Philip Lavers Posted April 17, 2023
Does anybody have good experience setting up ADM on Azure? Have 2 ADC working in Azure but cannot get ADM service to integrate.

Carl Stalhood Posted April 17, 2023
What error or issue are you seeing? Is the ADM Agent successfully deployed?

Philip Lavers Posted April 17, 2023
Hello Carl, thanks for the reply. Have deployed Agent/MAsS to On Premises, have also integrated Built in Agent on MPX/SDX to ADM Service, but do not understand the requirements to integrate ADCs in Azure. Seems like you need to install an ADM Service agent into Azure along with NSG etc. to allow 443 traffic out. But the service agent fails to connect to ADM service after giving the service URL and Activation key. Other option is from a Custom Deployment in ADM that simply spins. To build in Azure do you need to set up and register an AAD user, and an Application, and install Service Agent via ARM template? Just no documentation on this process.

Carl Stalhood Posted April 17, 2023
Any firewall that is inspecting outbound Internet? https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/system-requirements.html#supported-ports has the URLs that need to be accessible by the ADM Agent.

Philip Lavers Posted April 17, 2023
I suspected that and we did a trace on the Firewall but they did not pick up anything, but we did not ask if they are inspecting the traffic. I am also not convinced that the UDR routing to the Firewall is correct from my ADC Management vNet. Will go back a step, redeploy Service Agent, will redo the NSGs, firewall and routing. Can you confirm that I do not need an AAD user account? I have Global Admin in the Subscription. Thank you.

Carl Stalhood Posted April 17, 2023
AAD user not needed for monitoring/licensing of ADCs. Just routing to ADCs and firewall on specific port numbers.

Philip Lavers Posted April 18, 2023
Hi, We rebuilt the image and got Firewall team to allow "Any" from Agent IP - deployment still fails.
First thing is to run the deployment process where you enter the Service URL as per the Agent Activation process on ADM Service.
Check the real service url and is open.
Run a Diag and same issue.
Question is - why enter the service url "carmel.agent.adm.cloud.com" but fails with a different url "carmel.adm.cloud.com" on both the deployment and diag tasks? This Service Agent has me done!

Morten Kallesøe Posted May 3, 2023
Hi Philip, your screenshot is of very low quality - it's unreadable. I have ADM agents in Azure, works fine. Both with Citrix Cloud and "on-prem" ADM.

Philip Lavers Posted May 9, 2023
Thank you for the help. Apologies for late response, was on leave for a couple of days. After the Azure ARM Template build, we are trying to use the "deployment_type.py" utility to register the service agent with ADM, and it will not connect. If we run the diagnostic tool, we get the following error. The service agent IP is an internal IP with an ANY rule via 443 to Internet through a firewall. Hope screen shots are clearer. Thanks

Morten Kallesøe Posted May 10, 2023
Before running the deployment_type.py, try and do telnet <the ip of carmel.agent.adm.cloud.com> 443 - if you cannot do that, you need to check the upstream network (could be AZ fw) - something is blocking and I doubt it's the cloud service.

Philip Lavers Posted May 10, 2023
Hello, we did do this and ran a number of curl commands and the ports seem open. The only possible doubt is the AWS Backup URL.
I am beginning to think that the issue may lie on the ADM Portal. We did have 2 VPXs in a private DC and we were able to manually configure the built in agent to connect to ADM. This worked fine as a test. They were on IPs 10.10.24.140 and 10.10.24.180. We have since decommissioned these 2 VPX and built new in Azure using an ARM template. The 2 new devices are licensed via host file method. Maybe, just maybe the old VPXs are blocking new VPXs as we cannot delete the old.
Second, is that maybe before we understood that we needed a “Service Agent” and could not use the “Built In Agent” we did Enable the “ADM Service Connect”. And I see these 2 VPX devices listed in ADM under “Asset Inventory”.
We are unable to delete these 2 devices out of ADM, and unable to “Un Tick” the Service Connect option on the ADCs.
I trust email is a better way to communicate, but happy to respond via the forum? Thank you for the help. It is much appreciated.

Morten Kallesøe Posted May 10, 2023
Hey Philip, I need to understand which problem you are trying to solve. Onboarding an ADM-Agent in ADM-Cloud? Or having VPX using inbuilt ADM-Agent (Service Connect something something)?

Philip Lavers Posted May 10, 2023
Hi, The goal is to use the ADM features. The problem is that the Service Agent will not register in ADM. Hence problem is onboarding an ADM Agent in ADM-Cloud. Hope that helps.

Morten Kallesøe Posted May 10, 2023
And you have followed this guide: https://docs.netscaler.com/en-us/citrix-application-delivery-management-service/getting-started/install-agent-on-microsoft-azure.html ?

Philip Lavers Posted May 10, 2023
Yes, exactly that. We tried with this option and without and there is no difference.

Morten Kallesøe Posted May 10, 2023
I think you need to go through support, this guide works fine for me.

Philip Lavers Posted May 10, 2023
Been there, done that. It’s why I reached out to this forum. Will log another ticket and push it to be escalated. Thank you for the help.

Kai Thorsrud Posted May 10, 2023
Works fine for me. I did the first deploy World Wide. Been running it since 2019. You cannot install ADM in Azure but netscalers in azure can report to Citrix ADM directly or using ADM Agents (ADM installed onprem or ADM As a Service). Or you can hack it to work in Azure but it is not supported to install the ADM Appliance in Azure.

Philip Lavers Posted May 10, 2023
Hello, so I am learning this the hard way, and I must say the documentation is really confusing. Firstly, we have ADM Cloud Service, so simply trying to connect to that. On-Premises no longer an option as we migrated everything to Azure.
I understand the following basic rules:
- On-Prem MPX, SDX and VPX you can use the built in agent, no need for Agents (but if you don’t have an ADM Service in cloud then you deploy the agents and the on-prem ADM Version). Think I got that right!
- Cloud VPX version needs to be 13.0 Build 46+ and you have to use a Service Agent to talk to ADM Service in cloud.
What I am still figuring out is on the ADCs in Azure, are these 2 options:
1. Citrix ADM Service Connect or Configure ADM Parameters – can be Enabled,
2. Configure Cloud Parameters (Controller FQDN, Controller Port etc) along with a cloud profile.
Are these redundant, legacy not used for Cloud, perhaps used for different scenarios? I think with all the name changes, version changes, new 3 letter acronyms etc, if you do not know the history of ADC heaven help you!
All I need is this Azure Service Agent to connect to ADM Service, and register my 2 ADCs so that I can build out 2 API Gateways for some fairly complex integration with a 3rd party service provider. Clearly got a lot of catch-up learning to do, and maybe I simply build what I need on ADC but I like the look of the Security Insights.
Thank you for your interest, and hopefully I can push this and learn something that I can share on this forum for others.

Kai Thorsrud Posted May 10, 2023
In cloud you need IP connectivity to an ADM server or you can use the managed ADM service. For a normal ADM Server, the agent is just a cache in case you lose connectivity to ADM Server.

Morten Kallesøe Posted May 11, 2023
Hi Philip, I have personally never configured the "cloud profile". The internal ADM Service agent replaces the need to have a dedicated ADM Agent running. But top of mind, there are some things that you cannot do, and I think it's analytics. There you need the ADM Agent.
You should deploy the ADM Service Agent via the Marketplace in Azure and follow the onboarding guide.
In Azure you deploy: Citrix ADM Service Agent 13.1
In ADM-Service (for me: https://carmel.adm.cloud.com/) you click infrastructure -> instances -> Agents -> Set up agent button in top right corner, and follow the guide.
On your Instances (VPX, CPX, BLX), when onboarding, set up the instance with the agent you just enrolled.
It should not be that frustrating, so either there is a problem or you are doing something wrong :-(

Kai Thorsrud Posted May 11, 2023
+1 to what Morten is saying

Philip Lavers Posted May 25, 2023
We found the problem, and you guys that helped were correct. Firewall! configuration was in fact wrong. If it helps somebody else, the list of URLs to be whitelisted on a firewall includes these, and we had to register the associated IPs:
Download.citrixnetworkapi.net
- 34.202.177.254
- 107.20.215.104
- 52.200.108.121
Agent.adm.cloud.com
- 54.165.90.194
- 52.72.132.100
- 34.200.175.42
adm-prod-backup-.*.s3..*amazonaws.com [nslookup s3.amazonaws.com]
- 52.217.84.238
- 52.217.47.158
- 52.216.105.245
- 52.217.65.246
- 52.217.46.46
- 52.217.105.174
- 52.217.135.208
- 54.231.171.32
Lessons learnt, and a month of troubleshooting. Thanks again to Carl and Morten who in fact diagnosed the problem correctly.

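Added example (not part of the thread and not Citrix code): a Python check that compares what DNS currently returns for the allowlisted hostnames with the static IPs registered on the firewall, and repeats the TCP 443 test suggested earlier in the thread against each address. The function names are illustrative; the hostnames (lowercased) and IPs are copied from the post above.

```python
import socket

# Firewall allowlist snapshot: hostnames and IPs as given in the post above.
# The S3 backup entry is left out because a wildcard pattern cannot be
# resolved directly.
ALLOWLIST = {
    "download.citrixnetworkapi.net": {
        "34.202.177.254", "107.20.215.104", "52.200.108.121"},
    "agent.adm.cloud.com": {
        "54.165.90.194", "52.72.132.100", "34.200.175.42"},
}


def resolve_ipv4(host, port=443):
    """Return the set of IPv4 addresses DNS currently returns for host."""
    infos = socket.getaddrinfo(host, port, socket.AF_INET, socket.SOCK_STREAM)
    return {info[4][0] for info in infos}


def allowlist_drift(allowlist, resolver=resolve_ipv4):
    """Map each host to resolved IPs that the static rule does not cover."""
    drift = {}
    for host, allowed in allowlist.items():
        try:
            current = resolver(host)
        except OSError:
            drift[host] = None  # name did not resolve from this network
            continue
        uncovered = current - allowed
        if uncovered:
            drift[host] = uncovered
    return drift


def tcp_open(ip, port=443, timeout=5.0):
    """True if a TCP connection to ip:port completes (like the telnet test)."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for host, uncovered in allowlist_drift(ALLOWLIST).items():
        print(host, "->", "unresolved" if uncovered is None else sorted(uncovered))
    for host, ips in ALLOWLIST.items():
        for ip in sorted(ips):
            print(host, ip, "open" if tcp_open(ip) else "blocked")
```

Run from the agent's subnet, any address reported as uncovered is one the firewall rule would drop the next time DNS hands it out.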
Sumanth Lingappa Posted May 31, 2023
Hello @Philip Lavers, we have automated the process of ADM-agent provisioning on Azure using Terraform scripts.
You can find the scripts at https://github.com/citrix/terraform-cloud-scripts/tree/master/azure/deployments
NOTE: The scripts will automatically register the ADM-agent to the ADMService.
I am happy to help you if you have more questions.