...
The first thought that came to mind: since we're running several Linux servers already on IPv6-only, would it be possible to run a Windows server also exclusively on IPv6?
Last year my intern Joris Claassen has proved that it was possible to run a basic VMware VSphere cluster on IPv6 only, and that included a Windows box as well. So things look bright.
...
To manage the server, Remote Desktop Protocol (RDP) is used, which supports IPv6 without any configuration.
Windows Update
Unfortunately the Microsoft Update servers are also available only on IPv4 .
Microsoft Update
According to Microsoft, Windows 8 will use IPv6, if available, to download Windows Updates. They will works with Content Delivery Networks (CDNs) to extend IPv6 support later. So at this time, for Windows Server 2008 R2, the update servers are accessible only through IPv4.
As a solution I I set-up a dual-stack limiting HTTP proxy server, and added a number of regular expressions to allow Windows updates to happen.
Details of the proxy and the Windows configuration process are described on a separate page.
Microsoft Updates to happen.
Details of the proxy and the Windows configuration process are described on a separate page.
As can be seen from the lists, several other URLs also need whitelisting, such as CRLs and OCSPs.
Windows Activation
Same story here. Activating Windows is done by several HTTP POSTs to URLs in the go.microsoft.com domain, which is not (yet) accessible through IPv6:
http://go.microsoft.com/fwlink/?LinkID=88342 | Processor Certificate URL |
http://go.microsoft.com/fwlink/?LinkID=88343 | Machine Certificate URL |
http://go.microsoft.com/fwlink/?LinkID=88345 | Use License URL |
http://go.microsoft.com/fwlink/?LinkID=88344 | Product Key Certificate URL |
Since the proxy server was already in place, I just needed to add this domain to the proxy whitelist, and then the Windows activation succeeded.
As can be seen from the lists, several other URLs also need whitelisting, such as CRLs and OCSPs.
Secunia CSI
This tool monitors installed software for vulnerabilities. We have the corporate version CSI 6. This is a service that registers itself at Secunia to download patch lists, upload results, etc.
...
Now that the server has an SSL certificate, it should be monitored so that we the admins get a warning when it is about to expire in about 3 years. The way I usually do this is by using a Nagios plugin to monitor a service that uses the certificate, and then pick the certificate expiration option of the plugin. For example the check_smtp plugin has this option:
...
Connecting to SQL Server on port 1433 does not do anythingyielded nothing, the handshake wasn't establisched, so that's a dead end for now. Connecting Connecting to RDP on port 3389 however happens with a nice TLS 1.0 handshake
...