...
The SQL Azure Database-as-a-service is used, and Remote Desktop services to deliver the Jiwa application as a remoteApp.
...
The Azure platform is ever-changing and best practices will change along with it.
...
The HTML5 client can also be configured on the RDS server to allow a web browser to be used.
Subscription
An Azure subscription needs to be created. Visit https://portal.azure.com/ and sign in with an existing Microsoft account, or create one.
...
Login to your Azure portal via https://portal.azure.com/ and search for Active Directory and select it.
\
On the left hand pane, select Users
A list of users should appear.
If you have no users, create themadd any users if you need to.
Azure Active Directory Domain Services (ADDS)
...
You will need to add and verify ownership of a custom domain. To verify ownership you will need to create a TXT record in your public DNS. Follow the guidance in the portal when adding the custom domain.
A network security group and virtual network will be created and associated with the AADS - all virtual machines, SQL Servers and other resources should use the Virtual Network associated associated with the AADS.
Azure Virtual Machine
An Azure virtual machine is used to deliver the Jiwa application via Remote Desktop Services. This is a Windows machine running Windows Server 2019 or later.
...
The Gateway role service will then be deployed.
...
There are some things to download and install via a browser and the Internet Explorer browser bundled with Windows Server 2019 is unfit for this purpose. Install a web browser (Edge, Chrome or Firefox).
SSL Certificates and auto-renewal
Free, auto-renewed certificates can be obtained from Trusted certificates need to be generated and installed on the machine.
We recommend using the Let's Encrypt using service and the win-acme utilityclient to generate and auto-renew certificates every 3 months.
Visit https://www.win-acme.com/ and download the version with plugin support.
Verify Firewall rules for certificate validation
In order for the win-acme tool to generate a certificate, it needs to be able to reach the machine using the Fully Qualified Domain Name (FQDN) the certificate is for. It does this via a HTTP request on port 80 (there are other options, but this is the simplest). In the Network Security Group for the VM, ensure that both port 443 and port 80 are open to all public IP addresses.
Run win-acme
Open an elevated command prompt (Run as administrator) and change directory to the C:\Program Files\win-acme folder
Type in wacs.exe and press enter
Select Create certificate (full options) (M):
Select Manual Input (2), and then enter the FQDN
Press enter to accept the Friendly name, then select option 2 to Serve verification files from memory:
Select the RSA key option:
Select option 4 to place the certificate into the Windows Certificate Store:
Then select option 2 to store in the My General computer store (for Exchange/RDS):
Choose 3: PFX archive
Enter a path to save the exported certificate to (eg: C:\Users\mikes\Documents\Certificates), and select option 2 for the .pfx password (Type / paste in console)
Enter a password for the pfx.
Choose 5: No (additional) store steps
Choose 3: No (additional) installation steps
Answer y to Open the Terms of service document
Answer y to agree with the terms:
Enter recipient email addresses for any problems:
Verification of domain ownership will then take place. win-acme will create a Windows Scheduled Task to auto-renew the certificate every 3 months - answer n
Assign certificates to RDS deployment
In Server Manager > Remote Desktop Services select Edit Deployment Properties from the Tasks combo-box on the Deployment Overview pane
Select the Certificates tab and then select Select existing certificate...
Press the Browse button and choose the pfx we configured win-acme to generate:
Enter the pfx password and check the Allow the certificate to be added... checkbox
Click the Apply button
Repeat for each Role Service in the Certificates tab of the Configure the deployment dialog Follow the documentation on https://www.win-acme.com/ to configure certificates for an RDP server.
Install Jiwa
Download and install the Jiwa application from https://support.jiwa.com.au/
...
Publish the Jiwa application as a RemoteApp
From within the Server Manager Dashboard, publish the jiwa.exe application deployed to the C:\Program Files (x86)\Jiwa Financials\Jiwa folder
SQL Azure
In the Azure portal, provision a new SQL Server - it is recommended to use the Virtual networks option to allow only access from the same virtual network both the AADS and VM are in.
For Azure SQL we use Standard tier – 50 DTU’s is usually the minimum, but we have a couple of customers using less.
...