Provision Services

Complete the following steps to provision services for your Windows Azure Services for Windows Server deployment:

  1. Complete Setup and Configuration of the Web Site Cloud

  2. Provision Application Databases for End Users

  3. Provision Virtual Machine Clouds

  4. Create Plans for End Users

Complete Setup and Configuration of the Web Site Cloud

Upon successful installation and configuration of the Web Sites service you can complete setup and configuration of the Web Site Cloud by provisioning machines to run the Front End, Publisher, and Web Worker roles.

  1. Log on to the machine where the Service Management – Admin Portal web site was deployed (for example, SvcMgmtPortal for an Express install or SvcMgmtAdmin for a Distributed install). Launch the Admin Portal (https://localhost:30091) if it is not already open.

  2. Click Web Site Cloud and then click Connect the portal to your web site installation, under Register your Web Site Cloud REST Endpoint.

  3. Enter the following information for the resource provider:

    1. End Point URL: https://<SitesRESTAPI>

    2. Username: Enter the username that you specified when creating the Service Endpoint Credentials.

    3. Password: Enter the password that you specified when creating the Service Endpoint Credentials.

  4. Click the checkmark in the bottom right of the Register Service Provider page to continue.

  5. When you receive a message indicating that registration was successful, click the “X” at the bottom right of the screen to close the message. On the Quick Start page, the Register your Web Site Cloud REST Endpoint option is now greyed out.

  6. Click Setup Frontend to set up the Frontend role for the web site cloud.

  7. Enter the machine name for the Frontend (for example, SitesFE). Click the Next checkmark to continue.

    To create additional frontends, repeat this step.

  8. While the Frontend role is installing, click the Add Role button at the bottom of the Web Site Cloud Quickstart page. The Add Cloud Server dialog box is displayed. Click Add New Web Worker.

    The Setup a new Web Worker dialog is displayed. Enter the name of the machine that you created for your shared Web Worker role (for example, SitesWWS), specify the Shared option and click the checkmark to continue.

    To create additional shared (multitenant) or reserved (single tenant) workers, repeat this process.

    Important

    Ensure that at least one machine is configured to run the shared Web Worker role. Creation of a Web Site Cloud without at least one machine configured to run the shared Web Worker role is not a supported configuration.

  9. Repeat steps 6 and 7, or step 8, to add the Publisher role. Enter the machine name for the Publisher role (for example, SitesPublisher) and click the checkmark to continue. Repeat this step to add additional publishers.

Post-Provisioning Configuration

The following sections describe steps that should be followed once you have completed setup and configuration of the Web Site Cloud.

Configure SSL Certificate Store

Configure the SSL Certificate Polling Interval by running the following PowerShell commands on the controller:

  1. Add-pssnapin WebHostingSnapin

  2. Set-HostingConfiguration -CentralCertPollingInterval 300 -CentralCertificateSChannelCleanupInterval 300

Configure IP Filtering

Web Sites supports IP blacklisting to prevent worker processes from connecting to machines inside of the Web Site Cloud. To configure IP filtering, run the following PowerShell commands on the controller:

  1. Add-pssnapin WebHostingSnapin

  2. Set-HostingConfiguration -WorkerRegKeyRejectPrivateAddresses 1

  3. Set-HostingConfiguration -WorkerRegKeyPrivateAddressRange <start-of-ip-blacklist-range>, <end-of-ip-blacklist-range>

    For the last command above, substitute valid IP addresses for the start and end of the IP blacklist range, shown as <start-of-ip-blacklist-range> and <end-of-ip-blacklist-range>.

Restart the Dynamic WAS Service (DWASSVC) on machines configured to run the web worker role. Run the following commands from an elevated command prompt:

  1. net stop dwassvc

  2. net start dwassvc
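
A mistyped or too-narrow range leaves some cloud machines reachable from worker processes, so it helps to check the range before applying it. The following script is an added example, not part of the original documentation: it validates the start and end addresses and confirms that the machines you list fall inside the range. The function names, the `$apply` switch and all addresses are hypothetical; only the WebHostingSnapin commands come from the steps above.

```powershell
# Added example. Function names and sample addresses are hypothetical; only the
# Set-HostingConfiguration parameters come from the steps above.
function ConvertTo-IPv4Number {
    param([Parameter(Mandatory=$true)][string]$Address)
    $ip = $null
    # Require a dotted quad: IPAddress.TryParse alone also accepts forms such as "10.1".
    if ($Address -notmatch '^\d{1,3}(\.\d{1,3}){3}$' -or
        -not [System.Net.IPAddress]::TryParse($Address, [ref]$ip)) {
        throw "Not a valid IPv4 address: $Address"
    }
    $bytes = $ip.GetAddressBytes()                      # network (big-endian) order
    if ([BitConverter]::IsLittleEndian) { [Array]::Reverse($bytes) }
    [BitConverter]::ToUInt32($bytes, 0)
}

function Get-UncoveredAddress {
    param([string]$Start, [string]$End, [hashtable]$CloudMachines)
    $lo = ConvertTo-IPv4Number $Start
    $hi = ConvertTo-IPv4Number $End
    if ($lo -gt $hi) { throw "Range start $Start is higher than range end $End" }
    # Return every listed machine whose address falls outside [Start, End].
    foreach ($name in $CloudMachines.Keys) {
        $n = ConvertTo-IPv4Number $CloudMachines[$name]
        if ($n -lt $lo -or $n -gt $hi) { "$name ($($CloudMachines[$name]))" }
    }
}

# Constructed sample values: replace with your own range and machine addresses.
$start    = '10.0.0.1'
$end      = '10.0.0.254'
$machines = @{ Controller = '10.0.0.10'; SitesFE = '10.0.0.20'; SitesPublisher = '10.0.1.5' }
$apply    = $false          # set to $true on the controller to change the configuration

$uncovered = @(Get-UncoveredAddress -Start $start -End $end -CloudMachines $machines)
if ($uncovered.Count -gt 0) {
    Write-Warning "Range $start - $end does not cover: $($uncovered -join ', ')"
} elseif ($apply) {
    Add-PSSnapin WebHostingSnapin
    Set-HostingConfiguration -WorkerRegKeyRejectPrivateAddresses 1
    Set-HostingConfiguration -WorkerRegKeyPrivateAddressRange $start, $end
    # Then restart DWASSVC on each Web Worker (net stop dwassvc / net start dwassvc).
} else {
    "Range $start - $end covers all listed machines; nothing applied (`$apply is false)."
}
```

With the sample values the script warns that SitesPublisher lies outside the range and applies nothing.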

Provision additional REST API servers (optional)

In addition to scaling out Workers, Front Ends, and Publishers, the Service Management REST API can also be scaled to provide additional throughput and availability. To create another REST API server, perform the steps outlined in Virtual Machines/System Requirements and Role Account Preparation on the new machine and then run the following PowerShell commands on the controller:

  1. Add-pssnapin WebHostingSnapin

  2. New-ManagementServer -ManagementServerName <NewManagementServer>

    Substitute the actual name of the new REST API server for <NewManagementServer> when running the second command.

Additional machine configuration and hardening

Microsoft recommends that users employ security best practices to harden their deployments. This includes, but is not limited to:

  1. Firewall configuration to minimize network surface area on any Internet facing machines. Consider referencing the following resources if you are using Windows Firewall with Advanced Security. The first two were written with Windows Server 2008 R2 in mind but for the most part also apply to Windows Server 2012. The last article focuses on Windows Server 2012:

  2. Modification of System ACLs to secure the file system and registry. Consider downloading and using the following utilities to help evaluate a machine’s file system and Registry security settings:

  3. Adherence to the principle of least privilege when creating user accounts. For more information about the principle of least privilege please refer to Applying the Principle of Least Privilege to User Accounts on Windows.

Provision Application Databases for End Users

You may add one or more SQL or MySQL Server hosting servers for end-users to deploy and use.

  1. Create and configure a new MYSQL Database. At the bottom of the screen click NEW, click MYSQL SERVERS and then click Connect To.

    Specify the server name, the admin username (root) and password and the size of the hosting server. You may use Default for MySQL server group. Then click Connect.

  2. A message will be displayed at the bottom of the screen indicating whether or not the operation succeeded. Click the OK checkmark to dismiss the message.

  3. Click the newly created MYSQL Server to confirm the configuration.

  4. Create and configure a new SQL Database. At the bottom of the screen click NEW, click SQL SERVERS and then click Connect To.

    Specify the server name, the admin username (sa), the admin password and the size of hosting server. You may use Default for SQL server group. Then click Connect.

  5. A message will be displayed at the bottom of the screen indicating whether or not the operation succeeded. Click the OK checkmark to dismiss the message.

  6. Click the newly created SQL Server to confirm the configuration.

Provision Virtual Machine Clouds

  1. To provision virtual machine clouds, you will need the URL of the Service Provider Foundation endpoint. The endpoint is constructed as https://<server name>:8090, where the server name is the fully qualified domain name (FQDN) of the server that has Service Provider Foundation installed. The colon and the 8090 port specification are required.

  2. In the Admin Portal, click Virtual Machine Clouds and then click the link under Register System Center Service Provider Foundation.

  3. Enter the endpoint URL.

    Specify the user name and password and click the checkmark. Provide the same user name and password that were used to install Service Provider Foundation. You can determine the user name by checking the Identity for the VMM, Admin, and Provider Application Pools in Internet Information Services (IIS) Manager on the server that has Service Provider Foundation installed.

    Note

    If the Service Provider Foundation endpoint registration does not work, verify that you can connect to the Service Provider Foundation URL from a browser.

  4. After you register Service Provider Foundation, you must register a System Center Provider to provision virtual machines against. Click New, Virtual Machine Clouds and then Connect To. Enter a friendly name for your Virtual Machine Cloud Provider, enter the Virtual Machine Manager Server Name and then click the Register checkbox.

  5. You may click the Clouds tab to view the Virtual Machine Clouds that are registered in VMM.

  6. Click any of the Virtual Machine Clouds to view the Virtual Machine Cloud Dashboard.

  7. Go back to the Virtual Machine Clouds list by clicking the back arrow.

  8. You may also click Providers to see the list of existing Virtual Machine Cloud providers.
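
The endpoint rules in step 1 and the connectivity check in the note under step 3 can be scripted before you enter credentials in the portal. The following function is an added example, not part of the original documentation: it checks that the URL uses https, an FQDN and the explicit :8090 port, then opens a TLS connection and reports whether this machine trusts the certificate the endpoint presents. `Test-SpfEndpoint` and the sample host name are hypothetical.

```powershell
# Added example. Test-SpfEndpoint and the sample host name are hypothetical.
function Test-SpfEndpoint {
    param([Parameter(Mandatory=$true)][string]$Url, [int]$TimeoutMs = 5000)
    $uri = $null
    if (-not [Uri]::TryCreate($Url, [UriKind]::Absolute, [ref]$uri)) { throw "Not an absolute URL: $Url" }
    if ($uri.Scheme -ne 'https') { throw "The endpoint must use https: $Url" }
    # The default https port is 443, so Port is 8090 only when ':8090' was written out.
    if ($uri.Port -ne 8090) { throw "The ':8090' port specification is required: $Url" }
    if ($uri.HostNameType -ne [UriHostNameType]::Dns -or $uri.Host -notmatch '\.') {
        throw "Use the server's FQDN rather than '$($uri.Host)'"
    }
    $result = [ordered]@{ Url = $Url; TcpOpen = $false; CertTrusted = $false; CertSubject = $null; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $pending = $client.BeginConnect($uri.Host, $uri.Port, $null, $null)
        if (-not $pending.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "No TCP connection within $TimeoutMs ms" }
        $client.EndConnect($pending)
        $result.TcpOpen = $true
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($client.GetStream(), $false)
        # Default validation: throws unless the chain is trusted and the name matches the host.
        $ssl.AuthenticateAsClient($uri.Host)
        $result.CertTrusted = $true
        $result.CertSubject = $ssl.RemoteCertificate.Subject
    } catch {
        $result.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$result
}

# Constructed sample host; substitute the FQDN of your Service Provider Foundation server.
Test-SpfEndpoint -Url 'https://spf01.contoso.example:8090'
```

A result with TcpOpen true and CertTrusted false means the port is reachable but the certificate chain or name did not validate; the Error field carries the reason.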

Create Plans for End Users

Follow these steps to create a plan for End Users. Plans include one or more provisioned services and are used to distinguish collections of service offerings that you want to make available for end users to subscribe to. You must create at least one plan and configure the plan as “Public” before end users can subscribe to services that you have provisioned.

  1. Click New to open the drawer at the bottom of the screen. Click Plans and then click Create.

  2. A wizard will open. Enter a name for your plan. This is the name that users will see when they sign up for the service. Click Next.

  3. Select the services you want included in this plan and then click the checkmark.

  4. From the Plans dashboard, click the plan name. Then, click each service name listed under plan services to specify quotas for the service. If the Status of a plan service is Configured you can set service quotas as soon as you click the service name. If the Status of a plan service is Not configured then you will need to provide configuration information for the service before setting service quotas.

  5. If Virtual Machine Clouds are part of your plan you will need to specify values for the service’s Cloud Provider and Virtual Machine Cloud before you can set quotas for the service. Click the Virtual Machine Clouds Service name to open the virtual machine clouds page. Under the basic section of this page specify values for Cloud Provider and Virtual Machine Cloud.

  6. After you select a Cloud Provider and Virtual Machine Cloud for the Virtual Machine Cloud Service, scroll down the page to set usage limits on Virtual Machine Cloud resources.

  7. Before saving usage limits you must first scroll down and specify the following required plan properties:

    • templates – A template is a library resource that consists of a hardware profile, a virtual hard disk, and an optional guest operating system profile. Templates provide a standardized group of hardware and software settings that you can use to create multiple new virtual machines configured with those settings.

    • hardware profiles – A hardware profile is a library resource containing hardware specifications that will be applied to the associated virtual machine template. A hardware profile can contain specifications for CPU, memory, network adapters, a video adapter, a DVD drive, a floppy drive, COM ports, and the priority given the virtual machine when allocating resources on a virtual machine host. Select one or more hardware profiles to be associated with the Virtual Machine Cloud plan.

    • networks – Virtual networks work like a physical network switch except that the switch is implemented in software. Virtual networks can be external, internal, or private. Select one or more virtual networks to be associated with the plan.

    After choosing the appropriate template(s), hardware profile(s) and network(s), click Save to apply your changes. If all of the plan's services are configured, you can click Make Public to make the plan accessible to users. To return to the plan dashboard page, click the back arrow in the upper left of the Service Management Portal.

  8. Click Configure to specify a plan invitation code or to allow multiple signups per account. When an invitation code is specified users must enter the invitation code in order to subscribe to the plan. If multiple signups per account are enabled then users can sign up for the specified plan more than once.

  9. If you would like to display information about the plan details to end users click Advertise. Add to the plan description and click Save. This information will be visible to end users when they sign up for the plan.
