
...

SQL Azure (Database-as-a-Service) is used for the database, and Remote Desktop Services delivers the Jiwa application as a RemoteApp.

...

The Azure platform is ever-changing and best practices will change along with it.

...

The HTML5 client can also be configured on the RDS server so that a web browser can be used instead of the Remote Desktop client.

Subscription

An Azure subscription needs to be created. Visit https://portal.azure.com/ and sign in with an existing Microsoft account, or create one.

...

Log in to the Azure portal via https://portal.azure.com/, search for Active Directory and select it.


On the left-hand pane, select Users.


A list of users should appear.


If you have no users, add any users you need.

Azure Active Directory Domain Services (AADS)

...

You will need to add and verify ownership of a custom domain.  To verify ownership you will need to create a TXT record in your public DNS.  Follow the guidance in the portal when adding the custom domain.

A network security group and virtual network will be created and associated with the AADS. All virtual machines, SQL Servers and other resources should use the virtual network associated with the AADS.

Azure Virtual Machine

An Azure virtual machine is used to deliver the Jiwa application via Remote Desktop Services.  This is a Windows machine running Windows Server 2019 or later.

...

The Gateway role service will then be deployed.


...

Some components must be downloaded and installed through a web browser, and the Internet Explorer browser bundled with Windows Server 2019 is unfit for this purpose. Install a modern web browser (Edge, Chrome or Firefox) first.


SSL Certificates and auto-renewal

Trusted certificates need to be generated and installed on the machine. Free, auto-renewed certificates can be obtained from Let's Encrypt.

We recommend using the Let's Encrypt service together with the win-acme client to generate the certificates and auto-renew them every 3 months.

Visit https://www.win-acme.com/ and download the version with plugin support.


Verify Firewall rules for certificate validation

In order for the win-acme tool to obtain a certificate, the Let's Encrypt validation servers need to be able to reach the machine using the Fully Qualified Domain Name (FQDN) the certificate is for. The default method does this with an HTTP request on port 80 (there are other challenge types, but this is the simplest). In the Network Security Group for the VM, ensure that both port 443 and port 80 are open to all public IP addresses.

Run win-acme

Open an elevated command prompt (Run as administrator) and change directory to the C:\Program Files\win-acme folder.


Type wacs.exe and press Enter.


Select Create certificate (full options) (M):


Select Manual input (2), and then enter the FQDN.


Press enter to accept the Friendly name, then select option 2 to Serve verification files from memory:


Select the RSA key option:


Select option 4 to place the certificate into the Windows Certificate Store:


Then select option 2 to store it in My (General computer store, for Exchange/RDS):


Choose 3: PFX archive

Enter a path to save the exported certificate to (e.g. C:\Users\mikes\Documents\Certificates), and select option 2 for the .pfx password (Type / paste in console).


Enter a password for the pfx.


Choose 5: No (additional) store steps


Choose 3: No (additional) installation steps


Answer y to open the Terms of Service document.


Answer y to agree with the terms:


Enter recipient email addresses for any problems:


Verification of domain ownership will then take place. win-acme will create a Windows Scheduled Task to auto-renew the certificate every 3 months; answer n at the prompt that follows.

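The following PowerShell script is an added example, not part of the original page or of win-acme, that checks the outcome of the steps above on the RDS server: that the FQDN resolves publicly, that a certificate for it with a private key is present in the Local Machine personal store chosen in option 4, how long it has left, and that the win-acme renewal task exists and last ran cleanly. The FQDN and the task-name prefix are assumptions; adjust them to your deployment.

```powershell
# Added example (not from the original page): post-install checks for the win-acme / RDS
# certificate steps. Run in an elevated PowerShell session on the RDS server.
param(
    [string]$Fqdn = 'rds.example.com'   # assumption: the FQDN entered in win-acme
)

# 1. The Let's Encrypt HTTP-01 challenge reaches the server by name, so the FQDN
#    must resolve publicly. Show what it currently resolves to.
$aRecords = Resolve-DnsName -Name $Fqdn -Type A -ErrorAction Stop | Where-Object QueryType -eq 'A'
Write-Host "$Fqdn resolves to: $($aRecords.IPAddress -join ', ')"

# 2. Store option 4 / "My" places the certificate in Cert:\LocalMachine\My.
#    Match on the subject CN or on any SAN entry, newest certificate first.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$Fqdn" -or $_.DnsNameList.Unicode -contains $Fqdn } |
    Sort-Object NotAfter -Descending
if (-not $certs) { throw "No certificate for $Fqdn found in Cert:\LocalMachine\My" }

$cert     = $certs[0]
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host "Thumbprint: $($cert.Thumbprint)"
Write-Host "Issuer:     $($cert.Issuer)"
Write-Host "Expires:    $($cert.NotAfter) ($daysLeft days left)"

# RDS can only use a certificate whose private key is present on this machine.
if (-not $cert.HasPrivateKey) { Write-Warning 'Certificate has no private key; RDS cannot use it.' }
# Let's Encrypt certificates are valid for 90 days; under 30 days left means renewal is overdue.
if ($daysLeft -lt 30) { Write-Warning 'Less than 30 days left; renewal should already have run.' }
if ($certs.Count -gt 1) { Write-Host "Note: $($certs.Count) certificates match; older ones can be removed." }

# 3. win-acme registers a Scheduled Task for renewal; confirm it exists and its last result.
#    Assumption: the task name starts with "win-acme".
$task = Get-ScheduledTask | Where-Object TaskName -like 'win-acme*'
if (-not $task) {
    Write-Warning 'No win-acme renewal task found; auto-renewal will not happen.'
} else {
    $info = $task | Get-ScheduledTaskInfo
    Write-Host "Task '$($task.TaskName)': state $($task.State), last run $($info.LastRunTime)"
    # LastTaskResult 0 means the last renewal run completed without error.
    if ($info.LastTaskResult -ne 0) {
        Write-Warning ("Last task result was 0x{0:X}; check the win-acme log." -f $info.LastTaskResult)
    }
}
```

After the certificate has been assigned to the RDS role services (next section), re-run the script whenever a renewal is expected to confirm the thumbprint in the store has changed.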

Assign certificates to RDS deployment

In Server Manager > Remote Desktop Services, select Edit Deployment Properties from the Tasks combo-box on the Deployment Overview pane.


Select the Certificates tab and then select Select existing certificate...


Press the Browse button and choose the pfx we configured win-acme to generate:


Enter the pfx password and tick the Allow the certificate to be added... checkbox.


Click the Apply button.


Repeat for each Role Service in the Certificates tab of the Configure the deployment dialog. Follow the documentation on https://www.win-acme.com/ to configure certificates for an RDP server.


Install Jiwa

Download and install the Jiwa application from https://support.jiwa.com.au/ 

...

Publish the Jiwa application as a RemoteApp

From within the Server Manager Dashboard, publish jiwa.exe, which is deployed to the C:\Program Files (x86)\Jiwa Financials\Jiwa folder, as a RemoteApp.

SQL Azure

In the Azure portal, provision a new SQL Server. It is recommended to use the Virtual networks option so that access is allowed only from the virtual network that both the AADS and the VM are in.

For Azure SQL we use the Standard tier; 50 DTUs is usually the minimum, but we have a couple of customers using less.
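As an added example (not from the original page), this Az PowerShell script audits the logical SQL server's network rules against the recommendation above: it flags server-level IP firewall rules that open the server more widely than the virtual network, lists the virtual network rules that should cover the AADS/VM subnet, and reports whether the public endpoint is still enabled. It assumes the Az.Sql module is installed and Connect-AzAccount has already been run; the resource group and server names are placeholders.

```powershell
# Added example (not from the original page): audit Azure SQL network access rules.
# Assumptions: Az.Sql installed, Connect-AzAccount done, names below are placeholders.
param(
    [string]$ResourceGroupName = 'rg-jiwa',   # assumption
    [string]$ServerName        = 'sql-jiwa'   # assumption: logical server name, no DNS suffix
)

$problems = @()

# Server-level IP firewall rules bypass the "virtual network only" intent.
# 0.0.0.0-0.0.0.0 is the special "Allow Azure services and resources" rule, which admits
# traffic from any Azure tenant; any other range is a public IP allow-list entry.
$ipRules = Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName
foreach ($r in $ipRules) {
    if ($r.StartIpAddress -eq '0.0.0.0' -and $r.EndIpAddress -eq '0.0.0.0') {
        $problems += "Rule '$($r.FirewallRuleName)' allows all Azure services (any tenant)."
    } elseif ($r.StartIpAddress -ne $r.EndIpAddress) {
        $problems += "Rule '$($r.FirewallRuleName)' allows the public range $($r.StartIpAddress)-$($r.EndIpAddress)."
    } else {
        Write-Host "Single-address public rule '$($r.FirewallRuleName)': $($r.StartIpAddress)"
    }
}

# Virtual network rules are what the page recommends; at least one should name the
# subnet that the RDS VM (and the AADS instance) live in.
$vnetRules = Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName
if (-not $vnetRules) {
    $problems += 'No virtual network rule configured; the server is not restricted to the VNet.'
}
foreach ($v in $vnetRules) {
    Write-Host "VNet rule '$($v.VirtualNetworkRuleName)' -> $($v.VirtualNetworkSubnetId)"
}

# Public network access can be disabled entirely once VNet rules or a private
# endpoint carry all legitimate traffic.
$server = Get-AzSqlServer -ResourceGroupName $ResourceGroupName -ServerName $ServerName
Write-Host "Public network access: $($server.PublicNetworkAccess)"

if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
} else {
    Write-Host 'No overly broad server-level firewall rules found.'
}
```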

...