Automatically add trusted IPs to an Azure IP Group for Azure Firewall

For many reasons we choose to not use a VPN for traffic which is already encrypted and authenticated. Sometimes this is a challenge though, especially when the authentication opens us up for password guessing attacks. 

In this case, that vulnerability is our on-premises Exchange Server which is needed for Public Folder access amongst other things. We've tried different solutions to prevent this, including the Azure Web Application Firewall, but always end up needing to expose a portion of the Exchange Web Services to the internet. 

I'm sure some of you are wondering what we are doing wrong with Exchange to need this but I really can't recall each of the obstacles we ran into while trying to nail this down. 

Our latest attempt at mitigating this vulnerability collects the IP addresses of all of our trusted clients and automatically adds then to an Azure IP Group which is used in an Azure Firewall rule to allow HTTPS traffic to our on-premises Exchange Server.

The solution utilizes the following:

  • Azure Functions
  • Azure Firewall
  • Azure IP Groups
  • PowerShell
  • Intune

1. We used Intune to push out a Powershell Script which will run every 5 minutes. One caveat we ran into was Intune Powershell scripts will only run once in most cases but we found a great script from Jos Lieben which will allow for the script to run every 5 minutes. It can be found here.

The PowerShell code inserted into Jos's script is simple. It just retrieves the NAT address of the client and sends a POST with the IP address to the Azure Function App webhook. The PowerShell code is:

## Test if client already has access to our server on port 443
$connectstatus = Test-NetConnection -port 443 ourserver.com

## If the connection fails run the code to get public IP of the client
if ($connectstatus.TcpTestSucceeded -ne "True") {
$ipaddress=(Invoke-WebRequest -usebasicparsing -uri "https://api.ipify.org").Content
if ($ipaddress) {

Invoke-WebRequest -method POST -usebasicparsing -Uri "https://p-functionapp-allowip.azurewebsites.net/api/ExchangeAllowIP?code=xxx==&ipaddress=$ipaddress"
}
else {
    $ipaddress=(Invoke-WebRequest -usebasicparsing -uri "http://ifconfig.me/ip").Content  
    if ($ipaddress) {
        Invoke-WebRequest -method POST -Uri "https://p-functionapp-allowip.azurewebsites.net/api/ExchangeAllowIP?code=xxx==&ipaddress=$ipaddress"
    }  
}
}

That code is just inserted into Jos's script at the bottom where he includes comments on where to insert it.

2. The client runs the script above every 5 minutes to POST its IP address to the Azure Function App web hook. The Function App code is as follows:
using namespace System.Net
# Input bindings are passed in via param block.
param($Request, $TriggerMetadata)
# Interact with query parameters or the body of the request.
$ipaddress = $Request.Query.ipaddress
if (-not $ipaddress) {
$name = $Request.Body.ipaddress
}
# Write to the Azure Functions log stream.
Write-Host "PowerShell HTTP trigger function processed a request."
$ipGroup = Get-AzIpGroup -Name "p-ipg-exchangeclients" -ResourceGroupName "p-ipg-exchangeclients"
if ($ipGroup.IpAddresses.Contains($ipaddress)) {
return
}
else {
$ipGroup.IpAddresses.Add($ipaddress)
Set-AzIpGroup -IpGroup $ipGroup
$body = "This HTTP triggered function executed successfully. Pass a name in the query string or in the request body for a personalized response."
if ($ipaddress) {
}
$body = "The IP address $ipaddress has been added to the IP Group $ipGroup.IpAddresses"
}
# Associate values to output bindings by calling 'Push-OutputBinding'.
Push-OutputBinding -Name Response -Value ([HttpResponseContext]@{
StatusCode = [HttpStatusCode]::OK
Body = $body
})
view raw FunctionAppAddIpAddressToIpGroup hosted with ❤ by GitHub


3. When creating the Function App in Azure you are given the option to create a System Assigned Identity. Doing so will make sure that your Function App only has permissions to modify the IP Group which will be used in the Azure Firewall rule to allow HTTPS to the Exchange Server.

When we created the IP Group we also created a Resource Group containing only this one object. So we are able to scope the permissions of the Azure Function App Identity to be a Contributor to that Resource Group:





Notes:
We chose to use an Azure Premium Function App to gain the advantage of always having a warmed instance to fire the Function so everything runs as quickly as possible.

Currently, the Azure Firewall requires a Save after the IP Group has been modified to recognize the new IP addresses in the IP Group. I've created a Feedback to hopefully have this resolved which can be found here. I'll be modifying my Function App to issue a Save to the firewall to automate this in the future.

Comments

Post a Comment

Popular posts from this blog

Auto-installing extensions on Firefox using Intune

Image
To build onto my previous blog post concerning ADMX ingestion in Intune to configure Mozilla Firefox settings I'm going to show you how to auto-install extensions in Firefox with Intune. In this example I'm using the uBlock Origin extension as an example. First you'll need to get the URL of the extension. This is different from Chrome where you just need to get the ID of the extension. The easiest way I found to do this is to open Firefox and go to the Extensions Page  at Mozilla and locate the extensions you want to install. Then right-click and copy the link to the "Add to Firefox" button on the extension page. Save the link for later. Now go to the Custom OMA-URI Settings profile in Intune and add a new row. Configure the fields as follows: Name : Extensions_Install OMA-URI (case sensitive):  ./Device/Vendor/MSFT/Policy/Config/Firefox~Policy~firefox~Extensions/Extensions_Install Data type (String value)*: <enabled/> <data id="...
Read more

Disable DNS over HTTPS in Firefox using Intune

Image
Mozilla makes available admx files (Group Policy settings) which allow you to configure some settings in Firefox using Group Policy.  I'm trying to move away from using Group Policy to manage our endpoints since it requires connectivity to a Domain Controller which in turn depends on a VPN connection for remote computers. Too many dependencies there for my taste and Intune makes it much easier to push out changes with the push of a button. This week I've been trying to use a custom configuration profile in Intune to disable DNS over HTTPS on our Windows endpoints. Some of our IPS functionality uses DNS requests to block access to certain websites and DNS over HTTPS makes it easy to bypass that method of content blocking. Intune offers something they call "ADMX ingestion" which sounds weird and biological but basically it just lets you apply Group Policy like functionality using Intune. Making changes to Chrome was easy using this method because Google has a...
Read more

How to find the OMA-URI from ingested ADMX files

Image
There's a great  article  explaining how to ingest third party ADMX files into Intune and then configure policy using Intune per the settings in the ADMX file. I had trouble piecing together the OMA-URI using the steps in the article so I'm writing to explain a method I found which I feel is much easier to determine the OMA-URI. After ingesting the ADMX file into Intune assign the profile to a test device and then using Regedit browse to the following location: Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PolicyManager\AdmxDefault That will list all of the settings along with the OMA-URI paths to include in your Intune profile for the Custom OMA-URI Settings. Just be sure to replace the backslash in the registry path with a forward slash as shown below:
Read more