...
Azure SQL Database (the database-as-a-service offering) holds the data, and Remote Desktop Services delivers the Jiwa application as a RemoteApp.
...
The Azure platform is ever-changing and best practices will change along with it.
...
The HTML5 client can also be configured on the RDS server to allow a web browser to be used.
Subscription
An Azure subscription needs to be created. Visit https://portal.azure.com/ and sign in with an existing Microsoft account, or create one.
...
Log in to your Azure portal via https://portal.azure.com/, search for Active Directory and select it.
On the left hand pane, select Users.
A list of users should appear.
If you have no users, create them, and add any further users you need.
Azure Active Directory Domain Services (Azure AD DS)
...
You will need to add and verify ownership of a custom domain. To verify ownership you will need to create a TXT record in your public DNS. Follow the guidance in the portal when adding the custom domain.
A network security group and virtual network will be created and associated with Azure AD DS. All virtual machines, SQL servers and other resources should use the virtual network associated with Azure AD DS, so that they can reach the domain and each other without being exposed to the Internet.
Azure Virtual Machine
An Azure virtual machine is used to deliver the Jiwa application via Remote Desktop Services. This is a Windows machine running Windows Server 2019 or later.
...
The Gateway role service will then be deployed.
...
There are some things to download and install via a browser, and the Internet Explorer browser bundled with Windows Server 2019 is unfit for this purpose. Install a web browser (Edge, Chrome or Firefox).
SSL Certificates and auto-renewal
Trusted certificates need to be generated and installed on the machine. Free, auto-renewed certificates can be obtained from Let's Encrypt.
We recommend using the Let's Encrypt service with the win-acme client to generate the certificates and renew them automatically; Let's Encrypt certificates are valid for 90 days, so renewal happens roughly every 3 months.
Visit https://www.win-acme.com/ and download the version with plugin support.
Verify Firewall rules for certificate validation
In order for the win-acme tool to obtain a certificate, Let's Encrypt needs to be able to reach the machine using the Fully Qualified Domain Name (FQDN) the certificate is for. With the self-hosting option used below it does this via an HTTP request on port 80 (there are other options, such as DNS validation, which needs no inbound port at all, but HTTP is the simplest). The validation requests come from Let's Encrypt's own servers, whose addresses are not published, so in the Network Security Group for the VM ensure that both port 443 and port 80 (TCP) are open inbound from all public IP addresses; port 80 cannot be restricted to a list of known sources.
Run win-acme
Open an elevated command prompt (Run as administrator) and change directory to the C:\Program Files\win-acme folder
Type in wacs.exe and press enter
Select Create certificate (full options) (M):
Select Manual Input (2), and then enter the FQDN
Press enter to accept the Friendly name, then select option 2 to Serve verification files from memory:
Select the RSA key option:
Select option 4 to place the certificate into the Windows Certificate Store:
Then select option 2 to store in the My General computer store (for Exchange/RDS):
Choose 3: PFX archive
Enter a path to save the exported certificate to (eg: C:\Users\mikes\Documents\Certificates), and select option 2 for the .pfx password (Type / paste in console). Choose a folder that only administrators can read, since the .pfx contains the private key.
Enter a password for the pfx.
Choose 5: No (additional) store steps
Choose 3: No (additional) installation steps
Answer y to Open the Terms of service document
Answer y to agree with the terms:
Enter recipient email addresses for any problems:
Verification of domain ownership will then take place. win-acme then creates a Windows Scheduled Task that renews the certificate automatically before it expires (about every 3 months); answer n at the prompt that follows.
Assign certificates to RDS deployment
In Server Manager > Remote Desktop Services select Edit Deployment Properties from the Tasks combo-box on the Deployment Overview pane
Select the Certificates tab and then select Select existing certificate...
Press the Browse button and choose the pfx we configured win-acme to generate:
Enter the pfx password and check the Allow the certificate to be added... checkbox
Click the Apply button
Repeat for each Role Service in the Certificates tab of the Configure the deployment dialog.
Note that a certificate assigned this way is a one-off import: when win-acme renews the certificate, the new one lands in the certificate store and the PFX folder, but the RDS deployment keeps using the old one until it is assigned again. Follow the documentation on https://www.win-acme.com/ to configure certificates for an RDS server so that the renewal step also updates the deployment.
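The interactive walk-through above produces a certificate once; the following PowerShell script is an added example (not from the Jiwa page or the win-acme project) of the installation step that keeps the RDS deployment current on every renewal. Its file name, the host name jiwards.example.com, the C:\Certificates folder and the e-mail address are placeholders, and the wacs.exe flags in the header comment are those of win-acme 2.x; confirm them against wacs.exe --help for the version you installed.

```powershell
<#
Install-RdsCertificate.ps1 (hypothetical file name; an added example, not part of Jiwa or win-acme)

Binds the certificate identified by -Thumbprint (already placed in LocalMachine\My by win-acme)
to every RDS role service. Registered as win-acme's installation step it runs after each
renewal, so the deployment never keeps a stale certificate.

Unattended equivalent of the interactive walk-through, registering this script as the
installation step (run from an elevated prompt in the win-acme folder; flag names are those
of win-acme 2.x, older releases use --target instead of --source):

  wacs.exe --source manual --host jiwards.example.com --validation selfhosting `
      --store certificatestore,pfxfiles --certificatestore My `
      --pfxfilepath C:\Certificates --pfxpassword <password> `
      --installation script --script C:\Certificates\Install-RdsCertificate.ps1 `
      --scriptparameters "{CertThumbprint}" `
      --emailaddress admin@example.com --accepttos
#>
param(
    [Parameter(Mandatory = $true)]
    [ValidatePattern('^[0-9A-Fa-f]{40}$')]   # SHA-1 thumbprint, as win-acme passes it
    [string]$Thumbprint,

    # Connection broker FQDN; on a single-server deployment that is this machine.
    [string]$ConnectionBroker = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

Import-Module RemoteDesktop -ErrorAction Stop

# Only bind a certificate that is actually present, has its private key and is not expired.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint expired on $($cert.NotAfter)." }

# The four role certificates shown in Server Manager's Certificates tab.
$roles = 'RDGateway', 'RDWebAccess', 'RDRedirector', 'RDPublishing'
foreach ($role in $roles) {
    # -Force suppresses the confirmation prompt so the renewal task can run unattended.
    Set-RDCertificate -Role $role -Thumbprint $Thumbprint -ConnectionBroker $ConnectionBroker -Force
}

# Summary for the win-acme log: every role should now show the new thumbprint and expiry.
Get-RDCertificate -ConnectionBroker $ConnectionBroker |
    Select-Object Role, Level, ExpiresOn, Thumbprint |
    Format-Table -AutoSize
```

Because win-acme's scheduled task runs as SYSTEM, the script binds by thumbprint from the machine store rather than re-importing the PFX, so no PFX password needs to be stored alongside it.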
Install Jiwa
Download and install the Jiwa application from https://support.jiwa.com.au/
If there are any service releases, be sure to download and install the latest of those also (note: service releases must be installed from an elevated command prompt).
Publish the Jiwa application as a RemoteApp
From within the Server Manager Dashboard, publish the jiwa.exe application deployed to the C:\Program Files (x86)\Jiwa Financials\Jiwa folder
RDS CAL Licenses
Note that the RDS server requires a CAL licence for each user – this is a once-off purchase, and you can obtain these from various on-line retailers. Once you have your licences, configure Remote Desktop Licensing to use them.
SQL Azure
In the Azure portal, provision a new SQL server. It is recommended to use the Virtual networks option in the server's networking settings so that access is allowed only from the virtual network both Azure AD DS and the VM are in, rather than from public IP addresses.
For Azure SQL we use the Standard tier – 50 DTUs (S2) is usually the minimum, but we have a couple of customers using less.
...
Remote Desktop Services
To host Remote Desktop Services, the VM must be joined to a domain, either one served by a domain controller you run or Azure AD DS.
Jiwa Connections Template
Once you have your databases established, configure Jiwa on the RDS server with the desired connections. These connection definitions are stored per user in a JiwaConnections.XML file, but the Jiwa application will look for a template, JiwaConnectionsTemplate.XML, in the Jiwa program files folder if the user has not previously configured any connections.
Copy the JiwaConnections.XML from the %appdata%\Jiwa Financials folder to C:\Program Files (x86)\Jiwa Financials\Jiwa 7\JiwaConnectionsTemplate.XML to give users a pre-defined list of connections when they first run Jiwa. Review the copied file before publishing it, since every user on the server will be able to read it.
Remote Desktop Web Client
To allow your users to easily obtain their RemoteApp .rdp file from a browser, configure Remote Desktop Web Access accordingly.
Once logged in, the published applications can be clicked on to download the .rdp file.
When the .rdp file is opened in the user's local Windows environment, the application appears as a normal Windows application to the user.
HTML 5 client
Remote Desktop Services can be configured to deliver an HTML5 web client for the published applications, so nothing needs to be downloaded to the user's machine. This may be preferred over the RemoteApp (.rdp file) solution.
hosts file
In order for the RDS VM to resolve its own FQDN to itself, an entry should be added to the hosts file.
Edit the C:\Windows\System32\drivers\etc\hosts file to point the FQDN to 127.0.0.1.
This will allow you to, say, open a web browser on the VM, navigate to https://jiwards.jiwa.com.au and reach the locally running IIS instance for the web client.
This is not an essential configuration, but is sometimes useful.
Where it may be essential is if you are running the API self-hosted service on the VM, have configured it for HTTPS and wish to use the custom domain FQDN.
Secure the Remote Desktop Server
When the VM for Remote Desktop Services was provisioned, port 3389 was open, and we used the RDP protocol to connect to it to perform the installation and configuration tasks.
Now that the Remote Desktop Gateway is configured, only port 443 (HTTPS) and port 80 (HTTP) need to remain open. The RemoteApp, Web Client and HTML5 client all go through the gateway on port 443, and port 80 is needed for the three-monthly certificate renewal performed automatically by the win-acme client (if you switch win-acme to DNS validation, port 80 can be closed as well).
The rule in the Network Security Group allowing port 3389 inbound should be removed. Administrators can still reach the server's desktop through the gateway, or over the point-to-site VPN described below, rather than directly from the Internet.
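As an added example (not part of the original page), the following Az PowerShell script reviews the VM's Network Security Group once the gateway is in place: it removes any custom rule that still admits 3389 from the Internet, then warns if TCP 80 or 443 is no longer allowed, since the gateway and the win-acme validation both need them. The resource group and NSG names are placeholders.

```powershell
# Added example (not from the Jiwa page): tidy the RDS VM's Network Security Group
# once the Remote Desktop Gateway is serving users on 443. Names are placeholders.
param(
    [string]$ResourceGroupName = 'rg-jiwa',
    [string]$NsgName = 'nsg-jiwa-rds'
)
Import-Module Az.Network -ErrorAction Stop
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $ResourceGroupName -Name $NsgName

function Test-PortAllowed {
    # True if any rule in $Rules covers TCP $Port. DestinationPortRange is a list whose
    # entries may be a single port, a range such as 80-443, or '*'.
    param($Rules, [int]$Port)
    foreach ($r in $Rules) {
        if ($r.Protocol -notin 'Tcp', '*') { continue }
        foreach ($range in $r.DestinationPortRange) {
            if ($range -eq '*' -or $range -eq "$Port") { return $true }
            if ($range -match '^(\d+)-(\d+)$' -and $Port -ge [int]$Matches[1] -and $Port -le [int]$Matches[2]) { return $true }
        }
    }
    return $false
}

function Test-InternetSource {
    # True if the rule admits traffic from anywhere on the Internet.
    param($Rule)
    foreach ($src in $Rule.SourceAddressPrefix) {
        if ($src -in '*', 'Internet', '0.0.0.0/0') { return $true }
    }
    return $false
}

# Custom inbound Allow rules only; the platform's default rules live in
# DefaultSecurityRules and are not touched here.
$inboundAllow = @($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' })

# Remove every rule that still exposes RDP (3389) to the Internet.
$rdpRules = @($inboundAllow | Where-Object { (Test-InternetSource $_) -and (Test-PortAllowed @($_) 3389) })
foreach ($rule in $rdpRules) {
    Write-Host "Removing rule '$($rule.Name)' (priority $($rule.Priority), ports $($rule.DestinationPortRange -join ','))"
    $nsg = Remove-AzNetworkSecurityRuleConfig -NetworkSecurityGroup $nsg -Name $rule.Name
}
if ($rdpRules.Count -gt 0) {
    # Nothing changes in Azure until the modified NSG object is written back.
    $nsg = $nsg | Set-AzNetworkSecurityGroup
}

# What remains: 443 carries the gateway, Web Client and HTML5 client; 80 is used by
# win-acme's self-hosted validation at renewal time.
$remaining = @($nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' })
$remaining | Select-Object Name, Priority, Protocol, SourceAddressPrefix, DestinationPortRange | Format-Table -AutoSize
foreach ($port in 80, 443) {
    if (-not (Test-PortAllowed $remaining $port)) {
        Write-Warning "No inbound Allow rule covers TCP $port; gateway access or certificate renewal will fail."
    }
}
```

A rule that allowed all ports from all sources is treated as an RDP rule and removed; if that was the only rule admitting 80 and 443, the warnings at the end tell you to add dedicated rules for those two ports.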
App Registration for Email through Office 365 (Microsoft Graph API)
Emailing from within Jiwa is a common requirement, and if the customer has Office 365 then you should use our Microsoft Graph API plugin for email transport - and this requires an App registration in the Azure Active Directory.
See the article Email - Configuration Microsoft Graph REST API for guidance on how to set this up.
Point to Site VPN
If users wish to access resources - such as the SQL database or RDS VM - from their local environment (perhaps for Excel queries or BI tooling), you will need to configure a point-to-site VPN connection in Azure, as resources should only be accessible from within the same Virtual Network.
Exposing the resources outside the virtual network via whitelisting of IP addresses in the Firewall rules is not recommended.
MS Azure Data Backups
Add on extra $$ a month to backup the VM if deemed necessary – we generally don’t as it’s just Windows Server 2019 and Jiwa – nothing that can’t rapidly be rebuilt.
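The following script is an added example (not Jiwa's own tooling) of applying the recommendation above, and the SQL Azure section's Virtual networks option, to an Azure SQL logical server with Az PowerShell: it enables the Microsoft.Sql service endpoint on the RDS subnet, adds a virtual network rule for that subnet, and reports any server-level IP firewall rule that would let traffic in from outside the network. Resource names are placeholders.

```powershell
# Added example (not Jiwa's own tooling): restrict an Azure SQL logical server to the
# virtual network shared with Azure AD DS and the RDS VM. Names are placeholders.
param(
    [string]$ResourceGroupName = 'rg-jiwa',
    [string]$ServerName = 'sql-jiwa',      # logical server name, without .database.windows.net
    [string]$VNetName = 'vnet-jiwa',
    [string]$SubnetName = 'snet-rds'       # the subnet the RDS VM lives in
)
Import-Module Az.Sql, Az.Network -ErrorAction Stop
if (-not (Get-AzContext)) { Connect-AzAccount | Out-Null }

# 1. A VNet rule can only reference a subnet that has the Microsoft.Sql service endpoint.
$vnet = Get-AzVirtualNetwork -ResourceGroupName $ResourceGroupName -Name $VNetName
$subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
if (-not ($subnet.ServiceEndpoints.Service -contains 'Microsoft.Sql')) {
    # Unspecified subnet properties (NSG, route table) are left as they are.
    Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName `
        -AddressPrefix $subnet.AddressPrefix -ServiceEndpoint 'Microsoft.Sql' | Out-Null
    $vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet
    $subnet = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $SubnetName
}

# 2. Admit the subnet. Traffic from it arrives with the subnet identity, not a public IP,
#    so no IP whitelisting is needed.
New-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName `
    -VirtualNetworkRuleName "allow-$SubnetName" -VirtualNetworkSubnetId $subnet.Id | Out-Null

# 3. Anything in the IP firewall bypasses the VNet-only policy. The 0.0.0.0-0.0.0.0 rule is
#    the portal's "Allow Azure services" switch, which admits any Azure-hosted client,
#    not only resources in your own subscription.
$ipRules = @(Get-AzSqlServerFirewallRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName)
foreach ($r in $ipRules) {
    Write-Warning "IP firewall rule '$($r.FirewallRuleName)' ($($r.StartIpAddress)-$($r.EndIpAddress)) admits traffic from outside the virtual network."
}
if ($ipRules.Count -eq 0) { Write-Host "No server-level IP firewall rules; access is limited to virtual network rules." }

# The rules now in force.
Get-AzSqlServerVirtualNetworkRule -ResourceGroupName $ResourceGroupName -ServerName $ServerName |
    Select-Object VirtualNetworkRuleName, VirtualNetworkSubnetId | Format-Table -AutoSize
```

The script only reports IP firewall rules rather than deleting them, because one of them may be the temporary rule you are using to administer the server; remove each one deliberately with Remove-AzSqlServerFirewallRule once the VPN is in place. Do not set the server's public network access to Disabled expecting the same effect: that setting also blocks service-endpoint traffic, leaving private endpoints as the only route in.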
Backups and Data Security
Virtual Machine
The Azure Backup service can be used to automatically backup virtual machines if desired. The Jiwa application stores only ephemeral data on the VM, so if the VM is destroyed no data is lost - the database contains all the data.
However, it can save time to be able to restore a VM to a previous known working state if it is destroyed - see the official Microsoft documentation on how to configure virtual machine backups if desired.
Also, availability sets (or availability zones) can be used to spread multiple VMs across separate fault and update domains, so that a single hardware failure or planned maintenance does not take the whole deployment down; note that this only helps when you run more than one session host. See the Azure documentation on Availability options for Azure Virtual Machines.
Database
Azure SQL Database backs itself up automatically (full, differential and transaction log backups), so you do not need to run your own backups. You may wish, however, to choose geo-redundant backup storage, which keeps a copy of the backups in the paired Azure region so the database can be geo-restored there in case of natural disaster or other catastrophe.
Within the region, Azure SQL Database keeps several synchronous copies of the data across separate fault domains; should the node serving your database, or one of its components, fail, requests are automatically redirected to a healthy copy and a replacement node is provisioned automatically. Geo-redundant backup storage does not extend this to another region: a geo-restore is a manual restore, and automatic failover between regions is a separate feature (active geo-replication or auto-failover groups) that has to be configured explicitly.
You may wish to extend the point-in-time restore retention beyond the default 7 days, up to 35 days. Long-term retention can additionally keep weekly, monthly or yearly full backups for up to 10 years, although those restore to the time of the backup rather than to an arbitrary point in time.
You can also manually export the database as a BACPAC to a storage account, or to the local file system, if desired.
MS Azure Calculator
If you haven’t already, you can use the Azure pricing calculator to see the pricing options - https://azure.microsoft.com/en-au/pricing/calculator
Of particular interest might be the reserved-instance discounts offered for committing to VMs for 1 or 3 years (41% discount for 1 year, 62% discount for 3 years at the time of writing).
What you would need to do to allow us to help you (permissions, et al)
...