With the General Availability of Windows Azure Pack more organizations are interested in or are already implementing the complete CloudOS. Compared to the previous release Microsoft has put more effort into documentation for the product. After you have implemented your first lab environment (and you should, before trying anything like this in production) you will see that the default URLs for accessing the Admin Site are configured on port 30091 and the Tenant Site on port 30081. In the previous release of Windows Azure Pack (named Windows Azure Services for Windows Server) you could just change the port to 443 in IIS, assign a public certificate to the website and you were done.
In Windows Azure Pack Microsoft introduced the possibility to use Active Directory Federation Services (ADFS) for authentication. This functionality enables a single sign-on experience for end users. ADFS (besides many other features) also makes Windows Azure Pack interesting for enterprise organizations wanting to provide “Service Provider like” offerings to their internal customers.
The integration of ADFS required some changes to the validation procedure within Windows Azure Pack. Even without configuring ADFS the Admin Site and the Tenant Site now have their own dedicated authentication sites. In this blog I’ll describe the required steps to change the default URLs (name and port number) to public URLs.
Before we start it is good to understand that it is not possible to have multiple sites on a single server listening on the same default SSL port 443. I have even tried to add additional IP addresses to the same server NIC and bind each Website to a different IP Address (all on port 443). This will work within the same subnet, but will not function when accessing through NAT externally. For this configuration we are looking at four websites.
- Admin Site
- Admin Authentication Site
- Tenant Site
- Tenant Authentication Site
If you want to access these sites externally over a default SSL connection on port 443 you would need a virtual machine for each website (four in total) and four public IP addresses. For a production environment you would not provide external access to the Admin Site. The Admin Site and the Admin Authentication Site can be installed on a single machine. The Tenant Site and the Tenant Authentication site are probably going to be accessed from the internet. You can use a wildcard certificate provided by a public Certificate Authority for all websites. For this blog I will reference three virtual machines.
- wap01 (Admin Site & Admin Authentication Site)
- wap02 (Tenant Site)
- wap03 (Tenant Authentication Site)
In a more robust production environment you would double these servers and make their services highly available with a Load Balancer (NLB or Hardware Load Balancer). I have verified that these configuration steps are the same for a scale-out scenario using Load Balancing.
The Admin Site
In a default configuration the Admin Site is configured on port 30091 and the Admin Authentication Site on port 30072. Accessing the Admin Site through a browser can be divided into the following seven steps.
- You enter the NetBIOS name of the server with the port configured in IIS for the Admin Site
- Windows Azure Pack gets the Admin Site Fully Qualified Domain Name (FQDN) and port number from the database and notifies the browser
- The browser is redirected to the FQDN and port number of the Admin Site configured in the Windows Azure Pack database
- The Admin Site detects you do not have the correct token to validate and notifies the browser with the FQDN and port number of the Admin Authentication Site configured in the database
- The browser is redirected to the FQDN and port number configured for the Admin Authentication Site in the Windows Azure Pack database
- After validation a token is provided and the Admin Authentication Site gets the FQDN and port number from the database for the Admin Site and notifies the browser
- The browser is redirected to the FQDN and port number configured for the Admin Site
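Because of this flow, a site only works when two things agree: the binding IIS actually listens on, and the FQDN and port stored in the Windows Azure Pack configuration database that the redirects are built from. The script below is an added example (not part of this post and not Microsoft's code) that checks both for the four sites and then traces the redirect chain the browser would follow. It uses the Get-MgmtSvcFqdn cmdlet from the Windows Azure Pack PowerShell module and the WebAdministration module; the SQL server name, the IIS site names (the ones the installer creates by default) and the starting URL are assumptions you should adjust for your environment. It is written for Windows PowerShell (3.0 and later) on the machine hosting the sites.

```powershell
Import-Module MgmtSvcConfig      # Windows Azure Pack cmdlets (installed with the product)
Import-Module WebAdministration  # Get-WebBinding

# Assumptions for this example: adjust to your own environment.
$SqlServer = 'sql01'             # server hosting the Microsoft.MgmtSvc.Config database
$Sites = @{                      # WAP namespace -> IIS site name created by the installer
    'AdminSite'       = 'MgmtSvc-AdminSite'        # Admin Site            (default port 30091)
    'WindowsAuthSite' = 'MgmtSvc-WindowsAuthSite'  # Admin Authentication  (default port 30072)
    'TenantSite'      = 'MgmtSvc-TenantSite'       # Tenant Site           (default port 30081)
    'AuthSite'        = 'MgmtSvc-AuthSite'         # Tenant Authentication (default port 30071)
}

# Returns the FQDN/port pair stored in the database for one namespace.
function Get-WapConfiguredEndpoint {
    param([string]$Namespace)
    $entry = Get-MgmtSvcFqdn -Namespace $Namespace -Server $SqlServer
    if ($entry -is [string]) {           # tolerate a "host:port" string as well as an object
        $parts = $entry.Split(':')
        return @{ Fqdn = $parts[0]; Port = [int]$parts[1] }
    }
    return @{ Fqdn = $entry.FullyQualifiedDomainName; Port = [int]$entry.Port }
}

# Returns the https ports IIS is bound to for a site (empty if the site is not on this box).
function Get-WapIisPorts {
    param([string]$SiteName)
    Get-WebBinding -Name $SiteName -Protocol https -ErrorAction SilentlyContinue |
        ForEach-Object { [int]($_.bindingInformation.Split(':')[1]) }
}

# Compares database value and IIS binding for every site and reports mismatches.
function Test-WapEndpoints {
    foreach ($ns in $Sites.Keys) {
        $db  = Get-WapConfiguredEndpoint -Namespace $ns
        $iis = @(Get-WapIisPorts -SiteName $Sites[$ns])
        $status = if ($iis.Count -eq 0) { 'site not hosted here' }
                  elseif ($iis -contains $db.Port) { 'OK' }
                  else { "MISMATCH: IIS listens on $($iis -join ',')" }
        '{0,-16} database={1}:{2,-6} {3}' -f $ns, $db.Fqdn, $db.Port, $status
    }
}

# Follows the redirect chain one hop at a time (MaximumRedirection 0 makes each 3xx an
# exception whose Response carries the Location header) and returns the URLs visited.
function Trace-WapRedirects {
    param([string]$Url, [int]$MaxHops = 8)
    $hops = @()
    $current = $Url
    while ($current -and $hops.Count -lt $MaxHops) {
        $hops += $current
        try {
            Invoke-WebRequest -Uri $current -MaximumRedirection 0 -UseBasicParsing -ErrorAction Stop | Out-Null
            $current = $null                          # 2xx reached: end of the chain
        } catch {
            $resp = $_.Exception.Response
            if ($resp -and $resp.Headers['Location']) {
                # Location may be relative; resolve it against the URL we just requested.
                $current = (New-Object Uri((New-Object Uri($current)), $resp.Headers['Location'])).AbsoluteUri
            } else { throw }                          # a real error (TLS, 4xx, 5xx), not a redirect
        }
    }
    return $hops
}

Test-WapEndpoints
# Start the way a user would: NetBIOS name and the port IIS uses for the Admin Site.
Trace-WapRedirects -Url 'https://wap01:30091/' | ForEach-Object { "-> $_" }
```

Run it elevated on wap01 before and after changing the URLs. A hop that lands on the old NetBIOS name or the old port tells you which of the seven steps is still reading a stale value, and the first function tells you whether the fix belongs in the database or in the IIS binding. Public certificate errors surface as the non-redirect exception in Trace-WapRedirects, which is what you want to see when a wildcard certificate has been bound to the wrong host name.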
For this example I want to access the Admin Site on https://admin.hyper-v.nu and the Admin Authentication Site on https://admin.hyper-v.nu:30072. I will describe each configuration step referencing the numbers in the picture.