diff --git a/deployment/administration/SHM_Manage_VMs.ps1 b/deployment/administration/SHM_Manage_VMs.ps1
index 2675b7f3b0..9cc8f2b20b 100644
--- a/deployment/administration/SHM_Manage_VMs.ps1
+++ b/deployment/administration/SHM_Manage_VMs.ps1
@@ -34,7 +34,6 @@ if ($Group -eq "Identity") {
} elseif ($Group -eq "Mirrors") {
# Remove Identity VMs from list
$vmsByRg.Remove($config.dc.rg)
- $vmsByRg.Remove($config.nps.rg)
}
switch ($Action) {
@@ -48,23 +47,19 @@ switch ($Action) {
$primaryDCAlreadyRunning = Confirm-VmRunning -Name $config.dc.vmName -ResourceGroupName $config.dc.rg
if ($primaryDCAlreadyRunning) {
Add-LogMessage -Level InfoSuccess "VM '$($config.dc.vmName)' already running."
- # Start Secondary DC and NPS
+ # Start Secondary DC
Start-VM -Name $config.dcb.vmName -ResourceGroupName $config.dc.rg
- Start-VM -Name $config.nps.vmName -ResourceGroupName $config.nps.rg -SkipIfNotExist
} else {
- # Stop Secondary DC and NPS as these must start after Primary DC
+ # Stop Secondary DC as it must start after Primary DC
Add-LogMessage -Level Info "Stopping Secondary DC and NPS as Primary DC is not running."
Stop-Vm -Name $config.dcb.vmName -ResourceGroupName $config.dc.rg
- Stop-Vm -Name $config.nps.vmName -ResourceGroupName $config.nps.rg -SkipIfNotExist
# Start Primary DC
Start-VM -Name $config.dc.vmName -ResourceGroupName $config.dc.rg
- # Start Secondary DC and NPS
+ # Start Secondary DC
Start-VM -Name $config.dcb.vmName -ResourceGroupName $config.dc.rg
- Start-VM -Name $config.nps.vmName -ResourceGroupName $config.nps.rg -SkipIfNotExist
}
# Remove Identity VMs from general VM list so they are not processed twice
$vmsByRg.Remove($config.dc.rg)
- $vmsByRg.Remove($config.nps.rg)
}
# Process remaining SHM VMs covered by the specified group
foreach ($key in $vmsByRg.Keys) {
diff --git a/deployment/administration/SRE_Manage_VMs.ps1 b/deployment/administration/SRE_Manage_VMs.ps1
index 3a6cf45d3c..6ac5e77377 100644
--- a/deployment/administration/SRE_Manage_VMs.ps1
+++ b/deployment/administration/SRE_Manage_VMs.ps1
@@ -27,6 +27,7 @@ $vmsByRg = Get-VMsByResourceGroupPrefix -ResourceGroupPrefix $config.sre.rgPrefi
switch ($Action) {
"EnsureStarted" {
# Remove remote desktop VMs to process last
+ # May be able to simplify this further now that MSRDS is removed
$remoteDesktopVms = $vmsByRg[$config.sre.remoteDesktop.rg]
$vmsByRg.Remove($config.sre.remoteDesktop.rg)
# Start all other VMs before RDS VMs so all services will be available when users can login via RDS
@@ -40,32 +41,8 @@ switch ($Action) {
}
# Ensure remote desktop VMs are started
Add-LogMessage -Level Info "Ensuring VMs in resource group '$($config.sre.remoteDesktop.rg)' are started..."
- if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
- # Start Guacamole VMs
- $remoteDesktopVms | ForEach-Object { Start-VM -VM $_ }
- } elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- # RDS gateway must be started before RDS session hosts
- $gatewayAlreadyRunning = Confirm-VmRunning -Name $config.sre.remoteDesktop.gateway.vmName -ResourceGroupName $config.sre.remoteDesktop.rg
- if ($gatewayAlreadyRunning) {
- Add-LogMessage -Level InfoSuccess "VM '$($config.sre.remoteDesktop.gateway.vmName)' already running."
- # Ensure session hosts started
- foreach ($vm in $remoteDesktopVms | Where-Object { $_.Name -ne $config.sre.remoteDesktop.gateway.vmName }) {
- Start-VM -VM $vm
- }
- } else {
- # Stop session hosts as they must start after gateway
- Add-LogMessage -Level Info "Stopping RDS session hosts as gateway is not running."
- foreach ($vm in $remoteDesktopVms | Where-Object { $_.Name -ne $config.sre.remoteDesktop.gateway.vmName }) {
- Stop-VM -VM $vm
- }
- # Start gateway
- Start-VM -Name $config.sre.remoteDesktop.gateway.vmName -ResourceGroupName $config.sre.remoteDesktop.rg
- # Start session hosts
- foreach ($vm in $remoteDesktopVms | Where-Object { $_.Name -ne $config.sre.remoteDesktop.gateway.vmName }) {
- Start-VM -VM $vm
- }
- }
- }
+ # Start Guacamole VMs
+ $remoteDesktopVms | ForEach-Object { Start-VM -VM $_ }
}
"EnsureStopped" {
foreach ($key in $vmsByRg.Keys) {
diff --git a/deployment/common/Configuration.psm1 b/deployment/common/Configuration.psm1
index c1090d9bb8..9c21a51232 100644
--- a/deployment/common/Configuration.psm1
+++ b/deployment/common/Configuration.psm1
@@ -186,14 +186,12 @@ function Get-ShmConfig {
netbiosName = ($shmConfigBase.netbiosName ? $shmConfigBase.netbiosName : $shm.id).ToUpper() | Limit-StringLength -MaximumLength 15 -FailureIsFatal
dn = "DC=$(($shmConfigBase.domain).Replace('.',',DC='))"
ous = [ordered]@{
- databaseServers = [ordered]@{ name = "Secure Research Environment Database Servers" }
- linuxServers = [ordered]@{ name = "Secure Research Environment Linux Servers" }
- rdsGatewayServers = [ordered]@{ name = "Secure Research Environment RDS Gateway Servers" }
- rdsSessionServers = [ordered]@{ name = "Secure Research Environment RDS Session Servers" }
- researchUsers = [ordered]@{ name = "Safe Haven Research Users" }
- securityGroups = [ordered]@{ name = "Safe Haven Security Groups" }
- serviceAccounts = [ordered]@{ name = "Safe Haven Service Accounts" }
- identityServers = [ordered]@{ name = "Safe Haven Identity Servers" }
+ databaseServers = [ordered]@{ name = "Secure Research Environment Database Servers" }
+ linuxServers = [ordered]@{ name = "Secure Research Environment Linux Servers" }
+ researchUsers = [ordered]@{ name = "Safe Haven Research Users" }
+ securityGroups = [ordered]@{ name = "Safe Haven Security Groups" }
+ serviceAccounts = [ordered]@{ name = "Safe Haven Service Accounts" }
+ identityServers = [ordered]@{ name = "Safe Haven Identity Servers" }
}
}
$shm.domain.fqdnLower = ($shm.domain.fqdn).ToLower()
@@ -400,31 +398,21 @@ function Get-ShmConfig {
# ---------
$shm.users = [ordered]@{
computerManagers = [ordered]@{
- databaseServers = [ordered]@{
+ databaseServers = [ordered]@{
name = "$($shm.domain.netbiosName) Database Servers Manager"
samAccountName = "$($shm.id)databasesrvrs".ToLower() | Limit-StringLength -MaximumLength 20
passwordSecretName = "shm-$($shm.id)-computer-manager-password-database-servers".ToLower()
}
- identityServers = [ordered]@{
+ identityServers = [ordered]@{
name = "$($shm.domain.netbiosName) Identity Servers Manager"
samAccountName = "$($shm.id)identitysrvrs".ToLower() | Limit-StringLength -MaximumLength 20
passwordSecretName = "shm-$($shm.id)-computer-manager-password-identity-servers".ToLower()
}
- linuxServers = [ordered]@{
+ linuxServers = [ordered]@{
name = "$($shm.domain.netbiosName) Linux Servers Manager"
samAccountName = "$($shm.id)linuxsrvrs".ToLower() | Limit-StringLength -MaximumLength 20
passwordSecretName = "shm-$($shm.id)-computer-manager-password-linux-servers".ToLower()
}
- rdsGatewayServers = [ordered]@{
- name = "$($shm.domain.netbiosName) RDS Gateway Manager"
- samAccountName = "$($shm.id)gatewaysrvrs".ToLower() | Limit-StringLength -MaximumLength 20
- passwordSecretName = "shm-$($shm.id)-computer-manager-password-rds-gateway-servers".ToLower()
- }
- rdsSessionServers = [ordered]@{
- name = "$($shm.domain.netbiosName) RDS Session Servers Manager"
- samAccountName = "$($shm.id)sessionsrvrs".ToLower() | Limit-StringLength -MaximumLength 20
- passwordSecretName = "shm-$($shm.id)-computer-manager-password-rds-session-servers".ToLower()
- }
}
serviceAccounts = [ordered]@{
aadLocalSync = [ordered]@{
@@ -624,22 +612,17 @@ function Get-SreConfig {
# Import minimal management config parameters from JSON config file - we can derive the rest from these
$sreConfigBase = Get-CoreConfig -shmId $shmId -sreId $sreId
+ # Support for "MicrosoftRDS" has been removed. The "remotedDesktopProvider" field now defaults to "ApacheGuacamole"
+ if ($sreConfigBase.remoteDesktopProvider -ne "ApacheGuacamole") {
+ Add-LogMessage -Level Fatal "Support for remote desktops other than ApacheGuacamole has been removed"
+ } elseif ($sreConfigBase.remoteDesktopProvider -eq "ApacheGuacamole") {
+ Add-LogMessage -Level Warning "The remoteDesktopProvider configuration option has been deprecated and will be removed in the future"
+ }
+ $sreConfigBase.remoteDesktopProvider = "ApacheGuacamole"
+
# Secure research environment config
# ----------------------------------
- # Check that one of the allowed remote desktop providers is selected
- $remoteDesktopProviders = @("ApacheGuacamole", "MicrosoftRDS")
- if (-not $sreConfigBase.remoteDesktopProvider) {
- Add-LogMessage -Level Warning "No remoteDesktopType was provided. Defaulting to $($remoteDesktopProviders[0])"
- $sreConfigBase.remoteDesktopProvider = $remoteDesktopProviders[0]
- }
- if (-not $remoteDesktopProviders.Contains($sreConfigBase.remoteDesktopProvider)) {
- Add-LogMessage -Level Fatal "Did not recognise remote desktop provider '$($sreConfigBase.remoteDesktopProvider)' as one of the allowed remote desktop types: $remoteDesktopProviders"
- }
- if (
- ($sreConfigBase.remoteDesktopProvider -eq "MicrosoftRDS") -and (-not @(2, 3, 4).Contains([int]$sreConfigBase.tier))
- ) {
- Add-LogMessage -Level Fatal "RemoteDesktopProvider '$($sreConfigBase.remoteDesktopProvider)' cannot be used for tier '$($sreConfigBase.tier)'"
- }
+
# Setup the basic config
$config = [ordered]@{
shm = Get-ShmConfig -shmId $sreConfigBase.shmId
@@ -879,8 +862,8 @@ function Get-SreConfig {
}
}
- # Remote desktop either through Apache Guacamole or Microsoft RDS
- # ---------------------------------------------------------------
+ # Apache Guacamole remote desktop
+ # -------------------------------
$config.sre.remoteDesktop.rg = "$($config.sre.rgPrefix)_REMOTE_DESKTOP".ToUpper()
if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
$config.sre.network.vnet.subnets.remoteDesktop.nsg = [ordered]@{
@@ -900,44 +883,6 @@ function Get-SreConfig {
}
}
}
- } elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- $config.sre.remoteDesktop.gateway = [ordered]@{
- adminPasswordSecretName = "$($config.sre.shortName)-vm-admin-password-rds-gateway"
- vmName = "RDG-SRE-$($config.sre.id)".ToUpper() | Limit-StringLength -MaximumLength 15
- vmSize = "Standard_DS2_v2"
- ip = Get-NextAvailableIpInRange -IpRangeCidr $config.sre.network.vnet.subnets.remoteDesktop.cidr -Offset 4
- installationDirectory = "C:\Installation"
- nsg = [ordered]@{
- name = "$($config.sre.nsgPrefix)_RDS_SERVER".ToUpper()
- rules = "sre-nsg-rules-gateway.json"
- }
- disks = [ordered]@{
- data = [ordered]@{
- sizeGb = "1023"
- type = $config.sre.diskTypeDefault
- }
- os = [ordered]@{
- sizeGb = "128"
- type = $config.sre.diskTypeDefault
- }
- }
- }
- $config.sre.remoteDesktop.appSessionHost = [ordered]@{
- adminPasswordSecretName = "$($config.sre.shortName)-vm-admin-password-rds-sh1"
- vmName = "APP-SRE-$($config.sre.id)".ToUpper() | Limit-StringLength -MaximumLength 15
- vmSize = "Standard_DS2_v2"
- ip = Get-NextAvailableIpInRange -IpRangeCidr $config.sre.network.vnet.subnets.remoteDesktop.cidr -Offset 5
- nsg = [ordered]@{
- name = "$($config.sre.nsgPrefix)_RDS_SESSION_HOSTS".ToUpper()
- rules = "sre-nsg-rules-session-hosts.json"
- }
- disks = [ordered]@{
- os = [ordered]@{
- sizeGb = "128"
- type = $config.sre.diskTypeDefault
- }
- }
- }
} else {
Add-LogMessage -Level Fatal "Remote desktop type '$($config.sre.remoteDesktop.type)' was not recognised!"
}
diff --git a/deployment/safe_haven_management_environment/arm_templates/shm-nps-template.json b/deployment/safe_haven_management_environment/arm_templates/shm-nps-template.json
deleted file mode 100644
index f9fb6d3ae6..0000000000
--- a/deployment/safe_haven_management_environment/arm_templates/shm-nps-template.json
+++ /dev/null
@@ -1,244 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "administratorPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for domain administrator"
- }
- },
- "administratorUsername": {
- "type": "string",
- "metadata": {
- "description": "Username for domain administrator"
- }
- },
- "bootDiagnosticsAccountName": {
- "type": "string",
- "metadata": {
- "description": "Name of storage account used for boot diagnostics"
- }
- },
- "domainJoinOuPath": {
- "type": "string",
- "metadata": {
- "description": "OU path to add this VM to"
- }
- },
- "domainJoinPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for domain joining"
- }
- },
- "domainJoinUser": {
- "type": "string",
- "metadata": {
- "description": "Username for domain joining"
- }
- },
- "domainName": {
- "type": "string",
- "metadata": {
- "Description": "Public domain name for the SHM"
- }
- },
- "virtualNetworkName": {
- "type": "string",
- "metadata": {
- "description": "Name of virtual network to provision these VMs"
- }
- },
- "virtualNetworkResourceGroupName": {
- "type": "string",
- "metadata": {
- "description": "Name of resource group that is associated with the virtual network above"
- }
- },
- "virtualNetworkSubnetName": {
- "type": "string",
- "metadata": {
- "description": "Name of subnet where you want to provision this VM"
- }
- },
- "vmHostName": {
- "type": "string",
- "metadata": {
- "description": "Hostname for NPS"
- }
- },
- "vmName": {
- "type": "string",
- "metadata": {
- "description": "VM name of NPS"
- }
- },
- "vmOsDiskSizeGb": {
- "type": "int",
- "metadata": {
- "description": "Size of NPS OS disk in GB"
- }
- },
- "vmOsDiskType": {
- "type": "string",
- "metadata": {
- "description": "Type of NPS OS disk"
- }
- },
- "vmPrivateIpAddress": {
- "type": "string",
- "metadata": {
- "description": "Private IP address for NPS"
- }
- },
- "vmSize": {
- "type": "string",
- "metadata": {
- "description": "VM size of NPS"
- }
- }
- },
- "variables": {
- "npsnic": "[concat(parameters('vmName'),'-','NIC')]",
- "vnetID": "[resourceId(parameters('virtualNetworkResourceGroupName'), 'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
- "subnetId": "[concat(variables('vnetID'),'/subnets/', parameters('virtualNetworkSubnetName'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[parameters('vmName')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "hardwareProfile": {
- "vmSize": "[parameters('vmSize')]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2022-Datacenter",
- "version": "latest"
- },
- "osDisk": {
- "osType": "Windows",
- "name": "[concat(parameters('vmName'),'-OS-DISK')]",
- "createOption": "FromImage",
- "caching": "ReadWrite",
- "writeAcceleratorEnabled": false,
- "managedDisk": {
- "storageAccountType": "[parameters('vmOsDiskType')]"
- },
- "diskSizeGB": "[parameters('vmOsDiskSizeGb')]"
- }
- },
- "osProfile": {
- "computerName": "[parameters('vmHostName')]",
- "adminUsername": "[parameters('administratorUsername')]",
- "adminPassword": "[parameters('administratorPassword')]",
- "windowsConfiguration": {
- "enableAutomaticUpdates": false,
- "provisionVMAgent": true
- },
- "secrets": [],
- "allowExtensionOperations": true
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('npsnic'))]",
- "properties": {
- "primary": true
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat('https', '://', parameters('bootDiagnosticsAccountName'), '.blob.core.windows.net', '/')]"
- }
- }
- },
- "dependsOn": [
- "[resourceId('Microsoft.Network/networkInterfaces', variables('npsnic'))]"
- ]
- },
- {
- "type": "Microsoft.Network/networkInterfaces",
- "name": "[variables('npsnic')]",
- "apiVersion": "2020-05-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "ipConfigurations": [
- {
- "name": "ipconfig1",
- "properties": {
- "privateIPAddress": "[parameters('vmPrivateIpAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('subnetId')]"
- },
- "primary": true,
- "privateIPAddressVersion": "IPv4"
- }
- }
- ],
- "dnsSettings": {
- "dnsServers": [],
- "appliedDnsServers": []
- },
- "enableAcceleratedNetworking": false,
- "enableIPForwarding": false,
- "primary": true,
- "tapConfigurations": []
- },
- "dependsOn": []
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('vmName'), '/', 'bginfo')]",
- "apiVersion": "2019-07-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "autoUpgradeMinorVersion": true,
- "publisher": "Microsoft.Compute",
- "type": "bginfo",
- "typeHandlerVersion": "2.1"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]"
- ]
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('vmName'),'/joindomain')]",
- "apiVersion": "2019-07-01",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', parameters('vmName'))]",
- "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('vmName'),'bginfo')]"
- ],
- "properties": {
- "publisher": "Microsoft.Compute",
- "type": "JsonADDomainExtension",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "Name": "[parameters('domainName')]",
- "OUPath": "[parameters('domainJoinOuPath')]",
- "User": "[concat(parameters('domainName'), '\\', parameters('domainJoinUser'))]",
- "Restart": "true",
- "Options": "3"
- },
- "protectedSettings": {
- "Password": "[parameters('domainJoinPassword')]"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/DC1DesiredState.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/DC1DesiredState.ps1
index f5475372c9..8c21de41be 100755
--- a/deployment/safe_haven_management_environment/desired_state_configuration/DC1DesiredState.ps1
+++ b/deployment/safe_haven_management_environment/desired_state_configuration/DC1DesiredState.ps1
@@ -467,14 +467,6 @@ configuration ApplyGroupPolicies {
[ValidateNotNullOrEmpty()]
[string]$OuNameLinuxServers,
- [Parameter(HelpMessage = "RDS gateway servers OU name (eg. 'Secure Research Environment RDS Gateway Servers')")]
- [ValidateNotNullOrEmpty()]
- [string]$OuNameRdsGatewayServers,
-
- [Parameter(HelpMessage = "RDS session servers OU name (eg. 'Secure Research Environment RDS Session Servers')")]
- [ValidateNotNullOrEmpty()]
- [string]$OuNameRdsSessionServers,
-
[Parameter(HelpMessage = "Research users OU name (eg. 'Safe Haven Research Users')")]
[ValidateNotNullOrEmpty()]
[string]$OuNameResearchUsers,
@@ -520,8 +512,7 @@ configuration ApplyGroupPolicies {
Write-Verbose -Verbose "Importing GPOs..."
foreach ($sourceTargetPair in (("0AF343A0-248D-4CA5-B19E-5FA46DAE9F9C", "All servers - Local Administrators"),
("EE9EF278-1F3F-461C-9F7A-97F2B82C04B4", "All Servers - Windows Update"),
- ("742211F9-1482-4D06-A8DE-BA66101933EB", "All Servers - Windows Services"),
- ("B0A14FC3-292E-4A23-B280-9CC172D92FD5", "Session Servers - Remote Desktop Control"))) {
+ ("742211F9-1482-4D06-A8DE-BA66101933EB", "All Servers - Windows Services"))) {
$source, $target = $sourceTargetPair
$null = Import-GPO -BackupId "$source" -TargetName "$target" -Path $using:GpoOutputPath -CreateIfNeeded
if ($?) {
@@ -545,19 +536,12 @@ configuration ApplyGroupPolicies {
Write-Verbose -Verbose "Linking GPOs to OUs..."
foreach ($gpoOuNamePair in (("All servers - Local Administrators", "$using:OuNameDatabaseServers"),
("All servers - Local Administrators", "$using:OuNameIdentityServers"),
- ("All servers - Local Administrators", "$using:OuNameRdsSessionServers"),
- ("All servers - Local Administrators", "$using:OuNameRdsGatewayServers"),
("All Servers - Windows Services", "Domain Controllers"),
("All Servers - Windows Services", "$using:OuNameDatabaseServers"),
("All Servers - Windows Services", "$using:OuNameIdentityServers"),
- ("All Servers - Windows Services", "$using:OuNameRdsSessionServers"),
- ("All Servers - Windows Services", "$using:OuNameRdsGatewayServers"),
("All Servers - Windows Update", "Domain Controllers"),
("All Servers - Windows Update", "$using:OuNameDatabaseServers"),
- ("All Servers - Windows Update", "$using:OuNameIdentityServers"),
- ("All Servers - Windows Update", "$using:OuNameRdsSessionServers"),
- ("All Servers - Windows Update", "$using:OuNameRdsGatewayServers"),
- ("Session Servers - Remote Desktop Control", "$using:OuNameRdsSessionServers"))) {
+ ("All Servers - Windows Update", "$using:OuNameIdentityServers"))) {
$gpoName, $ouName = $gpoOuNamePair
$gpo = Get-GPO -Name "$gpoName"
# Check for a match in existing GPOs
@@ -628,29 +612,6 @@ configuration ApplyGroupPolicies {
TestScript = { $false }
DependsOn = "[Script]ImportGroupPolicies"
}
-
- Script SetRemoteDesktopServerLayout {
- SetScript = {
- try {
- Write-Verbose -Verbose "Setting the layout file for the Remote Desktop servers..."
- $null = Set-GPRegistryValue -Key "HKCU\Software\Policies\Microsoft\Windows\Explorer\" `
- -Name "Session Servers - Remote Desktop Control" `
- -Type "ExpandString" `
- -ValueName "StartLayoutFile" `
- -Value "\\$($using:DomainFqdn)\SYSVOL\$($using:DomainFqdn)\scripts\ServerStartMenu\LayoutModification.xml"
- if ($?) {
- Write-Verbose -Verbose "Setting the layout file for the Remote Desktop servers succeeded"
- } else {
- throw "Setting the layout file for the Remote Desktop servers failed!"
- }
- } catch {
- Write-Error "SetRemoteDesktopServerLayout: $($_.Exception)"
- }
- }
- GetScript = { @{} }
- TestScript = { $false }
- DependsOn = "[Script]ImportGroupPolicies"
- }
}
}
@@ -831,8 +792,6 @@ configuration ConfigurePrimaryDomainController {
OuNameDatabaseServers = $domainOus.databaseServers.name
OuNameIdentityServers = $domainOus.identityServers.name
OuNameLinuxServers = $domainOus.linuxServers.name
- OuNameRdsGatewayServers = $domainOus.rdsGatewayServers.name
- OuNameRdsSessionServers = $domainOus.rdsSessionServers.name
OuNameResearchUsers = $domainOus.researchUsers.name
OuNameSecurityGroups = $domainOus.securityGroups.name
OuNameServiceAccounts = $domainOus.serviceAccounts.name
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/NPSBootstrap.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/NPSBootstrap.ps1
deleted file mode 100644
index 46fab947aa..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/NPSBootstrap.ps1
+++ /dev/null
@@ -1,7 +0,0 @@
-# Here we install
-# - NuGet (for module management)
-# - PowerShellModule (to allow modules to be installed in DSC)
-# - various x* modules (to enable DSC functions)
-# Other Powershell modules should be installed through DSC
-Install-PackageProvider -Name NuGet -MinimumVersion 2.8.5.201 -Force;
-Install-Module PowerShellModule -MinimumVersion 0.3 -Force;
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/NPSDesiredState.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/NPSDesiredState.ps1
deleted file mode 100755
index e41a22d982..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/NPSDesiredState.ps1
+++ /dev/null
@@ -1,209 +0,0 @@
-configuration InstallPowershellModules {
- Import-DscResource -ModuleName PowerShellModule
-
- Node localhost {
- PSModuleResource MSOnline {
- Ensure = "present"
- Module_Name = "MSOnline"
- }
-
- PSModuleResource PackageManagement {
- Ensure = "present"
- Module_Name = "PackageManagement"
- }
-
- PSModuleResource PowerShellGet {
- Ensure = "present"
- Module_Name = "PowerShellGet"
- }
-
- PSModuleResource PSWindowsUpdate {
- Ensure = "present"
- Module_Name = "PSWindowsUpdate"
- }
- }
-}
-
-
-configuration UploadArtifacts {
- param (
- [Parameter(HelpMessage = "Absolute path to directory which blobs should be downloaded to")]
- [ValidateNotNullOrEmpty()]
- [string]$ArtifactsDirectory,
-
- [Parameter(HelpMessage = "Array of blob names to download from storage blob container")]
- [ValidateNotNullOrEmpty()]
- [PSCustomObject]$BlobNames,
-
- [Parameter(HelpMessage = "SAS token with read/list rights to the storage blob container")]
- [ValidateNotNullOrEmpty()]
- [string]$BlobSasToken,
-
- [Parameter(HelpMessage = "Name of the storage account")]
- [ValidateNotNullOrEmpty()]
- [string]$StorageAccountName,
-
- [Parameter(HelpMessage = "Name of the storage container")]
- [ValidateNotNullOrEmpty()]
- [string]$StorageContainerName
- )
-
- Node localhost {
- Script EmptyDirectory {
- SetScript = {
- try {
- Write-Verbose -Verbose "Clearing all pre-existing files and folders from '$using:ArtifactsDirectory'"
- if (Test-Path -Path $using:ArtifactsDirectory) {
- Get-ChildItem $using:ArtifactsDirectory -Recurse | Remove-Item -Recurse -Force
- } else {
- New-Item -ItemType directory -Path $using:ArtifactsDirectory
- }
- } catch {
- Write-Error "EmptyDirectory: $($_.Exception)"
- }
- }
- GetScript = { @{} }
- TestScript = { (Test-Path -Path $using:ArtifactsDirectory) -and -not (Test-Path -Path "$using:ArtifactsDirectory/*") }
- }
-
- Script DownloadArtifacts {
- SetScript = {
- try {
- Write-Verbose -Verbose "Downloading $($using:BlobNames.Length) files to '$using:ArtifactsDirectory'..."
- foreach ($BlobName in $using:BlobNames) {
- # Ensure that local directory exists
- $LocalDir = Join-Path $using:ArtifactsDirectory $(Split-Path -Parent $BlobName)
- if (-not (Test-Path -Path $LocalDir)) {
- $null = New-Item -ItemType Directory -Path $LocalDir
- }
- $LocalFilePath = Join-Path $LocalDir (Split-Path -Leaf $BlobName)
-
- # Download file from blob storage
- $BlobUrl = "https://$($using:StorageAccountName).blob.core.windows.net/$($using:StorageContainerName)/${BlobName}$($using:BlobSasToken)"
- Write-Verbose -Verbose " [ ] Fetching $BlobUrl..."
- $null = Invoke-WebRequest -Uri $BlobUrl -OutFile $LocalFilePath
- if ($?) {
- Write-Verbose -Verbose "Downloading $BlobUrl succeeded"
- } else {
- throw "Downloading $BlobUrl failed!"
- }
- }
- } catch {
- Write-Error "DownloadArtifacts: $($_.Exception)"
- }
- }
- GetScript = { @{} }
- TestScript = { $false }
- DependsOn = "[Script]EmptyDirectory"
- }
- }
-}
-
-
-configuration CreateNetworkPolicyServer {
- param (
- [Parameter(HelpMessage = "Path to the NPS MFA plugin installer")]
- [ValidateNotNullOrEmpty()]
- [string]$AzureMfaInstallerPath,
-
- [Parameter(HelpMessage = "Path to the NPS policy XML file")]
- [ValidateNotNullOrEmpty()]
- [string]$NpsPolicyXmlPath
- )
-
- Node localhost {
- WindowsFeature NPAS {
- Ensure = "Present"
- Name = "NPAS"
- }
-
- WindowsFeature NPASTools {
- Ensure = "Present"
- Name = "RSAT-NPAS"
- DependsOn = "[WindowsFeature]NPAS"
- }
-
- Script InstallNpsExtension {
- SetScript = {
- try {
- Write-Verbose -Verbose "Installing NPS extension..."
- Start-Process -FilePath $using:AzureMfaInstallerPath -ArgumentList '/install', '/quiet'
- if ($?) {
- Write-Verbose -Verbose "Successfully installed NPS extension"
- } else {
- throw "Failed to install NPS extension!"
- }
- } catch {
- Write-Error "InstallNpsExtension: $($_.Exception)"
- }
- }
- GetScript = { @{} }
- TestScript = { $false }
- DependsOn = "[WindowsFeature]NPASTools"
- }
-
- Script ImportNpsConditionalAccessPolicy {
- SetScript = {
- try {
- Write-Verbose -Verbose "Importing NPS configuration for RDG_CAP policy..."
- Import-NpsConfiguration -Path $using:NpsPolicyXmlPath
- } catch {
- Write-Error "ImportNpsConditionalAccessPolicy: $($_.Exception)"
- }
- }
- GetScript = { @{} }
- TestScript = { $false }
- DependsOn = "[Script]InstallNpsExtension"
- }
- }
-}
-
-
-configuration ConfigureNetworkPolicyServer {
- param (
- [Parameter(Mandatory = $true, HelpMessage = "Base-64 encoded array of blob names to download from storage blob container")]
- [ValidateNotNullOrEmpty()]
- [string]$ArtifactsBlobNamesB64,
-
- [Parameter(Mandatory = $true, HelpMessage = "Base-64 encoded SAS token with read/list rights to the storage blob container")]
- [ValidateNotNullOrEmpty()]
- [string]$ArtifactsBlobSasTokenB64,
-
- [Parameter(Mandatory = $true, HelpMessage = "Name of the artifacts storage account")]
- [ValidateNotNullOrEmpty()]
- [string]$ArtifactsStorageAccountName,
-
- [Parameter(Mandatory = $true, HelpMessage = "Name of the artifacts storage container")]
- [ValidateNotNullOrEmpty()]
- [string]$ArtifactsStorageContainerName,
-
- [Parameter(Mandatory = $true, HelpMessage = "Absolute path to directory which blobs should be downloaded to")]
- [ValidateNotNullOrEmpty()]
- [string]$ArtifactsTargetDirectory
- )
-
- # Construct variables for passing to DSC configurations
- $artifactsBlobNames = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ArtifactsBlobNamesB64)) | ConvertFrom-Json
- $artifactsBlobSasToken = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($ArtifactsBlobSasTokenB64))
- $azureMfaInstallerPath = (Join-Path $ArtifactsTargetDirectory "NpsExtnForAzureMfaInstaller.exe")
- $npsPolicyXmlPath = (Join-Path $ArtifactsTargetDirectory "nps_config.xml")
-
- Node localhost {
- InstallPowershellModules InstallPowershellModules {}
-
- UploadArtifacts UploadArtifacts {
- BlobNames = $artifactsBlobNames
- BlobSasToken = $artifactsBlobSasToken
- StorageAccountName = $ArtifactsStorageAccountName
- StorageContainerName = $ArtifactsStorageContainerName
- ArtifactsDirectory = $ArtifactsTargetDirectory
- DependsOn = "[InstallPowershellModules]InstallPowershellModules"
- }
-
- CreateNetworkPolicyServer CreateNetworkPolicyServer {
- AzureMfaInstallerPath = $azureMfaInstallerPath
- NpsPolicyXmlPath = $npsPolicyXmlPath
- DependsOn = "[UploadArtifacts]UploadArtifacts"
- }
- }
-}
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/Backup.xml b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/Backup.xml
deleted file mode 100755
index 1e620c2023..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/Backup.xml
+++ /dev/null
@@ -1,20 +0,0 @@
-
- 01 00 04 9c 00 00 00 00 00 00 00 00 00 00 00 00 14 00 00 00 04 00 ec 00 08 00 00 00 05 02 28 00 00 01 00 00 01 00 00 00 8f fd ac ed b3 ff d1 11 b4 1d 00 a0 c9 68 f9 39 01 01 00 00 00 00 00 05 0b 00 00 00 00 00 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 b2 02 19 6c 8a 79 30 07 b6 4d ff 37 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 b2 02 19 6c 8a 79 30 07 b6 4d ff 37 00 02 00 00 00 02 24 00 ff 00 0f 00 01 05 00 00 00 00 00 05 15 00 00 00 b2 02 19 6c 8a 79 30 07 b6 4d ff 37 07 02 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 09 00 00 00 00 02 14 00 94 00 02 00 01 01 00 00 00 00 00 05 0b 00 00 00 00 02 14 00 ff 00 0f 00 01 01 00 00 00 00 00 05 12 00 00 00 00 0a 14 00 ff 00 0f 00 01 01 00 00 00 00 00 03 00 00 00 00
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/comment.cmtx b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/comment.cmtx
deleted file mode 100755
index 4f729bb80f..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/comment.cmtx
+++ /dev/null
@@ -1,12 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf
deleted file mode 100755
index 91061e3d80..0000000000
Binary files a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/microsoft/windows nt/SecEdit/GptTmpl.inf and /dev/null differ
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/registry.pol b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/registry.pol
deleted file mode 100755
index 22e3194e7a..0000000000
Binary files a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/Machine/registry.pol and /dev/null differ
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/User/comment.cmtx b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/User/comment.cmtx
deleted file mode 100755
index 07652973a4..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/User/comment.cmtx
+++ /dev/null
@@ -1,15 +0,0 @@
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/User/registry.pol b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/User/registry.pol
deleted file mode 100755
index cc51e09d89..0000000000
Binary files a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/DomainSysvol/GPO/User/registry.pol and /dev/null differ
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/bkupInfo.xml b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/bkupInfo.xml
deleted file mode 100755
index e8f9c8626a..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/bkupInfo.xml
+++ /dev/null
@@ -1 +0,0 @@
-
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/gpreport.xml b/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/gpreport.xml
deleted file mode 100755
index 904285f8a7..0000000000
Binary files a/deployment/safe_haven_management_environment/desired_state_configuration/dc1Artifacts/source/{B0A14FC3-292E-4A23-B280-9CC172D92FD5}/gpreport.xml and /dev/null differ
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/npsArtifacts/Ensure_MFA_SP_AAD.ps1 b/deployment/safe_haven_management_environment/desired_state_configuration/npsArtifacts/Ensure_MFA_SP_AAD.ps1
deleted file mode 100644
index 541098fefe..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/npsArtifacts/Ensure_MFA_SP_AAD.ps1
+++ /dev/null
@@ -1,4 +0,0 @@
-Import-Module MSOnline -ErrorAction Stop
-Connect-MsolService
-New-MsolServicePrincipal -AppPrincipalId 981f26a1-7f43-403b-a875-f8b09b8cd720 -DisplayName "Azure Multi-Factor Auth Client"
-New-MsolServicePrincipal -AppPrincipalId 1f5530b3-261a-47a9-b357-ded261e17918 -DisplayName "Azure Multi-Factor Auth Connector"
diff --git a/deployment/safe_haven_management_environment/desired_state_configuration/npsArtifacts/nps_config.xml b/deployment/safe_haven_management_environment/desired_state_configuration/npsArtifacts/nps_config.xml
deleted file mode 100644
index 9b0a1a2e72..0000000000
--- a/deployment/safe_haven_management_environment/desired_state_configuration/npsArtifacts/nps_config.xml
+++ /dev/null
@@ -1,1190 +0,0 @@
-
-
- <_locDefinition>
- <_locDefault _loc="locNone"/>
- <_locDefaultAttr _loc="locNone"/>
- <_locTag _loc="locNone" _locAttrData="name">Connections_to_other_access_servers
- <_locTag _loc="locNone" _locAttrData="name">Connections_to_Microsoft_Routing_and_Remote_Access_server
- <_locTag _loc="locNone" _locAttrData="name">Use_Windows_authentication_for_all_users
-
-
- 257
-
-
-
- NPS
-
-
-
-
-
-
- 1
- 2
- 3
- 4
- 9
- 10
- 0
-
-
-
-
- 1
- 2
- 5
- 4
- 10
- 3
- 9
- 1a000000000000000000000000000000
- 0d000000000000000000000000000000
- 0
- 2
- 14
- 0100000048000000010000000100FFFF2800000001000000200000000000000001000000010000000100000000000000000000000000000000000000000000000000000000000000
-
-
- {00000000-0000-0000-0000-000000000000}{00000000-0000-0000-0000-000000000000}0139410712
-
-
-
-
- Connections to other access servers
- TIMEOFDAY("0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00")
- 999999
-
-
-
-
- Connections to Microsoft Routing and Remote Access server
- MATCH("MS-RAS-Vendor=^311$")
- 999998
-
-
- 10{00000000-0000-0000-0000-000000000000}RDG_CAPTIMEOFDAY("0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00")1
-
-
-
-
- Use Windows authentication for all users
- TIMEOFDAY("0 00:00-24:00; 1 00:00-24:00; 2 00:00-24:00; 3 00:00-24:00; 4 00:00-24:00; 5 00:00-24:00; 6 00:00-24:00")
- 999999
-
-
-
-
-
-
-
-
- 1
-
-
-
-
-
-
-
-
- IAS.IasHelper
- 262145
-
-
-
-
- IAS.RadiusProtocol
- 262144
- 1812,1645
- 1813,1646
-
-
-
-
-
-
- 0
-
-
- <_Com name="3Com">
-
- 43
-
-
-
-
- 5
-
-
-
-
- 181
-
-
-
-
- 529
-
-
-
-
- 14
-
-
-
-
- 272
-
-
-
-
- 52
-
-
-
-
- 9
-
-
-
-
- 332
-
-
-
-
- 434
-
-
-
-
- 64
-
-
-
-
- 343
-
-
-
-
- 244
-
-
-
-
- 307
-
-
-
-
- 1
-
-
-
-
- 166
-
-
-
-
- 117
-
-
-
-
- 429
-
-
-
-
- 15
-
-
-
-
- 311
-
-
-
-
- 2352
-
-
-
-
- 562
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IAS.PolicyEnforcer
- 7
-
-
-
-
- IAS.NTSamAuthentication
- 1
- 1
-
-
-
-
- IAS.ProxyPolicyEnforcer
- 5
-
-
-
-
- IAS.RadiusProxy
- 8
-
-
-
- 9IAS.Accounting1111C:\windows\system32\LogFiles0111110{00000000-0000-0000-0000-000000000000}
- 13IAS.DatabaseAccounting0000020{00000000-0000-0000-0000-000000000000}
-
-
-
-
-
- IAS.NTEventLog
- 524288
- 1
- 1
- 1
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
- IAS.SdoClient
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Require_Signature
- Shared_Secret
- NAS_Manufacturer
- IP_Address
- Radius_Client_Enabled
- Template_Guid
- Opaque_Data
- Client_Secret_Template_Guid
-
-
-
-
- IAS.SdoCondition
- Condition_Text
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
-
-
-
-
- IAS.SdoPolicy
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- msNPConstraint
- msNPSequence
- msNPAction
- Policy_Action
- Conditions
- Policy_Enabled
- Policy_SourceTag
- Template_Guid
- Opaque_Data
-
-
-
-
- IAS.SdoProfile
- Profile_Attributes
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Template_Guid
- Opaque_Data
- IP_Filter_Template_Guid
-
-
-
-
- IAS.NTEventLog
- Component_Id
- Component_Prog_Id
- Log_Application_Events
- Log_Malformed_Packets
- Log_Verbose
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
-
-
-
-
- IAS.PolicyEnforcer
- Component_Id
- Component_Prog_Id
- NAP_Policies
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
-
-
-
-
- IAS.NTSamAuthentication
- Allow_LM_Authentication
- Component_Id
- Component_Prog_Id
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
-
-
-
-
- IAS.Accounting
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Component_Id
- Component_Prog_Id
- Log_Accounting_Packets
- Log_Interim_Accounting_Packets
- Log_Authentication_Packets
- New_Log_Frequency
- New_Log_Size
- Log_File_Directory
- Log_Format
- Delete_If_Full
- Log_Interim_Authentication_Packets
- Log_File_Is_Backup
- Discard_On_Failure
- Template_Guid
- Opaque_Data
-
-
-
-
- IAS.SdoServiceIAS
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Description
- Policies
- Profiles
- Protocols
- Auditors
- Request_Handlers
- RADIUS_Server_Groups
- Proxy_Policies
- Proxy_Profiles
-
-
-
-
- IAS.SdoTemplatesRoot
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Description
- Policies_Templates
- Profiles_Templates
- Profiles_InPolicyTemplates
- ProxyPolicies_Templates
- ProxyProfiles_Templates
- ProxyProfiles_InPolicyTemplates
- Radius_Clients_Templates
- RADIUS_Servers_Templates
- RADIUS_Shared_Secrets_Templates
- IP_Filters_Templates
-
-
-
-
- IAS.RadiusProtocol
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Component_Id
- Component_Prog_Id
- Vendor_Information
- Clients
- Authentication_Port
- Accounting_Port
-
-
-
-
- IAS.IasHelper
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Component_Id
- Component_Prog_Id
-
-
-
-
- IAS.SdoVendor
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- NAS_Vendor_Id
-
-
-
-
- IAS.SdoRadiusServerGroup
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Servers
-
-
-
-
- IAS.SdoRadiusServer
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Server_Accounting_Port
- Server_Authentication_Port
- Accounting_Secret
- Authentication_Secret
- Address
- Forward_Accounting_On_Off
- Priority
- Weight
- Timeout
- Maximum_Lost_Packets
- Blackout_Interval
- Send_Signature
- Template_Guid
- Opaque_Data
- Auth_Secret_Template_Guid
- Acct_Secret_Template_Guid
-
-
-
-
- IAS.ProxyPolicyEnforcer
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Component_Id
- Component_Prog_Id
- NAP_Policies
-
-
-
-
- IAS.RadiusProxy
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Component_Id
- Component_Prog_Id
- Server_Groups
-
-
-
-
- IAS.DatabaseAccounting
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Component_Id
- Component_Prog_Id
- Log_Accounting_Packets
- Log_Interim_Accounting_Packets
- Log_Authentication_Packets
- SQL_Max_Sessions
- Log_Interim_Authentication_Packets
- Discard_On_Failure
- Template_Guid
- Opaque_Data
-
-
-
-
- IAS.SdoIPFilter
- IP_Filter_Attributes
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Template_Guid
-
-
-
-
- IAS.SdoSharedSecret
- RADIUS_Shared_Secret
- {46557888-4DB8-11d2-8ECE-00C04FC2F519}
- {46557889-4DB8-11d2-8ECE-00C04FC2F519}
- Template_Guid
-
-
-
-
-
-
-
-
- 3
- 96
- 8
- 255
-
-
-
-
- 6
- 3120
- 8
- 38
- 38
- {00000000-0000-0000-0000-000000000000}
-
-
-
-
- 7
- 1024
- 8
-
-
-
-
-
- 1025
- 450
- 9
-
-
-
-
- 1026
- 450
- 9
-
-
-
-
- 1027
- 450
- 9
-
-
-
-
- 1028
- 450
- 9
-
-
-
-
- 1029
- 450
- 9
-
-
-
-
- 1024
- 1088
- 11
- 0
-
-
-
-
- 1026
- 112
- 8
- 0
- 64
-
-
-
-
- 1027
- 1088
- 3
- 0
-
-
-
-
- 1028
- 64
- 8
-
-
-
-
- 1024
- 64
- 8
-
-
-
-
- 1027
- 3136
- 8
- 1813,1646
-
-
-
-
- 1028
- 3136
- 8
- 1812,1645
-
-
-
-
- 1029
- 2498
- 9
-
-
-
-
- 1026
- 3136
- 11
- 1
-
-
-
-
- 1027
- 3136
- 11
- 0
-
-
-
-
- 1028
- 3136
- 11
- 0
-
-
-
-
- 1026
- 3136
- 11
- 1
-
-
-
-
- 1026
- 3136
- 11
- 0
-
-
-
-
- 1027
- 3136
- 11
- 0
-
-
-
-
- 1028
- 3136
- 11
- 0
-
-
-
-
- 1029
- 3148
- 3
- 0
- 0
- 5
-
-
-
-
- 1030
- 3148
- 3
- 10
- 1
- 100000
-
-
-
-
- 1031
- 3184
- 8
- 1
- 255
- %windir%\LogFiles
-
-
-
-
- 1032
- 3136
- 3
- 0
-
-
-
-
- 1024
- 64
- 3
-
-
-
-
- 1025
- 64
- 8
-
-
-
-
- 1025
- 448
- 8
-
-
-
-
- 1026
- 2242
- 9
-
-
-
-
- 1024
- 576
- 8
-
-
-
-
- 1025
- 64
- 3
-
-
-
-
- 1028
- 112
- 8
- 1
- 255
-
-
-
-
- 1029
- 193
- 9
-
-
-
-
- 1030
- 450
- 9
-
-
-
-
- 1024
- 450
- 9
-
-
-
-
- 1036
- 192
- 0
-
-
-
-
- 1024
- 320
- 3
-
-
-
-
- 1030
- 450
- 9
-
-
-
-
- 1030
- 450
- 9
-
-
-
-
- 1031
- 450
- 9
-
-
-
-
- 1024
- 450
- 9
-
-
-
-
- 1024
- 450
- 9
-
-
-
-
- 1026
- 1024
- 3
- 1813
-
-
-
-
- 1027
- 0
- 8
-
-
-
-
- 1024
- 1024
- 3
- 1812
-
-
-
-
- 1025
- 1024
- 8
-
-
-
-
-
- 1028
- 0
- 8
-
-
-
-
- 1029
- 1024
- 11
- 1
-
-
-
-
- 1030
- 1024
- 3
- 1
-
-
-
-
- 1031
- 1024
- 3
- 50
-
-
-
-
- 1026
- 2242
- 9
-
-
-
-
- 1032
- 1024
- 3
- 3
-
-
-
-
- 1033
- 1024
- 3
- 5
-
-
-
-
- 1034
- 1024
- 3
- 30
-
-
-
-
- 1034
- 3072
- 11
- 0
-
-
-
-
- 1035
- 2060
- 3
- 1
- 100
-
-
-
-
- 1036
- 3072
- 11
- 0
-
-
-
-
- 1031
- 1088
- 11
- 1
-
-
-
-
- 1030
- 1088
- 11
- 1
-
-
-
-
- 1035
- 1088
- 11
- 1
-
-
-
-
- 1032
- 1088
- 3
- 0
-
-
-
-
- 1037
- 3136
- 11
- 0
-
-
-
-
- 1038
- 3136
- 11
- 1
-
-
-
-
- 1024
- 450
- 9
-
-
-
-
- 1025
- 450
- 9
-
-
-
-
- 1026
- 450
- 9
-
-
-
-
- 1027
- 450
- 9
-
-
-
-
- 1028
- 450
- 9
-
-
-
-
- 1029
- 450
- 9
-
-
-
-
- 1032
- 450
- 9
-
-
-
-
- 1033
- 450
- 9
-
-
-
-
- 1024
- 450
- 9
-
-
-
-
- 1024
- 1024
- 8
-
-
-
-
-
- 1034
- 450
- 9
-
-
-
-
- 1035
- 450
- 9
-
-
-
-
- 1025
- 3120
- 8
- 38
- 38
- {00000000-0000-0000-0000-000000000000}
-
-
-
-
- 1036
- 3120
- 8
- 38
- 38
- {00000000-0000-0000-0000-000000000000}
-
-
-
-
- 1037
- 3120
- 8
- 38
- 38
- {00000000-0000-0000-0000-000000000000}
-
-
-
-
- 1031
- 3120
- 8
- 38
- 38
- {00000000-0000-0000-0000-000000000000}
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/deployment/safe_haven_management_environment/network_rules/shm-nsg-rules-identity.json b/deployment/safe_haven_management_environment/network_rules/shm-nsg-rules-identity.json
index 86219b1118..178af1e085 100644
--- a/deployment/safe_haven_management_environment/network_rules/shm-nsg-rules-identity.json
+++ b/deployment/safe_haven_management_environment/network_rules/shm-nsg-rules-identity.json
@@ -59,18 +59,6 @@
"sourceAddressPrefix": "VirtualNetwork",
"sourcePortRange": "*"
},
- {
- "name": "AllowRADIUSAuthenticationInbound",
- "access": "Allow",
- "description": "Allows RDS servers to connect to NPS server for MFA",
- "destinationAddressPrefix": "{{nps.ip}}",
- "destinationPortRange": ["1645", "1646", "1812", "1813"],
- "direction": "Inbound",
- "priority": 1300,
- "protocol": "UDP",
- "sourceAddressPrefix": "VirtualNetwork",
- "sourcePortRange": "*"
- },
{
"name": "AllowAdminVPNInbound",
"access": "Allow",
diff --git a/deployment/safe_haven_management_environment/setup/Deploy_SHM.ps1 b/deployment/safe_haven_management_environment/setup/Deploy_SHM.ps1
index bd79417d1c..52d4a7489c 100755
--- a/deployment/safe_haven_management_environment/setup/Deploy_SHM.ps1
+++ b/deployment/safe_haven_management_environment/setup/Deploy_SHM.ps1
@@ -85,11 +85,6 @@ Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Setup_SHM_DC.ps1')"
Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Setup_SHM_Update_Servers.ps1')" -shmId $shmId }
-# Setup SHM network policy server
-# -------------------------------
-Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Setup_SHM_NPS.ps1')" -shmId $shmId }
-
-
# Setup SHM package repositories
# ------------------------------
Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Setup_SHM_Package_Repositories.ps1')" -shmId $shmId }
diff --git a/deployment/safe_haven_management_environment/setup/Setup_SHM_Key_Vault_And_Emergency_Admin.ps1 b/deployment/safe_haven_management_environment/setup/Setup_SHM_Key_Vault_And_Emergency_Admin.ps1
index 274b7ea571..f53e0bc012 100644
--- a/deployment/safe_haven_management_environment/setup/Setup_SHM_Key_Vault_And_Emergency_Admin.ps1
+++ b/deployment/safe_haven_management_environment/setup/Setup_SHM_Key_Vault_And_Emergency_Admin.ps1
@@ -77,7 +77,6 @@ try {
try {
$null = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.keyVault.secretNames.domainAdminPassword -DefaultLength 20 -AsPlaintext
$null = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.dc.safemodePasswordSecretName -DefaultLength 20 -AsPlaintext
- $null = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.nps.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
$null = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.monitoring.updateServers.linux.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
foreach ($repositoryTier in $config.repository.Keys) {
$null = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.repository[$repositoryTier].nexus.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
diff --git a/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1 b/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1
deleted file mode 100644
index 21a96849bc..0000000000
--- a/deployment/safe_haven_management_environment/setup/Setup_SHM_NPS.ps1
+++ /dev/null
@@ -1,130 +0,0 @@
-param(
- [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
- [string]$shmId
-)
-
-Import-Module Az.Accounts -ErrorAction Stop
-Import-Module Az.Compute -ErrorAction Stop
-Import-Module Az.Storage -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureCompute -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureKeyVault -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureResources -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureStorage -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Cryptography -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/DataStructures -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Logging -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/RemoteCommands -Force -ErrorAction Stop
-
-
-# Get config and original context before changing subscription
-# ------------------------------------------------------------
-$config = Get-ShmConfig -shmId $shmId
-$originalContext = Get-AzContext
-$null = Set-AzContext -SubscriptionId $config.subscriptionName -ErrorAction Stop
-
-
-# Create resource group if it does not exist
-# ------------------------------------------
-$null = Deploy-ResourceGroup -Name $config.nps.rg -Location $config.location
-
-
-# Retrieve passwords from the Key Vault
-# -------------------------------------
-Add-LogMessage -Level Info "Creating/retrieving secrets from Key Vault '$($config.keyVault.name)'..."
-$domainJoinPassword = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.users.computerManagers.identityServers.passwordSecretName -DefaultLength 20 -AsPlaintext
-$vmAdminUsername = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.keyVault.secretNames.vmAdminUsername -DefaultValue "shm$($config.id)admin".ToLower() -AsPlaintext
-$vmAdminPassword = Resolve-KeyVaultSecret -VaultName $config.keyVault.name -SecretName $config.nps.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
-
-
-# Ensure that artifacts resource group, storage account and storage container exist
-# ---------------------------------------------------------------------------------
-$null = Deploy-ResourceGroup -Name $config.storage.artifacts.rg -Location $config.location
-$storageAccount = Deploy-StorageAccount -Name $config.storage.artifacts.accountName -ResourceGroupName $config.storage.artifacts.rg -Location $config.location
-$null = Deploy-StorageContainer -Name $config.storage.artifacts.containers.shmArtifactsNPS -StorageAccount $storageAccount
-
-
-# Upload artifacts
-# ----------------
-Add-LogMessage -Level Info "Uploading NPS artifacts to storage account '$($config.storage.artifacts.accountName)'..."
-try {
- $success = $true
- # Desired state
- $dscPath = Join-Path $PSScriptRoot ".." "desired_state_configuration"
- $null = Publish-AzVMDscConfiguration -ConfigurationPath (Join-Path $dscPath "NPSDesiredState.ps1") `
- -ContainerName $config.storage.artifacts.containers.shmDesiredState `
- -Force `
- -ResourceGroupName $config.storage.artifacts.rg `
- -SkipDependencyDetection `
- -StorageAccountName $config.storage.artifacts.accountName
- $success = $success -and $?
- # Local artifacts
- foreach ($filePath in $(Get-ChildItem (Join-Path $dscPath "npsArtifacts") -Recurse)) {
- $null = Set-AzStorageBlobContent -Container $config.storage.artifacts.containers.shmArtifactsNPS -Context $storageAccount.Context -File $filePath -Force
- $success = $success -and $?
- }
- # Remote artifacts
- $null = Set-AzureStorageBlobFromUri -FileUri "https://raw.githubusercontent.com/Azure-Samples/azure-mfa-nps-extension-health-check/master/MFA_NPS_Troubleshooter.ps1" -StorageContainer $config.storage.artifacts.containers.shmArtifactsNPS -StorageContext $storageAccount.Context
- $null = Set-AzureStorageBlobFromUri -FileUri "https://download.microsoft.com/download/B/F/F/BFFB4F12-9C09-4DBC-A4AF-08E51875EEA9/NpsExtnForAzureMfaInstaller.exe" -StorageContainer $config.storage.artifacts.containers.shmArtifactsNPS -StorageContext $storageAccount.Context
- if (-not $success) { throw }
- Add-LogMessage -Level Success "Uploaded NPS artifacts to storage account '$($config.storage.artifacts.accountName)'"
-} catch {
- Add-LogMessage -Level Fatal "Failed to upload NPS artifacts to storage account '$($config.storage.artifacts.accountName)'!"
-}
-
-
-# Deploy NPS from template
-# ------------------------
-Add-LogMessage -Level Info "Deploying network policy server (NPS) from template..."
-$params = @{
- administratorPassword = (ConvertTo-SecureString $vmAdminPassword -AsPlainText -Force)
- administratorUsername = $vmAdminUsername
- bootDiagnosticsAccountName = $config.storage.bootdiagnostics.accountName
- domainJoinOuPath = $config.domain.ous.identityServers.path
- domainJoinPassword = (ConvertTo-SecureString $domainJoinPassword -AsPlainText -Force)
- domainJoinUser = $config.users.computerManagers.identityServers.samAccountName
- domainName = $config.domain.fqdn
- virtualNetworkName = $config.network.vnet.name
- virtualNetworkResourceGroupName = $config.network.vnet.rg
- virtualNetworkSubnetName = $config.network.vnet.subnets.identity.name
- vmHostName = $config.nps.hostname
- vmName = $config.nps.vmName
- vmOsDiskSizeGb = [int]$config.nps.disks.os.sizeGb
- vmOsDiskType = $config.nps.disks.os.type
- vmPrivateIpAddress = $config.nps.ip
- vmSize = $config.nps.vmSize
-}
-Deploy-ArmTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "arm_templates" "shm-nps-template.json") -TemplateParameters $params -ResourceGroupName $config.nps.rg
-
-
-# Apply SHM NPS desired state
-# ---------------------------
-Add-LogMessage -Level Info "Installing desired state prerequisites on NPS..."
-$null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath (Join-Path $dscPath "NPSBootstrap.ps1") -VMName $config.nps.vmName -ResourceGroupName $config.nps.rg -SuppressOutput
-$params = @{
- ArtifactsBlobNamesB64 = Get-AzStorageBlob -Container $config.storage.artifacts.containers.shmArtifactsNPS -Context $storageAccount.Context | ForEach-Object { $_.Name } | ConvertTo-Json -Depth 99 | ConvertTo-Base64
- ArtifactsBlobSasTokenB64 = (New-ReadOnlyStorageAccountSasToken -SubscriptionName $config.subscriptionName -ResourceGroup $config.storage.artifacts.rg -AccountName $config.storage.artifacts.accountName) | ConvertTo-Base64
- ArtifactsStorageAccountName = $config.storage.artifacts.accountName
- ArtifactsStorageContainerName = $config.storage.artifacts.containers.shmArtifactsNPS
- ArtifactsTargetDirectory = $config.nps.installationDirectory
-}
-$null = Invoke-AzureVmDesiredState -ArchiveBlobName "NPSDesiredState.ps1.zip" `
- -ArchiveContainerName $config.storage.artifacts.containers.shmDesiredState `
- -ArchiveResourceGroupName $config.storage.artifacts.rg `
- -ArchiveStorageAccountName $config.storage.artifacts.accountName `
- -ConfigurationName "ConfigureNetworkPolicyServer" `
- -ConfigurationParameters $params `
- -VmLocation $config.location `
- -VmName $config.nps.vmName `
- -VmResourceGroupName $config.nps.rg
-
-
-# Set locale, install updates and reboot
-# --------------------------------------
-Add-LogMessage -Level Info "Updating NPS VM '$($config.nps.vmName)'..."
-Invoke-WindowsConfiguration -VMName $config.nps.vmName -ResourceGroupName $config.nps.rg -TimeZone $config.time.timezone.windows -NtpServer ($config.time.ntp.serverAddresses)[0]
-
-
-# Switch back to original subscription
-# ------------------------------------
-$null = Set-AzContext -Context $originalContext -ErrorAction Stop
diff --git a/deployment/secure_research_environment/arm_templates/sre-rds-template.json b/deployment/secure_research_environment/arm_templates/sre-rds-template.json
deleted file mode 100644
index bc01b3920f..0000000000
--- a/deployment/secure_research_environment/arm_templates/sre-rds-template.json
+++ /dev/null
@@ -1,481 +0,0 @@
-{
- "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
- "contentVersion": "1.0.0.0",
- "parameters": {
- "administratorUsername": {
- "type": "string",
- "metadata": {
- "description": "Enter name for VM Administrator"
- }
- },
- "bootDiagnosticsAccountName": {
- "type": "string",
- "metadata": {
- "description": "Enter name of storage account used for boot diagnostics"
- }
- },
- "domainName": {
- "type": "string",
- "metadata": {
- "Description": "Public domain name for the SHM"
- }
- },
- "gatewayAdministratorPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for RDS gateway"
- }
- },
- "gatewayDataDiskSizeGb": {
- "type": "int"
- },
- "gatewayDataDiskType": {
- "type": "string"
- },
- "gatewayDomainJoinOuPath": {
- "type": "string",
- "metadata": {
- "description": "Enter OU path for gateway VMs"
- }
- },
- "gatewayDomainJoinPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Enter name for DC Administrator Password"
- }
- },
- "gatewayDomainJoinUser": {
- "type": "string",
- "metadata": {
- "description": "Enter name for DC Administrator"
- }
- },
- "gatewayNsgName": {
- "type": "string",
- "metadata": {
- "description": "Enter NSG Gateway Name"
- }
- },
- "gatewayOsDiskSizeGb": {
- "type": "int"
- },
- "gatewayOsDiskType": {
- "type": "string"
- },
- "gatewayPrivateIpAddress": {
- "type": "string",
- "defaultValue": "10.250.x.250",
- "metadata": {
- "description": "Enter IP address for RDS Gateway VM, must end in 250"
- }
- },
- "gatewayVmName": {
- "type": "string",
- "metadata": {
- "description": "Name of the RDS gateway VM"
- }
- },
- "gatewayVmSize": {
- "type": "string",
- "defaultValue": "Standard_B2ms",
- "metadata": {
- "description": "Select size of RDS Gateway VM"
- }
- },
-
- "sessionHostAppsAdministratorPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Password for RDS gateway"
- }
- },
- "sessionHostAppsOsDiskSizeGb": {
- "type": "int"
- },
- "sessionHostAppsOsDiskType": {
- "type": "string"
- },
- "sessionHostAppsPrivateIpAddress": {
- "type": "string",
- "defaultValue": "10.250.x.249",
- "metadata": {
- "description": "Enter IP address for RDS_Session_Host_Apps VM, must end in 249"
- }
- },
- "sessionHostAppsVmName": {
- "type": "string",
- "metadata": {
- "description": "Name of the RDS apps session host VM"
- }
- },
- "sessionHostAppsVmSize": {
- "type": "string",
- "defaultValue": "Standard_B2ms",
- "metadata": {
- "description": "Select size of RDS_Session_Host_Apps VM"
- }
- },
- "sessionHostsDomainJoinOuPath": {
- "type": "string",
- "metadata": {
- "description": "Enter OU path for session host VMs"
- }
- },
- "sessionHostsDomainJoinPassword": {
- "type": "securestring",
- "metadata": {
- "description": "Enter name for DC Administrator Password"
- }
- },
- "sessionHostsDomainJoinUser": {
- "type": "string",
- "metadata": {
- "description": "Enter name for DC Administrator"
- }
- },
- "virtualNetworkGatewaySubnetName": {
- "type": "string",
- "metadata": {
- "description": "Name of the subnet that the RDS gateway should belong to"
- }
- },
- "virtualNetworkName": {
- "type": "string",
- "metadata": {
- "description": "Name of virtual network to provision these VMs"
- }
- },
- "virtualNetworkResourceGroupName": {
- "type": "string",
- "metadata": {
- "description": "Name of resource group that is associated with the virtual network above"
- }
- },
- "virtualNetworkSessionHostsSubnetName": {
- "type": "string",
- "metadata": {
- "description": "Name of the subnet that the RDS gateway should belong to"
- }
- },
- },
- "variables": {
- "rdsGatewayNic": "[concat(parameters('gatewayVmName'),'-','NIC')]",
- "rdsAppSessionHostNic": "[concat(parameters('sessionHostAppsVmName'),'-','NIC')]",
- "rdsGatewayPip": "[concat(parameters('gatewayVmName'),'-','PIP')]",
- "vnetID": "[resourceId(parameters('virtualNetworkResourceGroupName'), 'Microsoft.Network/virtualNetworks', parameters('virtualNetworkName'))]",
- "rdsGatewaySubnet": "[concat(variables('vnetID'),'/subnets/', parameters('virtualNetworkGatewaySubnetName'))]",
- "rdsServersSubnet": "[concat(variables('vnetID'),'/subnets/', parameters('virtualNetworkSessionHostsSubnetName'))]"
- },
- "resources": [
- {
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[parameters('gatewayVmName')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "hardwareProfile": {
- "vmSize": "[parameters('gatewayVmSize')]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2022-Datacenter",
- "version": "latest"
- },
- "osDisk": {
- "osType": "Windows",
- "name": "[concat(parameters('gatewayVmName'),'-OS-DISK')]",
- "createOption": "FromImage",
- "caching": "ReadWrite",
- "writeAcceleratorEnabled": false,
- "managedDisk": {
- "storageAccountType": "[parameters('gatewayOsDiskType')]"
- },
- "diskSizeGB": "[parameters('gatewayOsDiskSizeGb')]"
- },
- "dataDisks": [
- {
- "lun": 0,
- "name": "[concat(parameters('gatewayVmName'),'-DATA-DISK')]",
- "createOption": "Empty",
- "caching": "None",
- "writeAcceleratorEnabled": false,
- "managedDisk": {
- "storageAccountType": "[parameters('gatewayDataDiskType')]"
- },
- "diskSizeGB": "[parameters('gatewayDataDiskSizeGb')]"
- }
- ]
- },
- "osProfile": {
- "computerName": "[parameters('gatewayVmName')]",
- "adminUsername": "[parameters('administratorUsername')]",
- "adminPassword": "[parameters('gatewayAdministratorPassword')]",
- "windowsConfiguration": {
- "enableAutomaticUpdates": true,
- "provisionVMAgent": true
- },
- "secrets": [],
- "allowExtensionOperations": true
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('rdsGatewayNic'))]",
- "properties": {
- "primary": true
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat('https://', parameters('bootDiagnosticsAccountName'), '.blob.core.windows.net/')]"
- }
- }
- },
- "dependsOn": [
- "[resourceId('Microsoft.Network/networkInterfaces', variables('rdsGatewayNic'))]"
- ]
- },
- {
- "type": "Microsoft.Compute/virtualMachines",
- "name": "[parameters('sessionHostAppsVmName')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "hardwareProfile": {
- "vmSize": "[parameters('sessionHostAppsVmSize')]"
- },
- "storageProfile": {
- "imageReference": {
- "publisher": "MicrosoftWindowsServer",
- "offer": "WindowsServer",
- "sku": "2022-Datacenter",
- "version": "latest"
- },
- "osDisk": {
- "osType": "Windows",
- "name": "[concat(parameters('sessionHostAppsVmName'),'-OS-DISK')]",
- "createOption": "FromImage",
- "caching": "ReadWrite",
- "writeAcceleratorEnabled": false,
- "managedDisk": {
- "storageAccountType": "[parameters('sessionHostAppsOsDiskType')]"
- },
- "diskSizeGB": "[parameters('sessionHostAppsOsDiskSizeGb')]"
- },
- "dataDisks": []
- },
- "osProfile": {
- "computerName": "[parameters('sessionHostAppsVmName')]",
- "adminUsername": "[parameters('administratorUsername')]",
- "adminPassword": "[parameters('sessionHostAppsAdministratorPassword')]",
- "windowsConfiguration": {
- "enableAutomaticUpdates": true,
- "provisionVMAgent": true
- },
- "secrets": [],
- "allowExtensionOperations": true
- },
- "networkProfile": {
- "networkInterfaces": [
- {
- "id": "[resourceId('Microsoft.Network/networkInterfaces', variables('rdsAppSessionHostNic'))]",
- "properties": {
- "primary": true
- }
- }
- ]
- },
- "diagnosticsProfile": {
- "bootDiagnostics": {
- "enabled": true,
- "storageUri": "[concat('https://', parameters('bootDiagnosticsAccountName'), '.blob.core.windows.net/')]"
- }
- }
- },
- "dependsOn": [
- "[resourceId('Microsoft.Network/networkInterfaces', variables('rdsAppSessionHostNic'))]"
- ]
- },
- {
- "type": "Microsoft.Network/networkInterfaces",
- "name": "[variables('rdsAppSessionHostNic')]",
- "apiVersion": "2020-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "ipConfigurations": [
- {
- "name": "ipConfigRdsAppSessionHost",
- "properties": {
- "privateIPAddress": "[parameters('sessionHostAppsPrivateIpAddress')]",
- "privateIPAllocationMethod": "Static",
- "subnet": {
- "id": "[variables('rdsServersSubnet')]"
- },
- "primary": true,
- "privateIPAddressVersion": "IPv4"
- }
- }
- ],
- "dnsSettings": {
- "dnsServers": [],
- "appliedDnsServers": []
- },
- "enableAcceleratedNetworking": false,
- "enableIPForwarding": false,
- "primary": true,
- "tapConfigurations": []
- },
- "dependsOn": []
- },
- {
- "type": "Microsoft.Network/networkInterfaces",
- "name": "[variables('rdsGatewayNic')]",
- "apiVersion": "2020-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "ipConfigurations": [
- {
- "name": "ipConfigRdsGateway",
- "properties": {
- "privateIPAddress": "[parameters('gatewayPrivateIpAddress')]",
- "privateIPAllocationMethod": "Static",
- "publicIPAddress": {
- "id": "[resourceId('Microsoft.Network/publicIPAddresses', variables('rdsGatewayPip'))]"
- },
- "subnet": {
- "id": "[variables('rdsGatewaySubnet')]"
- },
- "primary": true,
- "privateIPAddressVersion": "IPv4"
- }
- }
- ],
- "dnsSettings": {
- "dnsServers": [],
- "appliedDnsServers": []
- },
- "enableAcceleratedNetworking": false,
- "enableIPForwarding": false,
- "networkSecurityGroup": {
- "id": "[resourceId(parameters('virtualNetworkResourceGroupName'), 'Microsoft.Network/networkSecurityGroups', parameters('gatewayNsgName'))]"
- },
- "primary": true,
- "tapConfigurations": []
- },
- "dependsOn": [
- "[resourceId('Microsoft.Network/publicIPAddresses', variables('rdsGatewayPip'))]"
- ]
- },
- {
- "type": "Microsoft.Network/publicIPAddresses",
- "sku": {
- "name": "Basic",
- "tier": "Regional"
- },
- "name": "[variables('rdsGatewayPip')]",
- "apiVersion": "2020-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "publicIPAddressVersion": "IPv4",
- "publicIPAllocationMethod": "Static",
- "idleTimeoutInMinutes": 4,
- "ipTags": []
- },
- "dependsOn": []
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('gatewayVmName'), '/', 'bginfo')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "autoUpgradeMinorVersion": true,
- "publisher": "Microsoft.Compute",
- "type": "bginfo",
- "typeHandlerVersion": "2.1"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', parameters('gatewayVmName'))]"
- ]
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('sessionHostAppsVmName'), '/', 'bginfo')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "scale": null,
- "properties": {
- "autoUpgradeMinorVersion": true,
- "publisher": "Microsoft.Compute",
- "type": "bginfo",
- "typeHandlerVersion": "2.1"
- },
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', parameters('sessionHostAppsVmName'))]"
- ]
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('gatewayVmName'),'/joindomain')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', parameters('gatewayVmName'))]",
- "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('gatewayVmName'),'bginfo')]"
- ],
- "properties": {
- "publisher": "Microsoft.Compute",
- "type": "JsonADDomainExtension",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "Name": "[parameters('domainName')]",
- "OUPath": "[parameters('gatewayDomainJoinOuPath')]",
- "User": "[concat(parameters('domainName'), '\\', parameters('gatewayDomainJoinUser'))]",
- "Restart": "true",
- "Options": "3"
- },
- "protectedSettings": {
- "Password": "[parameters('gatewayDomainJoinPassword')]"
- }
- }
- },
- {
- "type": "Microsoft.Compute/virtualMachines/extensions",
- "name": "[concat(parameters('sessionHostAppsVmName'),'/joindomain')]",
- "apiVersion": "2021-11-01",
- "location": "[resourceGroup().location]",
- "dependsOn": [
- "[resourceId('Microsoft.Compute/virtualMachines', parameters('sessionHostAppsVmName'))]",
- "[resourceId('Microsoft.Compute/virtualMachines/extensions', parameters('sessionHostAppsVmName'),'bginfo')]"
- ],
- "properties": {
- "publisher": "Microsoft.Compute",
- "type": "JsonADDomainExtension",
- "typeHandlerVersion": "1.3",
- "autoUpgradeMinorVersion": true,
- "settings": {
- "Name": "[parameters('domainName')]",
- "OUPath": "[parameters('sessionHostsDomainJoinOuPath')]",
- "User": "[concat(parameters('domainName'), '\\', parameters('sessionHostsDomainJoinUser'))]",
- "Restart": "true",
- "Options": "3"
- },
- "protectedSettings": {
- "Password": "[parameters('sessionHostsDomainJoinPassword')]"
- }
- }
- }
- ]
-}
\ No newline at end of file
diff --git a/deployment/secure_research_environment/network_rules/sre-nsg-rules-gateway.json b/deployment/secure_research_environment/network_rules/sre-nsg-rules-gateway.json
deleted file mode 100644
index 3fbd5c0b10..0000000000
--- a/deployment/secure_research_environment/network_rules/sre-nsg-rules-gateway.json
+++ /dev/null
@@ -1,222 +0,0 @@
-[
- {
- "name": "AllowRDSSessionHostsInbound",
- "access": "Allow",
- "description": "Allow inbound connections from RDS session hosts",
- "destinationAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "destinationPortRange": ["135", "137-139", "443", "445", "3389", "3391", "5504", "5985", "49152-65535"],
- "direction": "Inbound",
- "priority": 700,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowAdminVPNInbound",
- "access": "Allow",
- "description": "Allow RDP connection to servers from admin P2S VPN",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "destinationPortRange": "3389",
- "direction": "Inbound",
- "priority": 2000,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{shm.network.vpn.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowUsersApprovedHttpsInbound",
- "access": "Allow",
- "description": "Allow inbound https connections from clients to RDS server",
- "destinationAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "destinationPortRange": "443",
- "direction": "Inbound",
- "priority": 2200,
- "protocol": "TCP",
- "sourceAddressPrefix": [
- {{#sre.remoteDesktop.networkRules.allowedSources}}
- "{{.}}",
- {{/sre.remoteDesktop.networkRules.allowedSources}}
- ],
- "sourcePortRange": "*"
- },
- {
- "name": "AllowExternalSslLabsHttpsInbound",
- "access": "Allow",
- "description": "Allow inbound https connections from ssllabs.com for SSL quality reporting",
- "destinationAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "destinationPortRange": "443",
- "direction": "Inbound",
- "priority": 3400,
- "protocol": "TCP",
- "sourceAddressPrefix": "64.41.200.0/24",
- "sourcePortRange": "*"
- },
- {
- "name": "DenyAllOtherInbound",
- "access": "Deny",
- "description": "Deny all other inbound traffic.",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "*",
- "direction": "Inbound",
- "priority": 4096,
- "protocol": "*",
- "sourceAddressPrefix": "*",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowPrivateDataEndpointsOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to private endpoints in the VNet",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.data.cidr}}",
- "destinationPortRange": "*",
- "direction": "Outbound",
- "priority": 400,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowRDSSessionHostsOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to RDS session hosts",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "destinationPortRange": ["135", "137-139", "443", "445", "3389", "3391", "5504", "5985", "49152-65535"],
- "direction": "Outbound",
- "priority": 700,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowDomainJoinedClientsUdpOutbound",
- "access": "Allow",
- "description": "Allow domain-joined client requests over UDP: Kerberos; LDAP.",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.identity.cidr}}",
- "destinationPortRange": ["88", "389"],
- "direction": "Outbound",
- "priority": 1000,
- "protocol": "UDP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowDomainJoinedClientsTcpOutbound",
- "access": "Allow",
- "description": "Allow domain-joined client requests over TCP: (see https://devopstales.github.io/linux/pfsense-ad-join/ for details).",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.identity.cidr}}",
- "destinationPortRange": ["88", "135", "139", "389", "445", "464", "636", "3268", "3269", "49152-65535"],
- "direction": "Outbound",
- "priority": 1100,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowDNSOutbound",
- "access": "Allow",
- "description": "Allow DNS requests to SHM",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.identity.cidr}}",
- "destinationPortRange": "53",
- "direction": "Outbound",
- "priority": 1200,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowRADIUSAuthenticationOutbound",
- "access": "Allow",
- "description": "Allows RDS servers to connect to NPS server for MFA",
- "destinationAddressPrefix": "{{shm.nps.ip}}",
- "destinationPortRange": ["1645", "1646", "1812", "1813"],
- "direction": "Outbound",
- "priority": 1300,
- "protocol": "UDP",
- "sourceAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowMonitoringToolsOutbound",
- "access": "Allow",
- "description": "Allow connections to local monitoring tools",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.monitoring.cidr}}",
- "destinationPortRange": "443",
- "direction": "Outbound",
- "priority": 1500,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowExternalNTPOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to external NTP servers",
- "destinationAddressPrefix": [
- {{#shm.time.ntp.serverAddresses}}
- "{{.}}",
- {{/shm.time.ntp.serverAddresses}}
- ],
- "destinationPortRange": "123",
- "direction": "Outbound",
- "priority": 3000,
- "protocol": "UDP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowWindowsUpdatesOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to Windows update servers",
- "destinationAddressPrefix": [
- {{#shm.monitoring.updateServers.externalIpAddresses.windows}}
- "{{.}}",
- {{/shm.monitoring.updateServers.externalIpAddresses.windows}}
- ],
- "destinationPortRange": ["80", "443"],
- "direction": "Outbound",
- "priority": 3700,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowAzureAutomationOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to Azure automation servers",
- "destinationAddressPrefix": [
- {{#shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
- "{{.}}",
- {{/shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
- ],
- "destinationPortRange": ["443"],
- "direction": "Outbound",
- "priority": 3800,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowExternalInternetOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to internet",
- "destinationAddressPrefix": "Internet",
- "destinationPortRange": "*",
- "direction": "Outbound",
- "priority": 3900,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "DenyAllOtherOutbound",
- "access": "Deny",
- "description": "Deny all other outbound traffic.",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "*",
- "direction": "Outbound",
- "priority": 4096,
- "protocol": "*",
- "sourceAddressPrefix": "*",
- "sourcePortRange": "*"
- }
-]
diff --git a/deployment/secure_research_environment/network_rules/sre-nsg-rules-session-hosts.json b/deployment/secure_research_environment/network_rules/sre-nsg-rules-session-hosts.json
deleted file mode 100644
index 90b87ac4e6..0000000000
--- a/deployment/secure_research_environment/network_rules/sre-nsg-rules-session-hosts.json
+++ /dev/null
@@ -1,194 +0,0 @@
-[
- {
- "name": "AllowRDSGatewayInbound",
- "access": "Allow",
- "description": "Allow inbound connections from RDS gateway",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "destinationPortRange": ["135", "137-139", "443", "445", "3389", "3391", "5504", "5985", "49152-65535"],
- "direction": "Inbound",
- "priority": 700,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "sourcePortRange": "*"
- },
- {
- "name": "DenyAdminVPNInbound",
- "access": "Deny",
- "description": "Deny connections from admin P2S VPN",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "destinationPortRange": "*",
- "direction": "Inbound",
- "priority": 2000,
- "protocol": "*",
- "sourceAddressPrefix": "{{shm.network.vpn.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "DenyAllOtherInbound",
- "access": "Deny",
- "description": "Deny all other inbound traffic.",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "*",
- "direction": "Inbound",
- "priority": 4096,
- "protocol": "*",
- "sourceAddressPrefix": "*",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowWebappsSubnetOutbound",
- "access": "Allow",
- "description": "Allow outbound http(s) connections to the webapps subnet",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.webapps.cidr}}",
- "destinationPortRange": ["80", "443"],
- "direction": "Outbound",
- "priority": 600,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowRDSGatewayOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to RDS gateway",
- "destinationAddressPrefix": "{{sre.remoteDesktop.gateway.ip}}",
- "destinationPortRange": ["135", "137-139", "443", "445", "3389", "3391", "5504", "5985", "49152-65535"],
- "direction": "Outbound",
- "priority": 700,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowSRDOutbound",
- "access": "Allow",
- "description": "Allow connections to SRDs from session hosts",
- "destinationAddressPrefix": "{{sre.network.vnet.subnets.compute.cidr}}",
- "destinationPortRange": ["22", "3389"],
- "direction": "Outbound",
- "priority": 800,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowDomainJoinedClientsUdpOutbound",
- "access": "Allow",
- "description": "Allow domain-joined client requests over UDP: Kerberos; LDAP.",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.identity.cidr}}",
- "destinationPortRange": ["88", "389"],
- "direction": "Outbound",
- "priority": 1000,
- "protocol": "UDP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowDomainJoinedClientsTcpOutbound",
- "access": "Allow",
- "description": "Allow domain-joined client requests over TCP: (see https://devopstales.github.io/linux/pfsense-ad-join/ for details).",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.identity.cidr}}",
- "destinationPortRange": ["88", "135", "139", "389", "445", "464", "636", "3268", "3269", "49152-65535"],
- "direction": "Outbound",
- "priority": 1100,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowDNSOutbound",
- "access": "Allow",
- "description": "Allow DNS requests to SHM",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.identity.cidr}}",
- "destinationPortRange": "53",
- "direction": "Outbound",
- "priority": 1200,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowMonitoringToolsOutbound",
- "access": "Allow",
- "description": "Allow connections to local monitoring tools",
- "destinationAddressPrefix": "{{shm.network.vnet.subnets.monitoring.cidr}}",
- "destinationPortRange": "443",
- "direction": "Outbound",
- "priority": 1500,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowExternalNTPOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to external NTP servers",
- "destinationAddressPrefix": [
- {{#shm.time.ntp.serverAddresses}}
- "{{.}}",
- {{/shm.time.ntp.serverAddresses}}
- ],
- "destinationPortRange": "123",
- "direction": "Outbound",
- "priority": 3000,
- "protocol": "UDP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.remoteDesktop.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowWindowsUpdatesOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to Windows update servers",
- "destinationAddressPrefix": [
- {{#shm.monitoring.updateServers.externalIpAddresses.windows}}
- "{{.}}",
- {{/shm.monitoring.updateServers.externalIpAddresses.windows}}
- ],
- "destinationPortRange": ["80", "443"],
- "direction": "Outbound",
- "priority": 3700,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.databases.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "AllowAzureAutomationOutbound",
- "access": "Allow",
- "description": "Allow outbound connections to Azure automation servers",
- "destinationAddressPrefix": [
- {{#shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
- "{{.}}",
- {{/shm.monitoring.updateServers.externalIpAddresses.azureAutomation}}
- ],
- "destinationPortRange": ["443"],
- "direction": "Outbound",
- "priority": 3800,
- "protocol": "TCP",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.databases.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "DenyExternalInternetOutbound",
- "access": "Deny",
- "description": "Allow outbound connections to internet",
- "destinationAddressPrefix": "Internet",
- "destinationPortRange": "*",
- "direction": "Outbound",
- "priority": 3900,
- "protocol": "*",
- "sourceAddressPrefix": "{{sre.network.vnet.subnets.databases.cidr}}",
- "sourcePortRange": "*"
- },
- {
- "name": "DenyAllOtherOutbound",
- "access": "Deny",
- "description": "Deny all other outbound traffic.",
- "destinationAddressPrefix": "*",
- "destinationPortRange": "*",
- "direction": "Outbound",
- "priority": 4096,
- "protocol": "*",
- "sourceAddressPrefix": "*",
- "sourcePortRange": "*"
- }
-]
diff --git a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1 b/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1
deleted file mode 100644
index a7f6926353..0000000000
--- a/deployment/secure_research_environment/remote/configure_shm_dc/scripts/Remove_RDS_Gateway_RADIUS_Client_Remote.ps1
+++ /dev/null
@@ -1,23 +0,0 @@
-# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them
-# and remote execution will stall waiting for the non-present user to enter the missing parameter on the
-# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in
-# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled
-# job, but this does not seem to have an immediate effect
-# For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
-param(
- [Parameter(Mandatory = $false, HelpMessage = "FQDN of RDS gateway")]
- [String]$rdsGatewayFqdn
-)
-
-if (Get-NpsRadiusClient | Where-Object { $_.Name -eq "$rdsGatewayFqdn" }) {
- Write-Output " [ ] Removing RADIUS Client '$rdsGatewayFqdn'"
- Remove-NpsRadiusClient -Name "$rdsGatewayFqdn"
- if ($?) {
- Write-Output " [o] Succeeded"
- } else {
- Write-Output " [x] Failed"
- exit 1
- }
-} else {
- Write-Output "No RADIUS Client '$rdsGatewayFqdn' exists"
-}
diff --git a/deployment/secure_research_environment/remote/create_rds/scripts/Add_RDS_Gateway_RADIUS_Client_Remote.ps1 b/deployment/secure_research_environment/remote/create_rds/scripts/Add_RDS_Gateway_RADIUS_Client_Remote.ps1
deleted file mode 100644
index d75e0e5074..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/scripts/Add_RDS_Gateway_RADIUS_Client_Remote.ps1
+++ /dev/null
@@ -1,72 +0,0 @@
-# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them
-# and remote execution will stall waiting for the non-present user to enter the missing parameter on the
-# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in
-# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled
-# job, but this does not seem to have an immediate effect
-# For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
-param(
- [Parameter(HelpMessage = "Base-64 encoded NPS secret")]
- [ValidateNotNullOrEmpty()]
- [string]$npsSecretB64,
- [Parameter(HelpMessage = "IP address of RDS gateway")]
- [ValidateNotNullOrEmpty()]
- [string]$rdsGatewayIp,
- [Parameter(HelpMessage = "FQDN of RDS gateway")]
- [ValidateNotNullOrEmpty()]
- [string]$rdsGatewayFqdn,
- [Parameter(HelpMessage = "SRE ID")]
- [ValidateNotNullOrEmpty()]
- [string]$sreId
-)
-
-
-# Deserialise Base-64 encoded variables
-# -------------------------------------
-$npsSecret = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($npsSecretB64))
-
-
-# Ensure that RADIUS client is registered
-# ---------------------------------------
-Write-Output "Ensuring that RADIUS client '$rdsGatewayFqdn' is registered..."
-if (Get-NpsRadiusClient | Where-Object { $_.Name -eq "$rdsGatewayFqdn" }) {
- Write-Output " [o] RADIUS client '$rdsGatewayFqdn' already exists"
- Write-Output "Updating RADIUS client '$rdsGatewayFqdn' at '$rdsGatewayIp'..."
- $null = Set-NpsRadiusClient -Address $rdsGatewayIp -Name "$rdsGatewayFqdn" -SharedSecret "$npsSecret"
- if ($?) {
- Write-Output " [o] Successfully updated RADIUS client"
- } else {
- Write-Output " [x] Failed to update RADIUS client!"
- }
-} else {
- Write-Output "Creating RADIUS client '$rdsGatewayFqdn' at '$rdsGatewayIp'..."
- $null = New-NpsRadiusClient -Address $rdsGatewayIp -Name "$rdsGatewayFqdn" -SharedSecret "$npsSecret"
- if ($?) {
- Write-Output " [o] Successfully created RADIUS client"
- } else {
- Write-Output " [x] Failed to create RADIUS client!"
- }
-}
-
-
-# Add RDS gateway inbound rule
-# ----------------------------
-Write-Output "Adding RDS gateway inbound rule..."
-$ruleName = "SRE $($sreId.ToUpper()) RDS Gateway RADIUS inbound ($rdsGatewayIp)"
-if (Get-NetFirewallRule | Where-Object { $_.DisplayName -eq "$ruleName" }) {
- Write-Output " [o] Inbound RADIUS firewall rule '$ruleName' already exists"
- Write-Output "Updating '$ruleName' inbound RADIUS firewall rule for $rdsGatewayFqdn ($rdsGatewayIp)..."
- $null = Set-NetFirewallRule -DisplayName $ruleName -Direction Inbound -RemoteAddress $rdsGatewayIp -Action Allow -Protocol UDP -LocalPort "1645", "1646", "1812", "1813" -Profile Domain -Enabled True
- if ($?) {
- Write-Output " [o] Successfully updated RDS gateway inbound rule"
- } else {
- Write-Output " [x] Failed to update RDS gateway inbound rule!"
- }
-} else {
- Write-Output "Adding '$ruleName' inbound RADIUS firewall rule for $rdsGatewayFqdn ($rdsGatewayIp)..."
- $null = New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -RemoteAddress $rdsGatewayIp -Action Allow -Protocol UDP -LocalPort "1645", "1646", "1812", "1813" -Profile Domain -Enabled True
- if ($?) {
- Write-Output " [o] Successfully added RDS gateway inbound rule"
- } else {
- Write-Output " [x] Failed to add RDS gateway inbound rule!"
- }
-}
diff --git a/deployment/secure_research_environment/remote/create_rds/scripts/Configure_CAP_And_RAP_Remote.ps1 b/deployment/secure_research_environment/remote/create_rds/scripts/Configure_CAP_And_RAP_Remote.ps1
deleted file mode 100644
index 87ccd00830..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/scripts/Configure_CAP_And_RAP_Remote.ps1
+++ /dev/null
@@ -1,119 +0,0 @@
-# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them
-# and remote execution will stall waiting for the non-present user to enter the missing parameter on the
-# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in
-# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled
-# job, but this does not seem to have an immediate effect
-# For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
-param(
- [Parameter(HelpMessage = "Base-64 encoded secret that is shared with the NPS server")]
- [ValidateNotNullOrEmpty()]
- [string]$npsSecretB64,
- [Parameter(HelpMessage = "Blackout for NPS server")]
- [ValidateNotNullOrEmpty()]
- [string]$remoteNpsBlackout,
- [Parameter(HelpMessage = "Priority for NPS server")]
- [ValidateNotNullOrEmpty()]
- [string]$remoteNpsPriority,
- [Parameter(HelpMessage = "Whether NPS server requires authentication")]
- [ValidateNotNullOrEmpty()]
- [string]$remoteNpsRequireAuthAttrib,
- [Parameter(HelpMessage = "Server group to check for NPS servers")]
- [ValidateNotNullOrEmpty()]
- [string]$remoteNpsServerGroup,
- [Parameter(HelpMessage = "Timeout for NPS server")]
- [ValidateNotNullOrEmpty()]
- [string]$remoteNpsTimeout,
- [Parameter(HelpMessage = "NetBios name for the SHM domain")]
- [ValidateNotNullOrEmpty()]
- [string]$shmNetbiosName,
- [Parameter(HelpMessage = "IP address for the NPS server")]
- [ValidateNotNullOrEmpty()]
- [string]$shmNpsIp,
- [Parameter(HelpMessage = "Security group that research users belong to")]
- [ValidateNotNullOrEmpty()]
- [string]$sreResearchUserSecurityGroup
-)
-
-Import-Module NPS -ErrorAction Stop
-Import-Module RemoteDesktopServices -ErrorAction Stop
-
-function Get-NpsServerAddresses {
- param(
- [Parameter(Mandatory = $true, HelpMessage = "Server group to check for NPS servers")]
- [string]$remoteServerGroup
- )
- $npserverAddresses = netsh nps show remoteserver "$remoteServerGroup" | Select-String "Address + =" | ForEach-Object { ($_.ToString() -replace '(Address + = )(.*)', '$2').Trim() }
- return $npserverAddresses
-}
-
-
-# Deserialise Base-64 encoded variables
-# -------------------------------------
-$npsSecret = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($npsSecretB64))
-
-
-# Set RAP user groups
-# -------------------
-# Format user group as @
-$sreResearchUserSecurityGroupWithDomain = "${sreResearchUserSecurityGroup}@${shmNetbiosName}"
-foreach ($rapName in ("RDG_AllDomainComputers", "RDG_RDConnectionBrokers")) {
- $success = $true
-
- # NOTE: Need to add SRE Researcher user group / ensure it exists prior to removing existing
- # user groups as there must always be at least one user group assigned for each RAP
- # Ensure SRE Researcher user group is assigned to RAP
- if (-not (Get-Item "RDS:\GatewayServer\RAP\${rapName}\UserGroups\" | Get-ChildItem | Where-Object { $_.Name -eq $sreResearchUserSecurityGroupWithDomain })) {
- $null = New-Item "RDS:\GatewayServer\RAP\${rapName}\UserGroups\" -Name "$sreResearchUserSecurityGroupWithDomain" -ErrorAction SilentlyContinue
- $success = $success -and $?
- }
-
- # Remove all other user groups from RAP
- # If the SRE Researcher group is not in the RAP User Group list (e.g. if the `New-Item` command above failed)
- # this command to remove all other groups will fail, as there must always be at least one User Group.
- $null = Get-Item "RDS:\GatewayServer\RAP\${rapName}\UserGroups\" | Get-ChildItem | Where-Object { $_.Name -ne "$sreResearchUserSecurityGroupWithDomain" } | Remove-Item -ErrorAction SilentlyContinue
- $success = $success -and $?
- # Report success / failure
- if ($success) {
- Write-Output " [o] Successfully restricted '$rapName' user groups to '$sreResearchUserSecurityGroupWithDomain'."
- } else {
- Write-Output " [x] Failed to restrict '$rapName' user groups to '$sreResearchUserSecurityGroupWithDomain'!"
- }
-}
-
-# Configure remote NPS server
-# ---------------------------
-# Remove all existing remote NPS servers
-foreach ($npsServerAddress in (Get-NpsServerAddresses -remoteServerGroup $remoteNpsServerGroup)) {
- $null = netsh nps delete remoteserver remoteservergroup = "$remoteNpsServerGroup" address = "$npsServerAddress"
-}
-# Add SHM NPS server
-$null = netsh nps add remoteserver `
- remoteServerGroup = "$remoteNpsServerGroup" `
- address = "$shmNpsIp" `
- authsharedsecret = "$npsSecret" `
- requireauthattrib = "$remoteNpsRequireAuthAttrib" `
- acctsharedsecret = "$npsSecret" `
- priority = "$remoteNpsPriority" `
- timeout = "$remoteNpsTimeout" `
- blackout = "$remoteNpsBlackout"
-# Check that the change has actually been made (the netsh nps command always returns "ok")
-[array]$npsServerAddresses = (Get-NpsServerAddresses -remoteServerGroup $remoteNpsServerGroup)
-$success = ($npsServerAddresses.Length -eq 1)
-if ($success) {
- $firstNpsServerAddress = $npsServerAddresses[0]
- $success = $success -and ($firstNpsServerAddress -eq $shmNpsIp)
-}
-if ($success) {
- Write-Output " [o] Successfully configured '$firstNpsServerAddress' as the only remote NPS server."
-} else {
- Write-Output " [x] Failed to configure remote NPS server. Found $($npsServerAddresses.Length) candidates!"
-}
-
-# Set RDS Gateway to use remote NPS server
-# ----------------------------------------
-$null = Set-Item RDS:\GatewayServer\CentralCAPEnabled\ -Value 1 -ErrorAction SilentlyContinue
-if ($?) {
- Write-Output " [o] Successfully set remote NPS server as RD CAP store."
-} else {
- Write-Output " [x] Failed to set remote NPS server as RD CAP store!"
-}
diff --git a/deployment/secure_research_environment/remote/create_rds/scripts/Disable_Legacy_TLS_Remote.ps1 b/deployment/secure_research_environment/remote/create_rds/scripts/Disable_Legacy_TLS_Remote.ps1
deleted file mode 100644
index 6dd4af91f4..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/scripts/Disable_Legacy_TLS_Remote.ps1
+++ /dev/null
@@ -1,121 +0,0 @@
-# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them
-# and remote execution will stall waiting for the non-present user to enter the missing parameter on the
-# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in
-# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled
-# job, but this does not seem to have an immediate effect
-# For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
-param(
- [Parameter(Mandatory = $false, HelpMessage = "Base64-encoded list of TLS ciphers")]
- [string]$allowedCiphersB64
-)
-
-
-# Throwing an exception in a remote script means we have to wait 90 minutes for the remote call to time out
-# Accordingly we don't validate any parameters or make them mandatory
-# In reality, all three parameters are required and both 'Role' and 'Action' will only accept certain values
-function Set-ProtocolForRole {
- param(
- [Parameter(HelpMessage = "Name of protocol")]
- $Protocol,
- [Parameter(HelpMessage = "Name of protocol [must be 'Server' or 'Client']")]
- $Role,
- [Parameter(HelpMessage = "Set whether we are enabling or disabling [must be 'Enable' or 'Disable']")]
- $Action
- )
- if ($Action -eq "Enable") {
- $EnabledValue = 1
- $DisabledByDefaultValue = 0
- } elseif ($Action -eq "Disable") {
- $EnabledValue = 0
- $DisabledByDefaultValue = 1
- } else {
- Write-Output " [x] Could not interpret '$Action'. Please use either 'Enable' or 'Disable'."
- return
- }
-
- # Disable protocol for role
- New-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Role" -Force | Out-Null
- New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Role" -Name 'Enabled' -Value $EnabledValue -PropertyType 'DWord' -Force | Out-Null
- New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Role" -Name 'DisabledByDefault' -Value $DisabledByDefaultValue -PropertyType 'DWord' -Force | Out-Null
- # Check status
- $status = Get-Item "HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\$Protocol\$Role"
- if (($status.GetValue("Enabled") -eq $EnabledValue) -and ($status.GetValue("DisabledByDefault") -eq $DisabledByDefaultValue)) {
- Write-Output " [o] '$Protocol' protocol is '${Action}d' for '$Role' role."
- } else {
- Write-Output " [x] Failed to ensure '$Protocol' protocol is '${Action}d' for '$Role' role."
- Write-Output $status
- }
-}
-
-function Set-Protocol {
- param(
- [Parameter(HelpMessage = "Name of protocol")]
- $Protocol,
- [Parameter(HelpMessage = "Set whether we are enabling or disabling [must be 'Enable' or 'Disable']")]
- $Action
- )
- Write-Output "Ensuring '$Protocol' is ${Action}d..."
- Set-ProtocolForRole -Protocol $Protocol -Role "Client" -Action $Action
- Set-ProtocolForRole -Protocol $Protocol -Role "Server" -Action $Action
-}
-
-
-# Disable all legacy protocols
-# ----------------------------
-Set-Protocol -Protocol "SSL 2.0" -Action Disable
-Set-Protocol -Protocol "SSL 3.0" -Action Disable
-Set-Protocol -Protocol "TLS 1.0" -Action Disable
-Set-Protocol -Protocol "TLS 1.1" -Action Disable
-
-
-# Construct allowed/disallowed cipher lists
-# - unserialise JSON and read into PSCustomObject
-# -----------------------------------------------
-$allowedCiphers = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($allowedCiphersB64)) | ConvertFrom-Json
-$disallowedCiphers = Get-TlsCipherSuite | ForEach-Object { $_.Name } | Where-Object { -not $allowedCiphers.Contains($_) }
-
-
-# Disable all ciphers that are not in the allowed list
-# ----------------------------------------------------
-# By disabling before enabling, we ensure that this will not remove any ciphers that we want to keep.
-Write-Output "Disabling any disallowed ciphersuites..."
-foreach ($disallowedCipher in $disallowedCiphers) {
- # Note that running Disable-TlsCipherSuite on eg. TLS_DHE_RSA_WITH_AES_128_CCM will also disable TLS_DHE_RSA_WITH_AES_128_CCM_8
- # Disable-TlsCipherSuite raises an error if the suite is already disabled. Therefore suites are enabled before being disabled.
- if (Get-TlsCipherSuite -Name $disallowedCipher) {
- Enable-TlsCipherSuite -Name $disallowedCipher
- Disable-TlsCipherSuite -Name $disallowedCipher
- if ($?) {
- Write-Output " [o] Disabled '$disallowedCipher' suite."
- } else {
- Write-Output " [x] Failed to ensure '$disallowedCipher' suite is disabled."
- }
- }
-}
-
-
-# Enable all ciphers that are in the allowed list
-# -----------------------------------------------
-Write-Output "Enabling all allowed ciphersuites..."
-foreach ($allowedCipher in $allowedCiphers) {
- if (-not $(Get-TlsCipherSuite | ForEach-Object { $_.Name }).Contains($allowedCipher)) {
- Enable-TlsCipherSuite -Name $allowedCipher
- if ($?) {
- # Check whether this cipher is supported by Windows.
- # If it is not [ie. it has no CipherSuite entry] then immediately disable it.
- if ($((Get-TlsCipherSuite -Name $allowedCipher).CipherSuite) -eq 0) {
- Disable-TlsCipherSuite -Name $allowedCipher
- } else {
- Write-Output " [o] Enabled '$allowedCipher' suite."
- }
- } else {
- Write-Output " [x] Failed to ensure '$allowedCipher' suite is enabled."
- }
- }
-}
-
-
-# List all cipher suites that are still allowed
-# ---------------------------------------------
-Write-Output "There are $(((Get-TlsCipherSuite) | Measure-Object).Count) allowed cipher suites:"
-(Get-TlsCipherSuite) | ForEach-Object { Write-Output "... $($_.Name)" }
diff --git a/deployment/secure_research_environment/remote/create_rds/scripts/Import_And_Install_Blobs.ps1 b/deployment/secure_research_environment/remote/create_rds/scripts/Import_And_Install_Blobs.ps1
deleted file mode 100644
index 7789bf07fe..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/scripts/Import_And_Install_Blobs.ps1
+++ /dev/null
@@ -1,75 +0,0 @@
-# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them
-# and remote execution will stall waiting for the non-present user to enter the missing parameter on the
-# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in
-# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled
-# job, but this does not seem to have an immediate effect
-# For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
-param(
- [Parameter(HelpMessage = "Base-64 encoded array of blob names to download from storage blob container")]
- [string]$blobNameArrayB64,
- [Parameter(HelpMessage = "Absolute path to directory which blobs should be downloaded to")]
- [string]$downloadDir,
- [Parameter(HelpMessage = "Base-64 encoded SAS token with read/list rights to the storage blob container")]
- [string]$sasTokenB64,
- [Parameter(HelpMessage = "File share or blob container name")]
- [string]$shareOrContainerName,
- [Parameter(HelpMessage = "Storage account name")]
- [string]$storageAccountName,
- [Parameter(HelpMessage = "Storage service")]
- [string]$storageService
-)
-
-# Deserialise Base-64 encoded variables
-# -------------------------------------
-$blobNames = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($blobNameArrayB64)) | ConvertFrom-Json
-$sasToken = [System.Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String($sasTokenB64))
-
-
-# Clear any previously downloaded artifacts
-# -----------------------------------------
-Write-Output "Clearing all pre-existing files and folders from '$downloadDir'"
-if (Test-Path -Path $downloadDir) {
- Get-ChildItem $downloadDir -Recurse | Remove-Item -Recurse -Force
-} else {
- $null = New-Item -ItemType directory -Path $downloadDir
-}
-
-# Download artifacts
-Write-Output "Downloading $($blobNames.Count) files to '$downloadDir'"
-foreach ($blobName in $blobNames) {
- # Ensure that local directory exists
- $localDir = Join-Path $downloadDir $(Split-Path -Parent $blobName)
- if (-Not (Test-Path -Path $localDir)) {
- $null = New-Item -ItemType directory -Path $localDir
- }
- $fileName = Split-Path -Leaf $blobName
- $localFilePath = Join-Path $localDir $fileName
-
- # Download file from blob storage
- $blobUrl = "https://${storageAccountName}.${storageService}.core.windows.net/${shareOrContainerName}/${blobName}"
- Write-Output " [ ] Fetching $blobUrl..."
- $null = Invoke-WebRequest -Uri "${blobUrl}${sasToken}" -OutFile $localFilePath
- if ($?) {
- Write-Output " [o] Succeeded"
- } else {
- Write-Output " [x] Failed!"
- }
-
- # If this file is an msi/exe then install it
- if ((Test-Path -Path $localFilePath) -And ($fileName -Match ".*\.(msi|exe)\b")) {
- if ($fileName -like "*.msi") {
- Write-Output " [ ] Installing $fileName..."
- Start-Process $localFilePath -ArgumentList '/quiet' -Verbose -Wait
- } elseif ($fileName -like "*WinSCP*exe") {
- Write-Output " [ ] Installing $fileName..."
- Start-Process $localFilePath -ArgumentList '/SILENT', '/ALLUSERS' -Verbose -Wait
- } else {
- continue
- }
- if ($?) {
- Write-Output " [o] Succeeded"
- } else {
- Write-Output " [x] Failed!"
- }
- }
-}
diff --git a/deployment/secure_research_environment/remote/create_rds/scripts/Install_Signed_Ssl_Cert.ps1 b/deployment/secure_research_environment/remote/create_rds/scripts/Install_Signed_Ssl_Cert.ps1
deleted file mode 100644
index 6a2e9c5e7c..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/scripts/Install_Signed_Ssl_Cert.ps1
+++ /dev/null
@@ -1,96 +0,0 @@
-# Don't make parameters mandatory as if there is any issue binding them, the script will prompt for them
-# and remote execution will stall waiting for the non-present user to enter the missing parameter on the
-# command line. This take up to 90 minutes to timeout, though you can try running resetState.cmd in
-# C:\Packages\Plugins\Microsoft.CPlat.Core.RunCommandWindows\1.1.0 on the remote VM to cancel a stalled
-# job, but this does not seem to have an immediate effect
-# For details, see https://docs.microsoft.com/en-gb/azure/virtual-machines/windows/run-command
-param(
- [Parameter(HelpMessage = "Fully qualified domain name for RDS broker")]
- [string]$rdsFqdn,
- [Parameter(HelpMessage = "Thumbprint for the relevant certificate")]
- [string]$certThumbPrint,
- [Parameter(HelpMessage = "Remote folder to write SSL certificate to")]
- [string]$remoteDirectory
-)
-
-# Set common variables
-# --------------------
-# NB. Cert:\LocalMachine\My is the default Machine Certificate store and is used by IIS
-$certDirLocal = New-Item -ItemType Directory -Path $remoteDirectory -Force
-$certStore = "Cert:\LocalMachine\My"
-
-Write-Output "Looking for certificate with thumbprint: $certThumbPrint"
-$certificate = Get-ChildItem $certStore | Where-Object { $_.Thumbprint -eq $certThumbPrint }
-if ($null -ne $certificate) {
- Write-Output " [o] Found certificate with correct thumbprint"
-} else {
- Write-Output " [x] Failed to find any certificate with the correct thumbprint!"
- throw "Could not load certificate"
-}
-
-
-# Update RDS roles to use new certificate by thumbprint
-# -----------------------------------------------------
-Write-Output "Updating RDS roles to use new certificate..."
-try {
- Set-RDCertificate -Role RDPublishing -Thumbprint $certificate.Thumbprint -ConnectionBroker $rdsFqdn -ErrorAction Stop -Force
- Set-RDCertificate -Role RDRedirector -Thumbprint $certificate.Thumbprint -ConnectionBroker $rdsFqdn -ErrorAction Stop -Force
- Set-RDCertificate -Role RDWebAccess -Thumbprint $certificate.Thumbprint -ConnectionBroker $rdsFqdn -ErrorAction Stop -Force
- Set-RDCertificate -Role RDGateway -Thumbprint $certificate.Thumbprint -ConnectionBroker $rdsFqdn -ErrorAction Stop -Force
- Write-Output " [o] Successfully updated RDS roles"
-} catch {
- Write-Output " [x] Failed to update RDS roles!"
- throw
-}
-Write-Output "Currently installed certificates:"
-Get-RDCertificate -ConnectionBroker $rdsFqdn
-
-
-# Extract a base64-encoded certificate
-# ------------------------------------
-Write-Output "Extracting a base64-encoded certificate..."
-$derCert = (Join-Path $certDirLocal "letsencrypt_der.cer")
-$b64Cert = (Join-Path $certDirLocal "letsencrypt_b64.cer")
-$null = Export-Certificate -filepath $derCert -cert $certificate -type CERT -Force
-$success = $?
-$null = CertUtil -f -encode $derCert $b64Cert
-$success = $success -and $?
-if ($success) {
- Write-Output " [o] Base64-encoded certificate extracted to $b64Cert"
-} else {
- Write-Output " [x] Failed to extract base64-encoded certificate"
- throw "Could not extract base64-encoded certificate"
-}
-
-
-# Import certificate to RDS Web Client
-# ------------------------------------
-Write-Output "Importing certificate to RDS Web Client..."
-Import-RDWebClientBrokerCert $b64Cert
-Publish-RDWebClientPackage -Type Production -Latest
-if ($?) {
- Write-Output " [o] Certificate installed on RDS Web Client"
-} else {
- Write-Output " [x] Failed to install certificate on RDS Web Client"
- throw "Failed to install certificate on RDS Web Client"
-}
-
-
-# Check certificates
-# ------------------
-Write-Output "Checking webclient broker certificate..."
-$webclientThumbprint = (Get-RDWebClientBrokerCert).Thumbprint
-if ($webclientThumbprint -eq $certThumbPrint) {
- Write-Output " [o] Webclient broker certificate has the correct thumbprint: '$webclientThumbprint'"
-} else {
- Write-Output " [x] Webclient broker certificate has incorrect thumbprint: '$webclientThumbprint'"
- throw "Webclient broker certificate has incorrect thumbprint"
-}
-Write-Output "Checking RDGateway certificate..."
-$gatewayThumbprint = (Get-RDCertificate -Role RDGateway -ConnectionBroker $rdsFqdn).Thumbprint
-if ($gatewayThumbprint -eq $certThumbPrint) {
- Write-Output " [o] RDGateway certificate has the correct thumbprint: '$gatewayThumbprint'"
-} else {
- Write-Output " [x] RDGateway certificate has incorrect thumbprint: '$gatewayThumbprint'"
- throw "RDGateway certificate has incorrect thumbprint"
-}
diff --git a/deployment/secure_research_environment/remote/create_rds/scripts/install_ssl_certificate_tier1.sh b/deployment/secure_research_environment/remote/create_rds/scripts/install_ssl_certificate_tier1.sh
deleted file mode 100644
index b3b7811dae..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/scripts/install_ssl_certificate_tier1.sh
+++ /dev/null
@@ -1,15 +0,0 @@
-#! /bin/bash
-# This script is designed to be deployed to an Azure Linux VM via
-# the Powershell Invoke-AzVMRunCommand, which sets all variables
-# passed in its -Parameter argument as environment variables
-# It expects the following parameters:
-# CERT_THUMBPRINT
-
-sudo mkdir -p /opt/ssl
-sudo chmod 0700 /opt/ssl
-sudo rm -rf /opt/ssl/letsencrypt*
-sudo cp /var/lib/waagent/${CERT_THUMBPRINT}.crt /opt/ssl/letsencrypt.cert
-sudo cp /var/lib/waagent/${CERT_THUMBPRINT}.prv /opt/ssl/letsencrypt.key
-sudo chown -R root:root /opt/ssl/
-sudo chmod 0600 /opt/ssl/*.*
-ls -alh /opt/ssl/
\ No newline at end of file
diff --git a/deployment/secure_research_environment/remote/create_rds/templates/Deploy_RDS_Environment.mustache.ps1 b/deployment/secure_research_environment/remote/create_rds/templates/Deploy_RDS_Environment.mustache.ps1
deleted file mode 100644
index 031d61cbb1..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/templates/Deploy_RDS_Environment.mustache.ps1
+++ /dev/null
@@ -1,181 +0,0 @@
-# Enable the RDS-Gateway feature
-$null = Add-WindowsFeature -Name RDS-Gateway -IncludeAllSubFeature -ErrorAction Stop
-
-# Note that RemoteDesktopServices is installed by `Add-WindowsFeature -Name RDS-Gateway`
-Import-Module RemoteDesktop -ErrorAction Stop
-Import-Module RemoteDesktopServices -ErrorAction Stop
-
-# Configure attached disk drives
-# ------------------------------
-Stop-Service ShellHWDetection
-# Initialise disks
-Write-Output "Initialising data drives..."
-$null = Get-Disk | Where-Object { $_.PartitionStyle -eq "raw" } | ForEach-Object { Initialize-Disk -PartitionStyle GPT -Number $_.Number }
-# Check that all disks are correctly partitioned
-Write-Output "Checking drive partitioning..."
-$DataDisks = Get-Disk | Where-Object { $_.Model -ne "Virtual HD" } | Sort -Property Number # This excludes the OS and temp disks
-foreach ($DataDisk in $DataDisks) {
- $existingPartitions = @(Get-Partition -DiskNumber $DataDisk.Number | Where-Object { $_.Type -eq "Basic" }) # This selects normal partitions that are not system-reserved
- # Remove all basic partitions if there is not exactly one
- if ($existingPartitions.Count -gt 1) {
- Write-Output " [ ] Found $($existingPartitions.Count) partitions on disk $($DataDisk.DiskNumber) but expected 1! Removing all of them."
- $existingPartitions | ForEach-Object { Remove-Partition -DiskNumber $DataDisk.DiskNumber -PartitionNumber $_.PartitionNumber -Confirm:$false }
- }
- # Remove any non-lettered partitions
- $existingPartition = @(Get-Partition -DiskNumber $DataDisk.Number | Where-Object { $_.Type -eq "Basic" })[0]
- if ($existingPartition -and (-not $existingPartition.DriveLetter)) {
- Write-Output "Removing non-lettered partition $($existingPartition.PartitionNumber) from disk $($DataDisk.DiskNumber)!"
- Remove-Partition -DiskNumber $DataDisk.DiskNumber -PartitionNumber $existingPartition.PartitionNumber -Confirm:$false
- }
- # Create a new partition if one does not exist
- $existingPartition = @(Get-Partition -DiskNumber $DataDisk.Number | Where-Object { $_.Type -eq "Basic" })[0]
- if ($existingPartition) {
- Write-Output " [o] Partition $($existingPartition.PartitionNumber) of disk $($DataDisk.DiskNumber) is mounted at drive letter '$($existingPartition.DriveLetter)'"
- } else {
- $LUN = $(Get-WmiObject Win32_DiskDrive | Where-Object { $_.Index -eq $DataDisk.Number }).SCSILogicalUnit
- $Label = "DATA-$LUN"
- $Partition = New-Partition -DiskNumber $DataDisk.Number -UseMaximumSize -AssignDriveLetter
- Write-Output " [o] Formatting partition $($Partition.PartitionNumber) of disk $($DataDisk.Number) with label '$Label' at drive letter '$($Partition.DriveLetter)'"
- $null = Format-Volume -Partition $Partition -FileSystem NTFS -NewFileSystemLabel $Label -Confirm:$false
- }
-}
-Start-Service ShellHWDetection
-# Construct map of folders to disk labels
-$DiskLabelMap = @{
- "AppFileShares" = "DATA-0"
-}
-
-
-# Remove any old RDS settings
-# ---------------------------
-Write-Output "Removing any old RDS settings..."
-foreach ($collection in $(Get-RDSessionCollection -ErrorAction SilentlyContinue)) {
- Write-Output "... removing existing RDSessionCollection: '$($collection.CollectionName)'"
- Remove-RDSessionCollection -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName $collection.CollectionName -Force -ErrorAction SilentlyContinue
-}
-foreach ($server in $(Get-RDServer -ErrorAction SilentlyContinue)) {
- Write-Output "... removing existing RDServer: '$($server.Server)'"
- foreach ($role in $server.Roles) {
- Remove-RDServer -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -Server $server.Server -Role $role -Force -ErrorAction SilentlyContinue
- }
-}
-foreach ($policyName in $(Get-Item "RDS:\GatewayServer\RAP" -ErrorAction SilentlyContinue | Get-ChildItem | ForEach-Object { $_.Name })) {
- Write-Output "... removing existing RAP policy '$policyName'"
- Remove-Item "RDS:\GatewayServer\RAP\${policyName}" -Recurse -ErrorAction SilentlyContinue
-}
-$null = Set-Item "RDS:\GatewayServer\CentralCAPEnabled" -Value 0 -ErrorAction SilentlyContinue
-foreach ($policyName in $(Get-Item "RDS:\GatewayServer\CAP" -ErrorAction SilentlyContinue | Get-ChildItem | ForEach-Object { $_.Name })) {
- Write-Output "... removing existing CAP policy '$policyName'"
- Remove-Item "RDS:\GatewayServer\CAP\${policyName}" -Recurse -ErrorAction SilentlyContinue
-}
-
-
-# Create RDS Environment
-# ----------------------
-Write-Output "Creating RDS Environment..."
-try {
- New-RDSessionDeployment -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -WebAccessServer "{{sre.remoteDesktop.gateway.fqdn}}" -SessionHost @("{{sre.remoteDesktop.appSessionHost.fqdn}}") -ErrorAction Stop
- # Setup licensing server
- Add-RDServer -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -Server "{{sre.remoteDesktop.gateway.fqdn}}" -Role RDS-LICENSING -ErrorAction Stop
- Set-RDLicenseConfiguration -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -LicenseServer "{{sre.remoteDesktop.gateway.fqdn}}" -Mode PerUser -Force -ErrorAction Stop
- # Setup gateway server
- Add-RDServer -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -Server "{{sre.remoteDesktop.gateway.fqdn}}" -Role RDS-GATEWAY -GatewayExternalFqdn "{{sre.domain.fqdn}}" -ErrorAction Stop
- Set-RDWorkspace -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -Name "Safe Haven Applications"
- Write-Output " [o] RDS environment configuration update succeeded"
-} catch {
- Write-Output " [x] RDS environment configuration update failed!"
- throw
-}
-
-
-# Create collections
-# ------------------
-foreach ($rdsConfiguration in @(, @("Applications", "{{sre.remoteDesktop.appSessionHost.fqdn}}", "{{sre.domain.securityGroups.researchUsers.name}}", "AppFileShares"))) {
- $collectionName, $sessionHost, $userGroup, $shareName = $rdsConfiguration
- $sharePath = Join-Path "$((Get-Volume | Where-Object { $_.FileSystemLabel -eq $DiskLabelMap[$shareName] }).DriveLetter):" $shareName
-
- # Setup user profile disk shares
- Write-Output "Creating user profile disk shares..."
- $null = New-Item -ItemType Directory -Force -Path $sharePath
- $sessionHostComputerName = $sessionHost.Split(".")[0]
- if ($null -eq $(Get-SmbShare | Where-Object -Property Path -EQ $sharePath)) {
- $null = New-SmbShare -Path $sharePath -Name $shareName -FullAccess "{{shm.domain.netbiosName}}\{{sre.remoteDesktop.gateway.vmName}}$", "{{shm.domain.netbiosName}}\${sessionHostComputerName}$", "{{shm.domain.netbiosName}}\Domain Admins"
- }
-
- # Create collections
- Write-Output "Creating '$collectionName' collection..."
- try {
- $null = New-RDSessionCollection -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "$collectionName" -SessionHost "$sessionHost" -ErrorAction Stop
- $null = Set-RDSessionCollectionConfiguration -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "$collectionName" -UserGroup "{{shm.domain.netbiosName}}\$userGroup" -ClientPrinterRedirected $false -ClientDeviceRedirectionOptions None -DisconnectedSessionLimitMin 5 -IdleSessionLimitMin 720 -ErrorAction Stop
- $null = Set-RDSessionCollectionConfiguration -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "$collectionName" -EnableUserProfileDisk -MaxUserProfileDiskSizeGB "20" -DiskPath "\\{{sre.remoteDesktop.gateway.vmName}}\$shareName" -ErrorAction Stop
- Write-Output " [o] Creating '$collectionName' collection succeeded"
- } catch {
- Write-Output " [x] Creating '$collectionName' collection failed!"
- throw
- }
-}
-
-
-# Create applications
-# -------------------
-Write-Output "Registering applications..."
-Get-RDRemoteApp | Remove-RDRemoteApp -Force -ErrorAction SilentlyContinue
-try {
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "SRD Main (Desktop)" -FilePath "C:\Windows\system32\mstsc.exe" -ShowInWebAccess 1 -CommandLineSetting Require -RequiredCommandLine "-v {{rdsTemplates.ipAddressFirstSRD}}" -ErrorAction Stop
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "SRD Other (Desktop)" -FilePath "C:\Windows\system32\mstsc.exe" -ShowInWebAccess 1 -ErrorAction Stop
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "CoCalc" -FilePath "C:\Program Files\Google\Chrome\Application\chrome.exe" -ShowInWebAccess 1 -CommandLineSetting Require -RequiredCommandLine "http://{{sre.webapps.cocalc.ip}}" -ErrorAction Stop
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "CodiMD" -FilePath "C:\Program Files\Google\Chrome\Application\chrome.exe" -ShowInWebAccess 1 -CommandLineSetting Require -RequiredCommandLine "http://{{sre.webapps.codimd.ip}}" -ErrorAction Stop
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "GitLab" -FilePath "C:\Program Files\Google\Chrome\Application\chrome.exe" -ShowInWebAccess 1 -CommandLineSetting Require -RequiredCommandLine "http://{{sre.webapps.gitlab.ip}}" -ErrorAction Stop
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "SRD Main (SSH)" -FilePath "C:\Program Files\PuTTY\putty.exe" -ShowInWebAccess 1 -CommandLineSetting Require -RequiredCommandLine "-ssh {{rdsTemplates.ipAddressFirstSRD}}" -ErrorAction Stop
- $null = New-RDRemoteApp -ConnectionBroker "{{sre.remoteDesktop.gateway.fqdn}}" -CollectionName "Applications" -DisplayName "SRD Other (SSH)" -FilePath "C:\Program Files\PuTTY\putty.exe" -ShowInWebAccess 1 -ErrorAction Stop
- Write-Output " [o] Registering applications succeeded"
-} catch {
- Write-Output " [x] Registering applications failed!"
- throw
-}
-
-
-# Update server configuration
-# ---------------------------
-Write-Output "Updating server configuration..."
-try {
- Get-Process ServerManager -ErrorAction SilentlyContinue | Stop-Process -Force
- foreach ($targetDirectory in @("C:\Users\{{rdsTemplates.domainAdminUsername}}\AppData\Roaming\Microsoft\Windows\ServerManager",
- "C:\Users\{{rdsTemplates.domainAdminUsername}}.{{shm.domain.netbiosName}}\AppData\Roaming\Microsoft\Windows\ServerManager")) {
- $null = New-Item -ItemType Directory -Path $targetDirectory -Force -ErrorAction Stop
- Copy-Item -Path "{{sre.remoteDesktop.gateway.installationDirectory}}\ServerList.xml" -Destination "$targetDirectory\ServerList.xml" -Force -ErrorAction Stop
- }
- Start-Process -FilePath $env:SystemRoot\System32\ServerManager.exe -WindowStyle Maximized -ErrorAction Stop
- Write-Output " [o] Server configuration update succeeded"
-} catch {
- Write-Output " [x] Server configuration update failed!"
- throw
-}
-
-
-# Install RDS webclient
-# ---------------------
-Write-Output "Installing RDS webclient..."
-try {
- Install-RDWebClientPackage -ErrorAction Stop
- # We cannot publish the WebClient here as we have not yet setup a broker certificate.
- # We do not configure the broker cert here as our RDS SSL certificates are set up in a
- # separate script to support easy renewal. This means that, until the SSL certificate
- # installation script is run for the first time, the RDS WebClient URL will return a 404 page.
- Write-Output " [o] RDS webclient installation succeeded"
-} catch {
- Write-Output " [x] RDS webclient installation failed!"
- throw
-}
-
-
-# Remove the requirement for the /RDWeb/webclient/ suffix by setting up a redirect in IIS
-# ---------------------------------------------------------------------------------------
-Write-Output "Setting up IIS redirect..."
-try {
- Set-WebConfiguration system.webServer/httpRedirect "IIS:\sites\Default Web Site" -Value @{enabled = "true"; destination = "/RDWeb/webclient/"; httpResponseStatus = "Permanent" } -ErrorAction Stop
- Write-Output " [o] IIS redirection succeeded"
-} catch {
- Write-Output " [x] IIS redirection failed!"
- throw
-}
diff --git a/deployment/secure_research_environment/remote/create_rds/templates/ServerList.mustache.xml b/deployment/secure_research_environment/remote/create_rds/templates/ServerList.mustache.xml
deleted file mode 100644
index 0aa539434e..0000000000
--- a/deployment/secure_research_environment/remote/create_rds/templates/ServerList.mustache.xml
+++ /dev/null
@@ -1,5 +0,0 @@
-
-
-
-
-
\ No newline at end of file
diff --git a/deployment/secure_research_environment/setup/Apply_SRE_Network_Configuration.ps1 b/deployment/secure_research_environment/setup/Apply_SRE_Network_Configuration.ps1
index 6a83dbc637..401f21f0f0 100644
--- a/deployment/secure_research_environment/setup/Apply_SRE_Network_Configuration.ps1
+++ b/deployment/secure_research_environment/setup/Apply_SRE_Network_Configuration.ps1
@@ -34,8 +34,8 @@ $nsgs = @{}
Add-LogMessage -Level Info "Applying network configuration for SRE '$($config.sre.id)' (Tier $($config.sre.tier)), hosted on subscription '$($config.sre.subscriptionName)'"
-# ApacheGuacamole and MicrosoftRDS have several NSGs
-# --------------------------------------------------
+# ApacheGuacamole has several NSGs
+# --------------------------------
# Remote desktop
if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
# RDS gateway
@@ -47,15 +47,6 @@ if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
} else {
Add-LogMessage -Level Fatal "Guacamole server is not bound to NSG '$($nsgs["remoteDesktop"].Name)'!"
}
-} elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- # RDS gateway
- Add-LogMessage -Level Info "Ensure RDS gateway is bound to correct NSG..."
- Add-VmToNSG -VMName $config.sre.remoteDesktop.gateway.vmName -VmResourceGroupName $config.sre.remoteDesktop.rg -NSGName $config.sre.remoteDesktop.gateway.nsg.name -NsgResourceGroupName $config.sre.network.vnet.rg
- $nsgs["gateway"] = Get-AzNetworkSecurityGroup -Name $config.sre.remoteDesktop.gateway.nsg.name -ResourceGroupName $config.sre.network.vnet.rg -ErrorAction Stop
- # RDS sesssion hosts
- Add-LogMessage -Level Info "Ensure RDS session hosts are bound to correct NSG..."
- Add-VmToNSG -VMName $config.sre.remoteDesktop.appSessionHost.vmName -VmResourceGroupName $config.sre.remoteDesktop.rg -NSGName $config.sre.remoteDesktop.appSessionHost.nsg.name -NsgResourceGroupName $config.sre.network.vnet.rg
- $nsgs["sessionhosts"] = Get-AzNetworkSecurityGroup -Name $config.sre.remoteDesktop.appSessionHost.nsg.name -ResourceGroupName $config.sre.network.vnet.rg -ErrorAction Stop
} else {
Add-LogMessage -Level Fatal "Remote desktop type '$($config.sre.remoteDesktop.type)' was not recognised!"
}
@@ -94,9 +85,6 @@ if ($computeSubnet.NetworkSecurityGroup.Id -eq $nsgs["compute"].Id) {
if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
Add-LogMessage -Level Info "Setting inbound connection rules on Guacamole NSG..."
$null = Update-NetworkSecurityGroupRule -Name $inboundApprovedUsersRuleName -NetworkSecurityGroup $nsgs["remoteDesktop"] -SourceAddressPrefix $allowedSources
-} elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- Add-LogMessage -Level Info "Setting inbound connection rules on RDS Gateway NSG..."
- $null = Update-NetworkSecurityGroupRule -Name $inboundApprovedUsersRuleName -NetworkSecurityGroup $nsgs["gateway"] -SourceAddressPrefix $allowedSources
} else {
Add-LogMessage -Level Fatal "Remote desktop type '$($config.sre.remoteDesktop.type)' was not recognised!"
}
diff --git a/deployment/secure_research_environment/setup/Configure_SRE_RDS_CAP_And_RAP.ps1 b/deployment/secure_research_environment/setup/Configure_SRE_RDS_CAP_And_RAP.ps1
deleted file mode 100644
index 3649c68d8d..0000000000
--- a/deployment/secure_research_environment/setup/Configure_SRE_RDS_CAP_And_RAP.ps1
+++ /dev/null
@@ -1,91 +0,0 @@
-param(
- [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
- [string]$shmId,
- [Parameter(Mandatory = $true, HelpMessage = "Enter SRE ID (e.g. use 'sandbox' for Turing Development Sandbox SREs)")]
- [string]$sreId
-)
-
-Import-Module Az.Accounts -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureCompute -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureKeyVault -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Cryptography -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Logging -Force -ErrorAction Stop
-
-
-# Get config and original context before changing subscription
-# ------------------------------------------------------------
-$config = Get-SreConfig -shmId $shmId -sreId $sreId
-$originalContext = Get-AzContext
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Check that we are using the correct provider
-# --------------------------------------------
-if ($config.sre.remoteDesktop.provider -ne "MicrosoftRDS") {
- Add-LogMessage -Level Fatal "You should not be running this script when using remote desktop provider '$($config.sre.remoteDesktop.provider)'"
-}
-
-
-# Configure CAP and RAP settings
-# ------------------------------
-Add-LogMessage -Level Info "Creating/retrieving NPS secret from Key Vault '$($config.sre.keyVault.name)'..."
-$npsSecret = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.keyVault.secretNames.npsSecret -DefaultLength 12 -AsPlaintext
-
-
-# Configure CAP and RAP settings
-# ------------------------------
-Add-LogMessage -Level Info "[ ] Configuring CAP and RAP settings on RDS Gateway"
-$params = @{
- npsSecretB64 = $npsSecret | ConvertTo-Base64
- remoteNpsBlackout = "60"
- remoteNpsPriority = "1"
- remoteNpsRequireAuthAttrib = "Yes"
- remoteNpsServerGroup = "TS GATEWAY SERVER GROUP" # "TS GATEWAY SERVER GROUP" is the group name created when manually configuring an RDS Gateway to use a remote NPS server
- remoteNpsTimeout = "60"
- shmNetbiosName = $config.shm.domain.netbiosName
- shmNpsIp = $config.shm.nps.ip
- sreResearchUserSecurityGroup = $config.sre.domain.securityGroups.researchUsers.name
-}
-$scriptPath = Join-Path $PSScriptRoot ".." "remote" "create_rds" "scripts" "Configure_CAP_And_RAP_Remote.ps1"
-$null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $scriptPath -VMName $config.sre.remoteDesktop.gateway.vmName -ResourceGroupName $config.sre.remoteDesktop.rg -Parameter $params
-
-
-# Configure SHM NPS for SRE RDS RADIUS client
-# -------------------------------------------
-$null = Set-AzContext -SubscriptionId $config.shm.subscriptionName -ErrorAction Stop
-Add-LogMessage -Level Info "Adding RDS Gateway as RADIUS client on SHM NPS"
-# Run remote script
-$params = @{
- npsSecretB64 = $npsSecret | ConvertTo-Base64
- rdsGatewayIp = $config.sre.remoteDesktop.gateway.ip
- rdsGatewayFqdn = $config.sre.remoteDesktop.gateway.fqdn
- sreId = $config.sre.id
-}
-$scriptPath = Join-Path $PSScriptRoot ".." "remote" "create_rds" "scripts" "Add_RDS_Gateway_RADIUS_Client_Remote.ps1"
-$null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $scriptPath -VMName $config.shm.nps.vmName -ResourceGroupName $config.shm.nps.rg -Parameter $params
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Restart SHM NPS server
-# ----------------------
-# We restart the SHM NPS server because we get login failures with an "Event 13" error -
-# "A RADIUS message was received from the invalid RADIUS client IP address 10.150.9.250"
-# The two reliable ways we have found to fix this are:
-# 1. Log into the SHM NPS and reset the RADIUS shared secret via the GUI
-# 2. Restart the NPS server
-# We can only do (2) in a script, so that is what we do. An NPS restart is quite quick.
-# -------------------------------------------------------------------------------------
-$null = Set-AzContext -SubscriptionId $config.shm.subscriptionName -ErrorAction Stop
-Add-LogMessage -Level Info "Restarting NPS Server..."
-# Restart SHM NPS
-Start-VM -Name $config.shm.nps.vmName -ResourceGroupName $config.shm.nps.rg -ForceRestart
-# Wait 2 minutes for NPS to complete post-restart boot and start NPS services
-Add-LogMessage -Level Info "Waiting 2 minutes for NPS services to start..."
-Start-Sleep 120
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Switch back to original subscription
-# ------------------------------------
-$null = Set-AzContext -Context $originalContext -ErrorAction Stop
diff --git a/deployment/secure_research_environment/setup/Disable_Legacy_TLS.ps1 b/deployment/secure_research_environment/setup/Disable_Legacy_TLS.ps1
deleted file mode 100644
index 7093aaf61e..0000000000
--- a/deployment/secure_research_environment/setup/Disable_Legacy_TLS.ps1
+++ /dev/null
@@ -1,47 +0,0 @@
-param(
- [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
- [string]$shmId,
- [Parameter(Mandatory = $true, HelpMessage = "Enter SRE ID (e.g. use 'sandbox' for Turing Development Sandbox SREs)")]
- [string]$sreId
-)
-
-Import-Module Az.Accounts -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureCompute -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Cryptography -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/DataStructures -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Logging -Force -ErrorAction Stop
-
-
-# Get config and original context before changing subscription
-# ------------------------------------------------------------
-$config = Get-SreConfig -shmId $shmId -sreId $sreId
-$originalContext = Get-AzContext
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Check that we are using the correct provider
-# --------------------------------------------
-if ($config.sre.remoteDesktop.provider -ne "MicrosoftRDS") {
- Add-LogMessage -Level Fatal "You should not be running this script when using remote desktop provider '$($config.sre.remoteDesktop.provider)'"
-}
-
-
-# Disable legacy TLS protocols on RDS Gateway
-# -------------------------------------------
-Add-LogMessage -Level Info "[ ] Disabling legacy SSL/TLS protocols on RDS Gateway"
-$ScriptPath = Join-Path $PSScriptRoot ".." "remote" "create_rds" "scripts" "Disable_Legacy_TLS_Remote.ps1"
-$params = @{
- allowedCiphersB64 = (Get-SslCipherSuites)["tls"] | ConvertTo-Json -Depth 99 | ConvertTo-Base64
-}
-$null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $ScriptPath -VMName $config.sre.remoteDesktop.gateway.vmName -ResourceGroupName $config.sre.remoteDesktop.rg -Parameter $params
-
-
-# Reboot RDS Gateway
-# ------------------
-Start-VM -Name $config.sre.remoteDesktop.gateway.vmName -ResourceGroupName $config.sre.remoteDesktop.rg -ForceRestart
-
-
-# Switch back to original subscription
-# ------------------------------------
-$null = Set-AzContext -Context $originalContext -ErrorAction Stop
diff --git a/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1 b/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1
index cbd52853c5..a2e67c06c6 100644
--- a/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1
+++ b/deployment/secure_research_environment/setup/Remove_SRE_Data_From_SHM.ps1
@@ -98,18 +98,6 @@ if ($sreResources -or $sreResourceGroups) {
$null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $scriptPath -VMName $config.shm.dc.vmName -ResourceGroupName $config.shm.dc.rg -Parameter $params
- # Remove RDS Gateway RADIUS Client from SHM NPS
- # ---------------------------------------------
- if ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- Add-LogMessage -Level Info "Removing RDS Gateway RADIUS Client from SHM NPS..."
- $scriptPath = Join-Path $PSScriptRoot ".." "remote" "configure_shm_dc" "scripts" "Remove_RDS_Gateway_RADIUS_Client_Remote.ps1" -Resolve
- $params = @{
- rdsGatewayFqdn = $config.sre.remoteDesktop.gateway.fqdn
- }
- $null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $scriptPath -VMName $config.shm.nps.vmName -ResourceGroupName $config.shm.nps.rg -Parameter $params
- }
-
-
# Remove SRE DNS Zone
# -------------------
$null = Set-AzContext -SubscriptionId $config.shm.dns.subscriptionName -ErrorAction Stop
@@ -157,8 +145,6 @@ if ($sreResources -or $sreResourceGroups) {
# Remote desktop server CNAME record
if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
$serverHostname = "$($config.sre.remoteDesktop.guacamole.hostname)".ToLower()
- } elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- $serverHostname = "$($config.sre.remoteDesktop.gateway.hostname)".ToLower()
} else {
Add-LogMessage -Level Fatal "Remote desktop type '$($config.sre.remoteDesktop.type)' was not recognised!"
}
diff --git a/deployment/secure_research_environment/setup/Secure_SRE_Remote_Desktop_Gateway.ps1 b/deployment/secure_research_environment/setup/Secure_SRE_Remote_Desktop_Gateway.ps1
deleted file mode 100644
index 88539dbeef..0000000000
--- a/deployment/secure_research_environment/setup/Secure_SRE_Remote_Desktop_Gateway.ps1
+++ /dev/null
@@ -1,46 +0,0 @@
-param(
- [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
- [string]$shmId,
- [Parameter(Mandatory = $true, HelpMessage = "Enter SRE ID (e.g. use 'sandbox' for Turing Development Sandbox SREs)")]
- [string]$sreId,
- [Parameter(Mandatory = $false, HelpMessage = "Do a 'dry run' against the Let's Encrypt staging server.")]
- [switch]$dryRun,
- [Parameter(Mandatory = $false, HelpMessage = "Force the installation step even for dry runs.")]
- [switch]$forceInstall
-)
-
-Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
-
-
-# Get config and original context before changing subscription
-# ------------------------------------------------------------
-$config = Get-SreConfig -shmId $shmId -sreId $sreId
-$originalContext = Get-AzContext
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Check that we are using the correct provider
-# --------------------------------------------
-if ($config.sre.remoteDesktop.provider -ne "MicrosoftRDS") {
- Add-LogMessage -Level Fatal "You should not be running this script when using remote desktop provider '$($config.sre.remoteDesktop.provider)'"
-}
-
-
-# Disable legacy TLS on the RDS gateway
-# -------------------------------------
-Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Disable_Legacy_TLS.ps1')" -shmId $shmId -sreId $sreId }
-
-
-# Configure CAP and RAP settings on the RDS gateway
-# -------------------------------------------------
-Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Configure_SRE_RDS_CAP_And_RAP.ps1')" -shmId $shmId -sreId $sreId }
-
-
-# Update the SSL certificates on the RDS gateway
-# ----------------------------------------------
-Invoke-Command -ScriptBlock { & "$(Join-Path $PSScriptRoot 'Update_SRE_SSL_Certificate.ps1')" -shmId $shmId -sreId $sreId -dryRun:$dryRun -forceInstall:$forceInstall }
-
-
-# Switch back to original subscription
-# ------------------------------------
-$null = Set-AzContext -Context $originalContext -ErrorAction Stop
diff --git a/deployment/secure_research_environment/setup/Setup_SRE_Key_Vault_And_Users.ps1 b/deployment/secure_research_environment/setup/Setup_SRE_Key_Vault_And_Users.ps1
index d35671c265..7b403758a7 100644
--- a/deployment/secure_research_environment/setup/Setup_SRE_Key_Vault_And_Users.ps1
+++ b/deployment/secure_research_environment/setup/Setup_SRE_Key_Vault_And_Users.ps1
@@ -50,9 +50,6 @@ try {
# Remote desktop
if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
$null = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.remoteDesktop.guacamole.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
- } elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- $null = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.remoteDesktop.gateway.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
- $null = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.remoteDesktop.appSessionHost.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
} else {
Add-LogMessage -Level Fatal "Remote desktop type '$($config.sre.remoteDesktop.type)' was not recognised!"
}
diff --git a/deployment/secure_research_environment/setup/Setup_SRE_Networking.ps1 b/deployment/secure_research_environment/setup/Setup_SRE_Networking.ps1
index 85860f2b98..3cdc722af1 100644
--- a/deployment/secure_research_environment/setup/Setup_SRE_Networking.ps1
+++ b/deployment/secure_research_environment/setup/Setup_SRE_Networking.ps1
@@ -87,15 +87,6 @@ if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
$rules = Get-JsonFromMustacheTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "network_rules" $config.sre.network.vnet.subnets.remoteDesktop.nsg.rules) -Parameters $config -AsHashtable
$null = Set-NetworkSecurityGroupRules -NetworkSecurityGroup $guacamoleNsg -Rules $rules
$remoteDesktopSubnet = Set-SubnetNetworkSecurityGroup -Subnet $remoteDesktopSubnet -NetworkSecurityGroup $guacamoleNsg
-} elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- # Ensure that gateway NSG exists with correct rules
- $gatewayNsg = Deploy-NetworkSecurityGroup -Name $config.sre.remoteDesktop.gateway.nsg.name -ResourceGroupName $config.sre.network.vnet.rg -Location $config.sre.location
- $rules = Get-JsonFromMustacheTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "network_rules" $config.sre.remoteDesktop.gateway.nsg.rules) -Parameters $config -AsHashtable
- $null = Set-NetworkSecurityGroupRules -NetworkSecurityGroup $gatewayNsg -Rules $rules
- # Ensure that session host NSG exists with correct rules
- $sessionHostNsg = Deploy-NetworkSecurityGroup -Name $config.sre.remoteDesktop.appSessionHost.nsg.name -ResourceGroupName $config.sre.network.vnet.rg -Location $config.sre.location
- $rules = Get-JsonFromMustacheTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "network_rules" $config.sre.remoteDesktop.appSessionHost.nsg.rules) -Parameters $config -AsHashtable
- $null = Set-NetworkSecurityGroupRules -NetworkSecurityGroup $sessionHostNsg -Rules $rules
} else {
Add-LogMessage -Level Fatal "Remote desktop type '$($config.sre.remoteDesktop.type)' was not recognised!"
}
diff --git a/deployment/secure_research_environment/setup/Setup_SRE_Remote_Desktop.ps1 b/deployment/secure_research_environment/setup/Setup_SRE_Remote_Desktop.ps1
deleted file mode 100644
index 105fd806d6..0000000000
--- a/deployment/secure_research_environment/setup/Setup_SRE_Remote_Desktop.ps1
+++ /dev/null
@@ -1,261 +0,0 @@
-param(
- [Parameter(Mandatory = $true, HelpMessage = "Enter SHM ID (e.g. use 'testa' for Turing Development Safe Haven A)")]
- [string]$shmId,
- [Parameter(Mandatory = $true, HelpMessage = "Enter SRE ID (e.g. use 'sandbox' for Turing Development Sandbox SREs)")]
- [string]$sreId
-)
-
-Import-Module Az.Accounts -ErrorAction Stop
-Import-Module Az.Compute -ErrorAction Stop
-Import-Module Az.Dns -ErrorAction Stop
-Import-Module Az.Network -ErrorAction Stop
-Import-Module Az.Storage -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureCompute -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureDns -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureKeyVault -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureNetwork -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureResources -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/AzureStorage -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Configuration -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Cryptography -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/DataStructures -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Logging -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/RemoteCommands -Force -ErrorAction Stop
-Import-Module $PSScriptRoot/../../common/Templates -Force -ErrorAction Stop
-
-
-# Get config and original context before changing subscription
-# ------------------------------------------------------------
-$config = Get-SreConfig -shmId $shmId -sreId $sreId
-$originalContext = Get-AzContext
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Check that we are using the correct provider
-# --------------------------------------------
-if ($config.sre.remoteDesktop.provider -ne "MicrosoftRDS") {
- Add-LogMessage -Level Fatal "You should not be running this script when using remote desktop provider '$($config.sre.remoteDesktop.provider)'"
-}
-
-
-# Set constants used in this script
-# ---------------------------------
-$vmNamePairs = @(("RDS Gateway", $config.sre.remoteDesktop.gateway.vmName),
- ("RDS Session Host (App server)", $config.sre.remoteDesktop.appSessionHost.vmName))
-
-
-# Retrieve variables from SHM Key Vault
-# -------------------------------------
-Add-LogMessage -Level Info "Creating/retrieving secrets from Key Vault '$($config.shm.keyVault.name)'..."
-$null = Set-AzContext -SubscriptionId $config.shm.subscriptionName -ErrorAction Stop
-$domainAdminUsername = Resolve-KeyVaultSecret -VaultName $config.shm.keyVault.name -SecretName $config.shm.keyVault.secretNames.domainAdminUsername -AsPlaintext
-$domainJoinGatewayPassword = Resolve-KeyVaultSecret -VaultName $config.shm.keyVault.name -SecretName $config.shm.users.computerManagers.rdsGatewayServers.passwordSecretName -DefaultLength 20 -AsPlaintext
-$domainJoinSessionHostPassword = Resolve-KeyVaultSecret -VaultName $config.shm.keyVault.name -SecretName $config.shm.users.computerManagers.rdsSessionServers.passwordSecretName -DefaultLength 20 -AsPlaintext
-$null = Set-AzContext -SubscriptionId $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Retrieve variables from SRE Key Vault
-# -------------------------------------
-Add-LogMessage -Level Info "Creating/retrieving secrets from Key Vault '$($config.sre.keyVault.name)'..."
-$ipAddressFirstSRD = Get-NextAvailableIpInRange -IpRangeCidr $config.sre.network.vnet.subnets.compute.cidr -Offset 160
-$rdsGatewayAdminPassword = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.remoteDesktop.gateway.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
-$rdsAppSessionHostAdminPassword = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.remoteDesktop.appSessionHost.adminPasswordSecretName -DefaultLength 20 -AsPlaintext
-$sreAdminUsername = Resolve-KeyVaultSecret -VaultName $config.sre.keyVault.name -SecretName $config.sre.keyVault.secretNames.adminUsername -DefaultValue "sre$($config.sre.id)admin".ToLower() -AsPlaintext
-
-
-# Ensure that boot diagnostics resource group and storage account exist
-# ---------------------------------------------------------------------
-$null = Deploy-ResourceGroup -Name $config.sre.storage.bootdiagnostics.rg -Location $config.sre.location
-$null = Deploy-StorageAccount -Name $config.sre.storage.bootdiagnostics.accountName -ResourceGroupName $config.sre.storage.bootdiagnostics.rg -Location $config.sre.location
-
-
-# Ensure that SRE resource group and storage accounts exist
-# ---------------------------------------------------------
-$null = Deploy-ResourceGroup -Name $config.sre.storage.artifacts.rg -Location $config.sre.location
-$sreStorageAccount = Get-StorageAccount -Name $config.sre.storage.artifacts.account.name -ResourceGroupName $config.sre.storage.artifacts.rg -SubscriptionName $config.sre.subscriptionName -ErrorAction Stop
-
-# Get SHM storage account
-# -----------------------
-$null = Set-AzContext -Subscription $config.shm.subscriptionName -ErrorAction Stop
-$shmStorageAccount = Deploy-StorageAccount -Name $config.shm.storage.artifacts.accountName -ResourceGroupName $config.shm.storage.artifacts.rg -Location $config.shm.location
-$null = Set-AzContext -Subscription $config.sre.subscriptionName -ErrorAction Stop
-
-
-# Create RDS resource group if it does not exist
-# ----------------------------------------------
-$null = Deploy-ResourceGroup -Name $config.sre.remoteDesktop.rg -Location $config.sre.location
-
-
-# Deploy RDS from template
-# ------------------------
-Add-LogMessage -Level Info "Deploying RDS from template..."
-$params = @{
- administratorUsername = $sreAdminUsername
- bootDiagnosticsAccountName = $config.sre.storage.bootdiagnostics.accountName
- domainName = $config.shm.domain.fqdn
- gatewayAdministratorPassword = (ConvertTo-SecureString $rdsGatewayAdminPassword -AsPlainText -Force)
- gatewayDataDiskSizeGb = [int]$config.sre.remoteDesktop.gateway.disks.data.sizeGb
- gatewayDataDiskType = $config.sre.remoteDesktop.gateway.disks.data.type
- gatewayDomainJoinOuPath = $config.shm.domain.ous.rdsGatewayServers.path
- gatewayDomainJoinPassword = (ConvertTo-SecureString $domainJoinGatewayPassword -AsPlainText -Force)
- gatewayDomainJoinUser = $config.shm.users.computerManagers.rdsGatewayServers.samAccountName
- gatewayNsgName = $config.sre.remoteDesktop.gateway.nsg.name
- gatewayOsDiskSizeGb = [int]$config.sre.remoteDesktop.gateway.disks.os.sizeGb
- gatewayOsDiskType = $config.sre.remoteDesktop.gateway.disks.os.type
- gatewayPrivateIpAddress = $config.sre.remoteDesktop.gateway.ip
- gatewayVmName = $config.sre.remoteDesktop.gateway.vmName
- gatewayVmSize = $config.sre.remoteDesktop.gateway.vmSize
- sessionHostAppsAdministratorPassword = (ConvertTo-SecureString $rdsAppSessionHostAdminPassword -AsPlainText -Force)
- sessionHostAppsOsDiskSizeGb = [int]$config.sre.remoteDesktop.appSessionHost.disks.os.sizeGb
- sessionHostAppsOsDiskType = $config.sre.remoteDesktop.appSessionHost.disks.os.type
- sessionHostAppsPrivateIpAddress = $config.sre.remoteDesktop.appSessionHost.ip
- sessionHostAppsVmName = $config.sre.remoteDesktop.appSessionHost.vmName
- sessionHostAppsVmSize = $config.sre.remoteDesktop.appSessionHost.vmSize
- sessionHostsDomainJoinOuPath = $config.shm.domain.ous.rdsSessionServers.path
- sessionHostsDomainJoinPassword = (ConvertTo-SecureString $domainJoinSessionHostPassword -AsPlainText -Force)
- sessionHostsDomainJoinUser = $config.shm.users.computerManagers.rdsSessionServers.samAccountName
- virtualNetworkGatewaySubnetName = $config.sre.network.vnet.subnets.remoteDesktop.name
- virtualNetworkName = $config.sre.network.vnet.name
- virtualNetworkResourceGroupName = $config.sre.network.vnet.rg
- virtualNetworkSessionHostsSubnetName = $config.sre.network.vnet.subnets.remoteDesktop.name
-}
-Deploy-ArmTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "arm_templates" "sre-rds-template.json") -TemplateParameters $params -ResourceGroupName $config.sre.remoteDesktop.rg
-
-
-# Get public IP address of RDS gateway
-# ------------------------------------
-$rdsGatewayVM = Get-AzVM -ResourceGroupName $config.sre.remoteDesktop.rg -Name $config.sre.remoteDesktop.gateway.vmName
-$rdsGatewayPrimaryNicId = ($rdsGateWayVM.NetworkProfile.NetworkInterfaces | Where-Object { $_.Primary })[0].Id
-$rdsGatewayPublicIp = (Get-AzPublicIpAddress -ResourceGroupName $config.sre.remoteDesktop.rg | Where-Object { $_.IpConfiguration.Id -like "$rdsGatewayPrimaryNicId*" }).IpAddress
-
-
-# Add DNS records for RDS Gateway
-# -------------------------------
-Deploy-DnsRecordCollection -PublicIpAddress $rdsGatewayPublicIp `
- -RecordNameA "@" `
- -RecordNameCAA "letsencrypt.org" `
- -RecordNameCName $serverHostname `
- -ResourceGroupName $config.shm.dns.rg `
- -SubscriptionName $config.shm.dns.subscriptionName `
- -TtlSeconds 30 `
- -ZoneName $config.sre.domain.fqdn
-
-
-# Create blob containers in SRE storage account
-# ---------------------------------------------
-Add-LogMessage -Level Info "Creating blob storage containers in storage account '$($sreStorageAccount.StorageAccountName)'..."
-foreach ($containerName in $config.sre.storage.artifacts.containers.Values) {
- $null = Deploy-StorageContainer -Name $containerName -StorageAccount $sreStorageAccount
- $null = Clear-StorageContainer -Name $containerName -StorageAccount $sreStorageAccount
-}
-
-
-# Upload RDS deployment scripts to SRE storage
-# --------------------------------------------
-Add-LogMessage -Level Info "Upload RDS deployment scripts to storage..."
-# Expand mustache template variables
-$config["rdsTemplates"] = @{
- domainAdminUsername = $domainAdminUsername
- ipAddressFirstSRD = $ipAddressFirstSRD
-}
-# Upload deploy script
-try {
- Add-LogMessage -Level Info "[ ] Uploading RDS deployment script to storage account '$($sreStorageAccount.StorageAccountName)'"
- $temporaryPath = (New-TemporaryFile).FullName
- Expand-MustacheTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "remote" "create_rds" "templates" "Deploy_RDS_Environment.mustache.ps1") -Parameters $config | Out-File $temporaryPath
- $null = Set-AzStorageBlobContent -Container $config.sre.storage.artifacts.containers.sreScriptsRDS -Context $sreStorageAccount.Context -File $temporaryPath -Blob "Deploy_RDS_Environment.ps1" -Force -ErrorAction Stop
- Remove-Item -Path $temporaryPath
-} catch {
- Add-LogMessage -Level Fatal "Uploading RDS deployment script failed!" -Exception $_.Exception
-}
-# Upload deploy script
-try {
- Add-LogMessage -Level Info "[ ] Uploading RDS server list to storage account '$($sreStorageAccount.StorageAccountName)'"
- $temporaryPath = (New-TemporaryFile).FullName
- Expand-MustacheTemplate -TemplatePath (Join-Path $PSScriptRoot ".." "remote" "create_rds" "templates" "ServerList.mustache.xml") -Parameters $config | Out-File $temporaryPath
- $null = Set-AzStorageBlobContent -Container $config.sre.storage.artifacts.containers.sreScriptsRDS -Context $sreStorageAccount.Context -File $temporaryPath -Blob "ServerList.xml" -Force -ErrorAction Stop
- Remove-Item -Path $temporaryPath
-} catch {
- Add-LogMessage -Level Fatal "Uploading RDS server list failed!" -Exception $_.Exception
-}
-
-
-# Upload RDS package installers to SRE storage
-# --------------------------------------------
-Add-LogMessage -Level Info "[ ] Uploading Windows package installers to storage account '$($sreStorageAccount.StorageAccountName)'..."
-try {
- # Chrome
- $null = Set-AzureStorageBlobFromUri -FileUri "http://dl.google.com/edgedl/chrome/install/GoogleChromeStandaloneEnterprise64.msi" -BlobFilename "GoogleChrome_x64.msi" -StorageContainer $config.sre.storage.artifacts.containers.sreArtifactsRDS -StorageContext $sreStorageAccount.Context
- # PuTTY
- $baseUri = "https://the.earth.li/~sgtatham/putty/latest/w64/"
- $filename = $(Invoke-WebRequest -Uri $baseUri).Links | Where-Object { $_.href -like "*installer.msi" } | ForEach-Object { $_.href } | Select-Object -First 1
- $version = ($filename -split "-")[2]
- $null = Set-AzureStorageBlobFromUri -FileUri "$($baseUri.Replace('latest', $version))/$filename" -BlobFilename "PuTTY_x64.msi" -StorageContainer $config.sre.storage.artifacts.containers.sreArtifactsRDS -StorageContext $sreStorageAccount.Context
- Add-LogMessage -Level Success "Uploaded Windows package installers"
-} catch {
- Add-LogMessage -Level Fatal "Failed to upload Windows package installers!" -Exception $_.Exception
-}
-
-
-# Import files to RDS VMs
-# -----------------------
-Add-LogMessage -Level Info "Importing files from storage to RDS VMs..."
-# Set correct list of packages from blob storage for each session host
-$blobfiles = @{}
-$vmNamePairs | ForEach-Object { $blobfiles[$_[1]] = @() }
-foreach ($blob in Get-AzStorageBlob -Container $config.sre.storage.artifacts.containers.sreArtifactsRDS -Context $sreStorageAccount.Context) {
- $blobfiles[$config.sre.remoteDesktop.appSessionHost.vmName] += @{$config.sre.storage.artifacts.containers.sreArtifactsRDS = $blob.Name }
-}
-# ... and for the gateway
-foreach ($blob in Get-AzStorageBlob -Container $config.sre.storage.artifacts.containers.sreScriptsRDS -Context $sreStorageAccount.Context) {
- $blobfiles[$config.sre.remoteDesktop.gateway.vmName] += @{$config.sre.storage.artifacts.containers.sreScriptsRDS = $blob.Name }
-}
-# Copy software and/or scripts to RDS VMs
-$scriptPath = Join-Path $PSScriptRoot ".." "remote" "create_rds" "scripts" "Import_And_Install_Blobs.ps1"
-foreach ($nameVMNameParamsPair in $vmNamePairs) {
- $name, $vmName = $nameVMNameParamsPair
- $containerName = $blobfiles[$vmName] | ForEach-Object { $_.Keys } | Select-Object -First 1
- $fileNames = $blobfiles[$vmName] | ForEach-Object { $_.Values }
- $sasToken = New-ReadOnlyStorageAccountSasToken -SubscriptionName $config.sre.subscriptionName -ResourceGroup $config.sre.storage.artifacts.rg -AccountName $sreStorageAccount.StorageAccountName
- Add-LogMessage -Level Info "[ ] Copying $($fileNames.Count) files to $name"
- $params = @{
- blobNameArrayB64 = $fileNames | ConvertTo-Json -Depth 99 | ConvertTo-Base64
- downloadDir = $config.sre.remoteDesktop.gateway.installationDirectory
- sasTokenB64 = $sasToken | ConvertTo-Base64
- shareOrContainerName = $containerName
- storageAccountName = $sreStorageAccount.StorageAccountName
- storageService = "blob"
- }
- $null = Invoke-RemoteScript -Shell "PowerShell" -ScriptPath $scriptPath -VMName $vmName -ResourceGroupName $config.sre.remoteDesktop.rg -Parameter $params
-}
-
-
-# Set locale, install updates and reboot
-# --------------------------------------
-foreach ($nameVMNameParamsPair in $vmNamePairs) {
- $name, $vmName = $nameVMNameParamsPair
- Add-LogMessage -Level Info "Updating ${name}: '$vmName'..."
- $params = @{}
- # The RDS Gateway needs the RDWebClientManagement Powershell module
- if ($name -eq "RDS Gateway") { $params["AdditionalPowershellModules"] = @("RDWebClientManagement") }
- Invoke-WindowsConfiguration -VMName $vmName -ResourceGroupName $config.sre.remoteDesktop.rg -TimeZone $config.sre.time.timezone.windows -NtpServer ($config.shm.time.ntp.serverAddresses)[0] @params
-}
-
-
-# Add VMs to correct NSG
-# ----------------------
-Add-VmToNSG -VMName $config.sre.remoteDesktop.gateway.vmName -VmResourceGroupName $config.sre.remoteDesktop.rg -NSGName $config.sre.remoteDesktop.gateway.nsg.name -NsgResourceGroupName $config.sre.network.vnet.rg
-Add-VmToNSG -VMName $config.sre.remoteDesktop.appSessionHost.vmName -VmResourceGroupName $config.sre.remoteDesktop.rg -NSGName $config.sre.remoteDesktop.appSessionHost.nsg.name -NsgResourceGroupName $config.sre.network.vnet.rg
-
-
-# Reboot all the RDS VMs
-# ----------------------
-foreach ($nameVMNameParamsPair in $vmNamePairs) {
- $null, $vmName = $nameVMNameParamsPair
- Start-VM -Name $vmName -ResourceGroupName $config.sre.remoteDesktop.rg -ForceRestart
-}
-
-
-# Switch back to original subscription
-# ------------------------------------
-$null = Set-AzContext -Context $originalContext -ErrorAction Stop
diff --git a/deployment/secure_research_environment/setup/Update_SRE_SSL_Certificate.ps1 b/deployment/secure_research_environment/setup/Update_SRE_SSL_Certificate.ps1
index 9f8d7cae24..ff32d9ac0d 100644
--- a/deployment/secure_research_environment/setup/Update_SRE_SSL_Certificate.ps1
+++ b/deployment/secure_research_environment/setup/Update_SRE_SSL_Certificate.ps1
@@ -44,8 +44,6 @@ if ($dryRun) { $certificateName += "-dryrun" }
# ------------------------------------
if ($config.sre.remoteDesktop.provider -eq "ApacheGuacamole") {
$remoteDesktopVmFqdn = $config.sre.remoteDesktop.guacamole.fqdn
-} elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- $remoteDesktopVmFqdn = $config.sre.remoteDesktop.gateway.fqdn
} else {
Add-LogMessage -Level Fatal "SSL certificate updating is not configured for remote desktop type '$($config.sre.remoteDesktop.type)'!"
}
@@ -263,16 +261,6 @@ if ($doInstall) {
CERT_THUMBPRINT = $kvCertificate.Thumbprint
}
$scriptType = "UnixShell"
- } elseif ($config.sre.remoteDesktop.provider -eq "MicrosoftRDS") {
- $targetVM = Get-AzVM -ResourceGroupName $config.sre.remoteDesktop.rg -Name $config.sre.remoteDesktop.gateway.vmName | Remove-AzVMSecret
- $scriptParams = @{
- rdsFqdn = $remoteDesktopVmFqdn
- certThumbPrint = $kvCertificate.Thumbprint
- remoteDirectory = "/Certificates"
- }
- $scriptPath = Join-Path $PSScriptRoot ".." "remote" "create_rds" "scripts" "Install_Signed_Ssl_Cert.ps1"
- $scriptType = "PowerShell"
- $addSecretParams["CertificateStore"] = "My"
} else {
Add-LogMessage -Level Fatal "SSL certificate updating is not configured for remote desktop type '$($config.sre.remoteDesktop.type)'!"
}
diff --git a/docs/source/deployment/deploy_shm.md b/docs/source/deployment/deploy_shm.md
index 94f652b1f1..df3ea4c6e4 100644
--- a/docs/source/deployment/deploy_shm.md
+++ b/docs/source/deployment/deploy_shm.md
@@ -535,26 +535,6 @@ PS> ./Setup_SHM_Update_Servers.ps1 -shmId
-(roles_system_deployer_shm_deploy_nps)=
-
-
-Deploy network policy server
-
- at {{file_folder}} `./deployment/safe_haven_management_environment/setup`
-
-```powershell
-PS> ./Setup_SHM_NPS.ps1 -shmId
-```
-
-- where `` is the {ref}`management environment ID ` for this SHM
-
-```{error}
-If you see an error similar to `New-AzResourceGroupDeployment: Resource Microsoft.Compute/virtualMachines/extensions NPS-SHM-/joindomain' failed with message` you may find this error resolves if you wait and retry later.
-Alternatively, you can try deleting the extension from the `NPS-SHM- > Extensions` blade in the Azure portal.
-```
-
-
-
(roles_system_deployer_shm_deploy_mirrors)=
@@ -974,119 +954,7 @@ If you see a message about buying licences, you may need to refresh the page for
-(roles_system_deployer_configure_nps)=
-
-## 10. {{station}} Configure network policy server
-
-(roles_system_deployer_shm_remote_desktop_nps)=
-
-### Configure the network policy server (NPS) via Remote Desktop
-
-
-
-- Navigate to the **network policy server** VM in the portal at `Resource Groups > RG_SHM__NPS > NPS-SHM-` and note the `Private IP address` for this VM
-- Use the same `` and `` as for the **SHM primary domain controller** (`DC1-SHM-`)
-
-#### Configure NPS logging
-
-
-
-- Log into the **network policy server** (`NPS-SHM-`) VM using the `private IP address`, `` and `` that you {ref}`obtained from the portal above `.
-- Open Server Manager and select `Tools > Network Policy Server` (or open the `Network Policy Server` desktop app directly)
-- Configure NPS to log to a local text file:
-
- - Select `NPS (Local) > Accounting` on the left-hand sidebar
- Screenshots
-
- ```{image} deploy_shm/nps_accounting.png
- :alt: NPS accounting
- :align: center
- ```
-
- Enabling Multi-Factor Auth Client
-
- - Look at [the documentation here](https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-nps-extension#troubleshooting).
- - Make sure the Safe Haven Azure Active Directory has valid P1 licenses:
- - Go to the Azure Portal and click `Azure Active Directories` in the left hand side bar
- - Click `Licenses`in the left hand side bar then `Manage > All products`
- - You should see `Azure Active Directory Premium P1` in the list of products, with a non-zero number of available licenses.
- - If you do not have P1 licences, purchase some following the instructions at the end of the {ref}`add additional administrators ` section above, making sure to also follow the final step to configure the MFA settings on the Azure Active Directory.
- - If you are using the trial `Azure Active Directory Premium P2` licences, you may find that enabling a trial of `Enterprise Mobility + Security E5` licences will resolve this.
- - Make sure that you have added a P1 licence to at least one user in the `Azure Active Directory` and have gone through the MFA setup procedure for that user.
- You may have to wait a few minutes after doing this
- - If you've done all of these things and nothing is working, you may have accidentally removed the `Azure Multi-Factor Auth Client` Enterprise Application from your `Azure Active Directory`.
- Run `C:\Installation\Ensure_MFA_SP_AAD.ps1` to create a new service principal and try the previous steps again.
- Check user credentials
-
-- Make sure you are logged in to the NPS server as a **domain** user rather than a local user.
- - The output of the `whoami` command in Powershell should be `\` rather than `NPS-SHM-\`.
- - If it is not, reconnect to the remote desktop with the username `admin@`, using the same password as before
-- Make sure you authenticate to `Azure Active Directory` your own **native** Global Administrator (i.e. `admin.firstname.lastname@`) and that you have successfully logged in and verified your phone number and email address and configured MFA on your account.
-
+Remove data from previous deployments
+
+```{include} snippets/03_01_remove_data.partial.md
+:relative-images:
+```
+
+
+
+
+Register SRE with the SHM
+
+```{include} snippets/03_02_register_sre.partial.md
+:relative-images:
+```
+
+
+
+
+Create SRE DNS Zone
+
+```{include} snippets/04_01_sre_dns.partial.md
+:relative-images:
+```
+
+
+
+```{include} snippets/04_02_manual_dns.partial.md
+:relative-images:
+```
+
+
+Deploy the virtual network
+
+```{include} snippets/04_03_deploy_vnet.partial.md
+:relative-images:
+```
+
+
+
+
+Deploy storage accounts
+
+```{include} snippets/05_storage_accounts.partial.md
+:relative-images:
+```
+
+
+
+
+Deploy Apache Guacamole remote desktop
+
+ at {{file_folder}} `./deployment/secure_research_environment/setup`
+
+```powershell
+PS> ./Setup_SRE_Guacamole_Servers.ps1 -shmId -sreId
+```
+
+- where `` is the {ref}`management environment ID ` for this SHM.
+- where `` is the {ref}`secure research environment ID ` for this SRE.
+
+
+
+
+Deploy web applications (CoCalc, CodiMD and GitLab)
+
+```{include} snippets/07_deploy_webapps.partial.md
+:relative-images:
+```
+
+
+
+
+Deploy databases
-We currently support two different end-user remote desktop interfaces.
+```{include} snippets/08_databases.partial.md
+:relative-images:
+```
+
+
+
+
+Deploy Secure Research Desktops (SRDs)
+
+The `-VmSizes` parameter that you provided to the `Deploy_SRE.ps1` script determines how many SRDs are created and how large each one will be.
+
+```{note}
+The following script will be run once for each `` that you specified.
+If you specify the same size more than once, you will create multiple SRDs of that size.
+```
+
+```{include} snippets/09_single_srd.partial.md
+:relative-images:
+```
+
+
+
+
+Apply network configuration
+
+```{include} snippets/10_network_lockdown.partial.md
+:relative-images:
+```
+
+
+
+
+Configure firewall
+
+```{include} snippets/11_configure_firewall.partial.md
+:relative-images:
+```
+
+
+
+
+Configure monitoring
+
+```{include} snippets/12_configure_monitoring.partial.md
+:relative-images:
+```
+
+
+
+
+Enable backup
+
+```{include} snippets/13_enable_backup.partial.md
+:relative-images:
+```
+
+
-[User guide: Apache Guacamole](deploy_sre_apache_guacamole.md)
-: {{sparkles}} **Recommended** {{sparkles}} Step-by-step instructions to deploy an SRE using `Apache Guacamole` (**tiers 0-3**)
+## 4. {{microscope}} Test deployed SRE
-[User guide: Microsoft Remote Desktop](deploy_sre_microsoft_rds.md)
-: Step-by-step instructions to deploy an SRE using `Microsoft Remote Desktop` (**tiers 2-3 only**)
+(deploy_sre_apache_guacamole_create_user_account)=
+
+### {{bicyclist}} Verify non-privileged user account is set up
+
+```{include} snippets/06_01_create_user_account.partial.md
+:relative-images:
+```
+
+To complete the account setup, follow the instructions for password and MFA setup present in the {ref}`user guide `.
+
+(deploy_sre_apache_guacamole_test_remote_desktop)=
+
+### {{pear}} Test the Apache Guacamole remote desktop
+
+- Launch a local web browser on your **deployment machine** and go to `https://.` and log in with the user name and password you set up for the non-privileged user account.
+ - For example for ` = project.turingsafehaven.ac.uk` and ` = sandbox` this would be `https://sandbox.project.turingsafehaven.ac.uk/`
+- You should see a screen like the following. If you do not, follow the **troubleshooting** instructions below.
+
+ ```{image} ../roles/researcher/user_guide/guacamole_dashboard.png
+ :alt: Guacamole dashboard
+ :align: center
+ ```
+
+- At this point you should double click on the {{computer}} `Ubuntu0` link under `All Connections` which should bring you to the secure remote desktop (SRD) login screen
+- You will need the short-form of the user name (ie. without the `@` part) and the same password as before
+- This should bring you to the SRD that will look like the following
+
+ ```{image} deploy_sre/guacamole_desktop.png
+ :alt: Guacamole dashboard
+ :align: center
+ ```
+
+```{important}
+Ensure that you are connecting from one of the **permitted IP ranges** specified in the `inboundAccessFrom` section of the SRE config file.
+For example, if you have authorised a corporate VPN, check that you have correctly configured you client to connect to it.
+```
+
+````{error}
+If you see an error like the following when attempting to log in, it is likely that the AzureAD application is not registered as an `ID token` provider.
+
+```{image} deploy_sre/guacamole_aad_idtoken_failure.png
+:alt: AAD ID token failure
+:align: center
+```
+
+Register AzureAD application
+
+
+
+- From the Azure portal, navigate to the AAD you have created.
+- Navigate to `Azure Active Directory > App registrations`, and select the application called `Guacamole SRE `.
+- Click on `Authentication` on the left-hand sidebar
+- Ensure that the `ID tokens` checkbox is ticked and click on the `Save` icon if you had to make any changes
+ ```{image} deploy_sre/guacamole_aad_app_registration_idtoken.png
+ :alt: AAD app registration
+ :align: center
+ ```
+
-Remove data from previous deployments
-
-```{include} snippets/03_01_remove_data.partial.md
-:relative-images:
-```
-
-
-
-
-Register SRE with the SHM
-
-```{include} snippets/03_02_register_sre.partial.md
-:relative-images:
-```
-
-
-
-
-Create SRE DNS Zone
-
-```{include} snippets/04_01_sre_dns.partial.md
-:relative-images:
-```
-
-
-
-```{include} snippets/04_02_manual_dns.partial.md
-:relative-images:
-```
-
-
-Deploy the virtual network
-
-```{include} snippets/04_03_deploy_vnet.partial.md
-:relative-images:
-```
-
-
-
-
-Deploy storage accounts
-
-```{include} snippets/05_storage_accounts.partial.md
-:relative-images:
-```
-
-
-
-
-Deploy Apache Guacamole remote desktop
-
- at {{file_folder}} `./deployment/secure_research_environment/setup`
-
-```powershell
-PS> ./Setup_SRE_Guacamole_Servers.ps1 -shmId -sreId
-```
-
-- where `` is the {ref}`management environment ID ` for this SHM.
-- where `` is the {ref}`secure research environment ID ` for this SRE.
-
-
-
-
-Deploy web applications (CoCalc, CodiMD and GitLab)
-
-```{include} snippets/07_deploy_webapps.partial.md
-:relative-images:
-```
-
-
-
-
-Deploy databases
-
-```{include} snippets/08_databases.partial.md
-:relative-images:
-```
-
-
-
-
-Deploy Secure Research Desktops (SRDs)
-
-The `-VmSizes` parameter that you provided to the `Deploy_SRE.ps1` script determines how many SRDs are created and how large each one will be.
-
-```{note}
-The following script will be run once for each `` that you specified.
-If you specify the same size more than once, you will create multiple SRDs of that size.
-```
-
-```{include} snippets/09_single_srd.partial.md
-:relative-images:
-```
-
-
-
-
-Apply network configuration
-
-```{include} snippets/10_network_lockdown.partial.md
-:relative-images:
-```
-
-
-
-
-Configure firewall
-
-```{include} snippets/11_configure_firewall.partial.md
-:relative-images:
-```
-
-
-
-
-Configure monitoring
-
-```{include} snippets/12_configure_monitoring.partial.md
-:relative-images:
-```
-
-
-
-
-Enable backup
-
-```{include} snippets/13_enable_backup.partial.md
-:relative-images:
-```
-
-
-
-## 4. {{microscope}} Test deployed SRE
-
-(deploy_sre_apache_guacamole_create_user_account)=
-
-### {{bicyclist}} Verify non-privileged user account is set up
-
-```{include} snippets/06_01_create_user_account.partial.md
-:relative-images:
-```
-
-To complete the account setup, follow the instructions for password and MFA setup present in the {ref}`user guide `.
-
-(deploy_sre_apache_guacamole_test_remote_desktop)=
-
-### {{pear}} Test the Apache Guacamole remote desktop
-
-- Launch a local web browser on your **deployment machine** and go to `https://.` and log in with the user name and password you set up for the non-privileged user account.
- - For example for ` = project.turingsafehaven.ac.uk` and ` = sandbox` this would be `https://sandbox.project.turingsafehaven.ac.uk/`
-- You should see a screen like the following. If you do not, follow the **troubleshooting** instructions below.
-
- ```{image} ../roles/researcher/user_guide/guacamole_dashboard.png
- :alt: Guacamole dashboard
- :align: center
- ```
-
-- At this point you should double click on the {{computer}} `Ubuntu0` link under `All Connections` which should bring you to the secure remote desktop (SRD) login screen
-- You will need the short-form of the user name (ie. without the `@` part) and the same password as before
-- This should bring you to the SRD that will look like the following
-
- ```{image} deploy_sre/guacamole_desktop.png
- :alt: Guacamole dashboard
- :align: center
- ```
-
-```{important}
-Ensure that you are connecting from one of the **permitted IP ranges** specified in the `inboundAccessFrom` section of the SRE config file.
-For example, if you have authorised a corporate VPN, check that you have correctly configured you client to connect to it.
-```
-
-````{error}
-If you see an error like the following when attempting to log in, it is likely that the AzureAD application is not registered as an `ID token` provider.
-
-```{image} deploy_sre/guacamole_aad_idtoken_failure.png
-:alt: AAD ID token failure
-:align: center
-```
-
-Register AzureAD application
-
-
-
-- From the Azure portal, navigate to the AAD you have created.
-- Navigate to `Azure Active Directory > App registrations`, and select the application called `Guacamole SRE `.
-- Click on `Authentication` on the left-hand sidebar
-- Ensure that the `ID tokens` checkbox is ticked and click on the `Save` icon if you had to make any changes
- ```{image} deploy_sre/guacamole_aad_app_registration_idtoken.png
- :alt: AAD app registration
- :align: center
- ```
-
-Details
-
- at {{file_folder}} `./deployment/secure_research_environment/setup`
-
-```powershell
-PS> ./Disable_Legacy_TLS.ps1 -shmId -sreId
-```
-
-- where `` is the {ref}`management environment ID ` for this SHM
-- where `` is the {ref}`secure research environment ID ` for this SRE
-
-```{tip}
-If additional TLS protocols become available (or existing ones are found to be insecure) during the lifetime of the SRE, then you can re-run `./Disable_Legacy_TLS.ps1` to update the list of accepted protocols
-```
-
-
-
-(deploy_sre_microsoft_rds_configure_cap_rap)=
-
-#### Configure RDS CAP and RAP settings
-
-
-Details
-
- at {{file_folder}} `./deployment/secure_research_environment/setup`
-
-```powershell
-PS> ./Configure_SRE_RDS_CAP_And_RAP.ps1 -shmId -sreId
-```
-
-- where `` is the {ref}`management environment ID ` for this SHM
-- where `` is the {ref}`secure research environment ID ` for this SRE
-
-
-
-(deploy_sre_microsoft_update_ssl_certificate)=
-
-#### Update SSL certificate
-
-
-Details
-
- at {{file_folder}} `./deployment/secure_research_environment/setup`
-
-```powershell
-PS> ./Update_SRE_RDS_SSL_Certificate.ps1 -shmId -sreId -emailAddress
-```
-
-- where `` is the {ref}`management environment ID ` for this SHM
-- where `` is the {ref}`secure research environment ID ` for this SRE
-- where `` is an email address that you want to be notified when certificates are close to expiry
-
-```{tip}
-`./Update_SRE_RDS_SSL_Certificate.ps1` should be run again whenever you want to update the certificate for this SRE.
-```
-
-```{caution}
-`Let's Encrypt` will only issue **5 certificates per week** for a particular host (e.g. `rdg-sre-sandbox.project.turingsafehaven.ac.uk`).
-To reduce the number of calls to `Let's Encrypt`, the signed certificates are stored in the Key Vault for easy redeployment.
-For production environments this should usually not be an issue.
-```
-
-````{important}
-If you find yourself frequently redeploying a test environment and hit the `Let's Encrypt` certificate limit, you can can use:
-
-```powershell
-> ./Update_SRE_RDS_SSL_Certificate.ps1 -dryRun $true
-```
-
-to use the `Let's Encrypt` staging server, which will issue certificates more frequently.
-These certificates will **not** be trusted by your browser, and so should not be used in production.
-````
-
-
-
-### {{bicyclist}} Verify non-privileged user account is set up
-
-```{include} snippets/06_01_create_user_account.partial.md
-:relative-images:
-```
-
-To complete the account setup, follow the instructions for password and MFA setup present in the {ref}`user guide `.
-
-### {{nut_and_bolt}} Test the Microsoft RDS remote desktop
-
-- Launch a local web browser on your **deployment machine** and go to `https://.` and log in with the user name and password you set up for the non-privileged user account.
- - For example for ` = project.turingsafehaven.ac.uk` and ` = sandbox` this would be `https://sandbox.project.turingsafehaven.ac.uk/`
-- You should see a screen like the following. If you do not, follow the **troubleshooting** instructions below.
-
- ```{image} deploy_sre/msrds_desktop.png
- :alt: Microsoft RDS desktop
- :align: center
- ```
-
-```{important}
-Ensure that you are connecting from one of the **permitted IP ranges** specified in the `inboundAccessFrom` section of the SRE config file.
-For example, if you have authorised a corporate VPN, check that you have correctly configured you client to connect to it.
-```
-
-```{note}
-Clicking on the apps will not work until the other servers have been deployed.
-```
-
-```{error}
-If you get a `404 resource not found` error when accessing the webclient URL, it is likely that the RDS webclient failed to install correctly.
-- Go back to the previous section and rerun the `C:\Installation\Deploy_RDS_Environment.ps1` script on the RDS gateway.
-- After doing this, follow the instructions to {ref}`configure RDS CAP and RAP settings ` and to {ref}`update the SSL certificate `.
-```
-
-```{error}
-If you get an `unexpected server authentication certificate error` , your browser has probably cached a previous certificate for this domain.
-- Do a [hard reload](https://www.getfilecloud.com/blog/2015/03/tech-tip-how-to-do-hard-refresh-in-browsers/) of the page (permanent fix)
-- OR open a new private / incognito browser window and visit the page.
-```
-
-```{error}
-If you can see an empty screen with `Work resources` but no app icons, your user has not been correctly added to the security group.
-- Ensure that the user you have logged in with is a member of the `SG Research Users` group on the domain controller
-```
-
-## 7. {{snowflake}} Deploy web applications (CoCalc, CodiMD and GitLab)
-
-```{include} snippets/07_deploy_webapps.partial.md
-:relative-images:
-```
-
-### {{microscope}} Test CoCalc, CodiMD and GitLab servers
-
-- Launch a local web browser on your **deployment machine** and go to `https://.` and log in with the user name and password you set up for the non-privileged user account.
- - for example for ` = project.turingsafehaven.ac.uk` and ` = sandbox` this would be `https://sandbox.project.turingsafehaven.ac.uk/`
-- Test `CoCalc` by clicking on the `CoCalc` app icon.
- - You should receive an MFA request to your phone or authentication app.
- - Once you have approved the sign in, you should see a Chrome window with the CoCalc login page.
- - You will get a warning about a `Potential Security Risk` related to a self-signed certificate. It is safe to trust this by selecting `Advanced > Accept the risk and continue`.
- - Create a new username and password and use this to log in.
-- Test `CodiMD` by clicking on the `CodiMD` app icon.
- - You should receive an MFA request to your phone or authentication app.
- - Once you have approved the sign in, you should see a Chrome window with the GitLab login page.
- - Log in with the short-form `username` of a user in the `SG Research Users` security group.
-- Test `GitLab` by clicking on the `GitLab` app icon.
- - You should receive an MFA request to your phone or authentication app.
- - Once you have approved the sign in, you should see a Chrome window with the GitLab login page.
- - Log in with the short-form `username` of a user in the `SG Research Users` security group.
-- If you do not get an MFA prompt or you cannot connect to one of the servers, follow the **troubleshooting** instructions below.
-
-```{error}
-If you can log in to the initial webclient authentication but do not get the MFA request, then the issue is likely that the configuration of the connection between the SHM NPS server and the RDS Gateway server is not correct.
-
-In order to diagnose whether this is an issue with the NPS settings or the MFA connection, run the diagnostic script on the NPS server at `C:\Installation\MFA_NPS_Troubleshooter.ps1` and follow the instructions there.
-
-If the "Checking if Azure MFA SPN exists" test fails, then run `C:\Installation\Ensure_MFA_SP_AAD.ps1` to restore it.
-```
-
-```{error}
-If running the previous script did not help to diagnose the issue then try the following:
-
-- Ensure that both the SHM NPS server and the RDS Gateway are running
-- Follow the instructions to {ref}`configure RDS CAP and RAP settings ` to reset the configuration of the RDS gateway and NPS VMs.
-- Ensure that the default UDP ports `1812`, `1813`, `1645` and `1646` are all open on the SHM NPS network security group (`NSG_SHM_SUBNET_IDENTITY`). [This documentation]() gives further details.
-```
-
-```{error}
-If this does not resolve the issue, trying checking the Windows event logs
-
-- Use `Event Viewer` on the SRE RDS Gateway (`Custom views > Server roles > Network Policy and Access Services`) to check whether the NPS server is contactable and whether it is discarding requests
-- Use `Event Viewer` on the SHM NPS server (`Custom views > Server roles > Network Policy and Access Services`) to check whether NPS requests are being received and whether the NPS server has an LDAP connection to the SHM DC.
- - Ensure that the requests are being received from the **private** IP address of the RDS Gateway and **not** its public one.
-- One common error on the NPS server is `A RADIUS message was received from the invalid RADIUS client IP address x.x.x.x` . [This help page]() might be useful.
- - This may indicate that the NPS server could not join the SHM domain. Try `ping DC1-SHM-` from the NPS server and if this does not resolve, try rebooting it.
-- Ensure that the `Windows Firewall` is set to `Domain Network` on both the SHM NPS server and the SRE RDS Gateway
-```
-
-```{error}
-If you get a `We couldn't connect to the gateway because of an error` message, it's likely that the `Remote RADIUS Server` authentication timeouts have not been set correctly.
-- Follow the instructions to {ref}`configure RDS CAP and RAP settings ` to reset the authentication timeouts on the RDS gateway.
-```
-
-```{error}
-If you get multiple MFA requests with no change in the `Opening ports` message, it may be that the shared RADIUS secret does not match on the SHM server and SRE RDS Gateway.
-- Follow the instructions to {ref}`configure RDS CAP and RAP settings ` to reset the secret on both the RDS gateway and NPS VMs.
-- Alternatively, this can happen if the NPS secret stored in the Key Vault is too long. We found that a 20 character secret caused problems but the (default) 12 character secret works.
-```
-
-```{error}
-Should there be any issues using the web apps (e.g. unable to log in, or log in page not appearing) you can inspect the build log and access the console for the relevant VMs following the guide for {ref}`System Managers `
-````
-
-## 8. {{baseball}} Deploy databases
-
-```{include} snippets/08_databases.partial.md
-:relative-images:
-```
-
-## 9. {{computer}} Deploy secure research desktops (SRDs)
-
-```{include} snippets/09_single_srd.partial.md
-:relative-images:
-```
-
-```{hint}
-If desired, you can also provide a VM size by passing the optional `-vmSize` parameter.
-```
-
-If you want to deploy several SRDs, simply repeat the above steps with a different IP address last octet.
-
-```{important}
-The initial shared `SRD Main` shared VM should be deployed with the last octet `160` as the dashboard is hard-coded to expect this.
-```
-
-## 10. {{lock}} Apply network configuration
-
-```{include} snippets/10_network_lockdown.partial.md
-:relative-images:
-```
-
-## 11. {{fire_engine}} Configure firewall
-
-```{include} snippets/11_configure_firewall.partial.md
-:relative-images:
-```
-
-## 12. {{chart_with_upwards_trend}} Configure logging
-
-```{include} snippets/12_configure_monitoring.partial.md
-:relative-images:
-```
-
-## 13. {{left_right_arrow}} Enable backup
-
-```{include} snippets/13_enable_backup.partial.md
-:relative-images:
-```
-
-## 14. {{fire}} Run smoke tests on SRD
-
-```{include} snippets/14_run_smoke_tests.partial.md
-:relative-images:
-```
diff --git a/docs/source/deployment/security_checklist.md b/docs/source/deployment/security_checklist.md
index f8dcc553c6..3895be133a 100644
--- a/docs/source/deployment/security_checklist.md
+++ b/docs/source/deployment/security_checklist.md
@@ -34,7 +34,7 @@ Some parts of the checklist are only relevant when there are multiple SREs attac
```{important}
- If you haven't already, you'll need download a VPN certificate and configure {ref}`VPN access ` for the SHM
-- Make sure you can use Remote Desktop to log in to the {ref}`domain controller (DC1) ` and the {ref}`network policy server (NPS) `.
+- Make sure you can use Remote Desktop to log in to the {ref}`domain controller (DC1) `.
```
The following users will be needed for this checklist
@@ -68,23 +68,13 @@ Attempt to login to the remote desktop web client as the **SRE standard user**
````{attention}
{{camera}} Verify that:
-
-{{pear}} **Guacamole**:
-user is prompted to setup MFA
+ user is prompted to setup MFA
```{image} security_checklist/login_no_mfa_guacamole.png
:alt: Guacamole MFA setup prompt
:align: center
```
-login works but apps cannot be viewed
-```{image} security_checklist/login_no_mfa_msrds.png
-:alt: Microsoft RDS dashboard with no apps
-:align: center
-```
user is prompted to setup MFA
```{image} security_checklist/login_no_mfa_guacamole.png
:alt: Guacamole MFA setup prompt
:align: center
```
-login works and apps can be viewed
-
-```{image} security_checklist/msrds_dashboard_with_apps.png
-:alt: Microsoft RDS dashboard with apps
-:align: center
-```
-attempting to login to SRD Main fails
-```{image} security_checklist/msrds_failed_to_connect.png
-:alt: Microsoft RDS failed to connect
-:align: center
-```
you are prompted for MFA and can respond
```{image} security_checklist/aad_mfa_approve_signin_request.png
:alt: AAD MFA approve sign-in request
:align: center
```
-you are prompted for MFA and can respond when attempting to log in to SRD Main (Desktop)
-
-```{image} security_checklist/aad_mfa_approve_signin_request.png
-:alt: AAD MFA approve sign-in request
-:align: center
-```
you can connect to Desktop: Ubuntu0
```{image} security_checklist/guacamole_srd_desktop.png
:alt: SRD desktop
:align: center
```
-you can connect to SRD Main (Desktop)
-```{image} security_checklist/msrds_srd_desktop.png
-:alt: SRD desktop
-:align: center
-```
you cannot access the website using curl
@@ -256,6 +209,7 @@ Check that the **SRE standard user** can access the Secure Research Desktop (SRD
:alt: SRD no curl
:align: center
```
+
you cannot look up the IP address for the website using nslookup
@@ -284,6 +238,7 @@ Check that users cannot connect from one SRE to another one in the same SHM, eve
:alt: SSH connection failure
:align: center
```
+