12/14/14

Notes about setting up AD FS for Hosted Exchange in Office 365

I've been learning about Active Directory Federation for Office 365's Hosted Exchange.  Here are some links and notes about the process that I don't want to forget.

Where to sign up: Exchange Online account ($4/month/mailbox).

Instructions on how to configure DirSync to sync a single OU.

The excellent tutorial that I followed to set up AD FS w/ O365.

A discussion of the 3 sign-in models for Office 365.

A discussion of whether to use SQL or WID for ADFS authentication to O365.

Should you use O365?  Yes!

How to test AD FS functionality: https://adfs.trimideas.com/adfs/ls/idpinitiatedsignon.htm

Introduction to Azure multi-factor authentication for Office 365 (it's free!).

The AD FS Proxy appears to fetch configuration information from the AD FS farm once per minute.

This guy says the Web Application Proxy can route requests to different servers via hostname!

Here's how to configure extranet lockout with AD FS 3.0.  You can only configure this on the primary ADFS server...and I think it pushes the configuration out to the web proxy, but haven't validated that thought.

Here's how to customize the logo on the AD FS sign-in page.

12/7/14

How to prevent rogue DHCP servers with DHCP snooping in an HP Procurve switch

This is cool.  I'm using an HP Procurve 2530 switch, running firmware YA.15.16.  These switches, by the way, come with a lifetime next-business-day warranty.

To learn how to configure this feature, I went to HP's support lookup tool, typed in J9777A, looked up the manuals, went into the general reference area, then opened the HP Switch Software Access Security Guide for YA/YB.15.16.

Here are the commands to run:
dhcp-snooping (this enables the feature)
dhcp-snooping trust 8 (this marks port 8 as trusted, so a DHCP server may operate there; DHCP server replies arriving on untrusted ports are dropped)
dhcp-snooping vlan 1 (this enables the feature on the default VLAN of 1)

Here's a screenshot pre-DHCP-snooping (two DHCP servers respond to the request):

[screenshot]

Here's a screenshot with DHCP replies permitted only on port 8 (server is 192.168.100.254):

[screenshot]

Here's a screenshot with DHCP replies permitted only on port 1 (server is 192.168.100.110):

[screenshot]

The switch also keeps track of what IP address(es) and MAC address(es) are connected to each untrusted port - show dhcp-snooping binding.  If you see a bunch of IP addresses on a port, that could indicate someone has added a downstream switch.
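Added example, not from the original post: a small Python script that parses the text of show dhcp-snooping binding and flags ports with more bound hosts than you'd expect on a single-host access port, which is the downstream-switch check described above. The sample output is constructed, and the column layout is an assumption modelled on ProCurve output; adjust BINDING_RE if your firmware prints a different layout.

```python
"""Flag switch ports with an unusual number of DHCP-snooping bindings.

Added example, not from the original post. Parses the text of
`show dhcp-snooping binding` and counts bound hosts per port.
The column layout is an assumption modelled on HP ProCurve output.
"""
import re
from collections import defaultdict

# Constructed sample output: one host on port 3, five hosts on port 7.
# Five MAC/IP bindings on one access port suggests a downstream switch
# (or a hub) has been plugged in there.
SAMPLE_OUTPUT = """\
 MacAddress        IP              VLAN  Interface  Time left
 ----------------- --------------- ----- ---------- ---------
 001122-334455     192.168.100.20  1     3          86390
 001122-aabb01     192.168.100.31  1     7          86100
 001122-aabb02     192.168.100.32  1     7          86050
 001122-aabb03     192.168.100.33  1     7          85990
 001122-aabb04     192.168.100.34  1     7          85900
 001122-aabb05     192.168.100.35  1     7          85800
"""

# One binding row: ProCurve-style MAC (six hex, hyphen, six hex), IPv4,
# VLAN id, port name, lease time left in seconds.  Header and separator
# lines do not match and are skipped.
BINDING_RE = re.compile(
    r"^\s*(?P<mac>[0-9a-fA-F]{6}-[0-9a-fA-F]{6})\s+"
    r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"(?P<vlan>\d+)\s+"
    r"(?P<port>\S+)\s+"
    r"(?P<ttl>\d+)\s*$"
)


def parse_bindings(text):
    """Return one dict per binding row found in the command output."""
    rows = []
    for line in text.splitlines():
        m = BINDING_RE.match(line)
        if m:
            rows.append({
                "mac": m["mac"].lower(),
                "ip": m["ip"],
                "vlan": int(m["vlan"]),
                "port": m["port"],
                "ttl": int(m["ttl"]),
            })
    return rows


def bindings_per_port(rows):
    """Map port name -> number of bindings seen on that port."""
    counts = defaultdict(int)
    for r in rows:
        counts[r["port"]] += 1
    return dict(counts)


def suspicious_ports(rows, max_hosts=1):
    """Ports carrying more distinct MAC addresses than max_hosts.

    max_hosts=1 is the right threshold for a port that should serve one
    workstation; raise it for ports feeding an IP phone plus PC, etc.
    """
    macs = defaultdict(set)
    for r in rows:
        macs[r["port"]].add(r["mac"])
    return sorted(p for p, s in macs.items() if len(s) > max_hosts)


if __name__ == "__main__":
    rows = parse_bindings(SAMPLE_OUTPUT)
    for port, n in sorted(bindings_per_port(rows).items()):
        print(f"port {port}: {n} binding(s)")
    for port in suspicious_ports(rows):
        print(f"WARNING: port {port} has multiple hosts; downstream switch?")
```

In practice you'd feed the script the captured output of the command (for example pasted from a terminal session or pulled over SSH) rather than the constructed sample, and tune max_hosts per port role.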


It appears (per this post) that if you have multiple HP switches, you'd want to use no dhcp-snooping option 82.