5nine Cloud Security Azure Pack Extension Version 5.2 June 2015
2015 5nine Software. All rights reserved. All trademarks are the property of their respective owners. No part of this publication may be reproduced, transmitted, transcribed, stored in a retrieval system, or translated into any language in any form by any means, without written permission from 5nine Software Inc. (5nine). The information contained in this document represents the current view of 5nine on the issue discussed as of the date of publication and is subject to change without notice. 5nine shall not be liable for technical or editorial errors or omissions contained herein. 5nine makes no warranties, express or implied, in this document. 5nine may have patents, patent applications, trademark, copyright, or other intellectual property rights covering the subject matter of this document. All other trademarks mentioned herein are the property of their respective owners. Except as expressly provided in any written license agreement from 5nine, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. Important! Please read the End User Software License Agreement before using the accompanying software program(s). Using any part of the software indicates that you accept the terms of the End User Software License Agreement. 1
Table of Contents
Summary ... 4
System Requirements ... 5
Permissions ... 6
Installation ... 6
  5nine Cloud Security Network Manager Plugin installation ... 7
  5nine Cloud Security Azure Pack Extension installation ... 10
  Microsoft Web Platform Installer ... 16
Pre-configuration ... 18
  5nine Cloud Security Network Manager Plugin pre-configuration ... 18
  5nine Cloud Security Azure Pack Extension pre-configuration ... 20
Operations ... 24
  Admin portal operations ... 24
    Adding, removing and changing hosts ... 25
    Viewing virtual machines and log records ... 27
    Managing security groups ... 30
    Managing templates ... 31
    User actions audit ... 32
    Disaster recovery management ... 32
    Usage record and limits ... 34
    Viewing tenants ... 35
  Tenant portal operations ... 37
    Enable 5nine Cloud Security features ... 38
    Viewing virtual machines and log records ... 39
    Managing security groups ... 41
    Managing templates ... 43
    User actions audit ... 43
  Common operations ... 44
    Operations with security groups ... 44
    Operations with templates ... 46
    Managing virtual firewall protection status ... 47
    Managing IDS status ... 48
    Managing traffic scanner status ... 48
    Adding rules ... 48
    Changing VM settings ... 58
    User actions log filter ... 61
Uninstallation ... 62
Summary

5nine Cloud Security Azure Pack Extension is a plugin designed specifically for the Azure Pack web-based portal. It lets users work with 5nine Cloud Security functions directly from the Azure Pack web interface. The extension is embedded into the Azure Pack Admin and Tenant portals as an additional menu item.

Admin portal view with 5nine Cloud Security for Azure Pack Admin Extension:
Tenant portal view with 5nine Cloud Security for Azure Pack Tenant Extension:
System Requirements

5nine Cloud Security Azure Pack Extension requirements correspond to those stipulated for Azure Pack and 5nine Cloud Security for Hyper-V.

Supported Operating Systems: Windows Server 2012 or Windows Server 2012 R2 (also refer to https://technet.microsoft.com/en-us/library/dn747886.aspx for details on Windows Server compatibility).

Before you install 5nine Cloud Security Azure Pack Extension, the following software must be installed in your environment:
- Azure Pack, installed using Web Platform Installer 5.0 (http://www.microsoft.com/web/downloads/platform.aspx), which requires:
  - Microsoft System Center Virtual Machine Manager R2 and Microsoft System Center Orchestrator R2: http://www.microsoft.com/en-us/evalcenter/evaluate-system-center-2012-r2?i=1.
  - WCF Data Services 5.0 (OData v3): http://www.microsoft.com/en-us/download/details.aspx?id=29306. Service Provider Foundation (SPF) prerequisite.
  - ASP.NET MVC 4: http://www.microsoft.com/en-us/download/details.aspx?id=30683. SPF prerequisite.
  - Windows Assessment and Deployment Kit for Windows 8.1: http://www.microsoft.com/en-us/download/details.aspx?id=39982. SCVMM prerequisite.
  - MS SQL 2012 SP1 or 2014 full setup: http://www.microsoft.com/en-us/evalcenter/evaluate-sql-server-2014. Required for SCVMM, SPF and Azure Pack.
- 5nine Cloud Security for Hyper-V 5.1
- 5nine Cloud Security Network Manager Plugin (SCVMM compliance extension).
Permissions

TCP port 30077 is used by default for the Cloud Security site HTTPS connection in the IIS settings. Make sure it is open on the Azure Pack server. The default ports for Azure Pack are 30091 for the Admin site, 30081 for the Tenant site, and 30071 and 30072 for the Auth sites. Make sure they are open unless you have set alternative ports for the Azure Pack components. TCP port 8090, used by SPF, must be open on the SPF server. If SPF is not configured at all, 5nine Cloud Security Azure Pack Extension will still work partially, with the Admin portal only, as the Tenant portal itself is inoperable without a properly configured SPF.

5nine Cloud Security Azure Pack Extension should be installed with a domain administrative account. This account must also meet the requirements stipulated for 5nine Cloud Security for Hyper-V. The domain account used to install 5nine Cloud Security Azure Pack Extension must be added to the Azure Pack admins list. It can be the same account under which Azure Pack was previously installed; that account was already added to the Azure Pack admins list during the Azure Pack installation. To add a new user to the Azure Pack admins list, use the following PowerShell commands (PowerShell must be run with administrative privileges, Run as Administrator):
- Get-MgmtSvcAdminUser to check the currently added admins;
- Add-MgmtSvcAdminUser -Principal "Domain\User" to add the new admin. Substitute your own Domain\User and keep the quotes where they are.

The domain account used to install 5nine Cloud Security Azure Pack Extension must also be added to the 5nine Cloud Security for Hyper-V Global Admins list and must be assigned both the SecurityAdministrator and Auditor roles.
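The port and admin-list requirements above can be checked from one elevated PowerShell session before the installer is started. The script below is an added example and is not part of the 5nine manual or the 5nine product: it uses the Get-MgmtSvcAdminUser and Add-MgmtSvcAdminUser cmdlets named above together with the built-in Windows Firewall and Test-NetConnection cmdlets. The values of $SpfServer and $Principal are placeholders to replace with your own, and the script assumes the Azure Pack ports were left at their defaults.

```powershell
# Added example, not from the 5nine manual: pre-flight check of the default TCP ports
# listed in the Permissions section and of the Azure Pack admin list.
# Run in an elevated PowerShell session on the Azure Pack server.

$SpfServer = 'spf.example.local'     # placeholder: your SPF server
$Principal = 'DOMAIN\User'           # placeholder: the domain account that will run the installer

# Default TCP ports from the manual (change them if you configured alternative Azure Pack ports)
$Ports = [ordered]@{
    'MgmtSvc-CloudSecurity (HTTPS)' = 30077
    'Azure Pack Admin site'         = 30091
    'Azure Pack Tenant site'        = 30081
    'Azure Pack Auth site'          = 30071
    'Azure Pack Auth site (2)'      = 30072
}

# True when at least one enabled, inbound, Allow rule in Windows Firewall covers the TCP port.
# Rules written as port ranges (e.g. 30070-30080) are not expanded by this simple check.
function Test-InboundPortAllowed {
    param([int]$Port)
    $rules = Get-NetFirewallPortFilter -Protocol TCP |
        Where-Object { $_.LocalPort -contains "$Port" -or $_.LocalPort -eq 'Any' } |
        Get-NetFirewallRule |
        Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' }
    return (($rules | Measure-Object).Count -gt 0)
}

foreach ($entry in $Ports.GetEnumerator()) {
    $ok = Test-InboundPortAllowed -Port $entry.Value
    '{0,-32} {1,5}  {2}' -f $entry.Key, $entry.Value, $(if ($ok) { 'inbound allow rule present' } else { 'NO inbound allow rule' })
}

# SPF port 8090 must be reachable on the SPF server; without it only the Admin portal works.
$spf = Test-NetConnection -ComputerName $SpfServer -Port 8090 -WarningAction SilentlyContinue
'{0,-32} {1,5}  {2}' -f "SPF on $SpfServer", 8090, $(if ($spf.TcpTestSucceeded) { 'reachable' } else { 'NOT reachable' })

# Azure Pack admin list: add the installing account only if it is not already listed.
# Assumption: the cmdlet output is compared as text so that no particular property name is relied on.
$admins = Get-MgmtSvcAdminUser | Out-String
if ($admins -notmatch [regex]::Escape($Principal)) {
    Add-MgmtSvcAdminUser -Principal $Principal
    "Added $Principal to the Azure Pack admins list"
} else {
    "$Principal is already in the Azure Pack admins list"
}
```

The firewall check only confirms that a rule exists; whether anything is listening on the port is established later, once the IIS sites are installed. The Global Admins and role assignment in 5nine Cloud Security for Hyper-V have no cmdlet on this page and are still done in the Management Console as described.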
Installation

5nine Cloud Security Azure Pack Extension installation consists of two steps, assuming that all other components, i.e. SCVMM, SPF, Azure Pack and 5nine Cloud Security for Hyper-V 5.1, are already installed in your environment:
- 5nine Cloud Security Network Manager Plugin (SCVMM compliance extension): the plugin required to bring the VMM logical switches to the compliant state. Azure Pack Tenant Portal operation assumes that logical switches are properly set up in SCVMM and are in the compliant state, so that the logical networks and tenant VMs are fully operable. This component should be installed directly on your SCVMM server. Refer to the 5nine Cloud Security Network Manager Plugin installation subsection below.
- 5nine Cloud Security Azure Pack Extension installation: the main web application that is embedded into the Azure Pack web interface. This component should be installed directly on your Azure Pack server. Refer to the 5nine Cloud Security Azure Pack Extension installation subsection below.

5nine Cloud Security Network Manager Plugin installation

To install 5nine Cloud Security Network Manager Plugin, run the single setup launcher application on your SCVMM server. Select SC VMM compliance extension and click Install. The 5nine Cloud Security for Hyper-V Network Manager Plugin Setup wizard will open. Click Next.
Select the destination folder or leave the default path and click Next.
Click Install to start the 5nine Cloud Security for Hyper-V Network Manager Plugin installation process. Wait until the following screen appears, and then click Finish to complete the 5nine Cloud Security for Hyper-V Network Manager Plugin installation process.
The installation process is complete, but further steps are required to finalize the 5nine Cloud Security for Hyper-V Network Manager Plugin configuration and to set up the corresponding SCVMM items. Refer to the Pre-configuration section below for details.

5nine Cloud Security Azure Pack Extension installation

To install 5nine Cloud Security Azure Pack Extension, first run the single setup launcher application with administrative privileges (Run as Administrator) on your Azure Pack server. Select Extension for Azure Pack and click Install. The 5nine Cloud Security for Azure Pack Setup wizard will open. Click Next.
Read and accept the EULA (End User License Agreement). Click Next.
Choose the components to install on your Azure Pack server:
- MgmtSvc-AdminSite Extension: 5nine Cloud Security Azure Pack Extension for the Admin site;
- MgmtSvc-TenantSite Extension: 5nine Cloud Security Azure Pack Extension for the Tenant site.
Note. The first two components, the Admin and Tenant site extensions, are also available in Microsoft Web Platform Installer (Web PI) and can alternatively be installed directly from the Web PI console. Please refer to the Microsoft Web Platform Installer subsection below for details.
- MgmtSvc-CloudSecurity Backend Service: this component sets up the MgmtSvc-CloudSecurity IIS site and provides connectivity and data exchange between Azure Pack and 5nine Cloud Security for Hyper-V.
Click Next.
Enter credentials to connect to the 5nine Cloud Security management server. The user must be assigned the SecurityAdministrator (required) and Auditor (preferable) 5nine Cloud Security roles (please refer to the 5nine Cloud Security for Hyper-V QSG for detailed information). Click Next.
Enter the credentials that Azure Pack will use to communicate with the Cloud Security API web service. For security reasons, do not use Windows/domain account credentials. Click Next. Click Install to start the 5nine Cloud Security for Azure Pack installation process.
Wait until the following screen appears, and then click Finish to complete the 5nine Cloud Security for Azure Pack installation process. The installation is complete, but further steps are required to finalize the 5nine Cloud Security Azure Pack Extension configuration. Refer to the Pre-configuration section below for details.
Microsoft Web Platform Installer

5nine Cloud Security Azure Pack Extension for the Admin site and 5nine Cloud Security Azure Pack Extension for the Tenant site are available and can be installed directly from Microsoft Web Platform Installer (Web PI; get more information and download it at http://www.microsoft.com/web/downloads/platform.aspx). To use this installation option, run the Web PI console on your Azure Pack server(s):
- Go to the Products tab and find the extensions: 5nine Cloud Security for Azure Pack: Admin Site Extension; 5nine Cloud Security for Azure Pack: Tenant Site Extension.
- Click the Add button against the products as required, either both together or just one of them, depending on whether you need to install them on the same server or on different servers (distributed installation).
- Click the Install button at the bottom of the Web PI console.
- Accept the license terms.
- Wait until the installation is complete, and then close the Web PI console.

Pre-configuration

Upon installation, further steps are required to complete the 5nine Cloud Security Network Manager Plugin and 5nine Cloud Security Azure Pack Extension configuration so that all components are fully operable.

5nine Cloud Security Network Manager Plugin pre-configuration

Upon installation, perform the following actions on your SCVMM server to complete the 5nine Cloud Security for Hyper-V Network Manager Plugin configuration:
1. Restart the SCVMM service. Re-open the SCVMM management console, making sure you do so with administrative privileges (Run as Administrator).
2. Go to Settings > Configuration Providers. Check that "5nine Cloud Security Network Management Provider" is present in the configuration providers list.
3. Create a Network Service in SCVMM: go to Fabric > Networking > Network Service (right-click) > Add Network Service:
   - Name the network service (e.g. Cloud Security Filtering Service);
   - Select 5nine Software, Inc CloudSecurity Manager;
   - Enter credentials. The best way is to add the current domain user account that has all the necessary permissions;
   - Connection string: localhost;
   - Host group: check All Hosts.
4. Go to Fabric > Networking > Logical Switches: right-click the logical switch > Properties; select Extensions; check the box against the new 5nine Cloud Security Filtering extension. Click OK.
5. Check that the logical switch extension order in the SCVMM console and in Hyper-V Manager match for each Hyper-V host. Alter the order if necessary using the Move Up/Move Down buttons.
6. Go to Fabric > Networking > Logical Switches: select "Hosts" on the main pane; select the logical switches that are in the Not Compliant state and remediate them. Wait until the state of the logical switch becomes Compliant.
Note: After the remediate action completes, you might have to refresh the hosts that do not run 5nine Cloud Security Host Management Service (if you have such hosts in your environment) to get the logical switches on those hosts to the Compliant state.
5nine Cloud Security Azure Pack Extension pre-configuration

Once 5nine Cloud Security for Azure Pack is installed on your Azure Pack server, complete the following pre-configuration settings to prepare the system for operation:
1. Make sure the proper SSL certificate is selected for the MgmtSvc-CloudSecurity site in your Azure Pack server's IIS settings: go to Computer Management > Services and Applications > Internet Information Services (IIS) Manager. Open Sites under your Azure Pack server and select the MgmtSvc-CloudSecurity site. Right-click the MgmtSvc-CloudSecurity site and select Edit Bindings (or click Edit Site Bindings on the right). Select the site binding and click the Edit button. Ensure that the MgmtSvc-CloudSecurity SSL certificate is selected and click OK.
2. Open the 5nine Cloud Security for Hyper-V Management Console and make sure the Azure Pack domain user (admin) is added to the Cloud Security global admins list. Set the SecurityAdministrator and, preferably, Auditor roles for the Azure Pack domain user. Refer to the 5nine Cloud Security for Hyper-V QSG for details.
Note. If the Azure Pack admin is not present in the Cloud Security global admins list, tenant subscriptions with the Cloud Security service will be out of sync!
3. Open the Azure Pack admin portal, go to the 5NINE CLOUD SECURITY menu item and register the Cloud Security REST endpoint: click the link Connect the portal to your Cloud Security REST endpoint and fill in the Cloud Security REST endpoint registration form:
   - Type the URL of the Cloud Security REST API that the Azure Pack portal will connect to into the REST API ENDPOINT field. The string has the format https://<server>:<port>, where <server> is the hostname of the server where MgmtSvc-CloudSecurity Backend Service is installed and <port> is the TCP port used by MgmtSvc-CloudSecurity Backend Service. The default port is 30077.
   - Enter the user name into the USER NAME field. Use the non-Windows user that you specified earlier during the 5nine Cloud Security Azure Pack Extension (MgmtSvc-CloudSecurity Backend Service component) installation, e.g. Admin.
   - Enter the password you set earlier for this user into the PASSWORD field.
   - Click the V mark in the lower-right corner to save the Cloud Security REST endpoint connection settings. Wait until the endpoint connection is established; it may take several seconds depending on the environment.
Note. In the current version of 5nine Cloud Security Azure Pack Extension it is not possible to change the Cloud Security REST endpoint connection settings once they have been successfully registered.
4. Add the Cloud Security service to the Azure Pack plan(s) in which tenants need to use 5nine Cloud Security Extension:
Cloud Security must be listed as another service in the selected plan(s). At this stage 5nine Cloud Security Azure Pack Extension is configured and ready for operation.

Operations

5nine Cloud Security Azure Pack Extension operation is divided into two parts: admin portal operation and tenant portal operation. These functions reflect the corresponding operations performed via the 5nine Cloud Security Management Console, adapted to the Azure Pack concept. Some operations, such as adding, editing and removing rules, security groups and templates, and loading logs, are common to both the admin and tenant portals. The Admin portal operations subsection below describes operations specific to the Azure Pack admin portal. The Tenant portal operations subsection below describes operations specific to the Azure Pack tenant portal. The Common operations subsection below describes operations common to both portals.

Admin portal operations

Admin portal operations with 5nine Cloud Security functions allow:
- Viewing all virtual machines, whether placed in clouds or directly on hosts, including those deployed by tenants.
- Viewing all tenants, including those created in Azure Pack and those created in the 5nine Cloud Security Management Console.
- Adding and removing managed hosts.
- Applying security policies (adding, editing and removing virtual firewall rules and security groups, and operating the virtual firewall status on virtual machines).
- Setting usage limits.
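Two of the pre-configuration steps above are easy to get subtly wrong and hard to undo: the SSL binding of the MgmtSvc-CloudSecurity site (step 1) and the REST API ENDPOINT string, which cannot be changed once registered (step 3). The script below is an added example, not part of the 5nine manual or product, that reads the site binding from IIS with the WebAdministration module, confirms a certificate is attached, and derives the https://<server>:<port> value to type into the registration form. It assumes the MgmtSvc-CloudSecurity Backend Service runs on the machine where the script is executed, so it uses that machine's FQDN as <server>; adjust that line if the backend service is installed elsewhere. Test-NetConnection confirms that the port actually answers before the value is registered.

```powershell
# Added example, not from the 5nine manual: verify the MgmtSvc-CloudSecurity IIS binding
# (pre-configuration step 1) and derive the REST API ENDPOINT value (step 3).
# Run in an elevated PowerShell session on the Azure Pack server.
Import-Module WebAdministration

$SiteName = 'MgmtSvc-CloudSecurity'   # site name from the manual

function Get-CloudSecurityEndpoint {
    param([string]$Site = $SiteName)
    # First https binding of the site; bindingInformation has the form 'ip:port:hostheader', e.g. '*:30077:'
    $binding = Get-WebBinding -Name $Site -Protocol https | Select-Object -First 1
    if (-not $binding) { throw "No https binding found for site '$Site'" }
    $port = [int](($binding.bindingInformation -split ':')[1])
    # Assumption: the backend service is installed on this server, so its FQDN is <server>
    $server = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    [pscustomobject]@{
        Site           = $Site
        Server         = $server
        Port           = $port
        HasCertificate = [bool]$binding.certificateHash   # empty when no SSL certificate is selected
        Thumbprint     = $binding.certificateHash
        Endpoint       = "https://${server}:${port}"
    }
}

# The registration form expects exactly https://<server>:<port>: no path and no trailing slash.
function Test-EndpointFormat {
    param([string]$Endpoint)
    return ($Endpoint -match '^https://[A-Za-z0-9.-]+:\d{1,5}$')
}

$info = Get-CloudSecurityEndpoint
$info | Format-List

if (-not $info.HasCertificate) {
    Write-Warning "No SSL certificate is bound to $SiteName; fix the binding in IIS before registering the endpoint."
}
if (-not (Test-EndpointFormat $info.Endpoint)) {
    Write-Warning "Endpoint '$($info.Endpoint)' is not in https://<server>:<port> form."
}

# Prove that something is listening before the value is registered (it cannot be changed afterwards).
$tcp = Test-NetConnection -ComputerName $info.Server -Port $info.Port -WarningAction SilentlyContinue
if ($tcp.TcpTestSucceeded) {
    "Value to enter in REST API ENDPOINT: $($info.Endpoint)"
} else {
    Write-Warning "Nothing is listening on $($info.Endpoint); check that the MgmtSvc-CloudSecurity site is started."
}
```

If the thumbprint shown does not belong to the MgmtSvc-CloudSecurity certificate, change the binding in IIS Manager as described in step 1 and run the script again before touching the registration form.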
Adding, removing and changing hosts

To add, remove or change the settings of managed hosts, go to the 5NINE CLOUD SECURITY menu item in the Azure Pack admin portal and select HOSTS. Then use the appropriate button in the lower part of your browser:
- To add a new host, click the ADD button. Then enter the host name and credentials (if applicable), or let the default credentials be used. Click the V mark in the lower-right corner to complete the operation. Azure Pack will inform you whether the operation succeeded.
- To remove a managed host, select it and click the REMOVE button. Then confirm the operation.
- To change the host name and/or credentials, click the CREDENTIALS button. Enter the new name and/or credentials, then click the V mark in the lower-right corner to complete the operation. Azure Pack will inform you whether the operation succeeded.
Viewing virtual machines and log records

To view virtual machines from the admin portal, either go to the VIRTUAL MACHINES tab of the 5NINE CLOUD SECURITY menu item, or open any host to view the VMs on that particular host:

All hosts view:
Selected host view:

Open any VM to view its rule list, filtering log, IDS and network traffic scanner events, and connections table:

View rules list:
View filtering log:
View IDS log:
View network traffic scanner log:
View connections table:

Use the ADD IP RULE and ADD ARP/L2 RULE buttons to add new rules. To edit a rule, select it and then click the EDIT button to open the rule for editing.
Please refer to the Common operations section for details. These operations are similar for the admin and tenant Azure Pack portals. To remove a rule, select it, click the REMOVE button and confirm the operation.

Managing security groups

To manage security groups from the admin portal, go to the VIRTUAL MACHINES GROUPS tab:
- To create a group, click the CREATE button on the bottom panel.
- To remove a security group, select the group and click the REMOVE button on the bottom panel. Confirm the operation.
- To apply a rules template, select the group and click the USE TEMPLATE button on the bottom panel. Please refer to the Common operations section for details. This operation is similar for the admin and tenant Azure Pack portals.
- To add, edit or remove rules in the group, open the target group and go to the RULES tab. Then use the appropriate buttons on the bottom panel. Please refer to the Common operations section for details. These operations are similar for the admin and tenant Azure Pack portals.
- To add virtual machines to or remove them from the security group, go to the MEMBERS tab. Use the appropriate button on the bottom panel to add or remove a member. Please refer to the Common operations section for details. These operations are similar for the admin and tenant Azure Pack portals.

Managing templates

Go to the TEMPLATES tab of the 5NINE CLOUD SECURITY item to view and manage user-defined rule templates. Please refer to the Common operations section for details. These operations are similar for the admin and tenant Azure Pack portals.
User actions audit

Go to the USER ACTIONS LOG tab of the 5NINE CLOUD SECURITY item to view the user actions log. A filter is available to select events by date. Please refer to the Common operations section below.

Disaster recovery management

On the MANAGEMENT SERVERS tab of the 5NINE CLOUD SECURITY item you can set up the disaster recovery feature. Use the appropriate buttons on the bottom panel to add, remove and change the position of management servers:
- To add a new management server, click the ADD button. Then enter the management server parameters and click the V mark to save the changes. Note. 5nine Cloud Security Management Service must be installed on the target server before it is added to the management servers list for disaster recovery. Refer to the 5nine Cloud Security for Hyper-V QSG for details.
- To change the position of a management server, click the MOVE UP or MOVE DOWN button. The top management server is the primary one that takes control over 5nine Cloud Security.
- To remove a management server from the list, click the DELETE button and confirm the operation.
Usage record and limits

5nine Cloud Security Azure Pack Extension includes mandatory service usage recording and a standard usage endpoint for connecting to the billing system. The Azure Pack admin can also set service usage limits for the Cloud Security service within a particular tenant plan. These limits determine the maximum number of virtual machines on which each feature may be enabled (plan quota). The following 5nine Cloud Security features are included in the Azure Pack plan quota for the Cloud Security service:
- Virtual Firewall;
- IDS;
- Network Traffic Scanner.

To set usage limits for the Cloud Security service, select the plan in the Azure Pack admin portal and open the Cloud Security service (the plan must include this service): click the right arrow in the NAME column of the Cloud Security entry. You will see the service quota parameters:
Set the maximum number of virtual machines on which a tenant subscribed to this plan can enable each feature. Type the number into the Usage limit field for the virtual firewall, IDS and traffic scanner features. The default limit is 10 VMs per feature. If you do not need to limit a feature, or any of them, mark the Unlimited option where needed. On the bottom panel click the SAVE button to save the limit settings or the DISCARD button to cancel the changes.

Viewing tenants

5nine Cloud Security Azure Pack Extension does not allow the admin to actively manage tenants. Tenants and subscriptions are managed in the same Azure Pack admin portal by its own standard means, using the USER ACCOUNTS and PLANS menu items. Under the 5NINE CLOUD SECURITY item the admin can work with tenants in observation mode only. All actions on tenants are performed automatically when the corresponding changes are applied through Azure Pack and/or the Cloud Security Management Console. Note that tenants created via Azure Pack are automatically replicated to the main Cloud Security application (database). They must not be manually altered in any way in the Cloud Security Management Console, as that would put the tenant subscription out of sync. Tenants originally created via the 5nine Cloud Security Management Console are also displayed under the 5NINE CLOUD SECURITY item of the Azure Pack admin portal. These tenants are not registered in Azure Pack and cannot use Azure Pack subscriptions or operate VMs. Azure Pack-created tenants are fully capable of 5nine Cloud Security operations. This is the difference between the two kinds of tenant.

To view tenants, go to the TENANTS tab of the 5NINE CLOUD SECURITY item. This tab shows the tenant list and usage statistics for each tenant. The statistics show the virtual firewall, traffic scanner and IDS service quota usage for each tenant in the format <VMs currently in service>/<maximum number of VMs for the service (quota)>. This way you can always check how many VMs each tenant uses in each service and how much of the quota is left.

Tenants that originate from the Azure Pack admin portal have their own passwords, set for each one when the tenant user account is created by the Azure Pack admin. This password grants access to the tenant portal only. It cannot be used to access the 5nine Cloud Security Management Console under the tenant account, because a separate hidden password is used to connect to 5nine Cloud Security; it is generated automatically and is not shown to tenants. The Azure Pack admin can retrieve it if access to the 5nine Cloud Security Management Console under the tenant account is necessary, but cannot change it. To get the internal password, select the tenant in the TENANTS tab of the 5NINE CLOUD SECURITY item in the Azure Pack admin portal and open it; the password is displayed in the INTERNAL PASSWORD column of the USERS subtab. This password is to be used to access the 5nine Cloud Security Management Console under the tenant account when necessary. Do not attempt to change this password using the 5nine Cloud Security Management Console.

Tenant portal operations

Tenant portal operations with 5nine Cloud Security functions allow:
- Adding virtual machines to and removing them from the tenant's 5nine Cloud Security list.
- Viewing the virtual machines deployed by the tenant from the Azure Pack portal, and also those that the 5nine Cloud Security global admin has additionally assigned to the tenant, together with their statuses.
- Applying security policies to the virtual machines assigned to the tenant (adding, editing and removing virtual firewall rules, policy templates and security groups, and operating the virtual firewall status on virtual machines).
- Viewing firewall logs, IDS and network traffic scanner events, and the VM connections table.
- Viewing the user actions log.
Enable 5nine Cloud Security features

The tenant admin deploys virtual machines via the Azure Pack tenant portal using a subscription to an Azure Pack Virtual Machine Clouds plan. 5nine Cloud Security features are disabled on these machines by default. To enable 5nine Cloud Security features on these virtual machines, the tenant must add them to the 5nine Cloud Security service list. The Cloud Security service must be in the same plan as the Virtual Machine Clouds service.

The 5nine Cloud Security global admin can add any virtual machine to, or remove it from, the tenant's 5nine Cloud Security list. If the global admin assigns additional virtual machines to the tenant that are not part of the tenant's subscription, those virtual machines are also displayed under the 5NINE CLOUD SECURITY item of the Azure Pack tenant portal. 5nine Cloud Security features apply to these virtual machines, but Azure Pack native features (guest console, RDP connection etc.) do not.

To add a new virtual machine to 5nine Cloud Security, click the NEW button of the Azure Pack tenant portal, then click CLOUD SECURITY > ADD VM. The VMs that have been deployed by the tenant but not yet added to the tenant's 5nine Cloud Security list appear in the following box. Select the VMs you want to add using the CTRL/SHIFT keys and click the V mark to complete the operation. The selected VMs then appear under the 5NINE CLOUD SECURITY item of the Azure Pack tenant portal.

Viewing virtual machines and log records

To view virtual machines from the tenant portal, go to the VIRTUAL MACHINES tab of the 5NINE CLOUD SECURITY menu item. Open any VM to view its rule list, filtering log, IDS and network traffic scanner events, and connections table:

View rules list:
View filtering log:
View IDS log:
View network traffic scanner log:
View connections table:

Use the ADD IP RULE and ADD ARP/L2 RULE buttons to add new rules. To edit a rule, select it and then click the EDIT button to open the rule for editing. Please refer to the Common operations section for details. These operations are similar for the admin and tenant Azure Pack portals. To remove a rule, select it, click the REMOVE button and confirm the operation.

Managing security groups

To manage security groups from the tenant portal, go to the VIRTUAL MACHINE GROUPS tab. To add, edit or remove a security group, click the appropriate button on the bottom panel.
- To add, edit or remove rules in the group, open the target group and go to the RULES tab. Then use the appropriate buttons on the bottom panel.
- To add virtual machines to or remove them from the security group, go to the MEMBERS tab. Use the appropriate button on the bottom panel to add or remove a member.
Please refer to the Common operations section for details. All these operations are similar for the admin and tenant Azure Pack portals.
Managing templates

Go to the TEMPLATES tab of the 5NINE CLOUD SECURITY item to view and manage user-defined rule templates. Please refer to the Common operations section for details. These operations are similar for the admin and tenant Azure Pack portals.

User actions audit

5nine Cloud Security audits user actions. It records in its database every action users perform while working with 5nine Cloud Security. These records cannot be modified by any user; they can only be viewed. Go to the USER ACTIONS LOG tab of the 5NINE CLOUD SECURITY item to view the user actions log. A filter is available to select events by date. Please refer to the Common operations section below.
Common operations

This section describes operations common to the admin and tenant Azure Pack portals.

Operations with security groups

Creating a new security group: after clicking the CREATE button on the bottom panel of the admin or tenant portal, enter the parameters for the new group: set the group name and select virtual machines. Use the CTRL/SHIFT keys to select the virtual machines for the group. Then click the V mark to save the group.

To edit a security group, select it and click the EDIT button. Alter the group parameters just as when creating a new group.

To remove a security group, select it and click the REMOVE button. Then confirm the operation.

To add rules to a security group, select the target security group, open it, go to the RULES tab and click ADD IP RULE or ADD ARP/L2 RULE to add a new rule. Please refer to the Adding rules subsection below for details.

To edit a rule in a security group, select the target security group, open it, go to the RULES tab, select the rule and click the EDIT button. Then alter the rule parameters just as when adding a new rule and save the changes by clicking the V mark on the last page of the ADD RULE wizard.

To remove a rule from a security group, select the target security group, open it, go to the RULES tab, select the rule, click the REMOVE button and confirm the operation.

To add members to a security group, open the target security group, go to the MEMBERS tab and click the ADD VM TO GROUP button. Select the virtual machines using left click, the up/down arrow keys and the CTRL/SHIFT keys. Click the V mark to add the selected virtual machines to the security group.

To remove a virtual machine from a security group, select the target security group, go to the MEMBERS tab, select the virtual machine, click the DELETE VM button and confirm the operation.
Operations with templates To create a new template click the CREATE button on the bottom panel of the admin or tenant portals. Then enter parameters name and description (optional) for the new template: Click the V mark to save the template. To edit template, select it and click the EDIT button. Alter template parameters just like when creating a new template. To remove template, select it and click the REMOVE button. Then confirm the operation. To add rules into the template, select the target template, open it and click the ADD IP RULE/ADD ARP/L2 RULE to add a new rule. Please refer to the Adding rules subsection below for details. To edit the rule in the template, select the target template, open it, select the rule and click the EDIT button. Then alter rule parameters just like when adding the new rule and save the changes by clicking the V mark on the last page of the ADD RULE wizard. To remove the rule from the template, select the target template, open it, select the rule, click the REMOVE button and confirm the operation. 46
To apply a template to a virtual machine or a security group, select the target virtual machine or security group in the admin or tenant portal and use the appropriate buttons on the bottom panel:
Then select the template to apply to the target virtual machine or group:
Click the V mark to complete the operation.
Managing virtual firewall protection status
Select the VM whose 5nine Cloud Security Virtual Firewall protection status you need to manage and use the appropriate buttons on the bottom panel of the admin or tenant Azure Pack portal:
The target VM will get the On or Off virtual firewall status accordingly.
Managing IDS status
Select the target virtual machine in the admin or tenant portal and use the appropriate buttons on the bottom panel to manage the IDS status:
The target VM will get the On or Off IDS status accordingly.
Managing traffic scanner status
Select the target virtual machine in the admin or tenant portal and use the appropriate buttons on the bottom panel to manage the Traffic scanner status:
The target VM will get the On or Off traffic scanner status accordingly.
Adding rules
5nine Cloud Security Virtual Firewall rules can be added to a virtual machine's rule list, a security group's rule list or a template's rule list. Select the necessary entity (virtual machine, security group or template) in the admin or tenant Azure Pack portal and use the appropriate buttons on the bottom panel:
- To add an ARP/L2 rule:
Enter the parameters for the new ARP/L2 rule:
NAME: use any convenient name to identify the rule in the list.
DESCRIPTION (optional): enter a detailed description if necessary.
ACTION: select the action the rule applies to the corresponding network traffic. Only the allow and block actions are applicable to an ARP/L2 rule. Note that 5nine Cloud Security blocks all traffic by default when the virtual machine's firewall protection is enabled. However, in certain cases you may need to use both rule actions across multiple rules to create a proper set. Also note that a blocking rule has higher priority than a corresponding allowing rule where the two cross or overlap, regardless of its position in the list and regardless of whether it is added to a security group the target VM is a member of or directly to the VM's rule list. Please refer to the 5nine Cloud Security for Hyper-V QSG for details.
TYPE: set the traffic direction with respect to the target VM(s): any applies the rule in both directions; inbound applies the rule to inbound traffic only; outbound applies the rule to outbound traffic only.
Click the right arrow to proceed.
FRAME TYPE (HEX): enter the frame type that identifies the L2 protocol. By default two values are available from the list: ARP (0806) and RARP (0835). Type the necessary number for the L2 protocol. The ARP protocol additionally lets you specify remote IP addresses to limit the rule's action to.
REMOTE MACS: enter the remote MAC addresses to/from which the L2/ARP traffic is sent/received. An empty field counts as any MAC address.
Click the right arrow to proceed.
ADDRESS TYPE: select the address type:
Any. The rule will apply to any MAC address type.
Broadcast. The rule will apply to broadcast MACs only (FF:FF:FF:FF:FF:FF).
Unicast. The rule will apply to unicast MACs only.
Multicast. The rule will apply to multicast MACs only (0x:01:00:5E:00:00:xx).
VLAN ID: enter the VLAN number to add the VLAN tagging option to the rule. The rule will apply only to frames with the specified VLAN ID.
Click the V mark to save the changes.
- To add an IP rule:
Enter the parameters for the new IP rule:
NAME: use any convenient name to identify the rule in the list.
DESCRIPTION (optional): enter a detailed description if necessary.
ACTION: select the action the rule applies to the corresponding network traffic. The following options are available for an IP rule:
allow: allow all packets, including SPI packets.
allow (no SPI): allow direct packets only; SPI packets will be filtered.
block: block all packets.
Note that 5nine Cloud Security blocks all traffic by default when the virtual machine's firewall protection is enabled. However, in certain cases you may need to use both rule actions across multiple rules to create a proper set. Also note that a blocking rule has higher priority than a corresponding allowing rule where the two cross or overlap, regardless of its position in the list and regardless of whether it is added to a security group the target VM is a member of or directly to the VM's rule list. Please refer to the 5nine Cloud Security for Hyper-V QSG for details.
TYPE: set the traffic direction with respect to the target VM(s): any applies the rule in both directions; inbound applies the rule to inbound traffic only (SPI packets will be excluded if the allow action is set); outbound applies the rule to outbound traffic only (SPI packets will be excluded if the allow action is set).
SPI packets are normally allowed through the 5nine Cloud Security virtual firewall when the corresponding traffic is set to be passed through it. For example, an inbound allowing rule for RDP on TCP port 3389 with the allow action set will also let the corresponding outbound SPI packets pass from TCP port 3389 to the remote private TCP port on the remote host that initiated the RDP session. This is considered an established TCP connection and is displayed in the connections table for the target VM. In certain situations such connections are dropped by timeout, which results in losing the current session. Using the allow (no SPI) action you can set two separate rules for inbound and outbound traffic to avoid such issues.
In the given example it will look like:
allow (no SPI), inbound, TCP, local ports 3389, remote ports empty (any);
allow (no SPI), outbound, TCP, local ports 3389, remote ports empty (any).
Such sessions are not recognized by the 5nine Cloud Security virtual firewall as established TCP connections and are not displayed in the connections table for the target virtual machine, while the sessions themselves are allowed and are not dropped by timeout, unlike SPI-based TCP connections.
Click the right arrow to proceed.
PROTOCOL: select the protocol used to send the traffic type. You have the following options:
Any: any IP protocol.
ICMP or ICMPv6: ICMP (ICMPv6) protocol. The following additional option is available for these protocols: MESSAGE TYPES: Echo Reply 0, Destination Unreachable 3, Source Quench 4, Redirect (change route) 5, Echo Request 8, Time Exceeded 11, Parameter Problem 12, Timestamp Reply 14, Information Request 15, Information Reply 16, Address Mask Request 17, Address Mask Reply 18. Enter the required number(s) separated by commas (spaces will be added automatically). Leave the field empty to allow all types of ICMP messages.
TCP: TCP protocol.
UDP: UDP protocol.
GRE: GRE protocol.
LOCAL PORTS (if applicable): enter the local ports through which the traffic flows. An empty field counts as any local port.
REMOTE PORTS (if applicable): enter the remote ports through which the traffic flows. An empty field counts as any remote port.
REMOTE IPS: enter the remote IP addresses to/from which the traffic is sent/received. An empty field counts as any address.
Click the right arrow to proceed.
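The following Python is an added example, not 5nine code: it models how the ACTION, TYPE, PROTOCOL and port parameters of IP rules combine as described above (default block, block winning over allow in any list and position, and SPI replies admitted only by a plain allow rule). The rule semantics are assumed from the manual's text, and the RDP rule set and port numbers are constructed sample values.

```python
# Added example (not 5nine code): a model of how IP rule parameters combine, following
# the manual's description. Assumed semantics: everything is blocked by default, a
# matching block rule always wins over a matching allow rule (any list, any position),
# "allow" also admits reply packets of the flow it allows, "allow (no SPI)" does not.
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple

@dataclass(frozen=True)
class IpRule:
    name: str
    action: str                                  # "allow", "allow (no SPI)" or "block"
    direction: str                               # "any", "inbound" or "outbound"
    protocol: str = "Any"                        # "Any", "TCP", "UDP", "ICMP", "GRE"
    local_ports: FrozenSet[int] = frozenset()    # empty means any port
    remote_ports: FrozenSet[int] = frozenset()

    def matches(self, direction: str, protocol: str, lport: int, rport: int) -> bool:
        return (self.direction in ("any", direction)
                and self.protocol in ("Any", protocol)
                and (not self.local_ports or lport in self.local_ports)
                and (not self.remote_ports or rport in self.remote_ports))

def evaluate(rule_lists: List[List[IpRule]], direction: str, protocol: str,
             lport: int, rport: int) -> Tuple[str, str]:
    """rule_lists holds the VM's own rules plus those of every security group it belongs
    to. Returns (verdict, rule name); the verdict is "block" unless some rule allows."""
    matching = [r for rules in rule_lists for r in rules
                if r.matches(direction, protocol, lport, rport)]
    for r in matching:                 # block has priority regardless of list or position
        if r.action == "block":
            return "block", r.name
    if matching:
        return "allow", matching[0].name
    # Stateful inspection: an "allow" rule for the opposite direction admits the reply
    # packets of that flow; an "allow (no SPI)" rule does not, so a second rule is needed.
    reverse = "outbound" if direction == "inbound" else "inbound"
    for rules in rule_lists:
        for r in rules:
            if r.action == "allow" and r.matches(reverse, protocol, lport, rport):
                return "allow (SPI)", r.name
    return "block", "default"

# Constructed sample: the manual's two-rule no-SPI RDP pattern in the VM's own list and
# a security group that blocks inbound RDP.
VM_RULES = [
    IpRule("RDP in", "allow (no SPI)", "inbound", "TCP", frozenset({3389})),
    IpRule("RDP out", "allow (no SPI)", "outbound", "TCP", frozenset({3389})),
]
GROUP_RULES = [IpRule("Deny RDP", "block", "inbound", "TCP", frozenset({3389}))]
```

With only the inbound no-SPI rule, the outbound half of the RDP session falls back to the default block, which is why the manual pairs it with an outbound rule; adding the group's block rule overrides both allows whatever the list order.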
REMOTE VMS: select the remote virtual machines to/from which the traffic is sent/received. An empty field assumes any remote VM. Use the SHIFT/CTRL key and left click for multiple selection.
REMOTE MACS: enter the remote MAC addresses to/from which the traffic is sent/received. An empty field assumes any address.
Click the right arrow to proceed.
ADDRESS TYPE: select the address type to which the traffic is sent:
Any: all address types will be considered by the rule.
Broadcast: only broadcast traffic will be considered by the rule, e.g. traffic sent to an IPv4 address like x.x.x.255 with a subnet mask like 255.255.255.0 (VLSM broadcast addresses are also considered; they depend on the subnet mask length in each case).
Unicast: only traffic sent to a single receiver will be considered, e.g. traffic sent to a single IPv4 host address like 192.168.1.10 with a subnet mask of 255.255.255.0.
Multicast: only multi-recipient traffic will be considered. E.g. in IPv4 the target addresses must be within the range 224.x.x.x to 239.x.x.x.
Note. Certain types of traffic are unicast, multicast or broadcast by their nature. E.g. an RDP connection on port 3389 is of the unicast type, and Link Local Multicast Name Resolution on port 5355 is of the multicast type. You have to be aware of this when setting this parameter so that the rule applies correctly, unless you choose to set it to Any.
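As an added example (not 5nine code), the following Python classifies an IPv4 destination address the way the ADDRESS TYPE options above describe, including the mask-dependent VLSM broadcast address, and applies the VLAN ID convention described in the next step (0 for untagged frames only, 4095 for any VLAN). The classification logic is assumed from the manual's wording; the subnets and addresses are constructed sample values.

```python
# Added example (not 5nine code): ADDRESS TYPE classification for IPv4 destinations as the
# manual describes it (assumed semantics), plus the VLAN ID matching convention
# (0 = untagged frames only, 4095 = any VLAN, otherwise exact tag match).
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

LIMITED_BROADCAST = IPv4Address("255.255.255.255")

def address_type(dst: str, vm_network: str) -> str:
    """Return "Broadcast", "Multicast" or "Unicast" for a destination address.
    vm_network is the target VM's address with its mask, e.g. "192.168.1.10/24"; the
    directed (VLSM) broadcast address depends on the mask length, as the manual notes."""
    addr = IPv4Address(dst)
    net = IPv4Network(vm_network, strict=False)   # strict=False tolerates host bits
    if addr == LIMITED_BROADCAST or addr == net.broadcast_address:
        return "Broadcast"
    if addr.is_multicast:                          # 224.0.0.0 to 239.255.255.255
        return "Multicast"
    return "Unicast"

def address_type_matches(rule_type: str, dst: str, vm_network: str) -> bool:
    """ADDRESS TYPE "Any" matches everything; otherwise the classes must agree, which is
    why a rule for a multicast protocol such as LLMNR must not be set to Unicast."""
    return rule_type == "Any" or address_type(dst, vm_network) == rule_type

def vlan_matches(rule_vlan: int, frame_vlan: Optional[int]) -> bool:
    """frame_vlan is None when the frame carries no 802.1Q tag."""
    if rule_vlan == 4095:          # any VLAN, tagged or not
        return True
    if rule_vlan == 0:             # untagged frames only
        return frame_vlan is None
    return frame_vlan == rule_vlan
```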
VLAN ID: enter the VLAN number to add the VLAN tagging option to the rule. The rule will apply only to frames with the specified VLAN ID. Use 0 for no VLAN tagging (the rule will not apply to packets with VLAN tagging) and 4095 for any VLAN (the rule will apply to all packets regardless of VLAN).
Click the V mark to save the changes.
Changing VM settings
To change VM settings, select the target VM in the admin or tenant Azure Pack portal and click the VM SETTINGS button:
Then alter the following parameters as needed:
Check the DEFINE IP MANUAL box to specify the VM IP address for 5nine Cloud Security manually.
Enter the IP addresses (if applicable) that are assigned to the VM in the IP ADDRESS field as shown in the picture above. In most cases you don't have to do this, because normally the IP address is detected automatically by 5nine Cloud Security. However, there are certain situations in which this option is needed, such as VMs based on a non-Windows OS, where 5nine Cloud Security is unable to detect the VM IP configuration automatically. In such cases it is necessary to set the IP address manually so that Virtual Firewall rules work for this kind of virtual machine.
Note: The IP address set here manually does not affect the actual IP settings of the virtual machine. It is only used by 5nine Cloud Security to analyze the virtual machine traffic and properly apply virtual firewall rules when it is unable to detect the address automatically.
Set the allowed send/receive bandwidth limits:
- Enter the maximum allowed send bandwidth (in Kbps) in the SEND BANDWIDTH field.
- Enter the maximum allowed receive bandwidth (in Kbps) in the RECEIVE BANDWIDTH field.
Blank fields set unlimited bandwidth.
Click the right arrow to proceed.
Set the virtual firewall and IDS logging parameters:
- Select the virtual firewall logging level:
Filtered: only filtered VM events will be recorded to the log.
Allowed: only allowed VM events will be recorded to the log.
All (default): all VM events except SPI packets will be recorded to the log.
No Logging: none of the VM events will be recorded to the log.
Allowed and SPI: allowed VM events and allowed SPI packets will be recorded to the log.
All and SPI: all VM events including SPI packets will be recorded to the log. This is the maximal logging level.
- Enter the number of days to keep the log records in the LOG RETENTION DAYS / IDS LOG RETENTION DAYS field.
- Enter the maximum number of records that will be added to the log in the LOG RECORDS COUNT / IDS LOG RECORDS COUNT field.
Click the V mark to save the VM settings.
User actions log filter
To filter the user actions log by date, click the FILTER button on the bottom panel of the admin or tenant Azure Pack portal:
Set the start and finish dates to filter events. Use the built-in calendar for convenience.
Click the V mark to apply the filter.
Uninstallation
The current version of Azure Pack does not allow removing services from plans that have active subscriptions unless those subscriptions are removed from the user accounts. Therefore, before uninstalling the 5nine Cloud Security Azure Pack Extension, make sure that all subscriptions using plans with the Cloud Security service enabled are removed. Then do the following from the admin portal:
- Remove the Cloud Security service from all plans to which it has been added: select the plan and open the plan services. Select the Cloud Security service and click the REMOVE SERVICE button on the bottom panel. This is only possible if no active subscriptions are using the plan.
- Using the single setup application, select Extension for Azure Pack and click Uninstall:
- Unregister the cloudsecurity resource provider from Azure Pack. Open PowerShell with administrative privileges (using the Run as Administrator start option) and run the following cmdlets in the order shown:
  $rp = Get-MgmtSvcResourceProviderConfiguration -Name "cloudsecurity"
  Remove-MgmtSvcResourceProviderConfiguration -Name "cloudsecurity" -InstanceId $rp.instanceid
Make sure the cloudsecurity resource provider has been successfully unregistered by running the cmdlet:
  Get-MgmtSvcResourceProviderConfiguration -Name "cloudsecurity"
It should return an empty result.