Friday, October 19, 2012

Business Intelligence, the Microsoft style

Of course, Microsoft has been in the Business Intelligence (BI) game for some time now, but until now its solution sets lacked focus, clarity, consistency, and homogeneity. Well, in my opinion that is. But wait no longer: the company is bringing its A game to BI with clear and concise messaging and a much more focused and simplified tool set:
  • Excel – one authoring tool for your BI. And a great “Personal BI” solution.
  • SharePoint – the best solution for sharing, collaborating, and adding mobility (tablets, smartphones) to your BI. And a great “Group BI” solution.
  • SQL Server – rock solid high-performance, high-availability data platform for supporting very large data sets, and providing reporting, analysis, and integration services. And a great “Corporate BI” solution.

As far as BI solutions go, it hardly gets any simpler than that. And in full recognition that it's a big world out there (or is it a Big Data world?), there's plenty of support for non-Microsoft platforms: Oracle, SAP, Hadoop, Hive, etc.
So, arm yourself with awesome, easy-to-use tools like PowerPivot and Power View, and Explore, Visualize, and Control.

Tuesday, October 9, 2012

Office 365 Resources

A few months ago I put together a post, "Office 365 Information and Resources", with helpful links to various resources that provide a good overview of Office 365. Here are a few more things that should help you explore Office 365 further:

CAL Suite Bridges for Office 365

This quick post is on the highly confusing (IMHO) subject of Microsoft licensing. Have you ever heard of CAL Suite Bridges for Office 365? Do you know what they are? If you need a quick overview, I would suggest taking a look at the following article.

Wednesday, September 5, 2012

UAG 2010 SP2

Check out the issues fixed and features included in UAG 2010 Service Pack 2. Detailed information and the download link are available here. To find out what version of UAG you are currently running, and to verify prerequisites, refer to the following article.

Tuesday, July 24, 2012

SharePoint 2013 Materials

I can't really take credit for the following great collection of SharePoint 2013 resources; it was compiled by Shannon Bray. All I can do is rebroadcast it to the world. Enjoy!

Training Materials

MSDN & TechNet Articles



Thursday, July 5, 2012

User attributes in Office 365

Much like some of the group settings that can only be applied via PowerShell (see my previous post), some of the user attributes can only be set that way. For example, the Assistant attribute cannot be set via the management portal, but PowerShell will do the trick. Here's a sample statement:

set-user -identity [User's email address] -AssistantName "[Assistant's Name]"

To view object properties before and after, use the following:

get-user -identity [User's email address] | format-list

Mail-enabled security groups in Office 365

Another update (11/19/2013): the further evolution of Office 365 services makes creating distribution and security groups even easier, and there is now also an option to create a dynamic distribution group (click here for more information):

Update (08/06/2012): in a clear sign of Office 365 evolving along the same lines as other agile cloud services, small incremental features and minor new functionality are being delivered almost continuously and, unlike important major service updates, without much fanfare. For example, there's no longer any need to resort to PowerShell to set up mail-enabled security groups; it can now be done at creation time using the management portal:

Those managing an Office 365 (O365) tenant via the Microsoft Online Services Portal (MOS Portal) interface will notice that there are two distinct group entities:
  • Security Groups:
    • can be created via MOS Portal (main portal page>Management>Security Groups) and used for assigning permissions within SharePoint Online
    • do not show up in Exchange Online portal under distribution groups
  • Distribution Groups:
    • can be created via Exchange Online portal  (MOS Portal>main portal page>Exchange>Manage)
    • can't be used for assigning permissions
    • do not show up in MOS Portal under security groups
This suggests that if one needs to group users both for permission assignment and for email distribution, one needs to create two different groups: a security group and an email distribution group. Clearly, there are cases (for example, when the same users need to be assigned permissions to a resource and receive email notifications about it) when it would be desirable to have a single group serve both purposes.

In on-premises Active Directory (AD) and Exchange one would use a mail-enabled security group for this purpose, but what are the options in Office 365?

Surprisingly, the answer to this question wasn't as forthcoming as I expected, and finding any information on how to create a mail-enabled security group in O365 proved challenging. Finally, I came across the following Knowledge Base article, which indicated that it could be done via the directory synchronization (DirSync) tool.

This is great, but what about environments that don't use DirSync? First of all, there's clearly no way to accomplish this via the MOS Portal (sorry, no point-and-click). So, one has to resort to PowerShell. After looking at the various PowerShell cmdlets for O365 and Exchange Online and doing some poking around, I came to the following conclusions:
  • Once a group has been created, changing the group's type (mail-enabling a security group, or making a distribution group a security group as well) doesn't seem possible.
  • However, at the moment of creation a distribution group can be designated as a security group as well.
Here's a sample PowerShell statement:

new-distributiongroup -name "[Group's Name]" -alias "[Group's Alias]" -type "security" -primarysmtpaddress "[your_address@your_domain]"

For more information about the command try one of the following:
  • get-help new-distributiongroup -detailed
  • get-help new-distributiongroup -examples
  • get-help new-distributiongroup -full
To view group properties, the following sample PowerShell statement can be used:

get-distributiongroup -identity [Group's Name or Email Address] | format-list

When retrieving information about a distribution group created with -type "security", expect to see GroupType reported as "Universal, SecurityEnabled" and RecipientTypeDetails as "MailUniversalSecurityGroup" as part of the output.

A distribution group created with the default options would instead show GroupType "Universal" and RecipientTypeDetails "MailUniversalDistributionGroup".
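Here is an added example (my own, not code from the original post) that wraps the New-DistributionGroup statement above into a function and, before the group is handed out for permission assignment, checks that Exchange Online really reports it as security-enabled. It assumes the ExchangeOnlineManagement module is installed; the admin account, group names and addresses are placeholders for your own tenant.

```powershell
# Added example, not code from the original post: create a mail-enabled security
# group in Exchange Online and confirm it really is security-enabled before it is
# used for permission assignment. Assumes the ExchangeOnlineManagement module
# (Install-Module ExchangeOnlineManagement); the account, names and addresses
# below are placeholders for your tenant.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com'   # placeholder

function Test-MailEnabledSecurityGroup {
    # Distinguish a mail-enabled security group from a plain distribution group.
    param([Parameter(Mandatory)][string]$Identity)
    $g = Get-DistributionGroup -Identity $Identity -ErrorAction Stop
    [pscustomobject]@{
        Name                 = $g.Name
        PrimarySmtpAddress   = $g.PrimarySmtpAddress
        GroupType            = $g.GroupType              # 'Universal, SecurityEnabled' when created with -Type Security
        RecipientTypeDetails = $g.RecipientTypeDetails   # 'MailUniversalSecurityGroup' vs 'MailUniversalDistributionGroup'
        UsableForPermissions = ($g.GroupType -match 'SecurityEnabled') -and
                               ($g.RecipientTypeDetails -eq 'MailUniversalSecurityGroup')
    }
}

function New-MailEnabledSecurityGroup {
    param(
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][string]$Alias,
        [Parameter(Mandatory)][string]$PrimarySmtpAddress,
        [string[]]$Members = @(),
        [string[]]$Owners  = @()
    )
    # -Type Security has to be chosen at creation time; as the post notes, the
    # type of an existing group cannot be changed afterwards.
    $params = @{
        Name               = $Name
        Alias              = $Alias
        Type               = 'Security'
        PrimarySmtpAddress = $PrimarySmtpAddress
        # A group that grants access must not be self-service: nobody joins or
        # leaves it without an owner's action.
        MemberJoinRestriction   = 'Closed'
        MemberDepartRestriction = 'Closed'
        # Only authenticated (internal) senders may mail the group.
        RequireSenderAuthenticationEnabled = $true
    }
    if ($Members) { $params.Members   = $Members }
    if ($Owners)  { $params.ManagedBy = $Owners }

    $group = New-DistributionGroup @params -ErrorAction Stop
    Test-MailEnabledSecurityGroup -Identity $group.Identity
}

# Usage (placeholder names): create the group, then refuse to proceed unless the
# check confirms it can be used for both mail and permissions.
$result = New-MailEnabledSecurityGroup -Name 'Project X Team' -Alias 'projectx' `
    -PrimarySmtpAddress 'projectx@contoso.com' `
    -Members 'alice@contoso.com', 'bob@contoso.com' -Owners 'alice@contoso.com'
$result | Format-List
if (-not $result.UsableForPermissions) {
    throw "Group $($result.Name) is a plain distribution group; delete it and recreate it with -Type Security."
}
Disconnect-ExchangeOnline -Confirm:$false
```

The join/depart restrictions and the sender-authentication switch are deliberate: a group that confers SharePoint permissions should only change membership through its owners, and it should not be reachable by arbitrary external senders.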

Friday, June 15, 2012


I have already written about the UAG authentication providers available out-of-the-box (here) and mentioned the "WinHTTP" and "Other" options as the way to extend this default functionality. Here's a good example, based on a popular configuration for exposing SharePoint-based content to external parties (extranet): UAG + SQL Authentication + SharePoint FBA.

This is basically a two-part process, and I found a couple of great blog posts that cover it really well:
  1. Configure UAG for SQL authentication
    • Define custom authentication provider in UAG (for the SQL/aspnetdb) 
    • Add a custom [repository].inc 
    • Build a custom authentication function (within [repository].inc)
  2. Enable UAG SSO
    • Extend the Sharepoint site to external Users using ASP.Net Membership
    • Publish the extranet Sharepoint site via the UAG
    • Configure the UAG to work with Sharepoint FBA
Many thanks to Andreas Hecker for putting together these thorough instructions!

Wednesday, June 13, 2012

Problems Accessing UAG Server

Sometimes administrators find themselves unable to access the UAG server (via RDP and/or ping). In most cases the issue is due to one of two things: 1) routing; 2) security restrictions:
  1. UAG [typically] has two interfaces, internal and external, but only one of them, the external, should be configured with a default gateway. This means that for the internal interface to be reachable from subnets other than the one it's on, one needs to add persistent static routes using the "route add -p [destination network] mask [mask] [gateway]" command. Verify the results using the "route print" command.
  2. UAG is a hardened network device protected by TMG and as such only allows administrative access from authorized hosts. To see or modify the list of allowed hosts go to the TMG Management Console, navigate to Firewall Policy, select Toolbox \ Computer Sets \ Remote Management Computers, and double-click to view or edit (modify to suit your needs).

Tuesday, May 22, 2012

Microsoft Private Cloud Solutions

It's all about the cloud nowadays, and the competition is tough. First, there's Amazon, arguably the largest cloud computing platform out there, but being a market leader is both a blessing and a curse: others are constantly trying to dethrone you. And the list of those others is a notable one: Google and Microsoft are working tirelessly to improve their already impressive cloud platforms, as are other industry heavyweights (IBM, HP, CA); let's not forget the telecom giants (AT&T, Sprint, and Verizon); and many others: Rackspace, GoGrid, Joyent, Savvis, SoftLayer, CloudShare, Skytap, ...

So, how does Microsoft fare against the competition? I think it fares quite well, thanks to its strong foothold in the enterprise and the breadth and depth of its cloud solutions. Whether it is a traditional on-premises deployment, a highly virtualized datacenter, a private cloud, or a public cloud offering, Microsoft has a compelling solution, a great integration story, deep corporate pockets, and the strong technical expertise required to further enhance and support it. So, whichever road you choose to take, it's on your terms:
When it comes to Microsoft's public cloud offerings, they are fairly well known and publicized: Dynamics CRM Online, Office 365, Windows Intune, Windows Azure, SkyDrive. So, I wanted to spend some time highlighting the features and benefits of Microsoft's private cloud offering and its cornerstone, System Center 2012. Hence, meet SC2012. I suggest you start by reviewing the following:
Then, work your way down to the individual products and technologies:
And now, take a look at the entire private cloud stack:
Impressive? I think so, but this is not the whole story yet. So far we have only covered the foundation (infrastructure, process automation, management and monitoring) necessary to establish a solid platform for applications and services; after all, this is what business users and consumers alike are typically after. I guess it's not all about the cloud; it's about the apps.

Naturally, Microsoft's own wide-ranging product portfolio (from productivity, communications and collaboration software; to customer relationship management and enterprise resource planning solutions; to data warehousing, online analytical processing, and business intelligence), along with a diverse ecosystem of products from Microsoft partners and independent software vendors, present a perfect fit and deliver significant value when provisioned, delivered, managed, and monitored via the private cloud platform.

About the benefits. Private cloud can provide a healthy mix of usual cloud incentives - such as agility, focus, and economics - along with enhanced abilities to control, secure, and customize the environment. Here are a few specific benefits of the Microsoft private cloud:  
  • Heterogeneous support: multiple hardware vendors (Dell, IBM, HP, Hitachi, Fujitsu, NetApp, Cisco), hypervisors (Hyper-V, VMware, XenServer), operating systems (Windows, Linux), and application platforms (.NET, Java, PHP, Ruby) are supported.
  • Process automation: strong automation capabilities via Orchestrator across all System Center products as well as 3rd party tools (HP, CA, BMC, EMC)
  • Self-service infrastructure: robust self-service capabilities delivered via App Controller and Service Manager, supported by process automation
  • Service-centric approach: holistic approach to service definition (includes hardware, software, multiple inter-related systems) 
  • Comprehensive systems and application manageability: solid management capabilities delivered via Configuration Manager, supported by process automation
  • Deep systems and application monitoring and diagnosis: robust monitoring capabilities delivered via Operations Manager, supported by process automation
  • Flexible delegation and control: role based administration and granular control 
  • Cross-cloud application management: manage private and public cloud applications  via a single console, move applications between clouds
  • Physical, virtual, and cloud management: use the same set of tools to manage physical and virtual infrastructure, as well as public and private clouds
To summarize: what would a sample System Center 2012-based private cloud environment conceptually look like? Somewhat like this:
Cloud computing and Microsoft private cloud solutions - these are voluminous topics, but I hope you get the picture. To learn more please, follow the links, read through the datasheets, and do some digging of your own.
Many of the leading cloud computing platforms are proprietary in nature (e.g. Amazon, Microsoft), while others are built upon open source projects (e.g. HP and Rackspace using OpenStack; Datapipe and Zynga using CloudStack; CERN using OpenNebula; NASA using Eucalyptus; Yandex using Nimbula). Neither approach is good or bad, right or wrong. Time will settle the score; meanwhile, there's nothing wrong with variety, and healthy competition is always good for the consumers of cloud services and platforms.

Wednesday, May 9, 2012

Cloud Standards

Want to keep up with all the current cloud standards (as well as those that are works in progress), but have trouble keeping track of this rapidly changing field? Look no further than the Cloud Standards Wiki. Great resource!

Tuesday, May 8, 2012

UAG Authentication Capabilities

Sometimes the subject of authentication in UAG seems to confuse people and lead them to the wrong conclusions. To set the record straight on a couple of issues:

Misconception #1: UAG includes robust authentication capabilities. This is a true statement, but it sometimes gets interpreted in a way that implies the presence of some sort of secure identity store within UAG. This is not the case. UAG leverages different authentication repositories and options and can temporarily hold certain identity information to support things such as single sign-on (SSO), but it is not a repository in itself. Here's a list of repositories and options supported out of the box (OOB):

Options such as "WINHTTP" and "Other" allow for new methods to be implemented to extend the OOB functionality (see a great example here). 

Misconception #2: UAG supports multi-factor authentication, including biometrics, hardware and software tokens, one-time passwords (OTP), etc. Once again, this is a true statement, but "supports" does not mean "includes". You would need a solution that implements said capabilities (biometrics, OTP, etc.) and integrates with UAG.

Luckily, UAG is a highly extensible product and integration is its strong suit. You will find plenty of great, ready-to-use solutions in both software-only and appliance formats, or you could opt to implement your own unique scheme. Furthermore, for your convenience many of the appliance-based solutions include both UAG itself and those strong authentication extensions, all integrated and ready to go. Here's a quick sample of what's available:
  • Winfrasoft UAG Appliance with PINsafe
  • PORTSYS UAG Appliance with SafeLogin
  • Celestix WSA UAG and HOTpin Appliances
  • Deepnet Security DualShield Unified Authentication Platform
  • PointSharp ID Unified Authentication
  • Gemalto SA Server
  • nGSA Gemalto Appliance
So, one might ask: "What does UAG do?" Well, first of all, it is pretty busy being a scalable, secure remote access solution that supports granular access control and provides robust support for different authentication repositories and options. And then, it is the remote access platform that puts it all together (multiple repositories, advanced authentication options, single sign-on, etc.).

Thursday, May 3, 2012

UAG Certificate Validation

Sometimes it may be desirable to disable certificate validation for the SSL-protected back-end services published via UAG. You can do this by editing the following registry values:
  • Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL
    • right-click ValidateRwsCert, select Modify, and change the Value data to 0
    • right-click ValidateRwsCertCRL, select Modify, and change the Value data to 0
    • restart IIS
Please note that disabling certificate validation may not be an acceptable security practice in certain environments: with both values set to 0, UAG will accept whatever certificate the back-end server presents (expired, untrusted, or issued to a different host, with revocation no longer checked), so anything that can sit on the path between UAG and the back-end could impersonate that server. Treat it as a troubleshooting step and prefer fixing the back-end certificate (or trusting its issuing CA on the UAG server) over leaving validation off. For a complete list of UAG registry keys consult the following TechNet article. Also, there are different uses for certificates within UAG; to understand them better I strongly recommend reading through the following excellent blog post by Ben Ari.
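As an added example (my own, not code from the original post), here is a small PowerShell wrapper for the registry change above that exports the key before touching it, so the change can be audited and reverted once troubleshooting is over. The key path and value names are the ones given in the post; the function names, the backup location and the assumption that both values already exist are mine.

```powershell
# Added example, not code from the original post: turn UAG back-end certificate
# validation off (for troubleshooting) or back on, keeping a .reg export of the
# key so the previous state can be restored. The key path and value names are
# the ones given above; the function names, backup location and the assumption
# that both values already exist are mine.
$UagSslKey  = 'HKLM:\SOFTWARE\WhaleCom\e-Gap\Von\URLFilter\Comm\SSL'
$ValueNames = 'ValidateRwsCert', 'ValidateRwsCertCRL'

function Get-UagBackendCertValidation {
    # Audit helper: shows whether validation (and CRL checking) is currently on.
    $p = Get-ItemProperty -Path $UagSslKey -ErrorAction Stop
    [pscustomobject]@{
        ValidateRwsCert    = [int]$p.ValidateRwsCert       # 1 = validate the back-end certificate, 0 = accept anything
        ValidateRwsCertCRL = [int]$p.ValidateRwsCertCRL    # 1 = also check revocation, 0 = skip CRL checking
        ValidationEnabled  = ([int]$p.ValidateRwsCert -eq 1)
    }
}

function Set-UagBackendCertValidation {
    param(
        [Parameter(Mandatory)][bool]$Enabled,
        [string]$BackupFile = (Join-Path $env:ProgramData ("UagSsl-{0}.reg" -f (Get-Date -Format 'yyyyMMdd-HHmmss')))
    )
    $newValue = if ($Enabled) { 1 } else { 0 }

    # Export the key first; 'reg import <file>' puts the old values back.
    $regPath = $UagSslKey -replace '^HKLM:\\', 'HKEY_LOCAL_MACHINE\'
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "reg.exe export of $UagSslKey failed (exit code $LASTEXITCODE)" }

    $before = Get-UagBackendCertValidation
    $key = Get-Item -Path $UagSslKey
    foreach ($name in $ValueNames) {
        # Rewrite with the value's existing kind so its type is not silently changed.
        Set-ItemProperty -Path $UagSslKey -Name $name -Value $newValue -Type $key.GetValueKind($name)
    }
    # The post requires an IIS restart for the change to take effect.
    & iisreset.exe /restart | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "iisreset returned $LASTEXITCODE; restart IIS manually" }

    [pscustomobject]@{ Before = $before; After = Get-UagBackendCertValidation; Backup = $BackupFile }
}

# Usage: disable while troubleshooting, then re-enable once the back-end
# certificate problem has actually been fixed.
Set-UagBackendCertValidation -Enabled $false | Format-List
# ... reproduce the problem, repair the back-end certificate ...
Set-UagBackendCertValidation -Enabled $true  | Format-List
```

Get-UagBackendCertValidation on its own is the useful part for a periodic check: a gateway that still reports ValidationEnabled = False long after the troubleshooting session is the kind of leftover that tends to go unnoticed.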

Wednesday, May 2, 2012

Windows Live - Reimagined

Windows Live was born on November 1st, 2005; and now, almost seven years later, with Windows 8 and Windows Phone striding towards more meaningful cloud services integration than ever before, it is about to undergo some serious changes. Want to know more about it? Check out the following post - "Cloud services for Windows 8 and Windows Phone: Windows Live, re-imagined"

Monday, April 16, 2012

UAG Logging

Microsoft Forefront Unified Access Gateway (UAG) is a comprehensive, secure remote access solution, and as such provides robust logging capabilities, including the following options:
  • Built-in
  • Syslog
  • Mail
  • SQL
Please note that all file locations mentioned in this article are installation defaults and may differ from the locations you selected during installation.
Most of the logging options (with the exception of SQL logging, which is configured via TMG) can be configured via "Admin > Event Logs Settings":

The UAG built-in option is enabled by default, and the default log file location is C:\Program Files\Microsoft Forefront Unified Access Gateway\Logs\Events\. It is a good idea to periodically back up the contents of this directory, either via backup software or a script. UAG Web Monitor can then be used to query the event log files and to filter events according to type, time, and other parameters:

For more detailed information please refer to the following TechNet article.

UAG Backup

Every organization should have disaster recovery and continuity of operations plans commensurate with its risk reduction goals and its overall risk management profile. And of course the UAG infrastructure should be an integral part of such plans, subject to the associated backup and recovery procedures. However, this post doesn't have much to do with these fundamental things. Instead, it aims to cover the very basics of UAG configuration settings backup and import/export. Here's where one would configure automatic backups (performed automatically every time a new configuration is activated):

Please note that all file locations mentioned in this article are installation defaults and may differ from the locations you selected during installation.
  • The password must be at least 8 characters long, and the default backup location is C:\Program files\Microsoft Forefront Unified Access Gateway\Backup\. It is a good idea to periodically back up the contents of this directory, either via backup software or a script.
  • To perform a manual import/export via the GUI simply select "File > Import" or "File > Export", supply the required parameters and click the corresponding button:
  • To perform an import/export via the command line, navigate to C:\Program Files\Microsoft Forefront Unified Access Gateway\utils\ConfigMgr\ and run one of the following commands:
    • configmgrutil export filename.xml password [comment]
    • configmgrutil import filename.xml password 
  • For more detailed information please refer to the following TechNet article.
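Both the UAG Logging post (back up Logs\Events) and this one (back up the Backup folder, export the configuration with configmgrutil) end with "do it via a script", so here is an added example of such a script. It is my own code, not from the original posts or from Microsoft: the configmgrutil syntax is the one quoted above, while the destination folder, archive layout, manifest and ACL are my choices, and it assumes Windows Management Framework 5 or later on the UAG server for Compress-Archive and Get-FileHash.

```powershell
# Added example, not code from the original posts: one scheduled job that exports
# the UAG configuration and archives the Logs\Events and Backup directories.
# configmgrutil syntax is as given in the post; destination folder, naming,
# manifest and ACL are my own choices. Assumes WMF 5+ (Compress-Archive, Get-FileHash).
$UagRoot  = 'C:\Program Files\Microsoft Forefront Unified Access Gateway'
$DestRoot = 'D:\UagBackups'   # placeholder: a volume that is not the UAG data disk

function Backup-UagConfiguration {
    param(
        [Parameter(Mandatory)][string]$Password,     # configmgrutil requires at least 8 characters
        [string]$Comment = 'scheduled backup'
    )
    if ($Password.Length -lt 8) { throw 'configmgrutil requires a password of at least 8 characters' }
    $stamp   = Get-Date -Format 'yyyyMMdd-HHmmss'
    $workDir = Join-Path $DestRoot $stamp
    New-Item -ItemType Directory -Path $workDir -Force | Out-Null

    # 1. Export the active configuration. The tool takes the password on its
    #    command line (see the syntax above), so run this as a scheduled task,
    #    not interactively on a shared console.
    $exportFile = Join-Path $workDir "uag-config-$stamp.xml"
    Push-Location (Join-Path $UagRoot 'utils\ConfigMgr')
    try {
        & .\configmgrutil.exe export $exportFile $Password $Comment | Out-Null
        if ($LASTEXITCODE -ne 0 -or -not (Test-Path $exportFile)) {
            throw "configmgrutil export failed (exit code $LASTEXITCODE)"
        }
    } finally { Pop-Location }

    # 2. Copy the automatic-backup folder and the built-in event logs.
    foreach ($sub in 'Backup', 'Logs\Events') {
        $src = Join-Path $UagRoot $sub
        if (Test-Path $src) {
            Copy-Item -Path $src -Destination (Join-Path $workDir ($sub -replace '\\', '_')) -Recurse
        }
    }

    # 3. SHA-256 manifest, so a restore can verify nothing was altered in transit or at rest.
    $manifest = Join-Path $workDir 'SHA256SUMS.txt'
    Get-ChildItem -Path $workDir -Recurse -File |
        Get-FileHash -Algorithm SHA256 |
        ForEach-Object { '{0}  {1}' -f $_.Hash, $_.Path.Substring($workDir.Length + 1) } |
        Set-Content -Path $manifest -Encoding ASCII

    # 4. Zip it and drop the working folder.
    $zip = "$workDir.zip"
    Compress-Archive -Path (Join-Path $workDir '*') -DestinationPath $zip
    Remove-Item -Path $workDir -Recurse -Force

    # 5. The archive holds the full gateway configuration: administrators and SYSTEM only.
    $acl = Get-Acl -Path $zip
    $acl.SetAccessRuleProtection($true, $false)   # stop inheriting the parent folder's ACL
    foreach ($id in 'BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($id, 'FullControl', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $zip -AclObject $acl
    return $zip
}

# Usage: the export password is read from a DPAPI-protected file created once with
#   Read-Host -AsSecureString | Export-Clixml D:\UagBackups\export-password.xml
# under the same account that runs the scheduled task.
$secure = Import-Clixml -Path (Join-Path $DestRoot 'export-password.xml')
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR(
            [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure))
Backup-UagConfiguration -Password $plain
```

The manifest and the restrictive ACL are the two things a backup of a security gateway needs beyond a copy: the export contains the trunk and application definitions, and an attacker who can read or tamper with it has most of what is needed to understand or alter the deployment.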

UAG Basic Customization, Part 2

For information on how to change basic logon page settings please refer to the first part of this post, UAG Basic Customization, Part 1.
Please note that all file locations mentioned in this article are installation defaults and may differ from the locations you selected during installation.
We can also customize basic properties of the UAG Portal pages (displayed after a successful logon on trunks that use the built-in Portal as the default application):
  header & toolbar

  • Under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\Languages\ locate the appropriate language file, in our case en-US.xml, and copy it to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\Languages\CustomUpdate\.
  • Open the en-US.xml file in the \CustomUpdate folder using Notepad and perform the following edits (based on the sample above):
    1. <String id="12" _locID="12"> - desired title
    2. <String id="182" _locID="182"> - desired support contact
    3. <String id="1" _locID="1"> - desired corporate message
  • Save the changes to en-US.xml (remember to always edit the customization file under \CustomUpdate, never the original one)

It may also be desirable to add hyperlinks to the following areas, for example to point 1) to the Help Desk email address and 2) to the corporate web site:

  • Under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\Footer\ locate file LeftFooter.sitemap and copy it to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\Footer\CustomUpdate\
  • Edit the siteMapNode url parameters as needed (the url values in the example below are left empty: use a mailto: address for the support contact node and the corporate web site address for the corporate message node). Here's an example:

<?xml version="1.0" encoding="utf-8" ?>
<siteMap xmlns="" enableLocalization="true">
    <siteMapNode url="" title="" description="">
      <siteMapNode url=""                   title="$Resources:Resource, 182"
                   description="$Resources:Resource, 182"
                   target="_blank" />
      <siteMapNode url=""                   title="$Resources:Resource, 1"
                   description="$Resources:Resource, 1"
                   target="_blank" />
    </siteMapNode>
</siteMap>

Last but not least, there's an "E-mail system administrator" button on the toolbar that can be hyperlink-enabled:

  • Under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\ToolBar\ locate file Web.sitemap and copy it to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\PortalHomePage\Data\SiteMap\ToolBar\CustomUpdate\
  • Open the Web.sitemap file in the \CustomUpdate folder using Notepad. Find the line that contains "mailto:" and change it to reflect the appropriate support contact information:
    • for example: <siteMapNode url=""
  • Save the changes to Web.sitemap (remember to always edit the customization file under \CustomUpdate, never the original one)

UAG Basic Customization, Part 1

In one of my previous posts I referenced a couple of good resources on the subject of UAG customization:
The TechNet resource "Customizing Forefront UAG" is a good starting point, and there's a book that was just published that covers this very topic: "Mastering Microsoft Forefront UAG 2010 Customization" by Erez Ben-Ari.
Much is possible when it comes to customizing and extending UAG, and for that you need to refer to the materials mentioned above and study them carefully; but in some cases only basic customization may be desired, like changing the default logon page (say, editing the title and adding a standard security banner). This post aims to cover those basic changes. So, let's say we want our default logon page to look somewhat like this:
And here are the things we would need to do:
Please note that all file locations mentioned in this article are installation defaults and may differ from the locations you selected during installation.
  • Under C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\Languages\ locate the appropriate language file, in our case en-US.xml, and copy it to C:\Program Files\Microsoft Forefront Unified Access Gateway\von\InternalSite\Languages\CustomUpdate.
  • Open the en-US.xml file in the \CustomUpdate folder using Notepad and perform the following edits (based on the sample above):
    1. <String id="2" _locID="2"> - desired title 
    2. <String id="4" _locID="4"> - desired system security message
    3. <String id="5" _locID="5"> - desired support information
    4. <String id="1" _locID="1"> - desired password self-service information
  • To change the default message displayed when users log off modify the following:
    • <String id="3" _locID="3"> - desired LogOff message (for example: Thank you for using Company XYZ Remote Access Portal)
  • Save the changes to en-US.xml (remember to always edit the customization file under \CustomUpdate, never the original one)
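The same copy-to-CustomUpdate-and-edit procedure applies to the logon page strings here (Part 1) and to the portal page strings in Part 2, so here is an added example that scripts both. It is my own code, not from the original posts or from Microsoft: the file locations and String ids are the ones listed in the two posts, while the function name and the sample text are mine, and it assumes the <String> elements in the language files carry no XML namespace.

```powershell
# Added example, not code from the original posts: apply the CustomUpdate string
# edits from "UAG Basic Customization" Part 1 (logon page, InternalSite\Languages)
# and Part 2 (portal pages, PortalHomePage\Data\Languages) from a script.
# String ids come from the posts; function name and sample text are mine.
# Assumes the <String id="..."> elements carry no XML namespace.
$UagRoot = 'C:\Program Files\Microsoft Forefront Unified Access Gateway'

function Set-UagLanguageStrings {
    param(
        [Parameter(Mandatory)][string]$LanguageDir,   # folder that holds the shipped <lang>.xml
        [Parameter(Mandatory)][hashtable]$Strings,    # string id -> replacement text
        [string]$Language = 'en-US'
    )
    $customDir = Join-Path $LanguageDir 'CustomUpdate'
    $original  = Join-Path $LanguageDir "$Language.xml"
    $custom    = Join-Path $customDir  "$Language.xml"

    # Never touch the shipped file: seed CustomUpdate from it on first use only.
    if (-not (Test-Path $customDir)) { New-Item -ItemType Directory -Path $customDir | Out-Null }
    if (-not (Test-Path $custom))    { Copy-Item -Path $original -Destination $custom }

    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true
    $doc.Load($custom)

    foreach ($id in $Strings.Keys) {
        $node = $doc.GetElementsByTagName('String') |
                Where-Object { $_.GetAttribute('id') -eq "$id" } |
                Select-Object -First 1
        if (-not $node) { throw "No <String id=`"$id`"> in $custom" }
        # InnerText XML-escapes the value, so text set here cannot inject markup
        # into the logon page; use InnerXml only if you deliberately want HTML there.
        $node.InnerText = $Strings[$id]
    }
    $doc.Save($custom)
    return $custom
}

# Part 1: logon page (title, security banner, support info, self-service note, logoff message)
Set-UagLanguageStrings -LanguageDir (Join-Path $UagRoot 'von\InternalSite\Languages') -Strings @{
    2 = 'Company XYZ Remote Access Portal'
    4 = 'Authorized users only. Activity on this system is monitored and recorded.'
    5 = 'Help desk: ext. 1234'
    1 = 'Forgotten your password? Use the self-service reset page.'
    3 = 'Thank you for using Company XYZ Remote Access Portal'
}

# Part 2: portal home page (title, support contact, corporate message)
Set-UagLanguageStrings -LanguageDir (Join-Path $UagRoot 'von\PortalHomePage\Data\Languages') -Strings @{
    12  = 'Company XYZ Portal'
    182 = 'Help desk: ext. 1234'
    1   = 'Welcome to the Company XYZ extranet.'
}
```

Keeping the banner text in source control and reapplying it with a script like this also makes it obvious when an upgrade or a well-meaning colleague has changed the logon page, which is harder to spot with hand edits in Notepad.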