Learning System Center App Controller (2015)
Chapter 4. Customizing App Controller
System Center 2012 R2 App Controller provides a web-based portal to manage on-premises, Azure cloud, and third-party cloud solutions through a single pane of glass. Before we can manage these solutions, we will need to connect to these resources by integrating them in the App Controller admin console. This chapter will walk you through the steps required for integration.
In this chapter, we will cover the following topics:
· Getting familiar with the App Controller admin console
· Connecting Virtual Machine Manager with App Controller
· Connecting to Azure subscription
· Adding network shared storage to App Controller
· Changing the SSL certificate on the App Controller admin portal website
In previous chapters, we installed App Controller. For help with App Controller installation, refer to Chapter 2, Installing and Working with Different App Controller Components.
Logging in to the App Controller interface
In this section, we will log in to the App Controller web portal for the first time. Perform the following steps to open the App Controller admin console:
1. Before attempting to log on to the App Controller server, ensure that Microsoft Silverlight is installed on the server. It can be downloaded from http://www.microsoft.com/silverlight/.
2. Log on to the App Controller server. Launch Internet Explorer, type https://localhost, and press the Enter key.
3. If a warning message saying There is a problem with this website's security certificate shows up, select the Continue to this website (not recommended) link, as shown in the following screenshot:
4. Now, you will be presented with the logon screen. Provide administrative credentials to log on; to start with, these are the service account details of the App Controller administrator. Click on the Sign In button in the browser as follows:
5. Depending on the speed of your system, the Microsoft System Center 2012 R2 App Controller Admin portal will open. The Admin portal is based on the Silverlight technology and looks very similar to the Virtual Machine Manager Console as follows:
6. The App Controller Admin console is divided into seven sections, as shown in the left pane of the preceding screenshot. By default, the Overview page shows up every time we log in to the admin portal. We can manage multiple subscriptions and common tasks in the Overview page. There are three main categories in the Overview page. Out of them, Status contains Private Clouds created in the VMM server, Public Clouds displays Microsoft Azure subscriptions being managed by App Controller, and Hosting Service Providers shows third party service providers.
Integrating the Virtual Machine Manager server for private cloud management
In this section, we will integrate our previously installed Virtual Machine Manager server with the App Controller server. Perform the following steps to complete the task:
1. Log on to the App Controller server. Launch Internet Explorer and log in with an account that has local administrative access on the App Controller server. On the Overview page, under the Private Clouds subsection of the Status section, click on the Connect a Virtual Machine Manager server link, as shown in the following screenshot. In future, we should click on the Settings link in the left pane, select Connections in the submenu, click on Connect in the middle pane, and select SCVMM from the pop-up menu.
2. In the pop-up dialog box, provide a Connection Name, Description, Server name, and a Port for VMM communication. Ensure that you select Automatically import SSL certificates. Then click on the OK button as shown:
3. After a couple of minutes, VMM integration will be completed and the Private Clouds section will be populated with the current configuration set in the VMM server, as shown in the following screenshot:
4. We can also see the configuration of the configured clouds in Virtual Machine Manager. By clicking on Clouds in the left pane, Contoso Cloud can be seen in the middle pane with a description and cloud name assigned. To see computer limitations set on the cloud, we can change the View option to show information cards by clicking on the Show items as cards button in the top-right corner:
Configuring a Microsoft Azure subscription
In this section, we will configure the on-premises App Controller deployment to connect to the Windows Azure subscription. The following capabilities will be enabled for our private cloud users in both private and public cloud:
· Start virtual machines
· Stop virtual machines
· Shut down virtual machines
· Restart virtual machines
· Connect to virtual machines
· Modify existing virtual machines
· Copy existing virtual machines to Azure
· Deploy virtual machines
· Deploy cloud services
· Add virtual machines to cloud services
· Modify existing services
· View and manage jobs
To connect App Controller to Windows Azure, we have to first create a self-signed certificate. Then export the certificate package with private keys and also export the certificate without private keys. Next, we need to upload the certificate without private keys to the Windows Azure management portal and import the certificate package with the subscription ID into App Controller. Perform the following steps to complete the task:
1. Log on to the App Controller server and launch the IIS manager console.
2. Left-click on the Server name in the console. Double-click on Server Certificates in the IIS feature section, as follows:
3. In the Actions pane on the right side of the console, click on the Create Self-Signed Certificate link.
4. In the Create Self-Signed Certificate wizard, provide a friendly name like AzureManagementCertificate and store it in the Personal store. Then click on OK.
5. Launch MMC by typing MMC in the Run dialog box. Add Certificate snap-in from Add/remove snap-ins. Select Computer account for managing certificates store. Then click on Next.
6. In the Select the computer you want this snap-in to manage section dialog page, select Local computer. Next, click on Finish and then click on OK.
7. Back in the MMC console, expand Certificates (Local Computer). Expand Personal, then highlight Certificates. In the middle pane, we can see the list of certificates available.
8. Right-click on AzureManagementCertificate. Select All Tasks and click on Export….
9. Click on Next to start the Certificate Wizard. Make sure the Yes, export the private key option is selected. Then click on Next.
10. Leave default settings for Export File Format and click on Next. Provide a strong password to protect the PFX package. Then click on Next. Provide a path to store the package locally and click on Next. Finally, click on Finish.
11. Now log on to the Windows Azure portal. Sign in with your Azure Administrative ID details.
12. In the Management Portal, select Settings in the left pane. In the middle pane, click on the MANAGEMENT CERTIFICATES link. Then click on the UPLOAD A MANAGEMENT CERTIFICATE link as shown in the following screenshot. Browse for the CER file without private keys. Wait for the upload to complete. Take a note of the Subscription ID in the Management Certificates section. This will be used during the App Controller connection configuration.
13. Now, we are ready to connect App Controller to the Azure subscription. The Azure cloud subscription will use certificate authentication. The certificate uploaded in the previous step will be used for encrypting traffic between App Controller and the Azure cloud.
14. Back in the App Controller admin portal, click on Clouds in the left pane. Click on the down arrow on the Connect button in the middle pane. Then select Windows Azure subscription, as shown in the following screenshot:
15. Provide a friendly name for the subscription and values for the Description, Subscription ID, and Management certificate fields with a private key and Management certificate password for the PFX package file. Then click on OK, as shown in the following screenshot:
16. After a couple of minutes, the Azure subscription will be added to the App Controller environment. Now we can manage Services and Virtual Machines attached to this subscription, as follows:
17. In the Cloud section, we can also see the new Windows Azure connection as shown in the following screenshot:
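The certificate steps above can also be scripted. The following PowerShell is an added example, not code from the book: it creates the certificate, exports both the PFX package and the public-only CER file that step 12 uploads, and checks that the CER file carries no private key. The export folder C:\Certs is an assumed placeholder; the cmdlets are the built-in PKI module cmdlets.

```powershell
# Added example: scripted form of the certificate steps (run elevated on the
# App Controller server). $outDir is a placeholder path, not from the book.
$name    = 'AzureManagementCertificate'
$outDir  = 'C:\Certs'
$pfxPath = Join-Path $outDir "$name.pfx"
$cerPath = Join-Path $outDir "$name.cer"
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# Steps 3-4: self-signed certificate in the computer's Personal store.
$cert = New-SelfSignedCertificate -DnsName $name -CertStoreLocation 'Cert:\LocalMachine\My'
$cert.FriendlyName = $name

# Steps 8-10: PFX with the private key, protected by a prompted password
# so the secret never appears in the script or the command history.
$pfxPassword = Read-Host -Prompt 'Password for the PFX package' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Public certificate only (DER .cer): this is the file uploaded to Azure.
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Check before uploading: the .cer must match the PFX and hold no private key.
$cer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cerPath
if ($cer.HasPrivateKey) { throw "$cerPath contains a private key; do not upload it." }
if ($cer.Thumbprint -ne $cert.Thumbprint) { throw 'The .cer and the PFX are different certificates.' }

# The PFX grants management access to the subscription: limit who can read it.
icacls $pfxPath /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null

"Thumbprint to compare with the Azure portal: $($cert.Thumbprint)"
```

Once App Controller has imported the PFX package, delete the exported copy from disk or move it to protected storage.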
Configuring roles-based access
In this section, we will be adding a new tenant user to the App Controller. This user will be assigned particular settings to manage their environment. I have created a standard domain user called Contoso_Tenant01 for demo purposes. This account will be given full administrative access to the Contoso Cloud only. Perform the following steps to complete this task:
1. Log on to the Virtual Machine Manager server. Launch VMM Console.
2. Select Settings in the left pane. Expand Security and select User Roles. In the ribbon, click on Create User Role, as shown in the following screenshot:
3. After the Create User Role wizard launches, provide the Name and Description and then click on Next. I have used Contoso Cloud Administrator and Administrator of Contoso Cloud.
4. Select Tenant Administrator and click on Next:
5. In the Members section, add a security group or individual user accounts. I have added a Contoso_Tenant01 account to the members list. Then click on Next.
6. In the Scope section of the wizard, select the checkbox next to Contoso Cloud and click on Next.
7. In the Quotas for the Contoso Cloud section, adjust Role Level and Member level quotas as required. We will be using the default settings of Use Maximum for all settings. Then click on Next.
8. In the Networking section of the wizard, add Logical network belonging to Contoso by clicking on the Add button. Then click on Next.
9. In the Resources section of the wizard, add resources that this tenant administrator can use. I have selected OS profiles, Small HW hardware profile, VM Template, and Service Template, available in the list. Then click on Next.
10. In the Permissions section of the wizard, we can specify tasks that this user account can perform in the environment. Switch to Contoso Cloud in the middle pane. Click on the Select All button. Then click on Next.
11. In the Run As Accounts section of the create User Roles wizard, specify a privileged account that is required in Contoso Cloud and click on Next.
12. In the Summary section of the wizard, review specified settings and then click on Finish.
Adding a new VMM Library share
In this section, we will add a new Virtual Machine Library share to SCVMM. Perform the following steps to add the new Virtual Machine Library share to SCVMM:
1. To specify a dedicated folder to upload data by this user, I have created a folder called Contoso_Cloud in the root of system drive. Give full permission to the VMM computer account and the VMM service account on the security tab and share the folder.
2. Add the new share to the VMM Library by clicking on Library in the left pane. Right-click on the VMM server name and select Add Library Shares. Select the checkbox next to the Contoso_Cloud share. Then, click on Next and Finish.
3. Now click on Settings in the left pane. Select User Roles in the Security section in the left pane. Right-click on Contoso Cloud Administrator and select Properties. Switch to the Resources section in the left pane. Click on the Browse button in the Specify the library location where this user can upload data section. Select the Contoso_Cloud folder from the Select destination folder dialog box and click on OK.
4. Now log on to the App Controller server. Open a new session in Internet Explorer and browse to the App Controller admin portal. Log on with a new account. In our case, it is domainname\contoso_tenant01, as shown in the following screenshot:
5. After logging on, the Contoso_Tenant01 account can only see items that are allowed in the Virtual Machine Manager server, as follows:
Adding a network share
In this section, we will be adding a network share to the App Controller server. This share will be used as local cache during download or upload of the virtual machines. It can be any folder on the local network as long as the App Controller service account has the ability to make changes to the content of the shared folder. Perform the following steps to complete this task:
1. Log on to the App Controller server. Launch Internet Explorer and log in with administrative credentials.
2. We also need a shared folder with the correct permissions assigned. So launch Windows Explorer and create a folder. We will be creating a folder in the root of the system drive called SCAC_Share.
3. Once the folder is created, right-click on the folder name and select Properties. Switch to the Security tab and add the App Controller service account. Give full control permission to the service account. In our case, the account name is srv_scac_acc. Click on Apply and then on OK. Repeat the same process by switching to Sharing tab. Click on the Share button. Add the service account if it is not already present and then click on the Share button. Now click on the Done button and click on the Close button on the folder properties dialog box.
4. Now go back to the Internet Explorer browser and select the Overview page in the App Controller admin portal. Under the Next Steps section in the Common Tasks subsection, click on the Add a network file share link, as shown in the following screenshot:
5. Provide the UNC path to the folder that we created in step 3. The naming syntax is \\<servername>\<sharename>. Then click on OK. A confirmation message will show up at the bottom of the screen for the task being completed. Take a look at the following screenshot:
6. We can verify the addition of the share by clicking on Library in the left pane. Expanding Shares in the middle pane, we can also add more shares or remove listed shares in the Library's Shares section, as follows:
Configuring SSL certificate for the App Controller website
In this section, we will change the default SSL self-signed certificate to one that is generated by our internal certificate authority (CA). Building a PKI infrastructure is out of the scope of this book. Please look at the TechNet articles for creating a PKI infrastructure. Perform the following steps to complete this task:
1. I will try to explain the tasks that have to be completed to get a certificate from the internal CA. To get the CA certificate published, log on to the CA server and launch the Certsrv.msc console. Expand the server name. Right-click on Certificate Templates and make a duplicate copy of Webserver template. Ensure that Server Authentication is listed in the Extensions tab. Give the template a unique name. I have used Generic Web SSL Certificate. In the Security tab, allow the App Controller server with the Enroll permission. Then right-click on Certificates Templates in the Certsrv console. Select New; select New Certificate templates to issue. From the list, select the new template.
2. Now, reboot the App Controller server. After reboot, launch MMC console, add certificates snap-in, and ensure that it shows the Local computer store. Then expand to Personal and expand Certificates. Right-click on Certificates, select All Tasks and Request New Certificates. Select the new template we just published and click on the Add more information link. Change Type from FullDN to Common Name. Specify appcontroller.contoso.internal. Give this certificate a friendly name and then click on OK. Back in the Certificate enrolment wizard, click on Enroll.
3. Log on to the App Controller server and launch the Internet Information Services console. The IIS Manager console can also be launched by pressing the Windows key and typing in InetMgr.exe.
4. Expand Server Name and also expand Sites. Right-click on the AppController website. Select Edit Bindings…, as shown in the following screenshot:
5. In the Edit Sites Bindings dialog box, select https and then click on the Edit button.
6. Select appcontroller Webserver Cert from the drop-down list. Verify that the certificate is correct by clicking on the View button. Click on the Select button and then click on the OK button, as shown in the following screenshot:
7. Now that we have a valid certificate assigned to the website in IIS Manager, create a Host (A) record in DNS services. Specify appcontroller.contoso.internal as the FQDN and the IP address of the App Controller server. Make sure Silverlight is installed on the testing machine. Launch Internet Explorer and browse to https://appcontroller.contoso.internal. After a couple of seconds, the App Controller logon screen will show up.
8. Take a look in the browser address bar; the certificate error should have disappeared. We no longer get a warning message before the log on screen. We can also verify the certificate assigned to this website by going to Files | Properties of the site and clicking on the Certificates button, as follows:
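The check in step 8 can be repeated from any domain-joined machine without a browser. The following PowerShell is an added example, not code from the book; the function name Test-PortalCertificate is hypothetical. It performs a TLS handshake with default validation, so it only succeeds when the chain builds to a trusted root and the name matches, then reports the properties worth confirming after a certificate swap.

```powershell
# Added example: verify the certificate the App Controller website now serves.
function Test-PortalCertificate {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # No custom validation callback: .NET applies the same trust and
        # name checks that produce the browser warning when they fail.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
        } catch {
            return [pscustomobject]@{
                HostName    = $HostName
                HandshakeOk = $false
                Detail      = $_.Exception.Message
            }
        }
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # Collect the Enhanced Key Usage OIDs; 1.3.6.1.5.5.7.3.1 is Server Authentication.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value })
        [pscustomobject]@{
            HostName      = $HostName
            HandshakeOk   = $true
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            SelfSigned    = ($cert.Subject -eq $cert.Issuer)
            ServerAuthEku = ($ekuOids -contains '1.3.6.1.5.5.7.3.1')
            DaysToExpiry  = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Thumbprint    = $cert.Thumbprint
        }
    } finally {
        $client.Close()
    }
}

# FQDN used in this chapter.
Test-PortalCertificate -HostName 'appcontroller.contoso.internal'
```

A result with HandshakeOk set to False, or SelfSigned set to True, means the site is still serving the default certificate or the client does not trust the internal CA.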
Customizing App Controller branding
In some scenarios corporate branding is required. It is very simple to change the branding on App Controller management portal pages. The following screenshot highlights the areas that can be changed by altering or replacing specific files on the App Controller server:
Both files are typically located at C:\Program Files\Microsoft System Center 2012 R2\App Controller\wwwroot, as shown in the following screenshot:
Let's take a look at the following steps:
1. To replace the top-left logo, create a file with the name SC2012_WebHeaderLeft_AC.png with dimensions of 213 x 38 pixels containing a transparent background.
2. To replace the top-right logo, create a file with the name SC2012_WebHeaderRight_AC.png with dimensions of 108 x 16 pixels containing a transparent background.
3. Overwrite the existing files on the App Controller server with the new files.
4. Close the browser window. Open a new browser window and try to log in to the App Controller portal. The newly added logo files will be shown on top of the logon dialog box, as shown in the following screenshot:
5. The same new branding logos will be displayed after logging on to the App Controller Management portal, as shown in the following screenshot:
In this chapter, we integrated Virtual Machine Manager in the App Controller. We also attached a Windows Azure subscription to the App Controller. We added a network share to the App Controller environment and saw how to configure roles-based access users. We also changed the SSL certificate of the App Controller admin portal.
In the next chapter, we will explore advanced features of System Center 2012 R2 App Controller and PowerShell cmdlets that are provided for App Controller.