Installation Guide
This document accompanies the Web Sites, Virtual Machines, Service Management Portal and Service Management API components, and provides step-by-step installation instructions for the Service Management Portal and API and for the Web Sites components.
Environment Topology
Service Management Portal Sites and API
The Service Management Portal and API consist of the following components:
Service Management Admin Site - where administrators can create Web Sites clouds and Virtual Machine clouds, author plans and manage user subscriptions.
Service Management Tenant Site - where users can sign up and create web sites, virtual machines and databases.
Service Management API - the API layer exposes the functionality to manage services such as web sites, virtual machines and application databases to the Admin and Tenant Sites via a unified interface. The Service Management API consists of three distinct interfaces:
Service Management Admin API – exposes functionality for completing administrative tasks from the Service Management Admin Site or through the use of PowerShell cmdlets.
Note
It is recommended that the Admin API be installed on a machine or machines that are behind a firewall or otherwise inaccessible from the Internet because the Service Management Admin API is intended to perform infrastructure wide administrative tasks.
Service Management Tenant API – enables end users, or tenants, to manage and configure the cloud services included with the Plan or Plans that they subscribe to.
Note
It is recommended that the Tenant API be installed on a machine or machines that are behind a firewall or otherwise inaccessible from the Internet, because it can perform critical operations such as creating and deleting subscriptions and manipulating resources across subscriptions. Only the Tenant Public API (below) is designed to be exposed to end users directly.
Service Management Tenant Public API – enables end users to manage and configure cloud services included with the Plan or Plans they subscribe to. The Tenant Public API is designed to serve all of the needs of end users subscribing to the various services provided by a Hosting Service Provider.
Note
It is recommended that the Tenant Public API be installed on a machine or machines accessible to end users from the Internet.
Note
Service Management Sites and API can be installed on a single machine with the Service Management Portal and Service Management API Express option in Web Platform Installer. A distributed installation is also possible by installing various components on different machines which can provide increased scale and throughput.
Web Sites Roles
Web Sites Controller - enhanced version of Web Farm Framework (WFF) that provisions and manages Web Sites Roles.
Web Sites REST API - Web Sites Management API exposed via REST endpoint.
Web Workers - Web Sites-specific version of IIS web server which processes client web requests. Web workers may be ‘Shared’ or ‘Reserved’.
Front End - Web Sites-specific version of Application Request Routing (ARR) which accepts web requests from clients, routes requests to Web Workers and returns web worker responses to clients.
Publisher - Web Sites-specific version of WebDeploy and FTP which provides transparent content publishing for WebMatrix, Visual Studio and FTP clients.
File Server - Provides files services for hosting web site content.
Important
Before adding a Web Sites role to a machine, ensure that the machine's firewall allows inbound access for the following rules (the Controller uses these interfaces to provision and manage the role, so it is sufficient to allow them from the Controller's network rather than from any address):
- Windows Management Instrumentation (WMI-In)
- Windows Management Instrumentation (DCOM-In)
- File and printer sharing (SMB-In)
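The firewall rules above already exist on Windows Server 2012 as built-in, disabled rules. The following PowerShell script is an added example (not part of the original guide) that enables exactly those three rule sets on a role machine, scopes them to the subnet the Controller sits on instead of leaving them open to any remote address, and then reads the result back for verification. The subnet 10.0.1.0/24 is a placeholder assumption; substitute the network your Web Sites roles actually use.

```powershell
# Added example (not from the original guide): enable only the inbound rules a
# Web Sites role needs, restricted to the Controller's subnet, then verify.
# Assumptions: run elevated on the role machine; Windows Server 2012; the
# Controller and the other roles live on $ManagementSubnet (placeholder value).
$ManagementSubnet = '10.0.1.0/24'
$RuleNames = @(
    'Windows Management Instrumentation (WMI-In)',
    'Windows Management Instrumentation (DCOM-In)',
    'File and Printer Sharing (SMB-In)'
)

foreach ($name in $RuleNames) {
    # Each display name matches one rule per profile (Domain/Private/Public).
    $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction Stop
    # The built-in rules default to RemoteAddress = Any; narrow them first.
    $rules | Set-NetFirewallRule -RemoteAddress $ManagementSubnet
    $rules | Enable-NetFirewallRule
}

# Verification: every matching rule must be enabled, inbound, Allow, and scoped.
Get-NetFirewallRule -DisplayName $RuleNames | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    [pscustomobject]@{
        Rule          = $_.DisplayName
        Profile       = $_.Profile
        Enabled       = $_.Enabled
        Direction     = $_.Direction
        Action        = $_.Action
        RemoteAddress = ($addr -join ',')
    }
} | Format-Table -AutoSize
```

If the role machine is also reachable from networks other than the Controller's, leaving these rules scoped to the management subnet is the difference between exposing WMI/DCOM/SMB to those networks and not; the installer only needs the Controller to reach them.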
Databases
SQL Server - database creation functionality stand-alone as well as for web sites that require a SQL database.
MySQL Server - database creation functionality stand-alone as well as for web sites that require a MySQL database.
Virtual Machines
Virtual Machine Manager (VMM) - provides the capability to create virtual machines, virtual networks, templates and disks.
Service Provider Foundation (SPF) - exposes the Virtual Machine Manager capability via REST API.
Note
This install guide does not cover deployment of Virtual Machine Manager and SPF. Please refer to the System Center 2012 SP1 install guides for deploying the Virtual Machine capability.
Virtual Machines/System Requirements
The Service Management Portal and API and the Web Sites components are intended to run on a minimum of 7 machines (these machines may be virtual). In addition to these machines, it is expected that there will be one or more servers in the datacenter running Microsoft SQL Server and MySQL Server.
The SQL Server, MySQL Server, and File Server can coexist with each other and with the Hyper-V host machine, but should not be installed in the same VMs as other Web Sites roles. Use separate SQL Server computers, or separate SQL instances on the same SQL Server computer, to isolate the Web Sites configuration databases from user/web site databases.
Naming Convention
We recommend using descriptive computer names for each machine such as:
SvcMgmtPortal - for Express installation
SvcMgmtAdmin, SvcMgmtTenant, SvcMgtAdminAPI, SvcMgtTenantAPI, SvcMgtTenPubAPI - for distributed installation
SitesController – Web Sites Cloud Controller
SitesRESTAPI – Web Sites Cloud REST API layer
SitesFE – Web Sites Cloud Front End
SitesPublisher – Web Sites Cloud Publisher
SitesWWS – Web Sites Cloud Shared Web Worker
SitesWWR – Web Sites Cloud Reserved Web Worker
FileServer – Web Sites Cloud File Server
Memory
For Service Management Portal & API, plan to reserve at least
8GB RAM if all three components are installed using the Express install on the same machine.
4GB RAM for each of the three machines if using the distributed install.
For the Web Sites roles machines, allocate at least 4GB RAM for each role.
Do not use dynamic memory.
Disk Space
Allocate at least the minimum amount of disk space as required by the Windows Server 2012 operating system for each machine.
For the File Server role, allocate enough disk space for user generated web site content.
Software Requirements
Windows Server 2012 operating system
Download the Web Platform Installer (WebPI)
Install the following items sequentially using WebPI:
IIS recommended configuration
.NET Framework 3.5 SP1
.NET Framework 4.5
Disable IE ESC for Administrators via Server Manager.
All available Windows and .NET updates.
Important
Follow this installation order to ensure proper registration of the .NET framework assemblies.
Network Environment
Configure intranet and internet access for machines running Web Sites roles as described below.
Inbound access from the Internet - The following roles should be accessible from the Internet:
Front End – to accept client requests for websites.
Publisher – to accept requests from publishing tools like WebMatrix and FTP clients.
Other Web sites roles do not require inbound internet access, as they do not directly service end user requests.
Outbound access to the Internet - It is important that all Web Sites VMs, including Web Workers, have outbound HTTP web access to download software dependencies when installing the roles. Web Sites requires that the servers have transparent outbound Internet access; proxy-only access is not sufficient.
Web Sites UAC
On each Web Sites role machine, UAC must be disabled as described below. Setting EnableLUA to 0 turns off Admin Approval Mode for every administrator on that machine, so treat these machines as fully trusted hosts: keep them off the Internet-facing network where the roles permit it, and limit interactive logon to the accounts that need it.
On each machine, run the following command from an elevated command prompt:
%windir%\System32\reg.exe ADD HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Reboot the machine. The change does not take effect until the reboot.
Note
If you are logged on as a user that has Administrator privileges on a remote Web Sites Cloud role machine, you can disable UAC on the remote machine by running the following command from an elevated command prompt (this uses the Remote Registry service on the target, which must be running):
%windir%\System32\cmd.exe /k %windir%\System32\reg.exe ADD \\<machine_name>\HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t REG_DWORD /d 0 /f
Substitute the name of the remote Web Sites Cloud role machine for <machine_name>, then reboot that machine.
Environment Requirements
Public DNS Mappings
By default, web sites are created under a default domain. Once a web site is created, users can add custom domain names to it. While tenant web sites can be configured to support custom domains, Web Sites does not create or update DNS records for those custom domains; the tenant must point the custom domain at the Front End themselves.
For a given domain such as MyCloud.com you would create the following DNS A records:

Host name     | IP for
------------- | --------------------------------
*             | Front End Server(s)
ftp           | Publishing Server(s)
publish       | Publishing Server(s)
www           | Service Management Tenant Portal
@ (or empty)  | Service Management Tenant Portal
This mapping scheme allows users to log in to both http://www.mycloud.com and http://mycloud.com to manage their sites. These two hostnames map to the portal web sites that users and administrators use to manage the software. The portals are described later in this guide.
In this configuration, user-created web sites are initially created under child domains such as site1.mycloud.com, site2.mycloud.com, and so on, all of which resolve through the wildcard record to the Front End.
Content publishing via Web Deploy and FTP uses publish.mycloud.com and ftp.mycloud.com respectively. Content publishing via git uses *.scm.mycloud.com.
Note
There is no requirement for a special domain for this deployment. You can use a subdomain like my.yourdomain.com under an existing domain.
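Because the wildcard record is what every tenant site depends on, it is worth checking the zone from outside before onboarding tenants. The following PowerShell function is an added example (not part of the original guide) that resolves each name from the table above and compares the answers with the addresses you expect. It probes the wildcard with a random label, which is how a real tenant site such as site1.mycloud.com is resolved. The domain and all IP addresses are placeholder assumptions; run it from a machine that uses the same public resolvers your tenants will use.

```powershell
# Added example (not from the original guide): pre-flight check of the public
# DNS records for a Web Sites deployment. All defaults below are placeholders.
function Test-WebSitesDns {
    param(
        [string]$Domain = 'mycloud.com',
        [string[]]$FrontEndIPs     = @('203.0.113.10'),  # Front End server(s)
        [string[]]$PublisherIPs    = @('203.0.113.20'),  # Publishing server(s)
        [string[]]$TenantPortalIPs = @('203.0.113.30')   # Service Management Tenant Portal
    )
    # A random label exercises the "*" record the way a tenant site name would.
    $probe = 'pflt' + [guid]::NewGuid().ToString('N').Substring(0, 8)
    $expected = @(
        @{ Name = "$probe.$Domain";   Want = $FrontEndIPs;     Why = 'wildcard * (tenant sites)' }
        @{ Name = "ftp.$Domain";      Want = $PublisherIPs;    Why = 'FTP publishing' }
        @{ Name = "publish.$Domain";  Want = $PublisherIPs;    Why = 'Web Deploy publishing' }
        @{ Name = "www.$Domain";      Want = $TenantPortalIPs; Why = 'Tenant Portal' }
        @{ Name = $Domain;            Want = $TenantPortalIPs; Why = 'Tenant Portal (zone apex)' }
    )
    foreach ($e in $expected) {
        try {
            $got = @([System.Net.Dns]::GetHostAddresses($e.Name) |
                     Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
                     ForEach-Object { $_.IPAddressToString })
        } catch {
            $got = @()   # NXDOMAIN or resolver failure: reported as a mismatch below
        }
        $missing = @($e.Want | Where-Object { $got -notcontains $_ })
        $extra   = @($got    | Where-Object { $e.Want -notcontains $_ })
        [pscustomobject]@{
            Name     = $e.Name
            Purpose  = $e.Why
            Resolved = ($got -join ',')
            Ok       = ($missing.Count -eq 0 -and $extra.Count -eq 0)
        }
    }
}

Test-WebSitesDns | Format-Table -AutoSize
```

An "extra" address (a name resolving to something you did not list) is reported as a failure on purpose: a stale record pointing publish.mycloud.com at a decommissioned host is exactly the kind of mistake this check exists to catch.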
File Share Preparation (Optional)
If using a standalone Windows File Server, file server preparation is not required and is automated during the installation process.
If, however, you are using a file server cluster or NAS device, you must create the following shares:
Content Share – contains tenant website content.
Certificate Share – contains tenant custom certificates.
In addition, you will need to create users with the following permissions:

User                 | Content Share Permissions | Certificate Share Permissions
-------------------- | ------------------------- | -----------------------------
FileShareOwner       | Read/Write                | Read/Write
FileShareUser        | Read/Write                |
CertificateShareUser |                           | Read/Write
Note
Web Sites does not depend on per-web-site file share permissions to isolate tenant content; the accounts above are the only share-level principals it requires. This enables Web Sites to work with heterogeneous file storage implementations such as NAS devices.
On Windows file servers or clusters, enable PowerShell remoting (used by the installer to configure the file server) and install the File Server Resource Manager role service on the File Server using the following commands from an elevated command prompt:
PowerShell.exe Enable-PSRemoting -Force
%windir%\system32\dism.exe /online /enable-feature /featurename:FSRM-Management /featurename:FSRM-Infrastructure
Role Account Preparation
Create the following accounts on the roles marked below to allow inter-role communication:

Username             | File Server | Publisher | Rest API | Front End
-------------------- | ----------- | --------- | -------- | ---------
FileShareUser        | X           | X         |          |
FileShareOwner       | X           | X         |          |
CertificateShareUser | X           |           |          | X
Note
When you create these user accounts, ensure that the following options are applied:
- User must change password at next logon is unchecked.
- User cannot change password is checked.
- Password never expires is checked.
- If using local (non-Active Directory) accounts, the password for each account must match across the various roles.
Because these passwords never expire, record where they are used and rotate them deliberately; a password change on one role machine must be applied to every other machine that holds the same local account.
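The following PowerShell script is an added example (not part of the original guide) that creates the three accounts as local users with exactly the option settings listed above and then reads the settings back, so the same script can be run on every role machine to keep them consistent. It uses the WinNT ADSI provider, which is available on Windows Server 2012 without extra modules; the account-flag constants are the documented ADS_USER_FLAG values. Assumptions: run elevated, and enter the same password on each machine. For domain accounts, the equivalent switches on New-ADUser are -ChangePasswordAtLogon $false, -CannotChangePassword $true and -PasswordNeverExpires $true.

```powershell
# Added example (not from the original guide): create the inter-role accounts
# as local users with the required flags, then verify.
# Assumptions: run elevated on each role machine; same password everywhere.
$Accounts = 'FileShareUser', 'FileShareOwner', 'CertificateShareUser'
$ADS_UF_PASSWD_CANT_CHANGE = 0x40      # "User cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # "Password never expires"

function New-WebSitesRoleAccount {
    param([string]$Name, [System.Security.SecureString]$Password)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $path = "WinNT://$env:COMPUTERNAME/$Name,user"
    if (-not [ADSI]::Exists($path)) {
        # SetPassword needs plaintext; keep it out of variables that outlive the call.
        $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Password)
        try {
            $new = $computer.Create('User', $Name)
            $new.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
            $new.Put('Description', 'Web Sites inter-role account')
            $new.SetInfo()
        } finally {
            [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
        }
    }
    $user  = [ADSI]$path
    $flags = [int]$user.UserFlags.Value
    $flags = $flags -bor $ADS_UF_PASSWD_CANT_CHANGE -bor $ADS_UF_DONT_EXPIRE_PASSWD
    $user.Put('UserFlags', $flags)
    $user.Put('PasswordExpired', 0)   # "must change password at next logon" unchecked
    $user.SetInfo()
}

function Get-WebSitesRoleAccountState {
    param([string]$Name)
    $user  = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $flags = [int]$user.UserFlags.Value
    [pscustomobject]@{
        Name                 = $Name
        MustChangeAtLogon    = ([int]$user.PasswordExpired.Value -eq 1)
        CannotChangePassword = (($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0)
        PasswordNeverExpires = (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
    }
}

$pw = Read-Host 'Password shared by the role accounts' -AsSecureString
foreach ($a in $Accounts) { New-WebSitesRoleAccount -Name $a -Password $pw }
$Accounts | ForEach-Object { Get-WebSitesRoleAccountState -Name $_ } | Format-Table -AutoSize
```

The verification table should show MustChangeAtLogon false and the other two columns true for all three accounts on every machine; a row that differs is a machine where the installer's share access will fail or the password will silently expire later.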
SQL and MySQL
If you don't have existing SQL Server or MySQL Server instances, you may install SQL Server Express or MySQL 5.1 on (one of) the Service Management Portal & API machines. To ensure adequate performance, it is recommended that SQL Server and MySQL are installed on separate machines.
Install SQL Server Express using WebPI
Launch the Web Platform Installer.
Click Products and select Database. Click the Add button next to SQL Server Express 2008 R2, SQL Server 2008 R2 Management Objects and SQL Server 2008 R2 Management Studio Express with SP1, then click Install.
Enter a password for the sa account, re-type the password and click Continue.
Accept the licensing agreements. The Web Platform Installer will install SQL Server Express.
Install MySQL Server
Launch the Web Platform Installer.
Click Products, select Database, click Add next to MySQL Windows 5.1 and then click Install.
Enter a password for the root account and click Continue.
MySQL for Windows 5.1 will finish installing.
SQL Server/SQL Server Express preparation
Ensure that the SQL Server(s) that will be used for storing the Web Sites configuration database, as well as any per-user/per-web site databases, are accessible remotely from the role machines:
Test IP connectivity and name resolution between all VMs.
Ensure that the SQL Server(s) have remote access enabled.
Ensure that the SQL Server(s) have mixed mode authentication enabled.
Enable the TCP protocol on the SQL Server computers.
For SQL Server, follow the steps described at https://technet.microsoft.com/en-us/library/ms191294.aspx.
For SQL Server Express, use SQL Server Configuration Manager to update the TCP port. Click Start, All Programs, Microsoft SQL Server 2008 R2, Configuration Tools, SQL Server Configuration Manager to open the SQL Server Configuration Manager. Then navigate to Protocols for SQLEXPRESS (Protocols for MSSQLSERVER on a default instance) and click on the TCP/IP protocol. Ensure that the TCP/IP protocol is enabled.
Navigate to the IP Addresses tab and scroll down to IPAll. Set TCP Port to 1433 and clear TCP Dynamic Ports so that the instance listens on a fixed port.
Restart the SQL Server (SQLEXPRESS) service.
Configure Windows Firewall for Database Engine access:
Add TCP port 1433 to the Inbound rules as described at https://technet.microsoft.com/en-us/library/ms175043.aspx. Scope the rule to the addresses of the Web Sites and Service Management machines rather than to any address.
Add SqlBrowser.exe (c:\Program Files (x86)\Microsoft SQL Server\90\Shared\sqlbrowser.exe) to the Inbound rules.
Enable the SQL Server Browser service if any of your SQL Server instances are running as a named instance rather than the default instance. That is, if your SQL connection strings specify an instance name in addition to the machine name (for example YourSqlServerMachine\SqlExpress), the SQL Server Browser service must be running, because clients ask it for the port of the named instance.
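The following PowerShell function is an added example (not part of the original guide) that checks, from one of the role machines, the three things the steps above are meant to produce: the port is reachable through the firewall, the instance accepts a SQL login (mixed mode), and the connection actually arrived over TCP on the expected port. It forces the TCP provider in the connection string so that a named instance is resolved through SQL Server Browser, which exercises that requirement too. It reports rather than throws, so a server in Windows-authentication-only mode shows up as MixedMode = False instead of a stack trace. The server name and login are placeholders; the login must already exist on the instance. It uses SqlCredential from .NET Framework 4.5, which this guide installs, so the password never enters the connection string.

```powershell
# Added example (not from the original guide): verify remote TCP access and
# mixed-mode authentication on a SQL Server used by Web Sites.
# Assumptions: run from a role machine; $Server/$Login are placeholders and the
# SQL login already exists; .NET Framework 4.5 (for SqlCredential) is installed.
function Test-WebSitesSqlServer {
    param(
        [Parameter(Mandatory = $true)][string]$Server,   # 'SQL01' or 'SQL01\SQLEXPRESS'
        [int]$Port = 1433,
        [Parameter(Mandatory = $true)][string]$Login,    # SQL login, e.g. 'sa'
        [Parameter(Mandatory = $true)][System.Security.SecureString]$Password
    )
    $result = [pscustomobject]@{
        Server = $Server; TcpReachable = $false; MixedMode = $null
        NetTransport = $null; LocalTcpPort = $null; Error = $null
    }

    # 1. Raw TCP check: is the listener reachable through the firewall at all?
    $hostName = $Server.Split('\')[0]
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($hostName, $Port)
        $result.TcpReachable = $tcp.Connected
    } catch {
        $result.Error = "TCP ${hostName}:${Port}: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }

    # 2. SQL login over TCP. A named instance without an explicit port is
    #    resolved through SQL Server Browser, so that path is tested as well.
    $dataSource = if ($Server -like '*\*') { "tcp:$Server" } else { "tcp:$Server,$Port" }
    $ro = $Password.Copy(); $ro.MakeReadOnly()    # SqlCredential requires read-only
    $cred = New-Object System.Data.SqlClient.SqlCredential($Login, $ro)
    $cs = "Data Source=$dataSource;Initial Catalog=master;Integrated Security=False;Connect Timeout=10"
    $conn = New-Object System.Data.SqlClient.SqlConnection($cs, $cred)
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        # IsIntegratedSecurityOnly = 1 means Windows-only; CONNECTIONPROPERTY needs
        # no special permission and reports how *this* session actually connected.
        $cmd.CommandText = "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int), " +
                           "CONNECTIONPROPERTY('net_transport'), CONNECTIONPROPERTY('local_tcp_port')"
        $r = $cmd.ExecuteReader()
        if ($r.Read()) {
            $result.MixedMode    = ($r.GetInt32(0) -eq 0)
            $result.NetTransport = $r.GetValue(1)
            $result.LocalTcpPort = $r.GetValue(2)
        }
        $r.Close()
    } catch {
        # .NET exceptions arrive wrapped; find the SqlException if there is one.
        $ex = $_.Exception
        while ($ex -and -not ($ex -is [System.Data.SqlClient.SqlException])) { $ex = $ex.InnerException }
        # 18452: SQL login refused because the instance is in Windows-only mode.
        if ($ex -and $ex.Number -eq 18452) { $result.MixedMode = $false }
        $result.Error = if ($ex) { $ex.Message } else { $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
    return $result
}

# Usage (placeholders): prompts for the password rather than taking it on the command line.
Test-WebSitesSqlServer -Server 'SQL01\SQLEXPRESS' -Login 'sa' -Password (Read-Host 'SQL password' -AsSecureString)
```

A healthy result is TcpReachable True, MixedMode True, NetTransport TCP and LocalTcpPort 1433. TcpReachable True with a login error points at authentication mode or the login itself; TcpReachable False with a named instance that still logs in means the Browser path works but the fixed port is not open, which is the case the "TCP dynamic port" step above is meant to eliminate.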
MySQL Server preparation
Ensure that the MySQL server(s) are accessible from the role machines.
Test IP connectivity and name resolution.
Open TCP 3306 Inbound on Windows Firewall for each computer running MySQL.
Enable remote access to MySQL:
Note
Replace Pass@word1$ with the root password you chose at installation; the commands below assume that the root password is Pass@word1$. The GRANT statement below allows root to connect from any host ('%') with all privileges, so the firewall rule above is the only thing limiting who can reach the account. On a server that is reachable from tenant networks or from the Internet, restrict the host part of the grant to the addresses of the machines that need it.
Enter the following commands from an elevated command prompt:
C:\Program Files\MySQL\MySQL Server 5.1\bin>mysql -u root -p
Enter password: **********
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' IDENTIFIED BY 'Pass@word1$' WITH GRANT OPTION;
FLUSH PRIVILEGES;
use mysql;
update user set grant_priv='Y' where user='root';
Verify that the update user statement reports "Query OK", then type the following command:
exit;
Restart the MySQL service using Server manager or by typing the following from an elevated command prompt:
net stop mysql
net start mysql
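The following PowerShell script is an added example (not part of the original guide) of the tighter variant of the grant above: it issues one GRANT per host that actually needs the account, instead of 'root'@'%', and then lists the resulting root entries so you can confirm no wildcard host remains. It passes the password to the mysql client through the MYSQL_PWD environment variable (which the client reads) rather than on the command line, where it would be visible in the process list. The host addresses are placeholder assumptions; the mysql.exe path is the one used in this guide.

```powershell
# Added example (not from the original guide): grant the MySQL account used by
# Web Sites remote access only from named hosts, then verify the grant table.
# Assumptions: MySQL 5.1 client at $MysqlExe; $AllowedHosts are the portal/API
# machines that register and use this MySQL server (placeholder addresses).
$MysqlExe     = 'C:\Program Files\MySQL\MySQL Server 5.1\bin\mysql.exe'
$AllowedHosts = @('10.0.1.10', '10.0.1.11')

$secure = Read-Host 'MySQL root password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
    # Escape the two characters that would break a MySQL single-quoted literal.
    $escaped = ($plain -replace '\\', '\\') -replace "'", "''"

    $statements = @(foreach ($h in $AllowedHosts) {
        "GRANT ALL PRIVILEGES ON *.* TO 'root'@'$h' IDENTIFIED BY '$escaped' WITH GRANT OPTION;"
    })
    $statements += 'FLUSH PRIVILEGES;'
    # Verification: every root entry with its host; a '%' row here means the
    # broad grant from the guide is still in place and should be dropped.
    $statements += "SELECT user, host, grant_priv FROM mysql.user WHERE user = 'root';"

    $env:MYSQL_PWD = $plain          # read by mysql.exe; never on the command line
    ($statements -join "`n") | & $MysqlExe -u root --batch
} finally {
    Remove-Item Env:\MYSQL_PWD -ErrorAction SilentlyContinue
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
}
```

If the broad grant was already applied following the steps above, remove it afterwards with DROP USER 'root'@'%'; the per-host entries created here keep the portal working while closing access from everywhere else.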