Jump to content

Does anybody have good experience setting up ADM on Azure? Have 2 ADC working in Azure but cannot get ADM service to integrate.


Philip Lavers

Recommended Posts

Hello Carl, thanks for the reply. Have deployed Agent/MAsS to On Premises, have also integrated Built in Agent on MPX/SDX to ADM Service - but not understand requirements ti integrate ADC's in Azure. Seems like you need to install an ADM Service agent into Azure along with NSG etc to allow 443 traffic out. But service agent fails to connect to ADM service after giving the service URL and Activation key. Other option is from a Custom Deployment in ADM that simply spins.

To build in Azure do you need to setup and register a AAD user, and an Application, and install Service Agent via ARM template?

Just no documentation on this process.

Link to comment
Share on other sites

I suspected that and we did a trace on the Firewall but they did not pick up anything - but we did not ask if they are inspecting the traffic. I am also not convinced that the UDR routing to the Firewall is correct from my ADC Management vNet. Will go back a step, redeploy Service Agent, will redo the NSG's, firewall and routing. Can you confirm that I do not need an AAD user account - I have Global Admin in the Subscription. Thank you

Link to comment
Share on other sites

Hi, We rebuilt the image and got Firewall team to allow "Any" from Agent IP - deployment still fails.

First thing is to run the deployment process where you enter the Service URL as per the Agent Activation process on ADM Service.ADM1.png.ea5e8e98ac8af61f34c4c071915a350b.pngCheck the real service url and is openimage.png.b641ba133c4ac2fe413091455d2fa050.pngimage.png.65aeeb641b39347bf5dcee835d4168da.pngRun a Diag and same issue.

image.png.49a041764a482943e0f5cffcfbc001c0.pngQuestion is - why enter the service url "carmel.agent.adm.cloud.com" but fails with a different url "carmel.adm.cloud.com" on both the deployment and diag tasks? This Service Agent has me done!

Link to comment
Share on other sites

  • 2 weeks later...

Thank you for the help. Apologies for late response, was on leave for a couple days.

After the Azure ARM Template build, we are trying to use the "deployment_type.py" utility to register the service agent with ADM, and it will not connect.

image.png.fdef1f725cef0bf68ff3a7c2b0a8bcb6.png 

If we run the diagnostic tool, we get the following error

image.png.a33a2a8514d245931fdaa5ba0012e3ac.png 

The service agent IP Is an internal IP with a ANY rule via 443 to Internet through a firewall.

Hope screen shots are clearer. Thanks

Link to comment
Share on other sites

Hello, we did do this and ran a number of curl commands and the ports seem open. The only possible doubt is the AWS Backup URL

 

[cid:image001.png@01D98329.806571D0]

 

I am beginning to think that the issue may lie on the ADM Portal. We did have 2 VPX’s in a private DC and we were able to manually configure the built in agent to connect to ADM. This worked fine as a test. They were on IP’s 10.10.24.140 and 10.10.24.180. We have since decommissioned these 2 VPX and build new in Azure using a ARM template. The 2 new devices are licenses via host file method.

 

Maybe, just maybe the old VPX’s are blocking new VPX’s as we cannot delete the old.

[cid:image002.png@01D98329.806571D0]

 

Second, is that maybe before we understood that we needed a “Service Agent” and could not use the Built In Agent” we did Enable the “ADM Service Connect”

 

[cid:image003.png@01D98329.806571D0]

 

And I see these 2 VPX devices listed in ADM under “Asset Inventory”

[cid:image004.png@01D98329.806571D0]

 

 

[cid:image005.png@01D98329.806571D0]

 

We unable to delete these 2 devices out of ADM, and unable to “Un Tick” the Service Connect option on the ADC’s

 

I trust email is a better way to communicate, but happy to respond via the forumn?

Thank you for the help. It is much appreciated.

 

[Text Description automatically generated]

 

From: Developer forum

Reply to: Reply to NetScaler Community <0-1jnru21k4mqisg.mran4s7dyom14dpu.tbj8q0ma29jaxj0d@0z5ztmjogrqpnajb.43l6hefqqtdluz44.8b-13r54eae.na212.chatter.salesforce.com>

Link to comment
Share on other sites

Hi,

The goal is to use the ADM features.

The problem is that the Service Agent will not register in ADM – Hence problem is onboarding an ADM Agent in ADM- Cloud.

 

Hope that helps

 

 

 

[Text Description automatically generated]

 

From: Developer forum

Reply to: Reply to NetScaler Community <1atmo714ru23gd71.8q01laq0yeovgrv2.k77t81r6csxer8fz@c45i347eoi3kcp71.yhd7szpm5p86zg.8b-13r54eae.na212.chatter.salesforce.com>

Link to comment
Share on other sites

Yes, exactly that. We tried with this option and without and there is no difference.

 

[cid:image001.png@01D9833E.55E1C250]

 

 

[Text Description automatically generated]

 

From: Developer forum

Reply to: Reply to NetScaler Community <0-1vqj9jamcl949d.jkj03su1lrv517pu.ko5nj28eiravdqvp@p21hvemq4xgv6woz.emu4fcbehvo6bbx4.8b-13r54eae.na212.chatter.salesforce.com>

Link to comment
Share on other sites

Been there, done that. It’s why I reached out to this forum. Will log another ticket and push it to be escalated.

Thank you for the help.

 

[Text Description automatically generated]

 

From: Developer forum

Reply to: Reply to NetScaler Community <0-19v2jgrbixkuvj.6dr51a8dawbk44a2.7fafutuf16bx4qln@g36gxt9nlhpuoncq.ats9xl5varxz4lzs.8b-13r54eae.na212.chatter.salesforce.com>

Link to comment
Share on other sites

Works fine for me. I did the first deploy World Wide. Been running it since 2019.

You cannot install ADM in Azure but netscalers in azure can report to Citrix ADM directly or using ADM Agents. (ADM installed onprem or ADM As a Service )

Or you can hack it to work in Azure but it is not supported to install the ADM Appliance in Azure.

Link to comment
Share on other sites

Hello, so I am learning this hard way, and I must say the documentation is really confusing.

Firstly, we have ADM Cloud Service, so simply trying to connect to that. On-Premises no longer an option as we migrated everything to Azure.

 

I understand the following basic rules:-

On-Prem MPX,SDX and VPX you can use the built in agent – no need for Agents (But if you don’t have an ADM Service in cloud then you deploy the agents and the on-prem ADM Version) – Think I got that right!

Cloud VPX version needs to be 13.0 Build 46+ and you have to use a Service Agent to talk to ADM Service in cloud.

 

What I am still figuring out is on the ADC’s in Azure, are these 2 options.

 

1. Citrix ADM Service Connect or Configure ADM Parameters – can be Enabled,

2. Configure Cloud Parameters (Controller FQDN, Controller Port etc) along with a cloud profile.

 

Are these redundant, legacy not used for Cloud – perhaps used for different scenarios.

 

I think with all the name changes, version changes, new 3 letter acronyms etc – if you do not know the history of ADC heaven help you! All I need, is this Azure Service Agent to connect to ADM Service, and register my 2 ADC’s so that I can build out 2 API Gateways for some fairly complex integration with a 3rd party service provider.

 

Clearly got a lot of catch learning up to do, and maybe I simply build what I need on ADC but I like the look of the Security Insights.

 

Thank you for your interest, and hopefully I can push this and learn something that I can share on this forum for others.

 

[Text Description automatically generated]

 

From: Developer forum

Reply to: Reply to NetScaler Community <135c0b4jhgbfaxab.c0m9dltitepyrzwr.6gn37jdjx7v6b9en@wri96kf8o3stn6zs.tdw56kwql3480q.8b-13r54eae.na212.chatter.salesforce.com>

Link to comment
Share on other sites

Hi Philip, i have personally never configured the "cloud profile".

The internal ADM Service agent replaces the need to have a dedicated ADM Agent running. But top of mind, there are some things that you cannot do, and i think its analytics. There you need the ADM Agent.

You should deploy the ADM Service Agent via the Marketplace in Azure. and follow the onboarding guide.

In azure you deploy:

Citrix ADM Service Agent 13.1

in ADM-Service (for me; https://carmel.adm.cloud.com/) - you click infrastructure -> instances -> Agents -> Set up agent button in top right corner. and follow the guide.

on your Instances (VPX,CPX,BLX), when onboarding, setup the instance with agent you just enrolled.

it should not be that frustrating, so either there is a problem or you are doing something wrong :-(

Link to comment
Share on other sites

  • 2 weeks later...

We found the problem, and you guys that helped were correct. Firewall! configuration was in fact wrong. If it helps somebody else the list of url's to be whitelisted on a firewall include these , and we had to register the associated IP's:

Download.citrixnetworkapi.net

34.202.177.254

107.20.215.104

52.200.108.121

Agent.adm.cloud.com

54.165.90.194

52.72.132.100

34.200.175.42

adm-prod-backup-.*.s3..*amazonaws.com [nslookup s3.amazonaws.com]

52.217.84.238

52.217.47.158

52.216.105.245

52.217.65.246

52.217.46.46

52.217.105.174

52.217.135.208

54.231.171.32

Lessons learnt, and a month of troubleshooting. Thanks again to Carl and Morten who in fact diagnosed the problem correctly.

Link to comment
Share on other sites

Hello @Philip Lavers​, we have automated the process of ADM-agent provisioning on Azure using Terraform scripts.

You can find the scripts at https://github.com/citrix/terraform-cloud-scripts/tree/master/azure/deployments

NOTE: The scripts will automatically register the ADM-agent to the ADMService.

I am happy to help you if you have more questions.

image.thumb.png.e1f4c540f015e918b2235e99205fda07.png

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...