Monthly Archives: March 2017

Avoid Cisco Meraki for S2S VPN with Azure

Just got off a phone call with some engineers at Microsoft who informed me that both Cisco and Microsoft have mutually agreed that using a Cisco Meraki firewall is not recommended for creating site to site (S2S) VPN tunnels to Microsoft Azure.

The issue is the Phase 1 IKE Timeout value that the Meraki uses is not supported.

This was rumored to be fixed in late 2016, and then later in a firmware update in February 2017, but as of yet, we have not seen it yet.

If anyone has updated information on this please post it in the comments as I have a few clients running the Meraki’s.

Thanks,

Joe

Error 1603 when Installing Skype for Business Server 2015

[Updated 3/25/2017]

During the installation of Skype for Business 2017 you may run into errors if you select ‘Connect to the internet to check for updates’ and you also change the default installation location to something other than the C:\ drive. There is a potential third variable that might be required to run into problems as well: If you do not initially deploy conferencing during the front end pool wizard in topology builder. (Additional testing would need to be done to further isolate it from here).

The error that you may run into actually happens later, during the server component installation, and it is:

failure code 1603
Error returned while installing OcsMcu.msi, code 1603. Error Message: A fatal error occurred during installation”

The solution was to uninstall just the Skype components from control panel and then re-run setup. Only took 10 minutes so wasn’t too big of a deal. But now we must remember to manually apply the latest cumulative updates after the installation completes =)

The Uninstall order (for what it is worth) is the following:

(First uninstall XMPP then proceed with uninstalling the core components last). It is not necessary to remove all the language packs and local SQL instances (at least in my case it wasn’t).

At this point you will be able to successfully complete the full installation of Skype for Business. But you are not out of the woods yet! Because when you attempt to apply the latest cumulative update (in my case it was February 2017) then you will have that same Error 1603 on the Conferencing Service (OCSMCU.msi). When digging into the log files it appears that it is trying to find some files on the C:\ drive despite that during the installation, we selected a custom install path to the E:\ drive. 

The solution for me was to uninstall again a 2nd time, and this time I updated the Topology builder to include all of the AV Conferencing Options.

So my recommendation is to deploy to the C:\ Drive (just make it a large drive like 250GB) and to initially deploy all of the conferencing features to avoid these issues.

Reference: https://social.technet.microsoft.com/Forums/ie/en-US/42e284fb-ae07-424c-9ed3-07b6a85748da/skype-for-business-server-components-install-fails-when-patching-ocsmcumsi?forum=sfbfr

Windows Information Protection

Windows Information Protection is a feature of Windows 10 Anniversary Update that helps protect corporation information by encrypting data using the Encrypted File System.

This is not to be confused with Azure Information Protection (which was rebranded from Azure Rights Management Services RMS).

How WIP works

Enterprise data is automatically encrypted after it’s downloaded to a device from SharePoint, a network share, or an enterprise web location, while using a WIP-protected device or if an employee marks the data as corporate. Then, when the enterprise data is written to disk, WIP uses the Windows-provided Encrypting File System (EFS) to protect it and associate it with your enterprise identity.

A WIP Policy includes a list of applications that are allowed to access corporate data. This list of apps is implemented through AppLocker functionality.

Requirements

Requires Intune or SCCM Policy

Devices requires Windows 10 Anniversary Update or devices that are enrolled with Intune or a supported 3rd party MDM (I was unable to find a list of supported 3rd party MDMs).

Limitations

  • Files encrypted with WIP cannot be shared externally. Each user would need the ability to disable WIP on a particular file and then re-encrypt the file using a separate technology such as Azure Information Protection.
  • All clients in your environment must be running Windows 10 Anniversary update or a mobile device managed by Intune or supported 3rd party MDM. For example, a Mac OSX machine that downloads data from SharePoint, a file share, or wherever, is not going to be protected by WIP and therefore that employee can bypass WIP and leak sensitive information. Think of WIP as a client side solution that is only truly effective when all client systems fit the mold.
  • WIP is not compatible with Direct Access. The workaround is to replace DirectAccess with Windows 10 Always-ON VPN for client access to Intranet instead.*
  • WIP is not compatible with Network Isolation (IPSEC feature).
  • Cortana must be disabled otherwise Cortana can leak encrypted information*
  • WIP is not compatible with shared workstations.* One user per device.
  • Marriage/Separation name changes can disrupt WIP. Workaround: Disable WIP before changing someone’s first or last name.* This is pretty time intensive as it requires decrypting all files that were protected by WIP.
  • Internet Explorer 11 with webpages using ActiveX controls can cause data leakage. Work-around is to use Microsoft Edge browser. Issue is that not all websites are compatible with Edge.*
  • There are only 11 applications that are considered WIP “Enlightened Apps” (see list below). All other apps will force encryption on all data saved, which cannot be shared externally unless the user manually removes the encryption and re-encrypts with AIP.

*https://technet.microsoft.com/en-us/itpro/windows/keep-secure/limitations-with-wip
References

Original Announcement from 6/29/2016

https://blogs.technet.microsoft.com/windowsitpro/2016/06/29/introducing-windows-information-protection/

Official Documentation for WIP

https://technet.microsoft.com/en-us/itpro/windows/keep-secure/protect-enterprise-data-using-wip

WIP “Enlightened Apps”

  • Microsoft Edge
  • Internet Explorer 11
  • Microsoft People
  • Mobile Office apps, including Word, Excel, PowerPoint, OneNote, and Outlook Mail and Calendar
  • Microsoft Photos
  • Groove Music
  • Notepad
  • Microsoft Paint
  • Microsoft Movies & TV
  • Microsoft Messaging
  • Microsoft Remote Desktop

*These apps allow you to save things as personal (unencrypted). All other applications not listed will encrypt everything 100% with EFS encryption.

Patriot Guidance

Use Azure Information Protection and Avoid WIP unless you have a regulatory reason that justifies the effort to deploy WIP because of its restrictive encryption policy and only 11 apps allow the user to save things without encryption. One look at the implementation page (here) below shows how difficult an implementation would be, and more so to maintain.