Renewed as Microsoft MVP for 2019-2020

I am renewed as Microsoft MVP for 2019-2020! Yesterday, July 1st 2019, while reading my e-mail in the afternoon, one more just arrived. What’s good about that? This is 2019 and many (still) struggle with too much e-mail, so one more e-mail is hardly blog post worthy. But this one is important: it announced that I am renewed as Microsoft MVP for 2019-2020 in Cloud & Datacenter Management.

This is great news to get on a Monday. This calls for a celebration. On the 4th of July we are having a small party at night with a buddy from North America, so we’ll combine both festivities.

One more year

I count myself lucky to be part of this program. I look forward to working with the product managers again and heading back over to Redmond in 2020. Thank you Microsoft for the trust, the insights, the two-way feedback that will ultimately lead to better decisions and products.

In the end this ties in to Microsoft’s mission which is to empower every person and organization on the planet to achieve more. We live in a world where things change fast. As a side effect, sometimes things don’t last very long. In such an environment a continuous feedback and decision loop is one of the necessities to make progress without getting lost. I will happily contribute to that.

Hyper-V Server 2019 is available

Introduction

Windows Server 2019 went RTM on October 3rd 2018. Ever since, we have been waiting for the Hyper-V Server 2019 edition. It has been sadly missing in action until now. Hyper-V Server 2019 is available since June 14th 2019. We’ll kindly subtract the month during which Windows Server 2019 went AWOL after RTM due to certain issues and bugs; it became available again on November 13th 2018. That means we had to wait 214 days (7 months, 2 days) to get Hyper-V Server 2019. This makes the time it took to get the evaluation ISO of Windows Server 2019 (January 2019) look short.

You can download Hyper-V Server 2019 here on the Windows Server Evaluations page.

Grab the Hyper-V Server 2019 bits!

What is Hyper-V Server?

Microsoft Hyper-V Server is a free product that delivers the same enterprise-class virtualization you get with Windows Server 2019. Hosters of Linux servers and VDI deployments are prime customers. Anyone looking for the best performing hypervisor for free is interested in this version. It comes as “core only” and does not support any other roles and features bar what is necessary to make Hyper-V work. Basically it is the hypervisor and not the rest of Windows. Which is fine!

Why does this matter?

The fact that it is here now is a big deal. The fact that it was missing for so long sent many speculating about the reasons. It fed the rumors that Hyper-V is dead to Microsoft and that Windows Server doesn’t matter anymore. Taking away the free version had people guessing that Microsoft was not even interested anymore in competing with VMware on this front.

Now, the IT landscape is changing and we’ll see next generation hypervisors appear that are tailored for and specialized in modern workloads. But sending Hyper-V off to pasture already would be a huge mistake, just like missing or incomplete features are hurting the product. Servers are going to be around for many years still and we need a modern, capable and reliable product to serve those needs for a long time.

Not having that is sending the wrong message and is a breach of trust. Trust is important. With trust you feel confident to rely on a technology and build on it. Only focusing on the new, which evolves ever faster and lasts ever less, is not how one builds long term customer loyalty. In this regard, the fact that Hyper-V Server 2019 is here is hopefully enough to put the minds of people that rely on it at ease.

A WatchGuard Firebox M200 joins the home lab

Introduction

I had been running a SonicWall NSA 220 “for ages” in my home lab but after 5 years of non-stop service, it died on me. This was not good. The appliance provided both my home office and my lab environment with routing and firewall capabilities. Part of that setup is static and part of it is dynamic, as for testing purposes lab environments are built and destroyed. So I needed to fix this asap. TL;DR: a WatchGuard Firebox M200 joins the home lab.

Workaround

I was looking at buying a pfSense dedicated appliance or a MikroTik router. I wanted to avoid my temporary workaround, which was pfSense running in a virtual machine. That is great for temporary testing, especially when you need to test various distros depending on the project. Integrating a dedicated appliance in the home lab does have some advantages. The drawback is that it does cost extra money to go get an appliance.

Dedicated appliance

With a dedicated appliance, I can isolate and protect my guest network and my home network, as well as maintain a secured IoT segment. If the appliance is a VM I need to make sure it is always running. A physical appliance is always ready whenever I start up my home lab and work environment. Likewise, when I shut that all down the physical appliance still provides services for other needs.

A physical appliance also has the benefit of a small form factor, a 1U size which provides the ability to rack mount it. We need to keep the lab clean and well ventilated to prevent a fire hazard. A desk full of powered on devices is not the way to go.

Last but not least, I find that getting some hands-on with the more popular brands these days is always a good thing. While they all provide similar functionality and some are more capable than others, they all do have their own particular ways of doing things. This means that working with different appliances helps solve issues in real life, as we encounter a variety of appliances out there.

A WatchGuard Firebox M200 joins the home lab

I was in luck, however. After talking shop on our way to some community events, a buddy who runs his own company provided me with some decommissioned WatchGuard hardware to use in the home office lab. I have tried to help him out with various small things over the years and what goes around comes around. Thanks, buddy! You see, you don’t have to take dumpster diving too literally.

The M200 and AP 300 during initial configuration

I got a WatchGuard Firebox M200 and a WatchGuard AP300 to go with it. This meant I could rebuild the main firewall/router functionality in the home lab. These products have been replaced by newer editions (M270). They are still excellent products, however, and provide great functionality to test. In a lab environment, these are great to have around. As I work in environments that require enterprise-level functionality within an SME budget, this kit hits the mark.

Even with the licenses for the advanced features expired it packs a punch. I also found a way to upgrade the OS to the latest version (v12.4.1). The standard ways require an active license but there is an option that does not. It took me a while to find it but it works and it is legit.

The WAP, which I also upgraded to the latest firmware (2.0.0.11), provides Wi-Fi for a guest network and a corporate authenticated network in my default permanent lab setup. More SSIDs and networks can be configured when the need arises for testing various scenarios. Wi-Fi in all its forms plays an essential part in any environment, with more mobile and flexible roles than ever before. More recently I was testing 802.1x port authentication for deployments in DevOps environments that leverage Hyper-V quite a lot. You might recall that the Hyper-V switch supports 802.1x since Windows Server 2019 (LTSC 1809) and Windows 10 (1809 and above), which was very timely for the solution I needed to provide.

The first and most essential configurations

I registered with another free dynamic DNS provider (http://freedns.afraid.org/about-us/) which the M200 on firmware 12.4.1 supports. The previous one I used was not supported. That was done quickly. I don’t need this because I “host” stuff at the home lab, but mainly because that is how I keep my dynamic IP updated in a place where I can grab it with some code to update VPN local gateway settings in Azure and other stuff like that.

The WatchGuard Firebox M200 is now the new core of the home network. I recreated all my VLANs and routes. While I am not yet done with everything, I do have BGP routing running between my lab Azure deployments and my on-premises home lab now. This allows testing hybrid connectivity as well as high availability, failover, and transitive scenarios.

Checking my routed VPN to Azure BGP advertised routes

After making sure RDS Gateway was working, I created a custom rule to have SMTP work with STARTTLS over 587 next to TLS over 465. But that was about it, except for one special jump host in a DMZ. For this host, I added rules to enable TeamViewer to work. This was kind of easy to do as we can specify FQDN names, so no matter how many IP addresses are used, or how often they change, the rules keep working. TeamViewer, for better or for worse, is used a lot, and once in a while, I need to test with it.

Configuring the WatchGuard Firebox M200 firewall policies

Conclusion

Now that I have the M200 & AP300 up and running, the lab and home office are again capable of simulating and testing business environment scenarios. This matters a lot while testing and learning because it helps me get a better grasp of all the pieces and parts that make up a design or solution. In my humble opinion, this has always been more helpful than pure paper-driven designs. My experimenting in the lab benefits myself, my employers and the community at large. Self-improvement and community contributions are by nature a win-win situation. So I am happy a WatchGuard Firebox M200 joins the home lab.

While I am at it I will upgrade my Azure VPN script from AzureRM to Az. The reason is that I need to delete the gateway when not testing, as the minimal BGP capable VPN gateway SKU (VpnGw1) is eating away at my limited Azure at home budget. This is still my main beef with cloud computing. Dumpster diving is a cost-effective CAPEX budget model. OPEX is not a personal budget-friendly model. It is game over when that runs out.

Design & configuration for fixed port 802.1x authentication via the Hyper-V switch

Introduction

In this article, I share my first design & configuration for fixed port 802.1x authentication via the Hyper-V switch. This is geared especially toward developers and engineers. These are a mixture of internal staff and contractors, using AD joined as well as BYOD clients. The gist of this article is actually that you need to learn about networking, 802.1x and RADIUS/NPS. You can just consider the Hyper-V switch as an unmanaged switch in most scenarios here.

In a previous blog, 802.1x Support with the Hyper-V switch is here!, I shared how you can now enable 802.1x for use with the Hyper-V switch in Windows 10 1809 and Windows Server 2019 or later. Note that this is a requirement for the Hyper-V host only; lower OS versions of the guests are fine.

Enabling is as simple as adding a registry key and rebooting the host.

reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vmsmp\parameters" /v 8021xEnabled /t REG_DWORD /d 1 /f

The existing situation

In the HQ and branch offices there are VLANs for AD joined fixed port clients, AD joined Wi-Fi clients (SSID CORP-WIFI), and a guest VLAN for non-authenticated devices both on Wi-Fi (SSID GUEST-WIFI) and fixed ports. These VLANs are untagged and are on physical access ports (authenticated, i.e. AD joined, and non-authenticated, i.e. non-AD joined) on the switch, or they are different SSIDs on the WAP.

When a non-authenticated client connects to an authenticated port, RADIUS authentication fails but the port, and as such the client, is given access to the guest VLAN. It’s functionally the same as for the unauthenticated ports on the guest VLAN.

There are also ports that are authenticated and will not provide guest VLAN access but discard the traffic or even shut down the port when authentication fails. These are in more security-focused parts of the branch offices.

The goal

We wanted to have this functionality available to the developers running Hyper-V. It needs to work for both authenticated and non-authenticated physical clients as well as VMs. Also, we need to provide a solution for when the host has only one NIC (physical or wireless) or multiple (one or more physical, plus wireless). In the case of a desktop with only one NIC, the management vNIC has to authenticate for the host as well as for the VMs.

When you have a wireless NIC, such as on laptops, this also works (bridge). When you dedicate a docking station ethernet port to the vSwitch you’re good to go as well, but you can also use wireless for the host and the physical NIC for the vSwitch. The same principles work both with AD joined and non-AD joined physical clients. This used to be an issue with Hyper-V, as the vSwitch did not support EAPoL and authentication was impossible.
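The enablement step above (the registry key and reboot) and the single-NIC desktop case from the goal section fit in one elevated PowerShell script. This is an added example, not code from the original post: it checks that the host is at least Windows 10 1809 / Windows Server 2019 (build 17763, the first build the post says supports 802.1x on the Hyper-V switch), sets the same 8021xEnabled value the reg add one-liner sets, and creates an external vSwitch that shares the physical NIC with the management OS so the host vNIC is the one that authenticates for host and VMs. The adapter name "Ethernet", the switch name "vSwitch-8021x" and the function names are assumptions chosen for the example.

```powershell
# Added example (not from the original post). Run in an elevated PowerShell on the
# Hyper-V host. Names below are placeholders chosen for this example.
$RegPath     = 'HKLM:\SYSTEM\CurrentControlSet\Services\vmsmp\parameters'
$ValueName   = '8021xEnabled'
$MinBuild    = 17763            # Windows 10 1809 / Windows Server 2019 (LTSC 1809)
$NicName     = 'Ethernet'       # assumption: the single physical NIC of the desktop
$SwitchName  = 'vSwitch-8021x'  # assumption: name of the external vSwitch

function Test-HyperVSwitch8021xSupport {
    # The post states 802.1x on the Hyper-V switch needs Windows 10 1809 / Server 2019 or later
    # on the host only; guests may run older versions.
    $build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuild
    return ($build -ge $MinBuild)
}

function Enable-HyperVSwitch8021x {
    # Equivalent of the post's reg add command. Returns $true when a reboot is still needed.
    $current = (Get-ItemProperty -Path $RegPath -Name $ValueName -ErrorAction SilentlyContinue).$ValueName
    if ($current -eq 1) {
        Write-Host "$ValueName is already set to 1 under $RegPath"
        return $false
    }
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name $ValueName -PropertyType DWord -Value 1 -Force | Out-Null
    Write-Host "Set $ValueName=1; reboot the host for the vSwitch to pass EAPoL"
    return $true
}

function New-SharedExternalSwitch {
    # Single-NIC case from the post: the management OS keeps a vNIC on the same switch, so the
    # host authenticates on that vNIC while VMs attached to the switch authenticate themselves.
    param([string]$Name, [string]$NetAdapterName)
    if (Get-VMSwitch -Name $Name -ErrorAction SilentlyContinue) {
        Write-Host "vSwitch $Name already exists"
        return
    }
    New-VMSwitch -Name $Name -NetAdapterName $NetAdapterName -AllowManagementOS $true | Out-Null
    Write-Host "Created external vSwitch $Name on $NetAdapterName (shared with management OS)"
}

if (-not (Test-HyperVSwitch8021xSupport)) {
    throw "Host build is below $MinBuild; 802.1x via the Hyper-V switch is not supported here"
}

$rebootNeeded = Enable-HyperVSwitch8021x

# Wired 802.1x on the host side is handled by the Wired AutoConfig service (dot3svc);
# the post assumes the wired client profile itself comes from GPO.
Set-Service -Name dot3svc -StartupType Automatic
Start-Service -Name dot3svc

New-SharedExternalSwitch -Name $SwitchName -NetAdapterName $NicName

if ($rebootNeeded) { Write-Host 'Reboot required before testing authentication on the vSwitch' }
```

After the reboot, the host vEthernet adapter and each VM must still carry a working 802.1x client configuration (computer certificate, wired profile from GPO or local); the script only removes the Hyper-V side of the blocker the post describes.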

The design and configuration

The lay of the land

I have this running in the lab with various PowerConnect switches. These are older 2800 and 5400 series as well as the 5500 series and the N2000 series. It is also in production at one organization with the 5500 series and soon also one with N2000 series.

A functional 802.1x infrastructure for both wired and wireless clients is assumed. This is not an article about configuring that. Many of you have the CA/PKI, NPS/RADIUS and GPOs (cert auto enroll, wired/wireless client config) running. I have it in the lab and it’s based on computer certs, as in production environments. If you don’t, you’ll need to take care of that first.

My lab NPS/RADIUS reauthenticating my guest VM on a Windows 10 1809 Hyper-V host every 5 minutes (for demo purposes). Note the dynamic VLAN assignment in the NPS network policy.

Considerations

There are multiple ways to achieve a solution. The idea, however, is to avoid anything but access ports toward clients unless unavoidable. So no trunk, general or whatever your preferred vendor calls it.

To achieve our goals, we configure the physical switch ports as follows:

  • We need multi-session authentication (we have multiple devices attached to one port that all need to and must authenticate or fail). This does mean there is no option to shut down that port on failure.
  • We leverage dynamic VLAN association (NPS policy) to move successfully authenticated ports into the corporate VLAN.
  • We leverage the guest VLAN to move unauthenticated ports into, so those devices get minimal network access and internet connectivity. This can be a dedicated VLAN for that purpose. Call it what you want (Quarantine, VM-Guest, Isolated).
  • The switch port mode remains in access mode and is not in general/trunk/hybrid mode. Depending on the switch that might not be possible. In the old budget PowerConnect 2808, the port is actually in general mode and you configure trunk or access via PVID and untagged/tagged allowed VLANs. Let’s keep it simple here: whatever goes on behind the scenes, we don’t configure the port as a trunk or similar for this unless we really have to.
  • It avoids having to use an unauthenticated VLAN per se (which would involve tagging and I don’t want to go there with the developers).
  • This approach leverages what is already there and requires only port reconfiguration as needed for 802.1x.
  • If we need to disable port auth for troubleshooting RADIUS, you can opt to put the access port either on the guest VLAN or even (whatever suits the needs better and is allowed) on the corporate VLAN by default.

Dynamic VLAN assignment & RADIUS/NPS policies rock here!

Based on group membership I can give the Hyper-V host or a VM attached to the vSwitch going to that port a different VLAN via dynamic VLAN assignment in the RADIUS network policies. You can get creative here (infra, dev, test, acceptance, … they can be in different VLANs when required). Below is a lab implementation of a scenario where people bring their own client with Hyper-V. When they need VMs that authenticate with AD that is possible, while other VMs get a guest network assigned.

I offer this to both internal and external employees now and reduce dependencies on workarounds, physical security and “hope” that nothing bad connects to the wire. This is a sweet setup for freelancers, contractors, consultants & employees alike. Combine this with Veeam Agent for Windows 3.0 to protect your client Hyper-V host and VMs. Sweet! It has been a driving factor to upgrade for some of them.

Conclusion

802.1x via the Hyper-V switch works very well. The intricacies are the same as with 802.1x in a purely physical environment that has a mix of managed/non-managed switches going to clients. I’ll repeat myself here and state the same as I did in my other blog post: you’ll have to wrap your head around port authentication with 802.1x and its various options and permutations on the switches and RADIUS servers.

I normally deal with Windows NPS for the RADIUS needs and the majority of my sites have DELL campus switches. But I find my way around any other model as well, both big and small names.

Depending on the needs of the users (developers, IT Pros, engineers) for your VMs, you will have to configure port authentication a bit differently, and you’d better either own that network or have a willing and able network team to work with. Where this is running in a production POC I’m in charge of the entire stack, so I can move fast, effective, efficient and offer great value for money. One week after 802.1x support with the Hyper-V switch went public. That is agility, that is speed, that is IT at its best.