Microsoft Azure Installation.

Deploy NetConnect in your Azure environment following our easy instructions below.

ORDER. INSTALL. CONFIGURE. GO.

The NetConnect application on Microsoft Azure allows you to deploy simply and very quickly a full NetConnect server. The NetConnect deployment available on the Azure marketplace is pre-installed, allowing you to dive into configuration and be ready for your first connection within 15 minutes.

Installing NetConnect will install a separate virtual machine within your Microsoft Azure deployment. This machine will serve as a gateway between your secure resources hosted within Microsoft Azure, and your users trying to access resources from the Internet, via any device.

The following outlines the primary steps required to build a fully functional environment, synchronised with your Azure Active Directory deployment, and publish a simple remote desktop server. It is assumed you already have a server running on Microsoft Azure, ready to accept remote desktop connections (even for testing purposes).

Additional configuration is of course possible to increase the number of features deployed, such as publishing legacy applications, intranets, and linux servers, setting up a VPN, multi-factor authentication, etc.

Experiencing issues? Our support team is available at all times via customersupport@northbridgesecure.com.
Our sales team is also available to assist at sales@northbridgesecure.com.

Phase 1 Order and Installation

configure basic machine settings

Fill in information as required:

Name: Enter a name as required, for example ‘NetConnect’
VM disk type: HDD
Username: Enter a username as required. Please note, the username will only be required in a very limited number of scenarios and will not be used in day to day activities.
Authentication type: Password
Subscription: Select as required.
Resource Group: Select as required.
Location: Select as required.

Click “OK” to continue.

choose virtual machine size

We recommend using the A2 Standard Configuration for evaluation purposes. The A2 Standard will sustain up to 50 concurrent users under normal activity, however this can be increased to meet requirements.

Click “Select” to continue.

configure optional features

Disk Type:                           HDD
Use Managed disks:       No
Network Settings:           Configure as required. Ensure you select the same network as the server(s) which you wish to provide access to.
Extensions:                        No Extensions
High Availability:             None
Monitoring:                       Select as required.
Diag Storage Account:   Select as required.

Click “OK” to continue.

Summary page

Confirm all values are correct and click “OK

Azure purchase screen

Note: this only confirms the purchase of the Virtual Machine and does not include the NetConnect licences. NetConnect licences can be purchased from NorthbridgeSecure partners all over the world.

More information is available on pricing at https://netconnect.co/pricing

Tick the box “I give Microsoft….”, and click “Purchase”.

You server will be provisioned in under a minute.

Congratulations, you have installed your server! Now all you need to do is configure your first connection.

Phase 2 Basic Configuration

netconnect log in page

Your NetConnect server is now available from any browser by connecting to the public IP Address provided by Microsoft.

https://xxx.xxx.xxx.xxx

At this stage your NetConnect server will not have an SSL certificate installed, so you will see a security warning (the exact format of this warning will vary based on your browser) – please proceed past the warning to connect the server to reach the NetConnect logon page.

You can connect using the default admin username and passwords:
Username: admin
Password: adminv8
V-Realm: Local

It is strongly recommended that all default passwords are changed and recorded securely  upon your first connection.

admin access via the webtop

Once logged in, NetConnect will present you with the admin account WebTop. This is the space where users will access their assigned applications once NetConnect configuration is complete.

Click on “Admin” application to get access to the administration portal.

changing the admin password

From the Administrator Site, navigate to Authentication Settings > Datastores > Internal Auth Stores

  • Select Admins and then click Get User List as shown.
  • Select the admin account for which you want to change the password and then click Edit Properties.
  • Enter a new password in the New Password field and then type the identical password in the New Password Confirm field.
  • Once you have changed the password, log out and then log in again using the new password.

Ensure you record the new password in a secure location. If the password is lost, there is no facility to recover.

publishing a server desktop part one
publishing a server desktop part two
  • Navigate to Applications > Configuration on the Admin portal.
  • Select Create New Application.

From the Create New Application page:

  • Enter ‘Desktop’ as the application name in the Application Name field.
  • Select Remote Application from the Application Protocol drop-down menu
  • Click Submit.

From the General Properties page:

  • Enter the hostname or IP address of the server you wish to publish in the Full Address field.
  • Ensure HTML5 Client is turned to On
  • Leave all other settings as default and click Modify to complete creating the application.

The new ‘Desktop’ application has now been created and is available to be assigned to users.

assigning applications

Navigate to Applications > Configuration within the Admin portal.

  • Select the application created in the previous step and click on Authorized Users.

From the Users Associated with Desktop page:

  • Highlight Local\Admin within the Non-Member column, then click on the arrow pointing towards the ‘Members’ column. Note, changes to the Members and Non Members columns are saved automatically.

Finally, close the Admin tab log out of NetConnect from the WebTop. The next time you log in you will see the new Desktop application on the WebTop. Click on this and you’ll launch your very first NetConnect session.

Congratulations, you have just finished your first installation of NetConnect!

The form may take a while to submit, please be patient.

In order to access NetConnect for testing with non-admin accounts, you will require a trial licence. Simply complete the form to the right to request a licence and our team will email a licence along with instructions on how to apply the licence. In the meantime, you’re free to continue exploring the configuration options within NetConnect using your Admin account. Don’t forget to check our Configuration Guide for more detail in the options available, we’ll also cover some Azure-specific options below.

*Your MAC address can be located by navigate to System Configuration > Network > General within the Admin portal. Copy the MAC address listed under ETH0 Interface.

Secure

NetConnect can be configured for external access tvia a sub-domain of your choice (for example, netconnect.yourdomain.com). It is strongly recommended that an SSL Certificate is applied to your NetConnect instance in order to ensure connections to your network are securely encrypted. Detailed instruction on requesting and applying a certificate can be found with the NetConnect Configuration Guide, however as an overview you will need to:

  • Generate a CSR from within the NetConnect Admin Portal.
  • Submit the CSR to the certificate provider of your choice.
  • Once your certificate provider has issued your certificate, simply apply it to the NetConnect system along with any required Root or Intermediate certificates.

Note, you will need to make the appropriate updates to your DNS to ensure your chosen sub-domain resolves to your Public IP address.

Phase 3 Detailed Configuration - Azure AD

The following section describes how to integrate NetConnect with Azure Active Directory. NetConnect can integrate with Azure Active Directory to simplify authentication and access for specific users/accounts. In order to integrate, Azure Active Directory Domain Services must be enabled on your Microsoft Azure environment https://azure.microsoft.com/en-au/services/active-directory-ds/.

If you do not wish to integrate NetConnect with Azure AD you can skip past this section. Please note, if you plan to integrate with Azure MFA, you do not need to follow the steps listed in this section.

NetConnect authentication is built around the concept of V-Realms, which allow for advanced authentication management. V-Realms simplify the provisioning of authentication and entitlements, which can include employees, partners and affiliated authorised users (such as physicians affiliated with a hospital). A user’s association with a V-Realm determines the user’s method of authentication, and also determines the authentication server(s) against which a user’s credentials are validated.

Authentication stages are defined within a V-Realm and are used to indicate the type of authentication server that validates a user’s login credentials. Each defined authentication stage has two components, an authentication section and a policy section. The authentication section is required for any given stage. However, the policy definition is optional. Configuring policy enables retrieval of group membership information about users from external authentication servers when they log in.

Pre–Requisites
1. Sound understanding of, and experience with the Microsoft Azure platform.
2. An understanding of the following areas in the context of Microsoft Azure:

  • Virtualized environments.
  • Virtual machines.
  • Networking fundamentals.

3. Admin access to a deployed instance of NetConnect on Microsoft Azure.
4. At least one application configured within NetConnect.
5. An Azure environment with Azure Active Directory Domain Service enabled.
6. A sound understanding of Microsoft Azure Active Directory Domain Services.

  • https://azure.microsoft.com/en-au/services/active-directory-ds/

7. The IP address of your Azure AD.

  • This can be found within the Active Directory section of your Azure Portal; the IP address is located within the ‘Configure’ page of your directory. See http://docs.microsoft.com/en-au/azure/active-directory-domain-services/active-directory-ds-getting-started-enableaadds for details.
authorising access step one
authorising access step two

Once your V-Realm has been created and configured, applications can be assigned. Authorised applications appear on users’ WebTop when they log in. Application access can be granted to individual users, a group of users or by V-Realm.

  • Navigate to Applications > Configuration. The Applications page opens.
  • Select the name of the application that you wish to assign users to.
  • Click one of the following options from the Actions menu.
    • Authorised Users: Assign application access to individual users. Note, the user must have logged into NetConnect prior to appearing.
    • Authorised Groups: Assign application access to groups of users. Note, a user from this group must have logged into NetConnect prior to a group appearing.
    • Authorised V-Realms: Assign application access to users of a particular V-Realm.
  • Choose the user/group/V-Realm you want to grant access to this application from the Non-Members column, and then click the arrow to move them to the Members column.

Changes are saved automatically. Next time a user logs in to NetConnect, the assigned application will be available on their webtop.

Add Role 1
ADAC2

When creating an LDAP authentication stage, you will need to enter a Bind DN as part of the configuration steps. The Bind DN contains informatio unique to your Azure AD which is used to create the authentication link between Active Directory and NetConnect. It is recommended a single, specific user is created within your Azure AD for this purpose. In order to locate the Bind DN from Azure Active Directory a specific server feature must first be added to a server joined to your domain.

    1. From your Azure Portal, create a new user within your Active Directory. We recommend you use a name that clearly specifies this users purpose, for example NetConnectBind. Please note NetConnect will need to be updated if this users password is changed or expires, you may wish to consider removing any password expiration policies from this specific account.
    2. Add the ‘NetConnectBind’ user to the AAD DC Administrators group. This group would have been created when you initial configured Azure Active Directory Domain Services, see https://azure.microsoft.com/en-au/services/active-directory-ds/ for more information.
    3. From a server joined to your Azure domain, navigate to the Add Roles and Features Wizard within your chosen server Server Manager console.
    4. Locate the Remote Server Administration Tools feature and install using the default settings. Once the remote server administration tool feature is installed, you will have access to the Active Directory Administrative Centre.
    5. Navigate to the Active Directory Administrative Centre and select on AADDC Users.
    6. Right click on the NetConnectBind user and select Properties. Click
      Extensions from the right hand side and then select the Attribute Editor
    7. Scroll Down to the distingushedName attribute and double click to open. The value represents the Bind DN for your Azure AD and will be required when configuring the NetConnect authentication stage.Locate the Remote Server Administration Tools feature and install using the default settings. Once the remote server administration tool feature is installed, you will have access to the Active Directory Administrative Centre.
add v-realm
LDAP2

This section describes the steps required to create a V-Realm and an LDAP Authentication Stage.

  • Log in to NetConnect with the administrator account.
  • From the Administrator Site, click Authentication Settings.
  • Click V-Realm Management. The Authentication Settings page opens.
    • Note once you have created your V-Realm, you use the arrows buttons to change the order that V-Realms appear on the log on page.
  • Click Add Realm as shown
  • Enter a name to identify the authentication V-Realm and click Submit.
  • Select LDAP from the Stage Type drop down list box located under Create New Authentication Stage.
  • Click Submit.

You will be presented with the Authentication Stage properties page. The basic settings that are required for configuring NetConnect to authenticate users against an external LDAP server can be seen below.

  • Authentication Scope: This field is used to enable Single Sign-On (SSO)/Password Forwarding.
    Enter a unique name of your choice for the Authentication Scope; for example SSO-01. This name will be referenced when configuring SSO for an Application.
  • Domain: Enter the domain which the Azure Active Directory is joined to.
  • Username Template: Leave as Default (%USERNAME%)
  • Method: Select LDAP
  • Host: Enter the IP address of your Azure AD. Your IP address can be found within the Active Directory section of your Azure Portal, the IP address is located within the ‘Configure’ page of your directory. See https://docs.microsoft.com/en-au/azure/active-directory-domain-services/active-directory-ds-getting-started-enableaadds for details.
  • Port: Enter 3389.
  • LDAP Version: Select LDAPv3
  • Bind DN: Enter the distinguished name (DN) of a client authorised to search within the LDAP server, as located earlier in this document. For example CN=NetConnectBind,OU=AADDC Users,DC=nsstestingmfa,DC=onmicrosoft,DC=com
  • Bind Password: Enter the password of the account created for Bind DN. Please note, this field will need to be updated if the Bind account is changed or expires.
  • Base DN: Specify the point in the directory hierarchy where a search begins. Enter the base DN (or base Object) from which you want to search. For example DC=nsstestingmfa,DC=onmicrosoft,DC=com
  • Login Attribute: Enter sAMAccountName.
  • Click Submit.

Once completed, users from your Azure Active Directory will be able to log into your NetConnect instance.

Phase 3 Detailed Configuration - Azure MFA

NetConnect can be configured to integrate with Azure Multi-Factor Authentication service in order to provide an additional layer of security to your infrastructure. Utilising the Azure Multi-Factor Authentication Server as a RADIUS server, users must respond to an automated phone call or text message from Microsoft in order to access NetConnect. The following steps assume you have an existing Azure MFA instance, configured with directory integration on a domain joined Active Directory or Azure Active Directory.

If you do not wish to integrate with Azure MFA, you can skip past this section.

NetConnect can be configured to allow user authentication in a number of ways. Authentication is built around the concept of V-Realms, which allow for advanced authentication management. V-Realms simplify the provisioning of authentication and entitlements, which can include employees, partners and affiliated authorised users (such as physicians affiliated with a hospital). A user’s association with a V-Realm determines the user’s method of authentication, and also determines the authentication server(s) against which a user’s credentials are validated.

Authentication stages are defined within a V-Realm and are used to indicate the type of authentication server that validates a user’s login credentials. Each defined authentication stage has two components, an authentication section and a policy section. The authentication section is required for any given stage. However, the policy definition is optional. Configuring policy enables retrieval of group membership information about users from external authentication servers when they log in.
Pre–Requisites
1. Sound understanding of, and experience with the Microsoft Azure platform.
2. An understanding of the following areas in the context of Microsoft Azure:

  • Virtualized environments.
  • Virtual machines.
  • Networking fundamentals.

3. Admin access to a deployed instance of NetConnect on Microsoft Azure.
4. At least one application configured within NetConnect.
5. An Azure environment configured with Azure MFA, with directory integration on a domain joined Active Directory or Azure Active Directory.
6. A sound understanding of Azure MFA.

  • https://azure.microsoft.com/en-au/services/multi-factor-authentication/
multifactorauthentication1
multifactorauthentication2
  1. Navigate to the Radius Authentication section within the MFA server. Ensure Enable RADIUS authentication is ticked. Within the Clients tab, click Add.
  2. Enter the following details
  • IP Address: Internal IP address of the NetConnect VM
  • Application Name: NetConnect
  • Shared Secret: Enter a shared secret of your choice.
  • Confirm Share Secret: Re-enter Shared Secret.
  • Multi-Factor Authentication user match: Ensure this box is ticked.
  • Click “OK“.

3. Within the Target tab, ensure ‘Windows Domain’ is selected.

locating RADIUS IP

As part of the configuration steps, you will be required to enter the IP address of your Azure MFA server. This can be located within your Azure Portal by navigating to the IP address section of the virtual machine where your Azure Multi-Factor Authentication Server is installed.

add v-realm
RADIUS1

This section describes the steps required to create a V-Realm and an RADIUS Authentication Stage.

  • Log in to NetConnect with the local admin account.
  • From the Administrator Site, click Authentication Settings.
  • Click V-Realm Management. The Authentication Settings page opens.
    • Note once you have created your V-Realm, you use the arrows buttons to change the order that V-Realms appear on the log on page.
  • Click Add V-Realm as shown
  • Enter a name to identify the authentication V-Realm and click Submit.
  • Choose RADIUS from the Stage Type drop down list box located under Create New Authentication Stage.
  • Click Submit

The Authentication Stage properties page opens.

  • Authentication Scope: This field is used to enable Single Sign-On (SSO)/Password Forwarding.
    Enter a unique name of your choice for the Authentication Scope; for example SSO-01. This name will be referenced when configuring SSO for an Application.
  • Domain: Enter the domain which the Azure MFA server is joined to.
  • Username Template: Leave as Default (%USERNAME%)
  • Primary RADIUS Server IP: IP address of the server with Azure MFA installed.
  • Primary RADIUS Secret: Enter the Shared Secret configured for NetConnect within the MFA server. The RADIUS Secret is case-sensitive and must match the RADIUS server secret exactly.
  • Primary RADIUS Port: 1812.
  • Click Submit

Once you have completed the above steps you will be able to access NetConnect using an account from the configured domain, with a second authentication stage via Azure MFA. When testing, ensure you select the appropriate V-Realm from at the log in page. Once you have entered your username and password, you will be prompted to either enter a text message, or answer a phone call depending on the configuration of your Azure MFA instance.

single sign on step one
single sign on step two

If your application servers require users to enter credentials for access, you can simplify the log in process by setting up password forwarding. With password forwarding, once users log in, they can access back end application servers without having to enter credentials. In order for Single Sign On to be enabled, the Authentication Scope and Domain fields must be completed within the specific V-Realms Authentication Stage. Password Forwarding can be configured for RDP and VNC applications.

  • Navigate to Applications > Configuration
  • Select the name of the application that you wish to enable SSO and click Password Forward.
  • Authentication Scope: Enter the Authentication Scope you created during the LDAP Authentication configuration. Enter the same name that was entered in the authentication configuration in this field. This entry must match exactly.
  • Domain Name Forwarding: Set to ‘On’
  • Click Update to complete the process.

Once all the relevant details have been entered, users will be able to log into your NetConnect instance using their Azure AD credentials and access their assigned application(s).

EXPERIENCING PROBLEMS?

Located in Australia, USA, and Europe, there is always someone available to help.