Joining 5nine Software as Director of Product Management

Today, I am excited to announce I will be joining the awesome team at 5nine Software as Director of Product Management. My primary job responsibilities will be for the product strategy and direction of 5nine’s security and management solutions.
So, you ask, why Product Management? It’s been a lifelong dream to be part of shaping the direction of a technology solution.  By joining 5nine, I hope to simplify IT, Cloud and beyond, because there’s always a better way 🙂

“What prepared me for this was very surprising looking back.”

Life at Nutanix

Over the past 2 1/2 years at Nutanix, I managed 84 partners over 146 solutions.  The partner solutions that my team managed and validated were from all aspects of technology. i.e. Monitoring, backup, DR, Big Data, DevOps, security, networking, databases and the list goes on.

5nine Software was one of the first partners I validated. I was familiar with them.  5nine Manager was a tool I had used in the field during my consulting days. But I had not seen the security solution yet. During the Nutanix Ready process, I first got introduced to 5nine Security.  I remember at the time, I was super impressed with how they integrated with Hyper-V.

Shortly after 5nine’s Nutanix Ready validation, my colleague and Alliance Manager Tommy Gustaveson and I interviewed 5nine’s past VP of Alliances, Symon Perriman.  We enjoyed understanding 5nine’s vision and also getting to know a little more about Symon Perriman’s journey.  Yes, I admit, I had a little hero worship for him. But who can blame me? Symon is a one-of-a-kind person and I am proud to this day to call him a friend 🙂

So, on with the story, part of my job at Nutanix was front-ending the Product Managers (PM’s). The PM’s were always pulled in 10 different directions and they came to trust us with some of these activities with partners.  This would include understanding the partner technology, how we can go to market together and how the partner would integrate with Nutanix.  We worked with Alliance Managers and PM’s to determine if this would be a good partnership.

Once the business side of alliances onboards a partner, that’s where the handoff to the Nutanix Ready team happens. The team spends a lot of time understanding each partner solution(s). The team does a deep investigation of any issues around the partner solution(s) and Nutanix. This is vetted by Nutanix’s support and solutions teams. This, in turn, gives the customer a certain degree of comfort that the partner solutions were tested and validated, and that they will work on Nutanix 🙂

Over the course of my time at Nutanix, and my career for that matter, I have gotten to see many, many UI/UX’s and the engines (code) behind them.  I’ve seen what works and what doesn’t. The common theme of what doesn’t work is overcomplicating your user experience.
We are at the age of managing multiple multi-geographic data centers and clouds, backups, DR, networking, SDN’s and we need to secure it all. If your UI even vaguely resembles an airplane cockpit, you’re doing it wrong.  It is an inefficient use of an IT Pro’s time and energy.  They just want to simply manage their production applications and have an easy management experience.

I will never trade the time I had at Nutanix, but times are a-changing 🙂  As I’ve mentioned in a previous post, “Building Nutanix Ready”, “it was the best of times and the worst of times”.  I have not finished that series yet, but needless to say, it prepared me for the next step in my journey.

So, keep an eye on my blog, twitter feed, etc, because things are about to get into high gear.

Until next time and happy holidays,
Robert Corradini, MVP – Cloud & Datacenter

CPS Standard on Nutanix Released

Fun and crazy days here at Nutanix. I’ve been busy fielding a lot of calls around our new offering, CPS Standard on Nutanix. Now if you don’t know what CPS is, it stands for Cloud Platform System.

So what is Microsoft CPS anyways?

Simply, Microsoft CPS is a software stack of Windows Server, System Center, and Windows Azure Pack.  CPS delivers a self-service cloud environment for Windows and Linux applications that provides optimized deployment of Windows Azure Pack.
Currently based on Windows Server 2012 R2, System Center 2012 R2 and Windows Azure Pack, CPS provides an Azure-consistent experience by leveraging Azure services to deliver business continuity (through Azure Site Recovery) of your hybrid cloud for your virtualized Windows and Linux workloads. For more details on Windows Azure Pack, check out my blog series on WAP.

If you have read my WAP blog series, you know that building your own cloud can be a complex undertaking. Integrating the hardware, installing and configuring the software, and optimizing the overall solution for usability, performance, scale, and reliability means that many cloud deployments fall short.

Introducing Microsoft CPS on Nutanix, an easier way to deploy WAP

The solution is due to the co-engineering and joint validation efforts with Microsoft and Nutanix. Getting the solution up and running is pretty fast, accelerating your time to value.
The joint effort goes beyond initial deployment. Once the Microsoft\Nutanix CPS solution is up and running, you get a single point of contact for support and simplified patching and updating across the entire stack of firmware and software. And as an added benefit, you get the ability to scale the environment with all the Nutanix goodness.

Bits are installed at the factory, so when you get your Nutanix Block, it’s just as easy as a wizard to get you up and running.  Below is a video that my buddy @mcghee did on the install and initial configuration of CPS. The video brings you right up to the admin and tenant portals and gives you a brief tour.

Enjoy…Until next time, Rob….

Understanding Windows Azure Pack – Reconfigure portal names, ports and deploy certificates – Part 6

Happy New Year Everyone!!!  I know Azure Stack is just around the corner, but I still get lots of questions around configuring WAP and portals. So to follow-up my Windows Azure Pack (WAP) series, I am going to talk about reconfiguring server names and ports as well as assigning trusted certificates to my WAP Portals.

If you missed other parts of the series, check links below:
Part 1 – Understanding Windows Azure Pack
Part 2 – Understanding Windows Azure Pack – Deployment Scenarios
Part 3 – Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Environment Prep
Part 4 – Deploying Service Provider Framework on Nutanix
Part 5 – Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Windows Azure Pack Install

In this blog post, we will look at how you can change portal names and ports for the Tenant and Admin portals in WAP.

Once we are done with that, we are going to issue certificates from an Enterprise CA to the Admin portal as well as issuing a certificate to the Tenant Portal. As I don’t have a Public CA Certificate,  I’m going to use one from my Enterprise CA, but the concept for a Public CA is exactly the same as if I was using certificates from a trusted CA like VeriSign, DigiCert or similar.
[Image: Windows Azure Pack Tenant Portal]


Architecture:

Windows Azure Pack has different components which serve various functions as I mentioned in previous blog posts.
By looking at the roles being installed on a WAP Server for an express install, we can see a long list of Web Services running on the WAP Server. These different Web Services provide various roles within the WAP Infrastructure.
In this lab scenario, we will be working with the following Web Services:

  • WAP Tenant Portal Service (MgmtSvc-TenantSite): Hosts the WAP Tenant Portal
  • WAP Tenant Authentication Service (MgmtSvc-AuthSite): Hosts the authentication for tenants
  • WAP Admin Portal Service (MgmtSvc-AdminSite): Hosts the Admin Portal
  • WAP Admin Authentication Service (MgmtSvc-WindowsAuthSite): Hosts the Admin Authentication


When a tenant accesses the WAP Tenant Portal (exposed to the Internet), they are redirected to the WAP Tenant Authentication Service, which validates whether the user is allowed to access the system. Once the WAP Tenant Authentication Service has validated the user, the user is redirected back to the WAP Tenant Portal with access to WAP services. The tenant authentication service uses claims-based authentication and can use different authentication methods, such as Active Directory Federation Services (ADFS) or .NET. In this scenario we are using the default authentication (.NET); in a future blog post, I will tie in ADFS.

In my lab setup these services are running on the same server (WAP01.contoso.com), as shown above.

A similar scenario happens when a WAP administrator accesses the WAP Admin Portal (only accessible on the internal network): the WAP Admin Portal redirects the admin to the WAP Admin Authentication Service, which by default uses Windows Authentication. Once the Windows Authentication service has authenticated the user, the user is redirected back to the WAP Admin Portal with access to WAP.


Scenario:

After Installing and configuring Windows Azure Pack with the basic settings for the Contoso.com lab setup, the next steps are to configure the following:

  • Change WAP portal name.
  • Configure tenant and admin portals to run on port 443 (Https).
  • Replace the self-signed certificates with certificates provided by the enterprise CA (and consequently remove the warnings displayed in Internet Explorer due to the self-signed certificates).
  • Change the WAP Tenant Portal to use an internet facing url.
  • Change the WAP Tenant Authentication site to use the public web address that is also used by the WAP Tenant Portal.

The servers for this lab are configured as follows:

Role | Name | Function
Active Directory | DC01.contoso.com | Active Directory, ADFS, Certificate Server
Windows Azure Pack | WAP01.contoso.com | Windows Azure Pack Express Install
Service Provider Foundation | SPF01.contoso.com | Service Provider Foundation
SQL Server | DB02.contoso.com | SQL Instance hosting the WAP databases
Virtual Machine Manager | VMM01.contoso.com | Virtual Machine Manager 2012 R2 managing one Nutanix Hyper-V Cluster

The portals DNS names will be renamed to the following:

  • WAP Admin Portal: wapadmin.contoso.com port 443
  • WAP Tenant Portal Internal: WAPCloud.contoso.com port: 443
  • WAP Tenant Auth: wapcloud.contoso.com port: 444

Disclaimer: This environment is meant for testing only. This should not be considered guidance for production use, as several decisions made in this blog post are not targeting a production environment.

Reconfigure portal names for Windows Azure Pack

By default (in our lab setup) the two WAP portals are installed at https://wap01.contoso.com:30081 for the Tenant Portal and https://WAP01.contoso.com:30091 for the Admin Portal. We want to change these to friendlier portal names.

To accomplish this, we need to do the following:

  • Create a DNS record for the new portals.
  • Install and configure an enterprise CA.
  • Request certificates for WAP Web Services from the CA.
  • Change ports and assign certificates for WAP Services.
  • Update Windows Azure Pack with the new web service modifications.

Create a DNS record for the new portals

  1. Logon to the DNS server.
  2. Start DNS Manager
  3. Expand dc01 > Forward Lookup Zone > <Yourdomain> (e.g. contoso.com)
  4. Right click on <Yourdomain> and select New Host (A-Record)
  5. Provide the DNS name and the IP address of the WAP Admin Server (e.g. Name: wapadmin, IP: 192.168.1.40)
  6. Create the other DNS name for the remaining portal (e.g. wapcloud) and provide the WAP01 IP address, as all roles are installed on the same server in the lab setup.
  7. Verify that the DNS records show in the list.
  8. Close the DNS Manager.

Use trusted certificates for the Windows Azure Pack

In order to use CA signed certificates in our Lab environment we need to do the following:

  • Install a CA Server
  • Configure the CA Server
  • Request Web Server certificates from the CA Server
  • Change Web Sites to use certificate.

Install a CA Server

  1. Logon to the server that will be running the CA Server (e.g. DC01)
  2. Start Server Manager.
  3. Select Dashboard on the left.
  4. Click Add roles and features.
  5. Click next to: before you begin, Installation type and server selection.
  6. In Server Roles select Active Directory Certificate Services under Roles.
  7. Click next to features.
  8. Under Role Services Select the following: Certification Services, Certificate Enrolment Policy.., Certificate Enrolment Web, Certification Authority..
  9. Accept the add-ons and click next to Web Role Services.
  10. Click Install.
  11. Verify that the install finishes with success.

Configure CA Server

  1. On the CA Server start Server Manager as a user that is member of Enterprise Admins.
  2. Select AD CS on the left.
  3. A message will show in the main window:
  4. Click on More.
  5. In the server task details click on Configure Active Directory Cert.
  6. Select All Roles to configure except for Web Service and click Next.
  7. Select Enterprise CA.
  8. Select Root CA.
  9. Select Create a new private key and click next.
  10. Click next to cryptography.
  11. Click next to CA Name and keep default.
  12. Keep 5 years and click next
  13. Click next to Certificate Database
  14. Select Windows Integrated auth.. and click next
  15. Under Server Certificate Select Choose and assign a certificate for SSL later and click next
  16. Click Configure
  17. Click Close

Change WEB Sites to use Certificate

Issue Certificate for the WAP Admin Portal

  1. Logon to the WAP Server as an administrator (e.g. wap01.contoso.com)
  2. Open IIS Manager on the WAP Portal Server
  3. Select the IIS server under connections
  4. In the main window select server certificates under IIS
  5. In the right windows select create a domain certificate
  6. Specify the following:
    • Common name: the WAPAdmin FQDN (e.g. wapadmin.contoso.com)
    • Organization: Contoso
    • Organizational unit: NA
    • City: NA
    • State: NA
  7. Click Next
  8. Select a CA and provide the friendly name for the certificate (e.g. wapadmin.contoso.com)
  9. Click Finish
  10. Verify that the certificate shows in the list of certificates. We now have a web certificate, which we can use for the WAP Admin Portal.
  11. Request two more certificates following the same procedure:
    1. WAP Authentication: wap01.contoso.com
    2. WAP Tenant Portal Internal: WAPCloud.contoso.com
  12. There should now be three certificates in the Web Server Certificate list from Contoso CA.

Change ports and certificates for the WAP Admin Portal

  1. Logon to the WAP server as Administrator (This assumes it’s an express install).
  2. Start IIS Manager.
  3. Expand IIS Server > Sites.
  4. Right click on MgmtSvc-AdminSite and select edit bindings.
  5. Select https 30091 and select edit.
  6. Change port to 443.
  7. Set hostname to wapadmin.contoso.com.
  8. Select the certificate from the drop down list which was created earlier from the CA.
  9. Click Ok.
  10. Restart the Web Site.
  11. Right click on MgmtSvc-WindowsAuthSite and select edit bindings.
  12. Select the certificate from the list wap01.contoso.com.
  13. Click Ok.

Change ports and certificates for the WAP Tenant Portals

The following steps need to be done in order to change ports and certificates for the tenant portal.

  1. Logon to the WAP server as Administrator (This assumes it’s an express install).
  2. Start IIS Manager.
  3. Expand IIS Server > Sites.
  4. Right click on MgmtSvc-TenantSite and select edit bindings.
  5. Select https 30081 and select edit.
  6. Change port to 443.
  7. Set hostname to wapcloud.contoso.com.
  8. Select wapcloud.contoso.com in the drop down list for certificates
  9. Click Close
  10. Right click on MgmtSvc-AuthSite and select edit bindings
  11. Select https 30071 and select edit.
  12. Change port to 444.
  13. Select wapcloud.contoso.com in the drop down list for certificates.
  14. Restart the MgmtSvc-TenantSite Web Site from the action menu.
  15. Restart the MgmtSvc-AuthSite Web Site from the action menu.

Update Windows Azure Pack with the new settings

Updating the Windows Azure Admin Portal

The TechNet documentation can be found here: Reconfigure FQDNs and Ports in Windows Azure Pack
To update WAP with our modifications, the following commands need to be executed, using the values from the scenario.

  • Set-MgmtSvcFqdn: This command will update the FQDN names for the modified services in the WAP Database.
  • Set-MgmtSvcRelyingPartySettings: This command will set the relay location for the WAP authentication service (Tenant or Admin).
  • Set-MgmtSvcIdentityProviderSettings: This command will update the authentication service with the location to which users are redirected once verified.

We will be using the following arguments while executing the commands:

  • WAP Database Server: db02.contoso.com
  • WAP Database user: sa
  • Admin Portal FQDN: wapadmin.contoso.com
  • Admin Portal Port: 443
  • Admin Auth Service: wap01.contoso.com:30072

To update the WAP database with the modifications made to the WAP services, do the following.

  1. Logon to the WAP Server as a WAP Administrator.
  2. Start a PowerShell window.
  3. Import the WAP PowerShell module:

    Import-Module -Name MgmtSvcConfig

  4. Update WAP Admin Portal with the updated FQDN settings by running the following command:

    Set-MgmtSvcFqdn -Namespace "AdminSite" -FullyQualifiedDomainName "wapadmin.contoso.com" -Port 443 -Server "db02"

  5. To set the WAP authentication service FQDN for the admin portal, run the following command:

    Set-MgmtSvcRelyingPartySettings -Target Admin -MetadataEndpoint 'https://wap01.contoso.com:30072/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=*******"

  6. To set the authentication service redirection location to the admin portal, run the following command:

    Set-MgmtSvcIdentityProviderSettings -Target Windows -MetadataEndpoint 'https://wapadmin.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

Updating the Windows Azure Tenant Portal

The following attributes are used for configuring the WAP Tenant Portal.

  • WAP Database Server: db02.contoso.com
  • WAP Database user: sa
  • Tenant Portal FQDN: wapcloud.contoso.com
  • Tenant Portal Port: 443
  • Tenant Auth Service: wapcloud.contoso.com:444

To update the tenant portal do the following:

  1. Logon to the WAP Server as an Administrator.
  2. Start PowerShell.
  3. Import the WAP PowerShell module:

    Import-Module -Name MgmtSvcConfig

  4. Update WAP Tenant Portal with the updated settings by running the following command:

    Set-MgmtSvcFqdn -Namespace "TenantSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 443 -Server "db02"

  5. Update WAP Tenant Auth Site with the updated settings by running the following command:

    Set-MgmtSvcFqdn -Namespace "AuthSite" -FullyQualifiedDomainName "wapcloud.contoso.com" -Port 444 -Server "db02"

  6. To set the WAP authentication service FQDN for the tenant portal, run the following command:

    Set-MgmtSvcRelyingPartySettings -Target Tenant -MetadataEndpoint 'https://wapcloud.contoso.com:444/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

  7. To set the authentication service redirection location to the tenant portal, run the following command:

    Set-MgmtSvcIdentityProviderSettings -Target Membership -MetadataEndpoint 'https://wapcloud.contoso.com/FederationMetadata/2007-06/FederationMetadata.xml' -ConnectionString "Data Source=db02.contoso.com;User ID=sa;Password=********"

Verify the WAP modification works.

Pre-requisite: As we don’t have a public certificate for the lab setup, we are going to install the CA certificate in the Trusted Certificates store on the computers from which we will access the WAP Portals.

  1. Login to a computer as a user that has WAP Admin Portal access.
  2. Start a browser.
  3. Type the URL that the WAP Admin Portal was changed to (E.g. https://wapadmin.contoso.com)

    Verify that the WAP Admin Portal loads using the new URL

Verify that the tenant portal works by opening a browser and going to https://wapcloud.contoso.com.
During the authentication sign-in process, note the redirection to the wapcloud.contoso.com:444 authentication site.

Verify that after login you are redirected back to the WAP Portal.
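
A scripted counterpart to the browser check above, added here as an example and not part of the original post: it connects to each endpoint named in this lab and reports whether the certificate presented is still self-signed, does not match the host name, does not chain to a CA trusted on the machine running it, or is close to expiry. The function name Test-WapEndpointCertificate and the 30-day warning threshold are assumptions; run it from a computer that has the enterprise CA certificate installed.

```powershell
# Added example: audit the certificate each reconfigured WAP endpoint presents.
# Host names and ports are the lab values used in this post.
$endpoints = @(
    @{ Name = 'Admin portal';     HostName = 'wapadmin.contoso.com'; Port = 443   },
    @{ Name = 'Admin auth site';  HostName = 'wap01.contoso.com';    Port = 30072 },
    @{ Name = 'Tenant portal';    HostName = 'wapcloud.contoso.com'; Port = 443   },
    @{ Name = 'Tenant auth site'; HostName = 'wapcloud.contoso.com'; Port = 444   }
)

function Test-WapEndpointCertificate {
    # Hypothetical helper name; WarnDays is an assumed threshold.
    param(
        [Parameter(Mandatory = $true)] [string] $HostName,
        [Parameter(Mandatory = $true)] [int]    $Port,
        [int] $WarnDays = 30
    )

    # The callback records what .NET found wrong and still accepts the
    # certificate, so the handshake completes and the certificate can be read.
    # Nothing is sent over the connection afterwards.
    $state = @{ Errors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]({
        param($origin, $certificate, $chain, $policyErrors)
        $state.Errors = $policyErrors
        return $true
    }.GetNewClosure())

    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($HostName, $Port)
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $callback
        # Passing the host name makes .NET compare it with the certificate names.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }

    $findings = @()
    if ($cert.Subject -eq $cert.Issuer) {
        $findings += 'self-signed'
    }
    if ($state.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        $findings += "name does not match $HostName"
    }
    if ($state.Errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        $findings += 'chain not trusted on this computer'
    }
    if ($cert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
        $findings += "expires $($cert.NotAfter.ToString('yyyy-MM-dd'))"
    }
    if ($findings.Count -eq 0) { $findings = @('ok') }

    [pscustomobject]@{
        Address  = "${HostName}:$Port"
        Subject  = $cert.Subject
        Issuer   = $cert.Issuer
        NotAfter = $cert.NotAfter
        Findings = $findings -join '; '
    }
}

$report = foreach ($ep in $endpoints) {
    try {
        $result = Test-WapEndpointCertificate -HostName $ep.HostName -Port $ep.Port
        $result | Add-Member -NotePropertyName Endpoint -NotePropertyValue $ep.Name -PassThru
    }
    catch {
        # Unreachable endpoint or failed handshake: report it instead of stopping.
        [pscustomobject]@{
            Address  = "$($ep.HostName):$($ep.Port)"
            Subject  = $null
            Issuer   = $null
            NotAfter = $null
            Findings = "connection failed: $($_.Exception.Message)"
            Endpoint = $ep.Name
        }
    }
}

$report | Format-Table Endpoint, Address, Issuer, NotAfter, Findings -AutoSize -Wrap
```

Any row whose Findings column is not "ok" points at a binding that still serves the wrong certificate; the admin endpoints are only reachable from the internal network.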


Summary

The goal with this blog post was to show how it’s possible to reconfigure portal names, ports and use certificates after deploying the Windows Azure Pack and I think I’ve done that.  But, as always, if you have any questions or comments, let me know…..

Until next time, Rob.

Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Windows Azure Pack Install – Part 5

To continue Windows Azure Pack series here is my next topic:  Installing and Configuring Windows Azure Pack

If you missed other parts of the series, check links below:
Part 1 – Understanding Windows Azure Pack
Part 2 – Understanding Windows Azure Pack – Deployment Scenarios
Part 3 – Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Environment Prep
Part 4 – Deploying Service Provider Framework on Nutanix

Again to reiterate from my previous blog posts and set some context, Windows Azure Pack (WAP) includes the following capabilities:

WAP:

  • Management portal for tenants – a customizable self-service portal for provisioning, monitoring, and managing services such as Web Site Clouds, Virtual Machine Clouds, and Service Bus Clouds.
  • Management portal for administrators – a portal for administrators to configure and manage resource clouds, user accounts, and tenant offers, quotas, and pricing.
  • Authentication sites – these sites provide authentication services for the management portal for administrators and the management portal for tenants.  Windows Authentication + ADFS for Admins Sites and ASP.NET provider for tenants
  • Service management API – a REST API that helps enable a range of integration scenarios including custom portal and billing systems.

IaaS Resources:

  • Web Site Clouds – a service that helps provide a high-density, scalable shared web hosting platform for ASP.NET, PHP, and Node.js web applications. The Web Site Clouds service includes a customizable web application gallery of open source web applications and integration with source control systems for custom-developed web sites and applications.
  • Virtual Machine Clouds – a service that provides infrastructure-as-a-service (IaaS) capabilities for Windows and Linux virtual machines. The Virtual Machine Clouds service includes a VM template gallery, scaling options, and virtual networking capabilities.
  • Service Bus Clouds – a service that provides reliable messaging services between distributed applications. The Service Bus Clouds service includes queued and topic-based publish/subscribe capabilities.
  • SQL and MySQL – services that provide database instances. These databases can be used in conjunction with the Web Sites service.
  • Automation – the capability to automate and integrate additional custom services into the services framework, including a runbook editor and execution environment.
  • Optional resource = what you are going to connect with WAP (for example, SCVMM cloud, SQL Server, etc).
  • Required components = Windows Azure Pack components which you install on one machine (express) or on multiple machines (distributed)

In other words, WAP is the interface between your resources and tenants = clients/customers. On the following diagram you can see the main components of WAP, cloud components and optional resources. WAP can be deployed in 2 different ways – express and distributed, as previously discussed. In the express deployment, like we are deploying in this series, you can install all WAP components on one machine for lab/demo purposes. If you want to have WAP in your production environment, you should always use distributed deployment as mentioned in previous posts in this series. In such a deployment, WAP required and optional components are installed on multiple machines.
Below are examples of various distributed deployments.
In this blog post I will explain how to perform the following procedures;

Prerequisites

  • System Center Virtual Machine Manager 2012 R2 (VMM01) is installed and configured:
    • Member of the AD domain
    • One or more SCVMM Clouds created in SCVMM (See video)
    • One or more VM Networks created in SCVMM
  • Service Provider Foundation is installed as shown in my previous blog post
    • SPF IIS Web service running under a domain account
  • SQL Server Instance is installed running SQL 2012 or later for Hosting WAP Client Databases (DB01)
    • Member of the AD domain
    • With SQL Authentication enabled (Using SA)
  • WAP Server (WAP01)
    • Windows 2012 R2 Full Server (not core) with all current updates
    • Member of AD domain

Installing Windows Azure Pack:

  1. On the freshly built WAP Windows Server 2012 R2 server follow the prerequisites steps to install WAP
  2. Disable Internet Explorer Enhanced Security

    1. Install Microsoft Web Platform Installer (Web PI) 4.6 (it can be downloaded from here; if the WAP server has no Internet access, follow this blog post)
    2. Install the following software through Web PI, in this order:
      1. Enable Microsoft .NET Framework 3.5 SP 1 in Server Manager
      2. .NET 4.5 Extended, with ASP.NET for Windows 8.
      3. IIS recommended configuration.
  3. Launch the Web PI (Web Platform Installer) installer
  4. Select Products from the top menu
  5. Type: Windows Azure Pack in the search field in the left side
  6. Click Add Windows Azure Pack: Portal and API Express
    [Image: WAP Express installer in Web PI]
  7. Click Install at the bottom of the Web PI window
  8. Read the terms of use, click I Accept
  9. When the wizard completes the installation, it will present a screen like the one in the picture below asking to Continue. When clicking the Continue button, an Internet Explorer window will be launched
    [Image: WAP Install screen in Web PI]

  10. In the recently opened Internet Explorer page, copy the URL, and launch a new browser with administrative privileges. When the new browser is opened, paste the URL you obtained before (https://localhost:30101/)
  11. In the browser, if you are presented with warnings related to the certificate, click continue, and then the Windows Azure Pack Setup will be displayed

    [Image: WAP Install screen in Web PI]

  12. In the Database Server page, provide the following information:
    Server Name: an instance that accepts SQL Authentication (for example db01.contoso.com)
    Authentication type: SQL authentication (Windows Authentication can also be used).
    Database server admin username: sa
    Password: ********
    Passphrase: ********
  13. Click on the arrow for next.
    [Image: Database Server setup in WAP install]
  14. In the Customer Experience Improvement program, select one Yes (MS needs your feedback:) ) and click Next
  15. In the Features Setup page, click on the to finish the wizard.
  16. Once the setup has completed, click in the arrow button
  17. Sign out and Sign in from WAP01 (this needs to be done for the user to be registered correctly in WAP)
  18. Open a browser and go to: https://wap01:30091

Validating the WAP installation succeeded:

  1. Log on to the WAP Server as Administrator
  2. Start IIS Management Console
  3. Check that the following IIS WEB Sites are created from pic below:
  4. Log on the SQL Server (SQL01) as SQL Administrator
  5. Open SQL Management Studio on the SQL Server as SA
  6. Check that the following Databases were successfully created from pic below:


Websites created after WAP Install

Configuring SCVMM and SPF

SCVMM Configuration

  1. Log on to SCVMM Server as Administrator
  2. Start the SCVMM Console
  3. In the SCVMM console go to Fabric – Servers – All Hosts and verify your Nutanix Cluster is available and also your shares are available.
  4. Once hosts have been verified, copy one or more sysprepped VHDs to the VMM Library (e.g. \\NTNXHYPERV-smb.nutanixbd.local\NTNXHYPERV-library\VHDs)
  5. Now create one or more clouds in SCVMM (in this case we created two: Contoso and Fabrikam, Microsoft default example companies) and assign one or more logical networks to the cloud. Make sure you leave Capability Profiles unchecked
  6. Under VM Networks, create a VM Network, a subnet and an IP Pool. Connect the VM Network to a logical network that was assigned to the cloud created earlier. (e.g. Contoso Tenant)
  7. Then create one or more hardware profiles (for example, small, medium and large)
  8. Create templates from the sysprepped VHDs copied to the library (for example, Windows Server 2012 R2 Core and Windows Server 2012 R2 GUI)
    NOTE: When creating the VM templates, in Hardware Profiles it’s not necessary to select one; for our example we created medium. Then click next, and make sure that you select Create a new Windows Operating System Customization Settings, and select the operating system (for example, Windows Server 2012 R2 Datacenter). If this is not selected, the VM will not show up in the Windows Azure Pack Portal.
  9. Select Settings
  10. Add the user under which the SPF Web Service (Application Pool) account is running to the Administrators group
    Click Security > User Roles
    Click Administrators > Members
    Click Add and select the user that SPF Web Service (Application Pool) is running with. (See my SPF Blog Post)

Service Provider Foundation Configuration

  1. Log on to the SPF Server as Administrator.
  2. Start Computer Management
  3. Select Local User and Groups
  4. Create a user you want to use for SPF by right click Users > new user (e.g. spf)
    Note: This is not the same as the SPF Web Service (Application Pool). This is a local user on the SPF Server.
  5. Click on the user and select the “Member Of” tab.
    Note: Make the user member of all Groups starting with “SPF_”


  6. Verify that the SPF Web Service is running under the right user credentials
    Note: The way SPF executes commands against VMM will be in the context of the user under which the web service is running.
    To verify that the SPF Web Service is running under the right service account check the following:

    1. Log on to the SPF server as an administrator
    2. Start IIS Manager
    3. Expand SPF Server > Sites and verify that SPF shows in the list.
    4. Select Application Pools under the Connections menu
    5. Verify that both the SCVMM and Provider Application Pools are running under the account (Identity) that is also a member of the VMM Administrators
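
The identity check in step 6 and the group membership from step 5 can be scripted on the SPF server. This PowerShell is an added example, not part of the original post; the account name CONTOSO\spfsvc and both function names are assumptions.

```powershell
# Added example: run elevated on the SPF server.
Import-Module WebAdministration

function Get-AppPoolIdentityReport {
    param(
        # Assumption: placeholder for the account that is a VMM administrator.
        [string]$ExpectedAccount = 'CONTOSO\spfsvc'
    )
    # List every pool so no pool name has to be guessed.
    Get-ChildItem IIS:\AppPools | ForEach-Object {
        $pm = $_.processModel
        [pscustomobject]@{
            Pool            = $_.Name
            State           = $_.State
            IdentityType    = $pm.identityType
            UserName        = $pm.userName
            # Built-in identities (NetworkService etc.) never match.
            MatchesExpected = ($pm.identityType -eq 'SpecificUser') -and
                              ($pm.userName -eq $ExpectedAccount)
        }
    }
}

function Get-SpfLocalGroupMembers {
    # ADSI is used because Get-LocalGroup is not available in PowerShell 4.0.
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'group' -and [string]$_.Name -like 'SPF_*' } |
        ForEach-Object {
            $group = $_
            foreach ($m in @($group.Invoke('Members'))) {
                [pscustomobject]@{
                    Group  = [string]$group.Name
                    Member = $m.GetType().InvokeMember('Name', 'GetProperty', $null, $m, $null)
                }
            }
        }
}

Get-AppPoolIdentityReport | Format-Table -AutoSize
Get-SpfLocalGroupMembers  | Format-Table -AutoSize
```

Any pool with MatchesExpected set to False, and any SPF_ group member you did not add, is worth reviewing before registering SPF in the portal.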

Configuring the Windows Azure Pack

In this section we will be configuring the following:

  • Configuring VM Clouds Resource Provider in the Windows Azure Pack
  • Configure SQL Servers Resource Provider in the Windows Azure Pack
  • Configuring a plan in Windows Azure Pack
  • Configure an Admin Account and a subscription in Windows Azure Pack
  • Login as a Tenant and provision a VM and SQL Database to a Cloud

Configuring VM Clouds Resource Provider in the Windows Azure Pack

  1. Log on to WAP Admin Portal as an administrator (e.g. https://wap01.contoso.com:30091)
  2. Finish the Intro tour and click Ok
  3. In the main window, select VM Clouds
  4. In the VM Clouds Window select Register System Center Service Provider Foundation
  5. Type the Service URL, Username and Password
    Note: The user name and password belong to the user created locally on the SPF server, which was added to the SPF groups earlier in this post
  6. Verify that the registration is successful
  7. Register VMM: Go to VM Clouds – Clouds – Use an existing Virtual Machine Cloud Provider to Provision Virtual Machines, and provide the following info:
    Virtual machine manager server: vmm01
    Port number (optional):
    Remote Desktop Gateway:
    Click on register
    Verify that the VMM Server registers correctly by selecting the server under Clouds and verifying that all clouds show for the VMM Server

Configure SQL Servers Resource Provider in Windows Azure Pack

  1. In the WAP Admin Portal, go to SQL Servers
  2. Click on Add an existing server to the hosting server group
  3. In the wizard provide the following information:
    1. SQL Server Group: Default
    2. SQL Server name: db01
    3. Username: sa
    4. Password: ********
    5. Size of hosting server in GB: 20
      Note: The SQL Server used as the hosting server must have SQL Authentication enabled for the Service Provider service to work
  4. Verify that the following message shows in the status area
  5. Under Servers there should now be a new SQL Server showing

Configuring a Plan in Windows Azure Pack

  1. In the WAP Admin Portal, go to Plans.
  2. Click on + New -> PLAN -> CREATE PLAN
  3. Specify a name for the plan (e.g. Contoso)
  4. Select the service that should be offered via the plan (e.g. Virtual Machine Clouds and SQL Servers) and click next
  5. Skip add-ons and click Ok
    Note: In our scenario we created two plans: Contoso and Fabrikam.
  6. Under Plans, verify that the new plan(s) show in the list
  7. Click on the first plan created
  8. Under plan service, click on Virtual Machine Clouds
  9. Select the VMM Server (There should only be one in the list).
  10. Under Virtual Machine Cloud, select the cloud that you would like to use with the plan (e.g. Contoso)
  11. Under Usage limit, specify the usage limits that the plan should use
  12. Under networks, click Add network
  13. Select the VM networks that should be used for the plan and click Ok
  14. Click Add hardware profiles
  15. Select the hardware profiles that should be used for the plan and click Ok
  16. Click Add Templates and select the templates that should be used for the plan
  17. Under Additional settings, select the actions that should be allowed within the plan
  18. Click Save
  19. Verify that the plan service shows as configured and Active for both services

Configure an Admin Account and a subscription in Windows Azure Pack

  1. In the WAP Admin main menu click User Accounts
  2. Click + New -> User Account -> Quick Create
  3. Provide the following information:
    1. E-mail: e.g. admin@nutanixbd.local
    2. Password: *******
    3. Select a plan (e.g. Contoso)
  4. Click Create
  5. Click on the newly created user and verify that a subscription shows.

Login as a Tenant and provision a VM and SQL Database to a Cloud

  1. Open a browser and go to the WAP Tenant Portal (e.g. https://wap01.contoso.com:30081)
  2. Specify the user account created earlier and its password (e.g. admin@nutanixbd.local)
  3. Click on Submit
  4. Finish the introduction wizard
  5. Click on Virtual Machines
  6. Click Create a virtual Machine Role
  7. Select Standalone Virtual Machine
  8. Select From Gallery -> Templates
  9. Select a template in the list and click Next
  10. Provide the following information of the VM
    1. Name: e.g. Contoso01
    2. Password: ********
    3. Product Key
      Note: Depending on what kind of sysprepped image is used, it may be necessary to provide a product key. Only if the image was built using a Volume License image might a product key not be needed.
  11. Select a network for the Virtual Machine e.g. Contoso Tenant (this is the network that was selected when creating the plan)
  12. Click Next
  13. Go to System Center Virtual Machine Manager 2012 R2 Server and start the SCVMM Console
  14. Select Jobs and select Running
  15. Verify that one job shows provisioning the virtual machine
  16. Go back to the WAP Tenant Portal
  17. Select SQL Server Databases
  18. Click Add a New Database
  19. Specify a Name for the Database (e.g. DB01)
  20. Click Next
  21. Provide a User Name and a Password (e.g. dba01)
  22. Click Ok to create the Database
  23. Verify that the job completes with success.
  24. Click on All Items
  25. Verify that a VM and a Database show in the list

That’s it…you did it…you built your own IaaS on Nutanix…I hope this blog post will help you with installing and configuring Windows Azure Pack on Nutanix.  If you run into any issues during the deployment, please feel free to post a comment.
Until next time, enjoy building your Nutanix Windows Azure Pack IaaS offering!
Rob

In the next blog post we will look at how you can create certificates and reconfigure portals and ports for Windows Azure Pack

Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Deploying Service Provider Foundation – Part 4

To continue the Windows Azure Pack series, here is my next topic: Installing and Configuring Service Provider Foundation
If you missed other parts of the series, check links below:
Part 1 – Understanding Windows Azure Pack
Part 2 – Understanding Windows Azure Pack – Deployment Scenarios
Part 3 – Understanding Windows Azure Pack – How to guide with Express Edition on Nutanix – Environment Requirements

There are 2 main steps to deploying WAP (Windows Azure Pack) on Nutanix:

  • Deploying SPF (Service Provider Foundation) – This blog post
  • Deploying Windows Azure Pack (coming soon)

Service Provider Foundation

SPF is provided with System Center 2012 – Orchestrator, a component of System Center 2012 R2. SPF exposes an extensible OData web service that interacts with System Center Virtual Machine Manager (SCVMM). This enables service providers and hosters to design and implement multi-tenant self-service portals that integrate IaaS (Infrastructure as a Service) capabilities available on System Center 2012 R2. The following picture shows how System Center w/SPF interacts with WAP to provide VM Cloud Services (see TechNet article for more info):
As with every installation, SPF requires additional software, features and server roles. The setup wizard checks prerequisites and reports their status. Unfortunately, there is no “button” to install all of the requirements automatically. I’ve written a script to automate this process (see below). Please note: Don’t try to install SPF on the SCVMM Server. It’s not supported.
Requirements:

  • SQL Server 2012 SP1 or higher instance (Already Deployed)
  • OS – Windows Server 2012 R2 VM (Already Deployed)
    • 2 CPU Cores
    • 4 Gigs of RAM
    • 100 Gig OS Drive
  • Feature – Management OData Internet Information Services (IIS) Extension
  • Feature – .NET Framework 4.5 features, WCF Services, and HTTP Activation.
  • Web Server (IIS) role. Include the following services:
    Basic Authentication
    Windows Authentication
    Application Development ASP.NET 4.5
    Application Development ISAPI Extensions
    Application Development ISAPI Filters
    IIS Management Scripts and Tools Role Service
  • Downloads:
    WCF Data Services 5.0 for OData V3
    ASP.NET MVC 4
  • Virtual Machine Manager 2012 R2 Console
  • Certificates: self-signed (wizard creates one automatically) or obtained SSL-certificate (recommended for production)

This script will install all requirements except SCVMM console (please note that SCVMM console has to be installed manually):

# IIS + Process activation model
Install-WindowsFeature Web-Asp-Net45,Web-Scripting-Tools,Web-Basic-Auth,Web-Windows-Auth,NET-WCF-Services45,Web-ISAPI-Ext,Web-ISAPI-Filter,WAS-Process-Model,WAS-Config-APIs,ManagementOdata
# Download and install WcfDataServices and AspNetMVC4
New-Item C:\SPFRequirements -ItemType Directory
Invoke-WebRequest http://download.microsoft.com/download/8/F/9/8F93DBBD-896B-4760-AC81-646F61363A6D/WcfDataServices.exe -OutFile C:\SPFRequirements\wcfdatasvc.exe
Invoke-WebRequest http://download.microsoft.com/download/2/F/6/2F63CCD8-9288-4CC8-B58C-81D109F8F5A3/AspNetMVC4Setup.exe -OutFile C:\SPFRequirements\aspnetmvc.exe
Set-Location C:\SPFRequirements
# Run each installer silently and wait for it to exit before starting the next
.\aspnetmvc.exe /quiet
Wait-Process aspnetmvc
.\wcfdatasvc.exe /quiet
Wait-Process wcfdatasvc
Write-Host "All prerequisites are installed. Insert your SCVMM 2012 R2 DVD and install SCVMM Console manually. Then your environment will be ready for SPF installation."
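
The script above fetches both installers over plain HTTP and runs them unattended, so it is worth checking their Authenticode signatures before execution. This is an added example, not part of the original script; the function name Test-InstallerSignature and the expected publisher string are assumptions.

```powershell
# Added example: verify the downloaded installers before running them.
# The paths are the ones the prerequisite script writes to.
$installers = 'C:\SPFRequirements\aspnetmvc.exe',
              'C:\SPFRequirements\wcfdatasvc.exe'

function Test-InstallerSignature {
    param(
        [Parameter(Mandatory)][string]$Path,
        # Assumption: both packages are signed by Microsoft Corporation.
        [string]$ExpectedPublisher = 'O=Microsoft Corporation'
    )
    $sig = Get-AuthenticodeSignature -FilePath $Path
    # Unsigned files have no signer certificate at all.
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        File    = $Path
        Status  = $sig.Status
        Signer  = $subject
        Sha256  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
        # Valid = signature intact and chain trusted on this machine.
        Trusted = ($sig.Status -eq 'Valid') -and $subject.Contains($ExpectedPublisher)
    }
}

foreach ($file in $installers) {
    $result = Test-InstallerSignature -Path $file
    $result | Format-List
    if (-not $result.Trusted) {
        throw "Refusing to run ${file}: status '$($result.Status)', signer '$($result.Signer)'"
    }
    # Start-Process -Wait blocks until the installer exits.
    Start-Process -FilePath $file -ArgumentList '/quiet' -Wait
}
```

The SHA-256 value is printed so it can be recorded alongside the build notes for the server.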

Required user accounts

We need to create a domain user account for the Service Provider Foundation application pools and a domain group that will be used for the permissions on the individual virtual directories created by the installer.
In my test lab I have created the following domain service accounts. They do not need any special rights other than membership in the Domain Users group.

  • spfadmnsvc – SPF Admin Web Service
  • spfprovsvc – SPF Provisioning Web Service
  • spfusagesvc – SPF Provisioning Web Service

And the following domain group:

  • SPF_Admins – Group for SPF Administrators – Add all your WAP admins to this group

This admin group should be added to the local Administrators group on the SPF server.

Certificates

The Service Provider Foundation provides an extensible OData web service. Communications to this web service can and should be encrypted by SSL. SSL requires certificates. The Service Provider Foundation allows for self-signed certificates (for testing purposes) and certificates issued by a standalone Certificate Authority, an enterprise Certificate Authority or a public Certificate Authority. The Service Provider Foundation install defaults to self-signed (the wizard creates one automatically), or you can obtain a certificate from a public CA for production.
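
To see after installation which HTTPS bindings on the SPF server still use a self-signed certificate, the bound certificates can be inspected from PowerShell. This is an added example, not part of the original post; the function name and the 30-day warning window are assumptions.

```powershell
# Added example: run elevated on the SPF server.
Import-Module WebAdministration

function Get-HttpsBindingCertReport {
    param([int]$WarnDays = 30)   # Assumption: warn 30 days before expiry.
    Get-ChildItem IIS:\SslBindings | ForEach-Object {
        $binding = $_
        $certPath = "Cert:\LocalMachine\$($binding.Store)\$($binding.Thumbprint)"
        $cert = Get-Item $certPath -ErrorAction SilentlyContinue
        if (-not $cert) {
            Write-Warning "Port $($binding.Port): bound certificate not found in store"
            return
        }
        [pscustomobject]@{
            Port        = $binding.Port
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            # Subject equal to issuer is what the wizard's test certificate looks like.
            SelfIssued  = $cert.Subject -eq $cert.Issuer
            # Verify() builds the chain against this machine's trust stores.
            ChainValid  = $cert.Verify()
            NotAfter    = $cert.NotAfter
            ExpiresSoon = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
        }
    }
}

Get-HttpsBindingCertReport | Format-Table -AutoSize
```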

Installation

The Service Provider Foundation setup is on the System Center Orchestrator R2 media.

When installing, login to the SPF server as a user that has DBO/SA rights to the SQL 2012 instance that will be hosting SPF databases.

Mount the Orchestrator ISO, run SetupOrchestrator.exe and click on “Service Provider Foundation”
Click Install
Accept license terms and click Next
We’ve already installed all prerequisites using my script, so just click Next
Define the SQL Server 2012 SP1 instance name and port number and click Next. If you are unable to reach the SQL Server, you have to open firewall ports (https://support.microsoft.com/kb/968872) or check the SQL TCP properties
Choose certificate type (for a test lab, use self-signed; it can be changed out later) and click Next

Define the application pool credentials (spfadminsvc) and the SPF_Admin group that will have access to SPF services and click Next. It’s best practice to create new domain accounts for every SPF service instead of using the Network Service account.
Provider Web Service properties, click Next
Usage Web Service configuration, click Next
Windows updates + CEIP – yes (Microsoft needs your feedback 🙂 ), click Next
Click Install
Setup is complete!
Update SPF with the latest rollup (https://support.microsoft.com/en-us/kb/3021802) or use Windows Update.
Please note, the latest rollup causes an issue in IIS and breaks the SPF website. I ran into this during my lab deployment. Check out the blog post “System Center 2012 R2 : Update Rollup 4 breaks the SPF website”, which fixes the issue.
This completes the SPF install. In a future blog post, we will be integrating SPF with WAP and SCVMM.
Additional links:
http://technet.microsoft.com/en-us/library/jj642895.aspx
http://technet.microsoft.com/en-us/library/dn266007.aspx
Next up in my series, Installing the Windows Azure Pack on Nutanix

Until next time, Rob….