Network Security Groups - Internet
Hello,
I am implementing NSGs in an Azure environment. When I apply a Deny Any Internet on the Domain controller Subnet (2 DC), I am not able to log in with RD Web access anymore (DMZ has internet allowed). After the Deny Any Internet is an Allow Any Any applied.
Internet-outbound Deny Internet
AllowAny-outbound Any Any
Can a domain controller still be an Azure DNS server with these rules up? Since the DC needs to contact the Azure DNS.
Hi,
It seems like this issue is more related to Microsoft Azure Virtual Networking, I will move this thread to Microsoft Azure Virtual Networking Forum for better help.
Thank you for your understanding.
Best Regards,
Jambor
Similar Messages
-
Network Security Groups REST API
HI,
according to this link:
http://azure.microsoft.com/blog/2014/11/04/network-security-groups/
Network Security groups is currently exposed only through power shell and REST API.
I can't find any REST API documentations.
any idea?
Hi,
You are correct. There is no official article related to Network Security Group with REST API as Network Security Group is a new feature. I will report it to the related team and hope the related articles would be published quickly. In addition, you can also submit your requirement in Azure feedback:
http://feedback.azure.com/forums/34192--general-feedback
Appreciate your patience.
Best regards,
Susie
-
NOOB Question Network Security Groups
It appears I need to use Powershell to create NSG's etc so stupid question is where do I run the powershell to create the NSG from the command "New-AzureNetworkSecurityGroup" on a particular VM within Azure?
Hi,
You could install Azure PowerShell in your Azure VM or in your Local Machine as well.
Please refer the following link to install PowerShell:
http://azure.microsoft.com/en-in/documentation/articles/powershell-install-configure/
I ran the following command in my Local Machine to create a Network Security Group and it worked successfully:
New-AzureNetworkSecurityGroup -Name "******" -Location "******" -Label "*******"
Regards,
Malar. -
Docs for NSG (Network Security Groups) Powershell cmds
Is there a max length or other restrictions on the -Name used for New-AzureNetworkSecurityGroup?
Or for the rules, via Set-AzureNetworkSecurityRule?
Hi Darian,
Currently I would suggest using < 50 chars, we are working on fixing the length problem.
Also, please be advised the name:
1. must start with a letter or underscore
2. must not contain \, /, :, *, ?, ", <, >, |, `, ', ^, %, #
3. must not end with whitespace or .
Hope this helps.
Regards,
Malar. -
I cannot get my iMac with built-in airport wi-fi to allow internet connections to Nook and PS3. The devices access the network, but internet connection fails. Internet sharing is enabled, network security (WEP, WPA) is disabled. What to check next?
On an additional note, I've purchased a wireless router and everything connected on the first attempt. It just vexes me that the built-in wireless isn't working as a router. Is this another example of "Mac only plays with Mac"?
-
How do I setup a secure wireless AirPort network that allows internet shari
Hi everyone,
I'm trying to setup internet sharing over a wireless Airport network between my flatmate's iMac and my G4 Powerbook. We both have Norton Confidential installed, which includes a Firewall feature, which may be making this more difficult.
I thought I understood the basics of setting up secure Airport network, and the basics of Internet sharing. But with all the variations I've tried, I've only ever managed to create a secure network that won't share internet, or a network that shares internet but doesn't seem to be password protected. I never seem to get all three, and I can't figure out why.
From startup/login on both machines, what are the steps I need to follow?
Many thanks,
Andrew
You enable wireless security on the base station, by using the AirPort Utility. You basically have four choices: None, WEP, WPA, or WPA2. (Note: These are in order of least to most security.)
Here are the basic steps:
AirPort Extreme Base Station Setup (AEBSn) - Wireless Encryption
Setup the AEBSn
Either connect to the AEBSn's wireless network or temporarily connect your computer directly (using an Ethernet cable) to one of the LAN ports of the AEBSn, and then, using the AirPort Utility in Manual Mode, check these settings:
AirPort - Wireless
o Wireless Security: <None | WEP (Transitional Security Network) | WPA/WPA2 Personal | WPA2 Personal>
o Wireless Password: <enter your desired password>
o Verify Password: <reenter your desired password> -
Create different network share shortcut in desktop for different security groups using GPO
Hi,
I have an OU named TECH that contains two different security groups ENG and PRESS.
When users in ENG group logs in desktop should show a network share \\server1\eng-share and
when users in PRESS group logs in desktop should show a network share \\server1\press-share.
How to create a GPO for this ?
regards, Faisal
You could use group policy preferences shortcuts. You would create a shortcut to each of these shares and then use Item Level Targeting. The target would point to the security group needed.
-
Which network security do i choose for my new IPhone 5 If I have cable internet and an airport wireless router?
You should choose WPA2 Personal (AES).
See this Apple doc for more info -> iOS: Recommended settings for Wi-Fi routers and access points -
Security Group Creation in Specific OU and Create Network Share For the Security Group
Hi,
We would really want to create a PowerShell script that creates a specific Security Group within a selected Organisation Unit.
Brief Scenario;
We have created several Organisation Units. Each Organisation Unit contains another Organisation Unit called users.
+OU=Netherlands
++OU=Company A
+++OU=users
++OU=Company B
+++OU=users
And so forth.
If we run the PowerShell script it should create a list of all the Companies in container Netherlands. After the list is created it creates an output like 1. Company A; 2. Company B. (Foreach ..)
The script asks for user input where to create the Security Group. If user selects option 2, a security group Called "Company B" is being created. All the users located in the Organisation Unit users within Company B are joined to that group. (Sets option 2 as a value like Security Group = "$Company B", create Security Group "Universal, Global (option), and get all users from container users and join them)
Then without user interaction a share is being created. Granting Domain Administrators full access and the Security Group which has just been created.
Is somebody able to help me with this kind of script?
Thank you in advance,
With kind regards,
Danny Locorotondo
Already gathered some information. Have this as a result. Now I need to figure out how to put the results into a list, so the user can select the group. As far as now I am stuck.
Import-Module ActiveDirectory

Function SelectCollectionRelease
{
    [CmdletBinding()]
    Param
    (
        [Parameter(Mandatory=$true,
                   Position=0,
                   HelpMessage='Enter the Release of the Collection. By example: Alfa,Beta or Charlie')]
        $CollectionRelease
    )
    IF(!$CollectionRelease)
    {
        # No value given: prompt again
        write-host "`n You did not select a proper Collection Release" -foregroundcolor "red"
        SelectCollectionRelease
    }
    Elseif($CollectionRelease)
    {
        [string] $OUPath = "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local"
        if (!([adsi]::Exists("LDAP://$OUPath")))
        {
            # OU not found in the directory: prompt again
            write-host "`n Collection Release does not exists" -foregroundcolor "red"
            SelectCollectionRelease
        }
        else
        {
            write-host "`n Collection Release exists." -foregroundcolor "green"
            write-host "`n Selected $OUPath ..." -foregroundcolor "yellow"
            # List the security groups found under the selected OU
            Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} | Format-List -Property Name
        }
    }
    Else
    {
        #$SecurityGroup = Get-ADGroup -SearchBase "OU=$CollectionRelease,OU=VDI,OU=carsystems,DC=carsysdev,DC=local" -filter {GroupCategory -eq "Security"} -and (ObjectClass -eq "user")
    }
}
SelectCollectionRelease
-
How do I access a network camera from internet via 501
Please understand that I am nowhere near being a network guru and I'm even farther away from being a PIX guru.
I have a 501 PIX between my home network and the outside internet. The PIX is connected to a cable modem and pretty much keeps the same DHCP IP address as assigned by the ISP. I have an AXIS 207 IP camera connected to my home network on IP 192.168.1.11. For the sake of illustration say the address assigned by my cable ISP is 123.123.123.1.
What I need to do is to access the camera from the internet. To do that I suppose I need to add some instructions to the PIX configuration but I don't know where to start...I have never even thought about communicating with devices on my home network through the internet. Can someone please provide some pointers or better yet the commands I need to add. The next question is how do I access the camera assuming the PIX is all set up. I don't think I use the camera's address and I don't know how the ISP address would get to a specific device such as the camera - maybe appending a port number or whatever to the IP address I type when trying to access the camera from the internet?
The way the camera works on the internal network is you type in its IP address in a browser window and the camera opens up a web page just like any url and the video is streamed to a window in the web page.
I hope I've provided enough info to understand what I'm trying to do and I would be most appreciative for any help.
thanks
I tried installing the commands as provided but am running into issues. Here are the error messages:
pixfirewall(config)# nat (inside) 1 0.0.0.0
ERROR: Duplicate NAT entry
ERROR: fail to insert nat entry
pixfirewall(config)# global (outside) 1 xxx.xxx.114.55
ERROR: xxx.xxx.114.55-xxx.xxx.114.55 overlaps with outside interface address
pixfirewall(config)#
And here is a copy of my current configuration (including the code prior to entering the changes and the successful changes). Any Idea what needs to be done to fix things?
thanks
Building configuration...
: Saved
PIX Version 6.3(5)
interface ethernet0 auto
interface ethernet1 100full
nameif ethernet0 outside security0
nameif ethernet1 inside security100
enable password xxx
passwd xxx
hostname pixfirewall
domain-name ciscopix.com
clock timezone CST -6
clock summer-time CDT recurring
fixup protocol dns maximum-length 512
fixup protocol ftp 21
fixup protocol h323 h225 1720
fixup protocol h323 ras 1718-1719
fixup protocol http 80
fixup protocol rsh 514
fixup protocol rtsp 554
fixup protocol sip 5060
fixup protocol sip udp 5060
fixup protocol skinny 2000
fixup protocol smtp 25
fixup protocol sqlnet 1521
fixup protocol tftp 69
names
access-list 100 permit icmp any any echo-reply
access-list 100 permit icmp any any time-exceeded
access-list 100 permit icmp any any unreachable
access-list inbound permit tcp any host xxx.xxx.114.55 eq www
pager lines 24
logging timestamp
logging trap informational
logging host inside 192.168.1.3
icmp deny any echo outside
mtu outside 1500
mtu inside 1500
ip address outside dhcp setroute
ip address inside 192.168.1.1 255.255.255.0
ip audit info action alarm
ip audit attack action alarm
pdm location 192.168.1.3 255.255.255.255 inside
pdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0 0 0
static (inside,outside) tcp xxx.xxx.114.55 www 192.168.1.11 www netmask 255.255.255.255 0 0
access-group inbound in interface outside
timeout xlate 0:05:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 rpc 0:10:00 h225 1:00:00
timeout h323 0:05:00 mgcp 0:05:00 sip 0:30:00 sip_media 0:02:00
timeout sip-disconnect 0:02:00 sip-invite 0:03:00
timeout uauth 0:05:00 absolute
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server RADIUS protocol radius
aaa-server RADIUS max-failed-attempts 3
aaa-server RADIUS deadtime 10
aaa-server LOCAL protocol local
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server community public
no snmp-server enable traps
floodguard enable
telnet 192.168.1.0 255.255.255.0 inside
telnet timeout 15
ssh timeout 5
console timeout 0
dhcpd address 192.168.1.6-192.168.1.10 inside
dhcpd dns 207.69.188.171 207.69.188.172
dhcpd lease 3600
dhcpd ping_timeout 750
dhcpd auto_config outside
dhcpd enable inside
username administrator password xxx privilege 15
terminal width 80
Cryptochecksum:xxx
: end
[OK] -
"Network disabled because Internet connection is slow"
I have both a Samsung Galaxy S3 and a new Samsung Tab 3. After a recent software upgrade, I was having connectivity issues to wireless routers. The message I got when connecting to a secure wireless network was "Network disabled because Internet connection is slow". I determined that I had no issues with either my phone or tablet on either an unsecure router (WiFi hotspot), or with any older router that broadcast WPA2 personal with either aes OR tkip security. I do have a problem with connecting to any new router that broadcasts BOTH aes and tkip at the same time. When I change the routers under my control to broadcast only aes or tkip, then I can immediately connect both my phone and tablet to the router. There are obviously a lot of routers over which I have no control, so this needs to be fixed. I am pretty sure that there is a problem with the latest Android software upgrade in this regard
I am having the same problem with my Galaxy 3S since the upgrade. Have searched for settings, etc. but haven't found anything I can control. My home network is getting 54.4 down and 5.7 up! Have had this issue nearly everywhere I am connected.
I think it needs a fix - noticed today that Verizon has doubled my DATA for free. May need it if this continues. -
How to setup the guest network just access internet only (not touch in internal server)
I had setup the AirPort Extreme in basic and guest network, but observed the guest can access to our server currently, for the security issue, we can setup the guest network to access internet only? please advise and thanks
By default, a properly configured Guest network on the AirPort Extreme only allows network clients to access the Internet. No access to the "main" network's resources should be available.
This is assuming that the AirPort Extreme is the only or "main" router in your current network configuration. -
Network security:LAN manager authentication level setting on GPO
Hi,
We have a requirement from project team to change the one of the security setting on default domain policy for all computers in domain. Below are the security setting which we need to modify.
computer configuration-->windows settings-->security settings-->local policies-->security options-->
Network security: LAN manager authentication level
this setting need to be changed to - Send LM & NTLM - use NTLMv2 session security if negotiated.
The project team facing issue with Apache web server and they found the solution on below link.(we have tested this by changing local group policy and this solution works as expected)
https://www.sysaid.com/Sysforums/posts/list/9065.page
We need to know what is the impact after enabling this on domain computers.
Need help on this to go ahead on this.
Hi,
you have a weaker domain security overall. "
LM Hash Generation
The algorithm introduces several weaknesses that attackers can exploit. First, all lowercase characters are set to uppercase, reducing the number of possible characters. Second, it splits a long, strong, password into two seven-character chunks.
Both the LM and NTLM protocols operate essentially the same way; the only difference is the password hash.
REF: The Most Misunderstood Windows Security Setting of All Time
This post is provided AS IS with no warranties or guarantees, and confers no rights.
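The two weaknesses quoted in the reply above can be seen without computing a single hash. The following is an added example, not code from the thread or the referenced article: it reproduces only LM's input preparation and counts the resulting search space. It assumes ASCII passwords and the 95 printable ASCII characters as the candidate alphabet; all function names are illustrative.

```python
import math

LM_MAX_LEN = 14   # LM ignores everything past 14 characters
HALF_LEN = 7      # each 7-byte block is hashed on its own

# Assumption for this example: candidates are printable ASCII (0x20-0x7e).
PRINTABLE = [chr(c) for c in range(0x20, 0x7F)]


def lm_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte blocks that LM processes independently.

    Steps: uppercase, truncate or NUL-pad to 14 bytes, split in two.
    The DES step that turns each block into 8 hash bytes is omitted;
    it adds no secret, so the weakness is already visible here.
    """
    raw = password.upper().encode("ascii", errors="replace")
    raw = raw[:LM_MAX_LEN].ljust(LM_MAX_LEN, b"\x00")
    return raw[:HALF_LEN], raw[HALF_LEN:]


def effective_alphabet() -> int:
    """Distinct characters left once lowercase is folded to uppercase."""
    return len({c.upper() for c in PRINTABLE})


def search_space(alphabet: int, max_len: int) -> int:
    """Number of strings of length 0..max_len over the given alphabet."""
    return sum(alphabet ** n for n in range(max_len + 1))


def unsplit_search_space() -> int:
    """Case-sensitive 14-character password treated as one unit."""
    return search_space(len(PRINTABLE), LM_MAX_LEN)


def lm_search_space() -> int:
    """Two independent 7-character blocks over the uppercase-only alphabet."""
    return 2 * search_space(effective_alphabet(), HALF_LEN)


if __name__ == "__main__":
    # Constructed sample passwords, for illustration only.
    for pw in ("Password123!", "pAsSwOrD123!", "short"):
        print(f"{pw!r:16} -> {lm_halves(pw)}")
    print("alphabet after uppercasing:", effective_alphabet())
    print("unsplit, case-sensitive: ~2^%.1f" % math.log2(unsplit_search_space()))
    print("LM, two halves:          ~2^%.1f" % math.log2(lm_search_space()))
```

Passwords that differ only in letter case produce identical blocks, and a password of seven characters or fewer leaves the second block all NUL bytes, which is why allowing LM responses weakens every account in the domain regardless of password length.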
-
Security Groups not being discovered / Talking a long time to be discovered
Hi All.
When creating user collections I am creating the majority of them with a membership rule that links directly to a discovered Security Group, so in order for this to happen the security group has to first be discovered by Security Group Discovery Method.
Ok, what I am seeing is that it is taking a long time, very long time for the security group to appear. At the moment a security group that I am waiting on was created more than 24 hours ago and has still not appeared in the All User Groups collection.
Now this has got me thinking, some of these security groups are created and will not be populated with users from active directory so it is basically an empty security group, the security group that I'm waiting on to be discovered is empty also...
So my question... if a security group has no members, does this stop it from being discovered / appearing in All Users Groups collection ?
If this answer is 'no' then I got to ask some more questions as to what is causing this severe lag in my discovery :-(
Hi Jason,
been trawling the internet and found this.... it's dated 2010 so must be referring to SCCM 2007, but could still be relevant.. ???
5. Active Directory User Discovery
It discovers the following:
User name
Unique user name (includes domain name)
Active Directory domain
Active Directory container name
User groups (except empty groups)
http://systemcentersupport.blogspot.co.uk/2010/01/discovery-methods-do-what.html
(just added a user to my 'empty' security group - see what happens) -
NSX Security Groups in vRA 6.2
Hi community,
We have our Test vRA environment up and running. I have got an external vCO and have NSX, vRAC, vCenter plugins all configured. I have vSphere and vCO Endpoint which are working fine with deployment of VMs. We have NSX installed in the environment and I have the "Specify Network and Security Platform" part configured too.
We are not using the full blown NSX here. Only the Distributed Firewall piece with the Security Policies and Security Groups is planned. However I don't get to see Security Groups under reservations. The data collection shows that NSX inventory collection is successful. Below is the error I see in the vCO server logs. Anyone facing similar issues?
[SCRIPTING_LOG] [Create NSX endpoint/Manage SSL certificates (5/14/15 07:51:54)] Provided url is invalid 'https://vc2004.mycompany.com'
2015-05-14 07:55:51.256-0400 [WorkflowExecutorPool-Thread-1342] ERROR {[email protected]:Create NSX endpoint:8a16949f4c563ecd014d5247ddcb1f6a:0513028f-4d48-49f0-bd04-032b2ee722d7:[0513028f-4d48-49f0-bd04-032b2ee722d7]} [SCRIPTING_LOG] [Create NSX endpoint/Manage SSL certificates (5/14/15 07:55:51)] Provided url is invalid 'https://vc2004.mycompany.com'
2015-05-14 08:02:32.504-0400 [vcoSystemTaskScheduler-2]
In the vCO Workflow log I see this..
[2015-05-21 15:32:43.702] [I] url: https://10.10.10.10
[2015-05-21 15:32:43.702] [I] ReferenceError: "RESTHostValidator" is not defined.
[2015-05-21 15:32:43.703] [E] Provided url is invalid 'https://10.10.10.10'
[2015-05-21 15:32:43.703] [I] TypeError: Cannot call method "getCertificateInfo" of null
The vco workflow completes every time it runs but silently throws the above exception in the workflow log window.
Any help is greatly appreciated.
Regards,
VMSavvy