Hopefully this article helps to resolve that mystery, or gives you something more to think about as the answer will depend on your situation.

First of all lets look at the recovery options already available. The table below highlights the key backup and recovery features.

Note: If the user (with the correct level of permissions) enters the recycle bin and selects permanently delete item then the asset/item will be removed and can’t be recovered

What have we learnt. Backups are retained for 28-days after a project or organisation is deleted. Asset recovery is available by using the recycle-bin and is kept for 30-days or your source code can be reverted or rolled back. Therefore your business will need to answer the following questions.

1. Is it important to be able to restore accidently deleted DevOps Projects and Organisations beyond the 28-day window
2. Do you need to be able to restore Pipelines and Board Assets/Items beyond the 30-day recycle Bin
3. Do you need the ability to granularly restore Test Plans?
   1. Note: Although these will be in a deleted Organisation and Project Backup – Granular asset restores are not part of the built in service. so, once a test is deleted it can’t be recovered
4. For Repos are you looking for a recycle bin restore? rather than using the built in Git capabilities

If you answer yes to any of the questions from points 1-4 then you will need a third-party backup solution from the likes of Keepit (https://www.keepit.com) or Backrightup (https://backrightup.com).

The post Azure DevOps Backup and Recovery appeared first on TSLS - Luke Smith.

Introduction

Virtual Private Network (VPN) is a technology that creates a secure and encrypted connection over a public network, such as the Internet, to access corporate resources and services. VPN is widely used by remote workers and mobile users who need to connect to their organisation’s network and applications. However, VPN also has some limitations and challenges, such as performance degradation, bandwidth consumption, complexity, and security risks.

Secure Access Service Edge (SASE) is a new concept that combines network and security functions into a unified cloud-based service. SASE aims to provide secure and fast access to any application, anywhere, and on any device. SASE solutions, such as zScaler and Entra global secure gateway, leverage modern security approaches, such as zero trust network access (ZTNA), cloud access security broker (CASB), and software-defined perimeter (SDP), to protect the data and identity of the users and devices.

The purpose of the next sections is to assess broadly how a VPN and SASE can access corporate resources and services (Cloud and non-cloud based). It will contrast the five main VPN options and their advantages and disadvantages from a network speed, reliability, high availability and security point of view. It will also suggest a VPN option or a No VPN option that uses modern security methods and functions.

VPN Options

There are five main VPN options that can be used to access corporate resources and services. They are:

• VPN Forced Tunnel: 100% of traffic goes into VPN appliance, including on-premise, Internet, and all SaaS/M365
• VPN Forced Tunnel with few exceptions: VPN tunnel is used by default (default route points to VPN), with few, most important exempt scenarios that are allowed to go direct
• VPN Forced Tunnel with broad exceptions: VPN tunnel is used by default (default route points to VPN), with broad exceptions that are allowed to go direct (such as all Microsoft 365, All Salesforce, All Zoom)
• VPN Selective Tunnel: VPN tunnel is used only for corpnet-based services (typically on-premise). Default route (Internet and all Internet-based services) goes direct.
• No VPN: A variation of #2. Instead of legacy VPN, all corpnet services are published through modern security approaches (like Zscaler and Microsoft Entra Global Secure Access)

Pros and Cons of VPN Options

The following table summarizes the pros and cons of each VPN option from a network speed, reliability, high availability and security perspective.

Recommendation

Based on the comparison of the VPN options, the recommendation is to use either the VPN Selective Tunnel option or the No VPN option, depending on the availability and feasibility of the SASE solutions and integration. Both options offer the best network speed, reliability, high availability and security for accessing corporate resources and services.

The VPN Selective Tunnel option is suitable for organisations that have a mix of corpnet-based and Internet-based services, and that want to reduce the VPN bandwidth consumption and cost, and improve the user experience and productivity, while maintaining the network and security policies for the corpnet-based services. However, this option also requires complex and inconsistent configuration, and lacks network and security policies for the Internet-based services (such as Microsoft 365).

The No VPN option is suitable for organisations that have mostly Internet-based services, and that want to eliminate the VPN bandwidth consumption and cost, and optimize the user experience and productivity, while applying modern and consistent security policies for all services. This option also provides full visibility and control of all services, and leverages the features of the SASE solutions, such as zScaler, Entra Global Secure Access (GSA), FortiGate FortiSASE . However, this option also requires SASE solutions and integration, identity and device management, and cloud and network optimisation.

Some of the features of the SASE solutions that improve the security posture over a traditional VPN are:

• Tenant restriction option (Feature of Microsoft Entra): This feature allows the organisation to restrict the access to its cloud services only to the authorized devices and users, and prevent the access from any unauthorized or compromised devices or users.
• Conditional Access (Feature of Microsoft Entra): This feature allows the organisation to enforce granular and dynamic policies based on the context of the user, device, location, application, and data, and grant or deny the access accordingly.
• Continuous Access Evaluation (Feature of Microsoft Entra): This feature allows the organisation to monitor and evaluate the security posture of the user and device continuously, and adjust the access level or revoke the access if any changes or anomalies are detected.
• Support for multi-platform: This feature allows the organisation to support and secure the access from any device and platform, such as Windows, Android, Mac, Linux, iOS, etc.

Useful reference materials:

1. What is Global Secure Access? – Global Secure Access | Microsoft Learn
2. Learn about the Global Secure Access clients for Microsoft Entra Private Access and Microsoft Entra Internet Access – Global Secure Access | Microsoft Learn
3. Zscaler Internet Access | AI-Powered Security Service Edge
4. SASE Solution – Secure Access Service Edge | Fortinet
5. Pulse Secure: Secure Access Made Easy | Ivanti

Final Note: Microsoft Entra Global Secure Access is a fairly new service and some of its features are still in preview, which means as of writing that are not yet fully functional. However, the technology is built on services that are well-established and widely used, such as Application Proxy, Conditional Access and Continuous Access Evaluation. It might be a good idea to evaluate the use of both VPN selective Tunnelling and Entra GSA together. Entra GSA could be applied to Microsoft 365 traffic. Traffic for Microsoft would go directly from the local internet breakout and be secured by Entra GSA.

The post Evaluating VPN and SASE Options for Secure and Reliable Access appeared first on TSLS - Luke Smith.

Issue

You try to connect your Draytek 2860n but receive the below error in the logs:

Reason

Reason for the failure is because the device is unable to decrypt the key. This might be because cypher suites are not be supported. – Currently working with Draytek to understand how this can be resolved.

The post Entra Remote Network to Draytek 2860n Failure appeared first on TSLS - Luke Smith.

The scenario is focused on a FortiGate Firewall Appliance but other VPN Devices should work in a similar way.

NB: not all VPN device will work. IKEv2 Phase 2 is limited to support only GCMAES128, GCMAES192, GCMAES256 and not all device will support these cyphers.

Step	Screenshot
Navigate to https://entra.microsoft.com/   Expand Global Secure Access Expand Remote Network   Click “Create remote network”
Basic Information:   Name: <Endpoint Name> Region: <Local Region>   Click Next
Connectivity Information:   Select Add a Link
Add a Link – General Information   Link Name: <Name of the connected location> Device Type: <Your VPN Device Make> IP Address: <Your VPN Public IP> Local BGP Address: <Microsoft BGP IP Address which you generate and must not conflict with any existing networks> Peer BGP Address: <Your Route BGP Address> Link ASN: <Your Router BGP ASN Address> Redundancy: <Select as per your requirements> Bandwidth capacity: <Select you required capacity; 250mbps, 500mbps, 750mbps, 1000mbps>   Click Next
Add a Link – Details Information   Protocol: IKEv2 IPSEC/IKE Policy: <Default / Custom>   If custom then the following options will need to be completed:   IKE Phase 1: Encryption: <AES128, AES192, AES256, GCMAES128, GCMAES265> IKEv2 integrity: <SHA256,SHA384, GCMAES128, GCMAES265> DH Group: <DHGroup14,>   IKE Phase 2: IPSec Encryption: <GCMAES128, GCMAES192, GCMAES256, None> IPSec Integrity: <GCMAES128, GCMAES192, GCMAES256, SHA256> PFS Group: <None, PFS1, PFS2, PFS14, PFS2048, PFSMM, SCP256, ECP384> SA lifetime (seconds): <value from 300 – 86400>   Click Next   Note: SA IP Range must be configured as 0.0.0.0/0 – 0.0.0.0/0
Add a Link – Security   Pre-shared key (PSK): <enter a key to be used on Entra and on your VPN Device> Click Save
Connectivity Tab Information:   Click Next
Traffic Profile:   Select the traffic profile for this connection
Review + Create Information   Confirm the information is correct   Click Create remote network
From the main remote network Select view configuration
From the network configuration   Click Copy and Save

FortiGate Firewall Configuration

The following table details the steps to configure a FortiGate Firewall (in this instance a 60E)

Step	Screenshot
Navigate to your routers IP http://x.x.x.x Expand VPN Expand IPsec Tunnel Click Create New Tunnel
Within the Wizard Name: VPNtoEntra Template Type: Custom Click Next
On the Next Screen complete the following: IP Version: IPv4 IP Address: EntraID VPN Interface: WAN Port NAT: Disabled DPD: On Idle Method: PSK Pre-Shared Key: xxxxx IKE: 2
Phase 1 Proposal Encryption: AES256 Authentication: SHA256 DH: G14 Key Life: 86400 Phase 2 Proposal Local Address: 0.0.0.0/0.0.0.0 Remote Address: 0.0.0.0/0.0.0.0 Encryption: AES256GCM Enable PFS: uncheck Key Lifetime: 27000 (from above) Next Click OK
Configure BGP Navigate to Network Expand BGP (if missing add via system/feature visibility) Enter your Local AS: (ASN from above) Under Neighbors Click Create New
Add in the Azure BGP details: IP: (Azure BGP from above) Remote AS: (Azure ASN from above) Update source: name of your IPSEC tunnel Enable Enforce eBGP multihop Enable Activate IPv4 Check Soft reconfiguration Check Capability: route refresh Click OK
Navigate to Network Expand BGP (if missing add via system/feature visibility) Add in the local networks Click Apply
Confirm the BGP has established and is not idle
And confirm that the routes are visible
Next you will need to config the firewall policy to allow the internal traffic to Entra	TBC

Conclusion

Make sure the following are in place:

• SA is configured with the routes 0.0.0.0/0 – 0.0.0.0/0.
• Route is configured for the Entra BGP Peer within the subnet /32 i.e. 172.16.2.254/32 (172.16.2.254 being the Microsoft BGP endpoint).
• Within BGP make sure enforce eBGP multihop is enabled (if you see packets being RST/DROP from your router IP to the Azure BGP IP it’s likely because eBGP is not enabled.
• Routes to your local network is enabled in BGP

The post How to create a remote network into Entra Global Security Access appeared first on TSLS - Luke Smith.

1. LG Magic Remote ( OLED Screen)
2. Sky Q remote (basic controller)
3. Sonos Soundbar

Using the LG Magic Remote select the home button.

1. Select LG Device Connections
2. Select Soundbar
3. Select Optical
4. Select Pioneer
5. Select Option 1 and Save

From Sky Q

1. Select Settings
2. Select Setup
3. Select Remote Controls
4. Select Sky Remote
5. Configure the TV and Home Theatre with the following codes

TV = 0206 (LG) | Home Theatre = ?0041 (Pioneer)

From the Sonos App

1. Settings
2. System
3. Speaker Name
4. Remote Control Setup
5. Point the sky remote at the soundbar and press the volume button.

Both the Sky remote and LG remote should be able to control the TV, Volume and Sky.

The post Remote Controller LG Magic Remote, Sonos and Sky Q appeared first on TSLS - Luke Smith.

AzureDiagnostics | where ResourceType == “APPLICATIONGATEWAYS” and Category == “ApplicationGatewayFirewallLog”

The post Azure App Gateway Log Analytics appeared first on TSLS - Luke Smith.

To increase the php upload size please run through the following steps:

In the Azure Portal, select your App Service
Navigate to Configuration
Select Application Settings
Click New Application settings

Name = PHP_INI_SCAN_DIR
Value = D:\home\site\ini

Click Save

Then Under Development Tools select Advanced Toolees (KUDU) or navigate to https://.scm.azurewebsites.net

From the menu select Debug Console\CMD

Go to site directory and press the “+” button and create an “ini” directory.
In the ini directory, create an “extensions.ini” file.
Press the edit button next to the file.
Add the following to the file and save. This will modify the Master values.
upload_max_filesize=30M
post_max_size=30M
Go to the wwwroot directory and create a “.user.ini” file.
Edit the file and add the same values as mentioned in step 7 above. This will modify the Local values.
Restart the site using the Azure Portal.
PHPMyAdmin Import page will also reflect the changes.

The post Azure MySQL In App Manager – Increase Import Size appeared first on TSLS - Luke Smith.

When you create an Office 365 Data Loss Protection (DLP) Policy the Action to “Encrypt email messages (applies only to content in Exchange)” is missing.

RESOLUTION:

Exchange Online Azure AD Rights Management needs to be eneabled.

Download the Exchange Online PowerShell from: https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/exchange-online-powershell?view=exchange-ps


Connect-ExchangeOnline
Connect-AadrmService
(Get-AadrmConfiguration).LicensingIntranetDistributionPointUrl -match “https:\/\/[0-9A-Za-z\.-]*” | Out-Null; $matches[0]

#Copy URL into $list below
$irmConfig = Get-IRMConfiguration
$list = $irmConfig.LicensingLocation
$list += “https://512889fd-d24f-4f29-87e1-7111b27ebada.rms.eu.aadrm.com/_wmcs/licensing“
Set-IRMConfiguration -LicensingLocation $list
Set-IRMConfiguration -internallicensingenabled $true
<\code>

The post Office 365 DLP Action Encrypt email messages Missing appeared first on TSLS - Luke Smith.

netsh advfirewall firewall add rule name=”ICMP Allow incoming V4 echo request” protocol=”icmpv4:8,any” dir=in action=allow

netsh firewall set service RemoteAdmin enable

netsh firewall add portopening protocol=tcp port=135 name=DCOM_TCP135

The post Lansweeper Windows Firewall Requriements appeared first on TSLS - Luke Smith.

You have configured a Point-to-Site VPN on the Azure Gateway

The Azure Gateway also has Site-to-Site Connections using BGP or Static Routes

The Point-to-Site is configured for SSTP and IKEv2

You configure the VPN and notice that only SSTP is used and when trying to manually set IKEv2 the client fails with the following error:

“Error processing ID payload”

Resolution 1

First check how many routes are being published on the VPN

1. Select an Azure VM > Select Network > Select Network Card > Select Effective Routes
2. Count the number of Routes

If you have more than 25 routes (published on the VPN) you will need to limit the routes by summarizing them below 25 routes.

The Windows VPN Client built into Windows 10 (1607 and above) doesn’t support more than 25 routes hence they this fails.

If you are not able to limit these routes you will need to Use SSTP

NB: SSTP only allows 128 concurrent connection

Resolution 2

If you are running Windows 10 builds 1607-1709 update to the latest windows 10 build or apply the following changes\fixes:

Install the update.

Set the registry key value. Create or set “HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\ IKEv2\DisableCertReqPayload” REG_DWORD key in the registry to 1.

Resolution 3

If you are running Windows 10 builds below 1607 you will need to update to the latest windows 10 build

The post Azure Gateway – Point-to-Site Windows VPN Client – Error processing ID payload appeared first on TSLS - Luke Smith.