Extended Guide
SCEPman Enterprise Edition only
This guide walks you through all steps to deploy SCEPman for an enterprise-grade environment with advanced requirements, e.g. naming conventions, redundancy or auto-scaling.

Azure Deployment

Let's start with the requirements and a resource overview. Keep in mind that you need to plan a suitable Azure resource design before deploying.

Checklist: Prerequisites

  • Azure resource naming convention
  • Azure subscription
  • Azure owner rights (at least on Resource Group level)
  • Azure AD "Global administrator" (Consent to access Graph API)
  • Public Domain CNAME (scepman.yourdomain.com)
  • SSL (Wildcard-) Certificate (or use App Service Managed Certificate)
  • SCEPman Enterprise Edition License Key

Overview Azure Resource

All of these resources are recommended for a production environment.

  • App Service(s): A virtual Azure environment that runs the SCEPman Core and Cert Master applications and provides a UI to configure application-specific settings such as the CNAME, the SSL certificate and the App Settings.
  • App Service Plan: A virtual set of compute resources and configurations for the App Service(s). Here you configure the pricing tier and resource scaling.
  • Key Vault: Tool to securely store secrets and certificates. The SCEPman application will generate and save the root certificate in your Key Vault.
  • Application Insights: Application Performance Management (APM) tool to get insights into the SCEPman applications and requests. Needed to measure performance and useful for service optimization.
  • Storage account: Storage platform used by SCEPman's Cert Master component to store certain attributes of the manually issued TLS server certificates for revocation purposes. Optional: storage platform to upload the SCEPman artifacts and save log files. The App Service will load the artifacts from a public blob store URI and save all application and web server logs in a blob container.
  • Log Analytics workspace: A centralized, cloud-based log storage. The App Service will save all platform logs and metrics into this workspace.

Configuration Steps

Step 1: Deploy SCEPman Base Services

This is a mandatory step.
To start with the deployment, you need to follow our Setup instruction:

Step 2: Perform Post-Deployment Steps (Permission Assignments)

This is a mandatory step.
To properly link all components of SCEPman 2.X, several permissions need to be assigned. Please follow these steps to establish the relevant connections:

Step 3: Create Root certificate

This is a mandatory step.
After the deployment and permission assignment are complete, you need to create the root certificate for SCEPman:

Step 4: Configure a Custom Domain and SSL Certificate

This is a recommended step. However, skip this step if you are implementing geo-redundancy / high-availability.
To have your SCEPman available under your specific domain you need to create a Custom Domain in the App Service.

Step 5: Deploy Storage Account and change Artifacts

This is an optional step.
The next step is to configure the Storage account and change the Artifact location in your App Service. This is only relevant if you would like to have full control over the update cycle of SCEPman.

Step 6: Configure Log Collection

This is a recommended step.
You can configure two different logging parts in your App Service to retain your log data. The first part is the App Service Logs, which save all application and IIS server-based log data. The second part is the Diagnostic settings, which contain platform logs and metrics data.
Use the storage account we created in Step 4 and create two new blob containers. These blob containers can be selected in the App Service Logs instructions. In the Diagnostic settings you can directly choose the storage account, and the blob containers will be created automatically.

Step 7: Deploy Application Insights

This is a recommended step.
Application Insights can be used to get an overview of the App Service performance and deeper insights into SCEPman's request processing. We recommend always configuring Application Insights to monitor, maintain and optimize the App Service.

Step 8: Configure Health Check

This is a recommended step.
You can configure a Health Check for the App Service to get direct notifications in case SCEPman stops working.

Step 9: Configure Autoscaling

This is an optional step.
The SCEPman solution has two different tasks with different performance requirements. The first task is certificate issuance: after configuring SCEPman we need to deploy certificates to all devices (user and/or device certificates). This is a one-time task; after the initial deployment it only happens when a new device is enrolled or certificates need to be renewed. In those situations, SCEPman will face a peak of SCEP requests. The second task is certificate validation: once certificates are deployed to devices, they need to be validated each time they are used. For every certificate-based authentication the clients, gateways, or RADIUS system (depending on what you use) will send an OCSP request to the SCEPman App Service. This causes a permanent request load on the App Service.
To achieve optimized performance while keeping costs under control, we recommend setting up the Autoscaling functionality of the App Service. With this feature your application can scale out and scale in based on metrics.
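As an added illustration (not part of the SCEPman documentation or the project's own templates), the following ARM template resource defines such an autoscale setting on the App Service Plan: two instances are kept for the permanent OCSP load, one instance is added when average CPU exceeds 70% over five minutes (an enrollment peak), and one is removed again only after CPU has stayed below 30% for ten minutes with a longer cooldown, so instances are not removed while a peak is still building. The subscription ID, resource group and plan name are placeholders to be replaced with your own values.

```json
{
  "type": "Microsoft.Insights/autoscalesettings",
  "apiVersion": "2015-04-01",
  "name": "scepman-autoscale",
  "location": "westeurope",
  "properties": {
    "enabled": true,
    "targetResourceUri": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Web/serverfarms/<APP-SERVICE-PLAN>",
    "profiles": [
      {
        "name": "scepman-cpu-profile",
        "capacity": { "minimum": "2", "maximum": "5", "default": "2" },
        "rules": [
          {
            "metricTrigger": {
              "metricName": "CpuPercentage",
              "metricResourceUri": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Web/serverfarms/<APP-SERVICE-PLAN>",
              "timeGrain": "PT1M",
              "statistic": "Average",
              "timeWindow": "PT5M",
              "timeAggregation": "Average",
              "operator": "GreaterThan",
              "threshold": 70
            },
            "scaleAction": { "direction": "Increase", "type": "ChangeCount", "value": "1", "cooldown": "PT5M" }
          },
          {
            "metricTrigger": {
              "metricName": "CpuPercentage",
              "metricResourceUri": "/subscriptions/<SUBSCRIPTION-ID>/resourceGroups/<RESOURCE-GROUP>/providers/Microsoft.Web/serverfarms/<APP-SERVICE-PLAN>",
              "timeGrain": "PT1M",
              "statistic": "Average",
              "timeWindow": "PT10M",
              "timeAggregation": "Average",
              "operator": "LessThan",
              "threshold": 30
            },
            "scaleAction": { "direction": "Decrease", "type": "ChangeCount", "value": "1", "cooldown": "PT10M" }
          }
        ]
      }
    ]
  }
}
```

The minimum of two instances also gives the OCSP responder a second instance to fall back on if one is recycled, which matters because a failed OCSP response can block certificate-based authentication.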

Step 10: Configure Geo-Redundancy

This is an optional step.

Step 11: Configure your MDM Deployment Profiles

This is a mandatory step.
With the completion of the above steps, we have a working SCEPman implementation and can now deploy certificates to the devices.
Please use one (or more) of the following articles, to deploy certificates with your preferred MDM solution:

Step 12: Issue TLS Server Certificates or sign CSRs using Cert Master

This is an optional step.
Please follow the link below to learn how to issue TLS server certificates based on a list of FQDNs or sign any CSR using the Cert Master component.