2.2 Installing the Cloud Gateway in Microsoft Azure

The AD Bridge Cloud Gateway bridges Linux virtual machines (VMs) in the cloud with the on-premises AD Bridge Gateway and pushes universal policies created on the Cloud Gateway to the cloud Linux VMs.

To set up the AD Bridge Cloud Gateway:

  1. Create a Resource Group.

    For more information, see Create Resource Groups on Azure.

  2. Create a Virtual Network (Classic).

    For more information, see Create a Virtual Network (Classic) on Azure.

  3. Create a Storage Account (Classic).

    For more information, see Create a Storage Account (Classic) on Azure.

  4. Create a SQL Database.

    For more information, see Create a SQL Database on Azure.

  5. Download the AD Bridge installation files from the Micro Focus Downloads website onto a Windows device.

  6. Extract the contents of the ADBRIDGECLOUD_2.zip file.

  7. Open the ServiceConfiguration.Release.cscfg file from the extracted contents and replace the placeholder values shown in the snippet below (SQL server name, user and password, WildcardDomain, storage account name and key, certificate thumbprint, virtual network and subnet names) according to your environment. The thumbprint is the SHA-1 fingerprint of the certificate you will upload to the cloud service, entered as 40 hexadecimal digits without spaces. Because the file holds the SQL password and the storage account key in clear text, keep it out of source control and restrict who can read it:

    <?xml version="1.0" encoding="utf-8"?>
    <ServiceConfiguration serviceName="HAPI.Mvc.Gatekeeper.CloudService" xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration" osFamily="6" osVersion="*" schemaVersion="2015-04.2.6">
      <Role name="HAPI.Mvc.Gatekeeper.CloudHost">
        <Instances count="1" />
        <ConfigurationSettings>
          <Setting name="DatabaseConnection" value="Server=tcp:myserver.database.windows.net,1433;Initial Catalog=ADBridge;Persist Security Info=True;User ID=myuser@myserver;Password=" />
          <Setting name="WildcardDomain" value="your domain name.com" />
          <Setting name="LogStorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=" />
          <Setting name="AzureLogShare" value="ADB" />
          <Setting name="AzureLogDirectory" value="Logs" />
          <Setting name="LoggingLevel" value="Error" />
        </ConfigurationSettings>
        <Certificates>
          <Certificate name="Certificate1" thumbprint="<thumbprint here>" thumbprintAlgorithm="sha1" />
        </Certificates>
      </Role>
      <Role name="HAPI.Mvc.Gatekeeper.TraversalWorker">
        <Instances count="1" />
        <ConfigurationSettings>
          <Setting name="DatabaseConnection" value="Server=tcp:myserver.database.windows.net,1433;Initial Catalog=ADBridge;Persist Security Info=True;User ID=myuser@myserver;Password=" />
          <Setting name="LogStorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=" />
          <Setting name="AzureLogShare" value="ADB" />
          <Setting name="AzureLogDirectory" value="Logs" />
          <Setting name="LoggingLevel" value="Error" />
        </ConfigurationSettings>
        <Certificates>
          <Certificate name="Certificate1" thumbprint="<thumbprint here>" thumbprintAlgorithm="sha1" />
        </Certificates>
      </Role>
      <NetworkConfiguration>
        <VirtualNetworkSite name="Group resource group virtual network" />
        <AddressAssignments>
          <InstanceAddress roleName="HAPI.Mvc.Gatekeeper.CloudHost">
            <Subnets>
              <Subnet name="subnet name" />
            </Subnets>
          </InstanceAddress>
          <InstanceAddress roleName="HAPI.Mvc.Gatekeeper.TraversalWorker">
            <Subnets>
              <Subnet name="subnet name" />
            </Subnets>
          </InstanceAddress>
        </AddressAssignments>
      </NetworkConfiguration>
    </ServiceConfiguration>
  8. Create a Cloud Service (Classic) and upload the service package, the edited ServiceConfiguration.Release.cscfg file, and the certificate whose thumbprint you entered in the configuration file.

    Configure the firewall of the Azure SQL server to allow the cloud service's public IP addresses to reach it; do not open it to all Azure services or to every address.

    For more information, see Create a Cloud Service (Classic) on Azure.

  9. Create a Linux Virtual Machine (Classic).

    For more information, see Create a Virtual Machine on Azure.

  10. Configure your Linux VM:

    1. Install NGINX.

      # yum update

      # reboot

      # yum install epel-release

      # yum install nginx

    2. Install your SSL certificate and private key on the NGINX server; the paths are referenced by the ssl_certificate and ssl_certificate_key directives in nginx.conf.

    3. Copy the cors.include file from the extracted contents to the /etc/nginx directory of the NGINX server.

    4. Copy the nginx.conf file from the extracted contents to the /etc/nginx directory of the NGINX server, replacing the existing file.

    5. Configure the Azure network rules for the VM (endpoint or network security group) to allow inbound HTTPS (port 443) to the NGINX server. Port 80 is needed only if you keep the HTTP-to-HTTPS redirect that nginx.conf defines.

  11. Open the /etc/nginx/nginx.conf file and replace the values marked with comments in the snippet below (certificate and key paths, and the private IP addresses of the CloudHost and TraversalWorker roles) according to your environment. Note that nginx does not verify the TraversalWorker's certificate on the proxied HTTPS connections unless you also set proxy_ssl_verify on and proxy_ssl_trusted_certificate; run nginx -t after editing and before restarting the service:

    user nginx;
    worker_processes auto;
    error_log /var/log/nginx/error.log;
    pid /run/nginx.pid;
    
    # Load dynamic modules. See /usr/share/nginx/README.dynamic.
    include /usr/share/nginx/modules/*.conf;
    
    events {
        worker_connections 1024;
    }
    
    http {
        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                          '$status $body_bytes_sent "$http_referer" '
                          '"$http_user_agent" "$http_x_forwarded_for"';
    
        access_log  /var/log/nginx/access.log  main;
    
        sendfile            on;
        tcp_nopush          on;
        tcp_nodelay         on;
        keepalive_timeout   65;
        types_hash_max_size 2048;
    
        include             /etc/nginx/mime.types;
        default_type        application/octet-stream;
    
        server {
            listen       80 default_server;
            listen       [::]:80 default_server;
    
            server_name _;
            return 301 https://$host$request_uri;
        }
    
        server {
            listen       443 ssl http2 default_server;
            listen       [::]:443 ssl http2 default_server;
            # Matches the WildcardDomain from the cscfg and any subdomain of it;
            # the named captures are not used elsewhere in this file.
            server_name  ~^(?<subdomain>[^.]+\.)?(?<domain>.+)$;
            root         /usr/share/nginx/html;

            # Replace with your certificate and private key in the next two lines
            ssl_certificate     "/etc/pki/nginx/cert-here.crt";
            ssl_certificate_key "/etc/pki/nginx/cert-here.pem";
            ssl_protocols       TLSv1.2;

            location ~* "^/(api|portal|content|scripts|images|swagger)" {
                gzip on;
                gzip_proxied any;
                gzip_types text/html application/json application/javascript text/xml;
                proxy_redirect off;
                proxy_set_header host $host;
                proxy_set_header X-forward-for $proxy_add_x_forwarded_for;
                proxy_set_header X-real-ip $remote_addr;
                include cors.include;
                rewrite ^/(.*) /$1 break;
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                send_timeout 300;
                proxy_pass http://10.1.0.4;    # replace with the IP of your CloudHost role
            }

            location /ws {
                # WebSocket upgrade, proxied to the TraversalWorker role
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "Upgrade";
                proxy_redirect off;
                proxy_set_header host $host;
                proxy_set_header X-forward-for $proxy_add_x_forwarded_for;
                proxy_set_header X-real-ip $remote_addr;
                include cors.include;
                proxy_pass https://10.1.0.5/ws;    # replace with the IP of your TraversalWorker role
            }

            location /route {
                proxy_connect_timeout 300;
                proxy_send_timeout 300;
                proxy_read_timeout 300;
                send_timeout 300;
                gzip on;
                gzip_proxied any;
                gzip_types text/html application/json application/javascript text/xml;
                proxy_redirect off;
                proxy_set_header host $host;
                proxy_set_header X-forward-for $proxy_add_x_forwarded_for;
                proxy_set_header X-real-ip $remote_addr;
                proxy_set_header If-Modified-Since "";
                add_header 'Cache-Control' 'no-store, no-cache, must-revalidate, proxy-revalidate, max-age=0';
                expires off;
                include cors.include;
                proxy_pass https://10.1.0.5/route;    # replace with the IP of your TraversalWorker role
            }
        }
    }
    
  12. Copy the compressed web console files to the Linux VM and run the following commands:

    1. Remove the old HTML files:

      # rm -rf /usr/share/nginx/html/*

    2. Extract the web console files:

      # tar -jxvf WebConsole_22472.tar.bz2 -C /usr/share/nginx/html/

    3. Restart the nginx service:

      # systemctl restart nginx
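The ServiceConfiguration.Release.cscfg edited in step 7 is the one artifact in this procedure that carries the SQL password, the storage account key and the certificate thumbprint, and a half-edited copy fails only after the cloud service has been deployed. The following script is an added example written for this page, not code from the AD Bridge distribution. It parses a cscfg with the standard library and reports placeholders that were never replaced, secrets left empty, and certificate thumbprints that are not 40 hex digits. The embedded sample document is constructed from the layout shown above with only the CloudHost role; the Encrypt=True and Persist Security Info=False checks are hardening recommendations of this example, not settings the page requires.

```python
"""Lint an Azure ServiceConfiguration.*.cscfg before it is uploaded.

Hypothetical helper written for this page (not part of AD Bridge): it reports
placeholders that were never replaced, secrets that are still empty, and two
connection-string options worth tightening. Usage:
    python lint_cscfg.py ServiceConfiguration.Release.cscfg
"""
import re
import sys
import xml.etree.ElementTree as ET

NS = {"sc": "http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"}

# Constructed sample: the CloudHost role from the page with its placeholders still in place.
SAMPLE_CSCFG = """<?xml version="1.0" encoding="utf-8"?>
<ServiceConfiguration serviceName="HAPI.Mvc.Gatekeeper.CloudService"
  xmlns="http://schemas.microsoft.com/ServiceHosting/2008/10/ServiceConfiguration"
  osFamily="6" osVersion="*" schemaVersion="2015-04.2.6">
  <Role name="HAPI.Mvc.Gatekeeper.CloudHost">
    <Instances count="1" />
    <ConfigurationSettings>
      <Setting name="DatabaseConnection" value="Server=tcp:myserver.database.windows.net,1433;Initial Catalog=ADBridge;Persist Security Info=True;User ID=myuser@myserver;Password=" />
      <Setting name="WildcardDomain" value="your domain name.com" />
      <Setting name="LogStorageConnectionString" value="DefaultEndpointsProtocol=https;AccountName=mystorageaccount;AccountKey=" />
      <Setting name="LoggingLevel" value="Error" />
    </ConfigurationSettings>
    <Certificates>
      <Certificate name="Certificate1" thumbprint="THUMBPRINT_HERE" thumbprintAlgorithm="sha1" />
    </Certificates>
  </Role>
</ServiceConfiguration>
"""


def parse_kv(conn):
    """Split 'Key=Value;Key=Value' into a dict keyed by lower-cased name."""
    out = {}
    for part in conn.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            out[key.strip().lower()] = value.strip()
    return out


def lint_cscfg(xml_text):
    """Return a list of (role name, finding) tuples; an empty list means clean."""
    findings = []
    root = ET.fromstring(xml_text.encode("utf-8"))
    for role in root.findall("sc:Role", NS):
        name = role.get("name", "?")
        settings = {s.get("name"): s.get("value", "")
                    for s in role.findall("sc:ConfigurationSettings/sc:Setting", NS)}

        db = parse_kv(settings.get("DatabaseConnection", ""))
        if not db.get("password"):
            findings.append((name, "DatabaseConnection: Password is empty"))
        if db.get("persist security info", "").lower() == "true":
            findings.append((name, "DatabaseConnection: set Persist Security Info=False"))
        if db.get("encrypt", "").lower() != "true":
            findings.append((name, "DatabaseConnection: add Encrypt=True"))

        storage = parse_kv(settings.get("LogStorageConnectionString", ""))
        if not storage.get("accountkey"):
            findings.append((name, "LogStorageConnectionString: AccountKey is empty"))
        if storage.get("defaultendpointsprotocol", "").lower() != "https":
            findings.append((name, "LogStorageConnectionString: DefaultEndpointsProtocol must be https"))

        # Only the CloudHost role carries WildcardDomain; roles without it are skipped.
        domain = settings.get("WildcardDomain")
        if domain is not None and (" " in domain or domain == "your domain name.com"):
            findings.append((name, "WildcardDomain: placeholder not replaced"))

        # Azure expects the SHA-1 thumbprint as 40 hex digits, no spaces or colons.
        for cert in role.findall("sc:Certificates/sc:Certificate", NS):
            if not re.fullmatch(r"[0-9A-Fa-f]{40}", cert.get("thumbprint", "")):
                findings.append((name, "Certificate %s: thumbprint must be 40 hex digits (SHA-1)"
                                 % cert.get("name")))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_CSCFG
    for role, finding in lint_cscfg(text):
        print("%s: %s" % (role, finding))
```

Run it against the real file before uploading; on the unedited sample it reports six findings for the CloudHost role, and a file with every placeholder replaced yields none.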

2.2.1 Adding a GoDaddy SSL Certificate

To add a GoDaddy SSL certificate, download the issuing CA certificate, copy it to each agent machine that must trust it, and manually add it to the machine's trust store:

Prerequisite

Download the gdig2.crt.pem certificate from the GoDaddy Repository.

For RHEL 7 or CentOS 7 or Oracle Linux 7:

  1. Copy the gdig2.crt.pem file to /etc/pki/tls/certs.

  2. Type ln -s /etc/pki/tls/certs/gdig2.crt.pem /etc/pki/tls/certs/27eb7704.0 and press Enter. The link name is the certificate's OpenSSL subject hash; confirm it matches the output of openssl x509 -noout -subject_hash -in /etc/pki/tls/certs/gdig2.crt.pem before continuing.

  3. Type certutil -d sql:/etc/pki/nssdb -A -t "C,C,C" -n "Go Daddy Secure Certificate Authority - G2" -i /etc/pki/tls/certs/gdig2.crt.pem and press Enter.

For RHEL 8 or CentOS 8 or Oracle Linux 8:

  1. Copy the gdig2.crt.pem file (Go Daddy Secure Certificate Authority - G2) to /usr/share/pki/ca-trust-source/anchors.

  2. Type update-ca-trust and press Enter.

For SLES 12 and SLES 15:

  1. Copy the gdig2.crt.pem file to /etc/pki/trust/anchors/.

  2. Type update-ca-certificates and press Enter.

  3. Restart the agent.

For Ubuntu 16 and 18:

  1. Copy the gdig2.crt.pem file to /usr/local/share/ca-certificates/gdig2.crt (the file must have a .crt extension to be picked up).

  2. Type dpkg-reconfigure ca-certificates (or update-ca-certificates) and press Enter.
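Each of the procedures above ends with a trust-store update but no check that it took effect. The following script is an added example for this page, not part of AD Bridge: it loads the default OpenSSL trust store that Python uses on the agent machine (the store that the hashed symlink on RHEL 7, update-ca-trust on RHEL 8, and update-ca-certificates on SLES and Ubuntu populate) and reports whether a CA with the given common name is present; it can also load one extra PEM file, which fails loudly if the file is not a valid certificate. The NSS database written by certutil on RHEL 7 is a separate store and is listed with certutil -L -d sql:/etc/pki/nssdb instead. The CA name constant is taken from the page; everything else is assumed for the example.

```python
"""Check that a CA is visible in the OpenSSL trust store Python uses.

Added example for this page, not part of AD Bridge. Usage:
    python check_ca.py                 # look in the system default store only
    python check_ca.py gdig2.crt.pem   # also load this PEM and check it parses
"""
import ssl
import sys

GODADDY_G2 = "Go Daddy Secure Certificate Authority - G2"


def trusted_ca_subjects(cafile=None):
    """Return the commonName of every CA loaded into a default SSL context.

    Caveat: OpenSSL loads certificates from a hashed directory (capath) only
    when they are first used, so on a system that ships no bundle file the
    list can be shorter than what verification would actually accept.
    """
    ctx = ssl.create_default_context()      # loads the platform default store
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # raises ssl.SSLError on a bad PEM
    names = []
    for cert in ctx.get_ca_certs():          # list of dicts, one per loaded CA
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def ca_is_trusted(common_name, cafile=None):
    """True if a CA with this commonName is loaded from the store (plus cafile)."""
    return common_name in trusted_ca_subjects(cafile)


if __name__ == "__main__":
    extra = sys.argv[1] if len(sys.argv) > 1 else None
    state = "trusted" if ca_is_trusted(GODADDY_G2, extra) else "NOT trusted"
    print("%s: %s" % (GODADDY_G2, state))
```

Run it as the same user the agent runs as; a "NOT trusted" result after the distribution's update command usually means the file was copied to the wrong directory or, on Ubuntu, without the .crt extension.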