|
| 1 | +--- |
| 2 | +title: Prepare for extension host for Azure Stack | Microsoft Docs |
| 3 | +description: Learn to prepare for extension host which is automatically enabled via a future Azure Stack Update package. |
| 4 | +services: azure-stack |
| 5 | +keywords: |
| 6 | +author: mattbriggs |
| 7 | +ms.author: mabrigg |
| 8 | +ms.date: 08/29/2018 |
| 9 | +ms.topic: article |
| 10 | +ms.service: azure-stack |
| 11 | +ms.reviewer: thoroet |
| 12 | +manager: femila |
| 13 | +--- |
| 14 | + |
| 15 | +# Prepare for extension host for Azure Stack |
| 16 | + |
| 17 | +You can use the extension host to help secure Azure Stack by reducing the number of required TCP/IP ports. This article looks at preparing Azure Stack for the extension host, which is automatically enabled through an Azure Stack Update package after the 1808 update. |
| 18 | + |
| 19 | +## Certificate requirements |
| 20 | + |
| 21 | +The extension host implements two new domains namespaces to guarantee unique host entries for each portal extension. The new domain namespaces require two additional wild-card certificates to ensure secure communication. |
| 22 | + |
| 23 | +The table shows the new namespaces and the associated certificates: |
| 24 | + |
| 25 | +| Deployment Folder | Required certificate subject and subject alternative names (SAN) | Scope (per region) | SubDomain namespace | |
| 26 | +|-----------------------|------------------------------------------------------------------|-----------------------|------------------------------| |
| 27 | +| Admin extension host | *.adminhosting.\<region>.\<fqdn> (Wildcard SSL Certificates) | Admin extension host | adminhosting.\<region>.\<fqdn> | |
| 28 | +| Public extension host | *.hosting.\<region>.\<fqdn> (Wildcard SSL Certificates) | Public extension host | hosting.\<region>.\<fqdn> | |
| 29 | + |
| 30 | +The detailed certificate requirements can be found in the [Azure Stack public key infrastructure certificate requirements](azure-stack-pki-certs.md) article. |
| 31 | + |
| 32 | +## Create certificate signing request |
| 33 | + |
| 34 | +The Azure Stack Readiness Checker Tool provides the ability to create a certificate signing request for the two new, required SSL certificates. Follow the steps in the article [Azure Stack certificates signing request generation](azure-stack-get-pki-certs.md). |
| 35 | + |
| 36 | +> [!Note] |
| 37 | +> You may skip this step depending on your request your SSL certificates. |
| 38 | +
|
| 39 | +## Validate new certificates |
| 40 | + |
| 41 | +1. Open PowerShell with elevated permission on the hardware lifecycle host or the Azure Stack management workstation. |
| 42 | +2. Run the following cmdlet to install the Azure Stack Readiness Checker tool. |
| 43 | + ```PowerShell |
| 44 | + Install-Module -Name Microsoft.AzureStack.ReadinessChecker |
| 45 | + ``` |
| 46 | +3. Run the following script to create the required folder structure: |
| 47 | +
|
| 48 | + ```PowerShell |
| 49 | + New-Item C:\Certificates -ItemType Directory |
| 50 | +
|
| 51 | + $directories = 'ACSBlob','ACSQueue','ACSTable','Admin Portal','ARM Admin','ARM Public','KeyVault','KeyVaultInternal','Public Portal', 'Admin extension host', 'Public extension host' |
| 52 | +
|
| 53 | + $destination = 'c:\certificates' |
| 54 | +
|
| 55 | + $directories | % { New-Item -Path (Join-Path $destination $PSITEM) -ItemType Directory -Force} |
| 56 | + ``` |
| 57 | +
|
| 58 | + > [!Note] |
| 59 | + > If you deploy with Azure Active Directory Federated Services (AD FS) the following directories must be added to **$directories** in the script: `ADFS`, `Graph`. |
| 60 | +
|
| 61 | +4. Run the following cmdlets to start the certificate check: |
| 62 | +
|
| 63 | + ```PowerShell |
| 64 | + $pfxPassword = Read-Host -Prompt "Enter PFX Password" -AsSecureString |
| 65 | +
|
| 66 | + Start-AzsReadinessChecker -CertificatePath c:\certificates -pfxPassword $pfxPassword -RegionName east -FQDN azurestack.contoso.com -IdentitySystem AAD -ExtensionHostFeature $true |
| 67 | + ``` |
| 68 | +
|
| 69 | +5. Place your certificate(s) in the appropriate directories. |
| 70 | +
|
| 71 | +6. Check the output and all certificates pass all tests. |
| 72 | +
|
| 73 | +
|
| 74 | +## Import extension host certificates |
| 75 | +
|
| 76 | +Use a computer that can connect to the Azure Stack privileged endpoint for the next steps. Make sure you have access to the new certificate files from that computer. |
| 77 | +
|
| 78 | +1. Use a computer that can connect to the Azure Stack privileged endpoint for the next steps. Make sure you access to the new certificate files from that computer. |
| 79 | +2. Open PowerShell ISE to execute the next script blocks |
| 80 | +3. Import the certificate for hosting endpoint. Adjust the script to match your environment. |
| 81 | +
|
| 82 | + ```PowerShell |
| 83 | + $CertPassword = ConvertTo-SecureString "***" -AsPlainText -Force |
| 84 | +
|
| 85 | + $CloudAdminCred = Get-Credential -UserName <Privileged endpoint credentials> -Message "Enter the cloud domain credentials to access the privileged endpoint." |
| 86 | +
|
| 87 | + [Byte[]] $AdminHostingCertContent = [Byte[]](Get-Content c:\certificate\myadminhostingcertificate.pfx -Encoding Byte) |
| 88 | +
|
| 89 | + Invoke-Command -ComputeName <PrivilegedEndpoint computer name> ` |
| 90 | + -Credential $CloudAdminCred ` |
| 91 | + -ConfigurationName "PrivilegedEndpoint" ` |
| 92 | + -ArgumentList @($AdminHostingCertContent, $CertPassword) ` |
| 93 | + -ScriptBlock { |
| 94 | + param($AdminHostingCertContent, $CertPassword) |
| 95 | + Import-AdminHostingServiceCert $AdminHostingCertContent $certPassword |
| 96 | + } |
| 97 | + ``` |
| 98 | +
|
| 99 | +5. Import the certificate for the Admin hosting endpoint. |
| 100 | +
|
| 101 | + ```PowerShell |
| 102 | + [Byte[]] $HostingCertContent = [Byte[]](Get-Content c:\certificate\myadminhostingcertificate.pfx -Encoding Byte) |
| 103 | +
|
| 104 | + Invoke-Command -ComputeName <PrivilegedEndpoint computer name> ` |
| 105 | + -Credential $CloudAdminCred ` |
| 106 | + -ConfigurationName "PrivilegedEndpoint" ` |
| 107 | + -ArgumentList @($HostingCertContent, $CertPassword) ` |
| 108 | + -ScriptBlock { |
| 109 | + param($HostingCertContent, $CertPassword) |
| 110 | + Import-UserHostingServiceCert $HostingCertContent $certPassword |
| 111 | + } |
| 112 | + ``` |
| 113 | +
|
| 114 | +### Update DNS configuration |
| 115 | +
|
| 116 | +> [!Note] |
| 117 | +> This step is not required if you used DNS Zone delegation for DNS Integration. |
| 118 | +If individual host A records have been configured to publish Azure Stack endpoints, you need to create two additional host A records: |
| 119 | +
|
| 120 | +| IP | Hostname | Type | |
| 121 | +|----|------------------------------|------| |
| 122 | +| \<IP> | Adminhosting.<Region>.<FQDN> | A | |
| 123 | +| \<IP> | Hosting.<Region>.<FQDN> | A | |
| 124 | +
|
| 125 | +Allocated IPs can be retrieved using privileged endpoint by running the cmdlet **Get-AzureStackStampInformation**. |
| 126 | +
|
| 127 | +### Ports and protocols |
| 128 | +
|
| 129 | +The article, [Azure Stack datacenter integration - Publish endpoints](azure-stack-integrate-endpoints.md), covers the ports and protocols that require inbound communication to publish Azure Stack before the extension host rollout. |
| 130 | +
|
| 131 | +### Publish new endpoints |
| 132 | +
|
| 133 | +There are two new endpoints required to be published through your firewall. The allocated IPs from the public VIP pool can be retrieved using the cmdlet **Get-AzureStackStampInformation**. |
| 134 | +
|
| 135 | +> [!Note] |
| 136 | +> Make this change before enabling the extension host. This allows the Azure Stack portals to be continuously accessible. |
| 137 | +
|
| 138 | +| Endpoint (VIP) | Protocol | Ports | |
| 139 | +|----------------|----------|-------| |
| 140 | +| AdminHosting | HTTPS | 443 | |
| 141 | +| Hosting | HTTPS | 443 | |
| 142 | +
|
| 143 | +### Update existing publishing Rules (Post enablement of extension host) |
| 144 | +
|
| 145 | +> [!Note] |
| 146 | +> The 1808 Azure Stack Update Package does **not** enable extension host yet. It allows to prepare for extension host by importing the required certificates. Do not close any ports before extension host is automatically enabled through an Azure Stack Update package after the 1808 update. |
| 147 | +
|
| 148 | +The following existing endpoint ports must be closed in your existing firewall rules. |
| 149 | +
|
| 150 | +> [!Note] |
| 151 | +> It is recommended to close those ports after successful validation. |
| 152 | +
|
| 153 | +| Endpoint (VIP) | Protocol | Ports | |
| 154 | +|----------------------------------------|----------|-------------------------------------------------------------------------------------------------------------------------------------| |
| 155 | +| Portal (administrator) | HTTPS | 12495<br>12499<br>12646<br>12647<br>12648<br>12649<br>12650<br>13001<br>13003<br>13010<br>13011<br>13020<br>13021<br>13026<br>30015 | |
| 156 | +| Portal (user) | HTTPS | 12495<br>12649<br>13001<br>13010<br>13011<br>13020<br>13021<br>30015<br>13003 | |
| 157 | +| Azure Resource Manager (administrator) | HTTPS | 30024 | |
| 158 | +| Azure Resource Manager (user) | HTTPS | 30024 | |
| 159 | +
|
| 160 | +## Next steps |
| 161 | +
|
| 162 | +- Learn about [Firewall integration](azure-stack-firewall.md). |
| 163 | +- Learn about [Azure Stack certificates signing request generation](azure-stack-get-pki-certs.md) |
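Review bot: Both `Invoke-Command` calls in the import section (diff lines 89 and 104) use `-ComputeName`, which is not a valid parameter; it must be `-ComputerName` or the cmdlet fails before reaching the privileged endpoint. In the same section the two import steps are mislabelled and reuse one file: step 3 says "Import the certificate for hosting endpoint" but calls `Import-AdminHostingServiceCert`, step 5 says "Admin hosting endpoint" but calls `Import-UserHostingServiceCert`, and line 102 reads `c:\certificate\myadminhostingcertificate.pfx` for the user hosting certificate, the same file as the admin certificate on line 87; swap the two headings and point step 5 at the public hosting PFX. The numbering also jumps from 3 to 5, line 78 repeats the paragraph on line 76 (and drops "have" in "Make sure you access"), and the path `c:\certificate\` does not match the `C:\Certificates` folder the validation step creates. On line 83, `ConvertTo-SecureString "***" -AsPlainText -Force` puts the PFX password in clear text in the script; prefer `Read-Host -Prompt "Enter PFX Password" -AsSecureString` as already used on line 64 so the password is never written to disk or a transcript. Smaller wording fixes: line 21 "two new domains namespaces" should be "two new domain namespaces"; line 37 "You may skip this step depending on your request your SSL certificates" is garbled and should state when the step can be skipped; line 71 should read "Check the output and confirm that all certificates pass all tests"; line 133 "required to be published" reads better as "that must be published"; line 146 "It allows to prepare for extension host" should be "It allows you to prepare for the extension host".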