Cloud Builder Certificate Requirements

03-16-2021 12:36 PM
timbkennedy
New Contributor III

I am trying to figure out what the certificate requirements are when deploying to Microsoft Azure.

I understand that I need a private .pfx version of the certificate. I also understand that the CNAME attribute for the alias used, e.g. myarcgisenterprise.mycompany.com, needs to point at the domain name of the Public IP address, e.g. myarcgisenterprise.eastus.cloudapp.azure.com.

However, what's unclear to me is whether the public IP domain name (i.e. myarcgisenterprise.eastus.cloudapp.azure.com) also needs to be added as a subject alternative name on the certificate. If not, how do you get that domain trusted so that when you browse to it you don't get an 'untrustworthy' note? Do any of the internal server names need to be included?

15 Replies
ChristopherPawlyszyn
Esri Contributor

I don't think that same methodology has applied since the V2 sites were introduced at version 10.8. Since choosing the self-signed certificate option will build the federation using the <prefix>.<region>.cloudapp.azure.com URL, you'd have to manually break the federation to use a new URL.

As an alternative, you should create your own self-signed certificate (for your intended subdomain) and use that during the deployment process with the correct DNS alias defined, then update the certificate within the Microsoft Azure console for the Azure Application Gateway when it is available.

Renew an Azure Application Gateway certificate | Microsoft Docs
https://docs.microsoft.com/en-us/azure/application-gateway/renew-certificates


-- Chris Pawlyszyn
DiegoLlamasOlivares
Occasional Contributor

Hello @ChristopherPawlyszyn ,

I have my wildcard *gmtgis.net and my steps are: I select a public URL. The Esri support team recommended that I use my subdomain as it is (gis.gmtgis.net), but in this step it does not accept any dots before eastus.appcloud.com.

(screenshot: viv.PNG)

I use my wildcard certificate..

(screenshot: viv2.PNG)

I did this, and the VMs were created and Portal and Server were running in the VMs, but the URLs gisgmtgis.eastus.cloudapp.azure.com or gis.gmtgis.net were not working.

Can I create my self-signed certificate from any IIS web server I have? Or where do you recommend creating it?

Thanks,


DLL

ChristopherPawlyszyn
Esri Contributor

Did you have your CNAME record set prior to starting the deployment, so that gis.gmtgis.net pointed to mapsasgmtgis.eastus.cloudapp.azure.com?

The deployed application gateway is configured with a single hostname, so wouldn't accept traffic from requests using the cloudapp.azure.com alias and would require clients to access the site using the correct DNS entry (gis.gmtgis.net).


-- Chris Pawlyszyn
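Putting the two replies above together (create your own certificate for the intended alias, and expect clients to reach the site only through that alias), here is a worked example added to this thread; it is not code from the thread, from Esri, or from Cloud Builder. It builds a self-signed certificate for the intended DNS alias with a subjectAltName entry (browsers ignore the CN once SANs are present), exports it as the .pfx Cloud Builder asks for, and then uses `openssl x509 -checkhost` to show which hostnames the certificate actually covers. The hostnames, the working directory and the password are constructed placeholders, and the script assumes an OpenSSL 1.1.1 or newer CLI.

```shell
#!/bin/sh
# Added example (not code from the thread, Esri, or Cloud Builder).
# Builds a self-signed certificate for the DNS alias you intend to use,
# exports it as a password-protected .pfx, and checks which hostnames the
# certificate is valid for. Requires the openssl CLI (1.1.1+ for -addext).
# All hostnames, paths and the password below are constructed placeholders.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
PFX_PASSWORD="${PFX_PASSWORD:-changeit}"   # demo-only password (assumption)

# make_cert NAME CN SANS
#   NAME  file name stem inside WORKDIR (no '*' here; wildcards go in CN/SANS)
#   CN    subject common name, e.g. '*.example.com'
#   SANS  subjectAltName list, e.g. 'DNS:*.example.com,DNS:example.com'
# Writes NAME.key, NAME.crt and NAME.pfx; prints the .pfx path.
make_cert() {
    name="$1"; cn="$2"; sans="$3"
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$WORKDIR/$name.key" -out "$WORKDIR/$name.crt" \
        -subj "/CN=$cn" -addext "subjectAltName=$sans" >/dev/null 2>&1
    # A .pfx (PKCS#12) bundles the private key with the certificate, which is
    # the form the deployment tooling expects to be handed.
    openssl pkcs12 -export -inkey "$WORKDIR/$name.key" -in "$WORKDIR/$name.crt" \
        -out "$WORKDIR/$name.pfx" -passout "pass:$PFX_PASSWORD"
    printf '%s\n' "$WORKDIR/$name.pfx"
}

# cert_covers CRT HOSTNAME
# Succeeds when HOSTNAME is covered by the certificate under the rules browsers
# apply: the name must match a subjectAltName entry, and a wildcard label
# covers exactly one label (*.example.com covers gis.example.com but not
# deep.gis.example.com and not example.com itself).
cert_covers() {
    openssl x509 -in "$1" -noout -checkhost "$2" | grep -q ' does match '
}

# pfx_sans PFX
# Reads the certificate back out of the .pfx and prints its SAN list, a quick
# way to confirm the bundle you are about to upload carries the names you expect.
pfx_sans() {
    openssl pkcs12 -in "$1" -clcerts -nokeys -passin "pass:$PFX_PASSWORD" 2>/dev/null |
        openssl x509 -noout -ext subjectAltName | sed -n '2p' | sed 's/^ *//'
}

# Demo: a wildcard certificate for the alias domain, checked against the alias,
# the apex, a second-level name and the cloudapp.azure.com address.
if [ "${1:-}" = "demo" ]; then
    pfx=$(make_cert wildcard '*.example.com' 'DNS:*.example.com,DNS:example.com')
    echo "wrote $pfx with SANs: $(pfx_sans "$pfx")"
    for h in gis.example.com example.com deep.gis.example.com \
             gisexample.eastus.cloudapp.azure.com; do
        if cert_covers "$WORKDIR/wildcard.crt" "$h"; then
            echo "  $h: covered by the certificate"
        else
            echo "  $h: NOT covered (browser would warn)"
        fi
    done
fi
```

Run it as `sh cert-check.sh demo`. The wildcard certificate covers gis.example.com but neither the cloudapp.azure.com address nor a second-level name, which is exactly why browsing to the cloudapp name with a certificate issued for your own alias produces the 'untrustworthy' warning the original question asks about. You could add the cloudapp name as a further SAN, but since the deployed application gateway answers only for the single hostname it was given, the clean fix is the one described above: have the CNAME in place before deployment and reach the site only through that alias.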
DiegoLlamasOlivares
Occasional Contributor

Thank you @ChristopherPawlyszyn, I will try that.

I have seen that the new version 10.8.1 or 10.9 activates an extra VM (jumpbox) to connect via remote desktop and then connect to the other VMs (portal, server, datastore, fileshare machines). After I am done with deployment, installation and configuration, I can turn off that machine, right, because that machine does not have anything from Enterprise installed on it?

Thanks,

DLL

DiegoLlamasOlivares
Occasional Contributor

Hello @ChristopherPawlyszyn, the CNAME record created prior to deployment worked. Thank you very much. I would like to know if the extra jumpbox VM can be stopped and Enterprise would still work fine.

Thanks,

DLL

ChristopherPawlyszyn
Esri Contributor

@DiegoLlamasOlivares the ArcGIS Enterprise functionality shouldn't have any dependency on the jumpbox being available so turning it off is fine. There is a separate checkbox you can select during deployment if you would prefer to not provision that separate VM.

(screenshot: ChristopherPawlyszyn_0-1637614670453.png)


-- Chris Pawlyszyn