Email"
    Send-MailMessage -From $EmailFrom -To $EmailTo -Subject $EmailSubject -body "$($event.Message) $($event.TimeCreated)" -Attachments "c:\it\backup.html" -SmtpServer $SMTPServer
    The “write-host ” lines can be removed. They are useful only for troubleshooting by running the script manually on powershell.
    source: http://www.e-apostolidis.gr/microsoft/azure-backup-email-notification/
  6. proximagr
    The DirSync by default runs every three hours. And you will realized that there is no GUI way to change that. To change the sync interval we need to change a configuration file.
    1. Go to the below directory on your DirSync Server:
    C:\Program Files\WindowsAzureActiveDirectorySync
    (there are two similar directories, one with spaces between the words and one without. We want the one without spaces)
    Here we will find the main executable of the DirSync Scheduler, the “Microsoft.Online.DirSync.Scheduler.exe” and its assosiated Config file, the “”Microsoft.Online.DirSync.Scheduler.exe.Config”.
    2. Open the “Microsoft.Online.DirSync.Scheduler.exe.Config” file using notepad
    Find the line with key=”SyncTimeInterval”, the default is the below:
    <add key=”SyncTimeInterval” value=”3:00:0″ />
    The “value” is the frequency of the schedule. The default “3:00:0″ means 3 hours.
    We can change the value to what best fits our organization’s needs and based to how often we make changes to Active Directory. To reduce it to one hour change it to:
    <add key=”SyncTimeInterval” value=”1:00:0″ />
    3. Once we finish changing the file, save and close it. Then go to the Services (services.msc) and restart the “Windows Azure Active Directory Sync Service” service, Service name: “MSOnlineSyncScheduler”.

    Source: http://www.e-apostolidis.gr/microsoft/alter-the-office-365-dirsync-schedule/
  7. proximagr
    You can easily provide Full Access Permissions using the GUI, just Edit the mailbox you want, go to Mailbox Delegation and provide Full Access. Both Exchange 2013 and Online is the same. But if you have to provide Full Access massively then you need PowerShell.
    The command for a single user is:
    Add-MailboxPermission -Identity "employee" -User "manager" -AccessRights FullAccess
    with that command user “manager” will be granded with Full Access permissions to user “employee”
    Now lets see how the user “manager” can take Full Access to many users, lets say “all Sales department”. The steps are two, first we need to query the “Sales Department” users and then we need to pipeline it to provide access to user “manager”
    example 1: Using Active Directory OU container

    get-mailbox -OrganizationalUnit domain.local/users/salesdpt | Add-MailboxPermission -User "manager" -AccessRights FullAccess
    example 2: Using a txt list. As usual create a txt file and make a per-line list with title “employee” like this:
    Save it as c:\access.txt and then run this command:
    Import-CSV c:\access.txt | Foreach { Add-MailboxPermission -User "manager" -AccessRights FullAccess }
    To view the permission change the “Add-MailboxPermission” with “Get-MailboxPermission”
    To remove the permission change the “Add-MailboxPermission” with “Remove-MailboxPermission”
    Just a final addition, when you provide Full Access permission to a user, at my example the “manager”, Outlook auto-maps the accounts that the manager gains access. So the next time he will open outlook, all mailboxes will be visible. You can force to don’t auto-map by adding -AutoMapping:$false at the end of the script, like this:
    Add-MailboxPermission -Identity "employee" -User "manager" -AccessRights FullAccess -AutoMapping:$false
    Be careful: with great power comes great responsibility!
    source: http://www.e-apostolidis.gr/microsoft/exchange-2013-online-grand-full-access-to-mailboxes/
  8. proximagr
    After my previous post, the internal load balancer with two VMs, this is a scenario using the External Load Balancer. The configuration includes a Load Balancer with a Static Public IP at the frond end and two VMs at the back end. The load balancer has two static routes for RDP, one for each VM and one load balance rule, the TCP port 80, common for web sites and applications. It uses a probe that checks a web page on both hosts to verify if they are active.
    Lets start. First we need to install the AzureRm module. If not Windows 10 then first install the https://www.microsoft.com/en-us/download/details.aspx?id=48729<br/>Then Open Powershell ISE and execute the following commands. I have added a lot of comments to help customize based to the needs.
    Set-ExecutionPolicy RemoteSigned
    Install-Module AzureRM
    #Define the variables
    $ResourceGroupName = "myresourcegroup"
    $StorageAccountName = "mystorageaccount"
    $vnetname = "VNET-01"
    $NSGname = "NSG-01"
    $locationName = "West Europe"
    $publicipname = "mypublicip"
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
    #Create a new resource group
    New-AzureRmResourceGroup -Name $ResourceGroupName -Location $locationName
    #Create storage account
    New-AzureRmStorageAccount `
    -ResourceGroupName $resourcegroupName `
    -Name $storageaccountName `
    -Type Standard_LRS `
    -Location $locationName
    #Create Virtual Network and a private IP address for front end IP pool
    $FESubnet = New-AzureRmVirtualNetworkSubnetConfig -Name FE-SUBNET -AddressPrefix
    $BESubnet = New-AzureRmVirtualNetworkSubnetConfig -Name BE-SUBNET -AddressPrefix
    $vnet = New-AzureRmVirtualNetwork `
    -Name $vnetname `
    -ResourceGroupName $ResourceGroupName `
    -Location $locationName `
    -AddressPrefix -Subnet $FESubnet,$BESubnet
    $FESubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name FE-SUBNET -VirtualNetwork $vnet
    $BESubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name BE-SUBNET -VirtualNetwork $vnet
    #Create Public IP
    $publicIP = New-AzureRmPublicIpAddress `
    -Name PublicIp `
    -ResourceGroupName $ResourceGroupName `
    -Location $locationName `
    –AllocationMethod Static `
    -DomainNameLabel $publicipname
    #Create FrontEnd IP pool and BackEnd address pool
    $APPfrontendIP = New-AzureRmLoadBalancerFrontendIpConfig `
    -Name APP-LB-Frontend `
    -PublicIpAddress $publicIP
    $APPbeaddresspool= New-AzureRmLoadBalancerBackendAddressPoolConfig -Name "APP-LB-backend"
    #Create load balancer rules, NAT rules, probe and load balancer
    $APPinboundNATRule1= New-AzureRMLoadBalancerInboundNatRuleConfig `
    -Name "RDP1" `
    -FrontendIpConfiguration $APPfrontendIP `
    -Protocol TCP `
    -FrontendPort 33389 `
    -BackendPort 3389
    $APPinboundNATRule2= New-AzureRMLoadBalancerInboundNatRuleConfig `
    -Name "RDP2" `
    -FrontendIpConfiguration $APPfrontendIP `
    -Protocol TCP `
    -FrontendPort 33390 `
    -BackendPort 3389
    $APPhealthProbe = New-AzureRMLoadBalancerProbeConfig `
    -Name "HealthProbe" `
    -RequestPath "/index.aspx" `
    -Protocol http `
    -Port 80 `
    -IntervalInSeconds 15 `
    -ProbeCount 2
    $APPlbrule = New-AzureRMLoadBalancerRuleConfig `
    -Name "HTTP" `
    -FrontendIpConfiguration $APPfrontendIP `
    -BackendAddressPool $APPbeAddressPool `
    -Probe $GAPPhealthProbe `
    -Protocol Tcp `
    -FrontendPort 80 `
    -BackendPort 80
    $APPLB = New-AzureRMLoadBalancer `
    -ResourceGroupName $ResourceGroupName `
    -Name "APP-LB" `
    -Location $locationName `
    -FrontendIpConfiguration $APPfrontendIP `
    -InboundNatRule $APPinboundNATRule1,$APPinboundNATRule2 `
    -LoadBalancingRule $APPlbrule `
    -BackendAddressPool $APPbeAddressPool `
    -Probe $APPhealthProbe
    #Create the network interfaces for the backend VMs
    $vnet = Get-AzureRMVirtualNetwork -Name $vnetname -ResourceGroupName $ResourceGroupName
    $APPbackendSubnet = Get-AzureRMVirtualNetworkSubnetConfig -Name FE-SUBNET -VirtualNetwork $vnet
    #Create 1st NIC with first NAT rule for RDP
    $APPbackendnic1 = New-AzureRMNetworkInterface `
    -ResourceGroupName $ResourceGroupName `
    -Name APP-lb-nic1-be `
    -Location $locationName `
    -PrivateIpAddress `
    -Subnet $APPbackendSubnet `
    -LoadBalancerBackendAddressPool $APPLB.BackendAddressPools[0] `
    -LoadBalancerInboundNatRule $APPLB.InboundNatRules[0]
    #Create 2nd NIC with second NAT rule for RDP
    $APPbackendnic2 = New-AzureRMNetworkInterface `
    -ResourceGroupName $ResourceGroupName `
    -Name APP-lb-nic2-be `
    -Location $locationName `
    -PrivateIpAddress `
    -Subnet $APPbackendSubnet `
    -LoadBalancerBackendAddressPool $APPLB.BackendAddressPools[0] `
    -LoadBalancerInboundNatRule $APPLB.InboundNatRules[1]
    #Create a Virtual Machine and assign the NIC
    # Set the existing virtual network and subnet index
    $vnet=Get-AzureRMVirtualNetwork -Name $vnetName -ResourceGroupName $resourcegroupName
    #Create Availability Set
    New-AzureRmAvailabilitySet –Name $availabilitysetName –ResourceGroupName $resourcegroupName -Location $locationName
    # First VM
    # Specify the name, size, and existing availability set
    $availabilitysetSet=Get-AzureRmAvailabilitySet –Name $availabilitysetName –ResourceGroupName $resourcegroupName
    $vm=New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $availabilitysetSet.Id
    #Add a 1023 GB additional data disk
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $vhdURI=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    Add-AzureRmVMDataDisk -VM $vm -Name $diskLabel -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty
    #Specify the image and local administrator account, and then add the NIC
    #To find the Publisher, Offer and SKU use the Get-AzureRmVMImagePublisher, Get-AzureRmVMImageOffer and Get-AzureRmVMImageSku commands
    $cred=Get-Credential -Message "Type the name and password of the local administrator account."
    $vm=Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred
    $vm=Set-AzureRmVMSourceImage -VM $vm -PublisherName $pubName -Offer $offerName -Skus $skuName -Version "latest"
    $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $backendnic1.Id
    #Specify the OS disk name and create the VM / For Create NEW OS Disk
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $osDiskUri=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    $vm=Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage
    New-AzureRmVM -ResourceGroupName $resourcegroupName -Location $locationName -VM $vm
    #Second VM
    # Specify the name, size, and existing availability set
    $availabilitysetSet=Get-AzureRmAvailabilitySet –Name $availabilitysetName –ResourceGroupName $resourcegroupName
    $vm=New-AzureRmVMConfig -VMName $vmName -VMSize $vmSize -AvailabilitySetId $availabilitysetSet.Id
    #Add a 1023 GB additional data disk
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $vhdURI=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    Add-AzureRmVMDataDisk -VM $vm -Name $diskLabel -DiskSizeInGB $diskSize -VhdUri $vhdURI -CreateOption empty
    #Specify the image and local administrator account, and then add the NIC
    #To find the Publisher, Offer and SKU use the Get-AzureRmVMImagePublisher, Get-AzureRmVMImageOffer and Get-AzureRmVMImageSku commands
    $cred=Get-Credential -Message "Type the name and password of the local administrator account."
    $vm=Set-AzureRmVMOperatingSystem -VM $vm -Windows -ComputerName $vmName -Credential $cred
    $vm=Set-AzureRmVMSourceImage -VM $vm -PublisherName $pubName -Offer $offerName -Skus $skuName -Version "latest"
    $vm=Add-AzureRmVMNetworkInterface -VM $vm -Id $backendnic2.Id
    #Specify the OS disk name and create the VM / For Create NEW OS Disk
    $storageAccount=Get-AzureRmStorageAccount -ResourceGroupName $resourcegroupName -Name $storageaccountName
    $osDiskUri=$storageAccount.PrimaryEndpoints.Blob.ToString() + "vhds/" + $vmName + $diskName + ".vhd"
    $vm=Set-AzureRmVMOSDisk -VM $vm -Name $diskName -VhdUri $osDiskUri -CreateOption fromImage
    New-AzureRmVM -ResourceGroupName $resourcegroupName -Location $locationName -VM $vm
    Source: http://www.e-apostolidis.gr/microsoft/azurerm-create-external-load-balancer-with-two-vms/
  9. proximagr
    Azure Web Farm using IIS & Azure File storage
    This post is my view of a complete guide, from A to Z, including both the Windows Server part and the Azure Portal part on how to build a Web Farm using IIS & Azure File storage. Following this guide you will have a functional two server IIS Web Farm using Azure File storage.
    To create a Web Server Farm the mail requirement is a high available common storage. I see that when deploying on Azure, a lot of people are using DFSR for common storage. This solution has two major issues, the first is the cost, because you need at least two Windows Servers and second the replication speed that many times doesn’t cover the web servers needs.
    Azure File storage provides a very fast, high available and cheap solution to create a web server farm on Azure.
    Azure File storage supports both SMB 2.1 & 3.0 protocol. Every share can be up to 5TB, storing unlimited number of files and each file can be up to 1TB. Of course we can create as many shares as needed up to 500TB that is the Storage Account limit. Also every share provided 1000 IOPS.
    For this guide I used one Windows Server 2016 for Domain Controller, two Windows Server 2016 for web servers and one Standard Storage Account for Azure Files. Of course you can create an IIS Web Farm with workgroup server, but I will cover this at an other post.
    I will skip the part of creating the Azure VMs, the domain and joining the servers on it, so I assume that there is a domain and the other two servers are member servers of the domain.
    Just a note, when creating the Azure VMs that will be part of the IIS Farm remember to add them to the same Availability Set. This will inform the Azure Fabric to have the VMs to different update & fault domains
    Step 1. Add the Web Server role
    From the Server Manager, click Add roles and features and add the “Web Server (IIS)” role and at the next screen add all the features your app needs.
    Step 2. Add Application Request Routing
    For more feature and control over the IIS load balance add the Application Request Routing (ARR) using the Web Platform Installer. The Web Platform Installer uses the Internet Explorer engine so I disable the “IE Enhanced Security Configuration” just for the installation and then enable it. You can do it from the Server Manager, at the Server section.

    Next, open the IIS Manager and at the Actions Panel (on the right) click the “Get New Web Platform Components”

    Search for “arr”, and add the Application request routing 3.0
    Step 3. Create an Azure Storage Account for Azure File Storage
    To create the Azure File storage shares, go to the Azure Portal, click the + button and create a Standard Storage account (you can just search for storage account)

    Select General purpose and Standard performance (Premium does not support Azure Files)

    once the storage account is created, open it and click the “Files” button

    Click the “+ File share” to add a file share

    Give it a name and quota limit

    After clicking OK the share will be created and it will be listed at the shares blade.

    Click on it to get the connection string and then click Connect to get the access key. At this point copy the “Connecting from Windows” command. We will use this to mount the share to the web servers.

    Finally click the File Share and at the new blade press “+Add Directory” and create two directories, one Configuration and one Data
    Step 4. Configure Windows Firewall & NSG
    Open the port 80 (and nay other requires ports) at the Windows firewall and at the NSGs
    for the windows firewall, go to the Servers’s control panel, Windows Firewall and click “Advanced Settings”

    go to the Inbound Rules, add New Rule and select Port

    Select TCP 80 (and any other needed for your application/site)

    Allow the rule for all profiles, provide a name and press finish to create the rule

    For the NSGs , go to the Azure Portal, open the NSGs of the web servers and add an http allow rule like below
    Step 5. Create the IIS Shared Configuration
    Go back to the first web server, open Computer Manager and add a new user with username and password the same as the connection string of the Azure Files share. You will need this for the IIS Service to access the Azure File storage share.

    Add the user to the IIS_IUSRS group

    Then open the IIS Manager and click the “Shared Configuration”

    at the Action pane click “Export Configuration”

    add the Azure File storage Share UNC path and “Connect As” using the share’s credentials

    Enter a complex encryption key and press ok to export the configuration to the Azure File storage “configuration” share

    Now we can enable the Shared Configuration, add the Configuration Share path and the same credentials and click apply.

    it will ask for the encryption key and finally the Shared Configuration will be enabled. You will need to restart the IIS Manager console

    at this point we can change the path of application pools, ftp applications etc to the Data folder share of the Azure File storage. Just note that you will need to use the UNC path “\azurefilesol.file.core.windows.netiisfarmData” and not any mapped drive.
    Repeat the above steps to the second web server. At the Shared Configuration don’t export the configuration, just enable the Shared Configuration.
    Finally we can create the Farm, from the IIS Manager, right click at the “Server Farms” and click “Create Server Farm…”

    give a farm name,

    add both servers and press Finish

    Press NO at the URL rewrite rule auto creation

    And the farm is ready

    as mentioned before, deploy your Web Site, Web Application etc to the Data file share, always using the full UNC path “\azurefilesol.file.core.windows.netiisfarmData”. All the website data will reside at the Azure File storage.
    If you need more than 1000 IOPS create more Azure Files storage shares and divine your website/application data.
    Run the following command to allow access to the Azure File storage. Change the file://”path” as needed
    C:WindowsMicrosoft.NETFramework64v4.0.30319>caspol -m -ag 1. -url file://azurefilesol.file.core.windows.net/iisfarm/* FullTrust
    Step 5. Azure Load Balancer
    Finally, create a Load Balancer to distribute incomming traffic to the farm. For this guide I will create an External Load Balancer, but also an Internal Load Balancer is supported.
    First, find and create the Load Balancer from the Azure Portal

    provide a name, for external load balancer select Public, select Dynamic or Static IP, resource group, location and press Create

    Then go to the new load balancer and create a health probe

    create an http probe

    provide a name, select Availability Set for association and add both the Web Servers

    finally create a load balancing rule to load balance the TCP port 80 at the farm

    once the load balance rule is created you can browse the public ip / name of the load balancer

    Now, browse to the load balancer’s IP and you are good to go!

    The post Azure Web Farm using IIS & Azure File storage appeared first on Apostolidis IT Corner.

  10. proximagr
    First we need to install the Azure PowerShell module from http://go.microsoft.com/fwlink/p/?linkid=320376&clcid=0x409
    Then open PowerShell and follow the below commands:
    #Get your subscription file - The browser will open, you will need to login to the Azure Subscription and finally it will download the <subscriptonname>.publishsettings file
    #Connect to your Subscription
    Import-AzurePublishSettingsFile -PublishSettingsFile "full path to downloaded file"
    Source: http://www.e-apostolidis.gr/microsoft/connect-powershell-to-azure/
  11. proximagr
    This is a fast way to manage Calendar permissions of a mailbox. Same commands are for both Exchange on-premises and Exchange Online (Office 365). For Exchange Online first connect Powershell to Office365, as described to previous posts.

    # To check current permissions
    Get-MailboxFolderPermission -Identity "user@mydomain.com":\calendar
    # To add calendar permissions, permission can be Editor,Reviewer,Author etc
    Add-MailboxFolderPermission -Identity "user@mydomain.com":\calendar -User "manager@mydomain" -AccessRights Editor
    # To change the calendar permission of an existing access (thi swill change the access to Author
    Set-MailboxFolderPermission -Identity "user@mydomain.com":\calendar -User "manager@mydomain" -AccessRights Author
    # To remove calendar permissions
    Remove-MailboxFolderPermission -Identity "user@mydomain.com":\calendar -User "manager@mydomain"
    source: http://www.e-apostolidis.gr/microsoft/exchange-calendar-permissions-using-powershell/
  12. proximagr
    <p>Σήμερα δημοσιεύτηκε η συνέντευξή μου με τίτλο “<span data-offset-key="900n3-0-0">Το Azure εξελίσσεται”</span> στο NetFax τεύχος #4230, <span data-offset-key="900n3-0-0"> όπου συζητάω για τις τάσεις που θα μας απασχολήσουν στο Microsoft Azure & το Cloud! </span></p>
    <p><img class="alignnone size-full wp-image-2796" src="https://www.e-apostolidis.gr/wp-content/uploads/2019/08/netfax4.jpg"alt="νετφαχ" width="568" height="1075" /></p>
    <p>Ευχαριστώ όλη την ομάδα που συνέβαλε για αυτήν την συνέντευξη & φυσικά <span data-offset-key="900n3-0-0">Read more @netfax </span></p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&linkname=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&linkname=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2F%25ce%25b5%25ce%25bb%25ce%25bb%25ce%25b7%25ce%25bd%25ce%25b9%25ce%25ba%25ce%25ac%2F%25cf%2584%25ce%25bf-azure-%25ce%25b5%25ce%25be%25ce%25b5%25ce%25bb%25ce%25af%25cf%2583%25cf%2583%25ce%25b5%25cf%2584%25ce%25b1%25ce%25b9-%25ce%25bf%25ce%25b9-%25cf%2584%25ce%25ac%25cf%2583%25ce%25b5%25ce%25b9%25cf%2582-%25cf%2580%25ce%25bf%25cf%2585-%25ce%25b8%25ce%25b1-%25ce%25bc%25ce%25b1%25cf%2582-%25ce%25b1%2F&title=%CE%A4%CE%BF%20Azure%20%CE%B5%CE%BE%CE%B5%CE%BB%CE%AF%CF%83%CF%83%CE%B5%CF%84%CE%B1%CE%B9%20%26%20%CE%BF%CE%B9%20%CF%84%CE%AC%CF%83%CE%B5%CE%B9%CF%82%20%CF%80%CE%BF%CF%85%20%CE%B8%CE%B1%20%CE%BC%CE%B1%CF%82%20%CE%B1%CF%80%CE%B1%CF%83%CF%87%CE%BF%CE%BB%CE%AE%CF%83%CE%BF%CF%85%CE%BD%21%20%40Netfax" data-a2a-url="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/" data-a2a-title="Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/">Το Azure εξελίσσεται & οι τάσεις που θα μας απασχολήσουν! @Netfax</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>

    <a href="https://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/%cf%84%ce%bf-azure-%ce%b5%ce%be%ce%b5%ce%bb%ce%af%cf%83%cf%83%ce%b5%cf%84%ce%b1%ce%b9-%ce%bf%ce%b9-%cf%84%ce%ac%cf%83%ce%b5%ce%b9%cf%82-%cf%80%ce%bf%cf%85-%ce%b8%ce%b1-%ce%bc%ce%b1%cf%82-%ce%b1/"class='bbc_url' rel='nofollow external'>Source</a>
  13. proximagr
    <h1><strong>AzureRm | Create Site to Site VPN</strong></h1>
    <p>This post is part of a general idea, to create an end-to-end high available application infrastructure solution in Azure using internal load balancer with the new AzureRm commands and Azure PowerShell v.1.0 preview.</p>
    <p>We will create a Gateway, request a Public IP and establish a Site to Site VPN. At the time I am writting this post there is no option to create the VPN ising the Portal, the only way is using PowerShell. Also there is no option to download the configuration for the local firewall/router, like the classic deployment.</p>
    <p>The AzureRm commands are installed directly from the PowerShell using the Install-Module AzureRM & Install-AzureRM commands.</p>
    <p>So lets start:</p><pre class="crayon-plain-tag">#Login
    #Create Gateway for VPN
    # add the local (office) public ip and local networks
    $resourcegroupName ="RMDemoRG"
    $locationName ="West Europe"
    $vnetName = "NRPVnet"
    New-AzureRmLocalNetworkGateway -Name localsite -ResourceGroupName $resourcegroupName -Location $locationName -GatewayIpAddress "XXX.XXX.XXX.XXX" -AddressPrefix @('','')
    # Create the Gateway Subnet
    $vnet = Get-AzureRmVirtualNetwork -ResourceGroupName $resourcegroupName -Name $vnetName
    Add-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -AddressPrefix -VirtualNetwork $vnet
    Set-AzureRmVirtualNetwork -VirtualNetwork $vnet
    # create gateway and request azure public ip
    $gwpip= New-AzureRmPublicIpAddress -Name RMDemoPIP -ResourceGroupName $resourcegroupName -Location $locationName -AllocationMethod Dynamic
    $vnet = Get-AzureRmVirtualNetwork -Name $vnetName -ResourceGroupName $resourcegroupName
    $GWsubnet = Get-AzureRmVirtualNetworkSubnetConfig -Name 'GatewaySubnet' -VirtualNetwork $vnet
    $gwipconfig = New-AzureRmVirtualNetworkGatewayIpConfig -Name gwipconfig1 -SubnetId $GWsubnet.Id -PublicIpAddressId $gwpip.Id
    New-AzureRmVirtualNetworkGateway `
    -Name RMDemoGW `
    -ResourceGroupName $resourcegroupName `
    -Location $locationName `
    -IpConfigurations $gwipconfig `
    -GatewayType Vpn `
    -VpnType PolicyBased #PolicyBased For Static & RouteBased for Dynamic VPN
    # Get the Public IP
    Get-AzureRmPublicIpAddress -Name RMDemoPIP -ResourceGroupName $resourcegroupName
    # Establish the VPN connection
    $gateway1 = Get-AzureRmVirtualNetworkGateway -Name RMDemoGW -ResourceGroupName $resourcegroupName
    $local = Get-AzureRmLocalNetworkGateway -Name LocalSite -ResourceGroupName $resourcegroupName
    New-AzureRmVirtualNetworkGatewayConnection `
    -Name localtovpn `
    -ResourceGroupName $resourcegroupName `
    -Location $locationName `
    -VirtualNetworkGateway1 $gateway1 `
    -LocalNetworkGateway2 $local `
    -ConnectionType IPsec `
    -RoutingWeight 10 `
    -SharedKey 'ABCDEFG1234567890'
    #check the VPN status
    Get-AzureRMVirtualNetworkGatewayConnection -Name localtovpn -ResourceGroupName $resourcegroupName -Debug</pre><p>Finally, since there is no way to download the configuration script at this time, the sample configurations can be found here: <a href="https://github.com/Azure/Azure-vpn-config-samples"target="_blank">https://github.com/Azure/Azure-vpn-config-samples</a></p>
    <p>After the creation of the VPN, that can be done only using PowerShell, we can use the portal to view the status and the settings</p>
    <p><a class="a2a_button_email" href="http://www.addtoany.com/add_to/email?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazurerm-create-site-to-site-vpn%2F&linkname=AzureRm%20%7C%20Create%20Site%20to%20Site%20VPN"title="Email" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/email.png" width="16" height="16" alt="Email"/></a><a class="a2a_button_print" href="http://www.addtoany.com/add_to/print?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazurerm-create-site-to-site-vpn%2F&linkname=AzureRm%20%7C%20Create%20Site%20to%20Site%20VPN" title="Print" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/print.png" width="16" height="16" alt="Print"/></a><a class="a2a_dd a2a_target addtoany_share_save" href="https://www.addtoany.com/share#url=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fazurerm-create-site-to-site-vpn%2F&title=AzureRm%20%7C%20Create%20Site%20to%20Site%20VPN" id="wpa2a_2"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></p><p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/azurerm-create-site-to-site-vpn/">AzureRm | Create Site to Site VPN</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>

    <a href="http://www.e-apostolidis.gr/microsoft/azurerm-create-site-to-site-vpn/"class='bbc_url' rel='nofollow external'>Source</a>
  14. proximagr
    When we create a VM on Azure, at the same time we create a Cloud Service. Later we can create more VMs on the same cloud service. Each cloud service has a unique Public IP. For as long the Cloud Service has at least one VS running this Public IP remains the same. If all VMs of a Cloud Service are off then the Public IP is released and next time the VM is powered on it will take a new Public IP.
    Using PowerShell we can reserve a Public IP for as long as the Cloud Service exists, with or without VMs.
    First we need to create a Virtual Network from the portal. Go to “Networks” and create a new Virtual Network. We can use the “Quick Create”.
    Second we need the Azure PowerShell installed, it can be found here: http://azure.microsoft.com/en-us/documentation/articles/install-configure-powershell/ and we connect using the username/password method, the command is Add-AzureAccount

    #Create the Public IP Reservation:$reservedIP = "reserved ip name"$location = "West Europe"New-AzureReservedIP -ReservedIPName $reservedIP -Location $location #Collect the configuration settings for the new VM:$serviceName = "azure service name for VM"$adminUser = "VM admin user name"$password = "VM admin password"$location = "West Europe"$reservedIP = "reserved ip name"$vmName = "VM name" #Choose the size of the VM. Use this list: https://msdn.microsoft.com/en-us/library/dn168976%28v=nav.70%29.aspx#$vmSize = "Medium" #Provide the Operating System. Use this post to get a list of the available images: https://msdn.microsoft.com/en-us/library/azure/jj157191.aspx?f=255&MSPPError=-2147217396$imageFamily = "Windows Server 2012 R2 Datacenter"$imageName = Get-AzureVMImage | where { $_.ImageFamily -eq $imageFamily } | sort PublishedDate -Descending | select -ExpandProperty ImageName -First 1 #Add the configuration settings for the new VM to a variable:$vm1 = New-AzureVMConfig -Name $vmName -InstanceSize $vmSize -imagename $imagename | Add-AzureProvisioningConfig -Windows -AdminUsername $adminUser -Password $password | set-azuresubnet subnet-1 #Create the VM and the Cloud Service with the Reserved Public IPNew-AzureVM -Location $location -VMs $vm1 -vnetname testnet2 -servicename $servicename -reservedipname $reservedipname Δίνουμε την εντολή για να ξεκινήσει η δημιουργία.
  15. proximagr
    <p>First we need to create a certificate request</p>
    <p>Open the Microsoft Exchange Management Console and navigate to Microsoft Exchange -> Server Configuration.</p>
    <p>On the right panel press the “New Exchange Certificate”</p>
    <p id="IcnajXr"><img class="alignnone size-full wp-image-1027 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27be99f9e.png"alt="" /></p>
    <p>The “New Exchange Certificate” wizard will start. Enter a friendly name, just a name to remember what this certificate is about.</p>
    <p id="JDRaiCG"><img class="alignnone size-full wp-image-1028 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27fdbb3cf.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27fdbb3cf.png 591w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b27fdbb3cf-300x130.png 300w" sizes="(max-width: 591px) 100vw, 591px" /></p>
    <p>no need to check the wildcard option</p>
    <p id="EtdTZXg"><img class="alignnone size-full wp-image-1029 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2865f2737.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2865f2737.png 582w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2865f2737-300x123.png 300w" sizes="(max-width: 582px) 100vw, 582px" /></p>
    <p>At the next page select the services that you want, in most cases select all “Client Access Server”,</p>
    <p id="ZkhorfF"><img class="alignnone size-full wp-image-1031 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b28e1b354b.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b28e1b354b.png 592w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b28e1b354b-300x259.png 300w" sizes="(max-width: 592px) 100vw, 592px" /></p>
    <p>Next add all the alternative names that you want to include to the certificate</p>
    <p id="YlDGuRt"><img class="alignnone size-full wp-image-1032 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2937afb28.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2937afb28.png 588w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2937afb28-300x179.png 300w" sizes="(max-width: 588px) 100vw, 588px" /></p>
    <p>fill the Organization form and select the save path</p>
    <p id="fQORogU"><img class="alignnone size-full wp-image-1033 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29920a85a.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29920a85a.png 585w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29920a85a-300x242.png 300w" sizes="(max-width: 585px) 100vw, 585px" /></p>
    <p>finally press “new” to create the certificate request</p>
    <p id="utNSVvF"><img class="alignnone size-full wp-image-1034 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29c869221.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29c869221.png 589w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b29c869221-300x256.png 300w" sizes="(max-width: 589px) 100vw, 589px" /></p>
    <p>after this at the Exchange Certificates windows of the Exchange Management Console you will see a new item that will say “Pending request”.</p>
    <p>Open the exported file with notepad and save it as “ASCII” encoding (the original is Unicode)</p>
    <p id="SZuTWJF"><img class="alignnone size-full wp-image-1035 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b03bfcb1.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b03bfcb1.png 319w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b03bfcb1-300x119.png 300w" sizes="(max-width: 319px) 100vw, 319px" /></p>
    <p>Now we need to go to our Domain’s Active Directory Certification Authority and open an elevated command prompt.</p>
    <p>Run the command:</p>
    <p>certreq.exe -submit -attrib CertificateTemplate:WebServer</p>
    <p id="UdQDUvn"><img class="alignnone size-full wp-image-1036 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b42f3883.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b42f3883.png 622w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b42f3883-300x37.png 300w" sizes="(max-width: 622px) 100vw, 622px" /></p>
    <p>It will ask you to select the request file, select the ACHII encoded file</p>
    <p id="hloRRHj"><img class="alignnone size-full wp-image-1037 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b6875e43.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b6875e43.png 504w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2b6875e43-300x105.png 300w" sizes="(max-width: 504px) 100vw, 504px" /></p>
    <p>and then select the Certification Authority</p>
    <p id="xKWCLlX"><img class="alignnone size-full wp-image-1038 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2bc027538.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2bc027538.png 371w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2bc027538-300x184.png 300w" sizes="(max-width: 371px) 100vw, 371px" /></p>
    <p>finally it will produce a cer file.</p>
    <p>Go back to the Exchange Certificates window of the Exchange Management Console, select the “pending certificate request” and press “complete pending request”. Select the cer file, select the services needed (IIS, SMTP, POP, IMAP) and the wizard will create the certificate and enable it for the services.</p>
    <p id="tWSVZDr"><img class="alignnone size-full wp-image-1039 " src="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2d1220d47.png"alt="" srcset="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2d1220d47.png 606w, http://www.e-apostolidis.gr/wp-content/uploads/2016/07/img_579b2d1220d47-300x51.png 300w" sizes="(max-width: 606px) 100vw, 606px" /></p>
    <p> </p>
    <p><a class="a2a_button_email" href="http://www.addtoany.com/add_to/email?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fexchange%2Fexchange-2010-add-local-domain-ca-certificate%2F&linkname=Exchange%202010%20%7C%20add%20local%20domain%20CA%20certificate"title="Email" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/email.png" width="16" height="16" alt="Email"/></a><a class="a2a_button_print" href="http://www.addtoany.com/add_to/print?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fexchange%2Fexchange-2010-add-local-domain-ca-certificate%2F&linkname=Exchange%202010%20%7C%20add%20local%20domain%20CA%20certificate" title="Print" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/print.png" width="16" height="16" alt="Print"/></a><a class="a2a_dd a2a_target addtoany_share_save" href="https://www.addtoany.com/share#url=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Fexchange%2Fexchange-2010-add-local-domain-ca-certificate%2F&title=Exchange%202010%20%7C%20add%20local%20domain%20CA%20certificate" id="wpa2a_2"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></p><p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/exchange/exchange-2010-add-local-domain-ca-certificate/">Exchange 2010 | add local domain CA certificate</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>

    <a href="http://www.e-apostolidis.gr/microsoft/exchange/exchange-2010-add-local-domain-ca-certificate/"class='bbc_url' rel='nofollow external'>Source</a>
  16. proximagr
    To move a mailbox to Exchange Online from Exchange 2013 first connect Windows PowerShell to Exchange Online with a Global Administrator:
    $UserCredential = Get-Credential
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/-Credential $UserCredential -Authentication Basic -AllowRedirection
    Import-PSSession $Session
    Provide the on-premise administrator credential
    Then connect to the local Exchange 2013:
    Run $RemoteCredential= Get-Credential
    Start the move request
    Finally initiate the move:
    New-MoveRequest -Identity “useralias” -Remote -RemoteHostName “mail.mydomain.com” -TargetDeliveryDomain mydomain.mail.onmicrosoft.com -BadItemLimit 10000 -AcceptLargeDataLoss -RemoteCredential $RemoteCredential
    source: http://www.e-apostolidis.gr/microsoft/exchange-2013-online-grand-full-access-to-mailboxes/
  17. proximagr
    At the previous post we created an Azure Front Door to scale our web apps across Azure Regions and also publish them only through the Front Door’s URL. At this post we will create Web Application Firewall (WAF) rules, to protect our web apps. To add WAF functionality to the Front Door we need first to create WAF rules and then attach them to the Front Door
    Create the WAF Rule
    From the Azure Marketplace search for WAF and create a Web Application Firewall
    At the “Create a WAF policy” wizard select “Global WAF (Front Door) for policy, provide the subscription and resource group, give a name for the policy and select if you want it to be created enabled or disabled.
    At the next step select if the policy will prevent the action or just detect and report it. You can change this later too. You can provide a Redirect URL for rules that support redirection. The default status code is 403 but we can change it to e.g. 404. We can also add a custom response body.
    The next step is the rule. We can select one or more predefined rule sets and then customize at will.
    To customize, expand the rule set and select a rule. You can enable / disable the rule and you can change the action to Allow, Block, Lod or Redirect.
    WAF Custom Rule
    The next step is the custom rules. There’s a lot to customise here. First are the rule type settings. Select status of the rule, enabled or disabled. Select the Rule type between Match and Rate limit. If you select rate limit you will be prompt to set rate limit and threshold. The final rule tupe setting is to set the priority of the rule.

    Next is the Conditions (If this) and the action (then that).
    The condition can be Geolocation, IP address, Size or String. After selecting the Match Type the rest options are altered accordingly.

    The action can be Allow traffic, Deny traffic, Log traffic only or Redirect traffic
    For the demo I created a rule that will Deny all traffic from The Netherlands, because I can test it from an Azure VM located at the West Europe Region.
    The next step is to associate the rule to the Front Door. After that assign Tags if needed and create the rule.
    Once the Rule is ready, a “Front Door WAF policy” resource will be at the selected Resource Group.
    Inside the Front Door, at the Web application firewall section, you can review the assigned rules.
    Test 1
    From an Azure VM at West Europe Region, I tried to access the Front Door’s URL and we can see my custom 403 body text!
    Test 2
    From my Computer I tested a typical SQL Injection attack from https://www.owasp.org/index.php/Testing_for_SQL_Injection_(OTG-INPVAL-005) . Again my custom 403 page!

    The post Use Web Application Firewall (WAF) Rules with the Front Door to protect your app appeared first on Apostolidis IT Corner.

  18. proximagr
    Today I received my copy of the Lync Server Cookbook, from Packt Publications. I am one of the reviewers of the book.

    The link to the book is: https://www.packtpub.com/networking-and-servers/lync-server-2013-cookbook
  19. proximagr
    SQL Failover Cluster with AlwaysOn Availability Groups
    Πάμε τώρα για το τελευταίο κομμάτι του lab, να προσθέσουμε AlwaysOn Availability Group στο υπάρχον SQL WSFC.
    Windows Server 2012 R2 Failover Cluster with FreeNAS 9.3 (Page 1, Page 2) Microsoft SQL 2012 on Failover Cluster (Page 1, Page 2, Page 3) Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1, Page 2, Page 3)

    Add AlwaysOn AG to SQL Failover Cluster Instance (Page 1)
    Για αρχή πρέπει να ενεργοποιήσουμε το “AlwaysOn High Availability” setting και στα δύο Nodes του υπάρχοντος Cluster. Εδώ να τονίσουμε πως η επιλογή υπάρχει μόνο στη Enterprise έκδοση και όχι στην Standard. Ανοίγουμε λοιπόν το SQL Server Configuration Manager / SQL Server Services / SQL Server (NAME) , δεξί click Properties και στην καρτέλα “AlwaysOn High Availability” επιλέγουμε το “Enable AlwaysOn Availability Groups”. Με το που θα πατήσουμε Apply θα μας ενημερώσει ότι η αλλαγή θα περάσει στον SQL στο επόμενο restart.

    Δεν κάνουμε restart.
    Τώρα για να γίνει η αλλαγή στο δεύτερο Node πρέπει να κάνουμε manual failover για να σηκωθεί το service της SQL. Όπως είχαμε κάνει και στο τέλος του προηγούμενου Post, όταν εγκαταστήσαμε το δεύτερο SQL Node, από το Failover Cluster Manager κάνουμε move το SQL Server Role στο δεύτερο Node. Τώρα άμα ανοίξετε το SQL Server Configuration Manager θα δείτε ότι το SQL Server service έχει γίνει stop και το SQL Server service τρέχει στο δεύτερο Node με ενεργοποιημένο με το AlwaysOn. Τέλος ξανακάνουμε move το SQL Server Role στο πρώτο Node.
    Στη συνέχεια πάμε να βάλουμε τον τρίτο server στο υπάρχον Windows Failover Cluster. Ανοίγουμε το Failover Cluster Manager από το πρώτο Node (Win2012R201 στο lab) και πατάμε Nodes / Add Node…

    Ξεκινάει ο Wizard, πατάμε το πρώτο Next και στο Select Servers επιλέγουμε τον τρίτο server (Win2012R203 στο lab) και πατάμε Next.
    Για να περάσει το verification πρέπει ο server να έχει ήδη το Failover Cluster feature, κάτι που στο lab υπάρχει από το template.

    Μιας και αυτό το Node δεν θα είναι ουσιαστικά μέρος του Failover Cluster αλλά το θέλουμε μόνο για το AlwaysOn, επιλέγουμε να μην κάνει τα validation test και να μην βάλει storage.

    Τώρα πρέπει να σιγουρεύουμε ότι δεν θα προσπαθήσει το Cluster να σηκώσει την SQL στο τρίτο Node που θα είναι για το AlwaysOn.
    Αφού προστεθεί το Node στο Cluster πρέπει να πάμε πρώτα στο Failover Cluster Manager / WSFCcomputername (sqlclus.sqllab.int για το lab), επιλέγουμε από τα Cluster Core Resources στο Server Name το computer name του sql cluster (sqlclus για το lab) και δεξί click properties.

    Πηγαίνουμε στο Advanced Policies tab και απόεπιλέγουμε το τρίτο Node, όπως στην εικόνα

    Στην συνέχεια στον SQL Server Ρόλο, δεξί click properties και να επιλέξουμε preferred owners τα δύο πρώτα Nodes μόνο.

    Το ίδιο κάνουμε και για τα δύο Cluster Disks

    Τώρα κάνουμε μια τυπική εγκατάσταση SQL Server 2012 στο τρίτο Node, με τα ίδια settings που κάναμε και για το Cluster, με τη διαφορά ότι θα κάνουμε Stand Alone Setup και όχι Cluster και πρέπει να δώσουμε διαφορετικό instance name γιατί το Default instane (MSSQLSERVER) υπάρχει στο Cluster. Επίσης δίνουμε έναν δίσκο στο Server με ίδιο γράμμα με αυτό που έχουν οι servers στο Cluster για την SQL. Στο lab είναι F:.

    Αφού ολοκληρωθεί η εγκατάσταση ενεργοποιούμε το AlwaysOn κι εδώ από το SQL Server Configuration Manager και κάνουμε restart το SQL server service.

    Συνέχεια στην επόμενη σελίδα
    Πηγή http://www.e-apostolidis.gr/%ce%b5%ce%bb%ce%bb%ce%b7%ce%bd%ce%b9%ce%ba%ce%ac/add-alwayson-ag-to-sql-failover-cluster-instance/
  20. proximagr
    <p>Happy Friday! My blog post is featured at this week’s Friday Five!</p>
    <p>Check out this week’s <a href="https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274">FridayFive section of the Microsoft MVP Award Program Blog!</a> My blog post about <a href="https://www.e-apostolidis.gr/microsoft/azure-free-smtp-relay-using-sendgrid/">using SendGrid for free SMTP relay from Azure</a> is featured !!!</p>
    <p id="swHBZZB"><img class="alignnone size-full wp-image-2880 " src="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb.png"alt="" srcset="https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb.png 1239w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-300x87.png 300w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-768x224.png 768w, https://www.e-apostolidis.gr/wp-content/uploads/2019/10/img_5d97b481a29bb-1024x298.png 1024w" sizes="(max-width: 1239px) 100vw, 1239px" /></p>
    <p><a href="https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274">https://techcommunity.microsoft.com/t5/Microsoft-MVP-Award-Program-Blog/Friday-Five-Azure-free-SMTP-relay-using-Sendgrid-Power-Platform/ba-p/894274</a></p>
    <p><a class="a2a_button_email" href="https://www.addtoany.com/add_to/email?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&linkname=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21"title="Email" rel="nofollow noopener" target="_blank"></a><a class="a2a_button_print" href="https://www.addtoany.com/add_to/print?linkurl=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&linkname=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21" title="Print" rel="nofollow noopener" target="_blank"></a><a class="a2a_dd addtoany_share_save addtoany_share" href="https://www.addtoany.com/share#url=https%3A%2F%2Fwww.e-apostolidis.gr%2Fgeneral%2Fhappy-friday-my-blog-post-featured-at-this-weeks-friday-five%2F&title=Happy%20Friday%21%20My%20blog%20post%20featured%20at%20this%20week%E2%80%99s%20Friday%20Five%21" data-a2a-url="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/" data-a2a-title="Happy Friday! My blog post featured at this week’s Friday Five!"><img src="https://static.addtoany.com/buttons/share_save_171_16.png" alt="Share"></a></p><p>The post <a rel="nofollow" href="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/">Happy Friday! My blog post featured at this week’s Friday Five!</a> appeared first on <a rel="nofollow" href="https://www.e-apostolidis.gr">Apostolidis IT Corner</a>.</p>

    <a href="https://www.e-apostolidis.gr/general/happy-friday-my-blog-post-featured-at-this-weeks-friday-five/"class='bbc_url' rel='nofollow external'>Source</a>
  21. proximagr
    1. Check if the password is set to never expire for one user:
    Get-MSOLUser -UserPrincipalName username | Select PasswordNeverExpires
    2. Check if the password is set to never expire for all users:
    Get-MSOLUser | Select UserPrincipalName, PasswordNeverExpires
    3. Check if the password is set to never expire for a list of users:
    create a txt file listing the required users, line by line with title “username”, and save it as c:\pwdexpire.txt, like this:
    then run:
    Import-csv c:\pwdexpire.txt | for each { Get-MSOLUser -UserPrincipalName $_.username | Select PasswordNeverExpires }
    4. Set password to never expire for one user:
    Set-MsolUser -UserPrincipalName username -PasswordNeverExpires $true
    5. Set password to never expire for all users:
    Get-MSOLUser | Set-MsolUser -PasswordNeverExpires $true
    6. Set password to never expire for a list of users:
    like before create a txt list and run:
    Import-csv c:\pwdexpire.txt | for each { Set-MsolUser -UserPrincipalName $_.username -PasswordNeverExpires $true }
    7. to re-set the password to expire just replace the $true with $false (please note that is the organization’s password expiration period has passed then the user/users will be locked and you will need to reset their passwords)
    source: http://www.e-apostolidis.gr/microsoft/manage-office-365-password-expiration/
  22. proximagr
    Securely scale your Web Apps with Azure Front Door
    There is a big buzz out there about Azure Front Door.  Is it a Load Balancer? A CDN? A Traffic Manager? A Web Application Firewall ? A Reverse Proxy? An Application Gateway?
    So, what is Azure Front Door?
    Azure Front Door actually is all the above and more. It is a global service, that routes web traffic based on performance and availability. A Layer 7 multi-region load balancer with Web Application Firewall (WAF) capabilities, DDoS protection & CDN.
    Azure Front Door is the entry point, the edge, of all Microsoft’s WAN. All Microsoft services, like Office 365 & Bing, are using Azure Front Door.
    The services that Azure Front door provides are:
    Accelerate application performance Increase application availability with smart health probes URL-based routing Multi-site hosting URL redirection Session affinity SSL termination Custom Domain & certificate management Security via custom WAF rules DDoS protection URL rewrite IPv6 and HTTP/2 support At Azure Front Door documentation there is a paragraph that can help to understand the difference between Azure Front Door and other publishing / load balancing Azure solutions and where to use each.
    For pricing information, see Front Door Pricing.
    How to scale your web apps with Front Door
    Create two simple Azure Web apps. Check this guide for a simple guide on how to create Azure App Service: https://www.e-apostolidis.gr/microsoft/azure/azure-start-point-your-first-web-app/
    One at West Europe:

    and one at North Europe:

    Using FTP, I deployed an one-page html site at both regions. I change the text of both site to say “This Web Site is located at North Europe Azure Datacenter”

    and “West Europe” to the other.

    Then create a Front Door. Search for Front Door at Azure marketplace and Create one.

    This is a high level diagram of the Front Door with two Web Apps design that we will create

    The “create a Front Door” wizard will start and we can configure it step by step. First we will create a Frontend host by clicking the + at the Step 1

    At the frontend host we will create the URL that our apps will be available. I added the papostolidis.azurefd.net. of course later you can add your custom domain and add a CNAME to route the traffic to the Front Door.

    Then, at the Backend pools (Step 2), press the + to add the web apps. add a name for the backend pool, like “myapps” and press + ADD a backend to add the apps.

    Select host type, you can add app service, cloud service, storage and custom host (URL). I selected the app service.

    Select the subscription and the app service and add the correct ports for http and https traffic.
    The priority defines if the traffic will be routed to the host with the lower priority number (e.g. 1) and if that host fails will route to the next host with bigger priority number (e.g. 2). If you add the same priority to more than one host then it will follow the weight number.
    The weight number defines the percentage of requests that will be routed to each host.

    The same way add the second web app

    Finally select a path, protocol and interval for the probe that will do health checks to the app to define if it is active or not.

    The third step is to add the routing rules. At the routing rules you can specify:
    The accepted protocol, http or https. the frontend host for this rule the patterns that the route will accept, like www.e-apostolidis.gr/mysite/* or just /* ro root. Route type forward or redirect. The backend pool that this rule will direct the traffic The protocol that the traffic will be forwarded. Here we define the SSL Offload if we select HTTPs for frontend accepted protocol and HTTP for backend. URL Rewrite rules Caching, for static content caching like CDN.
    Once all steps are completed we can move on and create the Front Door

    When the Front Door is ready, we can see the URL at the Overview.

    And browse our web app using the Front Door URL:

    How to protect your web apps with Front Door
    Right now we scaled our web apps. If we use each app’s URL we can still access the app. The first security step is to lock the web apps to be accessed only through the Front Door URL.
    Checking the Azure Front Door FAQ page, https://docs.microsoft.com/en-us/azure/frontdoor/front-door-faq it lists the Front Door’s address rance.
    Front Door’s IPv4 backend IP space:
    Go to the App Service, at the Networking section, select “Configure Access Restrictions”

    Add an allow access restriction with the IP range of the Front Door.

    Automatically a Deny rule will be created for everything else.

    Add the rule to both web apps and then try to access the apps with their direct links.

    Now on, we can access the apps only by using the Front Door URL:

    This is a high level diagram after the restrictions

    At the next article, we will see how to add Web Application Firewall (WAF) Rules to Front Door, Stay Tuned!! 

    The post Securely scale your Web Apps with Azure Front Door appeared first on Apostolidis IT Corner.

  23. proximagr
    First of all, the VM must be within a virtual network to be able to add a static Private IP address
    There are two ways to set a static private IP. One is using the new Azure Portal "portal.azure.com" and one via PowerShell.
    Using the new Portal, browse a VM, select settings and then IP addresses. There at the Private IP address you can select "Static" and add the IP address.
    Using PowerShell, first connect to the Azure (details on this post), and use the following commands:
    #Test IP availability:
    Test-AzureStaticVNetIP -VNetName XXXXXXX -IPAddress
    #Set the VM that will take the static IP
    $static = Get-AzureVM -ServiceName xxxxx -Name xxxxxx
    #Set the static IP
    Set-AzureStaticVNetIP -VM $static -IPAddress xx.xx.xx.xx | Update-AzureVM
    #Check the static IP
    Get-AzureStaticVNetIP -VM $staticVM
    source: http://www.e-apostolidis.gr/microsoft/set-static-ip-to-azure-vm/
  24. proximagr
    Azure AD | Secure Web Application Publishing
    Application Publishing
    Azure Active Directory Application Proxy is a very easy and secure way for web application publishing using the extremely secure Azure AD authentication mechanism. There are a tone of features, like SSO and 2 Factor Authentication. But lets see the basic here. You have a web application that you are using internal to your network, not even https, or you have developed a web application and you want an easy and safe way to publish it without having to wary about authentication or VPN. Use the Azure AD Application Proxy following the following simple steps.
    For this example I have used a Windows Server 2016 with IIS and the SugarCRM application using the IIS Web Platform Installer. The internal link is http://appproxy01/sugarcrm/that opens the SugarCRM login page.
    Lets start
    Navigate to Azure Portal and go to Azure Active Directory. Mind that Azure Active Directory Basic or Premium license is required. You can start a trial Azure AD Premium or Enterprise Mobility Suite E3 that includes Azure AD Premium.
    Fist of all you need to enable Application proxy. Select Enterprise applications –> Application proxy and click Enable & Download the connector clicking the “Connector” link.

    Next, install the connector to the web server or to an other domain member server. It requires Windows Server 2012 R2.

    At the installation process it will ask to login with an Azure AD account that has access to publish applications.
    Once installed, Run the Connector Troubleshooter to verify that the connector will run properly.

    After the successful installation,back to the Azure Portal the server FQDN and the Public IP will appear under the Default Connector.

    Now it is time to publish the application. Go to “All applications” –> +ADD –> On-premises application.

    Give a name, the internal Url that is used to access the application at your local network and press Add. Note the External URL.

    The next step is to assign users. Following the quick steps, press “Assign a user for testing”

    an add at least a user and you are ready to test the application.
    Now lets test the published application
    Open your favorite browser and navigate the the External URL. You will be navigated to the Microsoft online service logon page. Once authenticated with your Azure AD account the SugarCRM login page will be served.

    This is the simplest way to publish a web application without having to wary for Authentication and Security.
    Of course if the application supports active directory authentication then it is very easy to setup SSO, but we will analyze that at the next post.
  25. proximagr
    <p>Lets say you have an Office 365 account and cloud only users with mailboxes and now you decide that you want to sync it and match the Office 365 users with your Active Directory users.</p>
    <p>I prepared a lab with one DC and I created a trial Office 365 E3 account with custom domain. I created users with the same username to both. At Active Directory I set the UPN to match the Office 365 user name and also added the email address.</p>
    <p>Next I enabled directory synchronization from Office 365 and installed Azure AD Connect to DC2. After the initial sync i got this error:</p>
    <p><em>Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [Mail test1@xxxxx.gr;].</em></p>
    <p>I realized that Office 365 could not map the users, it was trying to create new. So there must be an attribute that needs correction. The solution came form the following blog:</p>
    <p>and specifically at the “manual match method” section:</p>
    <p><em>In order to match the user with the cloud user you have to set the Immutable ID of onPremise Active Directory user’s ObjectGUID to the immutableID value of the Office365 user.</em><br /><em>To retrieve the ObjectGUID you can use the following command:</em></p>
    <p><em>Ldifde –d “CN=xxx…,OU=xxx,DC=xxxx,DC=xx” –f c:tempexportuser1.txt</em></p>
    <p><em>“CN=xxx…,OU=xxx,DC=xxxx,DC=xx” is the distinguished name of the user. You can use ADSIEdit or the AD Users & Computer (attribute editor) to find this value</em></p>
    <p><em>In the Textfile exportuser1.txt look for the ObjectGUID. You will find a string like z2Xbu0xFTUapOeDqHRTN1A==</em></p>
    <p><em>Then connect to Windows Azure Active Director and use the command</em></p>
    <p><em>set-MsolUser -UserPrincipalName user1.surname1@customerdomain.com -ImmutableId z2Xbu0xFTUapOeDqHRTN1A==</em></p>
    <p>After that I just forced a delta sync “Start-ADSyncSyncCycle -PolicyType Delta” , the sync was successful and the users in Office 365 changed from “In Clout” to “Synced with Active Directory”</p>
    <p> </p>
    <p><a href="http://www.e-apostolidis.gr/wp-content/uploads/2016/07/How-to-Map-OnPrem-Active-Directory-users-to-existing-Office365-Users.pdf">Howto Map OnPrem Active Directory users to existing Office365 Users</a></p>
    <p>source: http://blogs.4ward.it/how-to-map-onprem-active-directory-users-to-existing-office365-users/</p>
    <p><a class="a2a_button_email" href="http://www.addtoany.com/add_to/email?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Foffice-365%2Fmatch-onprem-active-directory-users-existing-office365-users%2F&linkname=Match%20OnPrem%20Active%20Directory%20users%20to%20existing%20Office365%20Users"title="Email" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/email.png" width="16" height="16" alt="Email"/></a><a class="a2a_button_print" href="http://www.addtoany.com/add_to/print?linkurl=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Foffice-365%2Fmatch-onprem-active-directory-users-existing-office365-users%2F&linkname=Match%20OnPrem%20Active%20Directory%20users%20to%20existing%20Office365%20Users" title="Print" rel="nofollow" target="_blank"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/icons/print.png" width="16" height="16" alt="Print"/></a><a class="a2a_dd a2a_target addtoany_share_save" href="https://www.addtoany.com/share#url=http%3A%2F%2Fwww.e-apostolidis.gr%2Fmicrosoft%2Foffice-365%2Fmatch-onprem-active-directory-users-existing-office365-users%2F&title=Match%20OnPrem%20Active%20Directory%20users%20to%20existing%20Office365%20Users" id="wpa2a_6"><img src="http://www.e-apostolidis.gr/wp-content/plugins/add-to-any/share_save_171_16.png" width="171" height="16" alt="Share"/></a></p><p>The post <a rel="nofollow" href="http://www.e-apostolidis.gr/microsoft/office-365/match-onprem-active-directory-users-existing-office365-users/">Match OnPrem Active Directory users to existing Office365 Users</a> appeared first on <a rel="nofollow" href="http://www.e-apostolidis.gr">Proxima's IT Corner</a>.</p>

    <a href="http://www.e-apostolidis.gr/microsoft/office-365/match-onprem-active-directory-users-existing-office365-users/"class='bbc_url' rel='nofollow external'>Source</a>
  • Create New...