Setting up a highly available SquaredUp webfarm


Hello Everyone,

Today I’m going to talk about how to set up the SquaredUp solution in a highly available manner. SquaredUp is a 3rd party product for SCOM which enables you to visualize your monitoring data on a lightweight HTML5 website. I really love working with the product, and it provides an enormous added value to your SCOM setup.

For more info, check out their website at http://www.squaredup.com

The reason I created this blog post is that SquaredUp has bits and pieces of info on their support page on how to configure SquaredUp load balanced, but lacks an overview of how to accomplish this from start to finish. Furthermore, some steps are not described on the website, and I had to contact SquaredUp support to get it to work. The version I installed was 2.1.9.

Here’s a list of components we’ll use for our setup:

  • 2 Windows Server 2012 R2, these will be used as our webservers.
  • 1 Citrix Netscaler for loadbalancing purposes.
  • 1 NFS share on a fileserver cluster, where we will save our dashboard configuration.
  • 1 service account for our application pool identity (which is the only one we’ll be using throughout the whole guide).
  • 1 A record for our load balanced URL.

A simple drawing of what it looks like:

[Figure: Visio drawing of the SquaredUp setup]

How it works:

Web requests are coming in from the loadbalancer via https, the loadbalancer does the SSL offloading and communicates with the SquaredUp web servers via port 80. Both SquaredUp webservers have a domain account as their application pool identity, which is required for single sign on to work, more on SPN’s and constrained delegation later. The webservers have their dashboard configuration stored on the same share, so we always see the same dashboards, regardless of the webserver the loadbalancer redirects us to.
For the share to work, we need to create symbolic links to three folders.

The high level steps of the setup are as follows:

  1. Installing the IIS role on both web servers and creating the IIS website.
  2. Creating the necessary firewall rules.
  3. Running the squaredup setup.
  4. Changing the application pool identity.
  5. Configuring permissions on the SCOM Data Warehouse.
  6. Activating the SquaredUp licenses on both webservers.
  7. Changing the default dashboards location to our network share.
  8. Configure Windows Authentication in IIS
  9. Creating the necessary SPN records
  10. Configuring delegation in Active Directory

1. Installing the IIS role and creating the website

Normally, you can skip this step, but I don’t want SquaredUp to be installed under the default website, so I installed IIS to precreate an IIS website.

  • Open PowerShell on the webserver as administrator and run the following command:
    install-windowsfeature Web-Server,Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Http-Errors,Web-Static-Content,Web-Health,Web-Http-Logging,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Console,Web-Mgmt-Compat,Web-Metabase,NET-Framework-45-ASPNET
  • Create the new SquaredUp website in IIS.
  • Repeat this process for the other webserver as well

2. Install SquaredUp

  • Log on to one of the webservers and open an elevated prompt.
  • Execute the following command (of course, change the EXE name if you have a newer version of SquaredUp). This will install SquaredUp under our precreated IIS website.
    SquaredUpInstaller-2.1.9.218.exe –prop.installroot:"C:\inetpub\SquaredUp" –prop.websitename:"SquaredUp"
  • Go through the installer, it is fairly straightforward.
  • When asked for the management server address, use one of the management server addresses. I use webserver 1 with management server 1 and webserver 2 with management server 2. I tried using a DNS round robin record which refers to both management servers, but with it, I could not get single sign on to work well.
  • Of course, repeat this for the other webserver too.

3. Change the application pool identity

  • Create a user account in AD, domain user rights should be sufficient. This account will be used for our application pool identity
  • Log on to the webservers, and open an elevated command prompt
  • Get the SID of the account by running wmic useraccount where (name='<username>' and domain='<domain>') get sid. Copy the SID.
  • In the prompt, navigate to C:\inetpub\SquaredUp\SquaredUpv2\Tools 
    Execute the command:
    config.exe applypermissions <SID>
  • Open IIS Manager
  • Click Application Pools -> Right Click SquaredUpV2 -> Select Advanced Settings…
  • Click the ... button next to Identity
  • Select Custom Account -> Click Set…
  • Fill in the username and password and click OK

4. Configuring the permissions on the Data Warehouse

  • Open SQL Server Management Studio and connect to the instance where your Data Warehouse is located.
    Create a new login… and assign the service account of the application pool identity.
  • At User Mapping, select your SCOM data warehouse database and give the user OpsMgrReader rights.

5. Activating the SquaredUp licenses on both webservers

Our webservers could not reach the internet, so in this tutorial I had to manually install the licenses.

  • Browse to C:\inetpub\SquaredUp\SquaredUpv2\tools
  • Run Microsoft.Licensing.LicAdmin.exe
  • On the File menu, select Activation Wizard…
  • Select I want to request a license file
  • Enter the activation key
  • Copy to clipboard -> Click Finish
  • Open a browser on your client and go to http://squaredup.com/manual-activation/
    Fill in your email, squaredup key and the activation request from the previous step and an e-mail will be sent with a .txt file
  • Save the attachment from the e-mail and change the rename_me.txt to license.bin
  • Log on to your primary webserver and open the licadmin.exe tool again. Click Open
  • Navigate to the copied .bin file from the email attachment and click Open
  • The license is now installed, repeat this process for the secondary webserver as well.
  • Open IIS Manager again. Navigate to Sites -> SquaredUp -> SquaredUp -> Application Settings.
  • Fill in License-server-name with the FQDN of the primary server.
  • Recycle the application pool on both webservers for the license to work.

6. Add firewall rules

Make sure to allow inbound TCP port 80 on the Windows Firewall. You can easily configure this by running the following PowerShell command on both webservers:

  • New-NetFirewallRule -DisplayName "SquaredUp WebSite" -Direction Inbound -LocalPort 80 -Protocol TCP -Action Allow -Profile "Domain"

Alternatively, you could allow incoming port 80 requests only from the load balancer IPs; that is up to you to decide.
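The load-balancer-only variant, as an added example that is not part of the original post: it scopes the rule to the load balancer's source addresses and then lists every other enabled allow rule that still opens port 80, because Windows Firewall allow rules are additive and a broader rule would undo the restriction. The IP addresses and the rule name are constructed placeholders.

```powershell
# Added example. Addresses and rule name are placeholders, not values from the post.
$LoadBalancerIPs = @('192.0.2.10', '192.0.2.11')   # constructed: load balancer source IPs
$RuleName        = 'SquaredUp WebSite (load balancer only)'

# Create the scoped rule once; on later runs only re-apply the address list.
if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
        -LocalPort 80 -RemoteAddress $LoadBalancerIPs -Action Allow -Profile Domain |
        Out-Null
} else {
    Set-NetFirewallRule -DisplayName $RuleName -RemoteAddress $LoadBalancerIPs
}

# Report every enabled inbound allow rule that covers TCP 80 and where it accepts from.
# (Port ranges such as 80-90 are not expanded by this simple check.)
$report = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $coversPort = ($port.LocalPort -contains '80') -or ($port.LocalPort -eq 'Any')
        if ($port.Protocol -in 'TCP', 'Any' -and $coversPort) {
            $addr = $_ | Get-NetFirewallAddressFilter
            [pscustomobject]@{
                Rule          = $_.DisplayName
                LocalPort     = $port.LocalPort -join ','
                RemoteAddress = $addr.RemoteAddress -join ','
            }
        }
    }
$report | Format-Table -AutoSize

# Any rule that accepts from 'Any' still exposes plain HTTP to the whole network.
$report | Where-Object { $_.RemoteAddress -eq 'Any' } | ForEach-Object {
    Write-Warning "Port 80 is still open to any source through rule '$($_.Rule)'"
}
```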


7. Change the dashboard configuration location to a network share

  • Create a share, preferably clustered, and give the application pool identity user account full permissions on this share.
  • Log on to the webserver.
  • Navigate to C:\inetpub\SquaredUp\SquaredUpv2
  • Move the folders Configuration, UserContentStorage and Userprofiles to your share.
  • Open an elevated prompt and create the symbolic links as follows:
    mklink /D "C:\inetpub\SquaredUp\SquaredUpv2\Configuration" \\<share>\Configuration
    mklink /D "C:\inetpub\SquaredUp\SquaredUpv2\UserContentStorage" \\<share>\UserContentStorage
    mklink /D "C:\inetpub\SquaredUp\SquaredUpv2\UserProfiles" \\<share>\UserProfiles
  • Repeat this for the other webserver as well.

8. Configure Windows Authentication in IIS

  • Open IIS manager on the first webserver
  • In the left pane : select the Website where Squared Up is installed and select the Squared Up application
  • Click Authentication in the right hand pane
  • Disable all authentication methods except Windows Authentication
  • Right Click Windows Authentication and choose Advanced Settings
  • Turn off Extended Protection and enable kernel-mode authentication. Ensure Negotiate is listed above NTLM
  • Go to Sites -> SquaredUp -> Click the Configuration Editor
  • Fill in section: system.webServer/security/authentication/windowsAuthentication
  • Set UseAppPoolCredentials to true
  • On the right hand side click Apply
  • Open an elevated command prompt, run c:\inetpub\wwwroot\squaredupv2\tools\config.exe windows
  • Repeat this for the other web server as well

9. Create SPN Records

  • Open an elevated command prompt on a webserver (can be any domain joined server really), this requires domain admin rights.
  • run the following commands:
    setspn -s HTTP/<NETBIOSNAMEWEBSERVER1> <SERVICEACCOUNTAPPLICATIONPOOL>
    setspn -s HTTP/<NETBIOSNAMEWEBSERVER2> <SERVICEACCOUNTAPPLICATIONPOOL>
    setspn -s HTTP/<FQDNWEBSERVER1> <SERVICEACCOUNTAPPLICATIONPOOL>
    setspn -s HTTP/<FQDNWEBSERVER2> <SERVICEACCOUNTAPPLICATIONPOOL>
    setspn -s HTTP/<LOADBALANCEDURL>:443 <SERVICEACCOUNTAPPLICATIONPOOL>
    Examples to clarify:
    setspn -s HTTP/webserver1.contoso.local contoso\squaredup_webaccount
    setspn -s HTTP/webserver2.contoso.local contoso\squaredup_webaccount
    setspn -s HTTP/webserver1 contoso\squaredup_webaccount
    setspn -s HTTP/webserver2 contoso\squaredup_webaccount
    setspn -s HTTP/squaredup.contoso.com:443 contoso\squaredup_webaccount

10. Configure delegation in Active Directory Users and Computers

  • Open Active Directory Users And Computers
  • Search for our application pool user account, right click it and open the Properties. Click the Delegation tab.
  • Click Trust this user for delegation for specified services only, and click Add.
    Select the MSOMSdkSvc service type, it should have the management server names next to them. Add all SCOM Management servers that the SquaredUp webservice will connect to (as described in step 2, during the installation of SquaredUp). It should look something like this:
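A check for steps 9 and 10, as an added example that is not part of the original post: it confirms the SPNs are registered on the application pool account, looks for duplicates, and verifies that delegation is constrained to MSOMSdkSvc only. It assumes the ActiveDirectory PowerShell module is installed and uses the contoso example names from step 9.

```powershell
# Added example, not from the original post. Needs the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$Account      = 'squaredup_webaccount'   # example account name used in step 9
$ExpectedSpns = @(
    'HTTP/webserver1', 'HTTP/webserver2',
    'HTTP/webserver1.contoso.local', 'HTTP/webserver2.contoso.local',
    'HTTP/squaredup.contoso.com:443'
)

$user = Get-ADUser -Identity $Account -Properties ServicePrincipalNames,
    'msDS-AllowedToDelegateTo', TrustedForDelegation, TrustedToAuthForDelegation

# 1. Every SPN from step 9 must be registered on the application pool account.
$ExpectedSpns | Where-Object { $user.ServicePrincipalNames -notcontains $_ } |
    ForEach-Object { Write-Warning "SPN missing on ${Account}: $_" }

# 2. An SPN held by more than one account breaks Kerberos for that name.
#    (This search covers the current domain only.)
foreach ($spn in $ExpectedSpns) {
    $owners = @(Get-ADObject -Filter "servicePrincipalName -eq '$spn'" `
        -Properties sAMAccountName)
    if ($owners.Count -gt 1) {
        Write-Warning "Duplicate SPN $spn on: $($owners.sAMAccountName -join ', ')"
    }
}

# 3. Delegation must stay constrained to the SCOM SDK service from step 10.
if ($user.TrustedForDelegation) {
    Write-Warning "$Account is trusted for delegation to any service (unconstrained)"
}
$targets = @($user.'msDS-AllowedToDelegateTo' | Where-Object { $_ })
if (-not $targets) { Write-Warning "$Account has no delegation targets configured" }
$targets | Where-Object { $_ -notlike 'MSOMSdkSvc/*' } |
    ForEach-Object { Write-Warning "Unexpected delegation target: $_" }

# Summary of what is currently configured on the account.
[pscustomobject]@{
    Account           = $user.SamAccountName
    RegisteredSpns    = @($user.ServicePrincipalNames) -join '; '
    DelegationTargets = $targets -join '; '
    AnyAuthProtocol   = $user.TrustedToAuthForDelegation
} | Format-List
```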

That should wrap up the installation. The load balancer part is not described as this was not done by myself, but it is fairly straightforward.

Some things to take into consideration when upgrading to a newer version:

  • You will have to recreate the symbolic links, as the installer creates new local directories.
  • You will have to reapply security on the SquaredUp folders, as described in step 3, with the config.exe command.
  • If you are running into a permission issue during the logon, try giving the service accounts rights within SCOM, but this should not be needed.
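Re-creating the links after an upgrade, as an added example that is not part of the original post: it is safe to run repeatedly, leaves existing links alone, and renames any local directory the installer created instead of deleting it. The share path is a hypothetical placeholder; run it elevated on each webserver.

```powershell
# Added example. $ShareRoot is a hypothetical placeholder for the share from step 7.
$AppRoot   = 'C:\inetpub\SquaredUp\SquaredUpv2'
$ShareRoot = '\\fileserver.example\SquaredUp'
$Folders   = 'Configuration', 'UserContentStorage', 'UserProfiles'

foreach ($name in $Folders) {
    $local  = Join-Path $AppRoot $name
    $target = Join-Path $ShareRoot $name

    # Never link to a target that cannot be reached from this server.
    if (-not (Test-Path -LiteralPath $target)) {
        Write-Warning "$target is not reachable; skipping $name"
        continue
    }

    $item = Get-Item -LiteralPath $local -Force -ErrorAction SilentlyContinue
    if ($item -and ($item.Attributes -band [IO.FileAttributes]::ReparsePoint)) {
        Write-Output "OK      $local is already a link"
        continue
    }

    if ($item) {
        # A plain directory here means the installer recreated it locally.
        # Keep it under a new name so its content can be compared with the share.
        $backup = "$name.local-$(Get-Date -Format yyyyMMddHHmmss)"
        Rename-Item -LiteralPath $local -NewName $backup
        Write-Output "MOVED   $local -> $backup"
    }

    cmd /c mklink /D "$local" "$target" | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "mklink failed for $local"
    } else {
        Write-Output "LINKED  $local -> $target"
    }
}
```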

Should you run into some issues, feel free to leave a comment!

Kind regards,

Jasper
