Site to site VPN between Azure and Cisco ASA

Azure, wow, isn't it amazing? IaaS has arrived, and you can do some pretty cool stuff with Azure without worrying about licensing or hardware, beyond the size and spec of your virtual machines in their data centres. But that's just the bloody problem, isn't it? It's in their network, not yours! So you need to set up a site-to-site link between Azure and your local supported device.

Click here to view a list of supported devices and their configuration instructions. This will tell you what type of VPN your equipment will support, and what you should deploy in Azure portal.

My local supported device is a Cisco ASA, which you will notice is only supported for policy-based, not route-based, VPN, so you need to start out right or you're going to waste a lot of time deploying VPN gateways in Azure, which takes about 45 minutes each time. The instructions on GitHub are easy to follow and available here [.docx].

If you follow these instructions you will get going fairly quickly, but if you have multiple subnets that you want to allow to communicate with Azure you will have to make some modifications. For example, my protected wireless network should have access to Azure, because I'm going to put a domain controller on a virtual machine there to handle DHCP (not supported!), DNS and 802.1X authentication in a disaster recovery scenario.

You will need to modify your NAT like this:

First create network objects for the subnets that should reach your Azure networks (the subnets below are placeholders, use your own; AzureNetworks is the object you created for the Azure address space when following the guide):

config t
object network mgmtnet
 subnet 10.0.1.0 255.255.255.0
object network wirelessnet
 subnet 10.0.2.0 255.255.255.0

Then create corresponding identity (no-NAT) rules, so traffic to Azure keeps its real source and destination addresses:

nat (inside,outside) source static mgmtnet mgmtnet destination static AzureNetworks AzureNetworks
nat (Wireless,outside) source static wirelessnet wirelessnet destination static AzureNetworks AzureNetworks

Hope this saves you a little bit of time getting multiple subnets to work on your ASA-to-Azure VPN if you're in a rush and followed the instructions a little blindly, but who does that? Not you! One more check: the NAT exemption alone won't carry an extra subnet across a policy-based tunnel; the crypto map ACL on the ASA and the local network gateway address prefixes on the Azure side both need to list every on-premises subnet too.

Add Azure Server 2016 Nano to your Active Directory

Ok, so adding a Nano server to your on-premises Active Directory is not as straightforward as you might like, but of course there's no GUI, so what did you expect? The process is not the same as adding Server Core to your domain: as Nano can only be managed remotely, you must first connect to the machine using WinRM / PowerShell and perform a three-stage operation to join the Azure Nano machine to your domain.

Of course, you've already set up your site-to-site VPN with Azure? No – I haven't blogged about it yet! Of course, because you've read my blog post about that too! It is straightforward enough though: follow the instructions provided and check your NAT, but other than that it's a breeze.

First you must deploy your Nano from the Azure portal. I'm not going to go through this part here: most of the blogs I've seen on the Azure portal are out of date or relate to the classic portal, and with a major server OS release having just happened I expect there will probably be more changes to the Azure portal, so I'm going to leave that bit for now.

Stage one: Connect to the Azure Nano Server using PowerShell

Open PowerShell locally and start WinRM:

PS C:\WINDOWS\system32> net start winrm

The Windows Remote Management (WS-Management) service is starting.

The Windows Remote Management (WS-Management) service was started successfully.

You then need to add the Nano to your WinRM client's TrustedHosts list (more info on this here). Keep the entry to the Nano's address rather than a * wildcard: anything listed in TrustedHosts can be authenticated to with NTLM without the remote machine proving who it is.

Set-Item WSMan:\localhost\Client\TrustedHosts -Value "<Nano public IP>"

You’ll then get a warning telling you that you are modifying the Trusted Host list – you want to click yes:

(Yes, I'm using ISE.) You can then actually connect to your Nano with Enter-PSSession, using the credentials you used to create the machine in Azure:

Enter-PSSession -ComputerName "<Nano public IP>" -Credential WAN02ADC01PV\svradmin

And you're in!

Stage two: Setting things up

So you now need to change the DNS server to one of your own domain's DNS servers (a domain controller), so the Nano can resolve your domain:

netsh interface ip set dnsservers name="Ethernet" static <DC IP> primary

Microsoft have turned the firewall on the Nano on by default, and you will need to enable the firewall rules for File and Printer Sharing to be able to transfer the file you will create in the next stage, when adding it to your domain:

netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=yes

Stage three: Joining to the domain

Ok, we're done here for now. Over to your domain-joined server: you need to use djoin, which will create the computer account in AD and spit out a file for you to import into the Nano. Run this command from your desktop to make your life easy, as the file is generated in the directory it is run from! It looks a little something like this:

C:\Users\madmin\Desktop>djoin.exe /provision /domain WEARENOTHING.COM /machine WAN02ADC01PV /savefile .\WAN02ADC01PV-DOMAIN

Of course, you've figured out by now that you're supposed to change the highlighted values (the domain, the machine name and, in the next command, the Nano's IP) to your own.

Ok, now map a drive to the c$ share on the Nano:

NET USE x: "\\<Nano IP>\c$"

Create a folder on the Nano called temp and copy the file you generated into it, then, in the remote PS session, finish it off:

djoin /requestodj /loadfile c:\temp\WAN02ADC01PV-DOMAIN /windowspath c:\windows /localos

You will then see:

Loading provisioning data from the following file: [c:\temp\WAN02ADC01PV-DOMAIN].
The provisioning request completed successfully.
A reboot is required for changes to be applied.

The operation completed successfully.

You will then need to seal the deal with a remote reboot:

shutdown /r

You're done: it is added, you can now manage it using your domain credentials, and it can be added to Server Manager, although I don't believe you will be able to add roles and features to it this way, but this may change, who knows.
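As an added example (not code from the post), here are the three stages scripted from a domain-joined PowerShell 5 workstation. The placeholder values for the Nano's address, your DC's address and the domain and machine names are assumptions; the djoin blob is copied over the existing PS session with Copy-Item -ToSession instead of mapping c$, so the File and Printer Sharing rules can stay closed.

```powershell
# Added example, not the post's own script. Placeholders below are assumptions:
# run from a domain-joined admin workstation (PowerShell 5.x, djoin.exe present).
$NanoIp  = '<nano-public-ip>'   # placeholder: the Nano's address reachable over the VPN
$DcIp    = '<dc-ip>'            # placeholder: a DNS server / domain controller in your domain
$Domain  = 'WEARENOTHING.COM'   # domain name from the post
$Machine = 'WAN02ADC01PV'       # machine name from the post

# Stage one: trust only the Nano's address (never '*'), append rather than overwrite,
# then open a session with the local admin credential set when the VM was deployed.
Set-Item WSMan:\localhost\Client\TrustedHosts -Value $NanoIp -Concatenate -Force
$cred = Get-Credential -UserName "$Machine\svradmin" -Message 'Nano local admin'
$s = New-PSSession -ComputerName $NanoIp -Credential $cred

# Stage two: point the Nano at your DNS and create the drop folder for the blob.
# The File and Printer Sharing rules from the post are not needed here, because the
# blob travels over the PS session rather than SMB.
Invoke-Command -Session $s -ScriptBlock {
    param($dns)
    netsh interface ip set dnsservers name="Ethernet" static $dns primary
    New-Item -Path C:\temp -ItemType Directory -Force | Out-Null
} -ArgumentList $DcIp

# Stage three: provision the computer account on the domain side, ship the blob
# over the session, import it on the Nano and reboot.
$blob = Join-Path $env:TEMP "$Machine-DOMAIN"
djoin.exe /provision /domain $Domain /machine $Machine /savefile $blob
if ($LASTEXITCODE -ne 0) { throw "djoin /provision failed ($LASTEXITCODE)" }
Copy-Item -Path $blob -Destination "C:\temp\$Machine-DOMAIN" -ToSession $s
Remove-Item $blob   # the blob carries the machine account secret; do not leave it on the desktop
Invoke-Command -Session $s -ScriptBlock {
    param($file)
    djoin.exe /requestodj /loadfile $file /windowspath C:\Windows /localos
    if ($LASTEXITCODE -ne 0) { throw "djoin /requestodj failed ($LASTEXITCODE)" }
    Remove-Item $file       # same reason: the blob is not needed once imported
    Restart-Computer -Force # the session will drop here, that is expected
} -ArgumentList "C:\temp\$Machine-DOMAIN"
Remove-PSSession $s -ErrorAction SilentlyContinue
```

After the reboot, reconnect with a domain credential instead of the local svradmin account to confirm the join worked.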