Monday 5 June 2023

Business Central - Azure SSO Redirect Loop

 

Azure SSO Redirect Loop

I noticed an odd issue when both Business Central application servers were running at the same time, in which the Azure Single Sign-on page would constantly loop round and round after entering your credentials. If I disabled IIS and stopped the Business Central Service Instance on one of the servers, the issue went away.

In Azure, I noticed that the following setting was enabled on the Production Application Gateway, but was disabled on Test. Under Settings > Backend Settings > navServiceTierBackendHttpSettings > Cookie-based affinity.



The application gateway can use cookies to keep a user session on the same server. You can enable this feature if the client supports the use of cookies.

I enabled Cookie Based affinity for the navServiceTierBackendHttpSettings port 443 and this resolved the issue.






Monday 13 February 2023

Ditched the Cisco router for OpenWrt Dual WAN Setup

Due to the poor performance of my old POTS ADSL line, I decided to look at 4G Routers. Surprisingly, I could get over 200mbps download and around 50mbps upload!

Compared to my ADSL line of 17mbps down and 1mbps up, this significantly increased speed and performance!

I wanted to make use of my ADSL line, so I turned my Raspberry Pi into an OpenWrt router, and have it monitor both WAN connections.

If it detects the 4G connection is down by performing regular pings to 1.1.1.1, it will set the metric to a value of 1, and set the backup ADSL interface metric to 0. 

The lowest value takes precedence, and the routing table is updated accordingly setting the default WAN interface to the ADSL interface. When the 4G interface comes back online the metric value is set back to 0, and the ADSL interface metric is set back to 1.

It works really well, and with OpenWrt, you can have many packages running that provide all sorts of extra functionality like Dynamic DNS updates, Private DNS, QOS and Bandwidth monitoring!






Sunday 10 July 2022

Azure SQL PaaS Private Endpoints & DNS

So I have a SQL PaaS Server in Azure, typically you connect to it using the server name which is a domain name that resolves to a public IP address. Now we have disabled public access, so we connect to it via a Private Endpoint.

Private Endpoints link the Azure Virtual Network (vnet), and our network config is done so the routing tables send the traffic to the correct location via SD-WAN etc. Connecting to the SQL Database is done via the server name, but that resolves to a public IP, which I can’t use, due to public access being disabled.


Enabling Private Endpoints creates this private DNS alias, if public access was still enabled then this alias would not exist. So in Azure, you can have Private DNS Zones which use Azure’s own DNS servers and services. We don’t use Private DNS for the virtual network in production, we use our own DNS servers in AD.


If I do a nslookup on the server name you will see it has an alias with the zone I need to add.
When you do the nslookup for the main server name sql-server.datbase.windows.net, it resolves to the alias sql-server.privatelink.database.windows.net.


So by creating the zone in our DNS servers in AD, Azure will look at this zone and return the private IP I need of 10.X.X.X for sql-server.privatelink.database.windows.net. Now because it's an alias looking up the original server name will then eventually return my private IP.


The reason Microsoft does it this way is so if you wanted public access back again, Azure would add/remove this alias address providing you the correct IP you need.


Hope that helps.

For more information, see the original Microsoft community support post I made, along with a very useful video on Azure DNS in relation to Private Endpoints,


Monday 6 June 2022

IE Mode Microsoft Edge (Chromium) Default Policy

Edge IE Mode Microsoft Edge (Chromium) Default Policy - IE MODE

The group policy enables a feature in Edge called IE Mode, which adds legacy browser compatibility for Internet Explorer.

1.      Download the policy file from Microsoft Edge Policy Template.

2.      Extract the downloaded Policy File folder MicrosoftEdgePolicyTemplates.

Domain Controller Setup

3.      Copy msedge.admx, msedgeupdate.admx and msedgewebview2.admx file from C:\Users\{user}\Downloads\MicrosoftEdgePolicyTemplates\windows\admx to C:\Windows\PolicyDefinitions.

4.      Copy msedge.adml, msedgeupdate.adml and msedgewebview2.adml file from C:\Users\{user}\Downloads\MicrosoftEdgePolicyTemplates\windows\admx\en-US to C:\Windows\PolicyDefinitions\en-US.

5.      Open Group Policy Editor.

6.      Click User Configuration/Computer Configuration > Administrative Templates > Microsoft Edge.

7.      Double-click Configure Internet Explorer integration.

8.      Select Enabled.

9.      Under Options, set the drop-down value to Internet Explorer mode if you want the sites to open in IE mode on Microsoft Edge

Configuring the Enterprise Mode Site List policy

Configure IE mode with a separate policy for Microsoft Edge. This additional policy allows you to override the IE site list. For example, some organizations target the production site list to all users. You can then deploy the pilot site list to a small group of users using this policy.

1.     Create or reuse a Site List.

2.    Open Group Policy Editor.

3.      Click User Configuration/Computer Configuration > Administrative Templates > Microsoft Edge.

4.      Double-click Configure the Enterprise Mode Site List.

5.      Select Enabled.

6.      Under Options, type the location of the website list.

7.      Click OK or Apply to save these settings

More Info

·       https://www.youtube.com/watch?v=A2o0x9-0urE
https://docs.microsoft.com/en-us/deployedge/edge-ie-mode-site-list-manager

 

 

Sunday 31 January 2021

IP on DNS blacklist (IP on DNS Blacklist) Down (Error checking bl.spamcop.net, it contains an entry for 127.0.0.1 )

 

Our PRTG server started alerting us to the following.

IP on DNS blacklist (IP on DNS Blacklist) Down (Error checking bl.spamcop.net, it contains an entry for 127.0.0.1)

Also, emails sent from Office 365, some at not getting through.

watchdog.wmf.de gave this error:
Decision Engine classified the mail item was rejected because of IP Block (from outbound normal IP pools) -> 550 40.107.14.123 blacklisted at bl.spamcop.net

Appears  bl.spamcop.net  have not renewed their domain?

https://forum.kpn.com/e-mail-10/spamcop-net-opgeheven-levert-problemen-op-530208?postid=1229636#post1229636

This appears to be causing miss classifications of IP’s that are being blacklisted.

The server used at this time for Office 365 appears to on this backlist.

Name:    mail-eopbgr140123.outbound.protection.outlook.com

Address:  40.107.14.123

 


 


 


Tracking ID: 1ca78e52-284c-4af5-b352-1053cc27860f

Monday 4 May 2020

Home Network Setup

Being someone who love playing around with Cisco kit I decided to annoy my wife and remove the standard cheap basic router from my ISP and go full enterprise at home!

The diagram below shows the topology of my setup, the broadband line uses a Fibre Line VDSL Broadband Fibre Connection. The main ISP router is a Cisco 887VA-M which has the firewall completely locked down with only ports 443 open for SSL VPN connection into my network. I gave the local interfaces an IP from the subnet of 192.168.2.X /30. This allows two IP addresses which can be used to connect the core ISP Cisco router to my Cisco ASA Firewall, which protects in the internal network.

The local LAN runs on a different subnet, 192.168.1.X /24, which uses DHCP reserved addresses. I allocate specific IP addresses and lock down the network with firewall rules on the Cisco ASA.

The local wireless access point is a Cisco AP541N-E which uses WPA2 PSK along with MAC Address filtering to further lock down who can access the network via MAC Addresses.

If you wanted to know how the network was configured please get in touch and I can always send you snippets of the configs.

Physical setup.

Minecraft Club Brightlingsea