Windows Authentication fails with AWS Application ELB

While configuring an AWS Elastic Load Balancer for a customer I came across a strange issue related to Windows Authentication. When users went through an internal application load balancer configured with an HTTP listener, the target web server (IIS) constantly prompted for credentials and would not accept the correct ones, causing logon issues and even connections to other users’ sessions. After some investigation, I created a new network load balancer instead of the application load balancer used initially and it started working.

Windows Authentication with NTLM (which is also what Negotiate falls back to whenever a Kerberos ticket cannot be obtained) is connection-oriented: the challenge/response handshake authenticates the TCP connection itself, and IIS then treats every later request on that connection as coming from the user who authenticated it. An application load balancer is a Layer 7 proxy. It terminates the browser’s connection and forwards each request over its own pool of keep-alive connections to the target, reusing them across clients. Two things go wrong as a result. The legs of the handshake can be split across different backend connections, so IIS rejects the response to a challenge it never issued on that connection and keeps prompting, even for correct credentials. Worse, a request from one user can be forwarded over a backend connection that another user already authenticated, and IIS serves it in that other user’s identity; that is how people ended up in each other’s sessions, which is an access-control failure rather than a mere nuisance. A network load balancer works at Layer 4 and passes each client’s TCP connection through to the target unchanged, so the connection-level authentication state stays intact. This is also the guidance AWS gives for this symptom: connection-based authentication such as NTLM is not supported through an application load balancer, and a network load balancer (or a TCP listener) should be used instead. Kerberos tickets travel in each request rather than being bound to the connection, so Kerberos on its own can survive a Layer 7 proxy if the service principal name is registered for the load balancer’s host name, but because Negotiate silently falls back to NTLM the dependable fix for Windows Authentication is the Layer 4 load balancer.
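To make the mechanism concrete, here is a small Python model of the two forwarding behaviours. It is an added illustration written for this page, not AWS or Microsoft code and not the real NTLM wire format; the class names, the two users and the request sequences are invented for the model. The server keeps authentication state on the connection, the Layer 4 balancer gives each client its own backend connection for its whole life, and the Layer 7 balancer hands each request to whichever pooled backend connection comes up next.

```python
"""Model of connection-oriented (NTLM-style) authentication behind a Layer 4
pass-through balancer and a Layer 7 proxy that pools backend connections.
Added illustration for this page: not AWS or Microsoft code, not the real NTLM
message format; every name below is invented for the model."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class BackendConnection:
    """One TCP connection from the balancer to IIS; IIS keeps auth state on it."""
    conn_id: int
    pending: Optional[str] = None   # user whose Type 1 was seen; Type 3 expected next
    user: Optional[str] = None      # identity the connection is authenticated as


class ConnectionAuthServer:
    """IIS-like behaviour: the handshake authenticates the connection, and later
    requests on that connection inherit its identity."""

    def handle(self, conn: BackendConnection, user: str, msg: str) -> Tuple[int, Optional[str]]:
        if msg == "type1":                 # NEGOTIATE: server answers with a challenge
            conn.pending = user
            return 401, None
        if msg == "type3":                 # AUTHENTICATE: must answer the challenge issued on THIS connection
            if conn.pending != user:
                conn.pending = None
                return 401, None
            conn.user, conn.pending = user, None
            return 200, user
        if conn.user is None:              # plain GET on an unauthenticated connection
            return 401, None
        return 200, conn.user              # plain GET served in the connection's identity


class PassThroughL4:
    """NLB model: the client's TCP connection is forwarded as-is, so each client
    maps to exactly one backend connection."""
    def __init__(self) -> None:
        self.conns = {}

    def pick(self, client: str) -> BackendConnection:
        return self.conns.setdefault(client, BackendConnection(len(self.conns)))


class PooledL7:
    """ALB model: the client connection ends at the proxy; each request goes out
    over whichever keep-alive backend connection is next in the pool."""
    def __init__(self, pool_size: int) -> None:
        self.pool = [BackendConnection(i) for i in range(pool_size)]
        self.turn = 0

    def pick(self, client: str) -> BackendConnection:
        conn = self.pool[self.turn % len(self.pool)]
        self.turn += 1
        return conn


# Constructed traffic. A browser sends a plain GET, gets a 401, completes the
# Type 1 / Type 3 handshake, then keeps sending plain GETs on the same connection.
TRAFFIC_TWO_USERS = [
    ("alice", "GET"), ("alice", "type1"), ("alice", "type3"), ("alice", "GET"),
    ("bob", "GET"), ("bob", "GET"),        # bob has not authenticated yet
    ("alice", "GET"),
]
TRAFFIC_ONE_USER = [
    ("alice", "GET"), ("alice", "type1"), ("alice", "type3"),
    ("alice", "type1"), ("alice", "type3"),  # the browser retrying after a 401
]


def run(balancer, traffic) -> List[Tuple[str, str, int, Optional[str]]]:
    """Replay the traffic through one balancer; returns (client, msg, status, served_as)."""
    server = ConnectionAuthServer()
    return [(c, m) + server.handle(balancer.pick(c), c, m) for c, m in traffic]


def cross_user(results) -> List[Tuple[str, str]]:
    """Plain requests that were served in some other user's identity."""
    return [(c, served) for c, m, st, served in results if m == "GET" and served not in (None, c)]


def handshake_failures(results) -> List[str]:
    """Type 3 responses rejected even though the client answered correctly."""
    return [c for c, m, st, _ in results if m == "type3" and st != 200]


if __name__ == "__main__":
    print("L4 cross-user:", cross_user(run(PassThroughL4(), TRAFFIC_TWO_USERS)))
    print("L7 cross-user:", cross_user(run(PooledL7(1), TRAFFIC_TWO_USERS)))
    print("L4 handshake failures:", handshake_failures(run(PassThroughL4(), TRAFFIC_ONE_USER)))
    print("L7 handshake failures:", handshake_failures(run(PooledL7(2), TRAFFIC_ONE_USER)))
```

With a single shared backend connection, bob’s very first requests are answered in alice’s identity because the connection they ride on is already authenticated as her; with two pooled connections, alice’s Type 3 never lands on the connection that issued her challenge, so she is prompted forever. The pass-through balancer produces neither problem.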

WatchGuard Gotcha

I ran into a nasty gotcha today. For the past few years we’ve recommended, sold, installed and configured Juniper SRX firewalls. They’re extremely flexible and can be made to do just about anything but they have one major drawback: the web console sucks! It’s slow, clunky, unintuitive, constantly crashes and is obviously a bolt-on to the command line interface.

Anyway, we decided to start implementing some of the WatchGuard “T” series firewalls because they have a very slick web console that is almost the complete opposite of the SRX: fast, smooth, intuitive, and stable. The command line interface on the WatchGuards is pretty weak but that’s a topic for another post.

So back to my gotcha. I needed to provide external access to a phone system listening on TCP ports 8000-8002. I configured the SNAT and the firewall policy but when testing from an external location I could only telnet into port 8001. Huh?

Well, the first troubleshooting task is obvious: telnet to all three ports from a device inside the firewall. I did this and got a response from ports 8000 and 8001 but not 8002, so that explains why I couldn’t connect to 8002 from the outside. But what about port 8000?

I configured the firewall policy to send the traffic to a Windows server instead of the phone system, fired up my beloved Wireshark and tested telnetting into the three ports from the outside. Sure enough, ports 8001 and 8002 made it to the server but port 8000 did not. I changed the port range to 7900-8010, re-tested, and every port but 8000 made it through. Oy vey! Fortunately, a quick Google search on “watchGuard tcp 8000” revealed that by default WatchGuard blocks a number of ports that it deems particularly unsafe, and sure enough, TCP 8000 is one of them. Once I removed that entry from the “blocked ports” list everything worked perfectly. I hate when software tries to save you from yourself for exactly this reason but at least now I know and won’t get stung by this one again. One caveat: the blocked ports list is a global safety net, so once 8000 is taken off it, any policy that allows 8000 will pass it. Keep the SNAT policy for the phone system as narrow as possible (only the external sources that need it, to that one internal host) rather than relying on the list to catch a mistake.
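The troubleshooting in this post boils down to sweeping the same port range from inside and outside the firewall and comparing the two results, which separates ports the host itself is not listening on (8002 here) from ports the firewall is swallowing (8000). The script below does that. It is an added example written for this page, not WatchGuard tooling; the host name and range are command-line arguments, and the sample inside/outside results used to exercise the comparison are constructed to mirror the numbers in the post.

```python
"""Sweep a TCP port range and classify each port, so the same range can be
checked from inside and outside a firewall and the two results compared.
Added example for this page, not WatchGuard tooling; host, range and the
sample results are constructed."""
import socket
import sys
from concurrent.futures import ThreadPoolExecutor
from typing import Dict, Iterable, Tuple


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Classify one port: 'open' (handshake completed), 'closed' (RST came back),
    'filtered' (no answer at all, the classic sign of a firewall drop) or 'error'."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.settimeout(timeout)
    try:
        sock.connect((host, port))
        return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.timeout:
        return "filtered"
    except OSError:
        return "error"               # e.g. no route to host
    finally:
        sock.close()


def sweep(host: str, ports: Iterable[int], timeout: float = 2.0, workers: int = 32) -> Dict[int, str]:
    """Probe every port in parallel; returns {port: state}."""
    ports = list(ports)
    with ThreadPoolExecutor(max_workers=workers) as pool:
        states = list(pool.map(lambda p: probe(host, p, timeout), ports))
    return dict(zip(ports, states))


def diff(inside: Dict[int, str], outside: Dict[int, str]) -> Dict[int, Tuple[str, str]]:
    """Ports that answer from inside but not from outside: the firewall, the NAT
    rule or a blocked-ports list is in the way. Ports closed on the host itself
    (8002 in the post) are left out, because the firewall is not the cause there."""
    return {p: (inside[p], outside.get(p, "untested"))
            for p in inside if inside[p] == "open" and outside.get(p) != "open"}


def demo() -> Tuple[str, str]:
    """Offline self-check on loopback: the state seen for one listening port and
    for one port that was bound and released, so nothing listens on it."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(5)
    open_port = listener.getsockname()[1]
    spare = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                    # nothing listens here now, so connect() gets a RST
    try:
        states = sweep("127.0.0.1", [open_port, closed_port], timeout=1.0)
        return states[open_port], states[closed_port]
    finally:
        listener.close()


if __name__ == "__main__":
    # usage: python sweep.py <host> <first_port> <last_port>
    host, lo, hi = sys.argv[1], int(sys.argv[2]), int(sys.argv[3])
    for port, state in sorted(sweep(host, range(lo, hi + 1)).items()):
        print(f"{port:5d}  {state}")
```

Run it once from a machine inside the firewall against the phone system’s internal address and once from outside against the public address, then feed the two result dictionaries to `diff()`; for the numbers in this post that yields only port 8000, with 8002 correctly excluded because the phone system itself was not listening there.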

Why should your business use “the cloud”? Well, why do you work in an office?

Here at Netblaze, we’ve helped many businesses move to the cloud in one way or another. Sometimes we see they’re doing something that could be accomplished much better (and cheaper) in the cloud; sometimes a client already knows the cloud service they want and asks us to help set it up; sometimes they come to us with a problem and ask if this cloud thingamajig might solve it.

Sometimes when talking with clients, I can hear some hesitation on the other side when the word “cloud” comes up, and I can almost hear in that hesitation: Um, I know “the cloud” is apparently the hottest thing since sliced bread, but what the heck is it really? I’m not going to ask

That’s a totally understandable reaction, because even among techies, the concept of “the cloud” is as shapeless and foggy as, well, a cloud.

Putting aside all the technical terminology, for businesses, we can boil the cloud down to this:

“The cloud” is made up of all the places on the Internet, that you don’t own, that can take care of your data for you.

Simple, isn’t it? Maybe a little too simple, in fact, because many businesspeople will immediately ask, “Why would I put my data in a place I don’t own? That’s not safe, is it?”

So let me propose another way of thinking about it:

Using “the cloud” is like renting office space for your data.

Here’s what I mean. When you own a business and need a place for your employees, you could buy an office building, move everyone in, and then maintain it: pay the taxes and insurance, clean the restrooms and replace the lights, fix the roof when it leaks, and remodel as your business grows.

Or, like so many other businesses, you could lease office space. For a monthly fee, you can rent as much square footage as your business needs, and leave all the maintenance to the experts.

Similarly, your business needs a place for all its data (your email, your spreadsheets and presentations, your business applications and databases, web sites, etc). You could buy servers for a hefty up-front fee, maintain them, and replace them as they wear out and your business grows. Or you can put your data in the cloud, paying a steady monthly fee for just the computing space and power that you need.

So the cloud’s advantages are very similar to renting an office. Here are a few:

· Predictable costs: Instead of paying a lot of capital up-front for your servers, followed by unknown costs in future years when they need to be replaced, you’re paying a much smaller monthly or annual fee – the kind of utility cost that looks good on the books.

· Easy expansion: When you need more space, instead of hustling to buy new servers and disks, you just let your cloud provider know. Most services charge a small fee per user, per gigabyte of storage and/or per unit of computing power, which makes the cost of more resources easy to absorb.

· Fewer technical headaches: When you don’t own the server, you don’t have to worry about a dead hard disk or power supply, or for that matter, keeping your server in a closet with air conditioning. You (and your IT staff) can concentrate on the needs of your business rather than routine maintenance work.

· Fewer regulatory headaches: Most cloud companies are keenly aware that their customers need to comply with data privacy rules such as HIPAA and PCI – so they design their services with that security in mind, just like commercial property owners keep up with ADA and local building codes. Keep in mind that compliance is shared, though: the provider’s certifications cover its data centers and platform, while how you configure access, which regulated data you put where and, for HIPAA, the business associate agreement you sign with the provider remain your responsibility.

One very practical difference between the cloud and real office space is that the cloud mostly exists in the virtual space of the internet, which is practically infinite; and it runs on hardware that is constantly improving and getting cheaper for cloud companies to buy. And the fact that the internet makes it easy to move data from place to place – especially in the cloud – means that there’s a lot of healthy competition out there. So while leasing office space can get more expensive with the price of real estate, cloud services have stayed at the same price or even dropped over time. At this point, prices have come down so much that we rarely recommend servers for our clients anymore – we can almost always find a better cloud solution.

Thinking about the cloud as your data’s “office space” can help illuminate the practical advantages of putting your data there. We at Netblaze can help you find the best fit for your needs, and we’re experts at setting it up as intuitively as possible, so your business can flourish without worrying about the technical details. Email or call us to get started!