Enterprise Guide

This will guide you through all steps to get a recommended Enterprise (SCEPman EE) production environment.

If you want to deploy:

  • a trial environment, please follow the Trial Guide

  • a community edition environment (SCEPman CE), please follow the Community Guide

Azure Deployment

Let's start with the requirements and a resource overview. Keep in mind that you need to plan a useful Azure resource design.

Checklist pre-requirements

  • Azure resource naming convention

  • Azure subscription

  • Azure contributor rights (at least on Resource Group level)

  • Azure AD "Global administrator" (Consent to access Graph API)

  • Public Domain CNAME (scepman.yourdomain.com)

  • SSL (Wildcard-)Certificate (or use App Service Managed Certificate)

Overview of Azure Resources

All these resources are recommended for a production environment.

  • App Service: Runs the SCEPman application and provides a UI to configure application-specific settings such as the CNAME, the SSL certificate and the App Settings.

  • App Service Plan: A virtual set of compute resources and configurations for the App Service. Here you configure the pricing tier and resource scaling.

  • Key Vault: Securely stores secrets and certificates. The SCEPman application will generate the root certificate and save it in your Key Vault.

  • Application Insights: Application Performance Management (APM) tool that gives insights into the SCEPman application and its requests. Needed to measure performance and useful for service optimization.

  • Storage account: Storage platform to upload the SCEPman artifacts and to save log files. The App Service will load the artifacts from a public blob store URI and save all application and web server logs in a blob container.

  • Log Analytics workspace: A centralized, cloud-based log store. The App Service will save all platform logs and metrics into this workspace.

Configuration Steps

Step 1: Azure App Registration

Before we can start the resource deployment, we need to create an "Azure App Registration".

Step 2: Deploy SCEPman base services

To start with the deployment, follow our Setup instructions:

Step 3: Configure a Custom Domain and SSL certificate

To have SCEPman available under your own domain, you need to create a Custom Domain in the App Service.

Step 4: Deploy Storage Account and change Artifacts

The next step is to configure the Storage account and change the Artifact location in your App Service.

It goes without saying, but we recommend the production channel.

Step 5: Configure Log collection

You can configure two different logging parts in your App Service to retain your log data. The first part is the App Service Logs, which save all application and IIS server-based log data. The second part is the Diagnostic settings, which contain platform logs and metrics data.

Use the storage account we created in Step 4 and create two new blob containers. These blob containers can be selected in the App Service Logs settings. In the Diagnostic settings you can directly choose the storage account, and the blob containers will be created automatically.
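The following script is an added example and not SCEPman's own tooling: it uses the Azure CLI (az) to carry out Step 4 and Step 5 as described above, creating the storage account with HTTPS and TLS 1.2 enforced, the two private blob containers for the App Service Logs, and a Diagnostic setting that sends the App Service platform logs and metrics to the same storage account. The resource group, region, App Service name, storage account name and subscription id are placeholders; the public artifacts container from Step 4 is deliberately not created here, and the selection of the two containers in the App Service Logs settings is still done as the text describes.

```shell
#!/bin/sh
# Added example (not SCEPman's own tooling): Step 4/5 storage account, private log
# containers and Diagnostic settings for the SCEPman App Service via the Azure CLI.
# All names, the region and the subscription id below are placeholders (assumptions).
set -eu

RG="${RG:-rg-scepman-prod}"              # resource group that holds the SCEPman App Service
LOC="${LOC:-westeurope}"                 # Azure region
APP="${APP:-app-scepman-prod}"           # name of the SCEPman App Service
SA="${SA:-stscepmanprod}"                # storage account name (3-24 lowercase letters/digits)
SUB="${SUB:-00000000-0000-0000-0000-000000000000}"  # placeholder subscription id
LOG_CONTAINERS="app-logs web-logs"       # one container for application logs, one for IIS logs
DRY_RUN="${DRY_RUN:-0}"                  # DRY_RUN=1 prints each az command instead of running it

# run: execute an az command, or print it on one line when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# ARM resource ids of the App Service and the storage account
site_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Web/sites/%s' "$SUB" "$RG" "$APP"
}
storage_id() {
  printf '/subscriptions/%s/resourceGroups/%s/providers/Microsoft.Storage/storageAccounts/%s' "$SUB" "$RG" "$SA"
}

# Step 4/5: storage account with HTTPS-only and a TLS 1.2 minimum, plus two private
# containers for the App Service Logs. Anonymous access to the log containers stays off;
# the artifacts container (Step 4) is a separate, public container and is not created here.
create_storage() {
  run az storage account create --name "$SA" --resource-group "$RG" --location "$LOC" \
    --sku Standard_LRS --kind StorageV2 --https-only true --min-tls-version TLS1_2
  for c in $LOG_CONTAINERS; do
    run az storage container create --name "$c" --account-name "$SA" \
      --auth-mode login --public-access off
  done
}

# Step 5: Diagnostic settings. Azure creates one blob container per log category itself.
enable_platform_logs() {
  run az monitor diagnostic-settings create --name scepman-platform-logs \
    --resource "$(site_id)" --storage-account "$(storage_id)" \
    --logs '[{"category":"AppServiceHTTPLogs","enabled":true},{"category":"AppServiceAppLogs","enabled":true},{"category":"AppServicePlatformLogs","enabled":true},{"category":"AppServiceAuditLogs","enabled":true}]' \
    --metrics '[{"category":"AllMetrics","enabled":true}]'
}

# Usage: sh deploy-logging.sh deploy      (prefix with DRY_RUN=1 to preview the commands)
case "${1:-}" in
  deploy) create_storage; enable_platform_logs ;;
esac
```

Run it once with `DRY_RUN=1` to review the exact commands before they touch the subscription; the log containers are created with public access off on purpose, because log data must never share the public exposure that the artifacts container needs.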

Step 6: Deploy Application Insights

Application Insights can be used to get an overview of the App Service performance and deeper insights into how SCEPman processes requests. We recommend always configuring Application Insights to monitor, maintain and optimize the App Service.

Step 7: Configure Autoscaling

The SCEPman solution has two different tasks with different performance requirements. The first task is the certificate issuance process: after configuring SCEPman we need to deploy certificates to all devices (user and/or device certificates). This is a one-time task; after the initial deployment it only happens when a new device is enrolled or certificates need to be renewed. In those situations SCEPman will face a peak of SCEP requests. The second task is certificate validation: after we have deployed certificates to devices, those certificates need to be validated each time they are used. For every certificate-based authentication the clients, gateways or RADIUS system (depending on what you use) will send an OCSP request to the SCEPman App Service. This causes a permanent request load on the App Service.

To get optimized performance while keeping costs under control, we recommend setting up the Autoscaling functionality of the App Service. With this feature your application can scale out and scale in based on metrics.
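The following script is an added example and not SCEPman's own tooling: it creates an autoscale setting for the App Service Plan with the Azure CLI (az), matching the two load profiles described above. Scale-out reacts to CPU and to the HTTP queue length that a burst of SCEP enrollments produces; scale-in is slower and the minimum instance count is kept above one so the steady OCSP load is always answered. The resource group, plan name, thresholds and instance counts are assumptions to be adjusted to your own measurements from Application Insights.

```shell
#!/bin/sh
# Added example (not SCEPman's own tooling): Step 7 autoscale setting and rules for the
# App Service Plan that hosts SCEPman. Names, thresholds and counts are assumptions.
set -eu

RG="${RG:-rg-scepman-prod}"        # resource group of the App Service Plan
PLAN="${PLAN:-asp-scepman-prod}"   # App Service Plan name (placeholder)
SETTING="scepman-autoscale"        # name of the autoscale setting
MIN_INSTANCES=2                    # never below 2: one instance restarting must not stop OCSP answers
MAX_INSTANCES=5                    # upper cost bound during enrollment peaks
DRY_RUN="${DRY_RUN:-0}"            # DRY_RUN=1 prints each az command instead of running it

# run: execute an az command, or print it on one line when DRY_RUN=1
run() {
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# Create the autoscale setting on the plan (App Service Plans have the resource type
# Microsoft.Web/serverfarms) with the instance bounds and the default instance count.
create_autoscale() {
  run az monitor autoscale create --resource-group "$RG" --name "$SETTING" \
    --resource "$PLAN" --resource-type Microsoft.Web/serverfarms \
    --min-count "$MIN_INSTANCES" --max-count "$MAX_INSTANCES" --count "$MIN_INSTANCES"
}

# Rules: scale out quickly on CPU or request-queue pressure (SCEP enrollment peaks),
# scale in only after a longer quiet window (permanent OCSP load).
# Condition syntax: "<metric> <operator> <threshold> <aggregation> <window>".
add_rules() {
  run az monitor autoscale rule create --resource-group "$RG" --autoscale-name "$SETTING" \
    --scale out 1 --condition "CpuPercentage > 70 avg 5m" --cooldown 5
  run az monitor autoscale rule create --resource-group "$RG" --autoscale-name "$SETTING" \
    --scale out 1 --condition "HttpQueueLength > 100 avg 5m" --cooldown 5
  run az monitor autoscale rule create --resource-group "$RG" --autoscale-name "$SETTING" \
    --scale in 1 --condition "CpuPercentage < 25 avg 15m" --cooldown 15
}

# Usage: sh deploy-autoscale.sh deploy    (prefix with DRY_RUN=1 to preview the commands)
case "${1:-}" in
  deploy) create_autoscale; add_rules ;;
esac
```

The asymmetric cooldowns are the point of the design: adding capacity during an enrollment wave is cheap and quick to undo, while removing capacity too eagerly slows OCSP responses for every authentication that follows.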

Step 8: Configure Geo-redundancy (Optional)