Skip to content

Deploying Cloud Access Manager with Azure Cloud Shell

The following section outlines how to deploy Cloud Access Manager using the Azure Cloud Shell within the Azure portal.

Cloud Shell Storage Requirement

Azure Cloud Shell requires an Azure file share to persist files, for more information on this, see Cloud Shell Storage.

AADDS Support

Azure Active Directory Domain Services [AADDS] are not supported for Cloud Access Manager deployments.

Assigning a Certificate to the Cloud Access Connector

When you install the Cloud Access Connector you will receive a default certificate that will expire after 1 year. Teradici strongly recommends assigning a certificate to the application gateway within the Microsoft Azure portal. This will prevent a security certificate error from occuring when you HTTPS to Cloud Access Manager. For information on how to do this, see Assigning a Certificate to the Application Gateway.

Mozilla Firefox Issue

If you are using Mozilla Firefox as your browser the multi-line copy-and-paste function does not work with Azure Cloud Shell. The lines in the script appear backwards after you paste them. Ensure that you copy each line individually to paste the script correctly.

Cloud Access Software 19.05 - PCoIP Agent update

Teradici are removing older versions of the PCoIP Agents. As a result of this you may not be able to deploy remote workstations to a Cloud Access Connector for Azure if you have Cloud Access Connectors created prior to May 14, 2019.

The following knowledge base article details how to update previously installed Cloud Access Connectors for Azure with these new locations, see here.

If you do not run this update then you will be unable to deploy remote workstations to a Cloud Access Connector.

  1. Go to the Azure Portal and select the account you want to access.
  2. Click the cloud shell icon from the top panel to open a PowerShell instance. cloud shell
  3. Ensure that you select PowerShell as your environment by clicking the icon in the cloud shell window Cloud Shell Instance
  4. If you are using basic settings and select a subscription, a Resource Group, Storage Account and File Share will be created in the supported region that is closest to you. For more information on these resource groups, see Cloud Shell Resource Groups.
  5. Run the following script:

    cd $HOME
    Invoke-WebRequest -UseBasicParsing ` `
        -OutFile Deploy-CAM.ps1

    Displaying the State of Existing Remote Workstations

    You can view and sort the state of the resources you have within your deployment by passing specific parameters within your PowerShell instance. To enable the broker to retrieve and display the agent state for unmanaged and managed remote workstations run the following command:

    \Deploy-CAM.ps1 -retrieveAgentState $true -showAgentState $true
    The available agent states are:

    • In Session
    • Ready
    • Starting
    • Stopping
    • Stopped
    • Unknown
  6. If there is an existing Cloud Access Manager deployment in the subscription enter the group number listed under the ResourceGroupName heading, otherwise select enter to create a new deployment. Alt Text

  7. Please ensure that you read and accept the terms of the Teradici Cloud Access Software End User License Agreement and Privacy Policy.
  8. Select No if you do not want to connect to an existing domain. For information on the deployment parameters required when creating a new domain, see Deployment Parameters with a New Active Directory Domain Controller.

    Cloud Access Manager User Group

    If you are connecting to an existing domain with more than 1000 users in its directory it is recommended that you create a Cloud Access Manager User Group in the key vault in Azure after deployment. This will help you to manage and control the users in the domain. For more information on creating this user group, see Creating and Modifying the Cloud Access Manager User Group in the Keyvault with Azure within the System Configuration section.

  9. Select an existing root resource group of your new deployment or create a new resource group by entering a new resource group name.

  10. Available Azure regions will be listed. Select a region from one of the listed options and enter it into the Location field.
  11. You will be asked if you want to enable external network access for your Cloud Access Manager deployment: Alt Text If you want to create an internal connection service that only allows access to remote workstations from within your internal network, select no. For more information on the available connection service types that can be configured for Cloud Access Manager, see Cloud Access Connector.
  12. Enter the fully qualified domain name (FQDN) and ensure it finishes in .something (e.g, .com, .local, etc)
  13. If you are creating a new domain enter the new domain administrator credentials, or if you are connecting to an existing domain enter the service account credentials. For more information on connecting to an existing domain, see Deploying Cloud Access Manager with an Existing Domain with Azure Cloud Shell.
  14. You will be asked to enter the Distinguished Name of the user group you want to use to log into the Cloud Access Manager management interface. If you do not specify a user group then the Domain Admins group will be used as the default.
  15. You will be asked if you want to enable PCoIP session Multi-Factor Authentication using a RADIUS Server. If you select yes you will be requested to provide your servers Hostname, Listening port and shared secret, as outlined below: Alt Text For more information on RADIUS MFA instructions and RADIUS server settings, see Cloud Access Manager Multi-Factor Authentication.
  16. Enter your Cloud Access registration code that you received from Teradici. Your Cloud Access registration code will look similar to this: YUOIFUSD32@AB33-H372-D78E-78XX

Service Principal Creation

The Cloud Access Manager deployment script will generate a service principal for you by default. Teradici recommends allowing Cloud Access Manager to create a service principal. This service principal will have the minimum rights required to enable Cloud Access Manager to operate. You should only provide your own service principal if you have access rights restrictions with the Azure Admin account being used to deploy Cloud Access Manager. In order to provide a service principal to the deployment script, pass the service principal information as a parameter to the Deploy-CAM.ps1 script, for example:

$spCred = Get-Credential
.\Deploy-CAM.ps1 -spCredential $spCred

Azure Cloud Shell

The Azure Cloud Shell will disconnect after 20 minutes of inactivity. This is expected behavior. Once the deployment has begun, Azure will handle processing the deployment and the Azure Cloud Shell is no longer needed.

The Cloud Access Manager Role

If you are attempting to re-deploy Cloud Access Manager following a failed deployment, you must ensure that the Cloud Access Manager role has been deleted from each of the three resource groups created in the first deployment. This can be done from within the Azure portal through the Access Control (IAM) tab of each group.

For information on the resource groups that are being created by the Cloud Access Manager service within the Azure portal, see Azure Resource Groups.

To check if the deployment has been successful, check that all resources within the resource groups in your deployment have succeeded and have been created without error. Successful Deployment You can now connect to the Management Interface and use Cloud Access Manager, see Signing into the Cloud Access Manager Management Interface.

Alternatively, the prompts can be skipped by providing required parameters directly. Run the deployment script outlined above, and then run the following command:

$domainCredentials = Get-Credential
$secureRegistrationCode = ConvertTo-SecureString <Registration-Code> -AsPlainText -Force
.\Deploy-CAM.ps1 `
    -domainAdminCredential $domainCredentials `
    -domainName <Domain-Name> `
    -registrationCode $secureRegistrationCode `
    -ResourceGroupName <Resource-Group-Name> `
    -location <Location-Code>

If you wish to provide your own Service Principal credentials using this method, the additional parameter -spCredential $spCredential is required where $spCredential is set by:

$spCredential = New-Object -TypeName PSCredential -ArgumentList <Service-Principal-Client-ID>, `
    (ConvertTo-SecureString <Service-Principal-Client-Secret> -AsPlainText -Force)