The Windows Azure Pack is a collection of web services (Microsoft Azure technology) that provides a self-service portal to your customers (or tenants). The Windows Azure Pack integrates with your System Center and Windows Server infrastructure to turn your datacenter into a private cloud. It is the same web interface as Microsoft Azure. The self-service portal included in the Windows Azure Pack (WAP for friends) provides multi-tenant self-service for websites, Virtual Machines, databases and more. Administrators also have a self-service portal to manage resource clouds, user accounts or subscriptions.
Because Windows Azure Pack is a large piece, in this topic we will look at some architecture details and at how to install Windows Azure Pack without any integration with System Center or Windows Server. The integration will be covered in future topics.
Architecture
Several standard architectures are described in this TechNet topic. For my mockup, I have chosen the minimal distributed deployment architecture (cf. TechNet topic). This architecture allows me to understand how Windows Azure Pack works. So my WAP architecture is composed of three servers:
VMWAP01-THUB01 hosts the tenant components. This server is exposed to the Internet so that tenants can connect to the management portal. On this server, I’m going to install these components:
- Tenant Public API: this API enables tenants to manage and configure services that they subscribe to (through PowerShell command for example). Usually this API is publicly exposed.
- Tenant Authentication Site: this site is used to authenticate tenants on the management portal.
- Management portal for tenants: this is a self-service portal for tenants where they manage services that they subscribe to. The provided services can be Virtual Machines, Databases or Web Sites.
VMWAP02-AHUB01 hosts the Windows Azure Pack management part. Administrators connect to this server to manage Windows Azure Pack. On this server, I’m going to install these components:
- Admin API: this API enables administrators to manage Windows Azure Pack from the management portal or from PowerShell commands.
- Tenant API: this API enables tenants to manage and configure services that they subscribe to (through PowerShell command for example). Usually this API is not publicly exposed.
- Admin Authentication Site: this site is used to authenticate administrators on the management portal.
- Management portal for administrators: this is an administration portal where you manage the services that you provide (Virtual Machine clouds, Web Site clouds, Databases etc.). You can also manage user accounts, allocated resources, plans or subscriptions.
To finish, VMWAP03-SQL01 is my database server. I have installed SQL Server 2012 SP1 CU9 on this server.
I have chosen this architecture because it does not require many servers (my mockup runs on my own server with limited resources :)) and it is easily scalable to try high availability. Moreover, since tenant services and admin services are separated, it helps me to understand how Windows Azure Pack works.
Prerequisites
The information below comes from this TechNet topic.
For my distributed installation, the following requirements apply to VMWAP01-THUB01 and VMWAP02-AHUB01:
- Hardware requirements
- CPU: 2
- RAM: 8GB (without Dynamic Memory)
- Available hard disk space: 40GB
- Software requirements
- Windows Server® 2012 or Windows Server 2012 R2 (see Windows Server 2012 compatibility for information on which version is best for you)
- Microsoft Web Platform Installer 4.6
- Microsoft .NET Framework 3.5 Service Pack (SP) 1
- Internet Information Services (IIS) 8 (built-in component of Windows Server® 2012) or IIS 8.5 (built-in component of Windows Server 2012 R2)
- .NET Framework 4.5 Extended, with ASP.NET for Windows 8
SQL Server consideration
The information below comes from this TechNet topic.
Supported SQL Server versions | Windows Azure Pack express deployment | Windows Azure Pack distributed deployment
SQL Server 2012 Service Pack 1 | SQL Server Express or full version | Full version only on a dedicated machine
SQL Server 2008 R2 Service Pack 2 | SQL Server Express or full version | Full version only on a dedicated machine
SQL Server 2008 Service Pack 3 | SQL Server Express or full version | Full version only on a dedicated machine
Public services installation (VMWAP01-THUB01)
After installing the prerequisites described above, start IIS Manager (inetmgr) and run the Web Platform Installer. Install the following components:
- Windows Azure Pack: Tenant Public API
- Windows Azure Pack: Tenant Authentication Site
- Windows Azure Pack: Tenant Site
Next, click on Install. On the Prerequisites screen, click on I Accept.
Next, select your Microsoft Update option (at the bottom of the window) and click on Continue.
When the installation is done, click on Continue to launch the Windows Azure Pack setup.
On the Database Server Setup screen, specify your database server settings. Provide a passphrase for the configuration store. Be aware that the same passphrase needs to be used on all machines of this deployment. Next, click on the right arrow.
On the next screen, click on the tick at the bottom right of the screen.
Once the web page is closed, you can click on Finish on the Web Platform Installer screen.
Privileged services installation (VMWAP02-AHUB01)
After installing the prerequisites described above, start IIS Manager (inetmgr) and run the Web Platform Installer. Install the following components:
- Windows Azure Pack: Admin API
- Windows Azure Pack: Tenant API
- Windows Azure Pack: Admin Authentication Site
- Windows Azure Pack: Admin Site
Once you have selected all the components needed, click on Install. On the Prerequisites screen, click on I Accept.
Next, set the Microsoft Update option as you want and click on Continue.
Once the installation is done, click on Continue to launch the Windows Azure Pack Setup.
On the Database Server Setup screen, specify your database server settings. Enter the passphrase for the Configuration Store; it must be the same as the one you entered previously.
To launch the features setup, click on the tick at the bottom right of the screen.
Once the configuration is finished, you can click on Finish on the Web Platform Installer screen.
Web sites binding configuration
Now that the components are installed, we will modify the certificate and the port binding of the websites. By default, self-signed certificates and non-standard ports are used. That means that you have to enter https://<YourServerName> followed by a port number and accept the security warning about the self-signed certificate to access the management portal from your web browser.
To change the binding configuration I will do the following:
- Create DNS aliases to use friendly names such as www.mydomain.com.
- Get a trusted Web Server certificate
- Change the Web Sites binding
- Update the Windows Azure Pack configuration
Create DNS alias
First of all, open the DNS console (dnsmgmt.msc). The table below describes the DNS alias associated with each Web Site:
DNS Alias | Server Name | WebSite
www | VMWAP01-THUB01 | MgmtSvc-TenantSite
Auth | VMWAP01-THUB01 | MgmtSvc-AuthSite
api | VMWAP01-THUB01 | MgmtSvc-TenantPublicAPI
wapadmin | VMWAP02-AHUB01 | MgmtSvc-AdminSite
wapadminauth | VMWAP02-AHUB01 | MgmtSvc-WindowsAuthSite
So I have created my DNS aliases as below:
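The same aliases can be created from PowerShell instead of the DNS console. The script below is an added example, not code from the original post; it assumes the DnsServer module (RSAT-DNS-Server) is installed, that the zone is named home.net like the rest of this post, and that the records are CNAMEs pointing at the two WAP servers. It skips aliases that already exist and then checks from the client side that each name resolves to the host it should.

```powershell
# Added example (not from the original post): create the CNAME aliases from the table above
# on the home.net zone and verify them. Assumes the DnsServer module is available.
Import-Module DnsServer

$Zone = 'home.net'
# alias -> server that hosts the corresponding MgmtSvc-* site
$Aliases = @{
    'www'          = 'VMWAP01-THUB01'
    'auth'         = 'VMWAP01-THUB01'
    'api'          = 'VMWAP01-THUB01'
    'wapadmin'     = 'VMWAP02-AHUB01'
    'wapadminauth' = 'VMWAP02-AHUB01'
}

foreach ($alias in $Aliases.Keys) {
    $target = "$($Aliases[$alias]).$Zone"
    $existing = Get-DnsServerResourceRecord -ZoneName $Zone -Name $alias -RRType CName -ErrorAction SilentlyContinue
    if ($existing) {
        # Do not silently overwrite: an alias already pointing elsewhere deserves a look.
        Write-Host "$alias.$Zone already exists -> $($existing.RecordData.HostNameAlias)"
        continue
    }
    Add-DnsServerResourceRecordCName -ZoneName $Zone -Name $alias -HostNameAlias $target
    Write-Host "Created $alias.$Zone -> $target"
}

# Client-side check: every alias must resolve to the expected WAP server.
foreach ($alias in $Aliases.Keys) {
    $expected = "$($Aliases[$alias]).$Zone"
    $cname = Resolve-DnsName -Name "$alias.$Zone" -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' }
    if ($cname.NameHost -ne $expected) {
        Write-Warning "$alias.$Zone resolves to '$($cname.NameHost)', expected '$expected'"
    } else {
        Write-Host "$alias.$Zone -> $($cname.NameHost) OK"
    }
}
```

Run it on a DNS server of the zone (or on a machine with the RSAT DNS tools pointed at one). The resolution check matters because the certificate names and the IIS host headers configured in the next steps all rely on these aliases resolving to the right server.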
Get a Web Server trust certificate
To achieve this part, you need a Public Key Infrastructure such as AD Certificate Services. I will not show you how to configure the certificate services. I have configured my Certificate Services to allow enrollment from the Web Server template. For further information you can see this topic.
First I enroll VMWAP01-THUB01. For that:
- Open an MMC;
- Click on File and Add or Remove Snap-In;
- Select Certificates and click on Add. Choose the computer account snap-in on the local computer;
- Right click on Certificates in the Personal store and choose All Tasks and Request a New Certificate;
- Select Active Directory Enrollment Policy and click on Next;
- Select the Web Server template and click on the Warning link.
Set the following configuration:
- Subject Name Type: Common Name
- Subject Name Value: VMWAP01-THUB01.home.net
- Alternative Name (type DNS):
- www.home.net
- Auth.home.net
- Api.home.net
Once you have made the configuration, click on OK.
On the Request Certificates screen, click on Enroll.
To finish, you can click on Finish :).
To enroll a certificate for VMWAP02-AHUB01, follow the same procedure as above, except on this screen:
- Subject Name Type: Common Name
- Subject Name Value: VMWAP02-AHUB01.home.net
- Alternative Name (Type DNS):
- Wapadmin.home.net
- Wapadminauth.home.net
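The same enrollment can be scripted with Get-Certificate from the PKI module (Windows Server 2012+). This is an added example, not code from the original post: it assumes the Active Directory enrollment policy is reachable, that the Web Server template (internal name WebServer) lets the requester supply the subject, and that it is run locally on each WAP server since the private key must stay in that machine's store. The host name table mirrors the two screens above; the checks afterwards confirm the chain validates and every alias is in the SAN before the certificate is bound in IIS.

```powershell
# Added example (not from the original post): enroll the Web Server SAN certificate for the
# local WAP server. Assumes AD CS enrollment policy and a WebServer template with
# "supply in the request" subject. Run on VMWAP01-THUB01 and on VMWAP02-AHUB01.
Import-Module PKI

# Subject alternative names per server, as in the MMC screens above.
$SansByHost = @{
    'VMWAP01-THUB01' = 'www.home.net', 'auth.home.net', 'api.home.net'
    'VMWAP02-AHUB01' = 'wapadmin.home.net', 'wapadminauth.home.net'
}
$sans = $SansByHost[$env:COMPUTERNAME]
if (-not $sans) { throw "No SAN list defined for $env:COMPUTERNAME" }
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# CN = server FQDN. The FQDN is repeated in -DnsName because browsers ignore the CN
# as soon as a SAN extension is present.
$result = Get-Certificate -Template WebServer `
    -SubjectName "CN=$fqdn" `
    -DnsName (@($fqdn) + $sans) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }
$cert = $result.Certificate

# Sanity checks before the certificate goes into an IIS binding.
if (-not $cert.Verify()) { throw "Chain for $($cert.Thumbprint) does not validate on this machine" }
if (-not $cert.HasPrivateKey) { throw "Private key missing for $($cert.Thumbprint)" }
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
foreach ($name in $sans) {
    if ($sanText -notmatch [regex]::Escape($name)) { Write-Warning "$name is missing from the SAN extension" }
}
Write-Host "Issued $($cert.Subject), thumbprint $($cert.Thumbprint)"
Write-Host "SAN: $sanText"
```

If the status comes back as Pending, the template requires CA manager approval; issue the request on the CA and run Get-Certificate -Request on the pending request object rather than enrolling a second time.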
Change Websites binding
Now it is time to change the Websites binding. I begin with VMWAP01-THUB01. Open IIS Manager (inetmgr) and navigate to the sites. The following Web Sites will be modified:
- MgmtSvc-AuthSite (auth.home.net)
- MgmtSvc-TenantPublicAPI (api.home.net)
- MgmtSvc-TenantSite (www.home.net)
For each of the above sites, right click on it and select Edit Bindings. Select the https binding and click on Edit. Change the configuration as below:
Now I do the same thing on the VMWAP02-AHUB01 Web Sites. Open IIS Manager (inetmgr) and navigate to the sites. The following Web Sites will be modified:
- MgmtSvc-AdminSite (wapadmin.home.net)
- MgmtSvc-WindowsAuthSite (wapadminauth.home.net)
For each of the above sites, right click on it and select Edit Bindings. Select the https binding and click on Edit. Change the configuration as below:
Now we have to tell Windows Azure Pack that the configuration has changed. This is the goal of the next part :).
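The binding changes on both servers can also be done with the WebAdministration module. This is an added example, not code from the original post; it assumes the Web Server certificate enrolled earlier is in the local machine Personal store with the server FQDN as CN, and it reads the existing https binding of each MgmtSvc-* site rather than hardcoding the installer's ports. Because several sites share port 443 on one address, the new bindings use SNI (SslFlags 1), which IIS 8 on Windows Server 2012 supports.

```powershell
# Added example (not from the original post): replace the self-signed https binding of each
# WAP site with host-name based port 443 bindings on the enrolled SAN certificate.
# Run on VMWAP01-THUB01 and on VMWAP02-AHUB01.
Import-Module WebAdministration

# site -> host header, per server (same mapping as the DNS alias table).
$SitesByHost = @{
    'VMWAP01-THUB01' = @{
        'MgmtSvc-TenantSite'      = 'www.home.net'
        'MgmtSvc-AuthSite'        = 'auth.home.net'
        'MgmtSvc-TenantPublicAPI' = 'api.home.net'
    }
    'VMWAP02-AHUB01' = @{
        'MgmtSvc-AdminSite'       = 'wapadmin.home.net'
        'MgmtSvc-WindowsAuthSite' = 'wapadminauth.home.net'
    }
}
$sites = $SitesByHost[$env:COMPUTERNAME]
if (-not $sites) { throw "No binding map defined for $env:COMPUTERNAME" }

# Newest certificate with a private key whose CN is this server's FQDN.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with CN=$fqdn and a private key in LocalMachine\My" }

foreach ($site in $sites.Keys) {
    $hostName = $sites[$site]
    if (-not (Get-Website -Name $site)) { Write-Warning "Site $site not found, skipping"; continue }

    # Show and then drop the installer's https binding (self-signed cert, non-standard port).
    Get-WebBinding -Name $site -Protocol https |
        ForEach-Object { Write-Host "$site old binding: $($_.bindingInformation)" } 
    Get-WebBinding -Name $site -Protocol https | Remove-WebBinding

    # SslFlags 1 = SNI: the host name selects the certificate, so sites can share 443.
    New-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName -SslFlags 1
    $binding = Get-WebBinding -Name $site -Protocol https -Port 443 -HostHeader $hostName
    $binding.AddSslCertificate($cert.Thumbprint, 'my')
    Write-Host "$site -> https://$hostName (cert $($cert.Thumbprint))"
}

# Final state; sslFlags 1 confirms SNI is on for every https binding.
Get-WebBinding | Where-Object { $_.protocol -eq 'https' } |
    Format-Table protocol, bindingInformation, sslFlags -AutoSize
```

After this, the portals only answer on the friendly names, so the next part (updating the Windows Azure Pack configuration store with the new FQDNs and port) is mandatory, otherwise the sites still redirect to the old host name and port.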
Update Windows Azure Pack configuration
You can find the documentation here.
On VMWAP01-THUB01 run the following PowerShell commands:
- Update Windows Azure Pack settings
Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "www.home.net" -Port 443 -Server "VMWAP03-SQL01"
Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "auth.home.net" -Port 443 -Server "VMWAP03-SQL01"
Set-MgmtSvcFqdn -Namespace "TenantPublicAPI" -FullyQualifiedDomainName "api.home.net" -Port 443 -Server "VMWAP03-SQL01"
- Update the WAP authentication service for the tenant portal
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://Auth.home.net/FederationMetadata/2007-06/FederationMetadata.xml' -Server "VMWAP03-SQL01"
- Update the authentication service redirection location to the tenant portal:
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://www.home.net/FederationMetadata/2007-06/FederationMetadata.xml' -Server "VMWAP03-SQL01"
On VMWAP02-AHUB01 run the following PowerShell commands:
- Update Windows Azure Pack settings
Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName "wapadmin.home.net" -Port 443 -Server "VMWAP03-SQL01"
Set-MgmtSvcFqdn -Namespace "WindowsAuthSite" -FullyQualifiedDomainName "wapadminauth.home.net" -Port 443 -Server "VMWAP03-SQL01"
- Update the WAP authentication service for the admin portal
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://wapAdminAuth.home.net/FederationMetadata/2007-06/FederationMetadata.xml' -Server "VMWAP03-SQL01"
- Update the authentication service redirection location to the admin portal:
Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://wapadmin.home.net/FederationMetadata/2007-06/FederationMetadata.xml' -Server "VMWAP03-SQL01"
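The commands above, put into one script that picks the right set by server name and uses variables instead of retyped strings. This is an added example, not code from the original post. Both Set-MgmtSvcRelyingPartySettings and Set-MgmtSvcIdentityProviderSettings download the federation metadata from the endpoint you give them (the stack trace quoted in the comments below shows ReadMetadataFromEndpoint doing exactly that), so the script first fetches each metadata URL over a normally validated TLS connection: a broken DNS alias, a wrong IIS binding or an untrusted certificate shows up as a plain WebException here instead of inside the cmdlet. The SQL server name and the host names are the ones used in this post.

```powershell
# Added example (not from the original post): Set-MgmtSvcFqdn / RelyingParty / IdentityProvider
# driven by variables, with a reachability check of the federation metadata endpoints first.
# Run on VMWAP01-THUB01 (tenant side) and on VMWAP02-AHUB01 (admin side).
$SqlServer    = 'VMWAP03-SQL01'
$MetadataPath = '/FederationMetadata/2007-06/FederationMetadata.xml'
$TenantFqdn   = @{ TenantSite = 'www.home.net'; AuthSite = 'auth.home.net'; TenantPublicAPI = 'api.home.net' }
$AdminFqdn    = @{ AdminSite = 'wapadmin.home.net'; WindowsAuthSite = 'wapadminauth.home.net' }

function Test-MetadataEndpoint([string]$Url) {
    # No certificate-validation bypass here on purpose: a failure means the certificate,
    # DNS alias or IIS binding must be fixed, not ignored with -DisableCertificateValidation.
    try {
        $resp = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
        Write-Host "$Url -> HTTP $($resp.StatusCode)"
        return ($resp.StatusCode -eq 200)
    } catch {
        Write-Warning "$Url -> $($_.Exception.Message)"
        return $false
    }
}

function Set-WapTrust([hashtable]$Fqdn, [string]$RelyingPartyTarget, [string]$AuthNamespace,
                      [string]$IdentityProviderTarget, [string]$PortalNamespace) {
    # 1. Record the friendly names and port 443 in the configuration store.
    foreach ($ns in $Fqdn.Keys) {
        Set-MgmtSvcFqdn -Namespace $ns -FullyQualifiedDomainName $Fqdn[$ns] -Port 443 -Server $SqlServer
    }
    # 2. Both metadata documents must be reachable before the trust settings are touched.
    $authMetadata   = "https://$($Fqdn[$AuthNamespace])$MetadataPath"
    $portalMetadata = "https://$($Fqdn[$PortalNamespace])$MetadataPath"
    if (-not ((Test-MetadataEndpoint $authMetadata) -and (Test-MetadataEndpoint $portalMetadata))) {
        throw 'Federation metadata not reachable over trusted TLS; trust settings left unchanged'
    }
    # 3. The portal trusts the authentication site; the authentication site redirects to the portal.
    Set-MgmtSvcRelyingPartySettings     -Target $RelyingPartyTarget     -MetadataEndpoint $authMetadata   -Server $SqlServer
    Set-MgmtSvcIdentityProviderSettings -Target $IdentityProviderTarget -MetadataEndpoint $portalMetadata -Server $SqlServer
}

switch ($env:COMPUTERNAME) {
    'VMWAP01-THUB01' { Set-WapTrust $TenantFqdn 'Tenant' 'AuthSite'        'Membership' 'TenantSite' }
    'VMWAP02-AHUB01' { Set-WapTrust $AdminFqdn  'Admin'  'WindowsAuthSite' 'Windows'    'AdminSite'  }
    default          { throw "Run this on VMWAP01-THUB01 or VMWAP02-AHUB01, not on $env:COMPUTERNAME" }
}

# What the configuration store holds now, for all five namespaces.
foreach ($ns in (@($TenantFqdn.Keys) + @($AdminFqdn.Keys))) {
    Get-MgmtSvcFqdn -Namespace $ns -Server $SqlServer
}
```

If Test-MetadataEndpoint fails with a certificate error, check that the CA chain is trusted on the server running the script and that the name in the URL is in the certificate's SAN; if it fails with a gateway or connection error, check the DNS alias and the IIS binding for that host name before rerunning the trust cmdlets.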
That’s all. Let’s try to connect to the portal. I open Internet Explorer and connect to https://www.home.net:
And on https://wapadmin.home.net:
I recommend restarting the Web Servers of your Windows Azure Pack infrastructure to avoid some issues that I have run into (on the VM clouds configuration for example).
Hi, when I am trying to set the relying party and identity provider I am getting a bad gateway
The remote server returned an error: (502) Bad Gateway.
Set-MgmtSvcRelyingPartySettings
Set-MgmtSvcIdentityProviderSettings
Thanks, Daniel
Hi Daniel,
Have you checked the Windows Azure Pack event log on the related server?
Yes I did, and the only event I see is this one:
Error:The cmdlet Set-MgmtSvcIdentityProviderSettings failed with error The remote server returned an error: (502) Bad Gateway..
Detailed error: System.Net.WebException: The remote server returned an error: (502) Bad Gateway.
at System.Net.HttpWebRequest.GetResponse()
at Microsoft.WindowsAzure.Config.PowerShell.Claims.SetClaimsCmdlet`1.ReadMetadataFromEndpoint(Uri endpoint, Boolean disableCertificateValidation)
at Microsoft.WindowsAzure.Config.PowerShell.Claims.SetClaimsCmdlet`1.Execute()
at Microsoft.WindowsAzure.Server.PowerShell.Common.BaseCmdlet.ProcessRecord()., operationName:, version:, accept language:, subscription Id:, client request Id:, principal Id:, page request Id:, server request id:
Thanks, Daniel
Hi,
The first time I had a similar issue. So I performed the relying party and identity provider part again from scratch.
Create a PowerShell script and use variables to avoid issues. I think you have made an error in the commands.
Regards,
Romain
Hi
I did try to use variables with no change, still getting the bad gateway error. I can post my PS script if you can take a look,
it’s driving me mad 🙂
Thanks, Daniel
Hi Daniel,
Could you send me your script and a schema of your infrastructure?
Thanks
Romain
I am using one VM Express install with SQL 2012 SP1,
AD 2012 R2 and an enterprise CA for certificates.
I have a clustered Hyper-V with 3 hosts. I have configured SCVMM with an NVGRE environment, which is working great; the only thing I have left to configure is the Azure Pack.
Import-Module MgmtSvcAdmin
# Azure URLS #
$SQLSRV = "EC-SQL-01.echoes-lab.local"
$WWW = "www.echoes-lab.local"
$auth = "auth.echoes-lab.local"
$api = "api.echoes-lab.local"
$wapadmin = "wapadmin.echoes-lab.local"
$wapadminauth = "wapadminauth.echoes-lab.local"
# Get Azure URLS #
Get-MgmtSvcFqdn -Server ec-sql-01 -Namespace TenantSite,AuthSite,TenantPublicAPI,AdminSite,WindowsAuthSite
# Set Azure Public #
Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName $WWW -Port 443 -Server $SQLSRV
Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName $auth -Port 443 -Server $SQLSRV
Set-MgmtSvcFqdn -Namespace "TenantPublicAPI" -FullyQualifiedDomainName $api -Port 443 -Server $SQLSRV
Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://Auth.echoes-lab.local/FederationMetadata/2007-06/FederationMetadata.xml' -Server $SQLSRV
Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://www.echoes-lab.local/FederationMetadata/2007-06/FederationMetadata.xml' -Server $SQLSRV
# Set Azure Admin #
Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName $wapadmin -Port 443 -Server $SQLSRV
Set-MgmtSvcFqdn -Namespace "WindowsAuthSite" -FullyQualifiedDomainName $wapadminauth -Port 443 -Server $SQLSRV
Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://wapAdminAuth.echoes-lab.local/FederationMetadata/2007-06/FederationMetadata.xml' -Server $SQLSRV
Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://wapadmin.echoes-lab.local/FederationMetadata/2007-06/FederationMetadata.xml' -Server $SQLSRV
Thanks, Daniel
Hello Daniel,
Could you send me your E-mail address by E-mail (not here, to avoid robots :))
Thanks
I’m following your guide to install WAP (for use with SMA) and I can’t get past the database setup. In your screenshots you use Windows Authentication, but I keep getting the message that I should turn on SQL Authentication. What am I missing here?