If a firewall protects the environment that is managed by Active Roles, you must open the required ports between Active Roles Administration Service and the managed environment.
For example, if you have a firewall configured between Active Roles and a DNS, you must open:
-
Port 15172 (both inbound and outbound) on the Active Roles virtual machine (VM) and the firewall between Active Roles and Exchange Server.
-
Port 53 on the DNS or the firewall between Active Roles and the DNS.
For the list of communication ports used by Active Roles, see Communication ports in the Active Roles Administration Guide. For more information on Active Roles communication ports in general, see Knowledge Base Article 4227036 on the One Identity support portal.
Opening ports in Azure
To open ports in Azure or create an endpoint to your VM, you must:
-
Create a network filter on a subnet or a VM network interface.
-
Select the filters to control both inbound and outbound traffic on a network security group attached to the resource that receives the traffic.
For the steps of opening ports in Azure, see Tutorial: Filter network traffic with a network security group using the Azure portal in the Microsoft Azure documentation.
Opening ports in AWS
Amazon virtual environments use security groups that act as a virtual firewall, controlling the traffic for one or more instances. You can add rules to each security group to allow traffic to or from its associated instances.
If your organization has additional requirements that are not met by the Amazon security groups, you can maintain your own firewall on any of your instances instead of using the Amazon system-provided security groups.
If you plan to deploy Active Roles in AWS, make sure that the following ports are open:
For the steps of opening ports on AWS, see Amazon EC2 security groups for Windows instances in Amazon Elastic Compute Cloud User Guide for Windows Instances.
If you have opened all required ports and checked that all prerequisites are met for cloud deployment, configure the Azure virtual machine (VM) or Amazon Elastic Compute Cloud (EC2) instance that will host Active Roles.
To configure an Azure VM for Active Roles
-
Log in to the Azure Portal with the appropriate credentials.
-
Navigate to Azure Marketplace.
-
In the Azure Marketplace, search the One Identity Active Roles offer.
-
Select the marketplace image for deployment.
-
Create the Azure VM by following the on-screen instructions. For more information, see Quickstart: Create a Windows virtual machine in the Azure portal in the Microsoft Azure documentation.
-
After your VM is created and running, join it to your domain. For more information, see Join a Computer to a Domain in the Microsoft Windows Server documentation.
-
Continue the configuration of Active Roles in the VM as described in the Deploying the Administration Service and later sections.
To configure an EC2 instance on AWS
NOTE: Amazon Marketplace does not offer AWS EC2 instances preinstalled with Active Roles. You must deploy the EC2 instances first, then install and configure Active Roles manually on them.
-
Log in to the AWS Console with the appropriate credentials.
-
Navigate to AWS Marketplace.
-
In the AWS Marketplace, search the One Identity Active Roles offer.
-
Select the marketplace image for deployment:
-
Launch an AWS EC2 instance.
NOTE: As a minimum recommended configuration, One Identity recommends using an m3.xlarge instance.
-
Once your EC2 instance is created and running, join it to your domain. For more information, see Manually join a Windows instance in the AWS Directory Service documentation.
-
Continue the configuration of Active Roles in the EC2 instance as described in the Deploying the Administration Service and later sections.
This section describes how to deploy Active Roles in a Microsoft Azure Infrastructure environment. After you complete these steps, you have the following services deployed in Microsoft Azure using Microsoft Azure Virtual Machines (VMs):
-
A supported version of SQL Server to host the Active Roles databases.
For the list of SQL Server versions supported by Active Roles, see System requirements in the Active Roles Release Notes.
-
Active Roles Administration Service
-
Active Roles Web Interface
If you deploy Active Roles in the Azure cloud, you must also deploy an SQL Server instance in an Azure virtual machine (VM), so that you can host the Active Roles databases.
For the list of SQL Server versions supported by Active Roles, see System requirements in the Active Roles Release Notes.
To deploy SQL Server on an Azure VM
-
Create a VM based on an SQL Server image published in Windows Azure.
When creating the VM, on the Virtual machine configuration page, select the Create a new cloud service option and choose the Virtual Network used by your replica domain controller in Windows Azure.
For more information on how to deploy an SQL Server in Microsoft Azure, see Create SQL Server on a Windows virtual machine in the Azure portal in the Microsoft Azure documentation.
-
Join the SQL Server VM to your Active Directory domain.
-
Using SQL Server Management Studio, grant the sysadmin fixed server role to the domain user account that will be used as the service account for the Active Roles Administration Service.
-
Configure Windows Firewall to allow connections to TCP port 1433 from computers in your virtual network.
NOTE: As SQL Server will be accessed from within the virtual network, you do not need to create public endpoints in Windows Azure.
