Azure Stack does not officially support Internet access through a non-transparent web-proxy. On multiple occasions, however, we have seen environments that have been configured this way using various workarounds. This article describes the steps to configure EvOps to use a non-transparent web-proxy.
Important
If an Azure Stack environment is placed behind a non-transparent web-proxy without following the instructions below, EvOps stops working: in connected scenarios it needs outbound access to services such as Azure AD.
Configuring EvOps Virtual Machines Proxy Settings
The EvOps software is hosted in a Service Fabric cluster that runs on three virtual machines on integrated systems and on one virtual machine in the ASDK. Proxy settings must be configured on every one of these virtual machines.
Prepare Set Proxy Script
- Copy and paste the PowerShell code below into your favorite editor

    $proxyServer = "http://webproxy:80"
    $proxyOverride = "<local>;168.63.129.16;169.254.169.254;*.azurestack.local;*.azurestack.external"

    # Define a per-machine proxy. Setting the policy value ProxySettingsPerUser to 0
    # makes the HKLM Internet Settings below apply to every account on the machine,
    # and the two Control Panel policy values lock the proxy settings against changes
    # made through the Internet Explorer user interface.
    Configuration ProxyPerMachineResource {
        Import-DscResource -ModuleName 'PSDesiredStateConfiguration'

        Registry ProxyPerMachinePolicy
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'
            ValueName = 'ProxySettingsPerUser'
            Ensure = 'Present'
            ValueData = '0'
            ValueType = 'Dword'
            Force = $true
        }
        Registry ProxyPerMachineLockAutoConfig
        {
            Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
            ValueName = 'Autoconfig'
            Ensure = 'Present'
            ValueData = '1'
            ValueType = 'Dword'
            Force = $true
        }
        Registry ProxyPerMachineLockProxy
        {
            Key = 'HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel'
            ValueName = 'Proxy'
            Ensure = 'Present'
            ValueData = '1'
            ValueType = 'Dword'
            Force = $true
        }
        # Remove any automatic configuration (PAC) URL and the cached binary connection
        # settings so that only the static proxy defined below is in effect.
        Registry ProxyPerMachineAutoConfigURL
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
            ValueName = 'AutoConfigURL'
            Ensure = 'Absent'
            Force = $true
        }
        Registry ProxyPerMachineWinHttpSettings
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
            ValueName = 'WinHttpSettings'
            Ensure = 'Absent'
            Force = $true
        }
        Registry ProxyPerMachineDefaultConnectionSettings
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
            ValueName = 'DefaultConnectionSettings'
            Ensure = 'Absent'
            Force = $true
        }
        Registry ProxyPerMachineSavedLegacySettings
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections'
            ValueName = 'SavedLegacySettings'
            Ensure = 'Absent'
            Force = $true
        }
        # Enable the static proxy and its bypass list.
        Registry ProxyPerMachineProxyEnable
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
            ValueName = 'ProxyEnable'
            Ensure = 'Present'
            ValueData = '1'
            ValueType = 'Dword'
            Force = $true
        }
        Registry ProxyPerMachineProxyServer
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
            ValueName = 'ProxyServer'
            Ensure = 'Present'
            ValueData = $proxyServer
            ValueType = 'String'
            Force = $true
        }
        Registry ProxyPerMachineProxyOverride
        {
            Key = 'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
            ValueName = 'ProxyOverride'
            Ensure = 'Present'
            ValueData = $proxyOverride
            ValueType = 'String'
            Force = $true
        }
    }

    # Compile the configuration to .\ProxyPerMachineResource and apply it to the local machine.
    ProxyPerMachineResource
    Start-DscConfiguration -Path .\ProxyPerMachineResource -Wait -Verbose

    # Creating and closing an Internet Explorer instance forces WinINET to re-read
    # the proxy settings so they take effect immediately.
    $ie = New-Object -ComObject "InternetExplorer.Application"
    $ie.Quit()

- Change the $proxyServer value to reflect your environment

    $proxyServer = "http://webproxy:80"

- Modify the $proxyOverride value to add the proxy exceptions for your environment

    $proxyOverride = "<local>;168.63.129.16;169.254.169.254;*.azurestack.local;*.azurestack.external"

  Do not remove <local>, 168.63.129.16 and 169.254.169.254. <local> is vital for the virtual machines in the cluster to be able to communicate with each other. The IPs 168.63.129.16 and 169.254.169.254 are virtual IPs of the host node.

  Virtual IP of the host node: basic infrastructure services such as DHCP, DNS, IMDS, and health monitoring are provided through the virtualized host IP addresses 168.63.129.16 and 169.254.169.254. These IP addresses belong to Microsoft and are the only virtualized IP addresses used in all regions for this purpose.

- Save the file
Open ports for RDP temporarily on EvOps RP Network Security Group
- Log in to the Azure Stack tenant portal with an account that has the Owner role on the subscription hosting the EvOps RP infrastructure
- Find and open the resource group containing the EvOps infrastructure resources; the naming convention is system.<location>.evops
- Open the network security group evops-fabric-ssg
- In the Inbound security rules list, click the rule Port3389
- Set the action to Allow, then click Save
- RDP is now open to the virtual machines. Do not forget to set this rule back to Deny once all the steps needed to set the proxy have been completed
Set Proxy on Virtual Machines
To be able to log on to the EvOps virtual machines, you need the administrator password for the virtual machines, which is unique to each installation. Please contact our support for instructions on how to extract the virtual machine login details for your environment.
- Log in to the Azure Stack tenant portal with an account that has the Owner role on the subscription hosting the EvOps RP infrastructure
- Find and open the resource group containing the EvOps infrastructure resources; the naming convention is system.<location>.evops
- Open the virtual machine evopsvm1
- Click Connect to open a remote desktop session
- Log in with the username and password retrieved using the instructions from our support
- Open Windows PowerShell ISE as Administrator
- Click New and paste in the modified set proxy script saved earlier
- Run the script and verify that it completed successfully
- Restart the virtual machine
- If you are running on an Azure Stack integrated system, repeat steps 3 through 9 (from opening the virtual machine to restarting it) on the virtual machines evopsvm2 and evopsvm3 as well
If you are running the Azure Stack Development Kit (ASDK), you can proceed to the next step
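The portal checks in the next section tell you whether EvOps came back, but not why a virtual machine would still fail to reach the Internet. The following script is an added example, not part of the original article or of the EvOps product: run it in an elevated PowerShell session on each virtual machine after the set proxy script and the reboot. It re-reads the registry values that the DSC configuration writes, compares them with the values you intended ($expectedProxy and $expectedOverride are assumed to hold the same values as $proxyServer and $proxyOverride in your edited script), and then asks the WinINET-derived system proxy how it would route traffic: the two host node virtual IPs must be bypassed and an external endpoint must be sent to the proxy. The Azure AD URL is a constructed example of an external endpoint; replace it with whatever your connected scenario requires.

```powershell
# Added verification script (not from the original article). Assumes the values
# below match $proxyServer / $proxyOverride in the set proxy script you ran.
$expectedProxy    = "http://webproxy:80"
$expectedOverride = "<local>;168.63.129.16;169.254.169.254;*.azurestack.local;*.azurestack.external"

$inetKey   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings'
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings'

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the value is missing, which is the expected state for 'Absent' resources.
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Registry state the DSC configuration should have produced.
$checks = @(
    @{ Name = 'ProxySettingsPerUser is 0 (per-machine proxy)'; Actual = (Get-RegValue $policyKey 'ProxySettingsPerUser'); Expected = 0 }
    @{ Name = 'ProxyEnable is 1';                              Actual = (Get-RegValue $inetKey 'ProxyEnable');            Expected = 1 }
    @{ Name = 'ProxyServer matches';                           Actual = (Get-RegValue $inetKey 'ProxyServer');            Expected = $expectedProxy }
    @{ Name = 'ProxyOverride matches';                         Actual = (Get-RegValue $inetKey 'ProxyOverride');          Expected = $expectedOverride }
    @{ Name = 'AutoConfigURL removed';                         Actual = (Get-RegValue $inetKey 'AutoConfigURL');          Expected = $null }
)

$failed = 0
foreach ($c in $checks) {
    $ok = ($c.Actual -eq $c.Expected)   # $null -eq $null is $true, so 'Absent' checks pass when the value is gone
    if (-not $ok) { $failed++ }
    "{0,-4} {1} (actual: '{2}')" -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $c.Name, $c.Actual
}

# 2. Effective routing as seen by the WinINET-based system proxy. If a host node VIP
#    is not bypassed, DHCP, DNS, IMDS and health monitoring traffic would be sent to
#    the web-proxy and the cluster would degrade.
$sysProxy = [System.Net.WebRequest]::GetSystemWebProxy()
$routes = @(
    @{ Target = 'http://168.63.129.16/';              ExpectBypass = $true  }
    @{ Target = 'http://169.254.169.254/metadata/';   ExpectBypass = $true  }
    @{ Target = 'https://login.microsoftonline.com/'; ExpectBypass = $false }  # constructed external endpoint (Azure AD)
)
foreach ($r in $routes) {
    $uri      = [uri]$r.Target
    $bypassed = $sysProxy.IsBypassed($uri)
    $via      = if ($bypassed) { 'direct' } else { $sysProxy.GetProxy($uri).AbsoluteUri }
    $ok       = ($bypassed -eq $r.ExpectBypass)
    if (-not $ok) { $failed++ }
    "{0,-4} {1} -> {2}" -f $(if ($ok) { 'PASS' } else { 'FAIL' }), $r.Target, $via
}

# 3. Let the Local Configuration Manager confirm every resource is still in the desired state.
$dsc = Test-DscConfiguration -Detailed
if ($dsc.ResourcesNotInDesiredState) {
    $failed++
    "FAIL DSC resources drifted: " + (($dsc.ResourcesNotInDesiredState | ForEach-Object { $_.ResourceId }) -join ', ')
} else {
    "PASS all DSC resources in desired state"
}

if ($failed -gt 0) {
    Write-Warning "$failed check(s) failed on $env:COMPUTERNAME. Re-run the set proxy script, restart the virtual machine and test again."
} else {
    "All proxy checks passed on $env:COMPUTERNAME"
}
```

Run it before opening the portal blades so that a failing virtual machine is identified while the RDP rule is still open; once all three virtual machines (or the single ASDK virtual machine) pass, continue with the portal verification below.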
Verify EvOps functionality after Web-proxy has been configured
It can take up to 20 minutes after restarting the virtual machines until the EvOps Service Fabric cluster has synchronized and is running. Verify the following.
- Go to the Azure Stack administration portal and verify that the EvOps blade opens correctly
- Go to the Azure Stack tenant portal and verify that your EvOps account opens correctly and all services are healthy
Close RDP ports opened temporarily earlier
- Log in to the Azure Stack tenant portal with an account that has the Owner role on the subscription hosting the EvOps RP infrastructure
- Find and open the resource group containing the EvOps infrastructure resources; the naming convention is system.<location>.evops
- Open the network security group evops-fabric-ssg
- In the Inbound security rules list, click the rule Port3389
- Set the action to Deny, then click Save