Launching the TrueStack Server

  1. Launch the TrueStack Server instance from the Azure Marketplace using the recommended configuration.
  2. Access the server using a browser after launch:
    • Navigate to http://<Public IP> of the TrueStack Server instance.
    • Follow the on-screen instructions to complete the setup.
    • The server will redirect to https://<Public IP> after obtaining a Let’s Encrypt certificate.

Launch Considerations

Region and Resource Group

  • Ensure the TrueStack Server is launched in the same Resource Group, Region, and Availability Zone as your Windows Domain Controller.
  • If you haven’t already set up your Windows Domain Controller, create a new Resource Group for your deployment.

Instance Size

  • TrueStack operates efficiently on low-resource instances. Most A, B, or D series workload types are supported:
    • A and B-series (Basic): Least expensive but require a Public IP allocation post-launch.
    • D-series (Standard): Includes a Public IP and provides better performance.

Authentication Type

  • Choose SSH public key or password for server access. Save credentials securely for future use.

Networking

  • Attach the TrueStack Server to the appropriate vNet and Subnet matching your deployment needs.

Network Security Group

  • Configure the NSG to allow essential traffic:
    • TCP Ports: 80 and 443 for the web interface.
    • UDP Port: 7473 for VPN connections.

Next Step: see Using TrueStack

Configuring Azure Networking for Use with Windows Domain Controllers

If you are using the TrueStack Server to enable Windows Domain Controller communication with VPN-connected computers, follow these additional steps. These steps are not necessary if the TrueStack Server is used solely as a VPN server for encrypted internet traffic.

Step 1: Ensure the TrueStack Server VM Has a Public (Static) IP

  1. Confirm that your TrueStack Server is assigned a Public (Static) IP address:
    • Standard SKU VMs include a Public IP by default.
    • Basic SKU VMs do not include a Public IP. To allocate one:
      • Stop the TrueStack Server VM.
      • Navigate to the Public IPs section in Azure, allocate a new Public IP, and associate it with the VM.
      • Restart the VM to apply the changes.

Step 2: Create a Route Table for Communication

To enable Windows servers to communicate with VPN-connected computers, create a route to the TrueStack Server subnet (5.6.0.0/16).

  1. Search for Route Tables in the Azure portal.
  2. Create a New Route Table:
    • Place the Route Table in the same Resource Group and Region as the TrueStack Server and Windows servers.
    • Set Propagate gateway routes to Yes.
  3. Configure Routes:
    • Open the newly created Route Table and go to Settings > Routes.
    • Add a new route with the following details:
      • Destination Type: IP Address.
      • Address Prefix: 5.6.0.0/16.
      • Next Hop Type: Virtual Appliance.
      • Next Hop Address: The private IP address of the TrueStack Server (e.g., 10.0.0.5).
  4. Associate the Route Table with a Subnet:
    • Go to Settings > Subnets within the Route Table.
    • Click Associate and select the Virtual Network and the desired Subnet.
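
The effect of this route on the Windows server subnet, as an added example that is not part of the TrueStack documentation: a small model of Azure's route selection (longest prefix first, then user-defined routes ahead of system routes). The VNet range 10.0.0.0/16, the reduced system route list, and the test destinations are assumptions; 5.6.0.0/16 and 10.0.0.5 are the values from the steps above.

```python
import ipaddress

# Constructed effective-route table for the Windows server subnet.
# The VNet range 10.0.0.0/16 is an assumption, and only two of Azure's
# default system routes are modelled.
SYSTEM_ROUTES = [
    {"prefix": "10.0.0.0/16", "source": "Default", "next_hop": "VnetLocal"},
    {"prefix": "0.0.0.0/0", "source": "Default", "next_hop": "Internet"},
]
# The route added in step 3 above.
TRUESTACK_ROUTE = {"prefix": "5.6.0.0/16", "source": "User",
                   "next_hop": "VirtualAppliance 10.0.0.5"}

# On equal prefix length, user-defined routes win over BGP, then system routes.
SOURCE_RANK = {"User": 0, "VirtualNetworkGateway": 1, "Default": 2}


def next_hop(routes, destination):
    """Pick the next hop: longest matching prefix, then source rank."""
    dest = ipaddress.ip_address(destination)
    matches = [r for r in routes if dest in ipaddress.ip_network(r["prefix"])]
    if not matches:
        return None
    best = min(
        matches,
        key=lambda r: (-ipaddress.ip_network(r["prefix"]).prefixlen,
                       SOURCE_RANK[r["source"]]),
    )
    return best["next_hop"]


def compare(destination):
    """Next hop before and after the route table is associated."""
    before = next_hop(SYSTEM_ROUTES, destination)
    after = next_hop(SYSTEM_ROUTES + [TRUESTACK_ROUTE], destination)
    return before, after


if __name__ == "__main__":
    # 5.6.0.10 is a constructed VPN client address inside 5.6.0.0/16.
    for addr in ("5.6.0.10", "10.0.0.4", "203.0.113.7"):
        print(addr, compare(addr))
```

Without the route, replies from a Windows server to a VPN client address follow the default Internet route instead of returning through the TrueStack Server.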

Recommended Security Group Configuration for Azure

We recommend assigning the TrueStack server to its own Network Security Group (NSG) since it functions as a front-facing web server. Refer to the Network Security guidelines for more information. If you need to isolate Windows servers from each other, assign each server to its own NSG. For communication between the TrueStack server and Windows servers, follow these steps:

Note: Azure security rules can take a few minutes to update.

Create a Network Security Group (NSG) for the TrueStack Server

Note: If you deployed the TrueStack server via Azure Marketplace, a default NSG might already be pre-configured with rules for ports 80, 443, and 7473.

  1. Navigate to the Azure Portal and search for Network Security Groups.
  2. Create a new NSG specifically for the TrueStack Server.
  3. Add the following Inbound Security Rules:
    • Rule 1:
      • Source: Any.
      • Source Port ranges: *
      • Destination: Any
      • Service: HTTP
      • Destination Port Ranges: 80 (TCP).
      • Protocol: TCP.
      • Action: Allow.
      • Priority: 100
    • Rule 2:
      • Source: Any.
      • Source Port ranges: *
      • Destination: Any
      • Service: HTTPS
      • Destination Port Ranges: 443 (TCP).
      • Protocol: TCP.
      • Action: Allow.
      • Priority: 101
    • Rule 3:
      • Source: Any.
      • Source Port ranges: *
      • Destination: Any
      • Service: Custom
      • Destination Port Ranges: 7473 (UDP).
      • Protocol: UDP
      • Action: Allow.
      • Priority: 103
  4. Associate the TrueStack server’s Network Interface Card (NIC) with this new NSG.

Configure Network Security Groups for Windows Servers

  1. Navigate to the NSG for each Windows server.
  2. Add an Inbound Security Rule with the following parameters:
    • Source: IP Address
    • Source IP addresses: IP of the TrueStack Server
    • Destination: IP Addresses
    • Destination IP addresses: IP of the Windows server
    • Service: Custom
    • Destination Port Ranges: 8080 (or any port you choose)
    • Protocol: Any
    • Action: Allow.
    • Priority: 100

Move Windows Servers to the Correct NSG

  1. Navigate to the Virtual Machine settings for the Windows server in the Azure portal.
  2. Under Networking, click on Network Settings.
  3. Open the Network Interface linked to the VM.
  4. Under Settings for the Network Interface, select Network Security Group.
  5. Change the association to the correct NSG created for the Windows server.

Firewall Configuration for Multiple Windows Servers in Azure

To isolate individual Windows servers in Azure, create a separate Network Security Group (NSG) for each server. For each NSG, add an inbound security rule that allows traffic from the TrueStack Server, as described above. Since Azure NSG rules are stateful, once an inbound rule allows a connection from the TrueStack server to a Windows server, the return traffic for that connection is allowed automatically.

If isolation between Windows servers is not required, simplify management by placing all Windows servers into a single Network Security Group.

By default, the AllowVnetInbound rule allows communication between all virtual machines (VMs) within the same virtual network. Therefore, Windows servers in different security groups within the same virtual network will be able to communicate with each other.

If server isolation is required between specific Windows servers, you must configure a deny rule. For example, to prevent Windows Server A from accessing Windows Server B, follow these steps:

  1. Navigate to the NSG for Windows Server B.
  2. Add an Inbound Security Rule with the following parameters:
    • Source: IP Address
    • Source IP Addresses: IP address of Windows Server A
    • Destination: IP Addresses
    • Destination IP Addresses: IP address of Windows Server B
    • Service: Custom
    • Destination Port Ranges: * (all ports)
    • Protocol: Any
    • Action: Deny
    • Priority: 101 (Azure evaluates lower numbers first, so 101 places this rule after the priority 100 rule allowing the TrueStack server to access Windows Server B)
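
How the rules on Windows Server B's NSG combine, as an added example that is not part of the TrueStack documentation: a minimal model of inbound NSG evaluation (ascending priority number, first match wins) with and without the deny rule. The VNet range, the Server A and Server B addresses, the rule names, and the use of a CIDR in place of the VirtualNetwork service tag are assumptions; the default AllowAzureLoadBalancerInBound rule is omitted.

```python
import ipaddress

VNET = "10.0.0.0/16"      # assumed VNet range, stands in for the VirtualNetwork tag
TRUESTACK = "10.0.0.5"    # example private IP used in the route step
SERVER_A, SERVER_B = "10.0.1.4", "10.0.1.5"   # constructed addresses

# (priority, name, source, destination, destination port or None for any, action)
ALLOW_TRUESTACK = (100, "AllowTrueStack", TRUESTACK, SERVER_B, 8080, "Allow")
DENY_SERVER_A = (101, "DenyServerA", SERVER_A, SERVER_B, None, "Deny")
DEFAULTS = [
    (65000, "AllowVnetInBound", VNET, VNET, None, "Allow"),
    (65500, "DenyAllInBound", "0.0.0.0/0", "0.0.0.0/0", None, "Deny"),
]


def evaluate(rules, src, dst, port):
    """Return (action, rule name) of the first rule matched in priority order."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, name, r_src, r_dst, r_port, action in sorted(rules):
        if (s in ipaddress.ip_network(r_src)
                and d in ipaddress.ip_network(r_dst)
                and r_port in (None, port)):
            return action, name
    return "Deny", "no match"


def server_b_nsg(with_deny_rule):
    """Inbound rules on Server B's NSG, with or without the isolation rule."""
    rules = [ALLOW_TRUESTACK] + DEFAULTS
    if with_deny_rule:
        rules.append(DENY_SERVER_A)
    return rules


if __name__ == "__main__":
    for with_deny in (False, True):
        nsg = server_b_nsg(with_deny)
        print("deny rule present:", with_deny)
        print("  Server A -> Server B:445  ", evaluate(nsg, SERVER_A, SERVER_B, 445))
        print("  TrueStack -> Server B:8080", evaluate(nsg, TRUESTACK, SERVER_B, 8080))
```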