Enable Cross-Premises Connectivity to Windows Azure with Forefront Threat Management Gateway (TMG) 2010
Windows Azure is Microsoft’s Infrastructure as a Service (IaaS) cloud platform. With it you can create virtual machines in the cloud running a variety of operating systems and services. Enabling seamless and transparent cross-premises network connectivity to the cloud will be vital as organizations begin to extend their on-premises datacenter to Windows Azure. Windows Azure provides support for virtual networks that can be configured to use an IPsec site-to-site VPN for network-to-network connectivity, effectively allowing network engineers to bridge their on-premises LAN to their hosted cloud infrastructure. In this article I’ll demonstrate how to configure Windows Azure virtual networking and Forefront TMG site-to-site networking to achieve this. This article assumes that you are familiar with the Windows Azure IaaS cloud platform. If you are not, you can sign up for a free 90-day trial of Windows Azure here.
Before You Get Started
At the time of this writing, it is not possible to configure an existing Windows Azure virtual machine to use virtual networking with cross-premises connectivity retroactively. This means that, at least for now, if you want to enable this feature you must configure the virtual networking first, then build a virtual machine and assign it to the virtual network. Virtual networking is still in preview, so I expect this will change later when the feature becomes official.
Configuring Windows Azure Networking
Log in to the Windows Azure management portal here. Select Networks in the navigation menu on the left and then click the Create a Virtual Network link in the center pane.
Choose and enter a name for the Azure virtual network. Select the default option to Create a new affinity group and choose and enter a name for the Affinity Group Name.
By default, Windows Azure will define an internal network address range using the 10.0.0.0/8 private address space defined in RFC 1918. It also creates the default Subnet-1 with a /11 mask (2,097,152 addresses). The wizard defaults to a Count view, displaying the number of addresses included in each range.
I prefer to switch to CIDR view, as shown here. In addition, I’ve chosen to change the initial settings of the default subnet by clicking on Subnet-1 and entering AzureNet0 and choosing /24 from the drop down list under Address Count/CIDR.
Since we’ll be joining this Windows Azure virtual machine to our on-premises corporate domain, enter the name and IP addresses of your corporate DNS servers here. Select the option to Configure a connection to the local network. For the Gateway Subnet enter a unique subnet from the address space you selected to use for your Windows Azure virtual network. This must be a unique subnet, and since I’ve already defined the 10.0.0.0/24 subnet I’ve selected 10.0.1.0/24 here. Finally, select the option to Specify a new local network under Local Network.
Choose and enter a name for the local network (this is your on premises network). Enter the VPN Device IP Address, which is the physical or virtual IP address assigned to the external network interface of your TMG firewall. In addition, enter the Address Space for your internal network in CIDR notation.
Once complete, select Networks in the navigation menu on the left and click AzureLab. At the bottom of the screen click Create Gateway.
The management console should now report that the gateway is being created. I’ll caution you that this process can take quite a bit of time, so be patient!
Once the gateway has been configured, make note of the Gateway IP Address. Also, at the bottom of the screen click Manage Key and copy down the shared key. You’ll need this information later when you configure the site-to-site VPN on the TMG firewall. Treat the shared key as a credential: it is the only thing that authenticates the two gateways to each other, so store it as you would any other secret.
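The virtual network built through the portal above can also be expressed as a single NetworkConfiguration document, which is easier to review and to reproduce than a sequence of wizard pages. The following is an added example and not part of the original article; it uses the Windows Azure PowerShell cmdlets of that era (Set-AzureVNetConfig, New-AzureVNetGateway, Get-AzureVNetGateway, Get-AzureVNetGatewayKey), and the local site name "HQ", the on-premises range 192.168.1.0/24, the DNS server 192.168.1.10, the TMG external address 203.0.113.10 and the affinity group "AzureLabAG" are all assumptions to replace with your own values. The address space, subnets and gateway subnet match the walkthrough.

```powershell
# Added example (not from the original article): the Windows Azure virtual
# network from the walkthrough as a NetworkConfiguration document, applied with
# the Windows Azure PowerShell module of that era. Run from a workstation with
# the module installed and a subscription already imported
# (Import-AzurePublishSettingsFile). The cmdlet names and the object properties
# read at the end (VIPAddress, Value) are assumptions about that module version.
# Addresses for the local site use documentation ranges; replace them.

$vnetName      = 'AzureLab'
$affinityGroup = 'AzureLabAG'
$localSite     = 'HQ'                         # assumption: name of the on-premises site
$configPath    = Join-Path $env:TEMP 'NetworkConfig.xml'

$netcfg = @"
<NetworkConfiguration xmlns:xsd="http://www.w3.org/2001/XMLSchema"
  xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2011/07/NetworkConfiguration">
  <VirtualNetworkConfiguration>
    <Dns>
      <DnsServers>
        <!-- on-premises DNS so the VM can find domain controllers (assumed address) -->
        <DnsServer name="CorpDNS" IPAddress="192.168.1.10" />
      </DnsServers>
    </Dns>
    <LocalNetworkSites>
      <LocalNetworkSite name="$localSite">
        <AddressSpace>
          <AddressPrefix>192.168.1.0/24</AddressPrefix>
        </AddressSpace>
        <!-- VPN Device IP Address: external interface of the TMG firewall (assumed) -->
        <VPNGatewayAddress>203.0.113.10</VPNGatewayAddress>
      </LocalNetworkSite>
    </LocalNetworkSites>
    <VirtualNetworkSites>
      <VirtualNetworkSite name="$vnetName" AffinityGroup="$affinityGroup">
        <AddressSpace>
          <AddressPrefix>10.0.0.0/8</AddressPrefix>
        </AddressSpace>
        <Subnets>
          <Subnet name="AzureNet0">
            <AddressPrefix>10.0.0.0/24</AddressPrefix>
          </Subnet>
          <!-- the gateway lives here; it must not overlap any other subnet -->
          <Subnet name="GatewaySubnet">
            <AddressPrefix>10.0.1.0/24</AddressPrefix>
          </Subnet>
        </Subnets>
        <DnsServersRef>
          <DnsServerRef name="CorpDNS" />
        </DnsServersRef>
        <Gateway>
          <ConnectionsToLocalNetwork>
            <LocalNetworkSiteRef name="$localSite" />
          </ConnectionsToLocalNetwork>
        </Gateway>
      </VirtualNetworkSite>
    </VirtualNetworkSites>
  </VirtualNetworkConfiguration>
</NetworkConfiguration>
"@

# Parse locally first: a malformed document or a missing GatewaySubnet fails
# here instead of after a slow round trip to the service.
[xml]$doc = $netcfg
$subnets = $doc.NetworkConfiguration.VirtualNetworkConfiguration.VirtualNetworkSites.VirtualNetworkSite.Subnets.Subnet
if (-not ($subnets | Where-Object { $_.name -eq 'GatewaySubnet' })) {
    throw 'A GatewaySubnet is required for cross-premises connectivity'
}

# The affinity group referenced by the site must exist before the config is applied.
New-AzureAffinityGroup -Name $affinityGroup -Location 'East US' | Out-Null   # location is an assumption
Set-Content -Path $configPath -Value $netcfg -Encoding UTF8
Set-AzureVNetConfig -ConfigurationPath $configPath

# Create the gateway (this is the slow step) and read back the two values
# the TMG site-to-site wizard asks for.
New-AzureVNetGateway -VNetName $vnetName | Out-Null
$gateway = Get-AzureVNetGateway -VNetName $vnetName
$key     = Get-AzureVNetGatewayKey -VNetName $vnetName -LocalNetworkSiteName $localSite
"Gateway IP Address: $($gateway.VIPAddress)"
"Shared key:         $($key.Value)"   # a secret: do not leave it in a console transcript
```

Keeping the document in source control gives you a reviewable record of exactly which on-premises ranges are routed into the cloud, which is the part of this setup most likely to be changed by accident later.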
Configuring a Windows Azure Virtual Machine
Select the option to create a Windows Azure virtual machine From Gallery. Do not select the option to Quick Create as this will not allow you to connect the virtual machine to the virtual network we just created!
Choose a Virtual Machine Operating System from the list.
Choose and enter a Virtual Machine Name, provide a password for the local administrator account, and choose the Size of the virtual machine you’d like to configure.
Choose and enter a unique DNS Name for the virtual machine. The virtual machine wizard will select the Affinity Group and Virtual Network Subnet created earlier.
For the purposes of this demonstration we will not configure an availability set.
The new Windows Azure virtual machine will appear in the management console with a status of Starting (Provisioning). As with other Windows Azure processes this can take quite a bit of time, so be patient!
Once the virtual machine provisioning process is complete, the dashboard will provide detailed information about its status and operation. Make note of the IP address of the virtual machine, as this is the private address you’ll connect to over the site-to-site VPN tunnel established between the TMG firewall and Windows Azure.
Configuring TMG Site-to-Site VPN to Windows Azure
In the TMG management console, highlight the Remote Access Policy (VPN) node in the navigation tree, click Remote Sites in the center console, and then click Create VPN Site-to-Site Connection in the Tasks pane.
Choose and enter a name for the site-to-site network.
Accept the default option to use IP Security protocol (IPsec) tunnel mode.
Enter the Remote VPN gateway IP address, which is the IP address of the Windows Azure gateway noted earlier. Enter the Local VPN gateway IP address, which is the IP address assigned to the external network interface of your TMG firewall. If you have an enterprise array with Network Load Balancing enabled, enter the virtual IP address assigned to the external network.
Select the option to Use pre-shared key for authentication and enter the shared key noted earlier.
Enter the IP address range of the remote site network defined in Windows Azure. By default, the remote site gateway address is already populated. Do not remove this IP address!
The TMG Site-to-Site Connection Wizard will automatically create the required network relationship between the Internal network and the remote Windows Azure virtual network.
Since all site-to-site traffic is subject to firewall policy, an access rule must be configured to allow communication between the Internal network and the remote Windows Azure virtual network. I’ve chosen to allow all outbound traffic to make things simpler for the demonstration. Security best practices dictate that the firewall should only allow the protocols and services required between the two networks.
Review the configuration and click Finish.
Before saving the changes and applying the configuration, right-click the new remote site VPN connection to Windows Azure and choose Properties. Select the Connection tab and choose IPsec Settings.
Select the Phase I tab and change the settings to AES128, SHA1, and Group 2 (1024 bit). Accept the default to Authenticate and generate a new key every 28800 seconds.
Select the Phase II tab and change the settings to AES128 and SHA1. Select the option to Generate a new key every 102400000 seconds and disable Use Perfect Forward Secrecy (PFS). These are the parameters the Windows Azure gateway accepts at the time of writing, not the ones you would pick on your own: SHA1 and Diffie-Hellman Group 2 are weak by current standards, and without PFS a compromise of the Phase I key exposes the Phase II keys derived from it, so revisit these settings as the Azure gateway gains support for stronger options.
Choose Ok, then save and apply the configuration changes.
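The access rule created in the wizard allows all outbound traffic between the Internal network and the Windows Azure network, which is convenient for the demonstration but not what you want to leave in place. The following is an added example and not part of the original article: it builds the restricted form of that rule (RDP only, Internal to the remote site network) through the TMG administration COM object model (FPC.Root) rather than the console. It assumes the site-to-site network was named "AzureLab" in the wizard, that the enumeration values follow the ISA/TMG SDK (fpcPolicyRuleActionAllow = 0, fpcSpecifiedProtocols = 1, fpcInclude = 0), and that "RDP (Terminal Services)" is the built-in protocol definition you need; none of those names appear in the original.

```powershell
# Added example (not from the original article): create a least-privilege
# access rule for the site-to-site network through the TMG COM object model.
# Run in an elevated PowerShell session on the TMG server. The remote site
# network name, the protocol list and the enumeration constants below are
# assumptions taken from the ISA/TMG SDK, not values from the article.

$ruleName   = 'Allow RDP Internal to AzureLab'
$remoteSite = 'AzureLab'                     # assumption: name entered in the site-to-site wizard
$protocols  = @('RDP (Terminal Services)')   # assumption: built-in TMG protocol definition name

$fpcPolicyRuleActionAllow = 0
$fpcSpecifiedProtocols    = 1
$fpcInclude               = 0

$root  = New-Object -ComObject 'FPC.Root'
$array = $root.GetContainingArray()
$rules = $array.ArrayPolicy.PolicyRules

# Refuse to run twice under the same name rather than silently creating duplicates.
foreach ($existing in $rules) {
    if ($existing.Name -eq $ruleName) { throw "Rule '$ruleName' already exists" }
}

$rule = $rules.AddAccessRule($ruleName)
$rule.Action = $fpcPolicyRuleActionAllow
$rule.Description = 'Site-to-site to Windows Azure: RDP only. Replaces the allow-all rule from the wizard.'

# Protocols: only what the two networks actually need to exchange.
$rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
foreach ($p in $protocols) {
    $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude)
}

# Source and destination are network objects; the wizard created the remote one.
$rule.SourceSelectionIPs.Networks.Add('Internal', $fpcInclude)
$rule.AccessProperties.DestinationSelectionIPs.Networks.Add($remoteSite, $fpcInclude)

# Persist the change; TMG then applies the configuration in the background.
# New rules are appended at the end of the policy, so delete the allow-all
# demonstration rule (or move this one above it in the console) before relying on it.
$rules.Save()
"Created rule '$ruleName' allowing $($protocols -join ', ') from Internal to $remoteSite"
```

Add further protocol definitions to the list as the cloud workload needs them (for example the ones used for Active Directory replication if you later place a domain controller in Azure) rather than widening the rule back to all outbound traffic.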
From an elevated command prompt, enter the following command.
netsh interface ipv4 set interface external mtu=1350
Note: “External” in the above command syntax is the name of the external network interface on the TMG firewall. If you are using the default Windows names (e.g. Local Area Connection or Local Area Connection 2) or perhaps you’re using a different naming convention (e.g. Eth1, WAN, etc.) then specify that name in the command accordingly. Optionally you could also use the interface index number instead.
From a workstation located on the Internal network protected by TMG (not from the TMG console itself!) open an RDP session to the private IP address of the Windows Azure virtual machine.
Note: At this point you might be tempted to ping the IP address of the remote virtual machine. However, this will not work because the host firewall on the virtual machine is not configured to allow inbound ICMP in its default configuration.
If everything is configured correctly you should be presented with a prompt for credentials. Select the option to log in with another account and specify the administrator account and password you chose when configuring the Windows Azure virtual machine. You’ll receive a warning that The remote computer could not be authenticated due to problems with its security certificate. This is expected on a freshly provisioned virtual machine, which presents a self-signed RDP certificate that your workstation does not trust; choose Yes to continue logging in. Once the machine is domain joined you can issue it a certificate from your enterprise CA so that the warning, and the habit of clicking through it, goes away.
At this point we’ve successfully connected to the remote Windows Azure virtual machine through our TMG site-to-site VPN connection.
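Because the virtual machine drops ICMP echo by default, a scripted check of the tunnel needs a TCP probe rather than ping, and the MTU change is worth reading back rather than trusting the netsh exit code. The following is an added example and not part of the original article: Set-InterfaceMtu runs in an elevated session on the TMG server (and later, with the VM’s adapter name, on the Windows Azure virtual machine before it is joined to the domain), and Test-TcpPort runs from a workstation on the Internal network. It uses only netsh and the .NET TcpClient so it works on the Windows Server 2008 R2 / PowerShell 2.0 generation that TMG runs on. The interface name "External" and the VM address 10.0.0.4 are assumptions.

```powershell
# Added example (not from the original article). Two helpers for verifying the
# site-to-site setup without relying on ICMP. Assumptions: the TMG external
# interface is named "External" and the Azure VM's private address is 10.0.0.4.

function Set-InterfaceMtu {
    # Runs on the TMG server (elevated). Sets the MTU and returns the value the
    # stack actually reports afterwards.
    param([Parameter(Mandatory = $true)][string]$InterfaceName, [int]$Mtu = 1350)

    netsh interface ipv4 set interface "$InterfaceName" mtu=$Mtu | Out-Null

    # "show subinterfaces" prints: <MTU> <MediaSenseState> <BytesIn> <BytesOut> <Interface>
    # The interface name is the last column, so anchor on it to avoid matching
    # "External 2" when asked for "External".
    $pattern = "^\s*(\d+)\s+.*\s$([regex]::Escape($InterfaceName))\s*$"
    $line = @(netsh interface ipv4 show subinterfaces | Where-Object { $_ -match $pattern })
    if ($line.Count -eq 0) { throw "Interface '$InterfaceName' not found" }
    if ($line[0] -match '^\s*(\d+)') { $actual = [int]$Matches[1] } else { throw 'Unexpected netsh output' }
    if ($actual -ne $Mtu) { throw "MTU on '$InterfaceName' is $actual, expected $Mtu" }
    return $actual
}

function Test-TcpPort {
    # Runs from a workstation on the Internal network. Returns $true if a TCP
    # handshake completes within the timeout; RDP (3389) is the port the
    # walkthrough uses, so a successful connect proves the tunnel, TMG policy
    # and the VM's host firewall are all allowing the traffic.
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 3389,
        [int]$TimeoutMs = 5000
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            return $false          # no SYN/ACK within the timeout: filtered or unreachable
        }
        $client.EndConnect($async)  # throws on an active refusal (RST)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage (uncomment on the host where each applies):
# On the TMG server:
#   Set-InterfaceMtu -InterfaceName 'External' -Mtu 1350
# From an Internal workstation, before opening the RDP session:
#   if (Test-TcpPort -ComputerName '10.0.0.4' -Port 3389) { 'RDP reachable over the tunnel' }
#   else { 'No TCP connect to 3389: check the TMG access rule, the IPsec SA and the VM firewall' }
```

A TCP connect that times out while the IPsec tunnel shows as connected usually points at the TMG access rule or the VM’s host firewall rather than at the VPN; an immediate refusal means the packets are arriving and the service on that port is not listening.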
Adding this Windows Server 2012 virtual machine to Active Directory can be accomplished by executing the following command from an elevated PowerShell prompt. Because you are logged in with the local administrator account, add -Credential with a domain account that has permission to join computers to the domain if the command is rejected:
Add-Computer -DomainName richardhicks.net -Restart
Note: Before joining the domain, set the MTU size to 1350 on the Windows Azure virtual machine just as you did for the external network interface on the TMG server.
After the system restarts, we can reach the remote Windows Azure virtual machine by its single-label hostname or FQDN, as it will now be registered in our internal DNS.
Going back to the Windows Azure management console you’ll notice that the virtual machine is listed as a resource for the virtual network and data transfer statistics are also included.
With careful planning and preparation, utilizing site-to-site VPN in Forefront TMG allows network administrators to meet their goal of establishing seamless and transparent cross-premises network connectivity between their on-site datacenters and their Windows Azure cloud-based infrastructure.