
Does anybody have good experience setting up ADM on Azure? Have 2 ADCs working in Azure but cannot get ADM service to integrate.


Philip Lavers


Hello Carl, thanks for the reply. Have deployed Agent/MAsS to On Premises, have also integrated Built in Agent on MPX/SDX to ADM Service, but do not understand the requirements to integrate ADCs in Azure. Seems like you need to install an ADM Service agent into Azure along with NSG etc. to allow 443 traffic out. But the service agent fails to connect to ADM service after giving the service URL and Activation key. The other option is a Custom Deployment in ADM that simply spins.

To build in Azure do you need to set up and register an AAD user and an Application, and install the Service Agent via ARM template?

Just no documentation on this process.


I suspected that and we did a trace on the Firewall but they did not pick up anything, but we did not ask if they are inspecting the traffic. I am also not convinced that the UDR routing to the Firewall is correct from my ADC Management vNet. Will go back a step, redeploy the Service Agent, and redo the NSGs, firewall and routing. Can you confirm that I do not need an AAD user account? I have Global Admin in the Subscription. Thank you.


Hi, we rebuilt the image and got the Firewall team to allow "Any" from the Agent IP, but deployment still fails.

First thing is to run the deployment process where you enter the Service URL as per the Agent Activation process on ADM Service. [screenshot] Check the real service URL and it is open. [screenshots] Run a Diag and same issue.

[screenshot] Question is: why enter the service URL "carmel.agent.adm.cloud.com" but it fails with a different URL "carmel.adm.cloud.com" on both the deployment and diag tasks? This Service Agent has me done!


2 weeks later...

Thank you for the help. Apologies for late response, was on leave for a couple days.

After the Azure ARM Template build, we are trying to use the "deployment_type.py" utility to register the service agent with ADM, and it will not connect.

[screenshot]

If we run the diagnostic tool, we get the following error:

[screenshot]

The service agent IP is an internal IP with an ANY rule via 443 to the Internet through a firewall.

Hope the screenshots are clearer. Thanks


Hello, we did do this and ran a number of curl commands and the ports seem open. The only possible doubt is the AWS Backup URL.

 


 

I am beginning to think that the issue may lie on the ADM Portal. We did have 2 VPXs in a private DC and we were able to manually configure the built-in agent to connect to ADM. This worked fine as a test. They were on IPs 10.10.24.140 and 10.10.24.180. We have since decommissioned these 2 VPXs and built new ones in Azure using an ARM template. The 2 new devices are licensed via the host file method.

 

Maybe, just maybe, the old VPXs are blocking the new VPXs, as we cannot delete the old ones.


 

Second, maybe before we understood that we needed a "Service Agent" and could not use the "Built In Agent", we did enable the "ADM Service Connect".

 


 

And I see these 2 VPX devices listed in ADM under “Asset Inventory”


 

We are unable to delete these 2 devices out of ADM, and unable to untick the Service Connect option on the ADCs.

 

I trust email is a better way to communicate, but happy to respond via the forum?

Thank you for the help. It is much appreciated.

 


Hi,

The goal is to use the ADM features.

The problem is that the Service Agent will not register in ADM – hence the problem is onboarding an ADM Agent in ADM Cloud.

 

Hope that helps

 

 

 


Yes, exactly that. We tried with this option and without and there is no difference.

 


Been there, done that. It’s why I reached out to this forum. Will log another ticket and push it to be escalated.

Thank you for the help.

 


Works fine for me. I did the first deploy World Wide. Been running it since 2019.

You cannot install ADM in Azure, but NetScalers in Azure can report to Citrix ADM directly or using ADM Agents (ADM installed on-prem or ADM as a Service).

Or you can hack it to work in Azure but it is not supported to install the ADM Appliance in Azure.


Hello, so I am learning this the hard way, and I must say the documentation is really confusing.

Firstly, we have ADM Cloud Service, so simply trying to connect to that. On-premises is no longer an option as we migrated everything to Azure.

 

I understand the following basic rules:

For on-prem MPX, SDX and VPX you can use the built-in agent – no need for Agents (but if you don't have an ADM Service in the cloud then you deploy the agents and the on-prem ADM version) – I think I got that right!

Cloud VPX version needs to be 13.0 Build 46+ and you have to use a Service Agent to talk to ADM Service in cloud.

 

What I am still figuring out, on the ADCs in Azure, are these 2 options:

 

1. Citrix ADM Service Connect or Configure ADM Parameters – can be Enabled,

2. Configure Cloud Parameters (Controller FQDN, Controller Port etc) along with a cloud profile.

 

Are these redundant or legacy and not used for Cloud, or perhaps used for different scenarios?

 

I think with all the name changes, version changes, new three-letter acronyms etc. – if you do not know the history of ADC, heaven help you! All I need is for this Azure Service Agent to connect to ADM Service and register my 2 ADCs, so that I can build out 2 API Gateways for some fairly complex integration with a 3rd-party service provider.

 

Clearly I have a lot of catch-up learning to do, and maybe I simply build what I need on ADC, but I like the look of the Security Insights.

 

Thank you for your interest, and hopefully I can push this and learn something that I can share on this forum for others.

 


Hi Philip, I have personally never configured the "cloud profile".

The internal ADM Service agent replaces the need to have a dedicated ADM Agent running. But top of mind, there are some things that you cannot do, and I think it is analytics. There you need the ADM Agent.

You should deploy the ADM Service Agent via the Marketplace in Azure and follow the onboarding guide.

In Azure you deploy:

Citrix ADM Service Agent 13.1

In ADM Service (for me: https://carmel.adm.cloud.com/) you click Infrastructure -> Instances -> Agents -> Set up agent button in the top right corner, and follow the guide.

On your instances (VPX, CPX, BLX), when onboarding, set up the instance with the agent you just enrolled.

It should not be that frustrating, so either there is a problem or you are doing something wrong :-(


2 weeks later...

We found the problem, and you guys that helped were correct. Firewall configuration was in fact wrong. If it helps somebody else, the list of URLs to be whitelisted on a firewall includes these, and we had to register the associated IPs:

Download.citrixnetworkapi.net: 34.202.177.254, 107.20.215.104, 52.200.108.121

Agent.adm.cloud.com: 54.165.90.194, 52.72.132.100, 34.200.175.42

adm-prod-backup-.*.s3..*amazonaws.com (nslookup s3.amazonaws.com): 52.217.84.238, 52.217.47.158, 52.216.105.245, 52.217.65.246, 52.217.46.46, 52.217.105.174, 52.217.135.208, 54.231.171.32

Lessons learnt, and a month of troubleshooting. Thanks again to Carl and Morten who in fact diagnosed the problem correctly.

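A small helper for the two checks this thread turned on, added here as an example and not code from the original thread or from Citrix: it normalises the allowlist entries from the post above into anchored patterns so you can see which hostnames each entry covers (the subdomain rule and the anchoring are my assumptions about how the entries are meant to be read, not any firewall vendor's semantics), and it probes an endpoint over 443 from the agent VM so that DNS, NSG/UDR/firewall and TLS-inspection failures can be told apart.

```python
import re
import socket
import ssl

# Allowlist entries exactly as listed in the resolving post above.
ALLOWLIST_ENTRIES = ["Download.citrixnetworkapi.net", "Agent.adm.cloud.com",
                     "adm-prod-backup-.*.s3..*amazonaws.com"]


def entry_to_regex(entry: str) -> re.Pattern:
    """Anchored, case-insensitive regex for one entry (assumed semantics:
    a plain hostname covers itself and its subdomains; in an entry that
    contains '.*' every other '.' is a literal dot; anchoring both ends
    stops a match spilling into a longer, unrelated hostname)."""
    if ".*" in entry:
        body = ".*".join(re.escape(part) for part in entry.split(".*"))
    else:
        body = r"(?:.*\.)?" + re.escape(entry)
    return re.compile("^" + body + "$", re.IGNORECASE)


ALLOWLIST = [(entry, entry_to_regex(entry)) for entry in ALLOWLIST_ENTRIES]


def matching_entry(hostname: str):
    """Return the allowlist entry that covers hostname, or None."""
    for entry, pattern in ALLOWLIST:
        if pattern.match(hostname.rstrip(".")):
            return entry
    return None


def probe_tls(hostname: str, port: int = 443, timeout: float = 5.0) -> str:
    """Resolve, TCP-connect and TLS-handshake from this VM; returns 'ok' or a
    reason, so DNS, NSG/UDR/firewall drops and TLS inspection (certificate
    replaced in transit) can be told apart."""
    try:
        addr = socket.gethostbyname(hostname)
    except socket.gaierror as exc:
        return f"dns-failed: {exc}"
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((addr, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return "ok" if tls.version() else "tls-failed"
    except socket.timeout:
        return f"tcp-timeout: {addr}:{port} (NSG, UDR or firewall drop?)"
    except ssl.SSLCertVerificationError as exc:
        return f"cert-verify-failed: {exc.reason} (TLS inspection?)"
    except OSError as exc:
        return f"connect-failed: {exc}"
```

Run `probe_tls` for each hostname the agent's diag reports, and compare with `matching_entry` to see whether the failing name is even covered by the allowlist (the tenant URL carmel.adm.cloud.com, for instance, is not a subdomain of Agent.adm.cloud.com).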

Hello @Philip Lavers, we have automated the process of ADM-agent provisioning on Azure using Terraform scripts.

You can find the scripts at https://github.com/citrix/terraform-cloud-scripts/tree/master/azure/deployments

NOTE: The scripts will automatically register the ADM-agent to the ADM Service.

I am happy to help you if you have more questions.
