Azure Pack Powershell Quick Tips

Updating uri’s for HA WAP deployment via PowerShell

Another quick one, just to share…. 🙂

For a HA WAP deployment you will need to update each service of the pertinent url to ensure they are using the NLB endpoint rather than going direct to one of the servers.. This is one that catches a few people out when deploying a HA WAP environment.

Bit’s of the below are scribed from other sources (they escape me right now so apologies for the lack of a references) but found that they didn’t work. So I had to piece together bit’s and pieces of code from around the place and came up with the below.

Obviously there are many assumptions made around certs, DNS and the actual configuration but if you found your way here then you have probably got all of that stuff sorted already.

Enjoy!
Dan

Import-Module MgmtSvcAdmin
Import-Module MgmtSvcConfig
 
## Environment settings
# SQL Server AlwaysOn DNS Listener containing the Windows Azure Pack databases
$server="<WAPServer>"
# SQL Server sa account
$userid="sa"
# SQL Server sa password
$password="sapassword"
$PortalconnectionString="Data Source=$server;Initial Catalog=Microsoft.MgmtSvc.PortalConfigStore;User Id=$userid;Password=$password"
 
## Define the desired FQDNs and Ports
# Admin Site 
$AdminSiteLB = "wapadmin.domain.com"
$AdminSitePort = "443"
# Admin Authentication Site
$WinAuthSiteLB = "wapauth.domain.com"
$WinAuthSitePort = "443"
# Tenant Site
$TenantSiteLB = "wap.domain.com"
$TenantSitePort = "443"
# Tenant Auth Site
$TenantAuthSiteLB = "waplogon.domain.com"
$TenantAuthSitePort = "443"
# Admin API
$AdminApiLB ="adminapi.domain.com"
$AdminApiPort = "30004"
# Tenant API
$TenantApiLB = "tenantapi.domain.com"
$TenantApiPort = "30005"
# Tenant Public API
$TenantPublicApiLB = "wapapi.domain.com"
$TenantPublicApiPort = "443"
 
# Define the federation endpoints
$MgmtStoreConnectionString="Data Source=$server;Initial Catalog=Microsoft.MgmtSvc.Store;User Id=sa;Password=$password"
$PortalConnectionString="Data Source=$server;User Id=$userid;Password=$password"
$TenantMetadataEndpoint="https://${TenantAuthSiteLB}:$AuthSitePort/federationMetaData/2007-06/FederationMetadata.xml"
$AdminMetadataEndpoint="https://${WinAuthSiteLB}:$WinAuthSitePort/federationMetaData/2007-06/FederationMetadata.xml"
$AdminSiteMetadataEndpoint="https://${AdminSiteLB}:$AdminSitePort/federationMetaData/2007-06/FederationMetadata.xml"
$TenantSiteMetadataEndpoint="https://${TenantSiteLB}:$TenantSitePort/federationMetaData/2007-06/FederationMetadata.xml"
 
$adminApiUri = "https://${AdminApiLB}:$AdminApiPort"
$windowsAuthSite = "https://${WinAuthSiteLB}:$WinAuthSitePort"
 
# credentials for performing actions
$Credential = Get-Credential
$token = Get-MgmtSvcToken -Type Windows -AuthenticationSite $windowsAuthSite -ClientRealm "http://azureservices/AdminSite" -User $credential -DisableCertificateValidation

# Reconfigure Windows Azure Pack components to point to load balancers
Set-MgmtSvcFqdn -Namespace AdminSite -FQDN $AdminSiteLB -Server $server -Port $AdminSitePort
Set-MgmtSvcFqdn -Namespace AuthSite -FQDN $TenantAuthSiteLB -ConnectionString $PortalconnectionString -Port $TenantAuthSitePort
Set-MgmtSvcFqdn -Namespace AdminAPI -FQDN $AdminApiLB -ConnectionString $PortalconnectionString -Port $AdminApiPort
Set-MgmtSvcFqdn -Namespace TenantSite -FQDN $TenantSiteLB -ConnectionString $PortalconnectionString -Port $TenantSitePort
Set-MgmtSvcFqdn -Namespace WindowsAuthSite -FQDN $WinAuthSiteLB -ConnectionString $PortalconnectionString -Port $WinAuthSitePort
Set-MgmtSvcFqdn -Namespace TenantApi -FQDN $TenantApiLB -Port $TenantApiPort -Server $server
Set-MgmtSvcFqdn -Namespace TenantPublicApi -FQDN $TenantPublicApiLB -ConnectionString $PortalconnectionString -Port $TenantPublicApiPort

# Re-establish trust between the authentication sites and the management portals
Set-MgmtSvcRelyingPartySettings -Target Tenant –MetadataEndpoint $TenantMetadataEndpoint -DisableCertificateValidation -PortalConnectionString $PortalconnectionString -ManagementConnectionString $MgmtStoreConnectionString
Set-MgmtSvcRelyingPartySettings -Target Admin –MetadataEndpoint $AdminMetadataEndpoint -DisableCertificateValidation -PortalConnectionString $PortalconnectionString -ManagementConnectionString $MgmtStoreConnectionString
Set-MgmtSvcIdentityProviderSettings -Target MemberShip –MetadataEndpoint $TenantSiteMetadataEndpoint -ConnectionString $ConnectionString -DisableCertificateValidation
Set-MgmtSvcIdentityProviderSettings -Target Windows –MetadataEndpoint $AdminSiteMetadataEndpoint -ConnectionString $PortalConnectionString –DisableCertificateValidation

# Get a list of resource providers in your deployment
Get-MgmtSvcResourceProvider -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation | Format-List -Property "Name"

# Get a list of resource providers with the current configured endpoint values
$rp = Get-MgmtSvcResourceProvider -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
$rp | Select Name, @{e={$_.AdminEndPoint.ForwardingAddress}}, @{e={$_.TenantEndpoint.ForwardingAddress}}

monitoring
marketplace
usageservice
sqlservers
mysqlservers

# new fqdn for resource provider marketplace
$resourceProviderName = "marketplace"
$adminEndpoint = "https://${AdminApiLB}:30018/"
$tenantEndpoint = "https://${AdminApiLB}:30018/"
$usageEndpoint = $null
$healthCheckEndpoint = $null
$notificationEndpoint = $null


# repeat the step below for each resource provider, updating the endpoints as appropriate
 
# acquire the resource provider you want to modify
$rp = Get-MgmtSvcResourceProvider -Name $resourceProviderName -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
# update all the endpoints using the new fqdn:
if ($rp.AdminEndpoint -and $adminEndpoint) {
# update endpoint
$rp.AdminEndpoint.ForwardingAddress = New-Object System.Uri($adminEndpoint)
}
if ($rp.TenantEndpoint -and $tenantEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($tenantEndpoint)
}
if ($rp.UsageEndpoint -and $usageEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($usageEndpoint)
}
if ($rp.HealthCheckEndpoint -and $healthCheckEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($healthCheckEndpoint)
}
if ($rp.NotificationEndpoint -and $notificationEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($notificationEndpoint)
}
Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation -Force



$resourceProviderName = "monitoring"
$adminEndpoint = "https://${AdminApiLB}:30020/"
$tenantEndpoint = "https://${AdminApiLB}:30020/"
$usageEndpoint = $null
$healthCheckEndpoint = $null
$notificationEndpoint = $null


# repeat the step below for each resource provider, updating the endpoints as appropriate
 
# acquire the resource provider you want to modify
$rp = Get-MgmtSvcResourceProvider -Name $resourceProviderName -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
# update all the endpoints using the new fqdn:
if ($rp.AdminEndpoint -and $adminEndpoint) {
# update endpoint
$rp.AdminEndpoint.ForwardingAddress = New-Object System.Uri($adminEndpoint)
}
if ($rp.TenantEndpoint -and $tenantEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($tenantEndpoint)
}
if ($rp.UsageEndpoint -and $usageEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($usageEndpoint)
}
if ($rp.HealthCheckEndpoint -and $healthCheckEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($healthCheckEndpoint)
}
if ($rp.NotificationEndpoint -and $notificationEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($notificationEndpoint)
}
Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation -Force


$resourceProviderName = "usageservice"
$adminEndpoint = "https://${AdminApiLB}:30022/"
$tenantEndpoint = "https://${AdminApiLB}:30022/"
$usageEndpoint = $null
$healthCheckEndpoint = $null
$notificationEndpoint = $null


# repeat the step below for each resource provider, updating the endpoints as appropriate
 
# acquire the resource provider you want to modify
$rp = Get-MgmtSvcResourceProvider -Name $resourceProviderName -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
# update all the endpoints using the new fqdn:
if ($rp.AdminEndpoint -and $adminEndpoint) {
# update endpoint
$rp.AdminEndpoint.ForwardingAddress = New-Object System.Uri($adminEndpoint)
}
if ($rp.TenantEndpoint -and $tenantEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($tenantEndpoint)
}
if ($rp.UsageEndpoint -and $usageEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($usageEndpoint)
}
if ($rp.HealthCheckEndpoint -and $healthCheckEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($healthCheckEndpoint)
}
if ($rp.NotificationEndpoint -and $notificationEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($notificationEndpoint)
}
Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation -Force



$resourceProviderName = "sqlservers"
$adminEndpoint = "https://${AdminApiLB}:30010/"
$tenantEndpoint = "https://${AdminApiLB}:30010/"
$usageEndpoint = "https://${AdminApiLB}:30010/"
$healthCheckEndpoint = $null
$notificationEndpoint = "https://${AdminApiLB}:30010/"


# repeat the step below for each resource provider, updating the endpoints as appropriate
 
# acquire the resource provider you want to modify
$rp = Get-MgmtSvcResourceProvider -Name $resourceProviderName -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
# update all the endpoints using the new fqdn:
if ($rp.AdminEndpoint -and $adminEndpoint) {
# update endpoint
$rp.AdminEndpoint.ForwardingAddress = New-Object System.Uri($adminEndpoint)
}
if ($rp.TenantEndpoint -and $tenantEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($tenantEndpoint)
}
if ($rp.UsageEndpoint -and $usageEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($usageEndpoint)
}
if ($rp.HealthCheckEndpoint -and $healthCheckEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($healthCheckEndpoint)
}
if ($rp.NotificationEndpoint -and $notificationEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($notificationEndpoint)
}
Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation -Force




$resourceProviderName = "mysqlservers"
$adminEndpoint = "https://${AdminApiLB}:30012/"
$tenantEndpoint = "https://${AdminApiLB}:30012/"
$usageEndpoint = "https://${AdminApiLB}:30012/"
$healthCheckEndpoint = $null
$notificationEndpoint = "https://${AdminApiLB}:30012/"


# repeat the step below for each resource provider, updating the endpoints as appropriate
 
# acquire the resource provider you want to modify
$rp = Get-MgmtSvcResourceProvider -Name $resourceProviderName -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
# update all the endpoints using the new fqdn:
if ($rp.AdminEndpoint -and $adminEndpoint) {
# update endpoint
$rp.AdminEndpoint.ForwardingAddress = New-Object System.Uri($adminEndpoint)
}
if ($rp.TenantEndpoint -and $tenantEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($tenantEndpoint)
}
if ($rp.UsageEndpoint -and $usageEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($usageEndpoint)
}
if ($rp.HealthCheckEndpoint -and $healthCheckEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($healthCheckEndpoint)
}
if ($rp.NotificationEndpoint -and $notificationEndpoint) {
# update endpoint
$rp.TenantEndpoint.ForwardingAddress = New-Object System.Uri($notificationEndpoint)
}
Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation -Force





# Get a list of resource providers with the current configured endpoint values
$rp = Get-MgmtSvcResourceProvider -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
$rp | Select Name, @{e={$_.AdminEndPoint.ForwardingAddress}}, @{e={$_.TenantEndpoint.ForwardingAddress}}
$rp | Select Name, @{e={$_.AdminEndPoint.ForwardingAddress}}, @{e={$_.TenantEndpoint.ForwardingAddress}}, @{e={$_.UsageEndpoint.ForwardingAddress}}, @{e={$_.HealthCheckEndpoint.ForwardingAddress}}, @{e={$_.NotificationEndpoint.ForwardingAddress}}


Get-MgmtSvcResourceProvider -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation | Format-List -Property "Name"





# Use UriBuilder to update host name in Uri to preserve other parts of the Uri.
function Update-UriHost([string]$message, [System.Uri]$uri, [string]$find, [string]$replace)
{
    Write-Verbose -Message "  Checking $($message): $uri" -Verbose
    $uriBuilder = New-Object System.UriBuilder($uri)
    if ($uriBuilder.Host -ieq $find -and $replace)
    {
        $uriBuilder.Host = $replace
        Write-Warning -Message "  Updated $($message):`r`n    before: $uri`r`n    after:  $($uriBuilder.Uri)"
    }
    return $uriBuilder.Uri
}

# IMPORTANT: Specify -DecryptPassword switch to read plain-text password
# so passwords are not mangled when the resource provider settings are written back to the database.
$rps = Get-MgmtSvcResourceProvider -IncludeSystemResourceProviders -AdminUri $adminApiUri -Token $token -DisableCertificateValidation
foreach ($rp in $rps)
{
    Write-Verbose -Message "Updating WAP resource provider '$($rp.Name)'." -Verbose
    $find = "wapsvrt01"
    $replace = "wapsvraapi.domain.com"

    if ($rp.AdminEndpoint.ForwardingAddress)
    {
        $rp.AdminEndpoint.ForwardingAddress = Update-UriHost -message 'AdminForwardingAddress' -uri $rp.AdminEndpoint.ForwardingAddress -find $find -replace $replace
    }

    if ($rp.TenantEndpoint.ForwardingAddress)
    {
        $rp.TenantEndpoint.ForwardingAddress = Update-UriHost -message 'TenantForwardingAddress' -uri $rp.TenantEndpoint.ForwardingAddress -find $find -replace $replace
    }

    if ($rp.UsageEndpoint.ForwardingAddress)
    {
        $rp.UsageEndpoint.ForwardingAddress = Update-UriHost -message 'UsageForwardingAddress' -uri $rp.UsageEndpoint.ForwardingAddress -find $find -replace $replace
    }

    if ($rp.HealthCheckEndpoint.ForwardingAddress)
    {
        $rp.HealthCheckEndpoint.ForwardingAddress = Update-UriHost -message 'HealthCheckForwardingAddress' -uri $rp.HealthCheckEndpoint.ForwardingAddress -find $find -replace $replace
    }

    if ($rp.NotificationEndpoint.ForwardingAddress)
    {
        $rp.NotificationEndpoint.ForwardingAddress = Update-UriHost -message 'NotificationForwardingAddress' -uri $rp.NotificationEndpoint.ForwardingAddress -find $find -replace $replace
    }

    # Add -Confirm:$false to silently update.
    $rpUpdated = Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token $token -DisableCertificateValidation -Force
    Write-Host "Set-MgmtSvcResourceProvider -ResourceProvider $rp -AdminUri $adminApiUri -Token <token> -DisableCertificateValidation -Force"
}

Leave a Reply