Domain > blog.ittoby.com
DNS Resolutions
Date
IP Address
2014-09-01
64.233.182.121
(
ClassC
)
2014-10-14
64.233.164.121
(
ClassC
)
2015-02-20
74.125.202.121
(
ClassC
)
2015-06-02
64.233.191.121
(
ClassC
)
2016-03-22
173.194.69.121
(
ClassC
)
2024-08-10
142.251.215.243
(
ClassC
)
Port 80
HTTP/1.1 301 Moved PermanentlyLocation: https://blog.ittoby.com/Content-Type: text/html; charsetUTF-8Date: Sat, 10 Aug 2024 18:06:27 GMTExpires: Sat, 10 Aug 2024 18:06:27 GMTCache-Control: private, max-age0X-Content-Type-Options: nosniffX-Frame-Options: SAMEORIGINContent-Security-Policy: frame-ancestors selfX-XSS-Protection: 1; modeblockServer: GSEAccept-Ranges: noneVary: Accept-EncodingTransfer-Encoding: chunked HTML>HEAD>TITLE>Moved Permanently/TITLE>/HEAD>BODY BGCOLOR#FFFFFF TEXT#000000>!-- GSE Default Error -->H1>Moved Permanently/H1>The document has moved A HREFhttps://blog.ittoby.com/>here/A>./BODY>/HTML>
Port 443
HTTP/1.1 200 OKContent-Type: text/html; charsetUTF-8Expires: Sat, 10 Aug 2024 18:06:27 GMTDate: Sat, 10 Aug 2024 18:06:27 GMTCache-Control: private, max-age0Last-Modified: Thu, 18 Jul 2024 11:37:39 GMTX-Content-Type-Options: nosniffX-XSS-Protection: 1; modeblockServer: GSEAccept-Ranges: noneVary: Accept-EncodingTransfer-Encoding: chunked !DOCTYPE html>html classv2 dirltr langen>head>link hrefhttps://www.blogger.com/static/v1/widgets/3566091532-css_bundle_v2.css relstylesheet typetext/css/>meta contentwidth1100 nameviewport/>meta contenttext/html; charsetUTF-8 http-equivContent-Type/>meta contentblogger namegenerator/>link hrefhttps://blog.ittoby.com/favicon.ico relicon typeimage/x-icon/>link hrefhttps://blog.ittoby.com/ relcanonical/>link relalternate typeapplication/atom+xml titleitToby - Atom hrefhttps://blog.ittoby.com/feeds/posts/default />link relalternate typeapplication/rss+xml titleitToby - RSS hrefhttps://blog.ittoby.com/feeds/posts/default?altrss />link relservice.post typeapplication/atom+xml titleitToby - Atom hrefhttps://www.blogger.com/feeds/5458589696790815336/posts/default />link relme hrefhttps://www.blogger.com/profile/11479868060801724272 />!--Cant find substitution for tag blog.ieCssRetrofitLinks-->meta contenthttps://blog.ittoby.com/ propertyog:url/>meta contentitToby propertyog:title/>meta contentBecause if I don't write it down I might forget it. 
propertyog:description/>title>itToby/title>style idpage-skin-1 typetext/css>!--/*-----------------------------------------------Blogger Template StyleName: SimpleDesigner: BloggerURL: www.blogger.com----------------------------------------------- *//* Content----------------------------------------------- */body {font: normal normal 12px Trebuchet MS, Trebuchet, sans-serif;color: #666666;background: #90c1e3 none repeat scroll top left;padding: 0 0 0 0;}html body .region-inner {min-width: 0;max-width: 100%;width: auto;}h2 {font-size: 22px;}a:link {text-decoration:none;color: #2288bb;}a:visited {text-decoration:none;color: #888888;}a:hover {text-decoration:underline;color: #33aaff;}.body-fauxcolumn-outer .fauxcolumn-inner {background: transparent none repeat scroll top left;_background-image: none;}.body-fauxcolumn-outer .cap-top {position: absolute;z-index: 1;height: 400px;width: 100%;}.body-fauxcolumn-outer .cap-top .cap-left {width: 100%;background: transparent none repeat-x scroll top left;_background-image: none;}.content-outer {-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .15);-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .15);-goog-ms-box-shadow: 0 0 0 #333333;box-shadow: 0 0 0 rgba(0, 0, 0, .15);margin-bottom: 1px;}.content-inner {padding: 10px 40px;}.content-inner {background-color: #ffffff;}/* Header----------------------------------------------- */.header-outer {background: transparent none repeat-x scroll 0 -400px;_background-image: none;}.Header h1 {font: normal bold 55px Courier New, Courier, FreeMono, monospace;color: #000000;text-shadow: 0 0 0 rgba(0, 0, 0, .2);}.Header h1 a {color: #000000;}.Header .description {font-size: 18px;color: #444444;}.header-inner .Header .titlewrapper {padding: 22px 0;}.header-inner .Header .descriptionwrapper {padding: 0 0;}/* Tabs----------------------------------------------- */.tabs-inner .section:first-child {border-top: 0 solid #dddddd;}.tabs-inner .section:first-child ul {margin-top: -1px;border-top: 1px solid 
#dddddd;border-left: 1px solid #dddddd;border-right: 1px solid #dddddd;}.tabs-inner .widget ul {background: transparent none repeat-x scroll 0 -800px;_background-image: none;border-bottom: 1px solid #dddddd;margin-top: 0;margin-left: -30px;margin-right: -30px;}.tabs-inner .widget li a {display: inline-block;padding: .6em 1em;font: normal normal 12px Trebuchet MS, Trebuchet, sans-serif;color: #000000;border-left: 1px solid #ffffff;border-right: 1px solid #dddddd;}.tabs-inner .widget li:first-child a {border-left: none;}.tabs-inner .widget li.selected a, .tabs-inner .widget li a:hover {color: #000000;background-color: #eeeeee;text-decoration: none;}/* Columns----------------------------------------------- */.main-outer {border-top: 0 solid transparent;}.fauxcolumn-left-outer .fauxcolumn-inner {border-right: 1px solid transparent;}.fauxcolumn-right-outer .fauxcolumn-inner {border-left: 1px solid transparent;}/* Headings----------------------------------------------- */div.widget > h2,div.widget h2.title {margin: 0 0 1em 0;font: normal bold 11px Trebuchet MS,Trebuchet,Verdana,sans-serif;color: #000000;}/* Widgets----------------------------------------------- */.widget .zippy {color: #999999;text-shadow: 2px 2px 1px rgba(0, 0, 0, .1);}.widget .popular-posts ul {list-style: none;}/* Posts----------------------------------------------- */h2.date-header {font: normal bold 11px Arial, Tahoma, Helvetica, FreeSans, sans-serif;}.date-header span {background-color: #bbbbbb;color: #ffffff;padding: 0.4em;letter-spacing: 3px;margin: inherit;}.main-inner {padding-top: 35px;padding-bottom: 65px;}.main-inner .column-center-inner {padding: 0 0;}.main-inner .column-center-inner .section {margin: 0 1em;}.post {margin: 0 0 45px 0;}h3.post-title, .comments h4 {font: normal normal 22px Trebuchet MS,Trebuchet,Verdana,sans-serif;margin: .75em 0 0;}.post-body {font-size: 110%;line-height: 1.4;position: relative;}.post-body img, .post-body .tr-caption-container, .Profile img, .Image 
img,.BlogList .item-thumbnail img {padding: 2px;background: #ffffff;border: 1px solid #eeeeee;-moz-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1);-webkit-box-shadow: 1px 1px 5px rgba(0, 0, 0, .1);box-shadow: 1px 1px 5px rgba(0, 0, 0, .1);}.post-body img, .post-body .tr-caption-container {padding: 5px;}.post-body .tr-caption-container {color: #666666;}.post-body .tr-caption-container img {padding: 0;background: transparent;border: none;-moz-box-shadow: 0 0 0 rgba(0, 0, 0, .1);-webkit-box-shadow: 0 0 0 rgba(0, 0, 0, .1);box-shadow: 0 0 0 rgba(0, 0, 0, .1);}.post-header {margin: 0 0 1.5em;line-height: 1.6;font-size: 90%;}.post-footer {margin: 20px -2px 0;padding: 5px 10px;color: #666666;background-color: #eeeeee;border-bottom: 1px solid #eeeeee;line-height: 1.6;font-size: 90%;}#comments .comment-author {padding-top: 1.5em;border-top: 1px solid transparent;background-position: 0 1.5em;}#comments .comment-author:first-child {padding-top: 0;border-top: none;}.avatar-image-container {margin: .2em 0 0;}#comments .avatar-image-container img {border: 1px solid #eeeeee;}/* Comments----------------------------------------------- */.comments .comments-content .icon.blog-author {background-repeat: no-repeat;background-image: url(data:image/png;base64,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);}.comments .comments-content .loadmore a {border-top: 1px solid #999999;border-bottom: 1px solid #999999;}.comments .comment-thread.inline-thread {background-color: #eeeeee;}.comments .continue {border-top: 2px solid #999999;}/* Accents---------------------------------------------- */.section-columns td.columns-cell {border-left: 1px solid transparent;}.blog-pager {background: transparent url(//www.blogblog.com/1kt/simple/paging_dot.png) repeat-x scroll top center;}.blog-pager-older-link, .home-link,.blog-pager-newer-link {background-color: #ffffff;padding: 5px;}.footer-outer {border-top: 1px dashed #bbbbbb;}/* Mobile----------------------------------------------- */body.mobile 
{background-size: auto;}.mobile .body-fauxcolumn-outer {background: transparent none repeat scroll top left;}.mobile .body-fauxcolumn-outer .cap-top {background-size: 100% auto;}.mobile .content-outer {-webkit-box-shadow: 0 0 3px rgba(0, 0, 0, .15);box-shadow: 0 0 3px rgba(0, 0, 0, .15);}.mobile .tabs-inner .widget ul {margin-left: 0;margin-right: 0;}.mobile .post {margin: 0;}.mobile .main-inner .column-center-inner .section {margin: 0;}.mobile .date-header span {padding: 0.1em 10px;margin: 0 -10px;}.mobile h3.post-title {margin: 0;}.mobile .blog-pager {background: transparent none no-repeat scroll top center;}.mobile .footer-outer {border-top: none;}.mobile .main-inner, .mobile .footer-inner {background-color: #ffffff;}.mobile-index-contents {color: #666666;}.mobile-link-button {background-color: #2288bb;}.mobile-link-button a:link, .mobile-link-button a:visited {color: #ffffff;}.mobile .tabs-inner .section:first-child {border-top: none;}.mobile .tabs-inner .PageList .widget-content {background-color: #eeeeee;color: #000000;border-top: 1px solid #dddddd;border-bottom: 1px solid #dddddd;}.mobile .tabs-inner .PageList .widget-content .pagelist-arrow {border-left: 1px solid #dddddd;}-->/style>style idtemplate-skin-1 typetext/css>!--body {min-width: 1080px;}.content-outer, .content-fauxcolumn-outer, .region-inner {min-width: 1080px;max-width: 1080px;_width: 1080px;}.main-inner .columns {padding-left: 0;padding-right: 250px;}.main-inner .fauxcolumn-center-outer {left: 0;right: 250px;/* IE6 does not respect left and right together */_width: expression(this.parentNode.offsetWidth -parseInt(0) -parseInt(250px) + px);}.main-inner .fauxcolumn-left-outer {width: 0;}.main-inner .fauxcolumn-right-outer {width: 250px;}.main-inner .column-left-outer {width: 0;right: 100%;margin-left: -0;}.main-inner .column-right-outer {width: 250px;margin-right: -250px;}#layout {min-width: 0;}#layout .content-outer {min-width: 0;width: 800px;}#layout .region-inner {min-width: 0;width: 
auto;}body#layout div.add_widget {padding: 8px;}body#layout div.add_widget a {margin-left: 32px;}-->/style>link hrefhttps://www.blogger.com/dyn-css/authorization.css?targetBlogID5458589696790815336&zx5308c773-91f5-4935-abb4-0054a1a0d6af medianone onloadif(media!'all')media'all' relstylesheet/>noscript>link hrefhttps://www.blogger.com/dyn-css/authorization.css?targetBlogID5458589696790815336&zx5308c773-91f5-4935-abb4-0054a1a0d6af relstylesheet/>/noscript>meta namegoogle-adsense-platform-account contentca-host-pub-1556223355139109/>meta namegoogle-adsense-platform-domain contentblogspot.com/>/head>body classloading variant-simplysimple>div classnavbar no-items section idnavbar nameNavbar>/div>div itemscopeitemscope itemtypehttp://schema.org/Blog styledisplay: none;>meta contentitToby itempropname/>/div>div classbody-fauxcolumns>div classfauxcolumn-outer body-fauxcolumn-outer>div classcap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left>div classfauxborder-right>/div>div classfauxcolumn-inner>/div>/div>div classcap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>/div>div classcontent>div classcontent-fauxcolumns>div classfauxcolumn-outer content-fauxcolumn-outer>div classcap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left>div classfauxborder-right>/div>div classfauxcolumn-inner>/div>/div>div classcap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>/div>div classcontent-outer>div classcontent-cap-top cap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left content-fauxborder-left>div classfauxborder-right content-fauxborder-right>/div>div classcontent-inner>header>div classheader-outer>div classheader-cap-top cap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left header-fauxborder-left>div classfauxborder-right header-fauxborder-right>/div>div classregion-inner header-inner>div classheader section idheader 
nameHeader>div classwidget Header data-version1 idHeader1>div idheader-inner>div classtitlewrapper>h1 classtitle>itToby/h1>/div>div classdescriptionwrapper>p classdescription>span>Because if I dont write it down I might forget it./span>/p>/div>/div>/div>/div>/div>/div>div classheader-cap-bottom cap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>/header>div classtabs-outer>div classtabs-cap-top cap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left tabs-fauxborder-left>div classfauxborder-right tabs-fauxborder-right>/div>div classregion-inner tabs-inner>div classtabs no-items section idcrosscol nameCross-Column>/div>div classtabs no-items section idcrosscol-overflow nameCross-Column 2>/div>/div>/div>div classtabs-cap-bottom cap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>div classmain-outer>div classmain-cap-top cap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left main-fauxborder-left>div classfauxborder-right main-fauxborder-right>/div>div classregion-inner main-inner>div classcolumns fauxcolumns>div classfauxcolumn-outer fauxcolumn-center-outer>div classcap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left>div classfauxborder-right>/div>div classfauxcolumn-inner>/div>/div>div classcap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>div classfauxcolumn-outer fauxcolumn-left-outer>div classcap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left>div classfauxborder-right>/div>div classfauxcolumn-inner>/div>/div>div classcap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>div classfauxcolumn-outer fauxcolumn-right-outer>div classcap-top>div classcap-left>/div>div classcap-right>/div>/div>div classfauxborder-left>div classfauxborder-right>/div>div classfauxcolumn-inner>/div>/div>div classcap-bottom>div classcap-left>/div>div classcap-right>/div>/div>/div>!-- corrects IE6 width 
calculation -->div classcolumns-inner>div classcolumn-center-outer>div classcolumn-center-inner>div classmain section idmain nameMain>div classwidget Blog data-version1 idBlog1>div classblog-posts hfeed> div classdate-outer> h2 classdate-header>span>Friday, June 23, 2017/span>/h2> div classdate-posts> div classpost-outer>div classpost hentry uncustomized-post-template itempropblogPost itemscopeitemscope itemtypehttp://schema.org/BlogPosting>meta contenthttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj85WfMuz8lax1ZFKO0w71mrqChZnlrMhmrz__esp4BOnmi3POI2z5heloZZRL23Gx9QBa3J97tKFGO1Xu9bgVC-pcbKVh4TFk3ypHHOT6cop7smSliK0ipZK2_2MwZwt9LqTpifMpS6bw/s640/ed209CroppedMod.jpg itempropimage_url/>meta content5458589696790815336 itempropblogId/>meta content7230289463057910192 itemproppostId/>a name7230289463057910192>/a>h3 classpost-title entry-title itempropname>a hrefhttps://blog.ittoby.com/2017/06/automating-service-principal-setup-in.html>Automating Service Principal Setup in Azure Active Directory/a>/h3>div classpost-header>div classpost-header-line-1>/div>/div>div classpost-body entry-content idpost-body-7230289463057910192 itempropdescription articleBody> p>When automating tasks in Azure, youll often need a service principal. Setting these up using the UI feels like driving my car to the mailbox. Lets automate this. 
br> br> /p> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj85WfMuz8lax1ZFKO0w71mrqChZnlrMhmrz__esp4BOnmi3POI2z5heloZZRL23Gx9QBa3J97tKFGO1Xu9bgVC-pcbKVh4TFk3ypHHOT6cop7smSliK0ipZK2_2MwZwt9LqTpifMpS6bw/s1600/ed209CroppedMod.jpg imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 data-original-height255 data-original-width692 height235 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj85WfMuz8lax1ZFKO0w71mrqChZnlrMhmrz__esp4BOnmi3POI2z5heloZZRL23Gx9QBa3J97tKFGO1Xu9bgVC-pcbKVh4TFk3ypHHOT6cop7smSliK0ipZK2_2MwZwt9LqTpifMpS6bw/s640/ed209CroppedMod.jpg width640>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>The final product when we finish automating everything./td> /tr> /tbody> /table> br> h3>Terms Bingo/h3> br> Before getting into the article lets get a couple basic terms out of the way first:br> ul> li>strong>a target_blank hrefhttps://en.wikipedia.org/wiki/Active_Directory>Active Directory/a> (AD)/strong>: Microsofts on-premises solution for managing users, computers, etc. introduced in Windows 2000. /li> li>strong>a target_blank hrefhttps://docs.microsoft.com/en-us/azure/active-directory/active-directory-whatis>Azure Active Directory/a> (AAD)/strong>: Microsofts cloud solution for managing users, applications, and more. Hosted on Microsofts Azure platform, this can integrate with on-premises Active Directory if desired, but is not required. strong>br> /strong>/li> li>strong>(AAD) Tenant/strong>: An instance of Azure Active Directory for a customer is called a tenant. Most customers will have one tenant, but larger organizations may have multiple for varying reasons. 
/li> /ul> h3>strong>A Service Principal?/strong>/h3> br> In the Active Directory world, automated tasks are performed by a target_blank hrefhttps://technet.microsoft.com/en-us/library/dn617203%28vws.11%29.aspx>service accounts/a>, be they traditional dedicated accounts or (group) managed service accounts. The key to performing these tasks securely is to use a unique security principal for each task, to grant it only the access it needs to perform that task, and to monitor it proactively. br> br> Azure Active Directory does not have the concept of service accounts, but there is a functional equivalent: a target_blank hrefhttps://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects>Service Principals/a>. Service principals consist of: br> ul> li>strong>Azure Active Directory Registered Application: /strong>Registering an application in AAD is a way to then grant permissions (using a Service Principal) to that application within Azure and/or Azure Active Directory. This can be an application hosted in Azure, externally, or in our case, an automation task of another nature. An AAD registered application can also be used by other tenants (with a Service Principal on their side), but as we're talking about automating our own tasks that is outside the scope of this article. /li> li>strong>The Service Principal itself: /strong>The service principal is an association with an AAD Application that allows for granting of permissions within that tenant. In our case we'll be discussing AAD registered apps and service principals in a 1:1 ratio. 
/li> /ul> br> h3>Azure Entitlement Domains/h3> br> To facilitate the a target_blank hrefhttps://en.wikipedia.org/wiki/Principle_of_least_privilege>principle of least privilege/a>, we need to understand the a target_blank hrefhttps://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure>levels of granularity/a> by which permissions are assigned in Azure. Rights can be assigned at three levels: br> ul> li>strong>Subscription: /strong>One can grant a service principal, user, or other object access at an entire subscription level. There are very few cases where doing so would adhere to the principle of least privilege, so don't do this unless you have no option. /li> li>strong>Resource Group: /strong>A resource group is a logical grouping of Azure resources. Depending on how you split your resource groups, this is likely a common place to assign privileges. /li> li>strong>Object: /strong>Privileges can be assigned on a per-object basis as well, but managing security on a per-object basis is very complex and usually only done when absolutely necessary from a security perspective. 
/li> /ul> br> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBM4mpJGnqq_4_bB8dMuWTFAYeNDbdN3mXeak7C95suvmZeS_ShCofIPEUXbmDW0kDqju2WueheetVTR7I8jUacFxaaAdV0CKAkfr87ZTqCVG0mQZ2ahvO2iOyDQ3X0DK7a0oOjNYM1do/s1600/PaulBlart_2.jpg imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 data-original-height289 data-original-width667 height172 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBM4mpJGnqq_4_bB8dMuWTFAYeNDbdN3mXeak7C95suvmZeS_ShCofIPEUXbmDW0kDqju2WueheetVTR7I8jUacFxaaAdV0CKAkfr87ZTqCVG0mQZ2ahvO2iOyDQ3X0DK7a0oOjNYM1do/s400/PaulBlart_2.jpg width400>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>Sorry son, your RBAC doesnt give you access to the keyvault./td> /tr> /tbody> /table> h3>Usage Examples/h3> br> So when would we use a service principal? Here are a couple examples: br> br> ul> li>strong>Webjobs that interact with other resources: /strong>If you have a target_blank hrefhttps://docs.microsoft.com/en-us/azure/app-service-web/web-sites-create-web-jobs>webjobs/a> that interact with other resources in your subscription you may choose to use a service principal to access those resources. An excellent example of this is the a target_blank hrefhttps://www.siteextensions.net/packages/letsencrypt/>Lets Encrypt! web app extension/a>.br> /li> li>strong>Automated Tasks: /strong>Azure automation and/or external jobs running against Azure can leverage service principals to authenticate and perform their work. Code deployment platforms such as OctopusDeploy and VSTS are perfect examples. /li> /ul> br> h3>Let Us Do This/h3> h5>And by this I mean the point of the article./h5> br> To make quick work of this from an automation perspective, well make a quick PowerShell function we can re-use in other scripts. 
The main PowerShell cmdlets we'll be leveraging are: br> br> ul> li> a target_blank hrefhttps://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermadapplication>New-AzureRmADApplication/a>/li> li>a target_blank hrefhttps://docs.microsoft.com/en-us/powershell/module/azurerm.resources/new-azurermadserviceprincipal>New-AzureRMADServicePrincipal/a>/li> /ul> p>Just running these two commands is easy enough, but that's not all that useful from an automation perspective where we want to automate multiple operations that rely on the creation or existence of a service principal. To that end, we'll make a function that can accept a desired service principal name, check to see if it exists & create it if not. This function will output an object with all the necessary information for further use. We'll also generate a password if one isn't specified and report status regarding whether the service principal already existed or not. We'll return everything in an object so our scripts can take appropriate actions for all possible scenarios. /p> br> p>strong>Critical Note:/strong> The code below contains a reference to a function that is not included, so before copying/pasting please read at least the strong>Note/strong> sections in the code discussion below. /p> strong> Update 1/2018: /strong>AzureRM 5.0 cmdlets require a securestring for New-AzureRmADApplication whereas it was not supported previously. 
br> br> p>a target_blank hrefhttps://www.youtube.com/watch?vDqNG_SrSa4o>HERE COMES ANOTHER SCRIPT!/a>/p> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;>################################################################################# Register-AzureServicePrincipal# Given the correct input, does one of the following: # 1> checks for existence of application registration# 2> checks to see if the app is registered as a service principal# 3> if neither of those is true, creates the app and service principal# > outputs an object with all details possible. If the app already exists the # password will be null because we cant look it up. # INPUT: servicePrincipalName, the displayname of the desired App/ServicePrincipal and the desired password.# The password field is optional and if omitted a 30 character random password will be generated and returned. # OUTPUT: an object containing the following NoteProperties# > ClientID: the GUID representing the application ID# > ServicePrincipalID: the GUID representing the Service Principal association# > SPNNames: The service principal names of the SP# > ServicePrincipalPassword: A securestring of the Application Password. NOTE: This will be NULL if the app is already registered in AD as we cannot retrieve it.# > ServicePrincipalAlreadyExists: boolean to indicate if the sp already existed or not# USAGE NOTES: Assumes already logged into Azure with proper permissions and that the desired subscription is selected. Function Register-AzureServicePrincipal{ param( # The name for the service principal. We wont make this mandatory to allow for manual entry mode with guidance. Obviously it needs to be specified for automation. string$servicePrincipalName, # the password if you choose to specify it, otherwise the script will generate one for you. 
string$servicePrincipalPassword ) # Set the regex for the input validation on the SPN $SPNNamingStandard^--z{5,40}$ Write-Host Provisioning AzureAD App/Service Principal Write-Warning The account operating this script MUST have the role Subscription Admin or Owner in the desired subscription $ErrorActionPreference Stop # Error handing is not yet sufficient; try/catch the stuff below! if (!$servicePrincipalName){ do { Write-Host SPN naming standard is (in RegEx): $SPNNamingStandard $servicePrincipalNameRead-Host Service Principal Name not specified on startup; Please enter desired name or type GUID and press enter for a guid based random name if ($servicePrincipalName -eq GUID){ $guid(guid::NewGuid()).toString() $servicePrincipalNameSPN-$guid } } until ($servicePrincipalName -match $SPNNamingStandard) } # handle command line specification of GUID if ($servicePrincipalName -eq GUID){ $guid(guid::NewGuid()).toString() $servicePrincipalNameSPN-$guid } # set URL and IdentifierUris $homePage http:// + $servicePrincipalName $identifierUri $homePage Write-Host Desired Service Principal Name is $servicePrincipalName `n # Now we need to determine if 1> the Application exists and 2> if it has been registered as a service principal. This will guide our execution through the end of the function. $appExistsGet-AzureRmADApplication -DisplayNameStartWith $servicePrincipalName -ErrorAction SilentlyContinue # check for SPN only if app exists. SPN cant exist without app so no reason to check if not. if ($appExists){$spnExistsGet-AzureRmADServicePrincipal | Where-Object {$_.ApplicationId -eq $appExists.ApplicationId} -ErrorAction SilentlyContinue} # we only need a password if the app hasnt been created yet. if (!$appExists){ # Generate a password if needed if (!$servicePrincipalPassword){ $servicePrincipalPasswordNew-RandomPassword -passwordLength 40 } # NOTE! 
We had a convertto-securestring here but as it turns out new-azurermadapplication doesnt take a securestring, only a string # NOTEUPDATE! AzureRM 5.0 and higher requires a securestring (yay!) This has been updated but notes left here for reference. $servicePrincipalPasswordConvertTo-SecureString $servicePrincipalPassword -AsPlainText -Force } # we set this to NULL as a valid return as the appID already exists and we cant lookup the password from here else {$servicePrincipalPassword$null} # Create the App if it wasnt already if (!$appExists){ $azureADApplicationNew-AzureRmADApplication -DisplayName $servicePrincipalName -HomePage $homePage -IdentifierUris $identifierUri -Password $servicePrincipalPassword Write-Host Azure AAD Application creation completed successfully } # if it already exists well just redirect the variable else{$azureADApplication$appExists} $appID$azureADApplication.ApplicationId # Create new SPN if needed if (!$spnExists){ $spnNew-AzureRmADServicePrincipal -ApplicationId $appId Write-Host SPN creation completed successfully } else{$spn$spnExists} $spnNames$spn.ServicePrincipalNames # Create object to store information. 
$outputObjectNew-Object -TypeName PSObject $outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalName -Value $servicePrincipalName $outputObject | Add-Member -MemberType NoteProperty -Name ClientID -Value $appID $outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalID -Value $spn.Id $outputObject | Add-Member -MemberType NoteProperty -Name SPNNames -Value $spnNames $outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalPassword -Value $servicePrincipalPassword if ($appExists -and $spnexists){$outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalAlreadyExists -Value $true} else {$outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalAlreadyExists -Value $false} return $outputObject}################################################################################/code>/pre> br> h4>Discussion/h4> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> param( # The name for the service principal. string$servicePrincipalName, # the password if you choose to specify it, otherwise the script will generate one for you. string$servicePrincipalPassword )/code>/pre> p>This is where the input to the function is defined; as you'll see below the password is optional, but the servicePrincipalName is mandatory. I don't mark the parameter as mandatory in the parameter definition to facilitate interactive use of this script. Feel free to add em>mandatory$true /em>if desired. /p> p>While it would be logical to use em>securestring/em> for the servicePrincipalPassword, the PowerShell cmdlet we're going to use downstream only supports regular strings at this time. (As noted in the Update 1/2018 above, AzureRM 5.0 and later cmdlets require a securestring here, and the function body converts the password accordingly.) /p> p>/p> h5>A quick note on interactive vs. 
non-interactive scripts/h5> p>While the goal of automation should be running tasks headless, thus fully non-interactive, there are some scenarios where facilitating both non-interactive and interactive running can be very useful. In some cases when acting as a consultant I will allow for full non-interactive running of automation scripts so the customer can walk through each option guided once to understand the context of the options available to them. At the end of script execution, I echo out what the equivalent command line would be to the console if it were run entirely headless. This scenario does require a bit more control flow logic, mainly using an additional parameter to specify were in a headless scenario and error out quickly prior to execution when running in those scenarios. This also allows for use of code snippets (mainly functions) on a day-to-day basis as well as in dedicated automation framework. /p> br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> # Set the regex for the input validation on the SPN $SPNNamingStandard^--z{5,40}$ Write-Host Provisioning AzureAD App/Service Principal Write-Warning The account operating this script MUST have the role Subscription Admin or Owner in the desired subscription $ErrorActionPreference Stop # Error handing is not yet sufficient, try/catch the stuff below! 
if (!$servicePrincipalName){ do { Write-Host Write-Host SPN naming standard is (in RegEx): $SPNNamingStandard $servicePrincipalNameRead-Host Service Principal Name not specified on startup; Please enter desired name or type GUID and press enter for a guid based random name if ($servicePrincipalName -eq GUID){ $guid(guid::NewGuid()).toString() $servicePrincipalNameSPN-$guid } } until ($servicePrincipalName -match $SPNNamingStandard) }/code>/pre>$SPNNamingStandard and the following logic is if you want to use a RegEx to ensure interactive input is validated. Change this expression to meet your needs or return the entire section if you dont want to facilitate interactive running. Limited time bonus offer, a target_blank hrefhttps://regex101.com/>heres a link/a> to my favorite regular expression evaluation site!br> br> strong>Note/strong>: As the script warns, the credential used to create the Application ID/Service Principal must have the role Subscription Admin or Owner to perform the provisioning actions. br> br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> # handle command line specification of GUID if ($servicePrincipalName -eq GUID){ $guid(guid::NewGuid()).toString() $servicePrincipalNameSPN-$guid }/code>/pre>This little trick allows the specification of GUID (i.e. em>Register-AzureServicePrincipal -$servicePrincipalName GUID/em>) to tell our function to generate a GUID for the name. At the end you see Im pre-pending a SPN- to the GUID to ensure the programmatically generated ApplicationIDs/SPNs stand out. 
br> br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> # set URL and IdentifierUris $homePage http:// + $servicePrincipalName $identifierUri $homePage Write-Host Desired Service Principal Name is $servicePrincipalName `n/code>/pre> p>The HomePage and IdentifierUris settings for a service principal that we're using in the aforementioned capacity don't matter, but they do need to be set, so we base them on the SP name itself and move on. br> /p> strong> Update 1/2018: /strong>AzureRM 5.0 cmdlets require a securestring for New-AzureRmADApplication, whereas it was not supported previously. br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> # Now we need to determine if 1> the Application exisists and 2> if it has been registered as a service principal. This will guide our execution through the end of the function. $appExistsGet-AzureRmADApplication -DisplayNameStartWith $servicePrincipalName -ErrorAction SilentlyContinue # check for SPN only if app exists. SPN cant exist without app so no reason to check if not. if ($appExists){$spnExistsGet-AzureRmADServicePrincipal | Where-Object {$_.ApplicationId -eq $appExists.ApplicationId} -ErrorAction SilentlyContinue} # we only need a password if the app hasnt been created yet. if (!$appExists){ # Generate a password if needed if (!$servicePrincipalPassword){ $servicePrincipalPasswordNew-RandomPassword -passwordLength 40 } # NOTE! We had a convertto-securestring here but as it turns out new-azurermadapplication doesnt take a securestring, only a string # NOTEUPDATE! AzureRM 5.0 and higher requires a securestring (yay!) 
This has been updated but notes left here for reference. $servicePrincipalPasswordConvertTo-SecureString $servicePrincipalPassword -AsPlainText -Force } # we set this to NULL as a valid return as the appID already exists and we cant lookup the password from here else {$servicePrincipalPassword$null}/code>/pre> This code allows us to insert this function into a workstream regardless of whether the Application ID and service principal already exist. If they do, we get all the information we can but set the password to $null since we can't look it up. Note that the existence check uses -DisplayNameStartWith, which is a prefix match, so an application whose display name merely begins with the requested name would be treated as the existing one; tighten that comparison if your naming allows such overlaps. As you'll see below we also add another NoteProperty to inform the caller explicitly that the AppID/service principal already existed. br> br> strong>Note/strong>: This script block contains a reference to another function that I have not provided, em>New-RandomPassword/em>. You'll need to provide your own function that generates a password (drawing from a cryptographically strong random source) and call it here, or specify the desired password when calling the function explicitly. Perhaps I'll write another post in the future to cover generating a random password in PowerShell. 
br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> # Create the App if it wasnt already if (!$appExists){ $azureADApplicationNew-AzureRmADApplication -DisplayName $servicePrincipalName -HomePage $homePage -IdentifierUris $identifierUri -Password $servicePrincipalPassword Write-Host Azure AAD Application creation completed successfully } # if it already exists well just redirect the variable else{$azureADApplication$appExists} $appID$azureADApplication.ApplicationId # Create new SPN if needed if (!$spnExists){ $spnNew-AzureRmADServicePrincipal -ApplicationId $appId Write-Host SPN creation completed successfully } else{$spn$spnExists} $spnNames$spn.ServicePrincipalNames/code>/pre>Now we do the actual creation of the Application ID and service principal if necessary. Notice that if they already existed we set the downstream variables to relay to the user. This section could be improved with additional error handling if desired. br> br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;> # Create object to store information. 
$outputObjectNew-Object -TypeName PSObject $outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalName -Value $servicePrincipalName $outputObject | Add-Member -MemberType NoteProperty -Name ClientID -Value $appID $outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalID -Value $spn.Id $outputObject | Add-Member -MemberType NoteProperty -Name SPNNames -Value $spnNames $outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalPassword -Value $servicePrincipalPassword if ($appExists -and $spnexists){$outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalAlreadyExists -Value $true} else {$outputObject | Add-Member -MemberType NoteProperty -Name ServicePrincipalAlreadyExists -Value $false} return $outputObject/code>/pre>Now we'll create our output object. This gives us everything we might want to know (and probably more) for our consuming processes. Here's what our object looks like: br> ul> li>$output.ServicePrincipalName(Surprise!!!) The service principal name/li> li>$output.ClientIDThe client ID (appID) is one of the critical pieces of info for downstream applications. This is what you'll specify when authenticating later (think of it as your user ID). /li> li>$output.ServicePrincipalIDThe SP ID, though not used in any capacity directly that I've seen yet, short of programmatically referencing it when deleting, etc. /li> li>$output.SPNNamesThe reference names of the service principal. These would be used by third party apps, but in most cases I'm addressing with this article they'll go unused. /li> li>$output.ServicePrincipalPasswordKeep it secret! Keep it safe! This is a clear text copy of the password associated with this service principal. Obviously this is the other key piece of information you'll need as a takeaway. The prudent next step would be to check this into an Azure Key Vault or something similar, but that's for another article... 
/li> li>$output.ServicePrincipalAlreadyExistsem>$true/em> or em>$false/em>, this is also critical for downstream processing. If $false, the application and service principal were newly created and the password is contained in the object, meaning you'll need to capture and store/use it accordingly. If $true, the application already existed; you can look up the ID by name if needed, but you had better have the password stored somewhere else, as we can't look it up now. Either way you have two clear courses of action. While we could have relied on the password being $null, I added this property to definitively set it one way or the other to account for any unknown circumstances due to upstream changes down the road. /li> /ul> p>strong>Note/strong>: Make sure you store the password for the newly created service principal, as you strong>won't be able to retrieve it/strong> in the future. Also, make sure your session or variables are cleared after running, as the password exists in clear text in memory. /p> p>strong>Update/Note 2/strong>: By default, this password is only good strong>for one year/strong>, and will expire after that time, making it impossible to use the SPN. To manage the password on an existing object, you'll need to use the strong>Get/Remove/New-AzureAdApplicationPasswordCredential /strong>cmdlets in the strong>AzureAD/strong> module (not AzureRM). 
meta charsetutf-8> /p> br> p>/p> h3>Bringing it Home/h3> br> Now that we've created the function, let's use it to create a principal and give it access to a resource group: br> pre stylebackground: #f0f0f0; border: 1px dashed #CCCCCC; color: black; font-family: arial; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding: 0px; text-align: left; width: 99%;>codestylecolor: black; word-wrap: normal;>$spnOutputRegister-AzureServicePrincipal -servicePrincipalName <myPrincipalName> -servicePrincipalPassword <myPassword>New-AzureRmRoleAssignment -ObjectId ($spnOutput.ServicePrincipalID.toString()) -RoleDefinitionName Contributor -ResourceGroupName <myResourceGroup>/code>/pre>This will use our function to create a service principal and give it Contributor level access to <myResourceGroup>. If you pass the password on the command line as shown, remember that it will also be recorded in your shell history and in any transcript, so clear those as well. If you have multiple environments in your subscription you should create a principal for each and restrict its access to the resource group(s) associated with that environment. I also recommend splitting production into a separate subscription; the full reasoning behind that is a story for another article...br> br> h3>Did it Work? br> /h3> br> If you would like to manually check your work, you can find it in the a target_blank hrefhttps://portal.azure.com/>Azure portal/a> by navigating to the hamburger menu -> More Services -> Azure Active Directory -> App Registrations. 
br> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhocv7rCNxZehK8FazFQQX8NLH0iKJ5Jh7O47u3aUPi0LXH6yWi3dQQGDAuDteCCJlMWuf6Zg2gzjgyikLh0wpTbsfnMnTYIVHTD4euL1efDI9hoo_C3-uM7rQB4Hwjwcs2YdH_MTC6Ews/s1600/Screen+Shot+2017-06-23+at+4.19.15+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 data-original-height740 data-original-width1248 height235 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhocv7rCNxZehK8FazFQQX8NLH0iKJ5Jh7O47u3aUPi0LXH6yWi3dQQGDAuDteCCJlMWuf6Zg2gzjgyikLh0wpTbsfnMnTYIVHTD4euL1efDI9hoo_C3-uM7rQB4Hwjwcs2YdH_MTC6Ews/s400/Screen+Shot+2017-06-23+at+4.19.15+PM.png width400>/a>/div> div classseparator styleclear: both; text-align: center;> /div> br> br> There you should see your newly created app. br> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdsixo90o6YQk7Bk2UB5Kz39lw747IZVmdvfFmi70ZHdAzepu5OOrjeoPfi_4tQhheCj5Rsvg-0Fc-u4nmtnSqYhyphenhyphen10gANtZzxpxhEANwAOCcQ78uN30PovyjfKCcIh0SZ_y849ilZbzY/s1600/Screen+Shot+2017-06-23+at+4.23.15+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 data-original-height786 data-original-width1470 height213 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdsixo90o6YQk7Bk2UB5Kz39lw747IZVmdvfFmi70ZHdAzepu5OOrjeoPfi_4tQhheCj5Rsvg-0Fc-u4nmtnSqYhyphenhyphen10gANtZzxpxhEANwAOCcQ78uN30PovyjfKCcIh0SZ_y849ilZbzY/s400/Screen+Shot+2017-06-23+at+4.23.15+PM.png width400>/a>/div> br> You can also check the role based access controls on your resource group or whatever object you applied the permissions to. 
br> br> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhEDphGAsB0zLf3P4qzMgc_6lDf2tbTDK44TckM3QS_sjrV3iJglBCFMWgwQk-05oQe5j_ZvgfXmGzjlIn7m8x7AQnayI67J7MEGEvjzcMZ7NuDWev5Fd0XsWq3g6hkzsvTnuoVK7YxQ/s1600/Screen+Shot+2017-06-23+at+4.35.06+PM.png imageanchor1 stylemargin-left: auto; margin-right: auto;>img border0 data-original-height904 data-original-width1328 height271 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhDhEDphGAsB0zLf3P4qzMgc_6lDf2tbTDK44TckM3QS_sjrV3iJglBCFMWgwQk-05oQe5j_ZvgfXmGzjlIn7m8x7AQnayI67J7MEGEvjzcMZ7NuDWev5Fd0XsWq3g6hkzsvTnuoVK7YxQ/s400/Screen+Shot+2017-06-23+at+4.35.06+PM.png width400>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>Only the chosen shall access Nachos Deathstar./td> /tr> /tbody> /table> br> br> h3>In Conclusion/h3> br> The Azure model of auth/auth management is sound, but adherence to long standing security design principles requires a bit of effort. Hopefully this article will assist you in doing so. Please leave any comments/criticism/coffee donations below. 
br> p>/p> br> h3>References/h3> p>a target_blank hrefhttps://docs.microsoft.com/en-us/azure/active-directory/develop/active-directory-application-objects>Microsoft: Application and service principal objects in Azure Active Directory (Great article on the differences between an AppID vs a service principal)/a>/p> p>a target_blank hrefhttps://docs.microsoft.com/en-us/azure/active-directory/role-based-access-control-configure>Microsoft: Role based access in Azure/a>/p>div styleclear: both;>/div>/div>div classpost-footer>div classpost-footer-line post-footer-line-1>span classpost-author vcard>Posted byspan classfn itempropauthor itemscopeitemscope itemtypehttp://schema.org/Person>meta contenthttps://www.blogger.com/profile/11479868060801724272 itempropurl/>a classg-profile hrefhttps://www.blogger.com/profile/11479868060801724272 relauthor titleauthor profile>span itempropname>Toby Meyer/span>/a>/span>/span>span classpost-timestamp>atmeta contenthttps://blog.ittoby.com/2017/06/automating-service-principal-setup-in.html itempropurl/>a classtimestamp-link hrefhttps://blog.ittoby.com/2017/06/automating-service-principal-setup-in.html relbookmark titlepermanent link>abbr classpublished itempropdatePublished title2017-06-23T21:02:00-05:00>9:02 PM/abbr>/a>/span>span classpost-comment-link>a classcomment-link hrefhttps://www.blogger.com/comment/fullpage/post/5458589696790815336/7230289463057910192 onclick>3 comments: /a>/span>span classpost-icons>span classitem-control blog-admin pid-649803412>a hrefhttps://www.blogger.com/post-edit.g?blogID5458589696790815336&postID7230289463057910192&frompencil titleEdit Post>img alt classicon-action height18 srchttps://resources.blogblog.com/img/icon18_edit_allbkg.gif width18/>/a>/span>/span>div classpost-share-buttons goog-inline-block>a classgoog-inline-block share-button sb-email hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID7230289463057910192&targetemail target_blank titleEmail This>span 
classshare-button-link-text>Email This/span>/a>a classgoog-inline-block share-button sb-blog hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID7230289463057910192&targetblog onclickwindow.open(this.href, _blank, height270,width475); return false; target_blank titleBlogThis!>span classshare-button-link-text>BlogThis!/span>/a>a classgoog-inline-block share-button sb-twitter hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID7230289463057910192&targettwitter target_blank titleShare to Twitter>span classshare-button-link-text>Share to Twitter/span>/a>a classgoog-inline-block share-button sb-facebook hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID7230289463057910192&targetfacebook onclickwindow.open(this.href, _blank, height430,width640); return false; target_blank titleShare to Facebook>span classshare-button-link-text>Share to Facebook/span>/a>a classgoog-inline-block share-button sb-pinterest hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID7230289463057910192&targetpinterest target_blank titleShare to Pinterest>span classshare-button-link-text>Share to Pinterest/span>/a>/div>/div>div classpost-footer-line post-footer-line-2>span classpost-labels>Labels:a hrefhttps://blog.ittoby.com/search/label/automation reltag>automation/a>,a hrefhttps://blog.ittoby.com/search/label/Azure reltag>Azure/a>,a hrefhttps://blog.ittoby.com/search/label/Powershell reltag>Powershell/a>,a hrefhttps://blog.ittoby.com/search/label/Security reltag>Security/a>/span>/div>div classpost-footer-line post-footer-line-3>span classpost-location>/span>/div>/div>/div>/div> /div>/div> div classdate-outer> h2 classdate-header>span>Sunday, February 5, 2017/span>/h2> div classdate-posts> div classpost-outer>div classpost hentry uncustomized-post-template itempropblogPost itemscopeitemscope itemtypehttp://schema.org/BlogPosting>meta 
contenthttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyJGVldOWpLct0AYi0T56nVlI8f7bPjcVjiNsDYjvR_cHrkyb2-yQptydvzkid1sdO3bGApT1Lwn5tpbdR6HMGYP7QNkQmSOBZmXQdSfYizPsYn0rhoGvYoCzXAJXrU9B0VEl4AVuF6ms/s400/sothere.jpg itempropimage_url/>meta content5458589696790815336 itempropblogId/>meta content1813181033650471417 itemproppostId/>a name1813181033650471417>/a>h3 classpost-title entry-title itempropname>a hrefhttps://blog.ittoby.com/2017/02/hyperv-live-migration-changes-in.html>HyperV Live Migration Changes in Windows Server 2016/a>/h3>div classpost-header>div classpost-header-line-1>/div>/div>div classpost-body entry-content idpost-body-1813181033650471417 itempropdescription articleBody>p> /p> p>After upgrading my lab servers to Windows Server 2016, I had an “interesting” (ask a Minnesotan what that means) weekend troubleshooting Hyper-V Live Migration, finally finding that there has been a major change in the way virtual machine migration works, and a couple gotchas. In an effort to save others the same trouble, I’ll discuss them here. 
/p> table classtr-caption-container styletext-align: center; margin-left: auto; margin-right: auto cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center>a stylemargin-left: auto; margin-right: auto hrefhttps://www.flickr.com/photos/141305295@N05/28181996014/ imageanchor1>img border0 height265 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgyJGVldOWpLct0AYi0T56nVlI8f7bPjcVjiNsDYjvR_cHrkyb2-yQptydvzkid1sdO3bGApT1Lwn5tpbdR6HMGYP7QNkQmSOBZmXQdSfYizPsYn0rhoGvYoCzXAJXrU9B0VEl4AVuF6ms/s400/sothere.jpg width400>/a>/td>/tr> tr> td classtr-caption styletext-align: center>Image From a hrefhttps://www.flickr.com/photos/141305295@N05/28181996014/>Polarstein on Flickr/a>/td>/tr>/tbody>/table> div classseparator styletext-align: center; clear: both>/div>br> h3>Kerberos Constrained Delegation, 0x8009030E, and You(r Network Service Account)/h3> p>“em>No credentials are available in the security package/em>”, Event ID 20306. Under previous circumstances, this would have indicated that you didn’t have constrained delegation set up correctly as outlined in numerous other articles on the internet, but due to an underlying change the correct configuration is now different. /p> p>Previously, failover would be set up as outlined in articles such as a hrefhttps://blogs.technet.microsoft.com/matthts/2012/06/10/configuring-kerberos-constrained-delegation-for-hyper-v-management/>this/a>, with each HyperV host set up to allow constrained delegation over the Kerberos protocol only. 
/p> p> div classseparator styletext-align: center; clear: both>a stylemargin-left: 1em; margin-right: 1em hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuDle3OluLzIBLpm0BjmTLsBRpYo1u-z846fG2tuhM9bbdU4JKl-dkrl59WSHyqRI34Pc5bqlCMKfIpN0I5RiGz6fDoXvnZ3Yt0Vsq3XizO0aEK5qetUqGTDn9TyzlGC96AzlRDZude1g/s1600/2017-02-04+23_56_05-Active+Directory+Users+and+Computers.png imageanchor1>img border0 height400 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuDle3OluLzIBLpm0BjmTLsBRpYo1u-z846fG2tuhM9bbdU4JKl-dkrl59WSHyqRI34Pc5bqlCMKfIpN0I5RiGz6fDoXvnZ3Yt0Vsq3XizO0aEK5qetUqGTDn9TyzlGC96AzlRDZude1g/s400/2017-02-04+23_56_05-Active+Directory+Users+and+Computers.png width343>/a>/div>br> p>Starting in server 2016, the delegation must be set up to allow delegation over strong>any /strong>protocol as displayed here: /p> p> div classseparator styletext-align: center; clear: both>a stylemargin-left: 1em; margin-right: 1em hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVnrQwbhaVSkBQuG8dfeHBiqfjeC3b52VWfLOhC_5yse7BzuGHbFj97ae6XBggBo9i_UCF9k3Ni_LsgDBoXX-1x9mBdHCz78V-9F1hmbxGX-lUJTiM3sJ90nTmscoCIA2kbD2GTVNugu0/s1600/2017-02-04+23_56_32-KERMIT+Properties.png imageanchor1>img border0 height400 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiVnrQwbhaVSkBQuG8dfeHBiqfjeC3b52VWfLOhC_5yse7BzuGHbFj97ae6XBggBo9i_UCF9k3Ni_LsgDBoXX-1x9mBdHCz78V-9F1hmbxGX-lUJTiM3sJ90nTmscoCIA2kbD2GTVNugu0/s400/2017-02-04+23_56_32-KERMIT+Properties.png width343>/a>/div>br> p>The reason for this is that 2016 has changed the a hrefhttps://msdn.microsoft.com/en-us/library/cc136992(vvs.85).aspx>WMI provider/a> used to a a hrefhttps://msdn.microsoft.com/en-us/library/hh850319(vvs.85).aspx>new version/a>, which relies on a hrefhttps://msdn.microsoft.com/en-us/library/aa384426(vvs.85).aspx>WinRM/a> to execute remote procedures rather than DCOM. WinRM, running as the Network Service, cannot access the Kerberos service ticket obtained to perform the action. 
By allowing any protocol, a “a hrefhttps://blogs.msdn.microsoft.com/winsdk/2015/08/28/logon-as-a-user-without-a-password/>S4U/a>” logon is sufficient to authenticate the request. While this setting is somewhat less secure, the point is made by the Team PM (published a few days ago, link below) that sensitive (privileged) accounts in any domain should have the “a hrefhttps://blogs.technet.microsoft.com/poshchap/2015/05/01/security-focus-analysing-account-is-sensitive-and-cannot-be-delegated-for-privileged-accounts/>Account is sensitive and cannot be delegated/a>” flag enabled to mitigate delegation risk./p> h3>NIC Teaming, 0x8007274C/0x80072741, and You(r Service Startup Problem)/h3> p>This may impact 2012/R2 as well, though for some reason it only bit me on 2016. If using a hrefhttps://technet.microsoft.com/en-us/windows-server-docs/networking/technologies/nic-teaming/nic-teaming>NIC teaming/a> on your host for your failover network, the interface may not be available when the Virtual Machine Management Service (VMMS) attempts to start on bootup. This condition will result in the service not opening the port (6600) on the server, which makes it impossible to failover virtual machines. To fix this, change the service startup type from “em>Automatic/em>” to “em>Automatic(Delayed Start)/em>”. With PowerShell as our weapon of choice (hey nano server!) 
this is a two-step process: /p>pre stylefont-size: 12px; overflow: auto; border-top: #cccccc 1px dashed; height: auto; font-family: arial; border-right: #cccccc 1px dashed; width: 99%; background: #f0f0f0; border-bottom: #cccccc 1px dashed; color: black; padding-bottom: 0px; text-align: left; padding-top: 0px; padding-left: 0px; border-left: #cccccc 1px dashed; line-height: 20px; padding-right: 0px>code styleword-wrap: normal; color: black>Set-Service –Name vmms –StartupType AutomaticSet-ItemProperty -Path Registry::HKLM\System\CurrentControlSet\Services\vmms -Name DelayedAutoStart -Value 1 -Type DWORD/code>/pre>p>The service type should already be automatic, but we’ll re-assert that here to be sure. This will only delay service (and thus VM) startup by a small bit, but ensure that the adapter is available when it does. /p>h3>EventID 21024, Failed at Migration Source, and You(r Crazy, Still Unexplained Error)/h3>p>This is an odd one I can’t fully explain, but I’m including it in the hopes it may save others some time. On 2 of the 3 hosts, I had the following error preventing live migration after full 2016 setup: /p>p>em>Virtual machine migration operation for VMNAME failed at migration source VMHOST. (Virtual machine ID GUID-GOES-HERE)/em>/p>p>This error message was not accompanied by any supporting information whatsoever. After numerous network captures and log combing, I found evidence of something slightly off with domain membership. In both cases the host was able to process group policy for the computer object, but never for any logged on users. This led me to attempt strong>leaving and re-joining the domain/strong>, which in all cases remediated the problem. Note that when doing so you will need to delete the computer account prior to re-joining, then set up the constrained delegation as outlined above for each host again. /p>p>I wish I had more information about the root cause of this issue, but with it fixed I’m moving on. 
/p>h3>In Closing/h3>p>The upgrades to my lab didn’t go as smoothly as I would like, but I’m glad to have these issues out of the way to make for smoother efforts with production efforts. Hopefully this information will help you as well!/p>h3>Additional References/h3>p>a hrefhttps://blogs.technet.microsoft.com/virtualization/2017/02/01/live-migration-via-constrained-delegation-with-kerberos-in-windows-server-2016/>Microsoft Virtualization Blog: Live Migration via Constrained Delegation with Kerberos in Windows Server 2016/a>/p>p>a hrefhttps://blogs.technet.microsoft.com/roplatforms/2012/10/16/shared-nothing-migration-fails-0x8007274c/>Microsoft GTCS Romania EPS: Shared Nothing Migration Fails/a>/p>p>a hrefhttps://blogs.msdn.microsoft.com/canberrapfe/2012/01/01/kerberos-troubleshooting/>Canberra PFE Team Blog: Kerberos Troubleshooting/a>/p>p>a hrefhttps://www.youtube.com/watch?vSkgTxQm9DWM>Nyan Cat: 10 Hours 4k UHD For Endless Kerberos Packet Caps and Analysis!/a>/p>div styleclear: both;>/div>/div>div classpost-footer>div classpost-footer-line post-footer-line-1>span classpost-author vcard>Posted byspan classfn itempropauthor itemscopeitemscope itemtypehttp://schema.org/Person>meta contenthttps://www.blogger.com/profile/11479868060801724272 itempropurl/>a classg-profile hrefhttps://www.blogger.com/profile/11479868060801724272 relauthor titleauthor profile>span itempropname>Toby Meyer/span>/a>/span>/span>span classpost-timestamp>atmeta contenthttps://blog.ittoby.com/2017/02/hyperv-live-migration-changes-in.html itempropurl/>a classtimestamp-link hrefhttps://blog.ittoby.com/2017/02/hyperv-live-migration-changes-in.html relbookmark titlepermanent link>abbr classpublished itempropdatePublished title2017-02-05T11:39:00-06:00>11:39 AM/abbr>/a>/span>span classpost-comment-link>a classcomment-link hrefhttps://www.blogger.com/comment/fullpage/post/5458589696790815336/1813181033650471417 onclick>2 comments: /a>/span>span classpost-icons>span classitem-control blog-admin 
hrefhttps://blog.ittoby.com/search/label/Widows%202012 reltag>Widows 2012/a>,a hrefhttps://blog.ittoby.com/search/label/Windows%202016 reltag>Windows 2016/a>/span>/div>div classpost-footer-line post-footer-line-3>span classpost-location>/span>/div>/div>/div>/div> /div>/div> div classdate-outer> h2 classdate-header>span>Thursday, October 27, 2016/span>/h2> div classdate-posts> div classpost-outer>div classpost hentry uncustomized-post-template itempropblogPost itemscopeitemscope itemtypehttp://schema.org/BlogPosting>meta contenthttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaQyca3bcqGEO_Qbhk1Y8ndZpAuwj9Qvyrt7JAgbk_pSl48JzenxLkluXkb0igmPPHPh6xpddw0Wcuw2nIUmOTaXTxWP_CT2QX4DQC3e8fkNVTPjoLbWrT1MhDyiLRX0rA2thIJsegPgE/s640/tunnel.jpg itempropimage_url/>meta content5458589696790815336 itempropblogId/>meta content4169875558764263356 itemproppostId/>a name4169875558764263356>/a>h3 classpost-title entry-title itempropname>a hrefhttps://blog.ittoby.com/2016/10/tunnel-to-cloud-pfsense-to-azure-site.html>Tunnel to the Cloud: Azure Site to Site IPsec Connection/a>/h3>div classpost-header>div classpost-header-line-1>/div>/div>div classpost-body entry-content idpost-body-4169875558764263356 itempropdescription articleBody> p>Do you have multi-continent datacenters with gobs of bandwidth, IOps, and processing capability? No? I can help get you part of the way there... a network presence in one. 
br> br> /p> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaQyca3bcqGEO_Qbhk1Y8ndZpAuwj9Qvyrt7JAgbk_pSl48JzenxLkluXkb0igmPPHPh6xpddw0Wcuw2nIUmOTaXTxWP_CT2QX4DQC3e8fkNVTPjoLbWrT1MhDyiLRX0rA2thIJsegPgE/s1600/tunnel.jpg imageanchor1 stylemargin-left: auto; margin-right: auto;>img border0 height248 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjaQyca3bcqGEO_Qbhk1Y8ndZpAuwj9Qvyrt7JAgbk_pSl48JzenxLkluXkb0igmPPHPh6xpddw0Wcuw2nIUmOTaXTxWP_CT2QX4DQC3e8fkNVTPjoLbWrT1MhDyiLRX0rA2thIJsegPgE/s640/tunnel.jpg width640>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>A tunnel./td> /tr> /tbody> /table> br> h3>A Site to Site Connection?/h3> br> It's easier to think of this as an extension of your network into another datacenter over the internet. Using a target_blank hrefhttps://en.wikipedia.org/wiki/IPsec>IPsec/a> we can provide a relatively (comments at the end) secure, direct connection between an on-premises datacenter and a target_blank hrefhttps://portal.azure.com>Azure/a> hosted resources by encrypting the traffic that flows between the two. What do I mean by: br> ul> li>strong>Secure: /strong>IPsec tunnels all your traffic so it is encrypted over the internet; in reality, this is "more secure" rather than definitively secure, as the effective security depends heavily on implementation specifics (the chosen algorithms, key lengths and authentication settings discussed below). /li> li>strong>Direct: /strong>Your router (played by pfSense in this case) will recognize the Azure site as another routable network within the boundaries of your own, enabling you to talk to Azure resources as if they were in your own datacenter. 
/li> /ul> p>While Ill be using pfSense for the initiator side as it exposes the options in the most clear way Ive found, this article will also bestrong> useful for non-pfSense /strong>devices since we discuss the details of the IPsec tunnel; the information here should be applicable to any IPsec solution. strong>Update 1/2017/strong>: Ive personally tested on various Cisco, Sonicwall, and pFsense equipment, and Microsoft has added some great documentation about overall device support a hrefhttps://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices>here/a>. /p> p>Note: this works for Amazon Web Services (a target_blank hrefhttps://aws.amazon.com/>AWS/a>) as well but is slightly more complex. Fortunately pfSense includes a a target_blank hrefhttps://forum.pfsense.org/index.php?topic81113.0>wizard/a> that works, but takes a lot of the fun out of it as it strips you of understanding how it works. In addition the wizard is necessary because of how Amazon does a target_blank hrefhttps://en.wikipedia.org/wiki/Amazon_Virtual_Private_Cloud>VPC/a> routing, whereas Azure is a bit more straightforward./p> With that, lets get to it! br> h3>Pre-Requisites/h3> ul> li>strong>pfSense firewall(s)/strong>: The steps in this article were performed on a pair of HA SG-4860 firewalls running pfSense 2.32p1./li> li>strong>Microsoft Azure account/strong> with adequate permissions: Well be performing our actions using the new a hrefhttps://portal.azure.com>portal/a> based on strong>Azure Resource Manager/strong> (a hrefhttp://rickrainey.com/2016/01/19/an-introduction-to-the-azure-resource-manager-arm/>ARM/a> or AzureRM). 
/li> li>strong>AzureRM PowerShell Cmdlets installed/strong>: On Win10/Server 2016 this can be accomplished with em>Install-Module AzureRM; /em>for more info see a hrefhttps://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/>this post/a>./li> /ul> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtX0h_YQTYXfvi85Mo3bhS-QHa9ztD1CGboswHqexBIn0LP9ffkcuoLGTEUiU3TNa7bQOTBF_kaoesKKAjma-_FPcg4X_8hAzbFxWC9H3Tqx7qsNQZLp1FV2OPpJAwNBERtwCsjq8Cm5g/s1600/2016-10-03+13_11_43-Administrator_+Windows+PowerShell.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height187 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtX0h_YQTYXfvi85Mo3bhS-QHa9ztD1CGboswHqexBIn0LP9ffkcuoLGTEUiU3TNa7bQOTBF_kaoesKKAjma-_FPcg4X_8hAzbFxWC9H3Tqx7qsNQZLp1FV2OPpJAwNBERtwCsjq8Cm5g/s640/2016-10-03+13_11_43-Administrator_+Windows+PowerShell.png width640>/a>/div> br> h3>Configure Azure IPSec Endpoint/h3> Before we set up and initiate the connection from pfSense, we need to set up our endpoint in Azure. To do so, well create the following objects: br> ul> li>A Resource Group/li> li>A Public IP Address/li> li>A Virtual Network/li> li>A Gateway Subnet/li> li>A Virtual Network Gateway/li> li>A Local Network Gateway with a Connection/li> /ul> h4>Resource Group/h4> A em>Resource Group/em> is a logical grouping of Azure em>Resources/em>. This logical group allows for easy organization and clearer billing reports. We wont get too much into concepts and naming standards here other than to say groups should be logically tied with similar lifecycle expectancies and you should be strong>consistent/strong>. For more information, see a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/resource-group-overview/#resource-groups>this Azure article/a>. 
br> br> strong>Note/strong>: Well be doing most of our steps in the web portal, but this whole process is much more efficient with PowerShell. br> br> Lets go!br> ol> li>Open and log into the ARM Azure Portal at a target_blank hrefhttps://portal.azure.com>portal.azure.com/a>; ensure youre working with the a target_blank hrefhttps://channel9.msdn.com/Events/Ignite/2015/BRK2454>subscription/a> you intend to use. /li> li>Navigate to em>Resource Groups/em>./li> li>Click em>Add/em> and type a name for your resource group, select the subscription, and resource group location. Note: The resource group location has no bearing on where youll be connecting to as its just a location the metadata is stored. /li> li>Click em>Save/em>./li> /ol> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglmpARoV2lakHTSxtTyQe8Uj-DXFuFnvJBwnT7bwg8d7towlpL3tS8CKgaAlG7MOyvg_DA7e3Wt2M4jp6uBWj-RIqKMu2IH_uoUCkvT_iO4WxSga3NIglTjf1BS3ZXlmW11-rznIAoFCI/s1600/Screen+Shot+2016-10-08+at+10.22.54+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height206 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglmpARoV2lakHTSxtTyQe8Uj-DXFuFnvJBwnT7bwg8d7towlpL3tS8CKgaAlG7MOyvg_DA7e3Wt2M4jp6uBWj-RIqKMu2IH_uoUCkvT_iO4WxSga3NIglTjf1BS3ZXlmW11-rznIAoFCI/s320/Screen+Shot+2016-10-08+at+10.22.54+PM.png width320>/a>/div> br> br> ol> /ol> h4>Public IP Address/h4> While we could do the IP at the time we make the Virtual Network Gateway, well take care of it now to ensure its provisioned prior to getting to that step and to discuss the IP details. br> ol> li>Navigate to em>Public IP addresses./em>/li> li>Click em>Add/em> and populate the following: /li> ul> li>em>Name/em>: Select a name leveraging consistent naming standards. /li> li>em>IP address/em> em>assignment/em>: Select em>Dynamic/em>. I know what youre saying.. 
youre saying but Toby, Im not saying anything, and what Im saying is it seems this should be static. Unfortunately if we make a static IP well be greeted later with the following: br> br> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqiV_t9-m86yBYqENck5pkB_9YW2GMRmshlGdlE_CnTcQd7llGnZYKAAmzsh3TQ_92Yq-GecBzDYVi8vSQfCdxdcgp4Eycm5WdBCAw_txK7Y1RJvLQudSvMbOxRxBhPHEK4wmIU2jUuOM/s1600/2016-10-25+21_45_56-Window.png imageanchor1 stylemargin-left: auto; margin-right: auto;>img border0 height93 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqiV_t9-m86yBYqENck5pkB_9YW2GMRmshlGdlE_CnTcQd7llGnZYKAAmzsh3TQ_92Yq-GecBzDYVi8vSQfCdxdcgp4Eycm5WdBCAw_txK7Y1RJvLQudSvMbOxRxBhPHEK4wmIU2jUuOM/s400/2016-10-25+21_45_56-Window.png width400>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>Why Azure, WHY?!/td> /tr> /tbody> /table> br> Now Ive been running a tunnel straight for almost a month thus far and my dynamic IP has not shifted on me; I suspect it will behave the same as IPs for other resources and stay static so long as it is used. If this does change, youll need to change the info in the Phase 1 and 2 setup of the tunnel on the pfSense side as outlined below. For the record, as of the writing of this article the pricing of IPs in Azure is a bit odd; dynamic IPs and static IPs beyond the first 5 in any region are charged the same (pretty trivial), while the first 5 static in a region are free. See a target_blank hrefhttps://azure.microsoft.com/en-us/pricing/details/ip-addresses/>here/a> for more info./li> li>em>Idle Timeout/em>: The default of 4 minutes should be fine here. /li> li>em>DNS Name Label/em>: Optionally, specify a DNS alias here, though we will not reference it again in this guide as Im not addressing DNS issues associated with IPsec at this time. 
/li> li>em>Subscription/em>: Select your subscription./li> li>em>Resource Group/em>: Click the resource group we created in the last step. /li> li>em>Location/em>: The IP is our IPsec target, so select a location close to your local network connection. The a target_blank hrefhttp://azurespeedtest.azurewebsites.net/>Azure Speed Test/a> comes in quite handy here./li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9AXW13Q7XcLRrqX9_4St7uhUY7KJ0Johp9vnFgQ2_OHBLIM47hmmMO_VNmfkEXTCraJSXbrrULKHrqhkQJZ23ijE5WwE2aTZmxcQPLlrz95BjGd7e2D4zmFafQ5SOsIcdFhovuHT9Q78/s1600/2016-10-25+21_48_47-Jump+List+for+File+Explorer.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height640 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh9AXW13Q7XcLRrqX9_4St7uhUY7KJ0Johp9vnFgQ2_OHBLIM47hmmMO_VNmfkEXTCraJSXbrrULKHrqhkQJZ23ijE5WwE2aTZmxcQPLlrz95BjGd7e2D4zmFafQ5SOsIcdFhovuHT9Q78/s640/2016-10-25+21_48_47-Jump+List+for+File+Explorer.png width508>/a>/div> br> /ul> li>Click em>Create/em>. This provisioning will take a few minutes minutes as Azure re-arranges its a target_blank hrefhttps://en.wikipedia.org/wiki/Software-defined_networking>SDN/a> infrastructure to give you an IP. 
/li> br> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhultiR1KJXLhyphenhyphencHTI-h_BWBvZaIlTrOjJ08zg-4c_PnPP7Gx1dWZO9Yvipry0WTzfLegC04gvJ4V8AFhQaTMx34YJk395-n2ZwQ_Ymq8TGmvHlB4B4Uok4vplh_b-i6Sb1_JyfGjGd1Es/s1600/Screen+Shot+2016-10-25+at+9.29.23+AM.png imageanchor1 stylemargin-left: auto; margin-right: auto;>img border0 height67 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhultiR1KJXLhyphenhyphencHTI-h_BWBvZaIlTrOjJ08zg-4c_PnPP7Gx1dWZO9Yvipry0WTzfLegC04gvJ4V8AFhQaTMx34YJk395-n2ZwQ_Ymq8TGmvHlB4B4Uok4vplh_b-i6Sb1_JyfGjGd1Es/s400/Screen+Shot+2016-10-25+at+9.29.23+AM.png width400>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>What a successful deployment looks like!/td> /tr> /tbody> /table> br> /ol> h4>Virtual Network/Subnet/Gateway Subnet/h4> A em>a hrefhttps://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/>Virtual Network/a>/em> is a network space within Azure that you can carve up and protect (firewall) to suit your needs. Were required to make one subnet, and well create our gateway subnet (landing point) as well. If this is your first foray into virtual networks on Azure you may want to take a step back and a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/virtual-network-vnet-plan-design-arm/>consider your design/a> before proceeding. Oh, youre back already? Lets go. br> ol> li>Navigate to em>Virtual Networks/em>. 
/li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4YHFCZtWMMV0V9Cl6sUyH_L5V6hupjOHFhqNOCuwhpV0x7qGOVGy-zvfjNXXVP7nSCYZNX-MzAsTszQ2eiEt6rATAoXykMhuRDJ3xwl5wfS9MQPzJ0IVR4Ikuzwfnst2_Wh1Iub2Z9JQ/s1600/Screen+Shot+2016-10-08+at+10.25.29+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height80 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg4YHFCZtWMMV0V9Cl6sUyH_L5V6hupjOHFhqNOCuwhpV0x7qGOVGy-zvfjNXXVP7nSCYZNX-MzAsTszQ2eiEt6rATAoXykMhuRDJ3xwl5wfS9MQPzJ0IVR4Ikuzwfnst2_Wh1Iub2Z9JQ/s320/Screen+Shot+2016-10-08+at+10.25.29+PM.png width320>/a>/div> br> li>Click em>Add/em> and supply the following: /li> ol> /ol> ul> li>em>Name/em>: Type a name for your Virtual Network; you should follow the naming standards as discussed above./li> li>em>Address Space/em>: This is the overall space for your logical network within Azure. You can create more granular subnets within this space at any time, so erring on the side of a large subnet would be wise. If youre unsure, use 10.1.0.0/16./li> li>em>Subnet Name/em>: Youre required to create one subnet within your virtual network off the bat. You need to name it here and ensure you use a consistent and meaningful naming standard. /li> li>em>Subnet Address Range/em>: Specify a subnet range within your virtual network. This wont be used by our IPsec connection directly, but we will use it later as a target for testing. If unsure, use 10.1.10.0/24. /li> li>em>Subscription/em>: Select your desired subscription. /li> li>em>Resource Group/em>: Select Use Existing and select the resource group we created earlier. /li> li>em>Location/em>: Select the same location used for the IP above. 
/li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDpY3CrV6Tcq9-sEIFkzXwNAAwoDiqPeOgltym4WZ4-DDNYP9M3YXULJmpN71bg4oER06Ux65skAgEosmBSLw4XQ8saREWAfyeYX7lY4PtX4Eb3xCd4OBZM5-yCRBp8gFHUjLZ1JpigNo/s1600/Screen+Shot+2016-10-08+at+10.49.33+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height400 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjDpY3CrV6Tcq9-sEIFkzXwNAAwoDiqPeOgltym4WZ4-DDNYP9M3YXULJmpN71bg4oER06Ux65skAgEosmBSLw4XQ8saREWAfyeYX7lY4PtX4Eb3xCd4OBZM5-yCRBp8gFHUjLZ1JpigNo/s400/Screen+Shot+2016-10-08+at+10.49.33+PM.png width272>/a>/div> br> /ul> ol> /ol> li>After the Virtual Network has been created (use the refresh key if necessary), click it to navigate to the next pane, and then click em>Subnets/em>. /li>br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqW0ohnn_3nKhjGaJjE_FdaQlO3qxmABq3Hhz0EL4SDV_vlqV_5amqGz3g2efiISJYcwquXAAX_n9LyyEEBIIWY_zFFdggPL2hBsWPBNclZFKwwH8tNCoExG661hai57d2FDeEEeZQTDE/s1600/Screen+Shot+2016-10-08+at+10.50.40+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height339 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqW0ohnn_3nKhjGaJjE_FdaQlO3qxmABq3Hhz0EL4SDV_vlqV_5amqGz3g2efiISJYcwquXAAX_n9LyyEEBIIWY_zFFdggPL2hBsWPBNclZFKwwH8tNCoExG661hai57d2FDeEEeZQTDE/s640/Screen+Shot+2016-10-08+at+10.50.40+PM.png width640>/a>/div> br> li>On the next pane, click em>+ Gateway Subnet/em>. And specify a subnet in em>Address Range/em>. This subnet needs to be different than the one we created earlier and should strong>not/strong> be used for non-network resources, but rather as an ingress point to your Virtual Network. 
If unsure, use 10.1.0.0/24./li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCgEzUd_3ZtkKcIfVCoI9cdG6xvTq-mnZxchLrFaf3cymjXnDvP9ug1U2tNBIZW549A09SCQ841BZcm-NMEYEMfkZsAl2HvDAFshdBj3agkvb7EgHecZGNNP33g4WVF4rck8Z6O_3jiQI/s1600/Screen+Shot+2016-10-08+at+10.52.18+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height281 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjCgEzUd_3ZtkKcIfVCoI9cdG6xvTq-mnZxchLrFaf3cymjXnDvP9ug1U2tNBIZW549A09SCQ841BZcm-NMEYEMfkZsAl2HvDAFshdBj3agkvb7EgHecZGNNP33g4WVF4rck8Z6O_3jiQI/s640/Screen+Shot+2016-10-08+at+10.52.18+PM.png width640>/a>/div> br> /ol> h4>Virtual Network Gateway/h4> The a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpngateways/>Virtual Network Gateway/a> is our configuration element that facilitates the IPsec tunnel. Microsoft refers to this as a VPN gateway (as opposed to a hrefhttps://azure.microsoft.com/en-us/documentation/articles/expressroute-introduction/>Express Route/a>). There are three different VPN gateway SKUs; well be doing the Standard offering (of Basic, Standard, High-Performance). Its worth having a read about the differences a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-gateway-settings/#gwsku>here/a>. 
br> ol> li>Navigate to em>Virtual Network Gateways/em>./li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW4hFYCj4XEUUrBbY1bwRloPJm10aoDAlyfFMvN6Hd79V2eWxCYeJJBh9xc63RoXLpMqZaXGZ8zahx-AhjejaUGHJ4hZe5ZTQsRCRY0eQVaHRRk82tCQAIbq_9wKhnTsHXv0LavDyU3Po/s1600/Screen+Shot+2016-10-08+at+11.05.13+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height69 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgW4hFYCj4XEUUrBbY1bwRloPJm10aoDAlyfFMvN6Hd79V2eWxCYeJJBh9xc63RoXLpMqZaXGZ8zahx-AhjejaUGHJ4hZe5ZTQsRCRY0eQVaHRRk82tCQAIbq_9wKhnTsHXv0LavDyU3Po/s200/Screen+Shot+2016-10-08+at+11.05.13+PM.png width200>/a>/div> br> li>Click em>Add/em> and supply the following: /li> ul> li>em>Name/em>: Again, follow consistent naming standards. /li> li>em>Gateway Type/em>: Select em>VPN/em>./li> li>em>VPN type: /em>Select em>Route-Based/em> (packets routed by routing table) in this case; it would be advisable to familiarize yourself with the difference between route and policy a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-vpn-faq/#gateways>here/a>. Note that policy requires IKEv1, so if you need to use it note the settings will be quite a bit different. /li> li>em>SKU/em>: strong>Update 1/2018: /strong>The SKU selection is now VpnGw<x> or Basic. Note you strong>cannot /strong>change a basic VNG to the higher tier (VpnGwX) or vice versa at a later time. For more information see a hrefhttps://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpngateways#gwsku>this/a> article. /li> li>em>Virtual Network/em>: Select the virtual network we created in the last step. 
/li> li>em>Public IP address: /em>Select the IP address we created earlier./li> /ul> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgByupM_hxWI9ZQP226XMpa_mH212hdwEKraJM7vuMbwARMQ1vRZUMRHQ1T7r3XeyB95A8kjuJ-hZGybTk1X9WxTD_I_uz6mWsS8RUvJnkAiL18zeB-oPjwhaDwbfK0Qp_1GQNlnZpy8D0/s1600/Screen+Shot+2016-10-08+at+11.09.27+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height640 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgByupM_hxWI9ZQP226XMpa_mH212hdwEKraJM7vuMbwARMQ1vRZUMRHQ1T7r3XeyB95A8kjuJ-hZGybTk1X9WxTD_I_uz6mWsS8RUvJnkAiL18zeB-oPjwhaDwbfK0Qp_1GQNlnZpy8D0/s640/Screen+Shot+2016-10-08+at+11.09.27+PM.png width258>/a>/div> br> li>Click em>Create/em>. /li> /ol> p> strong>Note:/strong> This step may take up to 45 minutes to complete provisioning. Ive tracked 8 of these and its averaging almost 40 minutes per regardless of if you pre-provision the IP or not. You may want to consider skipping ahead to the pfSense section for a bit and coming back here. /p> br> h4>Local Network Gateway/Connection/h4> br> A Local Network Gateway is the specification of our local IP and networks you would like to route over the tunnel. 
br> br> This actually works fine with a dynamic IP if that is your scenario, but well cover the details of that later.br> ol> li>Navigate to em>Local Network Gateways/em>./li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisN_qdFQwCP4scgITFfqw-bviX9j3R1WZHQaps-1pW59SREK-0OaREiOsAqksaEaU4VmjN1KZmtfB0v2AKIP4x5RFwDkfTBCt9ASfm9RIn1_AMich80Lu-sEcwlzgbtSbJgCM5f3xv7mM/s1600/Screen+Shot+2016-10-09+at+9.19.12+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height63 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEisN_qdFQwCP4scgITFfqw-bviX9j3R1WZHQaps-1pW59SREK-0OaREiOsAqksaEaU4VmjN1KZmtfB0v2AKIP4x5RFwDkfTBCt9ASfm9RIn1_AMich80Lu-sEcwlzgbtSbJgCM5f3xv7mM/s200/Screen+Shot+2016-10-09+at+9.19.12+PM.png width200>/a>/div> br> li>Click em>Add/em> and supply the following: /li> ul> li>em>Name/em>: Naming? Standards? Consistent? Yeah!/li> li>em>IP Address/em>: Enter the public IP address of your device that will instantiate the tunnel. /li> li>em>Address Space/em>: This is where you enter the CIDR notation of the local networks you would like to route over the tunnel... for example, if you would like to route 192.168.1.x over the tunnel, then enter 192.168.1.0/24/li> li>em>Subscription/em>: Enter your desired subscription. /li> li>em>Resource Group/em>: Select our resource group we created above. /li> li>em>Location/em>: For consistency, select the same location as you have selected above. 
/li> li>strong>Update 1/2018/strong>: You can configure BGP settings here now as well, cool eh?/li> /ul> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghtIwRJsAAB0dHcTHcshaXd3Ucgb_QGZXLI1C2eUXzsdLzKxdabQzXEyfB_CuKhsc-iRbUOV7x5rASdtdAB6sCYDgS4xXbq-HIv0VYSpg4C1uvIq-2klZVl62LEWwZsEuM41VJKq9KSbA/s1600/Screen+Shot+2016-10-09+at+9.23.45+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height400 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghtIwRJsAAB0dHcTHcshaXd3Ucgb_QGZXLI1C2eUXzsdLzKxdabQzXEyfB_CuKhsc-iRbUOV7x5rASdtdAB6sCYDgS4xXbq-HIv0VYSpg4C1uvIq-2klZVl62LEWwZsEuM41VJKq9KSbA/s400/Screen+Shot+2016-10-09+at+9.23.45+PM.png width382>/a>/div> br> li>Click em>Create/em>./li> li>After provisioning, (you may need to hit refresh) click your newly created Local Network Gateway and click em>Connections/em>./li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgacMjkdLbOHqAW9LXcCdUNDeRSaq-MkiIkaUi_h-NjS5F3ebhNW3yBALw760BHZpasVHURpxC8y39bQ1Bz9H5a1Bh9MrOU-e_izbCffBjaaPyefAHd1pFChYuABk8Tky2lgJ04avOvXxk/s1600/Screen+Shot+2016-10-09+at+9.25.36+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height376 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgacMjkdLbOHqAW9LXcCdUNDeRSaq-MkiIkaUi_h-NjS5F3ebhNW3yBALw760BHZpasVHURpxC8y39bQ1Bz9H5a1Bh9MrOU-e_izbCffBjaaPyefAHd1pFChYuABk8Tky2lgJ04avOvXxk/s640/Screen+Shot+2016-10-09+at+9.25.36+PM.png width640>/a>/div> br> li>On the newly expanded pane, click em>Add/em> and supply the following: /li> ul> li>em>Name/em>: You know the drill by now. /li> li>em>Connection type/em>: This should be fixed to Site to Site (IPsec)/li> li>em>Virtual Network Gateway/em>: Enter the Virtual Network Gateway we entered in the step above. 
/li> li>em>Shared Key/em>: Specify a unique, randomly generated passphrase comprised of alphanumeric characters. Some devices have issues with special characters, hence the omission of them. I recommend using at least 30 characters; since it has no impact on tunnel performance I personally use at least 60 characters for each key. Generate it with a cryptographically secure random source (a password manager's generator, em>openssl rand/em>, or similar) rather than a word, phrase, or anything a human chose, and keep it in a secrets store rather than in a runbook or ticket: anyone who obtains the PSK can authenticate as a peer to your gateway. Youll need to specify this key on your local side as well. /li> li>em>Subscription/em>: This should be hard coded to the same subscription as the LNG. /li> li>em>Resource Group/em>: This also should be locked to the same resource group as the LNG. /li> li>em>Location/em>: Locked to that of the LNG. /li> /ul> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-u-EZTC2u2Sxdy1sC8hZV7xczA9-skajftCeHro-cXk2hXheEKqtYiIXofSBE5bRl32Nt4ukOsi-shDsubw5zDejeL0riv7lebsutvpzWSHG3tiU1K6RUkmQwNwoGtDiaTOxTb6KY94/s1600/Screen+Shot+2016-10-09+at+9.35.36+PM.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height640 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs-u-EZTC2u2Sxdy1sC8hZV7xczA9-skajftCeHro-cXk2hXheEKqtYiIXofSBE5bRl32Nt4ukOsi-shDsubw5zDejeL0riv7lebsutvpzWSHG3tiU1K6RUkmQwNwoGtDiaTOxTb6KY94/s640/Screen+Shot+2016-10-09+at+9.35.36+PM.png width249>/a>/div> br> li>Click em>OK/em>. /li> /ol> h3>Configure pfSense/h3> br> Now well set up the IPsec initiator connection on your pfSense firewall(s). br> br> h4>Phase 1 Setup/h4> ol> li>Login to the firewall and navigate to em>VPN->IPsec/em>/li> li>Click em>Add/em> and specify the following:/li> ul> li>em>Key Exchange Version: Auto/em> (a route-based Azure gateway negotiates IKEv2; if Phase 1 never completes, try setting this explicitly to em>IKEv2/em> rather than leaving it on Auto)/li> li>em>Internet Protocol: IPv4/em>/li> li>em>Interface/em>: Select the WAN interface from which you would like to instantiate the connection/li> li>em>Remote Gateway: /em>Enter the Azure public IP address created in the Public IP Address section above/li> li>em>Description: /em>Whatever you would like; maybe troll your firewall team with a message here for fun times. 
/li> li>em>Authentication Method: Mutual PSK/em>/li> li>em>Negotiation Mode: Main /em>strong>Note/strong>: Do not use Aggressive mode. It sends the peer identities unencrypted and the PSK-derived authentication hash in the clear, so anyone who captures the exchange can run an offline dictionary or brute-force attack against your pre-shared key. (Main vs. Aggressive is an IKEv1 concept; an IKEv2 negotiation has no such mode choice.) /li> li>em>My Identifier/em>: If the WAN interface selected above holds your public IP address, you can select em>My IP Address/em>. If that interface lies behind another edge device that holds the public IP, youll need to select em>IP Address/em> and specify your external IP. /li> li>em>Peer Identifier: Peer IP Address/em>/li> li>em>Pre-Shared Key: /em>Enter the same Pre-Shared Key used in the Azure connection specification above. /li> li>em>Encryption Algorithm/em>: The strongest available in Azure is em>AES 256/em> bit, so preferably specify that. For more information on supported features in Azure, see the References section below. /li> li>em>Hashing Algorithm: /em>The best we can do here is em>SHA256/em>, so lets go with that. /li> li>em>DH Group/em>: em>2(1024 bit)/em>. This is what Azure accepted at the time of writing, but 1024-bit MODP is considered weak against a well-resourced adversary. If your Azure gateway and pfSense version both support it (see the 1/2017 update and the Azure device table referenced under the Phase 2 PFS setting below), prefer em>14 (2048 bit)/em> or an ECP group here, and keep the Phase 1 and Phase 2 group choices consistent with what Azure lists for your SKU. /li> li>em>Lifetime (seconds): 10800/em>/li> li>em>Disable Rekey: Unchecked/em>/li> li>em>Responder Only: Unchecked/em>/li> li>em>NAT Traversal: Auto /em>(Even in NAT scenarios Auto usually works)/li> li>em>Dead Peer Detection: Checked/em>/li> li>em>Delay: 10/em>/li> li>em>Max Failures: 5/em>/li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsIc7I40C-nXxAFnn4rUHsW-OOt3gheGpl8u3ovEUNzlyfTG6S-gBWaOtiFwU2HL4f_nDG3XE2DGnEFKqlMb5Adk2lAsqyjadGCnlCKWwff_VPPDwCrbWms62zBrLnuNqZl6swTXboMbk/s1600/2016-10-25+16_15_43-scooter.truckchase.lan+-+VPN_+IPsec_+Tunnels_+Edit+Phase+1+-+Chromium.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height640 
srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjsIc7I40C-nXxAFnn4rUHsW-OOt3gheGpl8u3ovEUNzlyfTG6S-gBWaOtiFwU2HL4f_nDG3XE2DGnEFKqlMb5Adk2lAsqyjadGCnlCKWwff_VPPDwCrbWms62zBrLnuNqZl6swTXboMbk/s640/2016-10-25+16_15_43-scooter.truckchase.lan+-+VPN_+IPsec_+Tunnels_+Edit+Phase+1+-+Chromium.png width496>/a>/div> br> /ul> li>Click em>Save/em> to return to the em>VPN->IPsec/em> menu. /li> li>Since we dont want to use this yet, click em>Disable/em> in front of the new tunnel definition and then em>Apply Changes/em>./li> /ol> h4>Phase 2 Setup/h4> ol> li>Under our newly created tunnel definition, click em>Show Phase 2 Entries/em>/li> li>Click em>Add P2/em> and supply the following information: /li> ul> li>em>Disabled: Unchecked/em>/li> li>em>Mode: Tunnel IPv4/em>/li> li>em>Local Network: /em>Select em>Network/em> and specify the same network range(s) that you specified during the set up of the local network gateway on Azure using CIDR notation, i.e. 192.168.1.0/24. This specifies which local network(s) you would like to route through the tunnel. /li> li>em>NAT/BINAT translation: None /em>; strong>Note: /strong>even in scenarios where your pfSense device is using NAT behind an upstream router, this should not be necessary. NAT-T will take care of that scenario. /li> li>em>Remote Network/em>: Select em>Network/em> and specify the same network range(s) that you specified during the set up of the target virtual network in Azure using CIDR notation, i.e. 10.1.0.0/16. This specifies the remote network(s) present in Azure. /li> li>em>Description: /em>Put something here to help you remember what all this fun stuff is about. /li> li>em>Protocol: ESP/em>/li> li>em>Encryption Algorithms/em>: Check only em>AES/em> and em>256 bits/em>. /li> li>em>Hash Algorithms: /em>Unfortunately Azure a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/>only supports/a> em>SHA1/em> at this time. 
strong>Update 1/2017: /strong>SHA256 supported now, use that! /li> li>em>PFS Key Group/em>: a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/>Azure documentation/a> states that a target_blank hrefhttps://tools.ietf.org/html/rfc2412>PFS/a> groups are only supported when Azure acts as responder, and in this case it is being set up as the initiator. Oddly, Ive actually had luck specifying DH Group 14, but there is no guarantee that will work. Im going to stick with it but for this by the book exercise youll need to select em>off/em>. strong>Note/strong>: Because of this setting and the prior Hash Algorithm setting, I do not consider this tunnel secure against state-level or similarly equipped actors. If that is a concern you may wish to investigate alternatives. In less extreme cases, however, this can be considered relatively secure.strong> Update 1/2017: /strong>The compatibility has been improved here as well; match your Encryption/Auth with the right group using the table a hrefhttps://docs.microsoft.com/en-us/azure/vpn-gateway/vpn-gateway-about-vpn-devices#ipsec>here/a>. 
/li> li>em>Lifetime: 3600/em>/li> li>em>Automatically ping host: blank/em>/li> br> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEj5v2O8eBTZbPZSj_hDsPQa7GEF3I5Bp2-aoqGaJ4xAVn2jYy15CXksznjh5dpOQXMbvh0MyRPxHNy0xmzjuLakQQgzg7eDkhRBsV3tEXCqs-udUI8D-iZSz8nmB-TzjIoelgaObm0Jk/s1600/2016-10-25+16_19_06-scooter.truckchase.lan+-+VPN_+IPsec_+Tunnels_+Edit+Phase+2+-+Chromium.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height640 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEj5v2O8eBTZbPZSj_hDsPQa7GEF3I5Bp2-aoqGaJ4xAVn2jYy15CXksznjh5dpOQXMbvh0MyRPxHNy0xmzjuLakQQgzg7eDkhRBsV3tEXCqs-udUI8D-iZSz8nmB-TzjIoelgaObm0Jk/s640/2016-10-25+16_19_06-scooter.truckchase.lan+-+VPN_+IPsec_+Tunnels_+Edit+Phase+2+-+Chromium.png width602>/a>/div> br> /ul> li>Click Save. /li> /ol> strong>Note: em>/em>/strong>Depending on your configuration it may be necessary to navigate to em>VPN->IPsec->Advanced Settings/em> and check em>Enable Maximum MSS/em>, then specify em>1350/em>. If you get packet loss with large packets this setting may be needed.br> br> h4>Firewall Rules/h4> p>Now that our tunnel is set up we have to create local firewall rules that allow for traffic to pass. First well create a network alias for the Azure side network and then well make a rule to allow out Azure based traffic to pass here. /p> ol> li>Navigate to em>Firewall->Aliases/em> /li> li>Click em>Add/em> and supply the following:/li> ul> li>em>Name:/em> Supply something that explains this network is to represent the Azure side of the tunnel; only alphanumeric and _ are allowed. /li> li>em>Description/em>: Enter full description here; there are no special character limitations. /li> li>em>Type/em>: em>Network(s)/em>/li> li>em>Network(s): /em>Enter the CIDR notation of the network you created for your Virtual Network in Azure. If you followed the example addresses in this article, that would be 10.1.0.0/16. 
/li> /ul> li>Click em>Save/em> and then em>Apply Changes/em>. /li> li>Navigate to em>Firewall->Rules->IPsec/em>. /li> li>Click em>Add -^/em> and supply the following: /li> ul> li>em>Action/em>: em>Pass/em>/li> li>em>Disable this rule: Unchecked/em>/li> li>em>Interface/em>: em>IPsec/em>/li> li>em>Address Family/em>: em>IPv4/em>/li> li>em>Protocol/em>: em>Any/em> strong>Discussion: /strong>In this example Im allowing all traffic through to keep the test simple. Keep in mind what this rule actually grants: traffic arriving on the IPsec interface from the Azure network alias may reach whatever local destination you name below, so with em>Any/em> and a whole local network as the destination, a compromised or misconfigured Azure VM has the same reach into your datacenter as a host sitting on that LAN. Treat the Azure virtual network as its own trust zone and, for anything beyond testing, restrict the rule to the specific destination hosts and ports you need (and mirror that with a Network Security Group on the Azure side). /li> li>em>Source/em>: em>Single host or alias/em> and then specify the Azure network alias you created in step 2. /li> li>em>Destination/em>: This needs to be the local network(s) to which you would like to allow traffic. You can either do em>network/em> with a CIDR notation or specify the entire network represented by an interface on the firewall. strong>Note/strong>: if you have multiple networks youll need a rule for each, so repeat the last couple steps for each. /li> li>em>Log: Unchecked/em>; keep in mind that should you need to troubleshoot temporarily logging traffic using this rule can be very useful. /li> li>em>Description/em>: Its a description, so lets do that!/li> li>No advanced options necessary unless you would like to do so. /li> /ul> li>Click em>Save/em> and then em>Apply Changes/em>. 
/li> /ol> div classseparator styleclear: both; text-align: center;> a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKAjGyZrFJiMQbhhsaJIQOR6AVvYNVMB3AnpvAjVrDj7CviIISiKGChmIV0IhTdExsJcuJMGVwfXHKxm7ePJI5paPWwST_xLHwYXHIrTKi7EfjzFI9UCSn8LJlwBIXg5i4JheIJkAIJYM/s1600/2016-10-10+14_18_40-Window.png imageanchor1 stylemargin-left: 1em; margin-right: 1em;>img border0 height259 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhKAjGyZrFJiMQbhhsaJIQOR6AVvYNVMB3AnpvAjVrDj7CviIISiKGChmIV0IhTdExsJcuJMGVwfXHKxm7ePJI5paPWwST_xLHwYXHIrTKi7EfjzFI9UCSn8LJlwBIXg5i4JheIJkAIJYM/s640/2016-10-10+14_18_40-Window.png width640>/a>/div> br> br> ol> /ol> As long as you have a blanket egress traffic rule we should now be able to route traffic over the tunnel. If you do not I expect you are aware of how to make a more specific rule to suit your needs. h4>A Note on NAT-T and Upstream Routers/h4> If your pfSense device is behind another upstream router, you may need some changes to facilitate the port switchover after initialization. If this matches your configuration, consider that you may need the following on the upstream router: br> ul> li>A firewall rule that allows strong>UDP port 4500/strong> into your pfSense device(s). /li> li>A NAT port mapping rule that forwards strong>UDP port 4500/strong> to your pfSense device(s). /li> /ul> p>Try without first; some devices are aware enough of the switch to 4500 to perform the transition without rules, but if it does not work consult the documentation for the device in question. If you do add the rule and the forward, scope them to the Azure gateways public IP as the source rather than leaving them open to the whole internet; there is no reason for any other host to reach your IKE/NAT-T port. IKE itself starts on strong>UDP port 500/strong>; because pfSense is the initiator the upstream devices outbound state normally covers that, but if Phase 1 never starts at all, check that UDP 500 is not being dropped as well. /p> br> h3>Enable and Test/h3> There are several ways to test our connection; in this case Ill be pinging a VM host in Azure assigned to the same virtual network that this tunnel is connecting to. 
We wont go through the provisioning of that; should you need to refer to a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/virtual-machines-windows-hero-tutorial/>this basic guide/a> and ensure you place the VM in your target virtual network and initially created subnet (10.1.10.x in the example above). br> br> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqzlMXveSpCkkRy1KFCMOgaRiSixM7HRY61ZLwg4RyXCVtWVtolN-358nj3vccY6KF6gmQkomZnOs8-73YAxHS6AFniyx21B2NfuqUNzkFiYAsoAKHSl1swTk6d1aHtd89CjmPnBl-wr8/s1600/2016-10-25+23_57_27-Zoom+Player.png imageanchor1 stylemargin-left: auto; margin-right: auto;>img border0 height226 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqzlMXveSpCkkRy1KFCMOgaRiSixM7HRY61ZLwg4RyXCVtWVtolN-358nj3vccY6KF6gmQkomZnOs8-73YAxHS6AFniyx21B2NfuqUNzkFiYAsoAKHSl1swTk6d1aHtd89CjmPnBl-wr8/s640/2016-10-25+23_57_27-Zoom+Player.png width640>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>Were about to go into a tunnel... a long one. /td> /tr> /tbody> /table> br> h4>Preparing Your Target/h4> ul> li>Ensure your VM is up and provisioned in the correct target virtual network. /li> li>Since you cant put anything in the gateway subnet (correctly) this would be a good opportunity to put the VM in the subnet you were forced to create when creating the virtual network in the first place. Check/change em>VM->Network interfaces->Details->Settings->IP Configurations/em>/li> li>Get the private IP address from em>VM->Network interfaces. /em>It should be 10.1.10.x if youre following the example addresses in this article. /li> li>Make sure your VM is pingable! 
If you have instituted a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/>Network Security Groups/a> that would inhibit access you'll need to modify them, though this should work by default since we're tunneled in. Make sure the firewall on the VM allows incoming ICMP requests as well; on Windows Server 2012 and higher em>Set-NetFirewallRule -DisplayName "File and Printer Sharing (Echo Request - ICMPv4-In)" -Enabled True/em> will take care of that for you. /li> /ul> h4>Bring Up The Tunnel/h4> ol> li>In the pfSense interface, navigate to em>VPN->IPsec/em>. /li> li>In front of our new tunnel, click em>Enable/em> then em>Apply/em> toward the top. /li> li>Check the tunnel status under em>Status->IPsec/em>. The tunnel should come up automatically in about a minute. If there is trouble you can check the em>Status->System Logs->IPsec/em> section for more details. /li> /ol> h4>Check Tunnel Status in Azure & Ping Dat VM!/h4> p>For this portion we'll use PowerShell; ensure you have the Azure ARM cmdlets installed. If not, give em>Install-Module AzureRM /em>a shot from an elevated PowerShell prompt. /p> ol> li>Log in to your account: em>Login-AzureRmAccount/em>/li> li>Look at your subscriptions and grab the name of the target subscription: em>Get-AzureRmSubscription/em>/li> li>Change to the correct subscription: em>Select-AzureRmSubscription -SubscriptionName <subscription name>/em>/li> li>Check the status: em>Get-AzureRmVirtualNetworkGatewayConnection -Name <Local Gateway Connection> -ResourceGroupName <Name of Resourcegroup to which it belongs>/em>/li> li>On the output pane, check the em>ConnectionStatus/em> property. It should be em>Connected/em>. /li> /ol> p>The Get-AzureRmVirtualNetworkGatewayConnection cmdlet returns a series of other interesting properties as well, including EgressBytesTransferred and IngressBytesTransferred./p> p>Now proceed to ping your VM by the strong>private /strong>IP listed in Azure. 
As long as everything is configured correctly you should receive a response!/p> br> h3>Cost/h3> VPN tunnels are subject to costs from a few different categories: br> ul> li>a target_blank hrefhttps://azure.microsoft.com/en-us/pricing/details/vpn-gateway/>VPN Gateway Pricing/a>: This is an hourly cost incurred strong>while the tunnel is available/strong>, not necessarily while it is used. This means that once it's provisioned you will incur charges at the hourly rate. As of this writing the standard performance level that we'll be using is billed at $0.19/hr in the US. If you have multiple Virtual Networks you will also be subject to a fee for outgoing traffic destined for another VNet. This rate depends on the zone and varies between $.035 and $.16 per GB. Data outbound to your site is charged at the standard data transfer rates (below) and inbound data is free. strong>Update 1/2017/strong>: Updated pricing for the new tiers can be found a hrefhttps://azure.microsoft.com/en-us/pricing/details/vpn-gateway/>here/a>. br> /li> li>a target_blank hrefhttps://azure.microsoft.com/en-us/pricing/details/bandwidth/>Data Transfer Rates/a>: This depends on your level of utilization. The first 5GB of outgoing traffic per month is free and the prices are set on a curve thereafter. br> /li> li>a target_blank hrefhttps://azure.microsoft.com/en-us/pricing/details/virtual-network/>Virtual Network Pricing/a>: VNets are free; you can have up to 50 VNets per subscription across all regions. br> /li> li>a target_blank hrefhttps://azure.microsoft.com/en-us/pricing/details/ip-addresses/>IP Addresses/a>: You'll be using at least one IP address. The first 5 static addresses in a given region are free; additional and dynamic addresses are charged at a rate of $.004/hr. /li> /ul> p>Overall the cost of a standard class data tunnel each month for a single IP address, no additional support, and strong>without including outgoing bandwidth/strong>, is about $140/month. br> /p> p>strong>Note/strong>: Costs as of 10/26/2016, subject to change. 
Up-to-date pricing information is available a target_blank hrefhttps://azure.microsoft.com/en-us/pricing/>here/a>./p> br> h3>Dynamic IP? Changing Your IP Address/h3> There is no reason this IPsec tunnel will not work with a dynamic IP, but each time the IP changes you'll need to take a series of steps to restore tunnel functionality. These are: br> ol> li>In Azure, the local network gateway specifies your IP; change it under em>Local network gateway-><NAME>->Configuration->IP address/em>. /li> li>In pfSense, the Phase 1 tunnel definition under em>My identifier/em> needs to reflect your current external IP address./li> li>If there are any implications for upstream routers you'll need to handle those as well. /li> /ol> p>After taking care of these you will need to restart the tunnel. This could all be automated with PowerShell and SSH if you like, but I won't be covering that here./p> p>strong>Update 1/2017: /strong>FWIW, over the last year none of my clients have had their IP rotate for an active tunnel. /p> br> h3>A Note on Effective Security/h3> As mentioned earlier, this setup does have a couple of security issues, the impact of which I would like to discuss briefly. Without an optimal security configuration, including support for Perfect Forward Secrecy, this tunnel may not be strong enough to stand up to attacks by a state-sponsored actor over a long period of time: without PFS, a later compromise of the long-term key would also expose any traffic that was recorded earlier. Because of that I cannot recommend this solution if your traffic may be subject to that level of attack, for example traffic facilitating substantial financial transaction activity. strong>Update 1/2017/strong>: As noted above, this situation has improved with the support of PFS and SHA256 for authentication. br> br> With that said, this tunnel is still (for better or worse) more secure than the configuration I have seen at many clients, and should be suitable for most traffic. It also performs very well; the added latency between my modestly equipped pfSense devices and Azure is trivial. 
br> br> table classtr-caption-container stylemargin-left: auto; margin-right: auto; text-align: center; cellspacing0 cellpadding0 aligncenter> tbody> tr> td styletext-align: center;>a hrefhttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKHhfsTfK7TItRUee7N6rwvP8iwyOCY02hOt6hvKbCyM81jcVCROaX_Yk-xazW1P6QxyrYv3ALIqMUViZsAiIE6GkEhryW2ollJDvYPrIJ2GorJTz6F8gvP4MCEM8SR5qMZ2J9tzNrHgE/s1600/2001-image-1.jpg imageanchor1 stylemargin-left: auto; margin-right: auto;>img border0 height320 srchttps://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKHhfsTfK7TItRUee7N6rwvP8iwyOCY02hOt6hvKbCyM81jcVCROaX_Yk-xazW1P6QxyrYv3ALIqMUViZsAiIE6GkEhryW2ollJDvYPrIJ2GorJTz6F8gvP4MCEM8SR5qMZ2J9tzNrHgE/s640/2001-image-1.jpg width640>/a>/td> /tr> tr> td classtr-caption styletext-align: center;>For science!/td> /tr> /tbody> /table> br> h3>References/h3> br> h4> Azure/h4> a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/virtual-networks-overview/>Microsoft: Azure Virtual Network Overview/a>br> a target_blank hrefhttps://msdn.microsoft.com/en-us/library/mt125356.aspx>Microsoft: Azure Resource Manager Cmdlets/a> (PowerShell)br> a hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-howto-site-to-site-resource-manager-portal/>Microsoft: Create a VNet with a Site-to-Site connection using the Azure portal/a>br> a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-create-site-to-site-rm-powershell/>Microsoft: Create a VNet with a Site-to-Site connection using PowerShell/a>br> a target_blank hrefhttp://www.buchatech.com/2016/09/azure-site-to-site-vpn-setup-azure-resource-manager/>Steve Buchanan: Azure & RRAS Site to Site VPN Setup (Azure Resource Manager)/a>br> a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/virtual-networks-nsg/>Microsoft: What is a Network Security Group?/a>br> a target_blank 
hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-vpn-faq/>Microsoft: VPN Gateway FAQ/a>br> a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpngateways>span stylecolor: #0000ee;>Microsoft: About VPN Gateway/span>/a>br> a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/powershell-install-configure/>Microsoft: How to install and configure Azure PowerShell/a>br> a target_blank hrefhttps://azure.microsoft.com/en-us/documentation/articles/vpn-gateway-about-vpn-devices/>Microsoft: About VPN Devices for Site-to-Site VPN Gateway Connections/a> (Critical article; contains IPsec specs of Azure side)br> br> h4>pfSense/h4> a target_blank hrefhttps://doc.pfsense.org/index.php/Routing_internet_traffic_through_a_site-to-site_IPsec_tunnel>pfSense Doco: Routing internet traffic through a site-to-site IPsec tunnel/a>br> a target_blank hrefhttps://doc.pfsense.org/index.php/VPN_Capability_IPsec>pfSense Doco: VPN Capability IPsec/a>br> br> h4>IPsec/h4> a target_blank hrefhttps://tools.ietf.org/html/rfc2412>PFS RFC/a>br> a target_blank hrefhttps://wiki.strongswan.org/projects/strongswan/wiki/SecurityRecommendations>strongSwan Wiki: Security recommendations/a> br> a target_blank hrefhttps://blog.webernetz.net/2015/01/19/considerations-about-ipsec-pre-shared-keys-psks/>Johannes Webber: Considerations About IPsec Pre-Shared Keys/a>br> a target_blank hrefhttps://supportforums.cisco.com/document/64281/how-does-nat-t-work-ipsec>Cisco Support: How Does NAT-T Work With IPsec/a> (Only needed if behind NAT)br>div styleclear: both;>/div>/div>div classpost-footer>div classpost-footer-line post-footer-line-1>span classpost-author vcard>Posted byspan classfn itempropauthor itemscopeitemscope itemtypehttp://schema.org/Person>meta contenthttps://www.blogger.com/profile/11479868060801724272 itempropurl/>a classg-profile hrefhttps://www.blogger.com/profile/11479868060801724272 relauthor titleauthor profile>span 
itempropname>Toby Meyer/span>/a>/span>/span>span classpost-timestamp>atmeta contenthttps://blog.ittoby.com/2016/10/tunnel-to-cloud-pfsense-to-azure-site.html itempropurl/>a classtimestamp-link hrefhttps://blog.ittoby.com/2016/10/tunnel-to-cloud-pfsense-to-azure-site.html relbookmark titlepermanent link>abbr classpublished itempropdatePublished title2016-10-27T14:14:00-05:00>2:14 PM/abbr>/a>/span>span classpost-comment-link>a classcomment-link hrefhttps://www.blogger.com/comment/fullpage/post/5458589696790815336/4169875558764263356 onclick>3 comments: /a>/span>span classpost-icons>span classitem-control blog-admin pid-649803412>a hrefhttps://www.blogger.com/post-edit.g?blogID5458589696790815336&postID4169875558764263356&frompencil titleEdit Post>img alt classicon-action height18 srchttps://resources.blogblog.com/img/icon18_edit_allbkg.gif width18/>/a>/span>/span>div classpost-share-buttons goog-inline-block>a classgoog-inline-block share-button sb-email hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID4169875558764263356&targetemail target_blank titleEmail This>span classshare-button-link-text>Email This/span>/a>a classgoog-inline-block share-button sb-blog hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID4169875558764263356&targetblog onclickwindow.open(this.href, _blank, height270,width475); return false; target_blank titleBlogThis!>span classshare-button-link-text>BlogThis!/span>/a>a classgoog-inline-block share-button sb-twitter hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID4169875558764263356&targettwitter target_blank titleShare to Twitter>span classshare-button-link-text>Share to Twitter/span>/a>a classgoog-inline-block share-button sb-facebook hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID4169875558764263356&targetfacebook onclickwindow.open(this.href, _blank, height430,width640); return false; target_blank titleShare to Facebook>span 
classshare-button-link-text>Share to Facebook/span>/a>a classgoog-inline-block share-button sb-pinterest hrefhttps://www.blogger.com/share-post.g?blogID5458589696790815336&postID4169875558764263356&targetpinterest target_blank titleShare to Pinterest>span classshare-button-link-text>Share to Pinterest/span>/a>/div>/div>div classpost-footer-line post-footer-line-2>span classpost-labels>Labels:a hrefhttps://blog.ittoby.com/search/label/Azure reltag>Azure/a>,a hrefhttps://blog.ittoby.com/search/label/cloud reltag>cloud/a>,a hrefhttps://blog.ittoby.com/search/label/firewall reltag>firewall/a>,a hrefhttps://blog.ittoby.com/search/label/freebsd reltag>freebsd/a>,a hrefhttps://blog.ittoby.com/search/label/infosec reltag>infosec/a>,a hrefhttps://blog.ittoby.com/search/label/ipsec reltag>ipsec/a>,a hrefhttps://blog.ittoby.com/search/label/networking reltag>networking/a>,a hrefhttps://blog.ittoby.com/search/label/pfsense reltag>pfsense/a>,a hrefhttps://blog.ittoby.com/search/label/Powershell reltag>Powershell/a>,a hrefhttps://blog.ittoby.com/search/label/routing reltag>routing/a>,a hrefhttps://blog.ittoby.com/search/label/Security reltag>Security/a>/span>/div>div classpost-footer-line post-footer-line-3>span classpost-location>/span>/div>/div>/div>/div> /div>/div> div classdate-outer> h2 classdate-header>span>Tuesday, April 19, 2016/span>/h2> div classdate-posts> div classpost-outer>div classpost hentry uncustomized-post-template itempropblogPost itemscopeitemscope itemtypehttp://schema.org/BlogPosting>meta contenthttps://lh3.googleusercontent.com/-Q3MzKKhaCjc/Vy12KYCFQjI/AAAAAAAAJHQ/bbEPnlpADQo/RaspChef_Big_thumb%25255B10%25255D.jpg?imgmax800 itempropimage_url/>meta content5458589696790815336 itempropblogId/>meta content6925285669746901707 itemproppostId/>a name6925285669746901707>/a>h3 classpost-title entry-title itempropname>a hrefhttps://blog.ittoby.com/2016/04/installing-chef-on-raspberry-pi-23.html>Installing Chef on A Raspberry Pi 2/3/a>/h3>div classpost-header>div 
classpost-header-line-1>/div>/div>div classpost-body entry-content idpost-body-6925285669746901707 itempropdescription articleBody>br />h3>Introduction/h3>So you’ve got 1,103 Raspberry Pis that you need to manage. Two things: br />ol>li>Why? /li>li>Wanna hang out Saturday? No? You’re busy managing all your mini computers manually? I can help you with that! /li>/ol>a hrefhttps://lh3.googleusercontent.com/-NWzdkcOzCSM/Vy12J1uFr1I/AAAAAAAAJHM/WPTUVnocXMc/s1600-h/RaspChef_Big%25255B14%25255D.jpg>img altRaspChef_Big height216 srchttps://lh3.googleusercontent.com/-Q3MzKKhaCjc/Vy12KYCFQjI/AAAAAAAAJHQ/bbEPnlpADQo/RaspChef_Big_thumb%25255B10%25255D.jpg?imgmax800 styledisplay: block; float: none; margin-left: auto; margin-right: auto; titleRaspChef_Big width620 />/a>br />h3>Scope/h3>In this article we’ll cover installing and configuring the a hrefhttps://www.chef.io/chef/>Chef/a> version 12 client on a Raspberry Pi. This has been tested on Raspberry Pi versions 2 and 3; in theory it should work on a 1 as well, albeit slowly. br />h3>Assumptions/h3>ul>li>Raspberry Pi with Raspbian, a hrefhttps://blog.hypriot.com/>Hypriot/a>, or a similar build with a connection to the interwebs /li>li>Chef server/org you would like to point clients to /li>li>Chef workstation capable of bootstrapping clients; if needed see a hrefhttps://www.digitalocean.com/community/tutorials/how-to-set-up-a-chef-12-configuration-management-system-on-ubuntu-14-04-servers>this/a> excellent article by Digital Ocean. /li>/ul>h3>Execution/h3>The main point of this article is really the installation of a hrefhttps://www.ruby-lang.org/en/>Ruby/a>, which is the foundation on which Chef is built. Because the Ruby package in the Raspbian repositories is out of date (2.1 as of this writing) we need to compile our own from source. Chef 12 a hrefhttps://docs.chef.io/chef_system_requirements.html>requires Ruby 2.0 or greater/a>, but a hrefhttps://rack.github.io/>Rack/a>, which is installed with Chef, requires 2.2.2. 
b>UPDATE 7/9/2017/b>: Ruby 2.4 or newer is now needed to continue successfully. Thanks Mike (from comments below)!br />h4>Step 1: Install Ruby/h4>Clearly this should be scripted for optimal efficiency, but for learning purposes we’ll do it step by step to see exactly what is going on first hand. Log onto your Raspi via SSH and execute the following: br />ol>li>Most commands we’ll be executing require root, so let’s elevate our session: pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>sudo su/code>/pre>Where i>a hrefhttps://www.sudo.ws/intro.html>sudo/a>/i> super user do and i>a hrefhttps://en.wikipedia.org/wiki/Su_%28Unix%29>su/a>/i> super user; using root privs to assume root identity. 
br />br />/li>li>Pull the newest package lists from configured repositories to ensure we get the newest packages: pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>apt-get update/code>/pre>a hrefhttps://lh3.googleusercontent.com/-8OAmTRCfGpE/Vy7G2aAPgQI/AAAAAAAAJJo/q04vC8v58Zo/s1600-h/2016-05-07%25252000_03_01-_home_toby_%25255B7%25255D.png>img alt2016-05-07 00_03_01-_home_toby_ border0 height192 srchttps://lh3.googleusercontent.com/-8Z3XbI1_in4/Vy7G3dB-JMI/AAAAAAAAJJs/8uhOVEQuTxw/2016-05-07%25252000_03_01-_home_toby__thumb%25255B5%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 00_03_01-_home_toby_ width397 />/a>br />/li>li>Install pre-requisites for Ruby: a hrefhttps://gcc.gnu.org/>gcc/a>, a hrefhttps://www.gnu.org/software/make/>make/a>, and a hrefhttps://packages.debian.org/jessie/libssl-dev>libssl-dev/a> with their dependencies. 
pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>apt-get install gcc make libssl-dev/code>/pre>a hrefhttps://lh3.googleusercontent.com/-RzOOVHQgn3U/Vy7G34mRFhI/AAAAAAAAJJ0/cH5-xWt37-A/s1600-h/2016-05-07%25252000_06_47-_home_toby_%25255B4%25255D.png>img alt2016-05-07 00_06_47-_home_toby_ border0 height203 srchttps://lh3.googleusercontent.com/-5OZhiwBz5cA/Vy7G4dU7g1I/AAAAAAAAJJ4/6x1ri33sKfg/2016-05-07%25252000_06_47-_home_toby__thumb%25255B2%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 00_06_47-_home_toby_ width356 />/a>br />b>Note/b>: On some distros, such as Raspbian, gcc and make are installed by default. It won't hurt to include them on the command line nonetheless, and including them here will cover most distros. 
br />br />/li>li>Download the Ruby source to the /usr/src directory:pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>cd /usr/src
wget https://cache.ruby-lang.org/pub/ruby/2.2/ruby-2.2.5.tar.gz/code>/pre>b>Note/b>: 2.2.5 is the newest 2.2 version at the time of this writing, but you should make sure there isn't a newer version available. Check the Ruby page a hrefhttps://www.ruby-lang.org/en/downloads/>here/a>, and compare the downloaded tarball against the checksum published there before extracting it.br />br />/li>li>Extract the source & navigate to the directory (b>Make sure you update filenames/directory names for differing versions/b>):pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>tar -xvzf ruby-2.2.5.tar.gz
cd ruby-2.2.5/code>/pre>/li>li>Prepare to compile with a hrefhttps://en.wikipedia.org/wiki/Configure_script>configure/a>, omitting unnecessary components: pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>./configure --enable-shared --disable-install-doc 
--disable-install-rdoc --disable-install-capi/code>/pre>a hrefhttps://lh3.googleusercontent.com/-zlUPihpvKis/Vy7G4nNRH5I/AAAAAAAAJJ8/E_3MEoab3wo/s1600-h/2016-05-07%25252000_12_03-_home_toby_%25255B4%25255D.png>img alt2016-05-07 00_12_03-_home_toby_ border0 height120 srchttps://lh3.googleusercontent.com/-Sqy1PjNhhno/Vy7G5I_l9nI/AAAAAAAAJKA/p5G1iWCE7GE/2016-05-07%25252000_12_03-_home_toby__thumb%25255B2%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 00_12_03-_home_toby_ width482 />/a>br />b>Note/b>: This will take between 2 and 10 minutes depending on which Pi and the speed of your SD card.br />br />/li>li>Compile it using a hrefhttps://www.gnu.org/software/make/manual/make.html>make/a>!pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>make -j4 ; make install/code>/pre>a hrefhttps://lh3.googleusercontent.com/-MXcUO3PNDvI/Vy7G5Vu3K_I/AAAAAAAAJKE/ftqUVYQcU1c/s1600-h/2016-05-07%25252015_28_19-Window%25255B7%25255D.png>img alt2016-05-07 15_28_19-Window border0 height74 srchttps://lh3.googleusercontent.com/-Q0uX2YDWdm0/Vy7G51EhheI/AAAAAAAAJKI/meYxH8PJv84/2016-05-07%25252015_28_19-Window_thumb%25255B3%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; 
title2016-05-07 15_28_19-Window width520 />/a>br />b>Note/b>: make -j4 will multi-thread the execution, using each of the Raspis processors. This will take between 15 and 30 minutes depending on your Pi and SD card./li>/ol>a hrefhttps://lh3.googleusercontent.com/-QvYcUGb8OIU/Vy7FbelLxzI/AAAAAAAAJJM/0r_1jGM_Z2o/s1600-h/hot_hot_hot%25255B20%25255D.jpg>img althot_hot_hot border0 height267 srchttps://lh3.googleusercontent.com/-G0ETHXWI6kI/Vy7Fb5Ra-dI/AAAAAAAAJJQ/rALhW7G_VCs/hot_hot_hot_thumb%25255B18%25255D.jpg?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; titlehot_hot_hot width519 />/a>br />h4>Step 2: Install Chef/h4>Now we’ll use the a hrefhttps://guides.rubygems.org/command-reference/#gem-install>gem install/a> command to get Chef br />ol>li>Execute i>gem install chef /i>as root (sudo if not). pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>gem install chef/code>/pre>b>Note/b>: This will take between 5 and 25 minutes depending on which Pi, SD card, and network connection. 
br />br />a hrefhttps://lh3.googleusercontent.com/-gmWd0W2e3CA/Vy7G6AdE1fI/AAAAAAAAJKM/dPeL_59HTY4/s1600-h/2016-05-07%25252016_44_05-Window%25255B4%25255D.png>img alt2016-05-07 16_44_05-Window border0 height141 srchttps://lh3.googleusercontent.com/-GZV1jqlei2o/Vy7G6rf_XjI/AAAAAAAAJKQ/ekkbPBSGBIw/2016-05-07%25252016_44_05-Window_thumb%25255B2%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 16_44_05-Window width564 />/a>br />/li>li>Relinquish root privileges as they are no longer needed. This should only exit the root session and not the SSH session itself. If you’re logged in directly as root ignore this, but don’t do that next time! pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>exit/code>/pre>/li>li>Test the install to ensure it workedpre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>chef-client --version/code>/pre>a hrefhttps://lh3.googleusercontent.com/-HPpEmKOzbws/Vy7G7Ob3iwI/AAAAAAAAJKU/tDTakHdvwao/s1600-h/2016-05-07%25252016_46_29-Window%25255B7%25255D.png>img alt2016-05-07 16_46_29-Window border0 
height49 srchttps://lh3.googleusercontent.com/-kGKl-dU6WfM/Vy7G7ZMem2I/AAAAAAAAJKY/uyjcG5lTaWk/2016-05-07%25252016_46_29-Window_thumb%25255B5%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 16_46_29-Window width516 />/a>/li>/ol>h4>Step 3: Configure Chef/h4>For this step move to your Chef workstation and log on using the account that is configured to manage your organization. br />ol>li>Use the knife command to bootstrap the newly installed client: pre stylebackground: #f0f0f0; border-bottom: #cccccc 1px dashed; border-left: #cccccc 1px dashed; border-right: #cccccc 1px dashed; border-top: #cccccc 1px dashed; color: black; font-family: "arial"; font-size: 12px; height: auto; line-height: 20px; overflow: auto; padding-bottom: 0px; padding-left: 0px; padding-right: 0px; padding-top: 0px; text-align: left; width: 99%;>code stylecolor: black; word-wrap: normal;>knife bootstrap rasdock02.truckchase.lan -N rasdock02.truckchase.lan -x {user} -P {password}/code>/pre>b>Where/b>: {user} is a user on the target platform with root privileges and {password} is the password for that account. Keep in mind that a password passed with -P lands in your shell history and is visible in the process list while knife runs, so authenticating with an SSH key instead is preferable where you can. 
br />br />b>Note/b>: It is normal to see errors on the first portion on the bootstrap since the Chef ARM client will not be found in the Chef repo, but the second phase should work utilizing the client we just installed.br />br />a hrefhttps://lh3.googleusercontent.com/-EN_T8Ye4xJM/Vy7G7xHDr7I/AAAAAAAAJKc/RLIylGBSM34/s1600-h/2016-05-07%25252016_50_56-Window%25255B6%25255D.png>img alt2016-05-07 16_50_56-Window border0 height385 srchttps://lh3.googleusercontent.com/-0VpXwqY_CcU/Vy7G8a2NbKI/AAAAAAAAJKg/83oCOL6SJyI/2016-05-07%25252016_50_56-Window_thumb%25255B4%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 16_50_56-Window width527 />/a>/li>/ol>br />That’s it! For further verification you can check against the Chef server using your workstation (i>knife client show {node name}/i>) or even better yet, use a hrefhttps://docs.chef.io/manage.html>Chef Manage/a> if you have it available. 
br />br />a hrefhttps://lh3.googleusercontent.com/-YoRj47s11Rc/Vy7G8wLferI/AAAAAAAAJKk/Rq4MX1bJNnU/s1600-h/2016-05-07%25252016_53_23-Chef%252520Manage%25255B5%25255D.png>img alt2016-05-07 16_53_23-Chef Manage border0 height219 srchttps://lh3.googleusercontent.com/-G9dks4HU5Zs/Vy7G9TkQfjI/AAAAAAAAJKo/dQF_-Yun43E/2016-05-07%25252016_53_23-Chef%252520Manage_thumb%25255B3%25255D.png?imgmax800 stylebackground-image: none; border-bottom-width: 0px; border-left-width: 0px; border-right-width: 0px; border-top-width: 0px; display: block; float: none; margin-left: auto; margin-right: auto; padding-left: 0px; padding-right: 0px; padding-top: 0px; title2016-05-07 16_53_23-Chef Manage width611 />/a>br />h4>References/h4>li>a hrefhttps://docs.chef.io/>Chef Documentation/a> /li>li>a hrefhttps://ruby-doc.org/>Ruby Documentation/a>/li>/ul>div styleclear: both;>/div>/div>div classpost-footer>div classpost-footer-line post-footer-line-1>span classpost-author vcard>Posted byspan classfn itempropauthor itemscopeitemscope itemtypehttp://schema.org/Person>meta contenthttps://www.blogger.com/profile/11479868060801724272 itempropurl/>a classg-profile hrefhttps://www.blogger.com/profile/11479868060801724272 relauthor titleauthor profile>span itempropname>Toby Meyer/span>/a>/span>/span>span classpost-timestamp>atmeta contenthttps://blog.ittoby.com/2016/04/installing-chef-on-raspberry-pi-23.html itempropurl/>a classtimestamp-link hrefhttps://blog.ittoby.com/2016/04/installing-chef-on-raspberry-pi-23.html relbookmark titlepermanent link>abbr classpublished itempropdatePublished title2016-04-19T21:45:00-05:00>9:45 PM/abbr>/a>/span>span classpost-comment-link>a classcomment-link hrefhttps://www.blogger.com/comment/fullpage/post/5458589696790815336/6925285669746901707 onclick>7 comments: /a>/span>span classpost-icons>span classitem-control blog-admin pid-649803412>a hrefhttps://www.blogger.com/post-edit.g?blogID5458589696790815336&postID6925285669746901707&frompencil titleEdit Post>img alt 