
First of all I would like to say that I'm not a sysadmin or network admin... I'm a dev. That being said, let's get to the question.

I'm conducting some tests (say a study) to see if the Azure platform will be useful and fit our requirements. The problem is that our TMG keeps blocking everything (SQL Azure, Remote Desktop, etc.), and since we have to ask our network admin to keep opening exceptions for the database addresses and other services, PLUS the fact that we're opening new servers every day, PLUS the fact that the guy is a total douche, I was wondering if there's some kind of "One to Rule Them All" TMG rule that would allow access to all of the Azure services...

something like "Allow Everything From/To *.microsoft.net"

The kind of answer I'm looking for is something I can present to my network admin that he would just implement... Thanks all!

Leonardo

2 Answers

Standard speech for users in this situation: unfortunately, TMG doesn't block this sort of access with the default Web Access rules that come with the product. Your administrator is blocking more than the default configuration. It is therefore your network's policy to block those sites, and anything we could help you with would be violating your networking policy.

That said, your exact request, allow everything to *.microsoft.[com|net], can be done, and should be trivial for an administrator who knows how to configure TMG. If they deny this request then you'd either have to take it over their head (which tends to be frowned on by most company politics) or live with the crappy situation. If you're thinking about going over his/her head on this one, definitely back it up with an argument based on the time wasted on such requests (salaries/pay, lost productivity, etc.).

Chris S
  • OK, thanks! Only one quick question: what do you mean by "TMG doesn't block this sort of access with the default Web Access rules"... how does it work then? (I think that presenting this in my argument would benefit me...) – Leonardo Jan 23 '13 at 18:40
  • The default "Web Access" rule allows all users of the "Internal" network to access HTTP (any port) and HTTPS (port 443 only) on the "External" network. There is also a set of default "Blocked Web Destinations" which includes some normal unsavory stuff like websites identified as Criminal Activities, Gambling, Illegal Drugs, etc. Any additional restrictions on web access would have to be specifically added to TMG. Outbound connections on other protocols would have to be added specifically, but the admin could also say "Any" protocol to "microsoft.[net|com]" is allowed... Or just allow all access – Chris S Jan 23 '13 at 18:50

Even if it is not the best approach (in my point of view your network admin is too focused on old methods of securing a network perimeter), you can ask your network admin to allow all traffic to the Microsoft datacenter IP addresses.

The Microsoft Azure datacenter IP ranges are well documented in an XML file available for download here: http://www.microsoft.com/en-us/download/details.aspx?id=41653

You can also create a rule with Microsoft domain names, but that will also be difficult to manage (and Microsoft doesn't provide a full and updated list, as far as I know):

*.core.windows.net -> Azure Storage
*.cloudapp.net -> Cloud Service, VM
*.msapproxy.net -> Azure AD Application Proxy
*.trafficmanager.net -> Azure CDN
*.microsoftonline.com -> Azure AD login
*.windowsazure.com -> Azure classic portal
*.azure.com -> Azure new portal and many other things

Regards
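The two approaches in the answer above (an IP-range allow list built from the downloadable XML, and a wildcard domain list) are the kind of thing a dev can prepare for the admin in advance. The following is an added example, not code from the answer or from Microsoft: it assumes the XML has one `<Region Name="...">` element per datacenter containing `<IpRange Subnet="a.b.c.d/n"/>` children (an assumption about the file layout; verify against the real download), and the sample document embedded in it uses RFC 5737 documentation subnets, not real Azure addresses. It parses the file, collapses adjacent subnets into the minimal list an admin can paste into one address set, answers "is this blocked destination an Azure address, and in which region?" for a given IP, and shows how the `*.domain` patterns should be matched so that `evilcore.windows.net` does not slip through a naive suffix check.

```python
import ipaddress
import xml.etree.ElementTree as ET
from fnmatch import fnmatchcase

# Constructed sample in the assumed shape of the PublicIPs.xml download:
# one <Region Name="..."> per datacenter, each holding <IpRange Subnet="a.b.c.d/n"/>.
# The subnets are RFC 5737 documentation ranges, not real Azure addresses.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<AzurePublicIpAddresses>
  <Region Name="europewest">
    <IpRange Subnet="198.51.100.0/25" />
    <IpRange Subnet="198.51.100.128/25" />
  </Region>
  <Region Name="useast">
    <IpRange Subnet="192.0.2.0/24" />
    <IpRange Subnet="203.0.113.0/24" />
  </Region>
</AzurePublicIpAddresses>
"""

# The domain patterns listed in the answer above, as a firewall domain set would hold them.
AZURE_DOMAIN_PATTERNS = [
    "*.core.windows.net",
    "*.cloudapp.net",
    "*.msapproxy.net",
    "*.trafficmanager.net",
    "*.microsoftonline.com",
    "*.windowsazure.com",
    "*.azure.com",
]


def parse_azure_ranges(xml_text):
    """Return {region_name: [ip_network, ...]} parsed from the XML text."""
    root = ET.fromstring(xml_text)
    ranges = {}
    for region in root.iter("Region"):
        nets = [ipaddress.ip_network(r.get("Subnet")) for r in region.iter("IpRange")]
        ranges[region.get("Name")] = nets
    return ranges


def find_region(ranges, address):
    """Return (region, subnet) containing `address`, or None if it is not in any range.

    Useful for checking a destination the proxy logged as blocked before asking
    for an exception."""
    addr = ipaddress.ip_address(address)
    for region, nets in ranges.items():
        for net in nets:
            if addr in net:
                return region, str(net)
    return None


def summarize_ranges(ranges):
    """Collapse every region's subnets into the minimal sorted set of networks
    (two adjacent /25s become one /24), ready to paste into a single address set."""
    all_nets = [net for nets in ranges.values() for net in nets]
    return [str(net) for net in ipaddress.collapse_addresses(all_nets)]


def host_matches_patterns(hostname, patterns):
    """Case-insensitive wildcard match on the whole host name.

    '*.core.windows.net' matches 'acct.blob.core.windows.net' but not
    'evilcore.windows.net', which a plain endswith('core.windows.net') would allow."""
    host = hostname.lower().rstrip(".")
    return any(fnmatchcase(host, pattern.lower()) for pattern in patterns)


if __name__ == "__main__":
    ranges = parse_azure_ranges(SAMPLE_XML)
    print("collapsed ranges:", summarize_ranges(ranges))
    for ip in ("198.51.100.200", "10.0.0.1"):
        print(ip, "->", find_region(ranges, ip))
    for host in ("acct.blob.core.windows.net", "evilcore.windows.net"):
        print(host, "->", host_matches_patterns(host, AZURE_DOMAIN_PATTERNS))
```

Run it against the real download by replacing `SAMPLE_XML` with the file contents; the collapsed list is what you hand to the admin, and the region lookup is the evidence to attach when a newly created server is blocked. The wildcard check is the caveat to raise if the domain route is chosen: the pattern must be anchored to the dot, otherwise any attacker-registered name ending in `core.windows.net` would match the allow rule.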