Windows Server 2012 R2 server hardening and best practices

You can search for Windows Server hardening until you’re blue in the face and find a little bit here and there; the sum of those parts is still less than the whole of this article. I’m going to provide you with my own personal hardening guidelines, as well as the PowerShell code and GPO settings to easily implement them. In addition, I’m going to throw in some best practices. That said, every environment is different… so do your own testing and research, but feel free to use this as your baseline.

PowerShell

Set TcpTimedWaitDelay to 30 seconds to avoid running out of ephemeral ports

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -propertytype dword -value 30 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' -name TcpTimedWaitDelay -value 30 -errorAction SilentlyContinue | Out-Null

Set Priority Separation to background services

Set-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' -name Win32PrioritySeparation -value 24 -errorAction SilentlyContinue | Out-Null

Disable NIC power management

# Same effect as the 21 unrolled entries this replaces: instance keys 0000-0020 under the
# network adapter class GUID are created if missing and PnPCapabilities is set to 24 (0x18).
$nicClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
foreach ($i in 0..20) {
    # Build the path by concatenation; the GUID's braces would break a -f format string.
    $key = $nicClass + '\' + ('{0:D4}' -f $i)
    New-Item -path $key -errorAction SilentlyContinue | Out-Null
    New-ItemProperty -path $key -name PnPCapabilities -propertytype dword -value 24 -errorAction SilentlyContinue | Out-Null
    Set-ItemProperty -path $key -name PnPCapabilities -value 24 -errorAction SilentlyContinue | Out-Null
}

Turn UAC off since it just gets in the way and doesn’t add as much security as Microsoft tried to sell us on

Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name ConsentPromptBehaviorAdmin -value 0 -errorAction SilentlyContinue | Out-Null
Set-ItemProperty -path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -name EnableLUA -value 0 -errorAction SilentlyContinue | Out-Null

Set DEP to Opt-In

bcdedit /set nx OptIn | Out-Null

Configure WinRM

winrm quickconfig -quiet | Out-Null

Enable Windows Firewall

netsh advfirewall set allprofiles state on | Out-Null

Disable Server Manager from running at login

schtasks /change /disable /tn "\Microsoft\Windows\Server Manager\ServerManager" | Out-Null

Disable IE (make sure you have Chrome installed… or don’t use web browsing at all on the server and use a central software repo)

dism /online /disable-feature /featurename:Internet-Explorer-Optional-amd64 | Out-Null

Disable SMBv1. If you have any vendors at all still using SMBv1, open up a support ticket every day until they fix it. That’s just stupid.

sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force | Out-Null
Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol -NoRestart | Out-Null

Rename the Administrator account

$admin = [adsi]"WinNT://./Administrator,user"
$admin.psbase.Rename("therealadmin")

Configure NTP

# Use sc.exe explicitly: in PowerShell, "sc" is an alias for Set-Content
sc.exe config w32time start= auto | Out-Null
sc.exe start w32time | Out-Null
Start-Sleep -Seconds 5
w32tm /config /syncfromflags:domhier /update | Out-Null

Configure Windows to dump full memory.dmp file

wmic recoveros set DebugInfoType=1 | Out-Null
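A build script is only half the job; you also want to confirm the settings are still in place after patching, a GPO change or a vendor "fix". The following is an added example, not code from the original post, that reads back the state the script above configures and reports any drift. It assumes an elevated session on Windows Server 2012 R2 with the in-box SmbShare, NetSecurity, DISM and ScheduledTasks modules; the function and check names are my own.

```powershell
# Added example (not from the original post): read back each setting the hardening
# script applies and report drift. Assumes an elevated session on Windows Server 2012 R2.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

function Test-HardeningBaseline {
    $results = New-Object System.Collections.Generic.List[object]
    # Each check records what was expected, what was found, and whether they matched.
    function Add-Check([string]$Check, $Expected, $Actual, [bool]$Pass) {
        $results.Add([pscustomobject]@{ Check = $Check; Expected = $Expected; Actual = $Actual; Pass = $Pass })
    }
    function Add-EqualCheck([string]$Check, $Expected, $Actual) {
        Add-Check $Check $Expected $Actual ($null -ne $Actual -and "$Actual" -eq "$Expected")
    }

    Add-EqualCheck 'TcpTimedWaitDelay' 30 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters' 'TcpTimedWaitDelay')
    Add-EqualCheck 'Win32PrioritySeparation' 24 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\PriorityControl' 'Win32PrioritySeparation')

    # NIC power management: check only the adapter instances that actually exist.
    $nicClass = 'HKLM:\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}'
    Get-ChildItem $nicClass -ErrorAction SilentlyContinue | Where-Object { $_.PSChildName -match '^\d{4}$' } | ForEach-Object {
        $desc = Get-RegValue $_.PSPath 'DriverDesc'
        Add-EqualCheck "PnPCapabilities ($desc)" 24 (Get-RegValue $_.PSPath 'PnPCapabilities')
    }

    # DEP policy lives in the boot configuration, so parse the "nx" line of bcdedit output.
    $nx = bcdedit /enum '{current}' 2>$null | Select-String -Pattern '^\s*nx\s+(\S+)'
    $nxValue = if ($nx) { $nx.Matches[0].Groups[1].Value } else { $null }
    Add-EqualCheck 'DEP (bcdedit nx)' 'OptIn' $nxValue

    $disabledProfiles = @(Get-NetFirewallProfile | Where-Object { "$($_.Enabled)" -ne 'True' })
    Add-EqualCheck 'Firewall profiles disabled' 0 $disabledProfiles.Count
    $winrm = Get-Service WinRM -ErrorAction SilentlyContinue
    Add-EqualCheck 'WinRM service running' 'Running' $winrm.Status
    $smTask = Get-ScheduledTask -TaskPath '\Microsoft\Windows\Server Manager\' -TaskName ServerManager -ErrorAction SilentlyContinue
    Add-EqualCheck 'ServerManager task' 'Disabled' $smTask.State
    $ie = Get-WindowsOptionalFeature -Online -FeatureName Internet-Explorer-Optional-amd64 -ErrorAction SilentlyContinue
    Add-EqualCheck 'IE optional feature' 'Disabled' $ie.State

    # SMBv1: the server protocol flag, the optional feature, and the mrxsmb10 client driver (Start 4 = disabled).
    Add-EqualCheck 'SMB1 server protocol' $false (Get-SmbServerConfiguration).EnableSMB1Protocol
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName smb1protocol -ErrorAction SilentlyContinue
    Add-EqualCheck 'SMB1 optional feature' 'Disabled' $smb1.State
    Add-EqualCheck 'mrxsmb10 start type' 4 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' 'Start')

    # The built-in Administrator is the local account whose SID ends in -500, whatever it is called now.
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" | Where-Object { $_.SID -like '*-500' }
    Add-Check 'Built-in Administrator renamed' 'not "Administrator"' $builtin.Name ($builtin -and $builtin.Name -ne 'Administrator')

    Add-EqualCheck 'W32Time start type' 2 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time' 'Start')
    $source = w32tm /query /source 2>$null | Select-Object -First 1
    Add-Check 'Time source is not the local clock' 'domain hierarchy' $source ($source -and $source -notmatch 'Local CMOS Clock')

    # wmic recoveros DebugInfoType=1 corresponds to CrashDumpEnabled = 1 (complete memory dump).
    Add-EqualCheck 'Complete memory dump' 1 (Get-RegValue 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl' 'CrashDumpEnabled')

    $results
}

$report = Test-HardeningBaseline
$report | Format-Table -AutoSize
if ($report | Where-Object { -not $_.Pass }) { Write-Warning 'Baseline drift detected; see the Pass=False rows above.' }
```

Run it locally after the build script, or wrap `Test-HardeningBaseline` in `Invoke-Command` against a list of servers and filter on `Pass -eq $false` to get a fleet-wide drift report.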

Group Policy

Disable display of the last username (because there are Python scripts out there that can scrape usernames via RDP using OCR). Yea, it’s that easy for people to find usernames to brute-force on your network. We’re also going to disable cached logons; it’s too easy for attackers to exploit these saved credentials.

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Interactive Logon

Interactive logon: Do not display last username: Enabled
Interactive logon: Number of previous logons to cache: 0

Enable SMB signing. Without it you’re basically giving your network away to attackers.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Client

Microsoft Network client: Digitally sign communication (if server agrees): enabled

Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Microsoft Network Server

Microsoft Network server: Digitally sign communication (always): enabled
Microsoft Network server: Digitally sign communication (if client agrees): enabled

Full paranoia mode… let’s clear that pagefile at shutdown.


Computer>Policies>Windows Settings>Security Settings>Local Policies/Security Options>Shutdown

Shutdown: Clear virtual memory pagefile: enabled

Disable WPAD because it leaks NTLMv1 hashes, which are easy to crack.

Computer>Policies>Windows Settings>Security Settings>System Services

WinHTTP Web Proxy Auto-Discovery Service (Startup Mode: Disabled)

Turn off LLMNR, because poisoning is bad mmmmkay.


Computer>Policies>Administrative Templates>Network/DNS Client

Turn off multicast name resolution: enabled

Turn off WDigest, another leaky NTLM hash hole.

Computer>Preferences>Windows Settings>Registry

HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest
UseLogonCredential 0x0 (DWORD)

Enable NLA for Remote Desktop. There’s zero reason NOT to do this.


Computer>Administrative Templates>Windows Components>Remote Desktop Services>Remote Desktop Session Host/Security

Require user authentication for remote connections by using Network Level Authentication

Change DNS TTL to 300 seconds (5 minutes) instead of the default. If something happens and the IP changes, this will minimize the outage for clients.


Computer>Administrative Templates>Network>DNS Client

TTL value for A and PTR records: enabled, 300 seconds
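Group Policy settings end up as registry values on the member server, so they can be verified the same way as the script settings, and the Security log tells you whether the WPAD/LLMNR/WDigest changes actually removed NTLMv1 from your network. The script below is an added example, not part of the original post: it checks the documented registry locations behind the policies listed above and then summarises successful logons (event 4624) that negotiated NTLM V1, by account and source address. It assumes an elevated session on Windows Server 2012 R2 and a Security log that has not been cleared; the function names are my own.

```powershell
# Added example (not from the original post): verify the registry values behind the GPO
# settings above, then report NTLMv1 logons from the Security log.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Documented registry locations for each policy. CachedLogonsCount is REG_SZ, so every
# comparison is done as a string.
$PolicyChecks = @(
    @{ Policy = 'Do not display last user name';        Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';            Name = 'DontDisplayLastUserName';  Expected = 1 },
    @{ Policy = 'Cached logons';                        Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                Name = 'CachedLogonsCount';        Expected = '0' },
    @{ Policy = 'SMB client signing (if server agrees)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters';     Name = 'EnableSecuritySignature';  Expected = 1 },
    @{ Policy = 'SMB server signing (always)';          Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';           Name = 'RequireSecuritySignature'; Expected = 1 },
    @{ Policy = 'SMB server signing (if client agrees)'; Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';          Name = 'EnableSecuritySignature';  Expected = 1 },
    @{ Policy = 'Clear pagefile at shutdown';           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';  Name = 'ClearPageFileAtShutdown';  Expected = 1 },
    @{ Policy = 'WinHTTP WPAD service disabled';        Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\WinHttpAutoProxySvc';               Name = 'Start';                    Expected = 4 },
    @{ Policy = 'LLMNR off';                            Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                    Name = 'EnableMulticast';          Expected = 0 },
    @{ Policy = 'WDigest UseLogonCredential';           Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest';          Name = 'UseLogonCredential';       Expected = 0 },
    @{ Policy = 'RDP requires NLA';                     Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services';            Name = 'UserAuthentication';       Expected = 1 },
    @{ Policy = 'DNS registration TTL';                 Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient';                    Name = 'RegistrationTtl';          Expected = 300 }
)

function Test-PolicyBaseline {
    foreach ($c in $PolicyChecks) {
        $actual = Get-RegValue $c.Path $c.Name
        [pscustomobject]@{
            Policy   = $c.Policy
            Expected = $c.Expected
            Actual   = $actual
            Pass     = ($null -ne $actual -and "$actual" -eq "$($c.Expected)")
        }
    }
}

# Successful logons (4624) whose LmPackageName is "NTLM V1" show which clients and accounts
# would still hand a crackable hash to a WPAD/LLMNR poisoner; the field lives in the event XML.
function Get-NtlmV1Logons {
    param([int]$Hours = 24, [int]$MaxEvents = 5000)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -MaxEvents $MaxEvents -ErrorAction SilentlyContinue | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['LmPackageName'] -eq 'NTLM V1') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Account = "$($d['TargetDomainName'])\$($d['TargetUserName'])"
                Source  = $d['IpAddress']
            }
        }
    } | Group-Object Account, Source | Sort-Object Count -Descending |
        Select-Object Count, @{ n = 'Account'; e = { $_.Group[0].Account } }, @{ n = 'Source'; e = { $_.Group[0].Source } }
}

Test-PolicyBaseline | Format-Table -AutoSize
Get-NtlmV1Logons | Format-Table -AutoSize
```

The NLA check reads the policy key that the GPO writes; the effective per-listener value can also be read from the `Win32_TSGeneralSetting` WMI class if the policy is not applied. An empty result from `Get-NtlmV1Logons` over a few days is the evidence you want before raising the LAN Manager authentication level to refuse NTLMv1 outright.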

… and that’s all I have. These are lessons learned through various security audits and technical issues I’ve run into over the years. I deploy these to every server that gets spun up, and recently received praise from the guys at Rapid7 during our last security audit. I made it very difficult for them 🙂

Did you find value in this article?
Feel free to donate!
BTC 13QFVycCaP3QV8uRXKSm7picypE1a2gLYx
LTC LPA3M2mHcwJG5WpKi8oyS2RiJoLHt1bXyw
ETH 0x0cd8434f8C47fC2d92197748958824B8e7bFD2f2

The “easy” way to set up a Nutanix Disaster Recovery site

Nutanix is great for many reasons, I won’t go into all of them here, but one of my favorite features is the asynchronous replication. If your environment is configured correctly, setting up a disaster recovery environment can be super simple.

Let’s start with prerequisites:

  • At least 2 sites running Nutanix
  • Network infrastructure capable of configuring VRFs
  • Virtual IPAM solution, or duplicate IPAM hardware for test/dev
  • Asynchronous replication is already configured to the remote site

Now, let’s make some assumptions. Your corporate network is 10.0.0.0/16, and you have multiple subnets for various things. The only subnets we care about for this scenario are the ones added to networking within Nutanix. Let’s pretend it’s a single subnet, 10.0.1.0/24, on VLAN 101. Your second site can be any site, dedicated to disaster recovery or ROBO. Networking for the DR site is irrelevant for now.

The first thing we’re going to do is plan out the DR networking requirements. You have one or more protection domains (PDs) being replicated on a single VLAN. The remote site probably has its own networking. There are a whole bunch of things we could probably do (VXLAN, for instance), but we’re going to make this simple. VRFs allow us to create duplicate networks without a conflict on interfaces or in routing tables. You’ll need a single VRF and one VLAN assigned to that VRF. I’m going to use Brocade VDX (NOS) in this example.

First, the VLAN interfaces. Remember how I said we only needed one? Yea, well… you could probably get away with one, but I like to use a /30 for firewalls, so we’ll add that now as well as the WAN VLAN. I’ll explain later. We’ll be making all of these changes to the switching/routing infrastructure at your disaster recovery site.

int vlan 1099
name DR_WAN
int vlan 1100
name DR_FWP2P
int vlan 1101
name DR_SUBNET10_1

Now I’m going to define the VRF. The VDX in my example is running in a VCS fabric. The default gateway will come into play later. Also, we’re enabling OSPF to make things easy. The default gateway for the new VRF will be whatever firewall you use. Virtual firewall, dedicated firewall… whatever you want.

rbr 1
vrf dr-vrf
address-family ipv4 unicast
ip route 0.0.0.0/0 10.255.255.1
router ospf vrf dr-vrf
area 0

Next up, we’re going to set up the router interfaces. I’m going to assume you use DHCP and have two DHCP servers. I actually prefer to use DHCP and DHCP reservations for servers (cattle, not pets; see the DevOps mentality). The IPAM solution I use has great APIs that are leveraged during the automated build process to automatically reserve an IP in a pool of addresses. The WAN VLAN does not require a routed interface; we just need that layer 2 connection.

interface Ve 1100
vrf forwarding dr-vrf
ip ospf area 0
no ip proxy-arp
ip address 10.255.255.2/30
no shutdown
interface Ve 1101
vrf forwarding dr-vrf
ip ospf area 0
ip dhcp relay address 10.0.1.10
ip dhcp relay address 10.0.1.11
no ip proxy-arp
ip address 10.0.1.1/24
no shutdown

At this point, we have three VLANs on a VRF with two routed interfaces. The next step is to add all three VLANs (1099, 1100 and 1101) to all of your Nutanix interfaces, and also into Prism networking. I typically use the VLAN name in the switch as the name in Prism for consistency. Once the VLANs are added, go into the Protection Domains at both sites and remap the production network to the DR VRF network. Let’s visualize it…

Now… why the firewall VLAN? To make things REALLY easy, I recommend using a permanent virtual firewall that is always running in your DR environment. Several vendors offer virtual instances now, and many of them will offer discounted rates for non-production environments. This applies to load balancers as well… If you use the same vendor, likely, you can backup and restore the config periodically so that the firewall and load balancers are always ready for a DR event. You will need a dedicated internet connection, or at the very least, a spare dedicated IP you can assign to the DR firewall (which would end up reusing a pre-existing WAN VLAN or moving WAN connections to a switched VLAN). You will likely not be able to use your ROBO firewall due to IP and routing conflicts (firewalls are not VRF aware), hence a separate virtual firewall. In this case, I’m using VLAN 1099.

WAN connection -> switch port on VLAN 1099 -> VLAN 1099 added to all Nutanix interfaces -> VLAN 1099 assigned to virtual firewall NIC 1 “WAN”
VLAN 1100 added to all Nutanix interfaces -> VLAN 1100 assigned to virtual firewall NIC 2 “LAN”

Configure your firewall appropriately. I assigned 10.255.255.2/30 to the switch, so assign 10.255.255.1/30 to the firewall LAN interface. Assign an appropriate IP to your WAN interface. You have a lot of remote access options here… SSL VPN, IPsec VPN, RemoteApp (if you are a Windows environment), Citrix, etc. Essentially, however your users typically access your production environment is how you want to configure your DR firewall. You can use Amazon’s Route53 or DNSMadeEasy for DNS failover, or a specific DR DNS record. For example, if production users go to remote.whateveryourdomainis.com, then DR would be remote-dr.whateveryourdomainis.com. The rest is user education.

So, to recap, we have our PDs mapped to our new VRF network, and a virtual firewall that mimics our production firewall, with its own dedicated IP. At this point you can activate the PD on the ROBO site. All of the VMs will get added to Prism… double-check the VLAN assignment if you wish. Power everything up. Your self-contained DR is now ready to go. If your team is compartmentalized (network admins, server admins, Nutanix admins, etc.) this may be more difficult to accomplish, as it requires a great deal of teamwork. However, I highly recommend this route, as it is extremely easy to set up, test and run. When you’re done testing, shut everything down and deactivate the PD.
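A DR test is only meaningful if you check that the activated VMs really landed on the DR VRF network rather than silently keeping production addresses. The script below is an added example, not part of the original post: run it from a Windows VM powered on inside the activated PD and it confirms the DHCP lease is inside the DR subnet, the default gateway is the VRF’s Ve 1101 address, the gateway, firewall LAN side and DHCP relay targets answer ICMP, and the DR hostname resolves. The defaults are the addresses used in this article (10.0.1.0/24, 10.0.1.1, 10.255.255.1, 10.0.1.10 and 10.0.1.11) plus the article’s placeholder DR hostname; that the firewall’s LAN interface answers ping is an assumption, and the function names are my own.

```powershell
# Added example (not from the original post): post-activation network checks for a VM
# booted inside the activated PD at the DR site. Addresses default to the article's values.

function ConvertTo-UInt32Address([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)                      # network byte order -> host order for arithmetic
    [BitConverter]::ToUInt32($b, 0)
}

function Test-IpInSubnet([string]$Ip, [string]$Cidr) {
    $net, $bits = $Cidr -split '/'
    $mask = if ([int]$bits -eq 0) { [uint32]0 } else { [uint32](([uint64]0xFFFFFFFF -shl (32 - [int]$bits)) -band 0xFFFFFFFF) }
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $net) -band $mask)
}

function Test-DrNetwork {
    param(
        [string]$DrSubnet      = '10.0.1.0/24',
        [string]$Gateway       = '10.0.1.1',
        [string]$FirewallLan   = '10.255.255.1',
        [string[]]$DhcpServers = @('10.0.1.10', '10.0.1.11'),
        [string]$DrHostname    = 'remote-dr.whateveryourdomainis.com'   # article's placeholder name
    )
    $checks = New-Object System.Collections.Generic.List[object]
    function Add-Check([string]$Check, $Actual, [bool]$Pass) {
        $checks.Add([pscustomobject]@{ Check = $Check; Actual = $Actual; Pass = $Pass })
    }

    # 1. The VM should hold a DHCP lease from the DR subnet, not a production address it kept.
    $ip = Get-NetIPAddress -AddressFamily IPv4 | Where-Object { $_.PrefixOrigin -eq 'Dhcp' } | Select-Object -First 1
    Add-Check "DHCP lease inside $DrSubnet" $ip.IPAddress ($ip -and (Test-IpInSubnet $ip.IPAddress $DrSubnet))

    # 2. The default route must point at the VRF's Ve 1101 interface.
    $route = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -AddressFamily IPv4 -ErrorAction SilentlyContinue | Select-Object -First 1
    Add-Check "Default gateway is $Gateway" $route.NextHop ($route.NextHop -eq $Gateway)

    # 3. Reachability of the gateway, the firewall LAN side of the /30, and the DHCP relay targets.
    foreach ($target in (@($Gateway, $FirewallLan) + $DhcpServers)) {
        $ok = Test-NetConnection -ComputerName $target -InformationLevel Quiet -WarningAction SilentlyContinue
        Add-Check "ICMP to $target" $ok ([bool]$ok)
    }

    # 4. The name users are told to use in a DR event must resolve.
    $dns = Resolve-DnsName -Name $DrHostname -Type A -ErrorAction SilentlyContinue
    $first = ($dns | Where-Object { $_.IPAddress } | Select-Object -First 1).IPAddress
    Add-Check "Resolve $DrHostname" $first ([bool]$first)

    $checks
}

$result = Test-DrNetwork
$result | Format-Table -AutoSize
if ($result | Where-Object { -not $_.Pass }) { Write-Warning 'DR network validation failed; check the Pass=False rows before declaring the test good.' }
```

Override the parameters for your own subnet and hostname; a failing first check almost always means the PD’s network mapping was not remapped to the DR VRF network at one of the two sites.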

If you have a DMZ in addition to a production network, you can create a second VRF or add the DMZ network to the same VRF as production. This would obviously remove security constraints, but in a DR scenario… what do you want to be troubleshooting? ACLs and multiple VRFs? or would you rather focus on restoring access to end users… Every environment is unique, some environments will require mirrored security constraints. Others will not, and for those I suggest dumping ALL VLANs into a single DR VRF for simplicity.

Side note: Fortinet, in my opinion, has an amazing product line and a UI/UX similar to what I’ve come to appreciate about Nutanix. We use them pretty heavily at the office, so they provided us with a virtual FortiGate and virtual FortiADC (load balancer) for practically nothing. It took about 5 minutes to spin them both up. I highly recommend looking at their products. As an alternative, their larger hardware firewalls support virtual domains (think: virtualized firewalls, or VRF but for firewalls). If your company is budget-minded, you can place your DR and production firewalls on the same hardware. I’m sure other vendors are capable of this, but I’ve found that Fortinet makes it super easy.
