Configure the Web Sites Service in Windows Azure Pack

[This topic is pre-release documentation and is subject to change in future releases. Blank topics are included as placeholders.]

After you install and configure the Web Sites cloud controller for Windows Azure Pack, you need to configure the rest of the service. Use the following information to do that.

• Complete setup and configuration of the Web Site cloud

• Configure source control for the Web Site service

• Configure IP SSL

• Configure shared certificates

Complete setup and configuration of the Web Site cloud

After you install and configure the Web Sites service, you can complete setup and configuration of the Web Site cloud by provisioning machines to run the Front End, Publisher, and Web Worker roles.

To configure the Web Site cloud

1. Log into the machine where you deployed the management portal for administrators (for example, WAPPortal for an express installation or WAPAdmin for a distributed installation). Launch the management portal (https://localhost:30091) if it is not already open.

2. Click Web Site Clouds, and then click Register your existing Web Site Cloud REST Endpoint.

3. Enter the following information for the resource provider:

   Display name	Enter a name to display in the management portal.
   Web Site Cloud Endpoint	Enter the URL for the REST endpoint, https://< SitesRESTAPI>
   User name	Enter the user name that you specified when creating the Service Endpoint Credentials during Web Sites cloud controller installation.
   Password	Enter the password that you specified when creating the Service Endpoint Credentials.

4. Click the checkmark in the bottom right of the Register Service Provider page to continue.

   When you receive a message indicating that registration was successful close the message.

5. Double-click the cloud you created to open the Web Site cloud dashboard.

6. Click Setup Frontend to setup the Frontend role for the web site cloud.

7. Enter the hostname or IP for the Frontend (for example, SitesFE). Click the checkmark to continue.

   To create additional frontends, repeat this step.

8. While the Frontend role is installing, click Add Role at the bottom of the Web Site Cloud Quickstart page. Click Add New Web Worker.

9. The Setup a new Web Worker dialog is displayed. Enter the name of the machine that you created for your shared Web Worker role (for example, SitesWWS), select the Shared option, and then click the checkmark to continue.

   To create additional shared (multitenant) or reserved (single tenant) workers, repeat this process.

   Important

   Ensure that at least one machine is configured to run the shared Web Worker role. Creation of a Web Site cloud without at least one machine configured to run the shared Web Worker role is not a supported configuration.

10. Repeat step 6 and 7 or step 8 to add the Publisher role. Enter the machine name for the Publisher role (for example, SitesPublisher) and click the checkmark to continue. Repeat this step to add additional publishers.

Post-provisioning configuration

The following sections provide additional information about post-provisioning configuration steps.

Configure SSL Certificate Store

Configure the SSL Certificate Polling Interval by running the following PowerShell cmdlets on the controller:

Add-pssnapin WebHostingSnapin
Set-HostingConfiguration -CentralCertPollingInterval 300 -CentralCertificateSChannelCleanupInterval 300

Configure IP filtering

The Web Sites service supports IP blacklisting to prevent worker processes from connecting to machines inside of the Web Site cloud. To configure IP filtering, run the following PowerShell cmdlets on the controller:

Add-pssnapin WebHostingSnapin
Set-Hostingconfiguration -WorkerRegKeyRejectPrivateAddresses 1
Set-Hostingconfiguration –WorkerRegKeyPrivateAddressRange <start-of-ip-blacklist-range>, <end-of-ip-blacklist-range>

For the last cmdlet, substitute valid IP addresses for the start and end of the ip blacklist range as depicted by <start-of-ip-blacklist-range> and <end-of-ip-blacklist-range>.

Restart the Dynamic WAS Service (DWASSVC) on machines configured to run the web worker role. Run the following commands from an elevated command prompt:

net stop dwassvc
net start dwassvc

Provision additional REST API servers (optional)

In addition to scaling out Workers, Front Ends, and Publishers, the Service Management REST API can also be scaled to provide additional throughput and availability. To create another REST API server, prepare the server on the new machine as described in Windows Azure Pack installation requirements, and then run the following PowerShell cmdlets on the controller:

Add -pssnapin WebHostingSnapin
New -ManagementServer –ManagementServerName <NewManagementServer>

Where <NewManagementServer> is the name of the new REST API server.

Additional machine configuration and hardening

As a best practice, employ security practices to harden your deployments. This includes, but is not limited to:

1. Firewall configuration to minimize network surface area on any Internet facing machines. Consider referencing the following resources if you are using Windows Firewall with Advanced Security. The first two were written with Windows Server 2008 R2 in mind but for the most part also apply to Windows Server 2012. The last article focuses on Windows Server 2012:

   • Windows Server 2008 R2 Step-by-Step Guide: Deploying Windows Firewall and IPsec Policies

   • Windows Server 2008 R2 Firewall Security

   • Troubleshooting Windows Firewall with Advanced Security in Windows Server 2012

2. Modification of System ACLs to secure the file system and registry. Consider downloading and using the following utilities to help evaluate a machine’s file system and Registry security settings:

   • AccessChk

   • AccessEnum

3. Adherence to the principle of least privilege when creating user accounts. For more information about the principle of least privilege please refer to Applying the Principle of Least Privilege to User Accounts on Windows.

Configure source control for the Web Site service

The Web Site service supports using the following applications as source depots for web sites:

• Bitbucket

• GitHub

• CodePlex

• Dropbox

Before you can use one of these applications, you need to configure the Web Site service with access information.

To configure source control

1. In the management portal for administrators, click Web Site Clouds to open the Web Site Clouds dashboard.

2. Click Source Control.

3. Enter the information for the source control application you are using.

   For information on how to configure your source control application, see Appendix: Getting source control information for Web Site clouds.

Configure IP SSL

If you want to enable using IP SSL for web sites, there are a number of configuration steps on the front ends, the cloud controller, and, optionally, on a hardware load balancer.

To configure IP SSL

1. Bind the IP addresses that you want to use:

   1. On each front end server, open the network management interface.

   2. Click Internet Protocol Version 6 (TCP/IPv6), and then click Properties.

   3. Click Advanced to open the Advanced properties.

   4. Click Add to add the IP addresses.

   5. Repeat these steps for Internet Protocol Version 4 (TCP/IPv4).

   Tip

   Each customer or web site that uses IP SSL needs to have an IP address on each front end server. Because this can become labor intensive you may want to use a script to automate the binding of IP addresses.

2. Next, configure the Web Site cloud to use the IP addresses for IP SSL traffic.

   1. In the management portal for administrators, click Web Site Clouds, and then double-click the cloud that you want to configure.

   2. Click Roles, and then double-click the front end server.

   3. Click IP SSL.

   4. Click Add to add the IP address range.

   5. Enter the start address and end address, and the click the checkmark.

      Note

      The IP address range must be unique for each front end server.

   6. Repeat these steps for both IPv4 and IPv6 addresses.

   Repeat these steps for each front end server in the web farm.

3. If you are using an upstream hardware load balancer to balance traffic to the front end servers, the final step is to edit the register and deregister callback scripts so the Web Site cloud can communicate with the load balancer to create the load balancer pools for a given IP address.

   The callback scripts are located on the Web Site cloud controller in the web farm, in C:\Program Files\IIS\Microsoft Web Hosting Framework\Scripts\Provision\Win.

   1. Edit the DNS-RegisterSSLBindings script. This script is used any time a user creates or edits a web site that uses IP SSL.

      1. Use the $bindings to create a load balancer pool. You can use the $hostname as a key for tracking it.

      2. Return the Virtual IP address assigned to the load balancer pool (using $retval).

   2. Edit the DNS-DeRegisterSSLBindings script. This script is used any time a user removes IP SSL from their web sites or deletes or de-provisions the web site.

      Pass back an empty value (using $retval).

Configure shared certificates

The Web Site service uses certificates to encrypt data between the front end servers, the publishers, and the cloud controller.

To configure shared certificates

1. In the management portal for administrators, click Web Site Clouds, and then double-click the cloud that you want to configure.

2. Click Configure to open the Web Site cloud configuration page.

3. The first step is to configure the default certificate to use for wildcard or default domain requests to the web site farm. This certificate is also used for source control operations.

   In the Websites default certificate field, click the folder icon to identify the certificate that you want to use for web sites. Enter the password for the certificate, and then click the checkmark. The certificate is propagated to all front end servers in the web farm.

   This certificate needs to be in .pfx format and to have two subjects:

   • *.<domain_name>.com

   • *.scm.<domain_name>.com

4. Next, provide the certificate for the publisher. This certificate is used to secure web deploy and FTPS traffic.

   This certificate needs to contain a subject that matches the Web Deploy DNS entry and one that matches the FTPS Deploy DNS entry.

   If you used wildcards in the default certificate, you can use the same certificate for the publisher. However, you can also provide a different certificate, if that is needed to further secure communication.

   In the Publisher certificate field, click the folder icon to identify the certificate that you want to use for web sites. Enter the password for the certificate, and then click the checkmark. The certificate is propagated to the publishers.