Azure routing port 25

I’ve known that Azure restricts outbound port 25 within its cloud for security reasons, but today I learned a little more granularity to that.

As a baseline, here’s a configuration I’m using in Azure right now that is functional:

This is two virtual networks, connected with a VNET Peer, with each subnet protected by a Network Security Group allowing port 25 traffic. Clients send un-authenticated SMTP to an internal relay over port 25, and then the relay is configured to send outbound authenticated over port 587 with TLS.


Now here is a configuration that doesn’t work:

This is two virtual networks, connected by a site-to-site VPN tunnel established through a network virtual appliance (in this case, a VeloCloud, but it could be anything).

Then, in order to get traffic to the NVA, we use a User-Defined Route (UDR) on a route table, with the NVA LAN interface set as the next hop IP address.

In this scenario, our internal relay is configured to use port 25 to a different relay on the other side of the tunnel.

From what I can tell (because there aren’t diagnostic flow logs like the NSG), the traffic gets blocked at the UDR, because it never hits my NVA. However, other types of traffic (SSH, HTTPS, port 587) have no problem being routed and received.

It’s very interesting to me that the native routing of Azure vnets will allow port 25 traffic, but UDRs will not.
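As an added example (not from the original post), here is how the relay subnet’s UDR and a least-privilege NSG rule for port 25 could be built with the Az PowerShell module, plus the check that confirms the route actually landed on the relay NIC. Resource names, address ranges and the NVA LAN address are assumptions.

```powershell
# Added example, not from the original post. Resource names, address ranges and
# the NVA LAN address are assumptions; the Az module (Connect-AzAccount) is required.
$rg       = 'rg-mail'
$location = 'eastus'
$nvaLanIp = '10.1.0.4'        # LAN-side interface of the NVA (next hop for the tunnel)
$farSide  = '10.2.0.0/16'     # network reached through the site-to-site tunnel
$clients  = '10.1.1.0/24'     # subnet of the hosts that submit mail
$relayIp  = '10.1.2.4'        # the internal SMTP relay

# UDR: anything for the far side of the tunnel goes to the NVA rather than the system route
$toTunnel = New-AzRouteConfig -Name 'far-side-via-nva' -AddressPrefix $farSide `
    -NextHopType VirtualAppliance -NextHopIpAddress $nvaLanIp
$rt = New-AzRouteTable -Name 'rt-relay' -ResourceGroupName $rg -Location $location -Route $toTunnel

# NSG: accept unauthenticated SMTP on 25 only from the client subnet, and only to the relay
$smtpIn = New-AzNetworkSecurityRuleConfig -Name 'allow-smtp-from-clients' -Priority 100 `
    -Direction Inbound -Access Allow -Protocol Tcp `
    -SourceAddressPrefix $clients -SourcePortRange '*' `
    -DestinationAddressPrefix $relayIp -DestinationPortRange 25
$nsg = New-AzNetworkSecurityGroup -Name 'nsg-relay' -ResourceGroupName $rg -Location $location `
    -SecurityRules $smtpIn

# Bind both to the relay subnet and push the VNet change
$vnet = Get-AzVirtualNetwork -Name 'vnet-mail' -ResourceGroupName $rg
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name 'relay' -AddressPrefix '10.1.2.0/24' `
    -RouteTable $rt -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Check: the relay NIC's effective routes must list the UDR (Source = User) with the NVA as next hop.
# If it is present and port 25 still never reaches the NVA while 587 does, you are seeing the
# platform behaviour described above, not a routing mistake.
Get-AzEffectiveRouteTable -NetworkInterfaceName 'relay-nic' -ResourceGroupName $rg |
    Where-Object { $_.Source -eq 'User' } |
    Select-Object Name, AddressPrefix, NextHopType, NextHopIpAddress, State
```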

Install Windows Feature from Source

Here’s the syntax to use with the Install-WindowsFeature cmdlet when the source is an ISO mounted as a DVD:

Install-WindowsFeature -Name "Web-App-Dev" -source wim:f:\sources\install.wim:4

Interestingly, when I tried to do this with the feature “Web-Net-Ext” for the .net 3.5 extensibility, it failed with a download error.

Even trying to install .net 3.5 through Install-WindowsFeature or the Server Manager failed with a similar error.

I had to install it through DISM, and then the rest of the command worked:

Dism /online /enable-feature /featurename:NetFX3 /All /Source:F:\sources\sxs
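An added example (not from the original post) that wraps the two commands above: it lists the images in the WIM so the index in the wim: source string is verified rather than guessed, and routes .NET 3.5 (feature name NET-Framework-Core) through DISM with the sxs payload, which is the case that failed above. The F: drive letter is an assumption.

```powershell
# Added example, not from the original post. Assumes the ISO is mounted as F: and that
# the operator picks the WIM index after seeing the list (editions differ per index).
function Install-FeatureFromIso {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [string]$Drive = 'F:',
        [int]$Index = 0
    )
    $wim = "$Drive\sources\install.wim"
    $sxs = "$Drive\sources\sxs"

    # Enumerate the images so ':4' is confirmed to be the right edition, not assumed
    $images = Get-WindowsImage -ImagePath $wim
    if ($Index -eq 0) {
        $images | ForEach-Object { Write-Host ('{0}  {1}' -f $_.ImageIndex, $_.ImageName) }
        throw 'Re-run with -Index set to the image that matches the installed edition.'
    }
    if (-not ($images | Where-Object { $_.ImageIndex -eq $Index })) {
        throw "Index $Index is not present in $wim"
    }

    # .NET 3.5 needs the side-by-side payload via DISM; /LimitAccess stops it reaching for Windows Update
    if ($Name -contains 'NET-Framework-Core') {
        & Dism.exe /Online /Enable-Feature /FeatureName:NetFX3 /All /Source:$sxs /LimitAccess
        if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE" }
        $Name = @($Name | Where-Object { $_ -ne 'NET-Framework-Core' })
    }

    # Everything else installs from the WIM image at the chosen index
    if ($Name.Count -gt 0) {
        $result = Install-WindowsFeature -Name $Name -Source "wim:${wim}:$Index"
        if (-not $result.Success) { throw "Install-WindowsFeature failed, exit code $($result.ExitCode)" }
        $result
    }
}

# Usage: list the indexes first, then install
Install-FeatureFromIso -Name 'Web-App-Dev', 'NET-Framework-Core'
Install-FeatureFromIso -Name 'Web-App-Dev', 'NET-Framework-Core' -Index 4
```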


Exchange Online PowerShell access denied

I am attempting to test aspects of Office 365 Modern Authentication in a UAT environment prior to enabling it within our production Tenant.

Part of this work is testing the Exchange Online PowerShell access, as there is quite an amount of automation configured in our environment and we want to ensure it doesn’t break. I’ve read it “shouldn’t”, but that’s a dangerous word to trust.

Until now I’ve been unable to make the PowerShell connection to Exchange Online in our UAT environment, receiving the following during my attempts:

New-PSSession : [outlook.office365.com] Connecting to remote server outlook.office365.com failed with the following error message:[ClientAccessServer=servername,BackEndServer=servername.prod.outlook.com,RequestId=e6f6b9e7-7c5e-45ec-87fe-59332db1fb95,TimeStamp=8/17/2017 3:16:52 PM] Access Denied For more information, see the about_Remote_Troubleshooting Help topic.

I can use the same account to connect in-browser to http://portal.office.com, and it is set as a Global Administrator in O365, so I know that the account itself has appropriate access.

Interestingly, if I connect with the MFA-supported PowerShell method, with the same account, it connects successfully.

Through testing I’ve determined that using any on-premise account synchronized through Azure AD Connect fails with the same “Access Denied” message, while any cloud-only account connects successfully.

I began to look at our ADFS implementation in UAT since that is a key component for authenticating the on-premise user account. This environment has ADFS 2.0 on Server 2008 R2, which is different than production but shouldn’t be a barrier to connectivity (without MFA).

After comparing the O365 trust configuration and finding no issues, I decided to use the Microsoft Connectivity tool to test. Using the Office 365 Single Sign On test, I saw a failure with this error:

A certificate chain couldn't be constructed for the certificate.
Additional Details
The certificate chain has errors. Chain status = NotTimeValid.

This led me on the path to fixing expired/broken SSL certificates in our UAT ADFS, which I posted about previously here.

Now that the SSL problem is resolved, I attempted to connect to Exchange Online PowerShell again, and was successful!

Looks like this “Access Denied” message was directly related to the expired certificate of the ADFS proxy.
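The failure above surfaced only as “Access Denied” from New-PSSession, with the real cause (chain status NotTimeValid on the ADFS proxy) hidden until the connectivity test was run. As an added example (not from the original post), this function pulls the certificate each federation endpoint presents, builds the chain the same way and reports days remaining, so an expiring proxy certificate is caught before Exchange Online PowerShell starts refusing federated accounts. Host names are assumptions.

```powershell
# Added example, not from the original post. The host names at the bottom are assumptions.
function Test-FederationTlsCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [int]$WarnDays = 30
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = $null
    try {
        # Accept the handshake unconditionally so an already-expired certificate can still be read
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk  = $chain.Build($cert)          # same check the connectivity analyzer performs
        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

        [pscustomobject]@{
            Endpoint    = "${HostName}:$Port"
            Subject     = $cert.Subject
            NotAfter    = $cert.NotAfter
            DaysLeft    = $daysLeft               # negative means NotTimeValid, as in the post
            ChainValid  = $chainOk
            ChainStatus = if ($chainOk) { 'OK' } else { ($chain.ChainStatus.Status -join ', ') }
            Action      = if (-not $chainOk -or $daysLeft -lt $WarnDays) { 'RENEW' } else { 'none' }
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

# Check the ADFS proxy (what Office 365 talks to) and the internal farm; run on a schedule
'sts.example.com', 'adfs-internal.example.com' |
    ForEach-Object { Test-FederationTlsCertificate -HostName $_ } |
    Format-Table -AutoSize
```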


Telerik ASP.NET Radcontrols

When I first began developing web applications, it was with .net 4.0, gridviews, formviews and the Microsoft Ajaxtoolkit. Since I was learning on the job, Google was my first resource when stuck on a problem and I would consistently come across unhelpful articles for RadGrid and other Telerik tools.

Now, I have Telerik ASP.NET AJAX controls at my disposal, purchased for the current web application I’m building and I’m finding them to be such an amazing resource.

Being able to quickly build something like the RadPivotGrid from scratch is an empowering experience. In some circles I’ve seen the Telerik tools get a bad rap for being buggy or heavy, unnecessary code, but as a part-time developer I find them quite amazing. These two screenshots show grids of information that took less than a day to build.

[Screenshot: RadGrid with grouping]
[Screenshot: RadPivotGrid]

Writing code for all these features based on the Ajax GridMenu would have been horrible and taken a drastically long time.

The Telerik support and forums are fantastic as well. A couple of times I’ve had an issue trying to build something and submitted a support ticket. I had a response a few hours later, and it actually was a helpful response!

Overall, if you’re a web developer building ASP.NET applications, check out the Telerik tools; they’re worth the investment.