My new article with @AltaroSoftware – How to Boost Network Performance Inside China’s Great Firewall

Together with Altaro, I wrote a new article about how to improve performance for users inside China who use services and cloud services outside of China.

I hope you enjoy reading.

Maximize free subscription days when upgrading to XBox Game Pass Ultimate

Hi everyone,

During a sleepless night browsing the XBox Store, I discovered an interesting offer which hides a lot of free fun for gamers. 🙂

Microsoft XBox currently has a really great offer when changing from XBox Gold and Game Pass to Game Pass Ultimate.

First, you get the first month for 1€.

That is already nice but there is an additional thing you should know. As you might have already discovered, the new Game Pass Ultimate combines XBox Gold and Game Pass into one subscription.

To help players who paid more for both subscriptions and have them currently running, Microsoft adds up all prepaid subscription days from Gold and Game Pass and combines them into Ultimate. That means the following:

1 month XBox Gold + 1 month XBox Game Pass = 2 months Game Pass Ultimate 🙂

That's really nice. I tried that with my account yesterday, with the following result.

Where I started:

Where I ended:

Yes, I don’t need any new Game Pass for 2 years now.

But … one moment! Every prepaid is eligible to be converted for 1€, right?

Yes it is and now here comes the magic and an awesome offer Microsoft makes to their gaming community.

The Microsoft XBox trial licences you get with a new XBox, some games, events etc. are also prepaid.

So I tried it with another account. I added some free trials which I had at home. As you know, you can add trials more than one time per account.

In the end I did the following:

  1. Added two passes for XBox Gold (1 month)
  2. Enabled the automatic payment to get another free month
  3. Added two passes for XBox Game Pass (1 month)
  4. Enabled the automatic payment to get another free month
  5. Upgraded to Ultimate for 1€

Result: I ended up with 5 months XBox live for 1€. 🙂

Afterwards you can cancel automatic payment in your XBox account.

I hope the blog helps, and I'm happy to hear from you.

Cheers,

Flo

What happens when a Certification Junkie lives too near to a Testcenter? – Certification Overload!

Hi everyone,

For 10 months I have lived within walking distance, about 20 minutes, of a Microsoft Testcenter.

As a result, I’m taking exams every time my calendar allows it. Currently I’m going for one exam per month, mainly without any preparation.

I only want to test my current knowledge, which I gained through my job and personal interest.

As a result, I ended up gaining the following certifications in the last 12 months.

  • Microsoft Certified: Azure Security Engineer Associate
  • Microsoft Certified Solutions Expert: Core Infrastructure
    • Implementing a Software-Defined Datacenter
  • Microsoft Certified: Azure Fundamentals
  • Microsoft Certified: Azure Solutions Architect Expert
  • Microsoft Certified: Azure Administrator Associate
  • Microsoft Certified Solutions Associate: Cloud Platform
    • Configuring and Operating a Hybrid Cloud with Microsoft Azure Stack
  • Microsoft Certified Solutions Expert: Cloud Platform and Infrastructure

Next to go will be the new Modern Workplace certifications and maybe the Microsoft DevOps certifications. 🙂

Currently I am saving some money for the Certified Ethical Hacker certification. 🙂 Donations are welcome :p

If you have any questions regarding the exams, just drop me a comment or mail.

Cheers,
Flo

Storage Spaces Direct Series Part 2 & 3 via Altaro Blog

Hi everyone,

I want to inform you about my two new blog posts about Storage Spaces Direct that I wrote for Altaro.

In the second post I write about the technologies in focus of S2D.

You can find the post by following the link below.

In the third post you will learn the following things:

  • Where Did S2D Come From?
  • Converged vs. Hyper-Converged Infrastructure
  • How to License Storage Spaces Direct

You can find the post by following the link below.

You can post feedback and questions in the comment sections of the Altaro Blogs. 🙂

Cheers,

Flo

How to download VPN Device Configurations from Azure

Hi everyone,

As you may know, IPsec VPN configuration between Azure and different firewall / VPN device vendors can become very tricky.

Some devices, such as those from Palo Alto, Barracuda, FortiNet or CheckPoint, are able to autonegotiate the VPN configuration with an Azure Virtual Network Gateway, but there are also others, such as those from Cisco or Ubiquiti Networks.

Microsoft published a very small but amazing new feature in the Azure Virtual Network Gateway service. It happened very silently sometime in the last weeks.

Since that update you are able to download the VPN configuration for some of those vendors where you need a manual configuration. You can easily replicate or upload the configuration into your device and it will do the rest.

Let me show you how to do it.

Select the connection of your Local Network Gateway / ExpressRoute Circuit to your Virtual Network Gateway.

Afterwards you click on Download Configuration.

Now you select your vendor or the generic sample

Select the device

The firmware version

And at last download the configuration

The outcome will be a file with a configuration similar to this one.

! Microsoft Corporation
! ——————————————————————————————————————————————–
! Generic configuration templates
!
! IMPORTANT: This template is for Allied Telesis AR Series VPN Routers running on Firmware Version 5.4.7 or higher.
!
! This configuration template shows all the VPN configuration parameters associated with your S2S VPN connection.
! The script you need to copy onto your Allied Telesis AR Series VPN Router (5.4.7+) to setup a RouteBased IKEv2 VPN Tunnel to Azure with VTI Support (no BGP) is found below [#10]:
! ——————————————————————————————————————————————–

! [1] Resource names
! CONNECTION NAME : This field is the name of your connection resource
! VIRTUAL NETWORK GATEWAY : The name of your Azure VPN gateway resource for the connection
! LOCAL NETWORK GATEWAY : The name of your local network gateway resource for the connection
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_NAME = Demo-GW01-Demo-LW01
/Data/VNG_NAME = b3b85211-0dd1-4850-87c9-1029cc4579da
/Data/LNG_NAME = Demo-LW01
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [2] Public IP address of the Azure VPN gateway
! Active-Standby VPN gateway (single public IP address)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/VNG_GATEWAYIP = 51.144.114.218
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! Active-Active VPN gateway (A/A mode if more than one public IP is listed below)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VNG_GATEWAYIPS/IpAddress/IP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [3] Public IP address of the on-premises VPN device
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_GATEWAYIP =
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [4] VNet address prefixes: a list of all VNet address prefixes in different formats
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/VnetSubnets/Subnet/SP_NetworkIpRange = 192.168.155.0
SP_NetworkSubnetMask = 255.255.255.0
SP_NetworkWildcardBits = 0.0.0.255
SP_NetworkCIDR = 192.168.155.0/24
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [5] On-premises address prefixes: a list of all on-premises address prefixes defined in LNG
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

/Data/OnPremiseSubnets/Subnet/SP_NetworkIpRange = 172.20.100.0
SP_NetworkSubnetMask = 255.255.252.0
SP_NetworkWildcardBits = 0.0.3.255
SP_NetworkCIDR = 172.20.100.0/22
SP_TunnelName = SP_TunnelName
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [6] Phase 1/Main Mode:
! IKE encryption algorithm
! IKE hashing algorithm
! IKE Diffie-Hellman group
! IKE SA lifetime (seconds)
! IKE SA data size (Kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IKE_SALIFETIME_1 = 28800
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [7] Phase 2/Quick Mode:
! IPsec encryption algorithm
! IPsec hashing algorithm
! PFS Group (Perfect Forward Secrecy)
! IPsec SA (QMSA) lifetime (seconds)
! IPsec SA (QMSA) lifetime (kilobytes)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/IPsec_SALIFETIME = 3600
/Data/IPsec_KB_SALIFETIME = 102400000
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [8] Connection pre-shared key
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_PSK = Abcd1234
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [9] BGP parameters – Azure VPN gateway
! Enable BGP
! BGP ASN for Azure VPN gateway
! BGP speaker IP address for the Azure VPN gateway
! BGP peer IP address(es)
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/CONNECTION_BGP_ENABLED = False
/Data/VNG_ASN = VNG_ASN
/Data/VNG_BGPIP = VNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
! [10] BGP parameters – on-premises network / LNG
! BGP ASN for the on-premises network
! BGP speaker IP address for the on-premises network
!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
/Data/LNG_ASN = LNG_ASN
/Data/LNG_BGPIP = LNG_BGPIP
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!

! ########################################################################################################
! !!! Search for “REPLACE” to find the values that require special considerations
! ########################################################################################################
! ON-PREMISES ENVIRONMENT:
!
! – AR-Series WAN/Public Interface:
! INTERFACE: ETH1
! ZONE: VPN
! IP: VPN PUBLIC IP
! ISP Default GW: x.x.x.1
!
! – A.T ONPREMISES/LOCAL ENVIRONMENT:
! INTERFACE: VLAN1
! ZONE: PRIVATE
! On-Premises Addr Range: ON-PREMISES ADDRESS RANGE (ex. 192.168.1.0/24)
! A.T MGMT/LAN Interface: 192.168.1.254
!
! – AR-Series VPN BLADE:
! TUNNEL VTI IP: ex. 192.168.2.222/32
! TUNNEL INTERFACE: tunnel0
! ISAKMP PROFILE: AZURE-ISAKMP
! IPSEC PROFILE: AZURE-IPSEC
! ISAKMP PEER: AZURE GW PUBLIC IP
!
! AZURE VNET ENVIRONMENT:
!
! – AZURE VIRTUAL NETWORK:
! – ADDRESS RANGE: AZURE ADDRESS RANGE (ex. 10.10.0.0/16)
! – AZURE GATEWAY IP: AZURE GATEWAY PUBLIC IP

! ============================================================================================
! Example – Allied Telesis AR Series VPN Router (5.4.7+) in Active/Passive Azure GW Mode, with VTI Support (No BGP Router)
! ============================================================================================

! FOLLOW THESE STEPS TO CREATE YOUR IKEv2 TUNNEL TO AZURE:

! CREATE YOUR PRIVATE ZONE, CONTAINING YOUR ON-PREMISES/LAN NETWORK
! Note: REPLACE “vlan1” and “192.168.1.254” as needed. They are used here as examples for your LAN network and LAN Host/Management IP.

zone PRIVATE
network LAN
ip subnet 172.20.100.0/22 interface vlan1
host LAN_IP
ip address 192.168.1.254
!

! Note: REPLACE “eth1” as needed. It is used here as your WAN interface.
zone PUBLIC
network WAN
ip subnet 0.0.0.0/0 interface eth1
host WAN_IP
ip address
!

! Note: REPLACE “tunnel0” as needed. It is used here to denote your VTI tunnel interface.
zone VPN
network AZURE
ip subnet 192.168.155.0/24 interface tunnel0
!

application esp
protocol 50
!
application icmp
protocol icmp
!
application isakmp
protocol udp
sport 500
dport 500
!
! Below shows you how to enable the Web-Control Feature Function, in case you have a valid feature license key (commented out)
!web-control
! action permit
! provider digitalarts
!

! THESE ARE YOUR REQUIRED FIREWALL RULES FOR YOUR AZURE CONNECTION

firewall
rule 10 permit isakmp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 20 permit isakmp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 30 permit esp from PUBLIC.WAN.WAN_IP to PUBLIC.WAN
rule 40 permit esp from PUBLIC.WAN to PUBLIC.WAN.WAN_IP
rule 45 permit ping from PRIVATE to PRIVATE
rule 50 permit ping from VPN.AZURE to PRIVATE.LAN
rule 60 permit ping from PRIVATE.LAN to VPN.AZURE
rule 70 permit ping from PUBLIC.WAN to PRIVATE.LAN
rule 75 permit ping from PRIVATE to PUBLIC
rule 80 permit any from PRIVATE.LAN to VPN.AZURE
rule 90 permit any from VPN.AZURE to PRIVATE.LAN
protect
!

! NAT RULE
nat
rule 10 masq any from PRIVATE to PUBLIC
enable
!

! AZURE IPSEC PROFILE
crypto ipsec profile AZURE-IPSEC-Demo-GW01-Demo-LW01
lifetime seconds 3600
transform 1 protocol esp integrity SHA1 encryption AES256
!

! AZURE ISAKMP/IKEv2 PHASE 1 PROFILE
crypto isakmp profile AZURE-IPSEC-Demo-GW01-Demo-LW01
!
crypto isakmp profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
version 2
lifetime 28800
transform 1 integrity SHA1 encryption AES256 group 2
!

! AZURE ISAKMP PRE-SHARED KEY
crypto isakmp key 8 Abcd1234 address
!

! AZURE ISAKMP PEER (AZURE GATEWAY)
crypto isakmp peer address <-> profile AZURE-ISAKMP-Demo-GW01-Demo-LW01
!

! MAKE SURE YOU HAVE CONFIGURED VPN WAN INTERFACE WITH A PUBLIC IP ADDRESS. BELOW IS AN EXAMPLE
! Note: REPLACE “eth1” if already used.
! Note: REPLACE subnet prefix “/24” below by the correct prefix (offered by your ISP) for your public IP block if it’s different.

interface eth1
description external wan
ip address 84.177.215.91/24

! MAKE SURE YOU HAVE CONFIGURED YOUR VPN MANAGEMENT/LAN INTERFACE, FOR YOUR ONPREMISES NETWORK. BELOW IS AN EXAMPLE
! Note: REPLACE “vlan1” if already used
! IMPORTANT:
! Ensure that the management interface for your onPremises network, that is used by your AR-Series LAN, is listed below !
! REPLACE “192.168.1.254” as needed (Azure does not have visibility over your MGMT IP).
! In this example, my management IP is 192.168.1.254, for my onPremises LAN network 192.168.1.0/24.

interface vlan1
description Internal LAN
ip address 192.168.1.254/24

! CREATE YOUR VTI INTERFACE FOR THE ROUTEBASED TUNNEL TO AZURE:
! REPLACE “Tunnel0” to something else, if already used.
! IMPORTANT: Ensure that the local network address space for your onPremises network, that is used by your AR-Series LAN interface, is listed under “tunnel local selector” !
! –> It is essential to list this one first in the Azure Portal, under your Local Network Gateway –> Configuration–>”Address Space” blade.
! –> Following this, you must also define your VTI interface next (/32), as a second entry under the same Azure blade mentioned above.
! (LNG –> Configuration–> “Address Space”)

! IMPORTANT NOTES:
! > Your VTI Interface IP below (192.168.2.222/32) is an example. REPLACE ‘192.168.2.222/32’ with a different /32 host IP, it if this range is already used by another interface.
! > As explained above, make sure that you have also added this IP to the “LOCAL NETWORK GATEWAY” object in the Azure Portal, following your actual LAN segment. When doing so, please
! add a /32 subnet mask to it, and ensure that this IP doesn’t overlap with your on-premises address range(s).

interface Tunnel10
ip address 192.168.2.222/32
ip tcp adjust-mss 1350
tunnel source
tunnel destination
tunnel local selector 1 172.20.100.0/22
tunnel remote selector 1 192.168.155.0/24
tunnel protection ipsec profile AZURE-IPSEC-PROFILE-Demo-GW01-Demo-LW01
tunnel mode ipsec ipv4
!

! CREATE YOUR STATIC ROUTES
! Note: The 0/0 route needs to have your ISP Default GW as your Next-Hop.
! REPLACE “x.x.x.1” by your assigned ISP Default GW IP.

ip route 0.0.0.0/0 x.x.x.1 eth1
ip route 192.168.155.0/24 tunnel0
!
line con 0
line vty 0 4
!
end
!————————————————–END——————————————————-!
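
The downloaded file deserves a review before it goes onto a device or into a ticket: the sample above carries the connection pre-shared key in clear text (section [8]) and uses SHA1, DH group 2 and no PFS. The following is an added example, not part of the original post or of the Azure template: a Python sketch that parses the "/Data/KEY = value" lines and flags such settings. The function names, the flagged values and the 32-character key threshold are assumptions of this example.

```python
import re

# Constructed sample: a comment line plus the /Data/ lines from sections
# [6]-[8] of the template shown above.
SAMPLE = """\
! [6] Phase 1/Main Mode:
/Data/IKE_ENCRYPTION_1 = aes256
/Data/IKE_INTEGRITY_1 = sha1
/Data/IKE_DHGROUP_1 = 2
/Data/IKE_SALIFETIME_1 = 28800
/Data/IPsec_ENCRYPTION_1 = aes256
/Data/IPsec_INTEGRITY_1 = sha1
/Data/IPsec_PFSGROUP_1 = None
/Data/CONNECTION_PSK = Abcd1234
"""

DATA_LINE = re.compile(r"^/Data/([\w/]+)\s*=\s*(.*)$")


def parse_template(text):
    """Collect '/Data/KEY = value' lines; '!' comments and CLI lines are skipped."""
    params = {}
    for line in text.splitlines():
        match = DATA_LINE.match(line.strip())
        if match:
            params[match.group(1)] = match.group(2).strip()
    return params


def audit(params, min_psk_len=32):
    """Return (key, note) findings. The policy here is an assumption of this example."""
    findings = []
    for key, value in params.items():
        low = value.lower()
        if "INTEGRITY" in key and low in ("md5", "sha1"):
            findings.append((key, f"{value}: legacy hash, prefer SHA-256 or stronger"))
        elif "DHGROUP" in key and low in ("1", "2"):
            findings.append((key, f"group {value}: MODP of 1024 bits or less"))
        elif "PFSGROUP" in key and low == "none":
            findings.append((key, "no PFS: Phase 2 rekeys run no fresh DH exchange"))
        elif key == "CONNECTION_PSK" and len(value) < min_psk_len:
            # Report only the length so the secret never reaches logs or tickets.
            findings.append((key, f"{len(value)}-character key, below {min_psk_len}"))
    return findings


if __name__ == "__main__":
    for key, note in audit(parse_template(SAMPLE)):
        print(f"{key}: {note}")
```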

I hope the post was helpful and if you have any questions, don’t hesitate to ask.

Cheers,
Flo